Phishing, social engineering, and ransomware remain favorite attack methods of cybercriminals, but threat actors are beginning to shift to newer techniques, such as phone-oriented attack delivery and adversary-in-the-middle phishing proxies designed to bypass multifactor authentication, according to cybersecurity firm Proofpoint.
The Sunnyvale, Calif.-based company’s’ State of the Phish report finds that email-based phishing attacks remain a thorn in the side of IT and security professionals, with 84% of organizations surveyed saying they had at least one successful email-based phishing attack against them in 2022.
Those phishing attacks are impacting the bottom line, with the amount of organizations reporting financial losses as a direct result of phishing attacks increasing by 76% compared to 2021.
New phishing attack methods emerge
While phishing, ransomware, brand impersonation and cyber fraud remain major culprits, Proofpoint highlighted a range of emerging threats, including telephone-oriented attack delivery (TOAD) and multifactor authentication bypass such as adversary-in-the-middle (AiTM).
In the report, Proofpoint says those phishing methods “made waves” in the threat landscape.
The company defines a TOAD attack as one in which targets receive a message, typically containing a fake invoice or alert, that includes a phone number for customer service for questions. If the victim calls the number, they are connected directly to the attacker, who then tries to convince the victim to download malware, transfer money or enable remote access.
In addition, threat actors now have a range of methods to bypass MFA, and some phishing-as-a-service providers already include MFA bypass in their off-the-shelf phishing kits, the company says.
“Unknown to most users, these techniques gave cyber attackers a new advantage,” Proofpoint says in its report. “At their peak, TOAD and MFA bypass saw hundreds of thousands of attacks sent per day—ubiquitous enough to threaten most organizations.”
Specifically, attackers made about 400,000 telephone-based phishing attempts on average per day, with attacks peaking at 600,000 per day in August 2022.
While the report didn’t include data on the number of MFA bypass attacks, one recent case involving Uber spells out the danger. The rideshare giant disclosed in September 2022 that it was the target of a cyberattack.
According to Uber, an Uber external contractor’s account was compromised by an attacker, and the contractor’s corporate credentials were likely purchased on the dark web after the contractor’s personal device was infected with malware.
The attacker then tried to log in to the contractor’s Uber account several times, prompting a two-factor login approval request to be sent to the contractor’s device. Two-factor authentication worked in preventing unauthorized access, but the contractor eventually accepted a login approval request, opening the door for the threat actor.
Then, the attacker accessed several other employee accounts that ultimately ended with the attacker gaining elevated permissions to a number of tools, such as G-Suite and Slack. This is how the attacker was able to communicate with Uber employees via Slack. With free reign, the attacker reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites, according to the company.
Phishing still works really well
With these more sophisticated phishing methods and advanced social engineering, phishing attacks are still highly successful, according to Proofpoint.
Attackers are smart, and they know how to convince users to click on links and open attachments in emails. This includes impersonating trusted brands such as Microsoft, Amazon, DocuSign, Google and other companies that provide widely-used enterprise tools.
According to Proofpoint, the company observed about 1,600 brand impersonation campaigns, with Microsoft the most abused brand. Over 30 million messages used Microsoft branding or featured a Microsoft product such as Office or OneDrive.
Simulated phishing attack data shows that Microsoft OneDrive-related email attacks had a 7% failure rate, while DocuSign and FedEx impersonations had an 11% failure rate. Since it only takes one users to lead to an organization-wide compromise, those statistics are alarming.
However, an even more successful phishing lure is COVID-19, with pandemic-themed phishing simulations leading to a 17% failure rate. COVID also appeared twice in the company’s list of “trickiest” themes, which is defined as attacks with the highest failure rate regardless of how many times the template was used.
Awareness still lacks
Despite renewed emphasis around end-user training and awareness, end users still struggle to understand basic cybersecurity concepts, regardless of the phishing methods used.
According to Proofpoint’s report, only 40% of users know what ransomware is, although that is a 9% jump from 2019. In addition, just 58% of users said they know what phishing is, which is a 5% increase from 2021 but a decrease of 3% from 2019.
In addition, users still struggle to spot phishing emails, with 21% saying they don’t know that an email can appear to be from someone other than the sender, 44% saying they don’t know that a familiar brand doesn’t mean the email is safe, and 63% saying they don’t know that aee mail link text might not match the website it goes to.
Nearly 30% of users are still reusing passwords for multiple work-related accounts, and 80% of home and work Wi-Fi users didn’t change the default admin password from their routers, which is slightly worse than 2021.
With organizations continuing to embrace remote and hybrid work, that lack of security awareness is alarming. This could lead to substantial risks for organizations and their data, says Alan Lefort, senior vice president and general manager of security awareness training at Proofpoint.
“As email remains the favored attack method for cyber criminals and they branch out to techniques much less familiar to employees, there is clear value in building a culture of security that spans the entire organization,” Lefort says.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!