Phishing – Gen Z
A new era of customized per-case attacks
Blog • 3 min. read
January 16, 2022
2021 was a great year for hackers.
Employees and companies had to transition quickly to working remotely from home, cryptocurrency trading (Bitcoin, Ethereum and the like) was, and still is, on the rise, and many social engineering campaigns were launched targeting human weakness and curiosity.
Mitigating a security vulnerability usually involves configuration changes, adjustments, removing vulnerable components, or even adding new layers of defense, but employees – often referred to as the weakest link in the chain – cannot be reconfigured like a server.
There are several ways to defend company assets against social engineering attacks, but it is rarely as easy as replacing your password with a more complex one, and usually leads to a “Cat and Mouse” game with attackers.
Blacklisting, whitelisting, scanning, filtering, and analyzing may stop some basic low-level phishing campaigns, at the cost of a moderate level of discomfort for your users and slightly hindered work processes: some legitimate emails will be blocked, pictures will no longer load by default, and elaborately crafted Excel files or documents containing macros will be treated as malicious as a precaution.
On the technical side, the methods discussed above illustrate the pros and cons of applying hardened defenses against social engineering attacks, and, quite frankly, such defenses have become futile against real-world high-level phishing attacks.
Most companies today conduct some sort of social engineering awareness program, provide a document or guide as part of the onboarding process, make annual training with presentations and questionnaires mandatory, and even utilize frameworks to conduct automated phishing campaigns to raise awareness levels throughout the year. Do these properly educate employees, or do they only serve to tick the annual training requirement box?
Humans are naturally quite good with patterns. We can subconsciously identify patterns in everything we experience, especially when we experience something repeatedly. That characteristic can work either for or against us, depending on the case.
Employees are trained to be aware of and identify patterns in phishing attacks, based on specific indicators that recur in low-level phishing attacks. However, high-level spear phishing takes place on a totally different level!
It is good to raise awareness, and it is good to avoid websites that use insecure communication channels. But those schemes are far from today’s reality and attack methods.
Unlike generic low-level campaigns that run for a few hours through an automated framework, professional hackers have an unlimited amount of time, which they usually utilize very well. Hackers will spend most of their time performing reconnaissance and weaponization instead of using trial and error methods. Understanding who the employees are, their levels of technicality, their personalities (which can be examined through social media), their everyday usage of software and programs, and more, are all aspects that a professional hacker will examine prior to building a high-level phishing campaign.
Attackers scrape every bit of information they can find to create the perfect tailor-made spear-phishing attack. Professional hackers are very technical and have often mastered the art of deception when it comes to social engineering. An email phishing campaign, for instance, will be customized and relevant to a specific company. The logo in the sender’s signature will match the company’s, and the email domain will look very much like the real one. To fake the domain ThriveDx.com, for instance, an attacker can use ThrlveDx.com, ThirveDx.com, TDX.com, etc.
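As an added defender-side example that is not part of the original post, the following inbound-mail check flags sender domains that imitate a protected domain through the tricks just listed: a homoglyph swap (ThrlveDx.com), transposed letters (ThirveDx.com), or the same name on a different TLD. The protected list, the homoglyph table and the sample addresses are constructed for the illustration, and the abbreviation case (TDX.com) is deliberately shown as one that edit distance cannot catch.

```python
from __future__ import annotations
from typing import Optional

# Visually confusable characters folded to one canonical form (hypothetical table, extend as needed).
HOMOGLYPHS = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s", "3": "e", "8": "b"})

def normalize_label(label: str) -> str:
    """Lowercase, fold single-char homoglyphs, then the multi-char ones 'rn'->'m', 'vv'->'w'."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert/delete/substitute plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition, e.g. ir <-> ri
    return d[len(a)][len(b)]

def lookalike_of(sender_domain: str, protected: list[str], max_distance: int = 1) -> Optional[str]:
    """Return the protected domain that sender_domain imitates, or None.

    Only the first label is compared (after folding), so the same name on a
    different TLD is caught too; an exact protected domain is never flagged.
    """
    sender = sender_domain.lower()
    if sender in [p.lower() for p in protected]:
        return None
    s_label = normalize_label(sender.split(".")[0])
    for p in protected:
        if damerau_levenshtein(s_label, normalize_label(p.split(".")[0])) <= max_distance:
            return p
    return None

def check_senders(addresses: list[str], protected: list[str]) -> dict[str, Optional[str]]:
    """Map each address to the protected domain it resembles (None = genuine or unrelated)."""
    return {addr: lookalike_of(addr.rsplit("@", 1)[1], protected) for addr in addresses}

# Constructed sample senders built from the page's examples. TDX.com is an
# abbreviation rather than a near-miss, so edit distance does not catch it;
# that case needs an explicit deny list or a brand-monitoring feed.
SAMPLE_SENDERS = ["hr@thrivedx.com", "hr@thrlvedx.com", "hr@thirvedx.com", "hr@thrivedx.co", "hr@tdx.com"]

if __name__ == "__main__":
    for addr, hit in check_senders(SAMPLE_SENDERS, ["thrivedx.com"]).items():
        print(f"{addr:22} -> {'look-alike of ' + hit if hit else 'ok'}")
```

A real filter would run this on the envelope sender and the From: header after SPF/DKIM/DMARC evaluation, since a look-alike domain can pass all three legitimately.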
Employees are used to seeing the same email in the same program every day, and attackers will pinpoint and abuse that intuitive nature.
Sending a campaign to as many victims as possible to “increase the chances of success” requires the campaign to be generic, so that it appeals to many employees, and such campaigns are considered low-level.
Tailoring a campaign to a very small subset of employees, or even targeting a single one with proper reconnaissance, tremendously increases the chances of remaining “under the radar” and succeeding.
Having a group that specializes in Red Team adversary simulations can provide a comprehensive solution. The team can create a tailor-made phishing campaign that simulates a high-level real-world attack, provide statistics that help solve underlying issues, and plan remediation through proper training against the real deal.
About ThriveDX Labs
We strive to help organizations protect themselves against threats in today’s cybersecurity landscape. We utilize the same advanced techniques and cutting-edge tools as real threat actors to expose security gaps in applications and network infrastructure and assist organizations with bridging those gaps to prevent real damage.