Phishing isn’t a new problem, but that fact alone doesn’t mean that it’s an easy one for companies to protect against.
Phishing attacks remain a central component of many of the security breaches that are reported in the press for one very good reason – they work.
Oftentimes, an attacker doesn’t need to exploit a zero-day vulnerability or craft malware that can steal keystrokes from a targeted PC. All they may need to do is use some compelling social engineering to fool an innocent user into clicking on a link, and take them to a convincing-looking website which simply asks for their password.
And recently there have been many headlines of phishing attacks that appear to be orchestrated by hackers with the endorsement of intelligence agencies and governments.
Such state-sponsored phishing attacks may be less commonly encountered than those orchestrated by identity thieves and common-or-garden online criminals, but that does not reduce the serious consequences of a successful breach.
And that’s why this week Google chose to remind its users of the danger of government-backed phishing attacks:
“Beyond phishing for the purposes of fraud, a small minority of users in all corners of the world are still targeted by sophisticated government-backed attackers. These attempts come from dozens of countries.”
Such state-endorsed phishing attacks can target individuals (such as journalists and political critics) and companies. After all, if a government-backed hacking gang cannot extract the information it wants from a single person’s Gmail account, they might instead target an organisation they work for or with whom they are affiliated.
Over four million businesses around the world are running G Suite, Google’s collection of integrated cloud-hosted tools that are designed to help office workers collaborate and be productive. Some of these, undoubtedly, are of interest to various intelligence agencies and governments around the world.
To better protect its corporate customers, Google announced earlier this month that it was providing an option for G Suite administrators to receive warnings when Google believed that a government-backed attacker had likely “attempted to access a user’s account or computer through phishing, malware, or another method.”
Part of the alert reads as follows:
“There’s a chance this is a false alarm, but we believe we detected government-backed attackers trying to steal your password. This happens to less than 0.1% of all Gmail users. We can't reveal what tipped us off because the attackers will take note and change their tactics, but if they are successful at some point they could access your data or take other actions using your account.”
The alerts, which Google admitted might easily be a false alarm, should effectively be treated by corporations as a reminder to take additional countermeasures to protect and secure accounts.
What might those additional measures be?
An obvious candidate is two-step verification, where anyone logging into an account will be asked to enter a one-time password (OTP) alongside their password. Even if a password is grabbed by a phishing attack, the attackers won’t be able to log into the site unless they also manage to determine the six-digit OTP code that changes every 30 seconds or so.
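As an added illustration (not code from the original article), here is the six-digit, 30-second one-time password scheme the post refers to, implemented per RFC 6238 in Python; the secret is the RFC's own test seed, used here as a constructed demo value, and `attempt_login` is a hypothetical helper showing why a phished password on its own is not enough:

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo seed: the 20-byte ASCII secret from the RFC 4226/6238 test vectors.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds each code is valid, as described in the article
DIGITS = 6       # the "six digit" code

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: Optional[float] = None, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time divided by the step."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step))

def verify_totp(secret: bytes, submitted: str, at: Optional[float] = None, skew: int = 1) -> bool:
    """Accept the current code or one within `skew` steps either side (clock drift),
    comparing in constant time so timing does not leak which digits matched."""
    now = time.time() if at is None else at
    counter = int(now // TIME_STEP)
    return any(
        hmac.compare_digest(hotp(secret, counter + d), submitted)
        for d in range(-skew, skew + 1)
    )

def attempt_login(secret: bytes, password_ok: bool, submitted_otp: Optional[str],
                  at: Optional[float] = None) -> bool:
    """Hypothetical second-step check: a correct password alone never unlocks the account."""
    if not password_ok or submitted_otp is None:
        return False
    return verify_totp(secret, submitted_otp, at=at)

if __name__ == "__main__":
    print("current code:", totp(DEMO_SECRET))
```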
And if a higher level of defence is required, last year Google announced its Advanced Protection feature for users who felt they were most at risk of having their accounts compromised. Advanced Protection went one step beyond Google’s existing authentication measures, demanding that a hardware security key is used instead.
Earlier this year, despite the alarming rise in business email compromise and phishing attacks against organisations, Google admitted that less than 10% of its users have enabled what I regard as the bare minimum of two-step verification to harden their accounts against compromise.
Unless that statistic dramatically improves, we’re going to continue to see government-backed phishing attacks succeeding on far too many occasions.