Phishing attacks have become a common factor in our daily routines for businesses and in our personal lives. There are many different types of phishing attacks, each of which requires a slightly different defense while having some commonalities as well. This article covers a specific type of attack called credential phishing and ways to protect against it. While you may have heard of this type of attack, many people do not fully understand the different types of credential phishing, their goals, and how to defend against them. Time to remedy that!
Types of Credential Phishing Attacks
Generally speaking, most credential phishing attacks have a common, obvious purpose – to gather credentials from an individual. However, what attackers do with that information and the creativity used in the attack can vary greatly. In some cases, the credentials can be used to gain access to systems or network resources, while in others they can be used to take over bank accounts, social media accounts or email accounts. In any of these cases, the damage the attacker can do can be harmful to the organization or individual, both reputationally and financially.
A couple of months ago, I spent some time in Washington, DC, where I was honored to speak to members of several different House Subcommittees ranging from those focused on financial crimes and terrorism to consumer protection and intelligence services. After one of the briefings, I spent some time speaking with a member of the U.S. Secret Service. He told me a story about a case he just finished working. Sadly, this was a scenario that I already knew too well through others impacted by the same scenario.
In this case, the attacker was able to gain access to an individual’s email account through a credential phishing email. This victim worked in the real estate industry and was working on some reasonably large deals. The attacker stayed quiet and monitored the victims emails for about a month before springing the attack. In this case, when it was time to transfer the escrow funds, the victim sent the account information for the transfer to the sender. Immediately afterword, the attackers made their move, and from the legitimate account of the victim, sent another email with a “correction” to the account number. The result was about $500,000 wired to the attacker’s bank account in another country, and it happened in the blink of an eye.
The FBI calls this kind of attack Business Email Compromise (BEC), and there are many different variations. This escrow/earnest money transfer attack is just one of many. I have seen attacks diverting funds for invoice payments, false invoices being generated and sent from legitimate accounts and malware being spread through legitimate, “trusted” accounts are just a few others. This doesn’t even touch on the CEO fraud versions of this type of attack, which occurs when the CEO makes an urgent request for a funds transfer or to send tax forms for the employees. These attacks are so lucrative, Trend Micro is expecting the losses to exceed $9 billion by the end of this year, and the FBI has already tallied $5.3 billion in losses back in 2016.
In addition to these types of attacks, if you own the user’s email account, password resets for other types of accounts using that email address become trivial.
Fighting Back Against Credential Phishing
So, how do we fight back against these sorts of attacks? Generally speaking, the most effective countermeasures I have seen are:
- Training the users to spot these attacks
- Using Multi-Factor Authentication (MFA) to secure the accounts.
When it comes to training users to spot these attacks, we need to understand that the days of the Nigerian prince scams are largely behind us. Modern attacks are well designed and can be tough to recognize.
For example, the following credential phishing pages are from the KnowBe4 simulated phishing platform and are indicative of credential phishing pages used in the wild.
Image 1 – Fake Office365 Login Page
Image 2 – Fake OWA Login Page
Image 3 – Fake LinkedIn Login Page
As you can see from the examples, these pages are made to look exactly like the real login pages for these services, and they can be easily hosted on any web server. Most of the time, when the user enters the credentials, the page not only captures those credentials, but it also forwards them to the actual login page, which then logs in the user, and they never know that they just gave up their credentials. Even in cases where the user is not automatically logged in, the page will usually just show a “Bad username or password” error, prompting him/her to log in again. Because all of us have mistyped a password before, this typically goes unnoticed and the user thinks they just fat-fingered the keys, once again leaving them oblivious to the harvesting of their credentials.
We must train users (and ourselves) to hover over the link in emails to ensure they are going to where they say they are, and to glance at the URL bar before ever entering login credentials on a page.
The second thing we need to do is to enable Multi-Factor Authentication (MFA) on these accounts wherever possible. This means not only do you need to have a username/password combination, but you also need to have another means of authentication. This can be biometrics, a text message to your phone, an authenticator app such as Google Authenticator, or, my favorite, a hardware token like a YubiKey.
When I worked for the U.S. Army, we used something called a Common Access Card (CAC) that contained a set of Personal Identity Verification (PIV) certificates that were tied to Active Directory. These PIV certs allowed us to digitally sign emails, encrypt emails, log in to computers on the domain, and even to control physical access to some areas in the buildings. These devices were a 2-Factor Authentication (2FA) device, as they required you to physically have the card, and also required you to know a PIN number to unlock the certificates on the card. Without one or the other, the operation would fail.
This same MFA principle should be applied to the email accounts of your users, especially the sensitive ones. Here are a few types of MFA to consider:
Using SMS as a second factor is a topic of debate amongst security professionals as cell phones/SIM cards can fairly easily be spoofed. Personally, I believe that something is better than nothing in this regard, so if this is the only option you have, go ahead and use it.
