Ilia Kolochenko, CEO and founder of ImmuniWeb, a global application security company, tells Johanna Hamilton AMBCS about the rise in phishing attacks and how the most sophisticated crimes go, largely, unnoticed.

Recent media reports have highlighted that rudimentary phishing kits can be purchased, from the dark web, for as little as $25 a time. While many of us have been inundated with emails telling us our PayPal account has been suspended, or we’re due a tax refund, it probably comes as no surprise that phishing is on the increase.

Can you tell me about the massive rise in phishing kit sales and subsequent attacks?

‘When people are selling phishing kits, it's mostly designed for beginners. Professional cybergangs are unlikely to purchase phishing kits as they will have developed everything in-house. It's probably important to highlight within this context that the modern cybercrime industry is very well structured, organised, disciplined and commoditised.

‘Cyber gangs are focused and highly proficient in preparing phishing emails. They usually sell thoroughly crafted templates to several trusted purchasers, and frequently they design these phishing kits from scratch. Let's say when a cybergang contemplates attacking the Bank of England, they will go to all relevant sources to better understand design, communication style and channels to lure even experienced users into a trap.

‘They might talk to a disgruntled employee, they might have an innocent conversation posing as a journalist, asking “how’re things going? What’s security like? Have you ever experienced a phishing attack? What was your response?” Idle chit chat for most, a wealth of information on how to bypass the myriad of internal security protections for attackers.

‘Experienced cyber criminals focusing on highly effective phishing campaigns are unlikely to develop in-house malware because it is time consuming, it is expensive, it requires a solid understanding of the operating systems and their internal systems that a virus can cut through. So, they will likely outsource it to another trusted third party, to another cybergang specialised in developing malware for further resale to their ‘colleagues’, or even offer scalable and cost-efficient malware-as-a-service solutions.’

Traditionally, phishing attacks have had a widespread, scattergun approach. What you describe seems like a business decision. Is this type of phishing on the increase?

‘Most reported attacks are usually operated by newbies who just purchased a ready-to-use phishing kit - one size fits all, with not much sophistication - targeting quantity rather than quality of their victims.

‘However, other, more serious attacks are prepared by professional cybergangs and unfortunately, they frequently remain undiscovered because their sophistication makes them hardly detectable, or at least uninvestigable.

‘Unfortunately, when we talk about professional cyber criminals, they frequently enjoy impunity - leveraging lack of international cooperation of law enforcement agencies, high availability of infrastructure tailored to run attacks anonymously - and the growing proliferation of cryptocurrencies.’

Mass scale phishing or spear phishing: what's the best way for cybergangs to make money?

‘It depends on the cybergang’s skills and objectives. I'd say when we're talking about mass scale phishing, you don’t need to invest a lot of time, resources or potential money to prepare your attack. Usually, it's cheap and easy. They make money by sending billions of forged emails; half of the emails do not even exist anymore, so it's just that growing number of irrelevant noise-generating emails.

‘However, they make their money by volume. Through targeted spear phishing, they may send tens, or sometimes hundreds, of emails tailored to dupe high-profile victims and run well-prepared data exfiltration or money theft attacks. They are well concealed and have a low profile. They understand very well who their victim is, what they are looking for and just one successful spear phishing campaign may easily bring them millions.’

Your business is to guard against attack. But, in order to find the latest malware and threats, do you have to buy it from the bad guys and thus finance the crime?

‘That is a double-edged sword and under certain circumstances may be problematic. The Department of Justice in the United States has recently released a set of guidelines called Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources. It seeks to clarify what is likely to be a safe harbour and, conversely, what activities, transactions or deals might provoke ethical questions or even trigger legal investigations.

‘It’s an interrelated question of law and ethics and depends on the circumstances. If you’re buying back your own data from a malware attack, you are still paying the criminals, but in most cases, it will not have legal but ethical implications.

‘However, if you are knowingly purchasing stolen data from third parties and your primary intent is to profiteer from commercialisation or exploitation of the data, you may well be summoned by the attorney general within a scope of criminal investigation and consequent prosecution.’

It’s a global problem. Is there a global solution?

‘In 2020, we’re not even talking about identifying cyber criminals, because unfortunately most of them will be located in a foreign jurisdiction and beyond the reach of European or American courts. So, we may invest a huge amount of taxpayers' money to forensically investigate and technically uncover who they are - but if they’re based in, say, China - there’s not much you can do about it as a matter of law, unless Chinese authorities agree to cooperate.

‘We obviously do have international and multinational task forces to overcome the legal hurdles and effectively tackle cybercrime, enhanced with national inter-agency groups - whose primary goal is to uncover and arrest the cyber criminals. Frequently, their initial purpose is to stop their activities by tracking them and deactivating their booming ecosystem; by shutting down botnets, servers, different marketplaces or dark web forums, for instance.

‘If criminals are located in jurisdictions where they can be brought to account, then obviously, they will go on trial - unless they agree to cooperate and make a plea bargain with the prosecution. However, when they aren’t, law enforcement agencies maintain an up-to-date list of the well-known cyber criminals and if they know that a specific criminal has travelled to, let’s say, Florida, enjoying the seaside, or has been having fun in a European country driving luxury cars, then, in that jurisdiction, they may knock on their door and say, "hello, remember that crime from seven years ago...?"’

Reports suggest that the price of stolen data is falling. Why is this?

‘I would say it is a temporary and niche-specific trend happening mostly because we have an influx of new players trying to start their careers in cybercrime. In developing countries, we’ve had countless numbers of students who have been dreaming of becoming an IT specialist.

Since COVID-19 they have no jobs, or have very limited access to jobs or internships, so they're trying to find their vocation on the dark side of things. Unfortunately, most of them have succeeded and we’re now seeing a rapid growth in stolen goods with sellers slashing their prices to stay competitive.

‘There is also certainly a growth in cybercrime and successful data breaches now because many organisations are shifting their teams and employees to work remotely. In many organisations, we had what we call a multi-layered approach to security.

For example, you have your laptop that is located in a segregated area of the network with security monitoring tools and an anomaly detection system that is connected to a corporate email server with its own anti-phishing solutions, malware sanitisation sandboxes and so on. This multi-layered approach is in place to make sure that as few malware, ransomware or malicious content emails as possible arrive on your office device.

‘When working from home, you are usually connected directly to the internet or via a VPN, where many of the security controls that are readily available in the corporate environment are non-existent, or even worse when employees are using shadow IT or personal emails for business purposes - all this facilitates intrusions, data theft and further growth of shadow IT.

‘Good and faithful employees have insecurely connected to office infrastructure in order to continue performing their duties remotely, but they haven’t always notified their IT personnel or cyber security person to ensure security and compliance with the enacted policies.’

Is this widespread?

‘Effective implementation of work from home really depends on the organisation’s profile and geography. It is widespread for companies who had both the time and the resources to properly implement security controls for remote working before the pandemic, while others are severely impacted by the sudden burden to operate from home. And that’s not just SMEs, the same can be said for large multinational organisations that have several different CISOs in several regions and every CISO says that he or she is in charge, or not in charge, of a specific issue. Frequently, they miss essential things while arguing.’

Do you think people abdicate personal responsibility when it comes to company IT? I read recently that people are still using ‘password1’ - which is horrifying in 2020!

‘It’s a tricky question. We've been doing some research related to stolen passwords and dark web exposure of organisations and what we found was that sometimes strict password policies may jeopardise the entire organisation.

Why? Because people, if they are required, will create passwords, say 15 characters long, including special characters, for use in a secure environment - then will reuse the very same password everywhere else. So, thieves will steal passwords from a golf website, or a car sales shop, then use this presumably unbreakable and unbruteforceable password to gain access to company systems.

‘The second issue is that the more complicated a password you have, the more complicated it is to remember. So, if you’re required to change your password every 30 or 90 days, then people are more likely to put the password on a post-it note and put it under the keyboard or under the table. And who really bothers to enforce a clean-desk policy?

‘I say there are also problems with two factor authentication (2FA). By default and abstracted from other nuances, two-factor authentication enhances the resilience organisations have. It minimises the risk of data breaches involving password theft, oftentimes stemming from incidents affecting third parties or suppliers, but it's not a panacea.

‘We've seen many security flaws and vulnerabilities impacting specific implementation of 2FA in web applications and web services. In some cases, the incorrect implementation of the two-factor authentication has permitted non-authenticated users to completely skip any authentication altogether and log in to the system with administrative privileges!’
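The second-factor failure described in this answer is a step-ordering defect: the code that completes the login trusts something it should not. The example below is an added illustration, not code from the interviewee or from ImmuniWeb, and the pattern it shows is hypothetical: a flawed step-2 handler takes the username from the request and only compares a one-time code when one happens to be pending, so a fresh session that never passed step 1 is logged in as whoever it names. The hardened handler beside it derives identity and the pending code solely from server-side session state written by step 1, enforces expiry and attempt limits, and consumes the state on success. The user store, session dict and six-digit code are all constructed here.

```python
"""Two-step login: a second-factor check that can be skipped, beside a hardened one.

Hypothetical illustration; the user store, session dict and one-time code
are constructed for the example and do not come from any real service.
"""
import hashlib
import hmac
import secrets
import time

# Constructed user store with PBKDF2 password hashes (single fixed salt for brevity).
_SALT = b"demo-salt"


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    "alice": {"pw": _hash_pw("correct horse"), "admin": False},
    "admin": {"pw": _hash_pw("h4rd-t0-gu3ss!"), "admin": True},
}

OTP_TTL_SECONDS = 120
MAX_OTP_ATTEMPTS = 5


def start_login(session: dict, username: str, password: str):
    """Step 1: verify the password and issue a one-time code.

    Returns the code so the example can complete step 2 offline; a real
    service would deliver it out of band (authenticator app, SMS, push).
    """
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw"], _hash_pw(password)):
        return None
    code = f"{secrets.randbelow(1_000_000):06d}"
    session.clear()
    session["pw_verified_user"] = username
    session["pending_otp"] = code
    session["otp_expires"] = time.monotonic() + OTP_TTL_SECONDS
    session["otp_attempts"] = 0
    return code


def broken_verify_otp(session: dict, username: str, code: str) -> bool:
    """Step 2, flawed: the username comes from the request, and the code is
    only compared when a pending code exists. A fresh session that never ran
    step 1 has no pending code, so no check runs and the caller is logged in
    as whichever account name they supplied."""
    pending = session.get("pending_otp")
    if pending is not None and not hmac.compare_digest(pending, code):
        return False
    session["authenticated_as"] = username  # defect: unverified identity
    return True


def hardened_verify_otp(session: dict, code: str) -> bool:
    """Step 2, hardened: identity and pending code come only from the state
    step 1 wrote server-side; expiry and attempt limits are enforced; the
    state is consumed on success so the code cannot be replayed."""
    user = session.get("pw_verified_user")
    pending = session.get("pending_otp")
    if user is None or pending is None:
        return False  # step 1 never completed in this session
    if time.monotonic() > session.get("otp_expires", 0):
        session.clear()
        return False
    if session.get("otp_attempts", 0) >= MAX_OTP_ATTEMPTS:
        session.clear()
        return False
    if not hmac.compare_digest(pending, code):
        session["otp_attempts"] = session.get("otp_attempts", 0) + 1
        return False
    session.clear()
    session["authenticated_as"] = user
    session["is_admin"] = USERS[user]["admin"]
    return True


def demo():
    """Run the three cases: step 1 skipped against each handler, then a legitimate flow."""
    skipped = broken_verify_otp({}, "admin", "000000")       # flawed handler: logged in
    rejected = hardened_verify_otp({}, "000000")             # hardened handler: refused
    s = {}
    code = start_login(s, "alice", "correct horse")
    completed = hardened_verify_otp(s, code)                 # legitimate two-step login
    return skipped, rejected, completed, s.get("authenticated_as")


if __name__ == "__main__":
    print(demo())
```

The essential difference is where the second step gets its facts from: in the hardened version nothing the client sends can substitute for the record that step 1 left in the session, and that record is destroyed once used.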

Are there cases where even the security conscious employee gets duped?

‘There is a myriad of means to trick users of different systems. Fraudsters may contact an employee by SMS saying “this is your employer security division. Mr Jones or Mrs Jones, you will get a fraudulent SMS within 60 seconds from logging in. Please ignore the SMS and forward it to us and we will investigate.”

Then the authentic one-time password is forwarded, by the diligent employee, to cyber criminals who will then access the secure network. Social engineering will always defy even the most sophisticated technological barriers by targeting human weaknesses.’

If human error can never be negated, do you think it will be possible to train AIs to recognise phishing and malware in the future?

‘I'd say the good news is that machine learning and AI can definitely help. Machine learning can probably catch up to 85-90% of routine phishing emails - possibly up to 99% of the basic phishing kits widely available on the market.

‘What machine learning needs is a large volume of well-structured data; in our case, many thousands of samples of phishing websites. But if a newly created phishing website does not resemble anything that the machine learning model is aware of and rather has all the criteria of a legitimate website, then machine learning won’t help.

‘Given how flexible modern web technologies have become, every website can become virtually different from all the others so you can confuse the machine learning and it will tell you this is a legitimate website.

‘On the cyber security side, we may add weights to certain parameters that impact phishing status - but in this case, a system may generate just a huge number of false positives. That could result in online banking being blocked and indignant users saying, "I need access to my ebanking, NOW."’

What is the biggest threat to the industry?

‘We have many software developers who learned everything themselves. I have nothing against that, because I used to code in eleven programming languages at university and later, while I learned just two of them at school. However, a lot of people working as software developers don't hone their skills sufficiently to build and develop resilient software. I'm not talking about state-of-the-art security, even just the foundational security controls are oftentimes missed, or ignored.

‘Also, European and American organisations tend to outsource their software development capacities to third parties located abroad. Frequently, these companies (even if they have all the certificates, internal policies and frameworks on secure software development) tend to sub-contract too, and their subcontractors outsource to other subcontractors; at the end of the day, they just deliver a horrible quality of source code, in terms of security, in terms of resilience and in terms of data protection compliance.

‘The company might say, "we've been scanning and here's a list that we've been scanning for OWASP top 10. We've been developing this specific piece of software being mindful of secure development life cycle; here's a certificate that we are an ISO 9001 certified company", nobody really bothers. Nobody really bothers to verify, or to scrutinise the source code.

‘The number of self-taught programmers is growing. On one side it's great, on the other, they are building this super fragile ecosystem of software, of IoT firmware, of mobile apps, that is a powder keg ready to explode.’

What do you think about open source?

‘On one hand, open source can offer a lot of benefits. On the other, it can bring a false feeling of security because we are living in the epoch of collective irresponsibility where everyone's saying “it's not my job”. So, usually what we see in open source software, is old tools - some as many as 20 years old - packed with trivial and easily exploitable vulnerabilities. But, people continue to use the software, thinking, “this is open source, meaning that everyone has already audited this specific source code." But in reality, perhaps no one has ever bothered to do anything beyond a quick review.

‘I attended a CISO round table and we all agreed that what makes open source so dangerous is the fact it’s maintained by unknown individuals and enthusiasts who are not getting paid. So, what is to stop a cyber gang or nation state hacker corrupting one of the developers and making them introduce an almost invisible vulnerability? We're not talking about back doors - because a back door is almost always identifiable and detectable - but let's say leaving a convoluted security vulnerability in the code?

‘Everyone makes mistakes, so no one will point the finger over just making a small update to a piece of software (then selling the vulnerability to an external actor and moving on).

‘We have no idea how many such vulnerabilities exist, though I think statistically speaking, there are reasonable grounds to believe that we have quite a few. Virtually nobody has ever bothered to properly audit continuously evolving, continuously imported open source code, so I think the biggest challenge is there.’