No Signs of ‘Over-Phishing’ Yet: Tracking One of the Most Prevalent Initial Attack Vectors

The U.S. Defense Department recently acknowledged that it receives 36 million emails every day containing some form of malware. This is an astonishing, but not altogether surprising figure. After all, the cost of launching cyber attacks via weaponized email is essentially negligible, and all types of malware, phishing kits and phishing-as-a-service offerings are available on the “dark web” for anyone who wants to use them. The only real question with that 36 million figure is: How fast will it grow, and will private companies soon see a similar volume of attacks?

Phishing has been a popular tactic for a long time now, and it is unlikely to go away anytime soon. More often than not, phishing emails are determined to be the initial infection vector for compromises that lead to credential theft, malware infections, and data exfiltration. While other infection vectors rely heavily on technical skill, where attackers must defeat defense technologies and navigate enterprise infrastructure, a well-crafted phishing email need only convince a single user to click on a malicious link and enter their sensitive information – or download a malicious attachment – to provide attackers access to a victim environment. Once that foothold is obtained, the attackers can do further reconnaissance to identify databases with the greatest volume of sensitive information, or find a high-value target.

Phishing emails are so powerful that they are used by all different types of threat actors, from cyber criminals interested in financial gain, to sophisticated cyber espionage groups, to inexperienced pranksters looking to make a quick buck. The following are some examples of recent real-world attacks involving phishing:

• In late February 2017, FireEye as a Service (FaaS) identified a spear phishing campaign being carried out by a group FireEye tracks as FIN7. In this campaign, FIN7 appeared to be targeting personnel at various organizations who are involved with preparing United States Securities and Exchange Commission (SEC) filings at various organizations.
• Since May 2017, FireEye has witnessed North Korean actors target at least three South Korean cryptocurrency exchanges with spear phishing emails. FireEye believes the attacks were carried out in order to steal funds.

Financially motivated criminals and cyber espionage actors constantly change their tactics, techniques and procedures in order to evade detection and increase their rate of success in phishing operations. Not only has the volume and sophistication of phishing campaigns increased throughout 2017, but we are also observing an uptick in spear phishing campaigns that are extremely tailored to the target and are much harder to spot.

From a legal perspective, the fact that the volume and sophistication of email-based cyber attacks only continues to grow raises serious questions about what companies need to do in order to protect themselves. Given current trends, any moderately sized business should be looking beyond basic signature-based anti-virus defenses and employee training if they want to better protect their email systems from cyber attacks. Defenses that were once considered “next-generation” or “advanced” should now be viewed more as essential components of any standard cyber defense architecture. This would include tools such as non-signature based defenses, automatic threat intelligence sharing, and other behavioral analysis systems designed to automatically and affirmatively identify malicious code or links embedded in emails or hyperlinks.

While electing to utilize such defenses can certainly be justifiable depending on a company’s resources or threat profile, private companies at the very least need to actively analyze and consider the overwhelming volume of email based cyber attacks when determining how to allocate their cyber security resources. Whatever defenses a company decides to implement, they should contemporaneously document why those defenses were chosen and how they match up to their various risk and threat assessments.

Brian E. Finch is a partner at Pillsbury Winthrop Shaw Pittman LLP and co-leader of the firm’s Cybersecurity, Data Protection and Privacy practice. He can be reached at  brian.finch@pillsburylaw.com .