We Live Data Security

Nerd Out On Our Latest Thoughts

One Phish, Two Phish, Red Phish, Blue Phish...

Phishing attacks are getting more and more severe. We spoke with Kowsik Guruswamy to find out what exactly is going on and why

You’re being attacked. I know. Shocking. You might not believe it but it’s true. I’m getting attacked. You’re getting attacked. We’re all getting attacked.

I want you to take a look at something for me:

One Phish, Two Phish, Red Phish, Blue Phish...

That’s a screenshot of my desktop email app. Those are junk emails. Lots of them. On average I get about five a day. Most of them come from a sender claiming to be a social media platform support staff member. They say things like “you have an unread message.” If you looked through my junk email folder you’d think there were scores and scores of people trying to get in touch with me and that I was just ignoring them.

Truth of the matter is I don’t have unread messages from these services. I’m not that popular. However, I am security conscious and know a thing or two about phishing and spear phishing attacks.

See, all those emails in that picture are a part of a phishing attack campaign. Someone out there on the web is trying to mine me for personal information and more likely than not, they’re going after you too.

Comparably, I’m lucky. I know well enough not to fall down the rabbit hole and click on one of those hazardous links. But every time I see a new message in my inbox with those hallmark tells, I can’t help but think of all those people who don’t know quite what’s going on and are baited into clicking one of those links.

It’s taken me a while to set up my email inbox rules to filter this crap (and it is crap) out of my normal inbox and into the junk folder. Every now and then one or two still get through. No matter what I do, I can’t quite stop them completely. Phishing campaigns seem to be sent out 24 hours a day 7 days a week.

So what is Phishing/Spear Phishing?

We sat down and spoke to Kowsik Guruswamy, the Chief Technology Officer at Menlo Security, to get a better idea on what exactly phishing or spear phishing is.

“Phishing is a way (mostly via email) to entice/lure users to click on a link that typically results in one of three things happening,” Guruswamy said. “1. A drive-by-download resulting in a malware dropper. 2 A download of a weaponized document that’s a Ransomware. 3. Credential theft from a website pretending to be a legitimate site.

“The results of Spear Phishing is the same, but the email is much more contextualized to that specific user. For example, it might be related to something that user recently posted on social media, it could be masquerading as an email from a “trusted” partner that the user recently transacted with. The contextual nature of the email makes it that much easier to fool users.”

Guruswamy’s an expert when it comes to spotting Phishing and Spear phishing attacks. It’s one of the things the company he works for, Menlo Security, specializes in detecting and preventing with their web and email isolation services.

The Menlo Security Isolation Platform (MSIP) brings the benefits of isolation technology to any size enterprise. It deploys as a cloud service (public or private) and requires no software or plug-ins on the endpoint. The MSIP supports any device, OS and browser and delivers a user experience essentially indistinguishable from native Web access.

Menlo Security’s Phishing Isolation solution eliminates credential theft and drive-by exploits caused by email attacks. By integrating cloud-based Phishing Isolation with existing mail server infrastructure such as Exchange, Gmail, and Office 365, all email links can be transformed to pass through the Menlo Security Isolation Platform.

When users click on an email link, they are 100% isolated from all malware threats, including ransomware. Websites can also be rendered in a read-only mode which prevents individuals from entering sensitive information into malicious web forms.

With their users safely isolated, administrators can monitor behavior statistics, and provide customizable time-of-click messages that help reinforce anti-phishing awareness training. Administrators can also define workflow policies for groups or individuals that determine if or when web input field restrictions can be relaxed.

With zero dependency on error-prone threat detection methods such as data analytics, Menlo Security Phishing Isolation is the only email security solution that protects every email user the instant it’s deployed.

Over the years Guruswamy and the team at Menlo Security have seen a shift in the way phishing and spear phishing attacks are carried out.

“Phishing used to be about stupidity in that we used to blame users (because they) were gullible. Now it’s really about sophistication,” he said. “Even the most ‘trained’ cyber security professionals can fall for a phishing attack if they drop their guard even for just a moment.

“(For example) the recent OAuth attack was definitely a new class of phishing since it used the Google Platform to trick users into giving access to their email and (Google) Drive. Since it was a third-party app (called Google Docs, no less) hosted on the same platform that was trusted by the users, most fell for it since everything felt so integrated.”

The OAuth attack Guruswamy mentioned is from a recent phishing campaign that tricked people into thinking somebody they knew had sent them a Google Doc, prompting them to log into the service and then having their credentials stolen.

The attackers would steal the mark’s contact list and a whole new round of emails would go out, giving the attacker access to more and more accounts every time somebody clicked on the link and authenticated.

Google said it was only about .01% of its users who were affected, but hey, that’s about 1 million people overall. Like Russel Brandom said over at The Verge, it was a pretty toothless attack, all things considered. Yes, personal info was leaked that could potentially put other accounts at risk, but Google shut it down quickly and despite affecting 1 million people, the attack could have been much, much worse.

OAuth, exit stage left. Enter WannaCry stage right. (We’ve talked about WannaCry before here and here if you want to read back and get a better understanding on how we feel regarding the ransomware but we won’t be getting into that in this article)

Now…nobody knows exactly how WannaCry was originally solicited. Some are saying it was through a phishing campaign while others, like MalwareBytes are saying attackers scoured the web for open SMB ports and hit those unprotected endpoints faster than a cat-house being flanked by sailors who were at sea for six months and just cashed their paycheck.

Guruswamy was just as in the dark as everyone else when it comes to how WannaCry was solicited. But what he does know is, if endusers were employing Menlo Security’s isolation suite, they wouldn’t have been infected by the ransomware if it did indeed come from a phishing/spear phishing campaign.

“WannaCry combined two things: Ransomware that also was a Worm,” Guruswamy said. “That’s what made it spread laterally, very quickly. Our take is that if WannaCry was delivered by a phishing campaign, and if the user was isolated, then the initial vector would’ve been nullified with Menlo Security.

Guruswamy said Menlo Security’s isolation suite would have isolated the document that helped spread WannaCry and it would have never reached the endpoint to begin with.

“We would’ve thwarted both aspects of WannaCry. And we would’ve done this without knowing it was Ransomware. This is the beauty of isolation. We don’t have to detect anything in order to provide 100% safety to users.”

That being said, even Guruswamy admits there’s no silver bullet solution for phishing attacks but that Menlo Security is doing whatever they can to make sure they take make a dent in trying to stop it.

“Phishing is a thorny issue because today we have three different sets of technologies trying to “detect” this. The Email Security Gateway understands spam, reputation, etc. but doesn’t know about the web. Web Security Gateway (like proxies) understand HTTP(s), but can’t tell if a request to a web page came from the user clicking on an email vs. typing it in on the browser bar. And then there’s Phishing awareness & training,” Guruswamy said. “The challenge is most organizations have email link-clicking has an integral part of everyone’s daily workflow. For approvals, payroll, internal processes, etc. Yet we somehow want the same click-happy users to differentiate between internal vs. phishing emails. This makes it very difficult to enumerate the warning signs.

“At Menlo we felt compelled to combine the three into a seamless everyday experience where the users are trained continuously, on every click, while they are in the safety of isolation. And we do all of this without having to detect if it’s a phishing site or not.”