Email can be a double-edged sword. It’s one of the most essential tools for business communication, and, at the same time, it is the number one threat vector for cybercriminals. Phishing emails are the Achilles heel of most organizations’ security defenses.
Despite many advances and improvements in protection tools over the years, email remains the single most effective way for attackers to deliver malicious payloads. More than 90% of successful cyberattacks start with a phishing email, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
The psychology of phishing
Attackers prey on people’s unconscious biases to trick them into making that one click that will open the doors to a cascade of negative consequences. Verizon recently reported in its 2022 Data Breach Investigations Report that 82% of breaches result from human error or misjudgment.
Humans are practically hardwired to fall for carefully designed deceptions. We rely on mental shortcuts, known as heuristics, to help us efficiently move through life. Psychologist Robert Cialdini, author of the acclaimed book Influence, identified seven psychological principles of influence that attackers often use in phishing scams. For example, when people are uncertain about something, they look to outside authority to reduce their uncertainty and sense of ambiguity.
The latest trick for scammers is to use these very principles of social proof and authority to leverage the reputations of legitimate services and platforms, such as Amazon Web Services (AWS). This gets users to click links that are also able to bypass the reputational checks of email security tools.
A recipe for disaster
Let’s look at how this works. First, an attacker hacks into a business account. The attacker then sends a phishing email to users, encouraging them to download a “Proof of Payment” mock file. The file is hosted on a genuine service with a good or reasonably good reputation: a hosting provider, file transfer service, or collaboration platform (calendar organizers included), or a combination of these. This is how the attacker bypasses email security tools.
An example of this approach appeared in 2019 in the form of a threat strain known as Lampion. It used the free file transfer service “WeTransfer” to target Spanish and Portuguese-speaking demographics.
Once the user makes that fateful click on the mock file, a ZIP package containing a Visual Basic Script (VBS) is installed and executed on their device. As the Wscript process starts, malicious payloads are deposited and run discreetly in the background before beginning to search for and exfiltrate data from the user’s system. The final blow is when a trojan mimics a login form over a banking login page, so that when a user enters their credentials on what looks like their bank login page, the fake form sends the credentials directly to the hacker. Because this breach occurs on a victim’s own device, this type of malware is particularly challenging for security teams to detect.
Remote browser isolation to the rescue
An effective way to combat these tactics is to apply remote browser isolation (RBI) to shield the device from malicious payloads, cookies, and content. RBI isolates risky and malicious web page requests so that only a visual stream of pixels representing the pages is shown to the user. The user can still interact with the site as usual if the administrator allows it, but the contents are never actually downloaded to the device.
Security teams can tailor RBI to their needs. They can create custom lists of risky reputational categories, such as file-sharing, Peer2Peer, and gambling sites. They can shield from specific URL categories, IP addresses, and domains. They can still provide functions such as uploads, downloads, and clipboard usage, or they can block them entirely.
The bottom line is that, with RBI, security teams are no longer at the whim of reputational lookups or binary allow/deny policies to spot the wolf in sheep’s clothing. Even as newer, more sophisticated variants are released, security teams can rest assured that their systems are shielded in the unfortunate event that a victim clicks on a malicious phishing email link.
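The tailoring described above can be pictured as a three-way decision (allow, isolate, block) with per-session controls, rather than a binary allow/deny lookup. The sketch below is an added example, not code from the article or from any RBI product; the policy format, the `decide` function, and every category, domain and network in it are hypothetical, constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical policy: all categories, domains and networks are constructed samples.
ISOLATE_CATEGORIES = {"file-sharing", "peer2peer", "gambling"}
ISOLATE_DOMAINS = {"transfer.example"}            # also matches subdomains
ISOLATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BLOCK_DOMAINS = {"known-bad.example"}

@dataclass(frozen=True)
class Decision:
    action: str              # "allow", "isolate" or "block"
    upload: bool = True
    download: bool = True
    clipboard: bool = True

# Isolated sessions stream pixels only; this administrator also disables
# uploads, downloads and clipboard use inside them.
ISOLATED = Decision("isolate", upload=False, download=False, clipboard=False)
BLOCKED = Decision("block", upload=False, download=False, clipboard=False)

def _in_domains(host, domains):
    # Exact or dot-boundary suffix match, so "nottransfer.example" does not match.
    return any(host == d or host.endswith("." + d) for d in domains)

def decide(url, category, resolved_ip):
    """Return the Decision for one web request."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    ip = ipaddress.ip_address(resolved_ip)
    if not host or _in_domains(host, BLOCK_DOMAINS):
        return BLOCKED
    if (category.lower() in ISOLATE_CATEGORIES
            or _in_domains(host, ISOLATE_DOMAINS)
            or any(ip in net for net in ISOLATE_NETWORKS)):
        return ISOLATED
    return Decision("allow")

if __name__ == "__main__":
    # Constructed requests: (URL, category from a reputation feed, resolved IP).
    samples = [
        ("https://dl.transfer.example/proof-of-payment.zip", "business", "198.51.100.7"),
        ("https://cdn.host.example/file", "File-Sharing", "198.51.100.8"),
        ("https://intranet.example/wiki", "business", "198.51.100.9"),
    ]
    for url, cat, ip in samples:
        print(url, "->", decide(url, cat, ip))
```

The first sample is the case the article describes: the host has a clean reputation, so a binary lookup would allow it, while this policy renders it in isolation with downloads disabled.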
Rodman Ramezanian serves as global cloud threat lead at Skyhigh Security.