I will caution you, if you enable SMS as a second factor, avoid using numbers that are tied to services that forward SMS to email. For example, if I enable the SMS second factor in my Google account and have the message sent to my Google Voice number, I run the risk of it being more easily intercepted in email and potentially risk locking myself out of my account. Consider this, if I need the SMS message to get in to my Google account, and it’s being sent to my Google account… It’s just better to send it straight to a phone number. Trust me, I have learned from experience.
Another option is software-based authenticators such as Google Authenticator or Duo Security. This application is typically set up using a “shared secret” key that then uses that key to generate a numeric code you can enter into the requesting application. For example, if I set this up as a second factor for my Google account, when I log in, I will be prompted to enter the code. I would open the app on the phone and enter the code for that account. Unlike SMS codes, the One-Time Password (OTP) code generated by this type of application has a short lifespan, typically about one minute, before expiring and generating a new code.
Image 4 – Example of Google Authenticator Codes
I have to admit that I am a big fan of hardware-based tokens. When I used smart cards in the DoD, I gained a great deal of respect for the abilities of these devices. Typically, these hardware devices will be used to generate OTPs or will store the PIV certificates for that user. As I mentioned previously, these hardware generated codes or PIV certificates are a very strong authentication mechanism.
One problem that plagued smart cards in the DoD was a very high failure rate. Our organization had roughly 300 people using these cards with some users having multiple cards for different accounts. In this organization it was not uncommon to replace 2-3 cards a week due to failure. Smart cards have exposed contacts, much like newer chip-enabled credit cards, and require a special reader to be used.
Image 5 – DoD Common Access Card (Smart Card) – photo courtesy Department of Defense
For these reasons, I don’t recommend smart cards for the typical organization, however there are other options that address these issues.
There are a lot of options for similar devices that can make these same improvements in security while being much easier to use and more reliable. A quick search on Amazon for FIDO U2F will give you some options to peruse. Be sure to pick the ones that support your required authentication protocols and methods.
I have been using a device called a YubiKey which is produced by Yubico. These devices act very much like smart cards but plug directly into a USB port and are much more reliable. I have used these devices to store Active Directory PIV certificates and for OTP generation as well. Some of these devices also allow for Near Field Communication (NFC) connectivity as well as USB connectivity. These support multiple authentication protocols and methods including FIDO2, WebAuthN, U2F, smart card (PIV), Yubico OTP, Code Signing, OpenPGP, OATH-TOTP, OATH, HOTP, and Challenge-Response.
Image 6 – My YubiKey Collection: L to R – YubiKey NEO (NFC), YubiKey 4 and YubiKey 4C
Aside from a second factor for account authentication, one of my preferred use cases for these devices is securing password vaults such as LastPass. This allows for a very secure second factor to lock down the vault and associated passwords. The YubiKey Neo is handy, as it can be used through NFC to unlock the password vault even on cell phones.
Another consideration for these devices is the protection of very high-value accounts in Active Directory. I have used these to secure domain and enterprise administrator accounts using smart card login and PIV certificates, which have been natively supported since Windows 2000. That, however, is a topic for another post.
While these devices are typically pretty rugged and convenient, the cost and the requirement to physically have the device can be an issue. I have left my keychain with the YubiKey at home and left on a trip. This can be very inconvenient and can be a challenge to work around if you do not configure a backup method of authentication.
Setting Up MFA
Securing accounts with multi-factor authentication is becoming much easier as more and more vendors add native support for the technologies. Twitter, Facebook, Office 365, Dropbox, GitHub, Google, and many others already allow you to secure your accounts with MFA. Below are a few examples of what these pages look like when enabling MFA.
Image 7 – Google account settings with MFA enabled
Image 8 – Facebook account settings with MFA enabled
Credential phishing and BEC attacks are continuing to cripple organizations across the globe. The attacks are well planned and executed and often very stealthy. Combining high-quality end user training and multi-factor authentication can significantly reduce the risk of damages resulting from a successful credential phish. While this is not a solution to all of the issues surrounding credential phishing, requiring that additional layer of authentication that is tough for the attackers to obtain, can significantly reduce the risk of damage if a user is tricked into giving up their username and password.
The balance between usability and security is always tricky, but the industry as a whole is making it less painful when adding more layers of security. Therefore, review the available options for multi-factor authentication, especially for high value accounts and especially for all email accounts, and your organization as well as you as an individual should enable this additional security wherever possible. Strongly consider the addition of a password vault system as well, which can reduce password reuse across sites and allows for quick, easy password changes.
While nothing is 100% secure, most of these setups are extremely difficult to break. Any determined attacker can eventually get their target. However, these simple measures go a very long way in helping you rise above being the low hanging fruit, making the bad guys simply go on to an easier mark.
Erich Kron, Security Awareness Advocate at KnowBe4, is a veteran information security professional with over 20 years’ experience in the medical, aerospace manufacturing and defense fields. He is the former security manager for the 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, MCITP and ITIL v3 certifications, among others. Erich has worked with information security professionals around the world to provide the tools, training and educational opportunities to succeed in InfoSec.2fakronmfaphishingsmart cardsocial engineeringvault