Stop Phishing and Cut Encrypted Exfiltration and Communication

F5 Ecosystem | January 11, 2021

Once upon a time, phishing and spearphishing attacks would only surge around specific times of year, such as major holidays like Christmas or Chinese New Year, consumer-ready holidays like Valentine’s Day or Lantern Festival in China, or around consumer shopping events like Black Friday or Cyber Monday in the United States, Boxing Day (December 26th) in the UK and Commonwealth of Nations, or Singles Day (November 11th) in Asia.

Attackers then figured out that they could leverage the FUD—fear, uncertainty, and doubt—driven by natural and manmade disasters, wars, illnesses, elections, or any event that drives today’s news cycle to sow their malicious seeds.

In the UK, the Information Commissioner's Office (ICO) indicated that phishing was the top cause of cyber-related breaches from April 2019 to March 2020. The Office of the Australian Information Commissioner (OAIC) reported that phishing accounted for 36% of all cases reported to it, placing it at the top of the OAIC's list.

As a result, phishing and spearphishing attacks increased drastically throughout 2020, driven by a worldwide pandemic, nations under quarantine or lockdown, workers forced to work from home, and contentious elections in the U.S. and other nations. Even the announcement that COVID-19 vaccines are ready is being used as a lure to get wary recipients to open emails from unknown sources, or from known sources whose accounts have been breached and hijacked. The aim is to deliver malware and other malicious payloads, steal user and corporate information, or gain illicit access to sensitive networks, clouds, applications, and data.

One of the reasons most often cited for the recent explosion in phishing attacks is the work-from-home orders precipitated by the COVID-19 pandemic. Many employees, contractors, and other staff members have been forced to work from home or remotely, and this quickly attracted the unwanted attention of attackers. They understood that people working remotely would likely be under increased pressure, let their guard down, and begin clicking links in just about any email, even those that might normally raise suspicion. They also know that people working from home may be using BYOD devices that lack the tools organizations typically use to protect against attacks like phishing. Attackers also count on home-based workers not having enough bandwidth to keep security software running or updated, and on them turning off or missing security updates. Many times, they are right.

Phishing and Encryption

As phishing attacks have rapidly increased, the number of phishing sites using encryption has kept pace. According to F5 Labs' recent 2020 Phishing and Fraud Report, nearly 72% of phishing links send victims to HTTPS-encrypted websites. That means the vast majority of phishing sites now present the browser padlock and look like valid, credible websites that can fool even the savviest employee. A valid certificate proves only that the site operator controls the domain name, not that the site is legitimate, and certificates for look-alike domains are cheap or free to obtain. The data is corroborated by research in other reports, including one by Venafi that uncovered suspicious retail look-alike domains using valid certificates to make phishing websites appear genuine, leading to stolen account and payment data.

And it's not only malicious websites that use TLS encryption to appear convincing and legitimate. The destinations to which phishing-delivered malware sends the data it steals from victims and their organizations, known as drop zones, use it too. According to the F5 Labs 2020 Phishing and Fraud Report, all (100%) of the incidents involving drop zones investigated by the F5 Security Operations Center (SOC) during 2020 used TLS encryption.

Finding Threats In Encrypted Traffic Isn’t Easy

There are a number of solutions available today that address phishing from different angles. Security awareness training teaches staff to recognize and handle phishing attempts, reducing how often they succeed. Email security solutions protect against spam, malware and malicious attachments, business email compromise (BEC) attacks, and more. There are managed services that run an organization's email. There are even remote browser isolation offerings that proxy an organization's web traffic and deliver to the local device either a rendered view of the page or a rebuilt copy of it, stripped of the underlying and possibly malicious code.

While those are all valuable, none of them solves the problem of encrypted traffic. If traffic is encrypted, it must be decrypted before it can be checked for malware and other dangerous content. That applies equally to encrypted traffic coming into the organization, when users click malicious links in phishing emails, download attachments laden with malicious code, or visit malevolent websites that look genuine because they present a valid TLS certificate, and to encrypted traffic leaving the organization, carrying stolen data to an encrypted drop zone or reaching out to a command-and-control (C2) server for further instructions or triggers for more attacks.

That is before considering privacy regulations such as the General Data Protection Regulation (GDPR) in the European Union (EU), the California Consumer Privacy Act (CCPA), and the many similar laws being debated around the world. These typically include language restricting how personal data, such as financial or healthcare information, may be processed, and can therefore constrain whether that traffic may be decrypted and inspected at all. Any decryption of encrypted traffic must be designed around these privacy mandates; running afoul of them can lead to litigation and substantial fines.

But Wait, There’s More…

All that said, there is more to today's encrypted phishing attacks of which organizations must be aware. The F5 Labs 2020 Phishing and Fraud Report also found that over 55% of drop zones used a non-standard SSL / TLS port, while over 98% of phishing websites used standard ports, such as port 80 for cleartext HTTP and port 443 for HTTPS. This means that, particularly for outbound traffic, inspecting only the standard ports is not enough. Solutions need to identify TLS by its content (the handshake itself, not the destination port) and decrypt outgoing traffic on non-standard ports as well. This is imperative in order to halt the obfuscation and exfiltration of critical data.

Today, to halt encrypted threats borne by phishing attacks, organizations need to inspect all incoming SSL / TLS traffic so that malicious or phishing-initiated web traffic is stopped. That inspection must be able to intelligently bypass decryption of traffic that carries sensitive user information, such as financial or health-related data, using criteria visible before decryption, such as the destination host name in the TLS Server Name Indication (SNI) or its URL category.

In addition, organizations need to either block outright or at least monitor non-standard outbound ports, to stop malware's encrypted communications with C2 and drop zone servers, whether for data exfiltration or for attack triggers.

Other considerations include the type of encryption each device in the security stack supports. Forward secrecy (also known as perfect forward secrecy, or PFS) uses an ephemeral Diffie-Hellman key exchange, so a session cannot be decrypted by a passive device that only holds a copy of the server's private RSA key; such a device can only pass the traffic through. TLS 1.3 requires forward secrecy, so this is no longer an edge case. If an attacker knows that a device in the stack cannot handle PFS, they can negotiate PFS cipher suites so that the encrypted traffic is simply passed through unexamined. This is especially costly and dangerous where security devices are daisy-chained together: if the one device that doesn't support PFS bypasses the traffic, the rest of the chain never sees it either. An inspection point that terminates TLS on both sides (a full proxy) is not limited in this way, because it negotiates, and therefore holds the keys for, each session itself.
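The three checks above (recognize TLS on any port by its bytes, bypass decryption for sensitive destinations using the SNI, and note whether the client offers forward-secret suites) can be expressed as a small egress policy. The following is an added example, not F5 code and not a description of SSL Orchestrator's internals. The host names, the bypass category list and the sample flows are constructed for illustration; the cipher suite IDs are the real IANA values. The builder exists only so the example runs offline on sample input.

```python
"""Port-agnostic TLS ClientHello inspection for an outbound inspection policy.
Added example (not F5 code). Sample flows, host names and the bypass list are
constructed; cipher suite identifiers are the IANA-registered values."""
import struct
from dataclasses import dataclass
from typing import List, Optional

STANDARD_TLS_PORTS = {443}
# Constructed stand-in for a URL-category feed driving the privacy bypass (assumption).
BYPASS_SNI_SUFFIXES = (".bank.example", ".health.example")
# TLS 1.3 suites (0x13xx) always use (EC)DHE and are therefore forward secret.
PFS_SUITES = {0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0xC030, 0x009E}
NON_PFS_SUITES = {0x002F, 0x0035, 0x009C, 0x009D}  # static RSA key exchange


@dataclass
class ClientHello:
    sni: Optional[str]
    cipher_suites: List[int]


def parse_client_hello(data: bytes) -> Optional[ClientHello]:
    """Return SNI and offered suites if `data` starts with a TLS ClientHello, else None.
    Looks only at the bytes, never at the port, so TLS on 8443 looks the same as on 443."""
    try:
        if data[0] != 0x16:                            # record content type: handshake
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if len(body) != rec_len or body[0] != 0x01:    # handshake type: ClientHello
            return None
        hs = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                   # skip client_version and random
        pos += 1 + hs[pos]                             # session_id
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + hs[pos]                             # compression_methods
        sni = None
        if pos < len(hs):                              # extensions block is optional
            end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
                pos += 4
                if etype == 0x0000:                    # server_name: list len, type, len, name
                    name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                    sni = hs[pos + 5:pos + 5 + name_len].decode("ascii")
                pos += elen
        return ClientHello(sni, suites)
    except (IndexError, struct.error, ValueError):
        return None                                    # truncated or malformed: not a ClientHello


def build_client_hello(sni: Optional[str], cipher_suites: List[int]) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello; used here only to make sample flows."""
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_ext = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
        exts = struct.pack("!H", len(exts)) + exts
    hs = (b"\x03\x03" + bytes(32) + b"\x00"                     # version, random, empty session id
          + struct.pack("!H", len(suites)) + suites + b"\x01\x00" + exts)
    handshake = b"\x01" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


@dataclass
class Verdict:
    action: str               # "decrypt", "bypass_privacy" or "pass"
    non_standard_port: bool   # TLS seen somewhere other than 443: worth alerting on
    pfs_offered: bool         # True: a passive RSA-key decryptor downstream would be blind
    sni: Optional[str]


def egress_policy(dst_port: int, first_bytes: bytes) -> Verdict:
    """Decide what an inspection point does with the first client bytes of an outbound flow."""
    odd_port = dst_port not in STANDARD_TLS_PORTS
    hello = parse_client_hello(first_bytes)
    if hello is None:
        return Verdict("pass", odd_port, False, None)
    pfs = any(c in PFS_SUITES for c in hello.cipher_suites)
    if hello.sni and hello.sni.endswith(BYPASS_SNI_SUFFIXES):
        return Verdict("bypass_privacy", odd_port, pfs, hello.sni)   # regulated data: never decrypt
    return Verdict("decrypt", odd_port, pfs, hello.sni)


def demo() -> List[Verdict]:
    """Constructed flows: (destination port, first bytes sent by the client)."""
    flows = [
        (443, build_client_hello("www.example", [0x1301, 0xC02F])),
        (8443, build_client_hello("drop.example", [0xC02F, 0x009C])),  # TLS drop zone, odd port
        (443, build_client_hello("login.bank.example", [0xC02B])),     # sensitive: bypass
        (4443, build_client_hello(None, [0x002F])),                     # RSA-only, no SNI
        (8080, b"GET / HTTP/1.1\r\nHost: drop.example\r\n\r\n"),       # not TLS at all
    ]
    return [egress_policy(port, data) for port, data in flows]
```

Running `demo()` yields decrypt / decrypt / bypass_privacy / decrypt / pass for the five flows, with the second and fourth flagged as TLS on a non-standard port. A real deployment would feed `first_bytes` from the first packet of each new outbound connection and would replace the suffix tuple with a maintained category feed; the point of the example is that the decision never looks at the port to decide whether something is TLS.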

Without these protections, in addition to security awareness training and email security or anti-phishing solutions, organizations leave themselves open to attacks, breaches, and the theft of critical corporate and user data.

For information on how F5 SSL Orchestrator can eliminate the security blind spot delivered with encrypted traffic, and how it can cut through the obfuscation of critical data being exfiltrated and stolen, please click here.

About the Author

Jay Kelley, Senior Manager, Product Marketing
