The next generation of phishing attacks could come with unexpected delivery methods. Are we prepared?

Netskope report reveals new top sources of fake login page referrals; the rise of fake third-party cloud apps to trick users

Cybersecurity in Australia, Netskope cloud and threat report
Courtesy: Unsplash

Netskope, a leader in secure access service edge (SASE), has unveiled new research that shows how the popularity of cloud apps is changing the delivery methods threat actors use in phishing attacks to steal data.

Highlights:

  • On average, 8 out of every 1,000 Australian employees accessed phishing sites or content in Q3 2022, on par with the global average (also 8 in 1,000)
  • Employees in financial services are being more cautious, with the global average for that sector dropping to 5 in 1,000
  • Phishing content is now delivered through a more diverse range of online channels: 26% through personal sites or blogs, 11% via email, 6% through search engines, and 4% on social media
  • The report sheds light on an emerging threat: cybercriminals creating fake cloud apps that mimic legitimate ones and tricking employees into granting those fake applications access to their Google Drive, SharePoint or other sensitive data and resources.

What has changed recently?

New trends in phishing delivery methods such as fake login pages and fake third-party cloud apps designed to mimic legitimate apps

Email is still a primary mechanism for delivering phishing links to fake login pages that capture confidential data (usernames, passwords, MFA codes, etc.). However, users are more frequently clicking phishing links that arrive through other channels, including personal websites and blogs, social media, and search engine results.

There is also a rise in fake third-party cloud apps designed to trick users into authorising access to their cloud data and resources.


Phishing Comes From All Directions

  • Webmail services such as Gmail, Microsoft Live and Yahoo, traditionally considered the top phishing threat, accounted for 11% of phishing alert referrals.
  • Personal websites and blogs, particularly those hosted on free hosting services, were the most common referrers to phishing content, claiming the top spot at 26%.

The Netskope Cloud and Threat Report identified two primary phishing referral methods:

  • Malicious links through spam on legitimate websites and blogs
  • Use of websites and blogs created specifically to promote phishing content

Search engine referrals to phishing pages have also become common

Attackers are weaponising data voids (search terms with few existing results) by creating pages centred on uncommon search terms, where they can readily establish themselves as one of the top results.

Examples include content on how to use specific features in popular software, quiz answers for online courses, user manuals for a variety of business and personal products, and more.

“Business employees have been trained to spot phishing messages in email and text messages, so threat actors have adjusted their methods and are luring users into clicking on phishing links in other, less expected places,” said Ray Canzanese, Threat Research Director, Netskope Threat Labs. 

The Rise of Fake Third-Party Cloud Apps

Netskope’s cloud and threat report reveals another key phishing method: tricking users into granting access to their cloud data and resources through fake third-party cloud apps. 

“The next generation of phishing attacks is upon us.”

This early trend is particularly concerning because access to third-party apps is ubiquitous and poses a large attack surface.

  • On average, end-users in organisations granted more than 440 third-party apps access to their Google data and applications
  • One organisation had as many as 12,300 different plugins accessing data, an average of 16 plugins per user.
  • Equally alarming, over 44% of all third-party apps accessing Google Drive have access to either sensitive data or all data on a user’s Google Drive, further incentivising criminals to create fake third-party cloud apps.
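The 44% figure above comes from an inventory of which third-party apps hold which OAuth scopes. The following is an added example, not code from the Netskope report or this article, showing how a defender can run the same audit over an exported grant list: it classifies each app by the broadest Google Drive scope it has been granted, reports the share of Drive-accessing apps with all-data access, and computes apps per user. The scope strings are real Google OAuth scopes; the users, app names and record layout are constructed.

```python
from collections import defaultdict

# Real Google OAuth scopes: the broad set exposes every file in a user's Drive,
# the limited set only files opened/created with the app or its own config folder.
BROAD_DRIVE_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
}
LIMITED_DRIVE_SCOPES = {
    "https://www.googleapis.com/auth/drive.file",
    "https://www.googleapis.com/auth/drive.appdata",
}
RANK = {"none": 0, "limited": 1, "all": 2}

def drive_access_level(scopes):
    """Classify one grant's scope list as 'all', 'limited' or 'none'."""
    granted = set(scopes)
    if granted & BROAD_DRIVE_SCOPES:
        return "all"
    if granted & LIMITED_DRIVE_SCOPES:
        return "limited"
    return "none"

def audit_grants(grants):
    """Summarise (user, app, scopes) records: worst-case Drive level per app,
    share of Drive-accessing apps with a broad scope, mean apps per user."""
    app_level, apps_per_user = {}, defaultdict(set)
    for user, app, scopes in grants:
        level = drive_access_level(scopes)
        if RANK[level] > RANK[app_level.setdefault(app, "none")]:
            app_level[app] = level  # keep the worst level seen for this app
        apps_per_user[user].add(app)
    drive_apps = [a for a, lvl in app_level.items() if lvl != "none"]
    broad = sorted(a for a in drive_apps if app_level[a] == "all")
    broad_share = len(broad) / len(drive_apps) if drive_apps else 0.0
    mean_apps = sum(map(len, apps_per_user.values())) / max(len(apps_per_user), 1)
    return {"app_level": app_level, "broad_apps": broad,
            "broad_share": broad_share, "mean_apps_per_user": mean_apps}

# Constructed grant inventory: hypothetical users and app names.
SAMPLE_GRANTS = [
    ("alice", "Calendar Sync", ["https://www.googleapis.com/auth/calendar.readonly"]),
    ("alice", "PDF Helper Pro", ["https://www.googleapis.com/auth/drive"]),
    ("bob", "PDF Helper Pro", ["https://www.googleapis.com/auth/drive"]),
    ("bob", "Diagram Editor", ["https://www.googleapis.com/auth/drive.file"]),
    ("carol", "Diagram Editor", ["https://www.googleapis.com/auth/drive.appdata"]),
]
```

Apps listed under `broad_apps` are the ones to review first, since revoking or narrowing a grant that an app never needed removes the data a fake app would otherwise inherit.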

Actionable steps organisations can take to identify and control access to phishing sites or applications:

  • Deploying a security service edge (SSE) cloud platform with a secure web gateway (SWG)
  • Enabling zero trust principles for least-privilege access to data and continuous monitoring
  • Using remote browser isolation (RBI) to reduce browsing risk for newly registered domains

Other Noteworthy Trends: 

Employees continue to click on, and fall victim to, malicious links

  • It takes just one click to severely compromise an organisation
  • Despite training, an average of 8 out of every 1,000 end-users in the enterprise clicked on a phishing link or otherwise attempted to access phishing content.

Users are being lured by fake websites designed to mimic legitimate login pages 

  • Attackers primarily host these websites on content servers (22%), followed by newly registered domains (17%).
  • Once users enter personal information into a fake site or grant it access to their data, attackers are able to capture usernames, passwords, and multi-factor authentication (MFA) codes.

Are we prepared?

Nearly half of CIOs are concerned their cybersecurity is not keeping up with their digital transformation efforts, according to a new study. 

The new cybersecurity benchmarking survey “Cybersecurity Solutions for a Riskier World” by research firm ThoughtLab, co-sponsored by ServiceNow, finds that nearly half of CIOs are concerned about their cybersecurity defences. The research aimed to identify potential solutions to the growing menace of cyberattacks.

Cybersecurity Trends 2023
Courtesy: ThoughtLab, ServiceNow

Australia needs 7,000 cybersecurity professionals by 2024 to enhance our preparedness and cybersecurity.

Self-reported losses from cybercrime in Australia were over $33 billion last year. The frequency and impact of cyberattacks go hand in hand with a massive cybersecurity skills shortage. Australia will need 7,000 cybersecurity professionals by 2024, notes Australia’s Cyber Security Sector Competitiveness Plan.

The increase in the volume of cybercrime reporting equates to one report of a cyberattack every 8 minutes, compared to one every 10 minutes in the previous financial year.

“We just haven’t made enough investment and don’t have enough people to fight cybercrime at scale. And Australia needs to rapidly change the equation on that.”

Cybersecurity Leader, EY Oceania

Around 85% of cybersecurity leaders in Australia think outdated security approaches are failing in the face of modern threats. Only 40% were confident their security tools would protect them against sophisticated attacks.
