LAS VEGAS -- The most challenging component of security is people. No tool can keep an organization safe if awareness is lacking, because people often make mistakes and are the cause of many breaches and other incidents.
At Black Hat 2019, several sessions looked at the human factors in security, and offered suggestions on preventing people from making costly errors.
In "Deconstructing the Phishing Campaigns that Target Gmail Users," Elie Bursztein, security & anti-abuse research lead with Google, and Daniela Oliveira, an associate professor at the University of Florida, looked at the methods and psychology behind why so many people still fall for phishing lures over email.
Perhaps one of the most illuminating – and surprising – nuggets of information in the talk was that 45 percent of internet users are still unfamiliar with the concept of phishing. You read that correctly. Almost half of those using the web daily are still in the dark when it comes to one of the most common online criminal techniques.
While it is easy to brush off phishing tactics as easy to spot, that figure shines a spotlight on the realities of the typical user – particularly those outside of the risk-fluent infosec community.
As Bursztein pointed out, phishing emails continue to be a moving target. Each day, he said, Gmail blocks over 100 million phishing emails, and 68 percent of those are essentially the same emails, just slightly different from one day to the next. Attackers tweak them just enough that they are not exactly the same, meaning two-thirds of what the system detects each day is content it has not seen before.
“Phishing is adversarial, the attacker is shifting and messages keep being changed,” Bursztein said.
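To illustrate why lures that are "the same, just slightly different" slip past exact matching, here is an added example (not code from the talk or from Gmail's systems) that compares a message against a list of previously seen lures in two ways: an exact SHA-256 fingerprint of the normalized text, and a Jaccard similarity over three-word shingles. The lure texts and the threshold value are constructed for the example.

```python
import hashlib
import re

# Constructed sample of a previously blocked lure (not taken from the talk).
KNOWN_LURES = [
    "Your account has been suspended. Please verify your identity within "
    "24 hours by clicking the link below to avoid permanent closure.",
]


def tokens(text):
    """Lower-case word tokens; punctuation and extra whitespace are dropped."""
    return re.findall(r"[a-z0-9]+", text.lower())


def exact_fingerprint(text):
    """SHA-256 of the normalized text: changing a single word changes it."""
    return hashlib.sha256(" ".join(tokens(text)).encode()).hexdigest()


def shingles(text, k=3):
    """Set of k-word shingles; a one-word edit alters at most k shingles."""
    words = tokens(text)
    if len(words) <= k:
        return {" ".join(words)} if words else set()
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    """Jaccard similarity of two sets, defined as 1.0 for two empty sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def score_message(text, known=KNOWN_LURES, k=3, threshold=0.5):
    """Compare a message against known lures exactly and by shingle similarity.

    Returns whether the exact fingerprint matched, the best Jaccard similarity
    to any known lure, and whether that similarity clears the (assumed) threshold.
    """
    known_hashes = {exact_fingerprint(m) for m in known}
    exact_hit = exact_fingerprint(text) in known_hashes
    sh = shingles(text, k)
    best = max((jaccard(sh, shingles(m, k)) for m in known), default=0.0)
    return {
        "exact_hit": exact_hit,
        "best_similarity": best,
        "fuzzy_hit": best >= threshold,
    }


if __name__ == "__main__":
    # Constructed variant: two words changed, the rest of the lure intact.
    variant = (
        "Your account has been suspended. Please verify your identity within "
        "12 hours by clicking the link below to avoid permanent deactivation."
    )
    # Constructed benign message that shares no three-word phrase with the lure.
    benign = "Thanks for your order. Your package will arrive within 3 business days."
    for label, msg in [("original", KNOWN_LURES[0]), ("variant", variant), ("benign", benign)]:
        print(label, score_message(msg))
```

The variant misses the exact fingerprint entirely but still shares 15 of 23 distinct shingles with the original lure (similarity 0.65), while the unrelated message scores 0. Real detection pipelines use faster approximations (MinHash, SimHash) over many more features than word shingles, but the principle is the same: a comparison that tolerates small edits is what turns "slightly different" lures back into already-seen data.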
Business email addresses are 4.8 times more likely to receive a phishing email.
“Phishers are selective,” he said. “Remember, they are financially motivated, so for the highest target, business email compromise is the main problem.”
Oliveira explained the science of how brains are fooled by phishing emails and how the ploys work on a user’s ability to detect deception, noting socioemotional functioning plays a role in the likelihood of falling for a phishing line.
The session takeaways included best practices for phishing defenses, including using awareness education, warnings and two-factor authentication to mitigate phishing threats.
In "Testing Your Organization's Social Media Awareness," Jacob Wilkin, network penetration tester and application security consultant with Trustwave SpiderLabs, cautioned that a 10-fold increase in social media-based phishing is a massive risk to the enterprise, but neither social media sites nor business organizations have taken the right steps to address the new risks that users face on social media.
“Social media becomes an alternative attack vector into your organization,” he explained. “You’re three times more likely to get click-throughs on social media, and this is important as companies move to BYOD models and people have devices at home and use social media and bring them into work environments.”
Wilkin walked attendees through two methods of gauging social media risk in an organization. The first includes passive testing with Social Mapper, an open-source tool that searches for profile information from social media sites, such as Facebook, Instagram, LinkedIn, Google+.
“The point of this is you can enumerate all profiles of employees linked back to your organization,” said Wilkin.
While Social Mapper provides some overview of the connections employees have, it does not evaluate risk at a sophisticated level because it merely identifies connections. His second suggestion was to conduct active testing with Social Attacker, a tool he released this week.
Social Attacker requires testers to set up a fake social media account. With those credentials, testers log into a social media site, upload Social Mapper results and send connection requests to those people. The tool provides a report so testers can see which profiles have accepted and who clicked on what, providing a more in-depth assessment of which users in an organization could be vulnerable to social media phishing attacks.
“You see who is connecting with strangers, you see who is clicking on links that you send them,” he explained.
Wilkin cautioned that the techniques used by Social Attacker may not be legal in some regions and organizations. He advised security leaders to emphasize user education: caution users not to link back to their employer on social media where possible, not to use the same name across social media sites, and not to accept connections from strangers.
“Attackers are increasingly pivoting to personal profiles to attack organizations,” said Wilkin. “As attackers have pivoted their attacks to social media, it’s important for us to bring awareness to this issue.”