What do phishers, scammers, and other criminals on the Internet want? Increasingly, they want user credentials. One effective way to collect user credentials is through massive phishing campaigns. Credential phishing schemes continue to increase each year and target almost everyone. The number of phishing attacks overall exceeds all other threats by a significant margin. Microsoft reports that in 2021 it blocked over 710 million phishing emails in its Exchange Online mail service (Microsoft Digital Defense Report).
People often ask security professionals why they continue to see phishing messages in their mailboxes. Companies pay for security products and hire IT professionals to filter out unwanted and malicious email. Unfortunately, the techniques that attackers use to deliver phishing messages continue to evolve (Microsoft Digital Defense Report). Filtering works by requiring email to meet certain conditions. For instance, email from a known-bad sending domain will be blocked. To get around this, phishers can simply register new domains or compromise other organizations' domains, and those messages will then bypass the filter. An incredibly effective technique for attackers is simply to compromise a trusted user at a company and then send phishing messages from that user's account. Most email security protects organizations from external email, not from internal email.
If we receive so much phishing and we can't stop all of it, what is the impact? A user clicks a link in an email and then enters their organizational account credentials. Verizon observed that 35% of major cybersecurity incidents happen this way. From there, the phisher will likely sell the credentials they obtain to another party. That person or eCrime organization will then begin trying to use all the credentials they can collect to take over an organization's IT systems. If they succeed, they will copy all the organizational data and encrypt everything, leading to financial extortion (Data Breach Investigations Report).
What about the education industry specifically? What are we facing? Verizon observed over 1200 significant cybersecurity incidents in 2021, with almost 300 of those resulting in a confirmed data breach. Most of these attackers were from outside the organization. Their main motivation in almost every case was financial gain. Importantly, Verizon also notes that the most frequently stolen data in these cases was user credentials, at over 60% of all data disclosures in North America for 2021 (Data Breach Investigations Report).
Why do attackers want these credentials so badly? Many organizations have traditional cybersecurity defenses: networks protected by firewalls and antivirus applications on their devices. With stolen credentials, attackers can bypass most of this traditional security and obtain direct access to the organization. Increasingly, they don't need to build malicious applications or employ very technical methods to obtain access to organizational resources and data (Global Threat Report). Of all the detections measured by the security company Crowdstrike in the last quarter of 2021, over 60% were attacks with no malware involved. Instead, hands-on-keyboard attacks are growing in prevalence, with financially motivated threat actors working their way through organizational defenses interactively (Global Threat Report).
Attackers favor credential-based attacks for more than just getting in. Once inside an organization, they can be difficult to detect because they are using stolen legitimate access. They can use tools and software already present in the environment to conduct their attacks, which helps them avoid detection (Global Threat Report). Of all the attacks that Crowdstrike observed in 2021, 80% involved an attack on identity and attempted to use stolen credentials to further the intrusion (Global Threat Report).
What can we do? User awareness is a critical step. Organizational members need to understand how aggressively their access is being targeted and how valuable it is to attackers. In many cases it is the skeleton key that allows attackers to bypass a large share of the protections the organization has in place. People need to follow good password practices, use MFA, and report suspicious activity on their account immediately. Accounts that are no longer in use should be disabled or removed. Care should be taken when granting access to systems. Organizational awareness training is important in this area, in addition to effective organizational policies and practices. We need security tools and technologies to protect the organization, but increasingly we need people too (Ransomware Threat Report). Technology alone won't protect our data and our technology within organizations.
References
Data Breach Investigations Report. Verizon, 2022.
Microsoft Digital Defense Report. Microsoft, 2022.
Global Threat Report. Crowdstrike, 2022.
Ransomware Threat Report. Palo Alto Unit 42, 2022.
Need to report an IT security event or incident?
To report, please submit a ticket here: Report an IT Security Incident, or call the IT Service Desk at (585) 395-5151 Option 1.