By Salvatore Stolfo, PhD
A crisis like the global COVID-19 pandemic can bring out the best in people. All over the world, we’ve witnessed acts of bravery and kindness from everyone from doctors and nurses to grocery store workers, restaurant owners, and teachers. We’ve even seen businesses completely reconfigure their production models on a dime to assist in the effort to make needed items such as masks, gowns, and hand sanitizer.
Unfortunately, crises also have a tendency to embolden the opportunists, such as cybercriminals looking to make a quick profit from stolen data. Bad actors are already launching schemes to prey on the confusion and fear around the coronavirus pandemic. And with millions of people suddenly working or taking classes from their homes, or looking for a new job online due to massive layoffs, it’s never been easier for hackers to achieve their nefarious goals. Remote workers and students are now visiting websites without the protection of a corporate or campus security perimeter, putting them at greater risk of becoming the target of a phishing scheme.
As more and more transactions are forced to move online due to stay-at-home orders, expect to see a rise in phishing activity. Barracuda Networks, for example, reported a 667% increase in coronavirus-related phishing scams during the month of March. In many cases, adversaries send highly convincing emails claiming to offer information about the coronavirus. The emails include URLs masquerading as websites belonging to legitimate organizations. These scams prey on the fear and need for up-to-date, reliable information that many people are feeling right now.
Phishing has been around for decades, and there’s one big reason for that: it works. Without much money or technical knowledge, hackers can acquire all the tools they need to scrape a legitimate website and set up a highly convincing spoof site. Some tools available on the Dark Web allow hackers to bypass the two-factor authentication (2FA) that many websites rely on to protect their users’ credentials. And a growing number of spoof sites are served over HTTPS with a valid SSL/TLS certificate, meaning that users can’t rely on the padlock alone to determine whether a site is safe. We’ve now reached a point where even the trained eye has trouble telling a real URL from a spoof.
A VPN does not protect consumers from phishing, either. A VPN tunnel simply delivers the same data and content, spoof URLs included, to the user’s browser, and those URLs still lead to malicious sites.
Businesses with customer-facing websites must take more proactive steps now to improve the way they detect and respond to phishing attacks. When the target is your customers, your brand’s reputation and trust relationship with them are at risk. Phishing attacks harm customers, but they also have the potential to devastate the companies whose websites are spoofed. A recent study by RSA showed more than half of respondents said they blamed companies, not hackers, for data breaches.
Protecting your customers, especially at a time when fear and uncertainty are high and people are more vulnerable to cybercrimes, must be a top priority. A robust anti-phishing strategy considers the tactics used in today’s sophisticated phishing schemes, such as social engineering, email, and the fundamental building block of this attack vector: the spoof website. Detecting these malicious websites requires a better approach that extends beyond domain monitoring, 2FA or email filtering. These are all subject to human error, and hackers have developed workarounds to counteract their benefits.
A better way to stop phishing in its tracks is to use deception technology that is both painful to the attacker and provides actionable data for security teams. The idea is to leave digital “bread crumbs” behind on your customer-facing website, so that if it does get spoofed, the hacker copies these little bits of code along with the rest of your pages. These lines of code, or beacons, trigger an alert as soon as the spoof site goes live. Security response teams can then flood the fake site with highly believable decoy credentials. This leaves the fraudster in doubt about what was really stolen, making it hard to discern what is real and what is fake.
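The beacon idea described above, as an added example that is not code from the original article or from Allure Security’s product: a small script a site owner embeds in their own pages. If the page is scraped and rehosted on a lookalike domain, the copied script runs on the clone and reports the unexpected hostname to a collector the owner controls; a server-side helper then turns that report into an alert. The domain names, the collector URL and the alert format are assumptions made for the example.

```javascript
// Added example (not the article's or Allure Security's code): a site-owner
// "web beacon" that phones home only when the page is served from a host
// other than the legitimate site, i.e. from a scraped copy.

// Hostnames the owner legitimately serves this page from (assumed names).
const LEGITIMATE_HOSTS = new Set(['example-bank.com', 'www.example-bank.com']);

// True when the page is running somewhere it should not be.
function isUnexpectedHost(hostname, allowed = LEGITIMATE_HOSTS) {
  return !allowed.has(String(hostname).toLowerCase());
}

// Build the report the beacon sends: only what is needed to confirm and
// locate a clone (where the copy is hosted, which page), no visitor data.
function buildBeaconReport(loc, referrer, now = Date.now()) {
  return {
    kind: 'spoof-beacon',
    host: loc.hostname,
    path: loc.pathname,
    referrer: referrer || '',
    observed_at: new Date(now).toISOString(),
  };
}

// Browser entry point. Returns the report it sent, or null when the page is
// on a legitimate host and nothing is sent.
function runBeacon(win, endpoint) {
  if (!isUnexpectedHost(win.location.hostname)) return null;
  const report = buildBeaconReport(win.location, win.document.referrer);
  const body = JSON.stringify(report);
  if (win.navigator && typeof win.navigator.sendBeacon === 'function') {
    // sendBeacon survives page unload and does not block rendering.
    win.navigator.sendBeacon(endpoint, body);
  } else if (typeof win.fetch === 'function') {
    win.fetch(endpoint, { method: 'POST', body, keepalive: true, mode: 'no-cors' })
      .catch(() => {});
  }
  return report;
}

// Collector side (assumed alert pipeline): decide whether a received report
// is a real clone sighting and shape it into an alert record.
function classifyReport(report, allowed = LEGITIMATE_HOSTS) {
  if (!report || report.kind !== 'spoof-beacon') {
    return { alert: false, reason: 'not a beacon report' };
  }
  const host = String(report.host || '').toLowerCase();
  if (!host || allowed.has(host)) {
    return { alert: false, reason: 'legitimate host' };
  }
  return {
    alert: true,
    severity: 'high',
    spoofHost: host,
    path: report.path || '',
    observedAt: report.observed_at || '',
  };
}

// Only runs inside a browser; harmless when the file is loaded in Node.
if (typeof window !== 'undefined') {
  runBeacon(window, 'https://beacon.example-bank.com/report'); // assumed collector URL
}
```

A cloner who strips scripts from the scraped pages silences this beacon, so in practice owners spread several bread crumbs of different kinds: alongside the script, an image or stylesheet fetched from a unique URL on the legitimate server will show up in that server’s logs with the clone’s address in the Referer header, which gives the response team a second, script-free signal.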
It’s up to all of us in these challenging times to stay vigilant, take care of one another, and commit to protecting vulnerable people from becoming victims of digital fraud. We have enough to worry about, without fretting over hackers having a field day by capitalizing on fear. It is the responsibility of organizations to ramp up protections and ensure that none of their customers end up the unwilling target of opportunists.
About the author
Dr. Salvatore Stolfo is the founder and CTO of Allure Security. As a professor of computer science at Columbia University since 1979, Dr. Stolfo has spent a career figuring out how people think and how to make computers and systems think like people. Dr. Stolfo has been granted over 90 patents and has published over 250 papers and books in the areas of parallel computing, AI knowledge-based systems, data mining, computer security, and intrusion detection systems. His research has been supported by numerous government agencies, including DARPA, NSF, ONR, IARPA, AFOSR, ARO, NIST, and DHS. He was recently elevated to IEEE Fellow for his contributions to machine learning applied to computer security and ACM Fellow for his contributions to machine-learning-based cybersecurity and parallel hardware for database inference systems.