There have been extensive studies published recently about the state of phishing and social engineering techniques:
• Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials, by Google, the University of California and the International Computer Science Institute
• Phish in a Barrel, a Duo Labs report
Despite continuous user education and public awareness, phishing still appears to be the main technique threat actors use to compromise individual accounts or to gain unauthorised access to an organisation’s resources. In recent years the situation has become far more worrying because of the widespread adoption of the cloud model, in which an email address usually serves both as the user identifier and as the first step of the forgotten-password mechanism. Abusing a forgotten-password feature that sends the reset to the user’s email address is typically the easiest and least effortful way to gain access to an organisation’s protected resources. Once an adversary has unrestricted access to a mailbox, little stands in the way of unlocking the organisation’s protected resources.
According to the reports above, the social engineering techniques most widely used by threat actors are:
1. Reported public credential leaks: Yahoo, MySpace, LinkedIn, Adobe, Badoo, Dropbox, etc.
2. Phishing kits (HTML/PHP source code and .htaccess files), as listed on PhishTank and OpenPhish
3. Keyloggers: HawkEye, Predator Pain, Cyborg Logger
One of the worrying aspects of phishing is the growing popularity of projects like Let’s Encrypt (backed by Google) and the still active but deprecated StartSSL, which allow almost fully automated, free creation of SSL certificates to secure web traffic over public networks for any organisation. On the other hand, the same easy, instant and free tooling lets adversaries hide their identity and impersonate victims’ trusted contacts and business connections. Since SSL certificates offer identity confirmation, confidentiality and integrity of data in transit, it is almost impossible to distinguish between genuine and fake sources of data. Browser vendors trust “Let’s Encrypt” as a public Certificate Authority (CA) so as not to cut off legitimate organisations that use its unrestricted SSL/TLS encryption service. However, projects that lack official support from one of the leading US tech companies are being censored, and the main browser vendors are withdrawing their status as trusted public CAs: StartSSL, StartCom, WoSign.
Social engineering can take many forms, but the most widespread and alarming is the re-use of authentication details that were exposed publicly in third-party breaches. We have witnessed many instances of login credentials being exposed in recent years; for example, according to the non-profit organisation ITRC (Identity Theft Resource Center), more than eight thousand public breaches were confirmed over the past 12 years, uncovering billions of individual records. Re-use of the same “login+password” across different authentication systems (or cloud service providers) is the biggest source of unauthorised access to protected resources. It gives adversaries an almost effortless route to sensitive data: all that is needed is to validate the past passwords recorded for a given login (usually one and the same email address) against databases that aggregate data from third-party breaches. Aggregated records circulate on underground markets and provide an easy, instant source of login details, for example the 1.4 billion clear-text credentials described in December 2017, or the data partially available on public forums such as exploit.in. The following sites can confirm whether a given login/email address was previously reported in a publicly available breach: Have I Been Pwned? or breachalarm.com.
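As an added example (not code from the original article or from the reports it cites), the following shows how a registration or password-reset flow can refuse a password that already appears in an aggregated breach corpus. It assumes the k-anonymity “range” lookup model used by the Have I Been Pwned Pwned Passwords service (the client sends only the first five hex characters of the password’s SHA-1 and receives SUFFIX:COUNT lines), which the article itself does not describe, and it replaces the network call with a constructed response so that it runs offline.

```python
import hashlib
from typing import Callable, Dict, Tuple


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(digest: str) -> Tuple[str, str]:
    """k-anonymity split: only the 5-char prefix ever leaves the client."""
    digest = digest.upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF) into a suffix -> count map;
    blank or malformed lines are skipped rather than aborting the check."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.strip().upper()] = int(count)
    return counts


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Times the password was seen in known breaches (0 = never seen)."""
    prefix, suffix = split_for_range_query(sha1_hex(password))
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


# Constructed sample data: a fake range response holding the real SHA-1
# suffix of "password" plus two made-up suffixes; all counts are invented.
_KNOWN_PREFIX, _KNOWN_SUFFIX = split_for_range_query(sha1_hex("password"))
_SAMPLE_RESPONSE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D66:1",
    f"{_KNOWN_SUFFIX}:3730471",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38ED:2",
])


def fake_range_lookup(prefix: str) -> str:
    """Stand-in for the HTTPS GET of /range/<prefix>, so this runs offline."""
    return _SAMPLE_RESPONSE if prefix == _KNOWN_PREFIX else ""


def password_is_acceptable(password: str, range_lookup=fake_range_lookup) -> bool:
    """Registration/reset policy: refuse any password seen in a breach."""
    return breach_count(password, range_lookup) == 0
```

In a real deployment `fake_range_lookup` is replaced by an HTTPS request for the prefix, and the policy can also be applied when an existing user logs in, so that credentials exposed after registration are caught and rotated.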
Access to multiple authentication systems can be secured with best practices and a solid password manager that:
• replaces the need to remember complex, long passwords for each authentication mechanism (cloud provider, website, etc.)
• changes the password for each system frequently, for example every 90 days
• does not re-use the same value for any password
• avoids the “incremental changes” that are common among users and easy to brute-force with a mask attack
• ends the session (logs out) after a set period of time, invalidating the current session token
The most efficient way to limit the risk of phishing and re-use of previous passwords is to employ “strong” multifactor authentication, which combines more than one of the three base factors (knowledge, inherence, possession), supplemented by secondary attributes such as context and behavioural patterns. Practical solutions and integration examples are documented, for example, by the FIDO Alliance in its strong authentication frameworks:
1. Passwordless UAF
2. Second Factor U2F