The State of the Phish:

Improving cyber-resilience

Threat actors have found new and convincing ways to separate people from their credentials and open the door to your organization. Read on to find out how to stop these attacks and protect your people.

The State of the Phish:

IMPROVING CYBER-RESILIENCE

MATT COOKE
Director,
Cybersecurity
Strategy, Proofpoint

ANDREW ROSE
Resident CISO,
EMEA, Proofpoint

THREAT UPDATE ACCOUNT COMPROMISE

Just as night follows day, cybercriminals get more creative with every passing year. In 2022, they focused their creativity firmly on the identities of your users.

In the face of greater adoption of security controls like multifactor authentication (MFA), threat actors had to find new and convincing ways to separate people from their credentials or convince them to unwittingly open the door to your organization by other means.

The result is a rapid rise in sophisticated identity-focused threats like MFA bypass and telephone-oriented attack delivery (TOAD), with the ultimate goal of account compromise.

What’s telephone-oriented attack delivery (TOAD)?

In a TOAD attack, targets receive a message often containing a fake invoice or alert. The message also contains a customer service number for anyone with questions.

If the victim calls the number, they find themselves on the line with a cyber attacker.

At its peak last year, Proofpoint recorded over half a million attempted TOAD and MFA bypass attacks every day. So, it’s little wonder that account compromise was cited as a top concern by over a third of board members, behind only business email compromise (BEC).

Threats of this nature give cybercriminals a huge advantage, allowing them to circumnavigate protections that, up to now, have been trusted by many to protect users from common threats like phishing and credential theft. And once inside your organization, the veil of trust and privilege afforded by ‘legitimate’ accounts only serves to make matters much worse.

As always, tools and protocols can only do so much, so sustainable security habits are crucial. To avoid handing over the keys to your accounts, networks and data, every user in your organization must have the knowledge to detect and deter threats to their identity.

Inside MFA bypass and TOAD attacks

MFA bypass and TOAD attacks have made waves across the threat landscape, delivering a wake-up call to anyone still of the belief that protections such as multifactor authentication are a cybersecurity silver bullet.

While we have seen MFA bypass attacks in the past, its relatively recent adoption by phishing-as-a-service providers puts it in the hands of almost anyone, for less than the price of a coffee.

Whether buying off-the-shelf or launching direct, cybercriminals can bypass MFA protections in a number of ways.

Many threat actors rely on fatigue, using compromised credentials to repeatedly request access to an account.

The unwitting victim then receives multiple requests to authenticate the attempted sign-in. The hope is that after enough requests, the victim will accept the prompt just to stop the barrage of messages. Unfortunately, many do.

Another method popular among phishing kits allows a threat actor to adversary-in-the-middle a browser session and capture usernames, passwords, and, most importantly, the session cookie. This cookie is then used to gain access to the targeted account without the need for an MFA token.

A slight saving grace is that, in both cases, cybercriminals must already have access to a compromised set of credentials. Unfortunately, when it comes to TOAD attacks, all they need is a victim’s phone number.

The target phone receives a fake invoice or time-sensitive alert, compelling them to call a customer service number for more information. Once on the line, they are issued further instructions, usually to download malware, sign in to an account via a spoofed page, enable remote access or transfer money.

As this style of attack puts cybercriminals in direct contact with potential victims, and doesn’t rely on the intermediary of malware or a malicious URL to be clicked, security awareness and education is the only thing standing in the way of account compromise and a raft of subsequent threats.

Account compromise – the cyber skeleton key

Legitimate credentials are among the most highly prized targets of today’s cybercriminals – and it’s not hard to see why. Once an account is compromised, threat actors get access to a treasure trove of information that can be used to profile victims and pursue further mischief, from inboxes and calendars to corporate directories and company files.

So, as well as exfiltrating data, threat actors can use their new-found insider knowledge to change settings and permissions to avoid detection, intercept customer and supplier communications to launch additional attacks such as invoice fraud, drop ransomware payloads and target other legitimate accounts to inflict further damage. Unfortunately, the list goes on and on.

With such a bounty on offer, it’s little wonder that cybercriminals are constantly honing their techniques to trick and defraud unwitting victims. And, once again, from phishing and password spraying to keyloggers and other malware, most are available to anyone with some ill will and a few dollars.

To compound matters further, you can still experience this kind of attack even if your credentials and identities remain safe and secure.

Should one of your suppliers fall victim to an MFA bypass, TOAD attack, or any other type of account compromise, threat actors can very simply intercept existing email chains, amend payment information and defraud both organizations in the process – not to mention causing lasting damage to your working relationship. Almost 70% of companies experienced this style of supply chain attack in the past 12 months.

Building an identity focused defence

Tools, protocols and other protections are an absolute requirement when defending against any method of cyber attack. But as the techniques described above go to show, they cannot be relied upon entirely. When it comes to protecting identity, the person behind that identity can very quickly become your last line of defence. And they must be equipped for the size of that task.

So, any effective defence requires visibility into those people and their behaviours. You must first understand who is most likely to face these threats, so you can apply identitycentric policies to your high-risk users.

You also need visibility into how they work, allowing you to spot suspicious activity and anomalies and block access from risky locations. Finally, while they are no panacea, every organization should implement and enforce granular access control such as MFA, browser isolation and VPN use.

But understand that this alone is not enough. Regular, companywide security awareness training, tailored to the threats of the day, is the only way to equip users with the skills to stop suspicious communications before they open the door to your organization, its people and its data.

WHEN IT COMES TO PROTECTING IDENTITY, THE PERSON BEHIND THAT IDENTITY CAN VERY QUICKLY BECOME YOUR LAST LINE OF DEFENCE

Download our

2023 STATE OF THE PHISH

Download report

Read our blog covering

A REAL TOAD ATTACK

Proofpoint
POWER SERIES

Powering up the security community to protect people and defend data.

Hear from our guest speakers and get the latest cybersecurity insights from our experts in our POWER Series of monthly webinars.

Watch on-demand