Phishing is a never-ending tug of war in which one side is only ever trying to stop the other from winning: "Attackers are always trying to be innovative, while defenders are trying to innovate on top of the innovation done by attackers."
Ironic as it may sound, that is how it is.
This article is not about blaming some organisation for not doing enough to protect its customers. It is about the vendors who are trying to defend, while the current situation does not call for defence alone: it needs an aggressive attack mechanism, even proactive attacks before the damage is done.
To solve the problem of phishing I am proposing the following multi-step approach.
- Get ready with your defences. Just as in war, first strengthen your defences. You can do this proactively by:
  - Training your employees
  - Asking the cybersecurity team to be vigilant
  - Performing vulnerability assessment and penetration testing
  - DDoS prevention (you might need it; DDoS is cheap these days)
  - DMARC, and monitoring of cousin domains
  - WAF, SIEM and the rest
- A small attack (to learn their capabilities):
  - To get an idea, monitor what type of attacks are originating.
  - Measure similarity among phishing attacks; you might be able to identify active APT groups.
  - Initiate takedowns, publish something about them in the media (yes, you heard me: more aggressively, see how they react).
- Attack the psychology:
  - Set up a "honeypot" (the honeypot is key; I cannot write the process in detail, but trust me, it is something you will need) to gather information.
  - Give the attacker bogus information.
- You win!
But how? The key part of the approach is psychology. If you attack infrastructure, it can simply be bought again; the success of a phishing attack depends on how good the results are that the attacker gets.
If you have ever conducted an actual phishing attack or observed the program logic behind one, you know attackers have adopted methods to obtain 2FA codes from clients, but the data only becomes valuable once it is verified. Let's do some math.
Let's say you are conducting a phishing attack and it costs you $100 to compromise or host a website, while sending one email costs $0.001.
Assuming 1 in 1,000 spam emails is clicked, you are technically spending $1 per click; let's say 10% of clickers turn into victims, so one set of useful data costs you $10.
If captured data sells on the market at $20 per good record, you make a profit of $10 per record, excluding the hosting cost.
But what if the data you are getting is bogus: it looks just as good, but it is useless because 2FA has failed, or maybe the servers are not responding. Overall, if vendors can make the cost of phishing high, only those with the willingness to catch a whale will survive.
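To make the cost argument concrete, here is an added example (not code from the original post) that models the attacker's economics with the post's illustrative figures and goes one step further: it adds a share of bogus or unverifiable records (the honeypot and 2FA-failure effect described above), amortises the one-off setup cost over an assumed campaign volume of one million emails, and computes the bogus share at which the campaign stops paying for itself.

```python
# Added example (not from the post): attacker-economics model for the figures above.
# All inputs are the post's illustrative numbers, constructed here, not measured data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Campaign:
    setup_cost: float   # one-off cost to compromise or host a site ($100 in the post)
    email_cost: float   # cost per email sent ($0.001)
    click_rate: float   # fraction of emails that get clicked (1/1000)
    victim_rate: float  # fraction of clickers who submit data (10%)
    sale_price: float   # market price per usable record ($20)
    emails_sent: int    # campaign volume (assumed), used to amortise the setup cost


def cost_per_record(c: Campaign, bogus_fraction: float = 0.0) -> float:
    """Email spend needed to obtain one usable record.

    bogus_fraction is the share of submissions that are worthless to the
    attacker (honeypot or bogus data, failed 2FA, unresponsive server);
    each such submission was paid for but yields nothing.
    """
    usable_rate = c.click_rate * c.victim_rate * (1.0 - bogus_fraction)
    return float("inf") if usable_rate <= 0 else c.email_cost / usable_rate


def campaign_profit(c: Campaign, bogus_fraction: float = 0.0) -> float:
    """Profit over the whole campaign, including the one-off setup cost."""
    usable = c.emails_sent * c.click_rate * c.victim_rate * (1.0 - bogus_fraction)
    return usable * c.sale_price - c.setup_cost - c.emails_sent * c.email_cost


def breakeven_bogus_fraction(c: Campaign) -> float:
    """Smallest bogus share at which profit reaches zero (profit is linear in it)."""
    gross = c.emails_sent * c.click_rate * c.victim_rate * c.sale_price
    costs = c.setup_cost + c.emails_sent * c.email_cost
    return 0.0 if gross <= 0 else max(0.0, min(1.0, 1.0 - costs / gross))


# The post's numbers, with a constructed volume of one million emails.
POST_FIGURES = Campaign(setup_cost=100.0, email_cost=0.001, click_rate=1 / 1000,
                        victim_rate=0.10, sale_price=20.0, emails_sent=1_000_000)

if __name__ == "__main__":
    for f in (0.0, 0.25, 0.5):
        print(f"bogus={f:.0%}: ${cost_per_record(POST_FIGURES, f):.2f}/record, "
              f"campaign profit ${campaign_profit(POST_FIGURES, f):,.2f}")
    print(f"break-even bogus share: {breakeven_bogus_fraction(POST_FIGURES):.0%}")
```

With the post's figures the campaign clears $900 when every record is genuine, but once roughly 45% of submissions are bogus it makes nothing, and at 50% it loses money; that is the lever the honeypot step is pulling.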