One of the first lessons that cybercriminals learn is “if it ain’t broke, don’t fix it.” It’s why phishing continues to be one of the most frequent initial attack vectors: a user sees an “urgent” email from someone they trust, they click on a link, and the bad guys gain access to the systems and data that they shouldn’t.
But while cybersecurity has been grappling with phishing for decades, that doesn’t mean the tactic hasn’t evolved. Like an evolving COVID strain, threat actors are bringing new wrinkles to phishing that make it more effective against its targets and more damaging to organizations.
One of the newest developments is phishing-as-a-service (PHaaS), which, as the name implies, allows cybercriminals to outsource their phishing campaigns to skilled professionals. Another is cloud account takeover (CATO), in which threat actors gain access to an organization’s cloud accounts.
Given that phishing was the most frequent initial attack vector and cost organizations an average of $4.76 million USD per breach, anything that organizations can do to limit their exposure to phishing can go a long way in protecting their bottom line and staying safe.
So let’s look at PHaaS, CATO, what makes them so effective, and steps that organizations can take to stay safe from both.
As with ransomware-as-a-service, you know that a tactic has become a real problem when cybercriminals can outsource it. That’s what’s happening with PHaaS, which lets threat actors contract out and automate their phishing campaigns.
Phishing campaigns, PHaaS included, lean on social engineering to make their lures harder to spot. It’s why targets receive so many “urgent” emails “from” the CEO, CFO, or other leadership: people are more likely to respond quickly and with less caution if their boss’s boss is telling them to act.
Moreover, PHaaS campaigns are not limited to traditional email inboxes. Attackers are now targeting cloud-based email services, leveraging platforms like Microsoft 365 or Google Workspace. With the ever-increasing reliance on cloud-based productivity tools and services, CATO attacks can have devastating consequences for organizations.
To make matters worse, PHaaS campaigns often deliberately target C-level executives. In a recent CATO campaign using Evil Proxy, 39% of victims were in the C-suite.
It has also been reported that other accounts are ignored in favor of the CEO or CFO, and it’s easy to understand why. Senior leaders often have access to sensitive data and wield significant influence within an organization. As a result, attackers tailor their phishing attempts to focus on these high-value targets, increasing the likelihood of a successful CATO attack.
C-level executives are also prime candidates for spear-phishing attacks, where attackers craft highly personalized messages to trick their victims into revealing sensitive information or clicking on malicious links. The stakes are higher when executives are involved, making it imperative for organizations to take proactive measures to protect their leadership.
To combat the growing threat of CATO attacks and PHaaS, organizations can turn to modern authentication solutions like the Fast Identity Online (FIDO) protocol. FIDO offers a secure and user-friendly way to verify user identities, reducing the risk of phishing attacks.
FIDO-based authentication relies on public-key cryptography, which enhances security by eliminating the need for passwords. Instead, users authenticate with a securely registered hardware device: at sign-in, the user is prompted to tap the device, which satisfies the “something you have” factor of MFA. That means that even if an attacker phishes a user’s credentials, the attacker can’t complete the authentication challenge without possessing the device.
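As an added illustration (not RSA’s code or any FIDO implementation), the Go program below simulates the challenge-response flow described above and also shows the origin binding that WebAuthn layers on top of possession: the authenticator only signs for a relying party ID it holds a key for, and the relying party rejects any assertion that names a different origin or challenge. The relying party ID, origins and challenge bytes are constructed; the RP ID derivation is simplified to stripping the scheme.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"strings"
)

// Authenticator models a FIDO device: one key pair per relying party (RP) ID,
// created at registration; the private key never leaves the device.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a device-bound key for rpID and hands the RP the public half to store.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.keys[rpID] = k
	return &k.PublicKey
}

// Assertion is the device's answer: what it signed (RP ID hash, client data) plus the signature.
type Assertion struct{ RPIDHash [32]byte; ClientData, Signature []byte }

// Assert is called by the browser, which derives the RP ID from the page's real origin (simplified
// here to stripping the scheme); a look-alike phishing origin maps to an RP ID with no key, so nothing is signed.
func (a *Authenticator) Assert(origin string, challenge []byte) (*Assertion, bool) {
	rpID := strings.TrimPrefix(origin, "https://")
	k, ok := a.keys[rpID]
	if !ok {
		return nil, false
	}
	cd, _ := json.Marshal(map[string]string{"challenge": hex.EncodeToString(challenge), "origin": origin})
	h := sha256.Sum256([]byte(rpID))
	d := sha256.Sum256(append(h[:], cd...)) // the signature covers rpIdHash || clientData
	sig, _ := ecdsa.SignASN1(rand.Reader, k, d[:])
	return &Assertion{RPIDHash: h, ClientData: cd, Signature: sig}, true
}

// Verify is the relying party: the client data must name its own origin and the challenge
// it issued, and the signature must check out under the public key stored at registration.
func Verify(pub *ecdsa.PublicKey, rpID, origin string, challenge []byte, asr *Assertion) bool {
	var cd struct{ Challenge, Origin string }
	if json.Unmarshal(asr.ClientData, &cd) != nil || cd.Origin != origin ||
		cd.Challenge != hex.EncodeToString(challenge) || asr.RPIDHash != sha256.Sum256([]byte(rpID)) {
		return false
	}
	d := sha256.Sum256(append(asr.RPIDHash[:], asr.ClientData...))
	return ecdsa.VerifyASN1(pub, d[:], asr.Signature)
}
```

A phished password never enters this exchange at all; a relayed challenge presented from a look-alike origin gets no signature, and an assertion produced by any other device fails verification against the registered public key.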
Making authentication both easy and secure is critical in driving user adoption across an organization. The technology underpinning FIDO devices makes them extremely helpful in resisting even the most complex phishing campaign.
Many organizations have resisted investing in FIDO because the technology only works over the web, such as for cloud applications and SaaS services. That limitation leaves out many of the critical on-premises applications and resources that businesses need to keep functioning. Investing time, effort, and budget in a technology that doesn’t work everywhere is problematic for many organizations.
RSA has solved that challenge with a variety of solutions:
- RSA Authenticator App 4.5 provides a FIDO2-certified device-bound passkey on users’ mobile devices, helping organizations improve adoption, enhance the user experience, boost productivity, and accelerate Zero Trust maturity.
- The RSA iShield Key 2 Series features FIDO2, PIV, HOTP support and a FIPS 140-3 certified cryptographic module. The hardware authenticators meet Executive Order 14028, OMB M-22-09, and OMB M-24-14, and can help the public and private sector simplify and secure credential management.
- The RSA DS100 is a hardware authenticator that provides both one-time passwords (OTP) for on-premises resources and FIDO for internet-connected resources. Such a device not only protects cloud-based accounts but also legacy on-premises systems that may rely on older authentication methods like OTP.
The ability to bridge the gap between modern cloud services and legacy systems is crucial for many organizations. By implementing a hybrid FIDO solution such as the RSA DS100, RSA Authenticator App, or RSA iShield, organizations can apply consistent security across all accounts and applications, so that even systems that can only challenge with OTP methods remain protected.
Staying a step ahead of threats like CATO and PHaaS requires a proactive approach to cybersecurity. Here are some best practices organizations can adopt to reduce their risk:
- Employee Training and Awareness: Regular security training is critical to help employees recognize phishing attempts and avoid falling for social engineering tactics.
- Implementing MFA: MFA adds an extra layer of protection, making it significantly harder for attackers to succeed, even if credentials are compromised.
- Conducting Regular Security Audits: Regular reviews of access controls, permissions, and account configurations for cloud services are important for identifying vulnerabilities that attackers could exploit.
- Implementing a Layered Security Approach: Layered security includes multiple defense mechanisms at different points in the network.
- Regularly Updating Security Protocols: Cyber threats evolve rapidly, so updating protocols and policies regularly ensures they are aligned with the latest security best practices.
Whether it’s PHaaS, the targeting of C-level executives, CATO, or whatever wrinkle cybercriminals throw at organizations next, it’s crucial for cybersecurity teams to stay one step ahead.
Implementing a hybrid FIDO device that protects both cloud-based and legacy on-premises systems is a powerful step toward ensuring comprehensive security for your organization. By embracing passwordless authentication methods and staying vigilant against evolving threats, organizations can safeguard their business from CATO attacks, phishing, and other risks. Remember, when it comes to cybersecurity, proactive prevention is always better than reactive recovery.