Phishing, perhaps the oldest of cyber attacks, shows no sign of dying out; on the contrary, the phenomenon keeps growing. But it is no longer just the old emails in which the “famous” Nigerian prince promises millions in return for a small advance deposited into his account. Today criminal hackers have evolved and increasingly target mobile users through multiple channels such as SMS, instant-messaging platforms, social media and any other app that allows link sharing.
And, because so much of our personal information is now online, attackers can tailor these attacks to the victim, making them much harder to spot and therefore more likely to succeed.
Social media was born to connect us with the people we know, but also with people who share our interests, passions or line of work (see LinkedIn). For this reason cybercriminals often create fake profiles posing as mutual colleagues or acquaintances in order to connect with you and then harvest your personal data.
As if that weren’t enough, scammers often join social-media groups and post malicious links to a site that can be used to collect personal information or login credentials.
This data is then used to launch phishing attacks against even more people and organizations.
So it is no surprise that phishing is now behind nearly a quarter of all data breaches.
How the pandemic changed the paradigm – Even before the extraordinary conditions we all experienced a few months ago, remote working (“smart working”), increasingly widespread even in SMEs, had called into question the classic paradigm of defending the company perimeter.
Now, business applications and data are everywhere, on any device or network that employees use for work, including personal endpoints and home Wi-Fi.
The consequence is that the risk of phishing must now be managed even on non-corporate devices, social-media platforms and mobile applications.
At the beginning of the lockdown, companies focused mainly on maintaining the productivity of workers at home.
But after the summer break there was no return “to normal”: many workers still prefer a hybrid regime split between office and home.
Cybercriminals are fully aware of this and are tailoring their phishing campaigns accordingly.
They know that with a little information about an employee and their company (easily obtained from social-media profiles) they can launch a spear-phishing campaign against any organization.
We know, for example, that the attackers used mobile spear-phishing in the July 15, 2020 Twitter attack.
The attacker contacted a Twitter employee by phone and, posing as a colleague, tricked that person into handing over their credentials.
The criminal hacker then took over the Twitter employee’s phone number through a SIM swap, having probably gathered the details needed to impersonate the employee from social-media profiles.
Once the number was redirected to his own device, he could intercept the SMS one-time passwords (OTPs) used for multi-factor authentication and quickly elevate his privileges within the company.
The Twitter attack showed that a criminal hacker does not need to be part of a global cybercrime organization to do enormous damage.
And if this attack could succeed against a company like Twitter, it could probably work against any company, including yours.
Simple measures are not enough – Relying on multi-factor authentication and OTPs for secure access is not in itself wrong, but it is easy to see how a criminal hacker armed with key details taken from social-media accounts and the ability to carry out a SIM swap can bypass these layers when the second factor is delivered by SMS: a SIM swap reroutes the text messages, not a hardware token or an app-based authenticator.
That’s why we can’t expect employees to be the only line of defense against phishing attacks.
Think about it: every day their job is to open attachments and click on links sent by collaborators, customers, partners, suppliers, and so on. If they were to question every clickable link sent to them during a working day, how much work would actually be done? And how much anxiety would you create in the process?
Of course, companies absolutely need to provide periodic training to help users stay vigilant against phishing, but training alone still leaves gaps. If we combine training with a zero-trust approach to cyber security, however, we will see a marked improvement in resilience.
Zero trust is a security model based on strict access controls and on trusting no user or device by default, even those already inside the network perimeter.
For example, companies need to ensure that remote workers can access company apps only from IT-managed devices, not from the family iPad or a spouse’s smartphone.
This does not stop a password or an OTP from being phished, but it makes the stolen factors useless on their own: the attacker’s unmanaged device is refused, and so are personal or otherwise compromised devices that would expose corporate data.
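To make the difference concrete, here is an added example (constructed for this page, not Federprivacy’s code or any real Twitter control) that evaluates the same three requests under two policies: the legacy “password plus SMS OTP” check and a zero-trust variant that also demands a client certificate enrolled in the corporate device inventory. All users, secrets, certificates and requests are made up, and the SHA-256 password “hash” stands in for a proper password KDF.

```python
"""Zero-trust access gate: constructed example, not the original page's code.

Compares two policies on identical requests:
  legacy_policy     - password + SMS one-time password (OTP) is enough
  zero_trust_policy - the same factors, plus the request must come from an
                      IT-managed device, proven by a client certificate whose
                      fingerprint is in the device inventory.
Every user, secret, device and request below is made up for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed user directory: a toy password hash (a real system would use a
# password KDF) and the OTP the server last sent by SMS. In the text's
# scenario the SMS OTP is exactly what a SIM swap lets the attacker read.
USERS = {
    "alice": {
        "password_hash": hashlib.sha256(b"correct horse battery").hexdigest(),
        "sms_otp": "493021",
    }
}

# Constructed MDM inventory: SHA-256 fingerprints of client certificates that
# corporate IT has enrolled for each user. Anything else is "unmanaged".
MANAGED_DEVICES = {
    "alice": {hashlib.sha256(b"alice-corp-laptop-cert-der").hexdigest()},
}


@dataclass
class AccessRequest:
    user: str
    password: str
    otp: str
    client_cert: Optional[bytes] = None  # DER bytes of a client cert, if any


def password_ok(req: AccessRequest) -> bool:
    user = USERS.get(req.user)
    if user is None:
        return False
    digest = hashlib.sha256(req.password.encode()).hexdigest()
    return hmac.compare_digest(digest, user["password_hash"])


def otp_ok(req: AccessRequest) -> bool:
    user = USERS.get(req.user)
    return user is not None and hmac.compare_digest(req.otp, user["sms_otp"])


def device_managed(req: AccessRequest) -> bool:
    """True only if the presented certificate is one IT enrolled for this user."""
    if req.client_cert is None:
        return False
    fingerprint = hashlib.sha256(req.client_cert).hexdigest()
    return fingerprint in MANAGED_DEVICES.get(req.user, set())


def legacy_policy(req: AccessRequest) -> Tuple[bool, str]:
    """Knowledge factor + SMS OTP: what a phish plus a SIM swap defeats."""
    if not password_ok(req):
        return False, "deny: bad password"
    if not otp_ok(req):
        return False, "deny: bad otp"
    return True, "allow"


def zero_trust_policy(req: AccessRequest) -> Tuple[bool, str]:
    """Same factors, but the device itself must be in the managed inventory."""
    allowed, reason = legacy_policy(req)
    if not allowed:
        return allowed, reason
    if not device_managed(req):
        return False, "deny: unmanaged device"
    return True, "allow"


# Constructed scenarios mirroring the text.
CORP_LAPTOP = b"alice-corp-laptop-cert-der"      # enrolled by IT
FAMILY_IPAD = b"spouse-ipad-self-signed-cert"     # never enrolled

alice_at_work = AccessRequest("alice", "correct horse battery", "493021", CORP_LAPTOP)
alice_on_ipad = AccessRequest("alice", "correct horse battery", "493021", FAMILY_IPAD)
# Attacker: phished password, OTP read via SIM swap, own device with no cert.
attacker = AccessRequest("alice", "correct horse battery", "493021", None)

if __name__ == "__main__":
    for name, req in [("alice_at_work", alice_at_work),
                      ("alice_on_ipad", alice_on_ipad),
                      ("attacker", attacker)]:
        print(f"{name:14} legacy={legacy_policy(req)} zero_trust={zero_trust_policy(req)}")
```

Run stand-alone, the attacker’s request passes `legacy_policy` and is refused by `zero_trust_policy` with “unmanaged device”, as is Alice’s own attempt from the family iPad; only the enrolled laptop is allowed. The device check is deliberately a possession proof bound to the device (a certificate IT issued), not something the user could be talked into reading out over the phone.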
A zero-trust approach can insulate your business from the most persistent and pervasive vulnerability: human error.
SOURCE: FEDERPRIVACY