In the world of security oldies-but-goodies, nothing beats phishing. It’s a problem that goes back to the early days of the mass-online world.
The term “phishing” dates back to 1995 in the malware “AOHell,” which included “a fisher [sic] that allows a user to pose as an AOL official and ask new members for passwords or credit-card numbers.” (The 1995 reporter can be forgiven for thinking that “ph” must have been a mistake.) Twenty-eight years later, impersonation on the Internet is still an effective technique, even though everyone knows it’s widespread, and a lot of effort has gone into thwarting it.
Consider Figure 1, collected by security researcher Eric Lawrence, who blogs about these and other matters on his site.
This is exactly the kind of attack that works against corporate websites. There’s nothing obviously wrong with it, unless you look carefully at the domain name in the URL. Notice that the lock icon is there, proving that there’s a TLS certificate that identifies the site and is owned by whoever controls service7-coinbase.com. The lock icon has never proved anything more than that. (Another point worth making is that there’s nothing Coinbase can do about it.)
2FA May Not Help
The same thing can happen with your corporate domain. If you don’t look carefully enough, you might enter your credentials, and the phishing site will capture them. Hopefully your IT department is responsible and has instituted 2-factor authentication, but this may not save you.
In the simplest scenario for getting around it, the attackers log into the real corporate site from their own systems as you type the username and password into the phishing site. The phishing site then shows you a field to enter the code you’ll receive by text message or from your authenticator app. The attacker then takes the code, enters it on the real site to complete the login, and shows you a misleading error message. Software to perform this attack is for sale. Microsoft calls it an Adversary-in-the-middle (AiTM) phishing kit.
Some systems allow you to approve a login from a computer with the authenticator app, but with no need to enter a code. The app asks if you’re trying to log in. You may just click yes, letting the attacker in under the scenario above. The app may also give a geographic clue about the system logging in, so if you and your phone are in New York and the authenticator says that the user is trying to log in from Novosibirsk, you might suspect foul play.
The attackers can send an email with the same phishing link to many people in the company. If just one takes the bait, they have access to the corporate network, from which they can, for example, move laterally to other systems and users to launch a ransomware attack.
So What Does Work?
These days, the gold standard for authentication is the physical security key built to the FIDO2 specification from the FIDO Alliance and the WebAuthn specification from the W3C (the World Wide Web Consortium), through which web applications can strongly authenticate users. Systems that use these specifications are immune to the schemes described above.
FIDO was designed for physical security keys like those from Yubico. But you can also use an iOS or Android device, typically your phone, as a FIDO token. The link in the previous sentence is to Google’s instructions for your Google account, but the process will be similar for any vendor. You must establish a Bluetooth connection between the phone or key and the desktop or laptop system, and the authentication then happens directly between them, with no action needed from the user.
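Why the AiTM relay from the previous section fails against WebAuthn is easier to see in code than in prose. The following is an added example, not code from the article or from the FIDO Alliance or W3C specifications: a toy model in which a relying party (the real site), a browser and an authenticator exchange a WebAuthn assertion, and an AiTM proxy serving the real site’s challenge from a look-alike domain tries every path open to it. The model is simplified in ways that are labelled in the code: the private-key signature is stood in for by an HMAC, authenticator data is reduced to the RP ID hash, and the domain names (example.com, service7-example.com) are constructed sample values.

```python
"""Toy model of WebAuthn origin binding, added as an example here (not code from
the original article). It plays the AiTM relay described above against a
FIDO2/WebAuthn login and shows why the relay fails: the authenticator signs
over the RP ID hash and the browser-supplied origin, so a challenge relayed
through a look-alike domain never verifies at the real site.

Assumptions: the private-key signature is stood in for by an HMAC keyed with
a per-credential secret that the relying party also stores (a real RP stores
only the public key); authenticator data is reduced to the RP ID hash; and
the domain names are constructed sample values."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://login.example.com"      # constructed sample value
PHISH_ORIGIN = "https://service7-example.com"  # constructed look-alike domain


def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()


class Authenticator:
    """Holds one credential per RP ID, created at registration time."""

    def __init__(self):
        self.credentials = {}  # rp_id -> credential secret (stand-in for a private key)

    def register(self, rp_id):
        self.credentials[rp_id] = secrets.token_bytes(32)
        return self.credentials[rp_id]

    def sign(self, rp_id, client_data_hash):
        """Sign authenticatorData || clientDataHash; None if no credential for rp_id."""
        key = self.credentials.get(rp_id)
        if key is None:
            return None
        return hmac.new(key, rp_id_hash(rp_id) + client_data_hash, hashlib.sha256).digest()


def browser_get_assertion(auth, page_origin, requested_rp_id, challenge):
    """Model of navigator.credentials.get(). The browser, not the page, writes the
    origin into clientDataJSON, and it refuses an RP ID that the page's host does
    not equal or sit under (the registrable-suffix rule)."""
    host = page_origin.split("://", 1)[1]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise PermissionError(f"{page_origin} may not claim RP ID {requested_rp_id}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}, sort_keys=True)
    signature = auth.sign(requested_rp_id, hashlib.sha256(client_data.encode()).digest())
    if signature is None:
        raise LookupError(f"no credential registered for RP ID {requested_rp_id}")
    return {"client_data": client_data,
            "authenticator_data": rp_id_hash(requested_rp_id),
            "signature": signature}


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin, self.key = rp_id, origin, None

    def register(self, auth):
        self.key = auth.register(self.rp_id)

    def new_challenge(self):
        return secrets.token_urlsafe(32)

    def verify(self, challenge, assertion):
        """The checks WebAuthn requires of an RP: type, challenge, origin, rpIdHash, signature."""
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False
        if cd.get("origin") != self.origin:  # origin binding: the relayed assertion dies here
            return False
        if assertion["authenticator_data"] != rp_id_hash(self.rp_id):
            return False
        cd_hash = hashlib.sha256(assertion["client_data"].encode()).digest()
        expected = hmac.new(self.key, assertion["authenticator_data"] + cd_hash, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def legitimate_login(rp, auth):
    challenge = rp.new_challenge()
    return rp.verify(challenge, browser_get_assertion(auth, rp.origin, rp.rp_id, challenge))


def aitm_relay_login(rp, auth, phishing_origin):
    """The AiTM proxy fetches a real challenge from rp and serves it from the phishing
    page. Returns what happened on each path the proxy could try."""
    challenge = rp.new_challenge()
    phishing_host = phishing_origin.split("://", 1)[1]
    outcome = {}
    try:  # 1. phishing page asks the browser for the real site's RP ID
        browser_get_assertion(auth, phishing_origin, rp.rp_id, challenge)
        outcome["claim_real_rp_id"] = "assertion produced"
    except PermissionError:
        outcome["claim_real_rp_id"] = "browser refused"
    try:  # 2. phishing page asks for its own host as RP ID
        browser_get_assertion(auth, phishing_origin, phishing_host, challenge)
        outcome["own_rp_id"] = "assertion produced"
    except LookupError:
        outcome["own_rp_id"] = "no credential"
    # 3. even with a credential for the phishing host, the relayed assertion fails at rp
    auth.register(phishing_host)
    relayed = browser_get_assertion(auth, phishing_origin, phishing_host, challenge)
    outcome["relayed_verifies"] = rp.verify(challenge, relayed)
    return outcome
```

Running `legitimate_login` after registering the authenticator with the relying party returns True, while `aitm_relay_login` returns `{"claim_real_rp_id": "browser refused", "own_rp_id": "no credential", "relayed_verifies": False}`: the proxy can relay the challenge, but it cannot make the browser attach the real origin or make the authenticator sign for an RP ID it was never registered with, and the relying party rejects anything signed for the wrong origin. That is the property the text means by “immune,” and it is why the username, password and one-time-code relay from the earlier section has no WebAuthn counterpart.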
If your phone is your key and you try to log in from it directly, then you probably have to fall back to the authenticator method above, although there are physical keys that can act as a key for a phone.
AI to the Rescue?
Experts can be pretty good at noticing the signs of impersonation. Not everyone can be an expert, but they can have one on their side. We can expect browsers and security software to apply AI to this task, and it could do at least as well as expert humans.
A human might see the visible aspects of the webpage, but the security software can see the email headers, the entire HTML page, all the domains it came from and links to, the exact contents of the TLS certificate, and more. It will probably have enough information to report phishing attacks automatically to relevant authorities.
The ceiling for AI capabilities against phishing is high. Of all the fields that ChatGPT has impressed us with, its software development and security abilities are at or near the top. This also means, as has already been reported, that AI can be used to generate newer and better phishing attacks, but an AI defense should still have the advantage.
If it works, you can expect Microsoft to incorporate it soon, as the company has been among the vendors most aggressively incorporating AI into their products.
It Really Can Happen to Anyone
Phishing only happens to other people, you say? Wrong—phishing even happens to sophisticated tech companies. A recent Cloudflare blog on “How To Stay Safe from Phishing” provided a list of victims, including Reddit, Twilio, and even Cloudflare itself.
The tips and guidelines in the article are noteworthy for having been the same anti-phishing tips and guidelines we’ve seen for more than two decades. Phishing continues to be an effective method of attack because people have trouble following those guidelines. You have to be aware of them all the time and inherently trust nothing that comes into your inbox, and nobody wants to live that way.
FIDO is here for you to implement and use, and it can solve a big part of the problem. Perhaps AI will take up the task and tip the scales in our favor. In the meantime, take a more careful look at the address bar.