The means by which hackers access user information have quickly evolved beyond traditional phishing emails. Phishing has always had the aim of baiting users to take an action or share a piece of sensitive information by appearing as a non-threat – but awareness has since grown. Unprompted password reset emails, while once effective, no longer drive the same volume of user action and are often detected by spam filters.
Today, phishing attacks are targeted, can be difficult to detect, and grant malicious individuals broad permissions over user data, user devices, and online services. The days of basic phishing schemes have more or less passed. Attacks now rely on advanced forms of infiltration that better disguise malicious intent.
Anatomy of a modern phishing attack
The widely publicized Gmail phishing scam earlier this year is just one example of a modern threat that affected users on a large scale. In this case, users were sent an email that appeared legitimate and directed them to an actual Google page. While most phishing scams rely on pushing users to a malicious domain, this particular attack simply led unsuspecting individuals to granting broad permissions to a malicious application. Hackers could then see victims’ contacts, read their emails, have insight into the users’ locations, and see files created in G Suite.
The Gmail phishing attack shows us just how advanced these techniques have become – it was difficult to detect and difficult to prevent. A critical takeaway is that the attack was able to clear the psychological trust hurdle. Users were tricked into giving permissions to a third party application because they trusted it; they believed the application to be a Google-approved service. A minute change in how the application domain was disguised successfully convinced users that the application was trustworthy.
This is the future of phishing. The ability to spoof cloud apps while masking the true identity of the sender in order to steal personal information – an alarming trend given the rapid increase of cloud adoption in verticals around the world.
Traditional phishing was rather simplistic in execution and relied on the user’s lack of knowledge. For example, social engineering driven by phone calls and emails wherein malicious actors would pose as government agents or corporate customer service representatives. Many targets of these attacks – elderly and young internet users alike – would readily provide any and all information to avoid the threat of legal action, penalties, and account shutdowns.
There are two key reasons why traditional attacks have become less effective: advances in detection and the increase in awareness among the average user. Major email providers, for example, alert users when a message is deemed suspicious or the source domain is not as it seems. What’s more, users are more computer savvy than ever and know not to trust inbound messages that request personal information. That said, while each major breach prompts reaction from users to update their privacy settings and login credentials, targeted attacks are and will remain relentless.
Preventing the next attack
Cloud service providers have already implemented a number of security features to proactively identify phishing attacks. Machine learning, improved email filtering, and malicious URL detection are just a handful of capabilities that keep users safe on the web. Some providers even warn users when replying to emails outside of their corporate domains, particularly important in an enterprise setting.
While cloud providers are often quick to recognize large scale attack and inform the public about the right precautions to take when opening shared files, many individuals and organizations are still subject to costly breaches. Educating users to best practices and making them aware of what to look for can go a long way in protecting data; organizations must also take a proactive approach to detecting these threats as they evolve.