There is a saying that has been the backbone of many cybersecurity scams over the past 20 years, “You can fool all the people some of the time and some of the people all the time.” With this in mind, cybercriminals have been modifying and reusing tried and tested methods to get us to open malware ridden email attachments and click malicious web links, knowing that they will always fool some of the people.
You only need to look at security advice from pretty much any year since the internet became mainstream and you will find that a lot of it can be applied today. Use strong passwords, do not open attachments or click links from unknown sources. Sounds familiar? Why are people still falling for modified versions of the same tricks and scams that have been running for over a decade? Then again, from the cybercriminals perspective, if it is not broken, why fix it? Better to evolve, refine what works, and collaborate.
There is a solution though, where it is possible to be in a position where you can no longer fool people, even some of the time, because it is not their decision to make anymore. This is achieved by putting technology in between the user and the internet that decides whether or not to trust something. Trust becomes key, and a lot of security improvements can be achieved by limiting what is trusted, or more importantly, defining what not to trust or the criteria of what is deemed untrustworthy.
We have been doing this for years, as many systems will not trust anything that is classed as a program or executable, blocking access to exe or bat files. The list of files types that can act as a program is quite extensive though, if you do not believe me, try to memorize this list: app, arj, bas, bat, cgi, chm, cmd, com, cpl, dll, exe, hta, inf, ini, ins, iqy, jar, js, jse, lnk, mht, mhtm, mhtml, msh, msh1, msh2, msh1xml, msh2xml, msi, ocx, pcd, pif, pl, ps1, ps1xml, ps2, ps2xml, psc1, psc2, py, reg, scf, scr, sct, sh, shb, shs, url, vb, vbe, vbs, vbx, ws, wsc, wsf, and wsh. As you can see, it is way too much for a person, but easily blocked by technology.
We can filter and authenticate email based on domain settings, reputation scores, blacklists, DMARC (Domain-based Message Authentication Reporting and Conformance) or the components of DMARC, the SPF, and DKIM protocols. Email can also be filtered at the content level based on keywords in the subject and body text, presence of tracking pixels, links, attachments, and inappropriate images that are “Not Safe For Work” (NSFW) such as sexually explicit, offensive, and extremist content. More advanced systems add attachment sandboxing, or look at the file integrity of attachments, removing additional content that is not part of the core of the document. Others like “Linkscan” technology look at the documents at the end of a link, and will also follow any links in those documents to the ultimate destination of the link and scan for malware.
Where we are let down though is the area of compromised email accounts from people we trust and work with. These emails pass through most people’s email filters as they originate from a genuine legitimate email account (albeit one now also controlled by a cybercriminal) and unless there is something suspicious in the form of a strange attachment or link, they go completely undetected as they are often whitelisted.
This explains why Business Email Compromised (BEC) attacks are so successful, asking for payments for expected invoices to be made into “new” bank accounts, or urgent but plausible invoices that need to be paid ASAP.
If the cyber-criminals are careful and copy previous invoice requests, and even add in context chat based on previous emails, there is nothing for most systems to pick up on. Only processes that flag up BACS payments, change of bank of details, or alerts to verify or authenticate can help. Just double-check the telephone number in the email signature before you ring, in case you are just ringing the criminal.
Not all compromised email attacks are asking for money though, many contain phishing links or links to legitimate online file sharing services, that then link to malicious websites or phishing links to grant permission to open the file. To give you an idea of the lengths cybercriminals go to, I have received emails from a compromised account, containing a legitimate OneDrive link, containing a PDF with a link to an Azure hosted website, which then reached out to a phishing site.
In fact, many compromised attacks are not even on email, social media is increasingly targeted as well as messaging services or even the humble SMS text message via SIM swap fraud. As a high percentage of these are received on mobile devices, many of the standard security defenses are not in place, compared to desktop computers and laptops. The one thing that is available is two-factor authentication (2FA) which will help protect against phishing links, regardless of the device you use, so long as you train everyone in what to look out for and how they can be abused.
One area I believe makes even greater strides in protecting users from phishing and malicious links is to implement technology that defines what not to trust based on the age of a web domain and whether it has been seen before and classified. It does not matter how good a clone phishing website is for Office 365 or PayPal if you are blocked from visiting it, because the domain is only hours old. The choice is taken out of your hands, you still clicked on the link, but now you are taken to a holding page that explains why you are not allowed to access that particular web domain. The system I use called Censornet, does not allow my users to visit any links where the domain is less than 24 hours old, but also blocks access to any domains or subdomains that have not been classified because no one within the ecosystem has attempted to visit them yet. False positives are automatically classified within 24 hours, or can be released by internal IT admins, so the number of incidents rapidly drops over a short period of time.
Many phishing or malicious links are created within hours of the emails being sent, so having an effective way of easily blocking them makes sense. There is also the trend for cybercriminals to take over the website domain hosting cPanels of small businesses, often through phishing, adding new subdomains for phishing and exploit kits, rather than using spoofed domains. I have seen many phishing links over the years pointing to the domain of a small hotel. Either way, as these links and subdomains are by their very nature unclassified, the protection automatically covers this scenario too.
Other technological solutions at the Domain Name System (DNS) level can also help block IP addresses and domains based on global threat intelligence. Some of these are even free for business use, like Quad9.net, and because they are at the DNS level, can be applied to routers and other systems that cannot accept third party security solutions. On mobile devices both Quad9 and Cloudflare offer free apps which involve adding a Virtual Private Network (VPN) profile to your device. It is preferable though to have a premium VPN solution on all your users’ mobile devices, as these can be centrally managed and can offer DNS protection as well.
Further down the chain of events are solutions like privileged admin rights management and application whitelisting. Here, malware is stopped once again because it is not on a trusted list, or allowed to have admin rights. There is also the added benefit that users do not need to know any admin account passwords, so cannot be phished for something they do not know the answer to. Ideally, no users are working with full administrator rights in their everyday activities, as this introduces unnecessary security risks, but can often be overlooked due to work pressures and workarounds.
Let us not forget patch management is also key, because it does not matter how good your security solutions are if they can be bypassed because of a gaping hole via an exploit or vulnerability in another piece of software, whether at the operating system or firmware level, or via an individual application. Sure, no system is perfect and there is no such thing as 100% security, which is where the Endpoint Detection and Response (EDR) solutions and Security Information and Event Management (SIEM) solutions come into play. These can help minimize the damage through rapid discovery and remediation, hopefully before the cybercriminals achieve their goals.
By embracing the power of technology to protect us, layering solutions to cover the myriad of ways cybercriminals constantly attempt to trick us, we can be confident that emotional and psychological techniques and hooks will not affect technological decisions, it is either yes or no. The more that we can filter out, makes it less likely that the cybercriminals will still be able to fool some of the people all the time. The trick is to spend your budget wisely to cover all the bases and not leave any gaps, which is no easy feat in today’s rapidly changing world.
