FS-ISAC Cyberattack: Another Stark Reminder That Anyone Can Get Phished

Cybersecurity journalist Brian Krebs reported today that the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry forum for sharing data about critical cybersecurity threats facing the banking and finance industries, was the victim of a successful phishing attack.

An FS-ISAC employee “clicked on a phishing email compromising that employee’s login credentials.” Using those credentials, a threat actor created an email containing a PDF that linked to a credential-harvesting site, then sent it from the employee’s account to select member affiliates and other employees.

While the incident was contained, it is a stark reminder that anyone – even cybersecurity professionals – can get phished. In an interview with Krebs, FS-ISAC executives noted that the attack that tricked the employee into giving away email credentials wasn’t particularly sophisticated.

Although the organization regularly delivers security awareness training to staff members, this incident underscores many of the core beliefs we have at GreatHorn.

  • Security awareness training, while necessary, is not enough. It is unrealistic to rely on employees to correctly identify a phishing attempt 100% of the time. In fact, a report from Forrester noted that among all tracked breaches (in 2015), the statistical difference between organizations who received training and those who didn’t was only 4%.
  • Automated security controls to protect against phishing, social engineering and other email-based threats should be a foundational layer of any security program.
  • New approaches to email security in the cloud are essential. Legacy email security gateway tools by design are not capable of protecting against phishing and other advanced threats targeting your employees’ inboxes.

To learn more about GreatHorn’s modern, cloud-native approach to email security for Office 365 and Google G Suite, listen to our most recent webinar: 4 Reasons Why It’s Time to Rethink Email Security.

Complimentary Gartner Market Guide for Secure Email Gateways

How Cybercriminals Craft Phishing Attacks: 4 Easy Steps

Highly-targeted phishing attacks are among the most prevalent threats businesses face today. These attacks, which are increasing in their frequency and sophistication, can result in stolen credentials, loss of intellectual property and, in many instances, entry into core backend systems that contain customer data or financial assets. According to the FBI, U.S. businesses alone suffer from nearly $343,000 in damages every hour from phishing – and this number has been going up year over year for the last five years.

Why are these attacks so pervasive? In short, it’s because they work. Phishing attacks easily circumvent traditional email security systems to deceive their intended target.

Here is a step-by-step breakdown of how cyber attackers execute targeted phishing attacks and why they’re so successful.

Step 1: Identify a Target. The first thing attackers do when they’re launching an attack is look at the target organization’s website. This allows them to understand the markets in which the organization plays, how it describes itself and its branding (e.g., colors, logos) – all valuable information which is readily available.

Step 2: Research the Victim. From here, the attacker will select an individual target, such as someone in charge of finances inside of the organization. This person could be someone that is listed in the ‘About Us’ section of the website. Attackers gather personal intel from public profiles on LinkedIn, Facebook, Twitter and other platforms to get a feel for the person’s interests and relationships. More importantly, they analyze a person’s tone, grammatical tendencies and common phrases to help make their attacks more authentic.

Furthermore, if that person has integrated some sort of trip software (e.g., TripIt) into LinkedIn, the attacker can even begin to understand where they might physically be. Criminals can then make reference to events happening in the person’s life to add another layer of authenticity.

Step 3: Craft the Attack. Once this information is gathered, the attacker will usually send an email to someone on the sales team to inquire about the services the company offers. Sales teams are typically quick to reply. In responding, they’ll hand over valuable information – things such as the format of the auto signature used in the organization, along with any logos, color schemes or website links that should be there. All of these elements are critical in crafting a believable phishing email. Once they have this information, it’s trivial for the attacker to then modify the signature of the sales executive to resemble that of the person they want to impersonate and reach out to their intended target.

Step 4: Strike at the Right Time. If the attacker sends the phishing email at the end of the day, or any time after normal working hours, it’s likely that the target will be viewing it on a mobile device rather than on a computer. The mobile interface will only show the picture and name of the impersonated person sending it – and not the actual email address, which is usually a Gmail address set up by the attacker. Since the email is coming from a consumer email service, it will pass the email authentication checks that many organizations rely on to block spam or direct brand impersonations. And so, a perfectly believable email is delivered to the target’s inbox.
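The defender’s counterpart to Step 4 is a check on the one thing the mobile client hides: the relationship between the From: display name and the actual sending address. The following is an added example, not GreatHorn’s code or part of the original post. It flags messages whose display name matches a known executive while the address belongs to another domain (a consumer mail service in particular, which is exactly the case that SPF and DKIM will pass), and messages whose Reply-To would route replies outside the organization. The executive directory, the org domains and the sample messages are constructed for the demonstration; any real deployment would source the directory from the company address book.

```python
"""Flag display-name impersonation in inbound mail (added example, not GreatHorn code)."""
from email import message_from_string, policy
from email.utils import parseaddr
import unicodedata

# Constructed directory (hypothetical): people likely to be impersonated, keyed by
# normalized display name, mapped to the domain their legitimate mail comes from.
EXECUTIVE_DIRECTORY = {
    "jane doe": "example.com",
    "john smith": "example.com",
}
ORG_DOMAINS = {"example.com"}

# Consumer mail providers: SPF and DKIM pass for their own domain, so a message
# sent from them clears authentication checks even when the display name is forged.
FREEMAIL_DOMAINS = {"gmail.com", "mail.com", "yahoo.com", "outlook.com"}


def normalize_name(name: str) -> str:
    """Fold case, strip accents and collapse whitespace so 'Jane  DOE' and
    'Jané Doe' both match the directory key 'jane doe'."""
    folded = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in folded if not unicodedata.combining(ch))
    return " ".join(stripped.lower().split())


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze_message(raw_message: str) -> dict:
    """Return a verdict for one RFC 5322 message given as text."""
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(address)
    reasons = []

    # Check 1: a known executive's name on an address from the wrong domain.
    expected = EXECUTIVE_DIRECTORY.get(normalize_name(display_name))
    if expected and from_domain != expected:
        reasons.append(
            f"display name '{display_name}' matches an executive but the sender "
            f"domain is '{from_domain or 'missing'}'"
        )
        if from_domain in FREEMAIL_DOMAINS:
            reasons.append("sender domain is a consumer mail service")

    # Check 2: an internal From: whose Reply-To pulls the conversation outside.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and from_domain in ORG_DOMAINS and domain_of(reply_to) not in ORG_DOMAINS:
        reasons.append(f"Reply-To redirects replies outside the organization: {reply_to}")

    return {
        "from": address,
        "display_name": display_name,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample messages; none of these are real traffic.
SAMPLE_MESSAGES = {
    "impersonation": (
        "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
        "To: finance@example.com\n"
        "Subject: Quick question\n\n"
        "Are you at your desk?\n"
    ),
    "legitimate": (
        "From: Jane Doe <jane.doe@example.com>\n"
        "To: finance@example.com\n"
        "Subject: Board deck\n\n"
        "Attached as discussed.\n"
    ),
    "vendor": (
        "From: Pat Vendor <pat@vendor.example>\n"
        "To: sales@example.com\n"
        "Subject: Pricing\n\n"
        "Could you send over your price list?\n"
    ),
    "reply_to": (
        "From: John Smith <john.smith@example.com>\n"
        "Reply-To: <john.smith.ceo@mail.com>\n"
        "To: finance@example.com\n"
        "Subject: Follow up\n\n"
        "Reply here, I am away from my work account.\n"
    ),
}


def scan(messages: dict) -> dict:
    """Analyze a batch of messages and return the verdicts keyed by label."""
    return {label: analyze_message(raw) for label, raw in messages.items()}


if __name__ == "__main__":
    for label, verdict in scan(SAMPLE_MESSAGES).items():
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{label:14} {flag:10} {verdict['from']}")
        for reason in verdict["reasons"]:
            print(f"{'':14} - {reason}")
```

The point of the design is that it does not compete with SPF, DKIM or DMARC: those checks answer whether the sending domain authorized the message, and in the scenario above the answer is honestly “yes” for the attacker’s own freemail domain. The directory check asks a different question, whether a trusted identity is being claimed from an untrusted place, which is the signal a mobile mail client never surfaces to the user.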

With the combination of psychological pressure and sophisticated attack creation, the target will likely take action and perform whatever is being asked of them. This chain of events has led to many of the high-profile data breaches we’ve seen in recent years and undoubtedly will lead to many more in the future. It doesn’t need to be this way.

To find out more about the latest phishing and social engineering techniques — and how a new approach to email security can protect your organization — check out our most recent webinar, 4 Reasons Why It’s Time to Rethink Email Security.

FinovateFall Demo Days Begin Today!

Today is the first day of Finovate Fall 2017’s two demo days, and the GreatHorn team is eagerly preparing to present our Inbound Email Security platform to business and technology leaders from financial institutions worldwide who have come together to learn about cutting-edge technologies. Recent research shows that financial institutions were attacked 65% more frequently than any other industry in 2016; no surprise, given the nature of the data they work with on a daily basis. 

The ever-increasing volume of targeted email attacks, coupled with an alarming success rate, emphasizes the financial industry’s need for a new approach to email security. During our demo, we’ll walk through a real impersonation attack live onstage to showcase the IES platform’s ability to automatically detect and remediate what Gartner calls “the most pernicious threat challenging modern connected organizations:” targeted phishing.

GreatHorn will be presenting on Tuesday, Sept. 12, during demo session #6 (10:45AM – 12:05PM). Come check it out, and swing by our table in the networking area! Tweet us @GreatHorn or send an email to [email protected] if you’re interested in lining up some time to speak with one of our reps.

Bonus Points: Awards Roundup

In addition to Finovate, we’ve also kept up a steady pace of industry accolades. Here are a few that we’ve taken home in the past few months:

  • SC Reboot Awards: Top Management. CEO Kevin O’Brien was selected as an honoree for the SC Reboot Awards’ “Top Management” category, based on his extensive track record as a senior executive for a series of Boston-area security startups over the last 15 years.
  • Mass TLC Leadership Awards: Innovative Tech of the Year, Security. GreatHorn was also named one of five finalists for the 2017 Mass TLC Leadership Awards! The awards recognize the individuals, technologies, and companies that are driving innovation in the region. We will be attending the MassTLC Leadership Awards’ Finalist Gala on September 14th, at Seaport’s World Trade Center in Boston, MA.
  • The Timmy Awards: Boston’s Best Tech Startup. GreatHorn was recently announced as a finalist for Tech in Motion’s Timmy Awards in the “Boston’s Best Tech Startup” category. The awards aim to recognize and celebrate the best employers for tech professionals in Boston. GreatHorn will attend the awards ceremony at Laugh Boston on Wednesday, September 20th.


If Even Top White House Officials Are Falling for Spear Phishing Emails, What Hope Do the Rest Of Us Have?

Last night, news broke that Homeland Security Adviser Tom Bossert was fooled by a spear phishing email impersonating the president’s senior advisor, Jared Kushner. After “Kushner” — in reality, the sender of the email was self-described “lazy anarchist” @SINON_REBORN — invited him to a party, Bossert replied with a friendly note and volunteered his personal email address.

Bossert isn’t the only White House official to fall for SINON’s tricks: using a mail.com email address, the prankster targeted ex-communications chief Anthony Scaramucci with messages purporting to come from former chief of staff Reince Priebus, and Jon Huntsman, who is Trump’s pick for U.S. Ambassador to Russia. In both cases, Scaramucci took the bait and replied; Huntsman himself, along with Trump’s son Eric, were also fooled by the phishing scheme.

That the impersonations were successful at all points to serious flaws in the White House’s cybersecurity posture. Government officials are high-profile targets who have certainly been trained on cybersecurity best practices, and the White House is one of the most protected locations on Earth — if targeted phishing is effective even in this highly secure environment, it’s further confirmation that something is very seriously wrong with the current state of email security.

The Implications of a Successful Phish

Targeted social engineering attacks like this one — phishing, business email compromise, and impersonation — have become the single most effective attack type in the world.

Earlier this year, we at GreatHorn conducted a survey of the threat landscape across approximately 115,000 mailboxes from our clients, comprising nearly 375 million messages. Our focus in conducting this research (published in the 2017 Cloud Email Report) was to establish a baseline of how many suspicious, anomalous, and potential phishing emails were received by our client base. The results are sobering: out of those 375 million messages, approximately 0.016% were statistically anomalous in a significant way, containing indicators of phishing threat.

Mail without a classically malicious payload — typical of today’s whaling, business email compromise, and spear phishing attacks — can be devastatingly effective in the theft of sensitive data, intellectual property, and (of course), money. An FBI Public Service Announcement published in May puts the financial losses of business email compromise scams at over half a billion dollars annually, and warns that the volume of attacks is only going up.

Why Can’t We Stop Getting Owned — And What Should We Do About It?

Three key trends are driving modern threats:

The rapid adoption of cloud infrastructure, particularly cloud email like Microsoft’s O365 and Google’s G Suite.

Email has perhaps changed the most of any system used on a daily basis by the modern workforce. Since 2012, the landscape for email infrastructure has shifted dramatically towards cloud — Microsoft Office 365 and Google G Suite dominate this space — but legacy security solutions like Secure Email Gateways (SEGs) have been slow to adapt to these newer platforms.

SEGs offer only single-point-in-time protection, meaning that they provide no visibility or control over threats that successfully bypass the perimeter, and they struggle to detect deception-based social engineering threats like those involved in the White House prank, leaving users vulnerable to the most difficult-to-detect types of threats.

Cloud email providers themselves also struggle to stop targeted phishing attacks. If your organization was one of the many hundreds of thousands of recipients of the Google Drive phishing attempt that hit the world’s businesses in May, or the subsequent Docusign data breach and phishing attempts, you likely saw that even Google and Microsoft were not able to block every instance of these messages.

The demonstrable inefficacy of security awareness training programs.

Many organizations attempt to bridge the gap left by insufficient security technologies through security training programs, which include “realistic” fake emails that chastise users who click on an embedded link, automated video trainings, and Outlook plugins that require that users self-report phishing attempts.

Unfortunately, while training is helpful (and an important part of many compliance strategies), it’s been proven ineffective. Forrester ran a study of a wide range of organizations which had experienced a security breach; statistically, there is almost no difference in breachability correlated to the use of these types of training programs.

The pervasiveness of email, the proliferation of self-owned devices, and the always-on nature of modern work makes it impossible for people to be constantly vigilant. There’s no way to transform people into hard targets for hackers; they’re all soft.

An unprecedented lack of trained information security talent.

Last but not least: cybersecurity has a capacity problem.

Today, there are at least 1 million unfilled information security analyst jobs, and the number is expected to rise to between 1.5 and 2 million by 2020. Over a quarter of all organizations surveyed report that they simply cannot fill their open positions at all.

The result is that information security teams are understaffed like never before, and this critical skills shortage has played a significant role in the increasing distance between how little time it takes an attacker to work their way past cybersecurity defenses, and how long it takes for those incursions to be detected and remediated.

Since neither end-user training nor information security analyst teams can keep up, what can we do to protect ourselves?

Automation Is the Only Way to Keep Up

What’s needed is an entirely new way of stopping these attacks — automatically, and at scale.

Research findings from the 2017 Cloud Email Security Report show that a 50,000 person organization can expect to field thousands of phishing threats per week — and that time spent investigating and (if applicable) remediating them can add up to hundreds of hours.

Reducing time to detection and response, from establishing a baseline of visibility and control to measuring the resulting reduction in risk, is the goal of the modern information security operations center, and it is clearly a priority for the White House as well. As the May 2017 Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure notes, one of the key goals of the current administration is for the selection and implementation of “risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.”

In accomplishing this mission, automation techniques are increasingly being looked to as one of the core capabilities available to organizations in the pursuit of identifying and reducing the potential for harm from these types of attacks.

Doing so will require dedicated technological resources, with deep automation workflows, to aid in the detection of patterns and anomalies that humans might otherwise miss. Until such systems are in place, a simple consumer email address and a penchant for mischief may be all that stands between our most sensitive personnel and an increasingly dangerous digital world.


Docusign Breach Leads to Multiple Phishing Attacks

We are currently tracking a new Docusign impersonation attack that began around 10:45AM ET. The attack utilizes a number of phishing links, all of which are coming from [email protected].

GreatHorn Inbound Email Security customers are protected: as with previous examples of this attack type, we are removing all instances of this email from inboxes, moving them to the Danger-Phishing folder, and will be deploying a policy to all customer instances of Inbound Email Security that will mitigate further email from this address.
