
Is phishing inevitable?

by Sébastien Saez

Before getting to the heart of the matter, let's start by defining the term: "phishing" refers to a technique used by fraudsters to obtain personal information or deploy malware within the victim's infrastructure.

The aim of this article is not only to characterize its evolution over time, but above all to identify areas for improvement that companies can work on to reduce the impact of this type of attack.

If we go back in history, we can find traces of the concept of email phishing as far back as 1987 (!!!). So why haven't we been able to put a stop to phishing for over 30 years?

Phishing attacks have evolved to keep pace with the evolution of our information systems. From simple email spoofing to the most creative techniques, phishing is a practice designed to last. The fact that the techniques used are often based on legitimate tools doesn't help to limit the impact of these attacks. Recently, for example, phishing attacks have abused Google Translate's "Translate this site" feature to avoid being blocked by a proxy. In fact, very few companies have banned the use of Google Translate on any of their machines.

A few years ago, a technique based on "Punycode" was widespread. Punycode is a special encoding that converts Unicode characters in different languages into ASCII. It enables a domain name containing non-Latin characters to be correctly transcoded into a DNS-compliant address. Cybercriminals used this technique to create phishing pages, as most modern browsers correctly handle national domain names, but do not convert them to the Latin alphabet when displaying them in the address bar. Fraudsters could therefore mislead users by creating websites with URLs similar to those of well-known companies. For example, the domain coca[.]com typed in Cyrillic letters is transcoded as xn--80a1aib.com; unfortunately, the browser address bar did not previously display the transcoded form with its xn-- prefix. Users therefore thought they were browsing coca[.]com, when in fact they were being redirected to a fraudulent URL! (see image below). Fortunately, all browsers now display the "xn--" prefix, so there's no need to check the certificate to see if the site is legitimate.

Example of punycode: on the left the real coca.com website and on the right its punycode version.
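
To make the coca[.]com case concrete, here is an added example (not part of the original article) that decodes `xn--` labels with Python's built-in `punycode` codec and flags labels whose non-Latin letters collapse to a watched name. The confusables map and `WATCHED_LABELS` are small constructed assumptions, and the function names are hypothetical.

```python
import unicodedata

# Constructed, deliberately small Cyrillic -> Latin lookalike map (assumption).
# A production check would use the full Unicode confusables data instead.
CONFUSABLES = {"а": "a", "с": "c", "о": "o", "е": "e",
               "р": "p", "х": "x", "у": "y", "і": "i"}

# Hypothetical watch list of labels the organisation wants to protect.
WATCHED_LABELS = {"coca"}


def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label (xn-- labels are Punycode)."""
    if label.lower().startswith("xn--"):
        return label[4:].lower().encode("ascii").decode("punycode")
    return label


def scripts(text: str) -> set:
    """Scripts used by the letters in text, read from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}


def skeleton(text: str) -> str:
    """Replace known lookalike letters with their Latin counterpart."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text.lower())


def assess_host(host: str) -> dict:
    """Decode every label of a hostname and list homograph indicators."""
    findings, decoded_labels = [], []
    for label in host.rstrip(".").split("."):
        try:
            decoded = decode_label(label)
        except UnicodeError:
            findings.append("malformed-punycode")
            decoded = label
        decoded_labels.append(decoded)
        used = scripts(decoded)
        if len(used) > 1:
            findings.append("mixed-script")
        # Only non-Latin labels that imitate a watched name are lookalikes.
        if used - {"LATIN"} and skeleton(decoded) in WATCHED_LABELS:
            findings.append("lookalike:" + skeleton(decoded))
    return {"ascii": host, "unicode": ".".join(decoded_labels),
            "findings": findings}
```

Run over proxy or mail-gateway logs, `assess_host` gives the Unicode rendering next to the ASCII form, so an analyst sees both what the user saw and what DNS resolved.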

Let's take a current example and study the case of "Qakbot".

Qakbot is part of a family of malware originally designed to steal financial data. The first traces of this malware date back to 2007, and it is still very actively deployed. A researcher recently investigated the various delivery methods of the software:

Modeling Qakbot delivery methods by Sam0x90

The Qakbot malware is sent either as a clickable URL (link), or as an attachment. In terms of defense, it's a bit of a cat-and-mouse game. As long as the URL is not known, it is not necessarily categorized as malicious, or in the worst-case scenario, it may even be a legitimate site that has been compromised to deliver the malware. It is therefore difficult to block. As for attachments, while it may be fairly straightforward for a company to ban .zip and .iso files, the same cannot be said for .doc files.

As Samuel Rossier's model shows, malware sub-files are systematically created after a user clicks on the initial file. Once the user has clicked, the workstation is infected and the attacker can take remote control to continue his malicious operations internally.

It is therefore essential to make users aware of cybersecurity in order to reduce the impact of phishing.

Soluss helps its customers combat phishing with an approach based on 3 pillars:

  1. Procedures: internal procedures need to be put in place to deal with phishing threats and incident response. To reduce the attack surface, it is important to define with the business the types of file that should legitimately be exchanged by email.
  2. Technology: various technological building blocks can reduce the number of phishing e-mails reaching the user's mailbox. These range from anti-spam to software that instantly deletes malicious e-mails from all users' inboxes.
  3. People: as the company's last line of defence, people are often neglected. A once-a-year awareness campaign is not enough. Users need to be trained not only to recognize threats, but also to report them when in doubt. To achieve this, Soluss offers a two-pronged approach, with ongoing phishing test campaigns for users and a malicious e-mail processing service.

So, in answer to the initial question "Is phishing inevitable?", I'd like to propose a closely related question: "Do we manage to achieve a 100% success rate at school?" The answer is no, and the same applies to phishing. All it takes is one out-of-touch user clicking on a dubious link to put your infrastructure at risk. Consequently, it's important to invest in people and technology to minimize the risk of occurrence, but also to prepare for the worst so as not to be caught unawares when it does happen.
