One of the first lessons that cybercriminals learn is ‘if it ain’t broke, don’t fix it.’ It’s why phishing continues to be one of the most frequent initial attack vectors: a user sees an ‘urgent’ email from someone they trust, they click on a link, and the bad guys gain access to the systems and data that they shouldn’t.
But while cybersecurity has been grappling with phishing for decades, that doesn’t mean the tactic hasn’t evolved. Like an evolving COVID strain, threat actors are bringing new wrinkles to phishing that make it more effective on its targets and more damaging to organizations.
One of those newest developments is Phishing-as-a-Service (PHaaS) which, as the name implies, allows cybercriminals to outsource their phishing campaigns to skilled professionals. Another evolution is Cloud Account Takeover (CATO), which allows threat actors to gain access to an organization’s cloud accounts.
Given that phishing was the most frequent initial attack vector and cost organizations an average of $4.76 million USD per breach, anything that organizations can do to limit their exposure to phishing can go a long way in protecting their bottom line and staying safe.
So let’s look at PhaaS, CATO, what makes them so effective, and steps that organizations can take to stay safe from both.
Like ransomware-as-a-service, you know that a threat vector has become a problem when cybercriminals can outsource a given tactic. That’s what’s happening with PHaaS, which allows threat actors to contract out and automate cyberattacks.
Phishing and PHaaS tend to use social engineering tactics to make them more challenging to detect. It’s why targets receive so many ‘urgent’ emails ‘from’ the CEO, CFO, or other leadership: people are likelier to respond more quickly and with less caution if their boss’ boss is telling them to act.
Moreover, PHaaS campaigns are not limited to traditional email inboxes. Attackers are now targeting cloud-based email services, leveraging platforms like Microsoft 365 or Google Workspace. With the ever-increasing reliance on cloud-based productivity tools and services, CATO attacks can have devastating consequences for organisations.
To make matters worse, often PHaaS campaigns deliberately target C-Level executives. In a recent cloud takeover campaign using Evil Proxy, 39% of victims were in the C-suite.
It has also been reported that other accounts are ignored in favour of the CEO or CFO, and it’s easy to understand why. Senior leaders often have access to sensitive data and wield significant influence within an organization. As a result, attackers tailor their phishing attempts to focus on these high-value targets, increasing the likelihood of a successful CATO attack.
C-Level executives are also prime candidates for spear-phishing attacks, where attackers craft highly personalized messages to trick their victims into revealing sensitive information or clicking on malicious links. The stakes are higher when executives are involved, making it imperative for organizations to take proactive measures to protect their leadership.
To combat the growing threat of CATO attacks and PHaaS, organizations can turn to modern authentication solutions like the Fast Identity Online (FIDO) protocol. FIDO offers a secure and user-friendly way to verify user identities, reducing the risk of phishing attacks.
FIDO-based authentication relies on public-key cryptography, which enhances security by eliminating the need for passwords. Instead, users authenticate themselves using a securely-registered hardware device: when authenticating, users are prompted to tap the device to fulfill the ‘something you have’ factor of MFA. That means that even if an attacker phishes a user’s credentials, the attacker won’t be able to meet the authentication challenge if they’re not in possession of the device.
Making authentication both easy and secure is critical in driving user adoption across an organisation. The technology underpinning FIDO devices makes them extremely helpful in resisting even the most complex phishing campaign.
Many organisations have resisted investing in FIDO since the technology only works via the Web, such as on cloud applications and SaaS services. This limitation leaves behind many of the critical on-premises applications and resources that businesses need to continue functioning. Investing time, effort and budget on a technology that doesn’t work everywhere is problematic for many organisations.
RSA has solved that challenge. The RSA DS100 is a hardware authenticator that provides both one-time passwords (OTP) for on-premises resources and FIDO for internet-connected resources. Such a device not only protects cloud-based accounts but also legacy on-premises systems that may rely on older authentication methods like OTP.
The ability to bridge the gap between modern cloud services and legacy systems is crucial for many organizations. By implementing a hybrid FIDO device such as the RSA DS100, organizations can ensure consistent security across all accounts and applications. This ensures that even if you have some systems that can only challenge with OTP methods, they are still protected.
Whether it’s PHaaS, targeting C-Level executives, CATO, or whatever next wrinkle that cybercriminals throw at organizations, it’s crucial for cybersecurity to stay one step ahead.
Implementing a hybrid FIDO device that protects both cloud-based and legacy on-premises systems is a powerful step toward ensuring comprehensive security for your organization. By embracing modern authentication methods and staying vigilant against evolving threats, organizations can safeguard their business from CATO attacks, phishing, and other risks. Remember, when it comes to cybersecurity, proactive prevention is always better than reactive recovery.
