Social engineering attacks are usually associated with deceptive phishing emails in which the victim is tempted to click on a malicious link or open a malicious attachment to help an attacker penetrate network systems. Yet most people are less aware of the large and growing variety of sophisticated phishing attacks that tempt employees outside of email. These phishing attacks are growing in their effectiveness and are carried out via browser pop-ups, ads, malicious search results, browser extensions, chat applications, social media, web “freeware” and deceptive apps in App Stores.
Social engineering attacks are designed to elude software protections by deceiving employees into offering up personal credentials and/or visiting malicious web pages that compromise their machines. Such attacks rely on human fallibility to bypass existing defenses including firewalls, anti-virus protections and secure email gateways. All these types of cyber defenses, along with email phishing training, have helped companies get better at blocking phishing emails in recent years, so the hackers have reacted by dreaming up ever-more sophisticated attacks through other vectors.
The hackers realize that more employees are being trained these days to guard against the dangers of phishing emails, just as more organizations are deploying next-generation security protections. In response, the hackers have moved onto file-less attacks that are intended to evade those very defenses.
In one recent scam, hackers have targeted accounts payable teams at large companies to pull off fraudulent wire transfers and to steal employee credentials. The employees are presented with seemingly legitimate web pages which ask them to enter their user credentials, immediately granting hackers access to entire corporate servers.
Firewalls can only help when there is a known malicious URL to be blocked. But today, cyber criminals roll out new phishing pages and tear them down again within hours. Because these bogus sites are so short-lived, it is impossible for web security indexing bots to keep up with all the dangerous URLs that continue to proliferate. The criminals move too fast.
Other new weapons in this war involve file-less browser malware comprised of HTML, rogue applications downloaded from app stores, web freeware, chat applications, and of course social media posts. In addition, as more employees adopt dual-use company devices that serve both business and personal uses, both employees and their employers become more vulnerable to social engineering attacks – whether at work or outside of work – which can lead to very bad outcomes.
Most security professionals have begun to recognize this risk, but their organizations lack any defenses to effectively guard against phishing attacks beyond email, so they remain increasingly vulnerable to this new wave of socially engineered attacks. There is only one solution to this growing problem – detecting and blocking phishing attacks before the user can reach the page behind the link and start the kill chain from which bad things happen.
To detect and block these kinds of attacks, the protection system must use increasingly advanced threat detection capabilities that can analyze the phishing lure, and all related elements, at CPU speed to quickly determine if it is malicious. By analyzing the attack screen, and working both backwards and forwards, thousands of clues can be uncovered that can definitively identify these new generation of phishing attacks before they ever reach a user.
Security professionals and IT practitioners need to start thinking differently about how the social engineered threat landscape is changing and what they need to do to address this growing threat. The solution for more powerful, real-time phishing threat detection lies at the intersection of computer vision, OCR, NLP, and state-of-the-art machine learning to achieve truly effective and adaptive threat detection capabilities.
No matter how smart or well-trained employees become, they will never be able to anticipate the advanced techniques adopted by cybercriminals who make deception their full-time job. And security teams can’t hire enough threat researchers to quarantine every suspicious browser pop-up, ad, browser extension and social media post, despite their best intentions.