Understanding the Rise of Phishing

Mathew Pregasen
September 20, 2023

Phishing is a hacking technique as ancient as the Internet itself. And while there is more awareness about the dangers of phishing—propelled by SOC 2-mandated anti-phishing employee training—the nefarious tactic has continued its steep rise. According to the research firm Abnormal Security, 2022 saw a massive 81% increase in phishing attacks.

Some online chatter argues that bad actors are moving toward phishing due to the crackdown on cryptocurrency and ransomware attacks. While this may contribute to phishing’s rise, it’s likely not the main culprit.

Instead, many discrete factors have made phishing the easiest attack strategy for hackers to pull off. Broadly speaking, modern tooling makes executing a robust phishing scheme easier, security practices have made humans the weakest link, and data leaks have given attackers more to work with. Together, these factors have made phishing the most dangerous security threat out there.

The success of MFA authentication

A force against non-phishing hacking methods

Two-factor authentication (2FA) and multi-factor authentication (MFA) are security measures that have recently gained mass adoption. Both add at least one extra step to logging in—either a text message, a physical hardware key, or an authenticator app like Authy or Google Authenticator.

Multi-factor authentication has had a remarkable rollout over the past decade. Even niche consumer apps such as baby monitors support and encourage enabling MFA. In fact, MFA has grown so quickly that there is fervent debate over what authenticator apps are best. And in the context of businesses, employees have to have MFA enabled for all of their vendors to be SOC 2 compliant (a security standard often required by customers).

So how does more security relate to phishing? If anything, shouldn’t 2FA/MFA make phishing attempts harder? In the short term, it did: attackers now had to fool users twice, capturing both their password and their MFA code. But MFA also cracked down on hackers simply waltzing into accounts with leaked or guessed passwords. Those attacks are still possible when combined with a SIM swap to intercept codes, but they are significantly more difficult.

Because MFA made other attack vectors more difficult, phishing has returned as a primary attack vector. With phishing, the victim unwittingly shares their credentials and MFA code directly with the attacker. This demands more of the attacker, since MFA codes expire after thirty or sixty seconds. However, real-time phishing proxy (RTPP) software has emerged that uses the stolen credentials the instant the user submits them. These aren’t nefarious programs sold on some shadowy market, as one might expect after watching too many action movies. They are open source; examples include Evilginx 2.0 and Modlishka.

In short, while MFA helps stop account compromises from leaked credentials, it doesn’t actually eliminate phishing—it only requires more sophisticated attacks.
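As an added illustration (not code from the original post): a toy Python model of why a real-time proxy defeats one-time codes but not origin-bound authenticators. The TOTP half follows RFC 6238. The "WebAuthn" half is a deliberate simplification: HMAC stands in for the authenticator's asymmetric signature, and the relying-party origin `https://login.example.com`, the lookalike origin, the seed and the challenge are all constructed. What it shows is that a server verifying a TOTP learns nothing about where the code was typed, whereas the browser records the origin it is actually on inside the signed client data, so an assertion made on a proxy's domain fails at the real site.

```python
import base64
import hashlib
import hmac
import json
import struct

# Constructed relying-party origin; the lookalike origin used in demo() is constructed too.
RP_ORIGIN = "https://login.example.com"


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Server-side TOTP check. Nothing here says where the code was typed: a code entered on a
    proxy's fake page and relayed within the validity window verifies exactly like one entered
    on the real site."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, now + drift * step, step), submitted):
            return True
    return False


def authenticator_sign(device_key: bytes, origin_seen_by_browser: str, challenge: str) -> dict:
    """Toy model of a WebAuthn assertion. The browser, not the page, writes the origin it is
    really on into clientDataJSON, and the authenticator signs over its hash. HMAC stands in
    for the real per-credential asymmetric signature (a simplification, not the wire format)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin_seen_by_browser},
        sort_keys=True,
    ).encode()
    signature = hmac.new(device_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"client_data": client_data, "signature": signature}


def verify_assertion(device_key: bytes, assertion: dict, expected_challenge: str) -> bool:
    """Relying-party check: the signature must be genuine AND the signed origin and challenge
    must be the ones this site expects. An assertion produced while the browser sat on a proxy's
    domain carries that domain as its origin, so it fails here even though the signature is valid."""
    client_data = assertion["client_data"]
    expected_sig = hmac.new(device_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False
    parsed = json.loads(client_data)
    return (
        parsed.get("type") == "webauthn.get"
        and parsed.get("origin") == RP_ORIGIN
        and parsed.get("challenge") == expected_challenge
    )


def demo() -> dict:
    """Constructed scenario: the same user signs in through a proxy page on a lookalike domain."""
    secret = "JBSWY3DPEHPK3PXP"  # constructed TOTP seed
    now = 1_700_000_000
    relayed_code = totp(secret, now)  # victim types the current code into the proxy page...
    totp_relay_accepted = verify_totp(secret, relayed_code, now + 5)  # ...which relays it at once

    device_key = b"\x01" * 32  # constructed stand-in for the authenticator's credential key
    challenge = "c2VydmVyLWNoYWxsZW5nZQ"  # constructed server challenge
    proxied = authenticator_sign(device_key, "https://login.example-secure.com", challenge)
    genuine = authenticator_sign(device_key, RP_ORIGIN, challenge)
    return {
        "totp_relay_accepted": totp_relay_accepted,
        "webauthn_proxied_accepted": verify_assertion(device_key, proxied, challenge),
        "webauthn_genuine_accepted": verify_assertion(device_key, genuine, challenge),
    }


if __name__ == "__main__":
    print(demo())
```

The practical reading: a TOTP or SMS code is a shared secret the user can be talked into handing over, and the server cannot tell a relayed code from a typed one. An origin-bound credential never leaves the device, and the thing the user "hands over" is a signature over the attacker's domain name, which the real site rejects.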

The abundance of leaked SMTP credentials

A force assisting phishing

Recently, cybersecurity firm CloudSEK published a harrowing study that found that thousands of API keys for mailing list software like Mailchimp, Mailgun, and SendGrid had been leaked. The data exposure? 54 million users. These leaks stemmed from various security issues, but half were attributed to poorly built apps submitted to the Google Play Store.

These leaked API keys are a gold mine for hackers. With them, they can use a victim’s mailing list account—which has an SMTP (Simple Mail Transfer Protocol) integration with the victim’s mail provider—to send emails on the victim’s behalf. To the recipient, these emails look convincing. And because mailing list software exposes APIs, hackers can dispatch tens of thousands of emails with a single request.

This is what happened to Namecheap, which was a SendGrid customer. With the stolen API key, hackers targeted Namecheap customers by posing as Namecheap, sending them to a dummy login page and a dummy 2FA page. In the background, an RTPP was accessing the users’ accounts and compromising their domains. This was a particularly nasty hack; with access to a user’s domains, attackers can wreak all sorts of havoc.

These SMTP leaks have enabled hackers to pull off phishing attacks at scale. While many email providers, including Gmail, will flag a sketchy domain the user hasn’t seen before, they cannot easily flag emails from trusted addresses. In fact, they will let trusted senders through spam filters if the user has an existing relationship with them, allowing hackers to deliver convincing spoofed emails.

In short, SMTP enables hackers to fire off phishing schemes en masse and pull off more convincing hacks.
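As an added example (not from the original post or from CloudSEK): a small scanner for the kind of leak described above, run over a constructed strings dump standing in for a decompiled app. The key shapes are approximations of the SendGrid, Mailgun and Mailchimp formats as published in open-source secret-scanner rule sets and are an assumption to re-verify against current vendor documentation; the sample values are made up to fit those shapes and are not real credentials.

```python
import re
from typing import Dict, List

# Approximate key shapes as published in open-source secret-scanner rule sets. Vendors change
# formats over time; treat these as assumptions to re-check, not as a specification.
MAIL_KEY_PATTERNS: Dict[str, re.Pattern] = {
    "sendgrid": re.compile(r"SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}"),
    "mailgun": re.compile(r"\bkey-[0-9a-zA-Z]{32}\b"),
    "mailchimp": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),
}


def redact(secret: str) -> str:
    """Keep enough to triage the finding without copying the whole secret into a log."""
    return secret[:6] + "..." + secret[-4:]


def printable_runs(blob: bytes, min_len: int = 8) -> List[str]:
    """strings(1)-style extraction so compiled artifacts (dex files, shared objects,
    bundled JavaScript) can be scanned, not only source files."""
    return [run.decode("ascii") for run in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def scan_blob(blob: bytes, source: str) -> List[dict]:
    """Report every mail-provider key shape found in the printable strings of an artifact."""
    findings = []
    for index, run in enumerate(printable_runs(blob)):
        for vendor, pattern in MAIL_KEY_PATTERNS.items():
            for match in pattern.finditer(run):
                findings.append({
                    "source": source,
                    "vendor": vendor,
                    "string_index": index,
                    "redacted": redact(match.group(0)),
                })
    return findings


# Constructed stand-in for the strings of a decompiled app; every key below is made up
# to fit the shapes above and is not a real credential.
SAMPLE_DUMP = "\n".join([
    "Ljava/lang/String;",
    "SENDGRID_API_KEY=" + "SG." + "A" * 22 + "." + "B" * 43,
    "mailgun_private=" + "key-" + "abcdefghijklmnopqrstuvwxyz012345",
    "mc=" + "0123456789abcdef" * 2 + "-us6",
    "https://api.example.com/v1",
]).encode()


def demo() -> List[dict]:
    return scan_blob(SAMPLE_DUMP, "classes.dex (constructed)")


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run this against build outputs in CI rather than only against source, since the leak the study describes is a key that survived into the shipped artifact. Any hit is a key to rotate, not just a string to delete; the copy already in the published app stays valid until the vendor revokes it.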

The sweetened pie: integration exploits

Integrations are a great thing, especially for B2B applications, because they let users connect their stack together. Nowadays, integrations are table stakes for any venture-funded B2B company. Unfortunately, integrations also create a wasp’s nest of vulnerabilities, and one of the attacks they invite is phishing.

Taking a step back, integrations create four attackable surfaces. An integration connects two products, and each product can be breached at two points: the API gateway and the employees who hold access to it. The latter is a surface for phishing. Since most APIs don’t support IP allow-lists because callers use floating IPs (or they do support them, but customers seldom use them), a stolen API key can let a hacker silently siphon data out of an integration.

To be clear, this doesn’t make phishing easier or harder—it’s just a different surface. But it does sweeten the pie for hackers. Employees have access to API keys, and because API keys can let hackers steal data or extort the company, employees are targeted for those keys. Unfortunately, this isn’t hypothetical. It’s actually happening.

One of the worst cases was Dropbox. Dropbox was breached via a phishing scheme in which the attacker phished both a password and a hardware-key authentication token. The damage? Over 130 GitHub repositories were accessed, most of them containing API credentials.

In short, integrations give one organization programmatic access to its account on another system, and with a stolen key hackers can accomplish a lot. To protect against this, companies should not store secrets in plain text or transmit them over everyday tools like Slack; secrets management platforms (e.g., Doppler) for API keys and relay encryption platforms (e.g., Evervault) for OAuth tokens help minimize the damage should an employee get phished.

The latest—GPT generated scams (and protection)

While a lot of business is conducted in English, many attackers don’t use English as their first language—we’ve all seen phishing scams written in very poor English. Accordingly, a lot of phishing schemes were immediately flagged because of their poor grammar. With GPT, though, attackers can produce convincing emails in whatever language they want, even one they don’t speak.

Even worse, GPT can be used to dynamically generate phishing emails, making it easier to A/B test which copy works best. Plus, with varied emails instead of canned templates, hackers can reduce the odds that their messages are flagged as spam.

There is some good here, though. GPT will be tapped by anti-phishing software to warn employees of phishing attacks, which is definitely a positive. However, nobody has managed this reliably yet: in early tests, GPT was able to flag phishing emails but also often flagged legitimate emails as phishing, which hurts its effectiveness.

Closing thoughts

Phishing is growing. Leaked API keys for products with SMTP access have made phishing easier. GPT lets hackers around the world target more businesses. MFA has made other attacks harder, while API keys have increased the reward for a successful one. It’s simply not surprising that phishing is growing.

While some of these attacks might be really convincing, they could be stopped by training employees on how to spot (a) fake emails, (b) sketchy imitated domains, and (c) fake MFA token requests. Of course, businesses can also deploy additional techniques like time-based access controls to minimize the damage if an employee is successfully phished.
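As an added example (not code from the original post or from any of the products named): the server side of an integration API hardened so that a phished key is worth less, which ties the stolen-key scenario from the integrations section to the time-based access controls mentioned just above. The store keeps only a hash of the key, scopes it to specific actions, binds it to an IP allow-list where the caller's addresses are fixed, and gives it an expiry. The key format, scopes, addresses and timestamps are constructed.

```python
import hashlib
import ipaddress
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, Tuple


@dataclass
class ApiKeyRecord:
    key_hash: str            # SHA-256 of the raw key; the raw key itself is never stored
    scopes: FrozenSet[str]   # least privilege: the only actions this key may perform
    allowed_nets: Tuple      # caller IP allow-list; an empty tuple means "not enforced"
    expires_at: datetime     # time-bound: a leaked key stops working on its own
    revoked: bool = False


def _hash_key(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode()).hexdigest()


class KeyStore:
    """Constructed integration-side key store; not any vendor's implementation."""

    def __init__(self) -> None:
        self._records: Dict[str, ApiKeyRecord] = {}

    def issue(self, scopes: Iterable[str], allowed_cidrs: Iterable[str],
              ttl: timedelta, now: datetime) -> str:
        raw_key = "ak_" + secrets.token_urlsafe(32)  # constructed key format
        record = ApiKeyRecord(
            key_hash=_hash_key(raw_key),
            scopes=frozenset(scopes),
            allowed_nets=tuple(ipaddress.ip_network(c) for c in allowed_cidrs),
            expires_at=now + ttl,
        )
        self._records[record.key_hash] = record
        return raw_key  # shown to the customer once; afterwards only the hash survives

    def revoke(self, raw_key: str) -> None:
        record = self._records.get(_hash_key(raw_key))
        if record is not None:
            record.revoked = True

    def authorize(self, raw_key: str, scope: str, caller_ip: str, now: datetime) -> str:
        """Return 'ok' or the first reason the request is denied. Each check removes one
        thing a phished key would otherwise buy the attacker."""
        record = self._records.get(_hash_key(raw_key))
        if record is None:
            return "unknown_key"
        if record.revoked:
            return "revoked"
        if now >= record.expires_at:
            return "expired"
        ip = ipaddress.ip_address(caller_ip)
        if record.allowed_nets and not any(ip in net for net in record.allowed_nets):
            return "ip_not_allowed"
        if scope not in record.scopes:
            return "scope_denied"
        return "ok"


def demo() -> Dict[str, str]:
    """Constructed scenario: one read-only key, then the same key used from the wrong place,
    for the wrong action, too late, and after revocation."""
    now = datetime(2023, 9, 20, tzinfo=timezone.utc)
    store = KeyStore()
    key = store.issue(scopes={"contacts:read"}, allowed_cidrs=["203.0.113.0/24"],
                      ttl=timedelta(days=7), now=now)
    results = {
        "legit": store.authorize(key, "contacts:read", "203.0.113.10", now),
        "from_elsewhere": store.authorize(key, "contacts:read", "198.51.100.7", now),
        "scope_creep": store.authorize(key, "contacts:export", "203.0.113.10", now),
        "after_expiry": store.authorize(key, "contacts:read", "203.0.113.10", now + timedelta(days=8)),
        "unknown": store.authorize("ak_not-a-real-key", "contacts:read", "203.0.113.10", now),
    }
    store.revoke(key)
    results["revoked"] = store.authorize(key, "contacts:read", "203.0.113.10", now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>14}: {outcome}")
```

Where a customer's callers really do have floating IPs, leave the allow-list empty; the scope and expiry checks still apply, and a shorter TTL is the cheapest way to limit how long a key lifted from an employee's chat history stays useful.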
