When it comes to the many ways attackers try to get what they want, it seems that one of their old favorites — phishing — is enjoying a fresh new resurgence.
That’s because, compared to some more technically complex exploit methods, phishing is easy to pull off and boasts great ROI. With little more than craftily worded emails and websites, attackers can wrangle large sums of money and sensitive data out of their targets. With this in mind, it’s no surprise that phishing is currently the top cyber threat vector, far surpassing threats like zero-days, trojanized software updates and web server exploits. What’s more, the number of phishing sites has doubled in the last year, while websites serving up malware have been on a steady decline.
Learning Phishing Lessons
Phishing has been around almost as long as the internet itself, getting its start in the early ’90s, when attackers targeted AOL instant messenger users. The earliest variants were unrefined, grammatical and content train wrecks, so people easily learned to keep their distance from wonky websites offering deeply discounted iPads and Adidas brand shoes. Any email claiming to be from a Nigerian prince was deleted without a backward glance.
So attackers eventually moved on to more sophisticated variants that were harder for the average person to spot. These emails and websites used much better grammar, and the scenarios were far more realistic. But again, people eventually learned some rules to keep safe: look for HTTPS and a little padlock, check all URLs thoroughly, never click unverified links, and more.
HTTPS Doesn’t = Secure
And now, attackers have once again upped their game to keep people in their snare. The Anti-Phishing Working Group (APWG) recently released a startling stat in its Phishing Trends Report for Q3 2018: currently, half of all phishing sites are hosted on websites with SSL or TLS certificates — meaning that when visitors reach the site in question, they are greeted with that reassuring HTTPS and little padlock they have been trained to look for.
The HTTPS and padlock indicate that the data being transmitted between your browser and the site is encrypted and can’t be read by third parties in between; they say nothing about who operates the site. Nevertheless, they are typically thought of as a clear sign that the website you’re visiting is trustworthy — so attackers are hoping that when you see the HTTPS and padlock, you’ll be lulled into a false sense of security. Encryption also benefits the attackers directly, since encrypted content may evade the inspection that would otherwise identify it as malware.
Preventing Phishing with URL Filtering?
One way browsers attempt to protect their users from these rogue websites is URL filtering. Browsers such as Microsoft Edge, Chrome and Firefox block access to websites based on the content of the website or the suspicious construction of the URL. This is great, but it typically takes two to three days for these browsers to find and ultimately block 95 percent of the phishing sites out there.
According to the CA Security Council (CASC), on day one in the life of a phishing website, only 77.0% are blocked by Firefox, 79.0% by Chrome, and 89.0% by Edge. Now consider that the life cycle of the typical phishing website (with or without HTTPS) is generally about 4-8 hours long — which means that it’s very likely such sites will never be caught and blocked by each browser’s URL filtering. During this short stretch of time, attackers employ many methods to drive victims to their site, including phishing emails and SMS messages, malvertising redirects on other infected websites, and popups. And a whole lot of damage can occur in this relatively short span.
Preventing Phishing with Zero Trust Browsing
There has been a great deal of attention paid to the concept of Zero Trust Security as of late. The concept is that the legacy security model, which assumes that internal traffic is good and external traffic is bad, no longer works in today’s complex workplace. Our dependence on mobile devices, hybrid clouds and third-party suppliers means that the old “castle and moat” approach to securing one’s perimeter is completely unsuited to the needs of modern networks.
Zero Trust says that nothing and no one should be automatically trusted — and everything needs to be verified. Every user and every device that tries to access any kind of resource must be verified, with no regard paid to whether they are trying to access that resource from inside or outside the network.
Zero Trust is the way forward in security — but until now it has been impossible to extend its reach to internet usage. The internet is, by definition, dynamic, unpredictable and unverifiable. It’s also a necessary part of working today. While some companies employ whitelisting to restrict the sites that users can access in an effort to prevent phishing, malware and other threats from infiltrating, this method greatly interferes with productivity. What’s more, whitelisting is pretty pointless, as even legitimate sites can be weaponized under the right (or wrong) circumstances.
It’s possible to extend the Zero Trust concept to securing the internet with Zero Trust Browsing — implementing the idea that no site can be trusted, no matter what. Detection-based solutions aim to verify the safety of websites and their content, but time and time again this approach has proved ineffective. Ericom’s Remote Browser Isolation solution keeps all browser-borne content far away from endpoints and networks, while allowing users to access the sites they need and continue working as they naturally would.
With RBI, each website is opened in its own isolated container. Only a completely safe and clean content stream reaches the browser on the user’s device. Any malware, malicious code and other threats — in fact, all website content — is kept safely inside the container and disposed of at the end of the browsing session.
Ericom Shield offers a number of options for protecting users from credential theft and other social engineering attacks. Admins can opt for suspected phishing sites not to open at all, or to open in “view only” mode so users cannot divulge sensitive information. Alternatively, Shield can be configured to issue a warning before opening a site with full RBI interactivity. As such, Ericom Shield enables your users to access any website, even the sketchiest ones, while remaining completely secure.
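As an added illustration of the policy choices just described (constructed example code, not Ericom’s or Shield’s implementation), here is a toy Zero Trust Browsing policy in Python: a classifier verdict maps to block, view-only, warn-then-isolate or isolate, and the view-only path strips the form fields, buttons, scripts and inline event handlers through which a user could hand over credentials. The verdict labels, the policy table and the lure page are assumptions made up for the example.

```python
# Added example (not Ericom's code): toy Zero Trust Browsing policy; verdict
# labels, the policy table and the lure page are constructed for illustration.
import html
from html.parser import HTMLParser
# Admin choice per verdict; allowlisted sites still run isolated (nothing is trusted).
POLICY = {"suspected_phishing": "view_only",   # alternative: "block"
          "unknown": "warn_then_isolate", "allowlisted": "isolate"}
STRIP_CONTAINERS = {"form", "textarea", "select", "button", "script"}
# Constructed lure page: fake login form, inline event handler, auto-submit script.
SAMPLE_PAGE = ('<html><body><h1>Sign in to your bank</h1>'
               '<form action="https://login.example.invalid/" method="post">'
               '<input name="user"><input type="password" name="pw">'
               '<button>Log in</button></form><p onclick="go()">Need help?</p>'
               '<script>document.forms[0].submit()</script></body></html>')

class ViewOnlyRewriter(HTMLParser):
    """Read-only stand-in: drop forms, inputs, scripts and on* event handlers."""
    def __init__(self):
        super().__init__()
        self.out, self.skip_depth, self.removed = [], 0, 0

    def handle_starttag(self, tag, attrs):
        if tag in STRIP_CONTAINERS or tag == "input":   # <input> is void: no body
            self.removed += 1
            self.skip_depth += tag in STRIP_CONTAINERS  # swallow a container's body
        elif not self.skip_depth:
            attr_text = "".join(f' {k}="{html.escape(v)}"' if v is not None else f" {k}"
                                for k, v in attrs if not k.startswith("on"))
            self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in STRIP_CONTAINERS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag != "input" and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

def render(page, verdict, policy=POLICY):
    """Return (action, content for the endpoint, elements removed)."""
    action = policy.get(verdict, policy["unknown"])  # unrecognised verdict: never trusted
    if action == "block":
        return action, "", 0
    if action != "view_only":               # warn/isolate: page still rendered remotely
        return action, page, 0
    rewriter = ViewOnlyRewriter()
    rewriter.feed(page)
    rewriter.close()
    return action, "".join(rewriter.out), rewriter.removed
```

Running `render(SAMPLE_PAGE, "suspected_phishing")` leaves only the heading and help text, with five interactive elements dropped, while an unrecognised verdict falls through to the warn-then-isolate action rather than being trusted.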
Attackers are never going to stop cooking up new ways to entrap their targets. Today it may be using HTTPS on websites to create a false sense of security, but who knows what it may be tomorrow. This is why a baseline of Zero Trust is needed when it comes to web browsing. With Remote Browser Isolation, nothing is inherently trusted and everything is contained — and your users are protected from whatever tomorrow’s attackers come up with.