Identity and access management (IAM) leaders, CISOs, and other IT leaders all know credentials—and people—still factor into 80% or more of all security breaches—even with companies investing heavily in training, email and endpoint security, and multi-factor authentication (MFA). So, what’s the deal?
Are phishing attacks getting smarter or is the sum total of these “modern” security controls and investments still not smart enough? Turns out the answer is “both.”
In this update on phishing, we’ll take a quick look at how attacks keep getting smarter, faster, and harder to detect — thanks in large part to AI — why the conventional approach to MFA hasn’t stopped attacks the way CISOs hoped it would, and how you can make MFA phishing-resistant in 2024 to keep pace with threats, regulations, and modern best practices.
Time to Detection: Attackers’ Advantage
Unoriginal as it is, threat actors still love phishing because phishing still works, and works pretty quickly with the sheer volume of email, and now text communications traversing the ethers every day.
Research shows most users take the bait within minutes of a phishing email landing in a user’s inbox. That may be long before email security, endpoint detection and response (EDR), and other ‘rules and signatures’ types of solutions catch on.
Cyber education definitely helps but studies show 5% of users still take the bait after a whole year of training. Advantage: attackers.
AI makes phishing attacks smarter and faster
As if enterprise security wasn’t having a tough enough time keeping up with ‘regular’ attacks, now we have high-scale, sophisticated attacks being launched by machines. AI-led social engineering attacks do the “legwork” of gathering data about intended targets that only real senders should know and make it easier to attack the most desirable targets via spear phishing or “whaling” attacks.
AI helps create longer lag times between evolving techniques and cyber education. Use of generative AI in tools like ChatGPT equips novice and foreign attackers to craft emails that avoid telltale signs emphasized in most cyber training – things like poor grammar, misspelled words, awkward phraseology, and sloppy translations. These tools also equip perpetrators to craft more personalized and convincing emails that mimic the tone and style of trusted senders and domains.
Automation lowers barriers to entry — and makes threats harder to find
Increased automation also makes it easier for cybercriminals to ‘productize’ their nefarious techniques — so virtually anyone can do it. Phishing as a service (PhaaS) “kits” lower barriers to entry by supplying novice attackers with ready-to-use emails that impersonate known brands, and spurious hosted sites used to capture credentials. These kits, and blocks of credentials themselves can be purchased on black market sites and aimed at multiple targets simultaneously, making it easy for attackers with little-to-no engineering skills to join the fray and run the numbers.
The rise of AI tools like ChatGPT also make phishing exploits more convincing and harder to spot. Would-be attackers can use AI to ‘stalk’ intended targets via social engineering attacks that allow attacker to impersonate trusted senders and tailor communications to intended victims.
Phishing’s ‘attack surface’ continues to grow
At the same time as AI is helping traditional phishing campaigns evade detection by email security, threat actors have set their sights elsewhere with new flavors of attacks targeting cellphones, voicemail, can QR codes:
In vishing exploits, the intended victim receives a voicemail urging them to call their bank, credit card company, or other known provider at a false phone number. When they do, the user is prompted to enter credentials or other privileged information.
Smishing or SMS-based phishing leverages the SMS protocol used in texting. Since most people are more likely to respond to a text than an email, smishing often succeeds at getting users to enter credentials that unlock accounts.
Quishing –phishing that exploits QR codes—prompts recipients to switch from their desktops or laptops to mobile devices to scan QR codes. Since the phishing link itself is an image, the QR code fails to trigger suspicion on the part of users and even many email security solutions. Scanning takes the victim to a fraudulent site that requests sensitive information or asks users to download malware.
Traditional MFA treats the symptoms
It’s no longer a secret that MFA as we know it – the thing that’s supposed to be security’s first line of defense — has not made enterprises phishing-resistant, or at least not nearly resistant enough. That’s because most MFA treats the symptoms of a phishing attack — users taking the bait and entering working credentials into bogus websites and sign-in screens, or calling fake numbers to volunteer privileged data in person.
Users revealing their credentials is symptomatic of the bigger problem at the heart of most MFA: passwords as the foundational layer. Valid credentials should literally be considered the ‘keys to the kingdom’ and passwords the ‘root of most evil.’ Login information getting lost, leaked, guessed or stolen still leads the vast majority of breaches, ransomware attacks, account takeover, data theft, and the many financial losses that follow – ransoms paid out, fines levied for breaching compliance, reputational damage causing a loss of revenues, and more.
A poor user experience into the bargain
MFA that fails to protect companies from phishing also tends to frustrate and slow users down. IT piles additional steps to take into the authentication process, like physical tokens, smart cards, extra PINs to enter and biometric scanners to satisfy, all of which take time, all day every day. IT continues to require users to set, reset, and manage their own passwords, and at the end of it all, companies still get phished.
Passwordless MFA treats the cause
A passwordless MFA solution such as the Secret Double Octopus (SDO) platform gets rid of the passwords fueling the still-thriving phishing industry.
Meets evolving mandates for phishing-resistance
In keeping with zero trust philosophies at the heart of evolving mandates from NIST, CISA, federal governments worldwide, passwordless MFA represents a major step forward in improving your security posture over time.
Imagine: no more credential abuse. No passwords falling into the wrong hands. No credentials for sale on the Dark Web. No more calls to the Help Desk to help reset passwords.
The founders of SDO imagined this years ago and we’ve been building the industry’s highest-assurance, most extensible and phishing-resistant MFA. Easier for users and IT. Complete 100% use case coverage for web and on-premises applications. Versatile, affordable, and faster to roll out and onboard users.
See phishing resistance for yourself
Contact SDO to arrange a free demonstration of the Octopus platform by filling out the form below!