Netskope report: Phishing still alluring bait

Phishing at this point seems an age-old concept: The term can be linked as far back as the 1990s [ed. note: Reminder to fellow Gen Xers — 90s were 30 years ago, not 10]. 

Yet, remarkably, phishing remains a tried-and-true top source for capturing usernames, passwords, multifactor authentication (MFA) codes and other sensitive information.

While users today are indeed savvier in spotting phishing attempts in email and text messages, they are much easier to lure via phishing links in less-expected places such as websites, blogs and third-party cloud apps, said Ray Canzanese, threat research director at Netskope Threat Labs.

Call it the next generation of phishing attacks: Threat actors are adjusting their methods and phishing is increasingly coming from all directions, according to the quarterly Netskope Cloud and Threat Report. 

“Phishing isn’t just scary emails,” he said. “Phishing is an attempt by somebody to get access to your accounts, and they’re doing it by any means necessary.”

More clever phishing

Every quarter, Netskope Threat Labs focuses a report on a specific topic, using anonymized data collected from the Netskope Security Cloud across millions of users worldwide. This quarter’s report, released today, focused on phishing between July 1 and September 30, 2022. 

And the report reveals that, despite widespread controls and training, many users are still taking the phishing bait. Technology and training is “still not enough to stem the tide and volume of phishing that we’re seeing,” said Canzanese. “It seems to always continue to go up in volume.”

Per the survey, an average of 8 out of every 1,000 enterprise users clicked on a phishing link or otherwise attempted to access phishing content. (Except in financial services, where 5 out of 1,000 users accessed phishing content.)

The initial reaction to this is that it’s not that big of a number, said Canzanese. The general thinking would be, for instance, that “8 out of 100 would have been much scarier.” 

But taking it into context, in a large company with 100,000 users, that translates to about 800 employees every quarter falling prey to phishing, he said. 

“All it takes is one person to go in there, enter their credentials and end up in a business email compromise situation,” said Canzanese.

Two primary phishing referral methods include the use of malicious links through spam on legitimate websites and blogs (particularly those hosted on free services), and the use of websites and blogs created specifically to promote phishing content. These accounted for the highest number of successful phishing attempts (26%). 

By contrast, while email is considered the primary mechanism for delivering phishing links for fake login pages to capture sensitive information, it only accounts for 11% of phishing alerts. These were referred from webmail services including Gmail, Microsoft Live and Yahoo. 

The most successful of those can be “almost indecipherable” from real emails, said Canzanese, because they have already made it through spam filters. 

Seems legitimate? Not always

Meanwhile, third-party application access is ubiquitous, posing an immense attack surface, and phishing threats are starting to leverage third-party access relationships, usually with very high success rates, said Canzanese. 

And, fake apps are expected to increase, particularly those around office, collaboration and security. Attackers have already created apps mimicking legitimate apps in these categories, and credential attacks are beginning to leverage third-party app access using OAuth application approvals. 

“Fake apps turn out to be a really nice MFA bypass,” said Canzanese. “Enabling MFA won’t defend you against these fake apps.”

People are accustomed to clicking “yes” when they get a pop-up from what legitimately seems to be Google 365, for instance, or Microsoft applications that they use every day. 

• On average, organizations granted more than 440 third-party applications access to their Google data and applications.
• More than 44% of third-party applications accessing Google Drive have access to either sensitive data or all data on the user’s Google Drive.

Also, geography plays a role in susceptibility: The Middle East is more than twice the average, for instance, while Africa is 33% above average. In many cases, attackers frequently use fear, uncertainty and doubt to design phishing lures; they also try to capitalize on major news items such as political, social and economic issues affecting the Middle East.

Be wary of next-gen phishing attempts when web surfing

Attackers are becoming “very persistent and very clever,” he said. They understand that “people are accustomed to having their guard up in certain circumstances and down in others.”

Attackers primarily host such websites on content servers (22%) followed by newly registered domains (17%).

Also, in social media, attackers are increasingly using direct messages or posts that link to phishing pages. 

Those are “usually very click-baity,” said Canzanese, as are pop-up surveys on Instagram. Similarly, there are increasing instances of people getting phone calls “alerting” them that there is a critical problem with one of their accounts (be it banking, social media or platforms they use for work). 

“It’s not enough to be careful when looking at email,” said Canzanese. “You have to have your guard and defenses up basically when doing anything on the internet.” 

MFA — and beyond

MFA is essential; the lack thereof is a simple ploy for attackers, said Canzanese. And, he said, organizations are leveraging hardware MFA tokens, such as a USB that is plugged into a machine and must be physically touched by the user. 

“This provides another hurdle for attackers to get onto apps,” he said. 

Still, cunning threat actors are figuring out workarounds for that, too: Oftentimes acting immediately upon username and password input, or repeatedly sending MFA notifications until a user accepts. 

Ultimately, it comes down to being vigilant, aware, skeptical and guards up; not just blindly accepting links, said Canzanese. If users are wary, they should apply MFA to their most important accounts, he suggested, including those for work or banking. 

Simply put, “you have to keep up with training, keep improving technology,” said Canzanese. “It’s not a problem that’s going away.”