A few weeks ago I wrote a post Passwords and Multi-Factor Authentication about the scale of attacks on cloud providers and other services. At the recent Black Hat Security Conference in Las Vegas, Google's research lead for security, Elie Bursztein, discussed phishing attempts on Gmail in his session titled Deconstructing the Phishing Campaigns that Target Gmail Users.
The first statistic is that 45% of users have no idea what phishing is. With percentages that big, you might be one of them, and so I'll start there. Phishing is sending emails that look like they come from someone legitimate but they are actually coming from an adversary. Typically the email is either trying to get you to click on something to collect usernames and passwords with a doppelgänger website, or to take some other action such as approving some purchase or wiring money.
Elie categorized campaigns into three:
Elie opened with what I thought was an amazing statistic, that there are over 100M phishing emails blocked by Gmail every day.
Google uses deep learning approaches to recognize phishing emails, but he pointed out it is very different from just recognizing cats, which haven't changed through the ages. Phishing is adversarial: the people sending the messages are actively trying to defeat the recognition algorithms, so the content and appearance of the messages keep changing.
To give you an idea of just how tricky this is, 68% of phishing emails have never been seen before. They have been tweaked so they are not precisely the same, to try and avoid detection. So every day the Gmail system has to cope with a huge amount of phishing email never seen before. Phishing attacks are short-lived, lasting just seven minutes on average from sending the first phishing email to the last of the same campaign. For bulk campaigns they last longer, over 12 hours, using botnets and trying to spread messages over as many IP addresses as possible.
Phishing is generally targeted with businesses and non-profits five times more likely to be targeted than individual users. The adversaries are financially motivated and so are looking for high-value targets. They are split as to what the phishing emails impersonate:
The Gmail system classifies emails into three buckets: not phishing, phishing, and maybe. In the maybe cases, Gmail shows a warning that the email is suspicious.
Next, Daniela Oliveira of the University of Florida took over and talked about how phishing works by tricking the way our brains work. We have two systems for processing information, known as system 1 and system 2. These were named by Daniel Kahneman, who won a Nobel Prize. His very readable book, Thinking Fast and Slow, goes over the idea.
System 1 is fast, automatic, intuitive, and emotional. System 2 is slow, deliberative, logical, and uses more energy in the brain. Phishers construct their messages to try and get you to use system 1, where you think the message looks normal and you don't analyze everything about it in detail. Then they add more deceptive cues to the message to make them even more appealing, such as persuading you to action, framing things as a potential loss ("you have a refund"), or emotional salience ("wildfire relief fund").
Elie came back to discuss what we can do about phishing. There is no silver bullet that renders phishing ineffective. User awareness is critical, and people are less likely to click on things if they are aware of the concept of phishing. Of course, systems like Gmail try to suppress phishing emails, but with short-lived and fast-mutating campaigns, they will never be 100% effective at catching emails that have never been seen before.
Two-factor authentication (2FA) is another big one, since it means that simply having your username and password captured is not enough for the adversary. Elie said that not all 2FA schemes are equal; listed from weakest to strongest, they are a secondary email, a text message, a device prompt, and a security key.
Gmail can't really do this, but another approach is to vary the aggressiveness of the algorithm depending on the recipient. A junior employee with no authority to approve anything is not a big risk. Someone with wire-transfer authority up to some limit is a bigger risk. Someone with international wire-transfer authority, or no limit at all, is bigger still.
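To make the three pieces above concrete (the deceptive cues phishers rely on, the three-bucket verdict with a "suspicious" warning for the middle bucket, and thresholds that tighten with the recipient's authority), here is an added example that is not from the talk and is not Gmail's code. Gmail uses deep learning; this is a transparent rule-based stand-in. The cue lexicons, trusted domains, risk tiers, thresholds and sample emails are all constructed for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    """The three buckets described in the talk."""
    NOT_PHISHING = "not phishing"
    MAYBE = "maybe"          # deliver, but show a "this message looks suspicious" warning
    PHISHING = "phishing"    # block


@dataclass(frozen=True)
class Email:
    sender_domain: str
    display_name: str
    subject: str
    body: str


# Hypothetical cue lexicons (constructed): each models one of the system-1 hooks
# mentioned in the talk: pressure to act, loss framing, emotional salience.
URGENCY = ("immediately", "within 24 hours", "urgent", "act now", "account will be suspended")
LOSS_FRAMING = ("refund", "overdue", "unpaid invoice", "payment failed")
EMOTIONAL = ("relief fund", "wildfire", "disaster", "charity")
ACTION = ("wire transfer", "approve", "verify your password", "confirm your login")

# Hypothetical risk tiers (constructed): (maybe_threshold, phishing_threshold).
# Lower thresholds mean the filter is more aggressive for that recipient.
RISK_TIER_THRESHOLDS = {
    "junior": (5, 8),          # cannot authorize anything
    "wire_limited": (4, 7),    # wire-transfer authority up to a limit
    "wire_unlimited": (3, 5),  # international / no-limit authority
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def cue_score(email: Email, trusted_domains: frozenset[str]) -> int:
    """Add up weighted evidence; each lexicon counts at most once."""
    text = f"{email.subject}\n{email.body}".lower()
    score = 0
    for lexicon, weight in ((URGENCY, 2), (LOSS_FRAMING, 2), (EMOTIONAL, 1), (ACTION, 2)):
        if any(cue in text for cue in lexicon):
            score += weight
    # Display name borrows a trusted brand, but the mail comes from elsewhere.
    brand_words = {d.split(".")[0] for d in trusted_domains}
    if email.sender_domain not in trusted_domains:
        if any(b in email.display_name.lower() for b in brand_words):
            score += 3
        # Doppelgänger domain: within two edits of a domain we trust.
        if any(edit_distance(email.sender_domain, d) <= 2 for d in trusted_domains):
            score += 3
    return score


def classify(email: Email, tier: str, trusted_domains: frozenset[str]) -> Verdict:
    """Map the score to a bucket using thresholds chosen by recipient risk tier."""
    maybe_t, phish_t = RISK_TIER_THRESHOLDS[tier]
    score = cue_score(email, trusted_domains)
    if score >= phish_t:
        return Verdict.PHISHING
    if score >= maybe_t:
        return Verdict.MAYBE
    return Verdict.NOT_PHISHING


# Constructed sample data for the demonstration.
TRUSTED = frozenset({"examplebank.com", "corp.example"})
LEGIT = Email("corp.example", "Corp IT", "Monthly newsletter",
              "Here is this month's update on the office move.")
PHISH = Email("examp1ebank.com", "ExampleBank Support", "Urgent: verify your password",
              "Your refund is waiting. Confirm your login within 24 hours "
              "or your account will be suspended.")
APPEAL = Email("relief-appeal.example", "Relief Appeal", "Wildfire relief fund",
               "Please approve a donation to help families who lost homes.")

if __name__ == "__main__":
    for name, mail in (("legit", LEGIT), ("phish", PHISH), ("appeal", APPEAL)):
        for tier in RISK_TIER_THRESHOLDS:
            print(f"{name:7} {tier:15} score={cue_score(mail, TRUSTED):2} -> {classify(mail, tier, TRUSTED).value}")
```

The borderline charity appeal is the interesting case: it is delivered silently to a junior employee but carries a warning for someone with unlimited wire authority, which is exactly the per-recipient aggressiveness the post describes. The obvious phishing mail is blocked for every tier because the lookalike domain and borrowed brand name outweigh any single wording cue.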