New research shows extent of ‘polymorphic’ email phishing campaigns
We’re deluged by emails on a daily basis; many of which are not in good faith. Many others, like the old-fashioned telephone game, are passed down from scammer to scammer, changed a little here, and then sent to users’ inboxes.
According to new research from phishing prevention provider Ironscales, more than two in five (42%) email phishing attacks are polymorphic, with some attacks undergoing more than 500 permutations.
Polymorphism, as the name suggests, occurs when an attacker makes a small yet significant change to the content of a particular email, such as content, copy, subject line, or sender name. The approach can give nefarious actors an opportunity to trick signature-based email security tools, giving attacks a second wind with a slight modification.
According to the analysis, of more than 11,000 email phishing attacks that underwent at least one permutation, less than 7% of attacks went through more than 50 permutations. Almost 70% underwent 10 modifications or fewer, while 96 attacks underwent between 251 and 521 permutations.
The challenge for security operations centres (SOC) and IT security teams, therefore, is not only how to get past these challenges, but how to stop it from becoming a major time sink. Ironscales notes that use of AI and machine learning, to cluster similar attacks together, has been a help in some regard. Yet the stakes remain high.
“Polymorphic email phishing threats represent an incredibly difficult challenge for SOC and IT security teams to overcome,” said Eyal Benishti, founder and CEO at Ironscales. “Just as security personnel think that they may have a phishing threat under control, attackers can augment the artefacts to give the message an entirely new signature, thereby enabling what is for all intents and purposes the same malicious message to bypass the same human and technical controls that might have stopped a previous version of the attack.”
Naturally, Ironscales has a solution to this particular problem, in the shape of multi-layered phishing threat protection. With its platform, the company promises a ‘unique’ collaboration between human intelligence and machine learning and artificial intelligence. Yet there is an interesting question afoot: should more time be spent on the end user training side, or more budget spent on automation and trying to stop attacks at source?
An Oracle report last month argued that for better enterprise cybersecurity, the answer should not lie in hiring great talent or more solid training. The reason – as told in the report ‘Security in the Age of AI’ – was that humans, no matter how trained, will succumb to error, which is simply not good enough in the current age of cyber threats.
Writing on May 29, Brian Krebs found a particularly interesting angle. One company he recently met admitted to terminating employees for repeatedly failing phishing tests. Many industry watchers, as Krebs noted, felt this action was too harsh, even in an industry such as finance where mistakes matter more than most. If you want to go down the training route, do it properly rather than play ‘gotcha’ with your employees, argued John LaCour, founder and CTO at PhishLabs.
“Each phishing simulation program needs to be accompanied by a robust training program, where you teach employees what to do when they see something phishy – otherwise, it just creates resentment among employees,” said LaCour.
Interested in hearing industry leaders discuss subjects like this and sharing their use-cases? Attend the co-located IoT Tech Expo, Blockchain Expo, AI & Big Data Expo and Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam and explore the future of enterprise technology.
- » How global cybercrime is an ‘efficient and global’ operation – and what needs to be done about it
- » A roadmap to Zero Trust for SMBs: Keeping security solid while moving swiftly
- » Samsung SDS EMM attains NIAP Common Criteria certification
- » Why passwords are the weakest defence in a Zero Trust world
- » Myth-busting mobile in the enterprise: Day two support is the same as other IT resources