Akamai Diversity

The Akamai Blog

Tale of the Tape: Top 5 Reasons Phishing Attacks Haven't Dried Up

One of my favourite websites is archive.org (OK, so I'm a nerd). For anyone not familiar with this website, it's essentially a time machine that allows you to go back and look at pretty much any site from a point in time over the past 20-odd years.

Recently I came across a story on the BBC website from June 2000 that caught my attention. At the time, the BBC referred to America Online (AOL) as the biggest, richest, and most successful internet company in the world. Yet somehow, they had been hit by hackers and a number of customer accounts had been compromised.
One paragraph in particular left me with a feeling of déjà vu:

"The people behind the attack targeted AOL customer service representatives with e-mails containing a virus attachment. When opened, it created a connection to the sender's computer and allowed access to some AOL accounts, including the customer's name, address and credit card details." 

It struck me that with an update to the language and technical terms, a change of company name, and a current web page style sheet, this same story would not look out of place in July 2020.

Twenty years on, companies are still being attacked, customer account details and other sensitive information is still being stolen, data is still being encrypted with ransomware, and users are still clicking on links in emails that command them to "click here to update your VPN credentials."

Phishing (and derivatives such as smishing or vishing) is still the attack beachhead for many of the cyberattacks we read about week in, week out.

Here are five key reasons why I believe that even 20 years on from AOL being hit by hackers, businesses are still struggling to adequately defend this attack beachhead and why the problem has become even worse in 2020.

Remote working has dramatically increased the phishing attack surface

The dramatic and sudden shift to home-based working since March has significantly changed the way that many of us work. However, based on Akamai's research, this shift has also seen a huge change in the types of content that users are now accessing on their corporate devices. For example, based on analysis of traffic from our Enterprise Threat Protector secure web gateway service between March 9 and May 11, there was a 37% increase in requests to social websites and a 134% increase in traffic to streaming websites. Moreover, there was an astonishing 447% increase in requests to websites that were potentially malicious. 

In other words, corporate devices are now also personal devices -- thus, users are now accessing content on these devices that they wouldn't likely access in an office environment. That blurring of business and personal browsing opens up a huge attack surface for phishing attacks.

Phishing is no longer just about email

No longer limiting themselves to email, attackers are now exploiting popular social media networks, instant messaging applications, and online file-sharing services. Facebook, Slack, Microsoft Teams, Dropbox, Google Docs, and other popular platforms are now serving as the criminals' initial point of penetration into the enterprise. These channels are much more personal; they invite sharing and widespread distribution, so phishing can propagate exponentially. While email still remains route one, combine the previous point about the blurring of business and personal web browsing, and this move to using other channels presents new security challenges. 

Attacks have become industrialized

Phishing attacks are now being created and executed on an industrial scale, and are increasingly using highly sophisticated off-the-shelf phishing kits that allow them to be delivered as very targeted, short-lived attacks. These campaigns direct victims to a phishing web page that's an exact copy of a consumer or enterprise brands site. So, for example, it's relatively cheap and simple to launch a phishing campaign that takes users to an exact replica of a Microsoft 365 login page. All it needs is one user to unsuspectingly give up their credentials and it can be game over.

The "hackers'' are always one step ahead

Because there's money to be made in cybercrime, there's a huge motivation for the attackers to continuously innovate, and it can often appear as if the attackers are always one step ahead when it comes to phishing. They are quick to find loopholes and vulnerabilities, and exploit these. For example, in the past 12 months, attackers have used a slew of different techniques to obfuscate their attacks and bypass phishing defenses. These include the use of zero-width characters, URL redirection, Google Translate, and base HTML elements. It's a continuous arms race between the attackers and the defenders. As security vendors address the latest exploits for bypassing email gateways, the attackers are already developing new ways to continue to get through the door.

People are still the weakest link

Despite companies investing considerable efforts in security awareness training, many employees are still unsuspectingly clicking on links or opening attachments in emails. At the 2019 Black Hat security conference, a Google researcher reported that 45% of internet users still don't know what phishing is. That's a pretty staggering statistic given how long phishing has been around and how much time and effort has been expended in educating users about phishing. Put that statistic alongside the emerging phishing attack vectors and the change in user behavior due to home working, and it's a worrying combination. Who wouldn't be tempted to open an email with a subject line of "Your COVID-19 Test Results" and click on the link or open the attached PDF?

For more information, visit akamai.com/etp.