How hackers use low effort tactics for phishing attacks – Yubico

Marissa Nishimoto

Marissa Nishimoto

3 minute read

Phishing continues to make headlines with attackers using stolen credentials to gain access to valuable systems and sensitive data. Although phishing has been a known technique for a long time, the industry is still struggling to effectively defend against it.

This may seem surprising to many as “phishing” calls to mind poorly written emails, generic text messages, poorly made web pages, or robot-voiced phone calls – and the industry has been trying to defend against these methods for years. Primary defenses thus far have been training and legacy MFA (multi-factor authentication). However, these defenses make user discretion one of the key components. If an attacker can successfully trick a user with sufficiently convincing visuals and URLs, they can still be successful. 

As long as there’s still a reasonable chance of success for relatively low effort, attackers will continue to build upon their successes. Similar to how today’s developers will leverage toolkits and shared community projects to simplify their work, attackers are able to do the same. There are toolkits that simplify the effort needed for an attacker to get up and running to just a few command line steps. 

An example of a similar tool intended for demonstration and research purposes, evilginx2, allows researchers to easily set up and enable convincing phishing campaigns. A researcher installs the toolkit and selects an option from a set of community developed options called phishlets. 

This style of toolkit still requires a technically savvy attacker, but doesn’t require specialized phishing campaign software skills. 

Phishing-as-a-Service

Now the ecosystem has evolved even further with phishing services. For criminals who know where to go and are willing to part with some crypto, it is possible to have a phishing service provider manage their phishing campaign for them and simply provide them with results without any technical knowledge of phishing campaign tools on behalf of the attacker. Similar to legitimate service offerings, phishing-as-a-service providers are even offering discounts and subscriptions to entice new users. A screenshot from Resecurity’s blog post on a recent phishing-as-a-service campaign shows how simple these services make it for attackers to start up these campaigns. 

What can be done to combat phishing campaigns today?

Phishing-resistant MFA is multi-factor authentication (MFA) that is immune from attempts to compromise or subvert the authentication process, commonly achieved through phishing attacks, which includes but is not limited to spear phishing, brute force attacks, man-in-the-middle attacks, replay attacks and credential stuffing. Phishing resistance within an authentication mechanism is achieved by not only requiring that each party provide proof of their identity but also intent through deliberate action.

Phishing-resistant MFA is really the most effective way to address this issue due to a couple main distinctions:

  1. The credentials are tied to a domain and a user does not have to visually assess whether a site is legitimate or not. This means an attacker can’t trick a user with unicode tricks or convincing images. 
  2. Using asymmetric credentials means users no longer have to trust service providers with the credentials they use to access their services

To see how this phishing attack could go differently with the use of FIDO security keys like the YubiKey, check out a demonstration from Rachel Tobac made in collaboration with Yubico here.

, , ,
Talk to our teamTalk to our team

Share this article:
  • Yubico delivers PIN advancements with new YubiKey 5 – Enhanced PIN keysTo prepare for continuously evolving cyber threats, governments around the world are adapting and updating authentication requirements for online services which directly impact thousands of organizations and their employees. While there’s currently no universal regulation for more robust multi-factor authentication (MFA), the need is highlighted across a range of requirements including PSD2, GDPR, and the […]Read moreCompany NewsProduct NewsYubiKeyYubiKey 5 – Enhanced PINYubiKey 5 SeriesYubiKey as a Service
  • Yubico LogoYubico liefert PIN-Verbesserungen mit dem neuen YubiKey 5 – Verbesserte PIN-SchlüsselUm sich auf die sich ständig weiterentwickelnden Cyber-Bedrohungen vorzubereiten, passen Regierungen weltweit die Authentifizierungsanforderungen für Online-Dienste an und aktualisieren sie, was direkte Auswirkungen auf viele Unternehmen und deren Mitarbeiter hat. Zwar gibt es derzeit keine universelle Regelung für eine robustere Multi-Faktor-Authentifizierung (MFA), doch wird deren Notwendigkeit in einer Reihe von Anforderungen hervorgehoben, darunter PSD2, DSGVO […]Read moreYubiKey
  • An inside look at Yubico’s transition to passwordlessBefore “passkey” became a familiar term in our industry, Yubico had long delivered hardware-backed and phishing-resistant FIDO2 based authentication. Today, the adoption of passkey usage is accelerating. However, it’s taken quite a bit longer to integrate passwordless authentication into the everyday, enterprise-grade authentication flows that are required for today’s businesses.  As long as it’s been […]Read moreOktapasswordless
  • Mission matters – my reflections on winning the EY World Entrepreneur of the Year “This is the biggest mission any of the entrepreneurs have presented in this competition.”  I heard these words a few weeks ago from one of the judges for the EY World Entrepreneur of the Year award program – whom I had the honor to meet during the final step of the world’s largest entrepreneur competition.  […]Read moreawardsFounderStina Ehrensvard