Stop Phishing and Cut Encrypted Exfiltration and Communication

Published January 11, 2021

Once upon a time, phishing and spearphishing attacks would only surge around specific times of year, such as major holidays like Christmas or Chinese New Year, consumer-ready holidays like Valentine’s Day or Lantern Festival in China, or around consumer shopping events like Black Friday or Cyber Monday in the United States, Boxing Day (December 26th) in the UK and Commonwealth of Nations, or Singles Day (November 11th) in Asia.

Attackers then figured out that they could leverage the FUD—fear, uncertainty, and doubt—driven by natural and manmade disasters, wars, illnesses, elections, or any event that drives today’s news cycle to sow their malicious seeds.

In the UK, the Information Commissioner’s Office (ICO) indicated that phishing was the top cause of cyber-related breaches from April 2019 to March 2020. The Office of the Australian Information Commissioner (OAIC) showed that phishing accounted for 36% of all cases reported to it, the top category on its list.

As a result, phishing and spearphishing attacks have drastically increased throughout 2020, driven by the threat of a worldwide pandemic, nations under quarantine or lockdown, workers who must work from home, and even contentious elections in the U.S. and other nations. Even the announcement that vaccines to address COVID-19 are ready is being leveraged to entice even wary folks to open emails from unknown sources—or even known sources whose accounts may have been breached and hijacked—to then spread malware and other malicious attack vectors, steal user and corporate information, or enable illicit access to sensitive networks, clouds, applications, and data.

One of the reasons most cited for the recent explosion in phishing attacks has been the work-from-home orders precipitated by the COVID-19 pandemic. Many employees, contractors, and other staff members have been forced to work from home or remotely, and this quickly attracted the unwanted attention of attackers. They understood there is a strong likelihood that people working remotely would be under increased pressure, let their guard down, and begin clicking on links in just about any email, even those that might normally raise suspicion. They also know that those working from home might be using BYOD products that won’t have the tools typically used by organizations to protect them from attacks like phishing. Attackers also believe that home-based workers might not have enough bandwidth to keep security software running or updated, and may turn off or miss updates to their security software. Many times, they are right.

Phishing and Encryption

As phishing attacks have rapidly increased, the number of phishing sites using encryption has kept pace. According to F5 Labs’ recent Phishing and Fraud Report 2020, nearly 72% of phishing links send victims to HTTPS encrypted websites. That means that the vast majority of malicious phishing sites now appear to be valid, credible websites that can easily fool even the savviest employee. This data has been corroborated by research from other reports as well, including a report by Venafi that uncovered suspicious retail look-alike domains using valid certificates to make phishing websites appear legitimate, leading to stolen sensitive account and payment data.

And it’s not only malicious websites that leverage TLS encryption to appear convincing and legitimate. The same is true of the destinations, known as drop zones, to which malware delivered by phishing attacks sends the data it pilfers from victims and their organizations. According to F5 Labs’ Phishing and Fraud Report 2020, all—100%—of the incidents involving drop zones investigated by the F5 Security Operations Center (SOC) during 2020 used TLS encryption.

Finding Threats In Encrypted Traffic Isn’t Easy

There are a number of solutions available today to address phishing from a variety of different angles. There are solutions to train staff how to recognize and handle phishing attacks, reducing attack uptake and efficacy. There are solutions that address email security, protecting against spam, malware and malicious attachments, BEC attacks, and more. There are services to manage an organization’s email. There are even offerings that proxy an organization’s web traffic, render it remotely, and deliver only a safe rendering of the web page to local devices, without any of the underlying suspicious and possibly malicious code.

While those are all great solutions, there is still the problem of addressing encrypted traffic. If traffic is encrypted, it needs to be decrypted before it can be checked for malware and other dangerous code. That applies equally to encrypted traffic coming into the organization—from users clicking on malware-prone links in phishing emails, downloading attachments laden with malicious code, and accessing malevolent websites that appear real and benign because they have the “right” encryption certificate—and to encrypted traffic leaving the organization, carrying stolen data to an encrypted drop zone or reaching out to a command-and-control (C2) server for more instructions or triggers to unleash further attacks.

Plus, this does not even take into consideration that government privacy regulations, such as the General Data Protection Regulation (GDPR) in the European Union (EU), the California Consumer Privacy Act (CCPA), and many other regulations being debated in nations around the world, typically include language that precludes the decryption of personal user information, such as user financial or healthcare data. Any decryption of encrypted traffic would need to address these privacy mandates, or it could lead to litigation and substantial fines for any organization that runs afoul of these regulations.

But Wait, There’s More…

All that said, there is even more to today’s phishing attacks that use encryption of which organizations must be aware. F5 Labs’ Phishing and Fraud Report 2020 also found that over 55% of drop zones use a non-standard SSL / TLS port, while over 98% of phishing websites used standard ports, such as port 80 for cleartext HTTP traffic and port 443 for encrypted traffic. This means that, particularly for outbound encrypted traffic, relying on scanning standard ports is not enough. Solutions deployed need to detect, decrypt, and scan outgoing traffic on non-standard ports as well. This is imperative in order to halt the obfuscation and exfiltration of critical data.

Today, in order to halt encrypted threats borne by phishing attacks, organizations need to inspect all incoming SSL / TLS traffic to ensure that any malicious or possibly phishing-initiated web traffic is stopped and eliminated. But that inspection must include the ability to intelligently bypass decryption of encrypted traffic that contains sensitive user information, such as financial or health-related information. In addition, today’s organizations need to either outright block or at least monitor non-standard outbound web ports to stop malware from communicating over encrypted channels with C2 and drop zone servers, whether for data exfiltration or for attack triggers. There are other key things to consider as well, such as the types of encryption supported by devices in the security stack. For instance, if an attacker knows that a certain security device is unable to support forward secrecy (also known as perfect forward secrecy, or PFS), they can negotiate a PFS cipher suite so that the device cannot decrypt the session and simply passes the encrypted traffic through. This is especially costly and dangerous in environments where security devices in the stack are daisy-chained together: if the one device that doesn’t support PFS bypasses the traffic, the rest of the chain bypasses it too.
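The two preceding sections argue that outbound detection must not rely on port 443 alone. As an added example (not code from F5 or the report), the Python below identifies a TLS ClientHello by its record and handshake headers rather than by destination port, flags handshakes sent to non-standard ports, and pulls out the SNI so the destination can be checked against an allowlist. The flow records, the `build_client_hello` helper, and the set of "standard" ports are constructed assumptions for the sample, not captured traffic.

```python
import struct

STANDARD_TLS_PORTS = {443, 8443}  # assumption: the organization's expected outbound TLS ports

def is_tls_client_hello(payload: bytes) -> bool:
    """Record type 0x16 (handshake), version 0x03xx, handshake type 0x01 (ClientHello)."""
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01)

def extract_sni(payload: bytes):
    """Walk the ClientHello fields and return the server_name extension, or None."""
    if not is_tls_client_hello(payload):
        return None
    try:
        pos = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
        pos += 1 + payload[pos]                   # session_id
        pos += 2 + struct.unpack_from("!H", payload, pos)[0]   # cipher_suites
        pos += 1 + payload[pos]                   # compression_methods
        end = pos + 2 + struct.unpack_from("!H", payload, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", payload, pos)
            pos += 4
            if etype == 0:                        # server_name: list len(2), type(1), name len(2)
                name_len = struct.unpack_from("!H", payload, pos + 3)[0]
                return payload[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (struct.error, IndexError, UnicodeDecodeError):
        return None                               # truncated or malformed: treat as no SNI
    return None

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello used only to make sample flows."""
    host = sni.encode("ascii")
    sni_ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 2) + b"\xc0\x2f"
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

SAMPLE_FLOWS = [  # constructed: (src, dst, dst_port, first client payload bytes)
    ("10.0.0.5", "203.0.113.10", 443, build_client_hello("mail.example.com")),
    ("10.0.0.7", "198.51.100.23", 8081, build_client_hello("cdn-update.example.net")),
    ("10.0.0.9", "192.0.2.44", 8081, b"GET / HTTP/1.1\r\nHost: 192.0.2.44\r\n\r\n"),
]

def flag_nonstandard_tls(flows):
    """Return (src, dst, port, sni) for every TLS ClientHello sent to a non-standard port."""
    return [(src, dst, port, extract_sni(p)) for src, dst, port, p in flows
            if port not in STANDARD_TLS_PORTS and is_tls_client_hello(p)]
```

Only the second flow is flagged: it is TLS by payload despite using port 8081, while the cleartext HTTP flow on the same port is left alone.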

Without these protections in place, in addition to security awareness training and email security or anti-phishing solutions, organizations are leaving themselves open to attacks and breaches, and to the theft of critical corporate and user data.

For information on how F5 SSL Orchestrator can eliminate the security blind spot delivered with encrypted traffic, and how it can cut through the obfuscation of critical data being exfiltrated and stolen, please click here.