In the age of WhatsApp, Facebook Messenger, Slack and the thousands of other messaging tools, email is now considered by many to be a “long-form” method of communication.
Long-form accurately describes some of the emails in my inbox, though any authors in the audience might disagree.
Have you noticed the recent trend of companies sending updates by phone?
Airlines regularly text me with flight info.
HMRC (the UK tax authority) texts me to tell me my tax return is due.
My bank texts me one-time passcodes (two-factor authentication).
Whilst useful, these are problematic from a security perspective because of the trust people place in phone messages.
People still fall victim to email scams, but most are aware email addresses are not that personal – many will happily share them online.
Their phone number? No way!
That creates a layer of trust around anything they receive on their phone.
The (incorrect) belief is that if someone has their number, then they must know them well.
Whilst messages from said airline, HMRC or bank never include any links and come with security advice (do not click any links, etc.), this is typically not enough.
Case in point: see the text message above. Source.
A nicely crafted myriad of sub-domains that I’m sure caught many people out.
As the author of the linked post notes, these domains get blocked pretty quickly. But in many cases not quickly enough. Even if one or two people click these links I’m sure a healthy profit is made.
We’re all security professionals. We’re sceptical about most things. We also suffer from the curse of knowledge.
Independently validating a domain is hard for a layperson (and the “don’t click any links” message in security training is ignored 99% of the time).
Threat intelligence tools are vital in protecting users from ending up on these malicious pages. However, BYOD policies and the speed at which these domains are created and torn down mean threat intelligence alone is not enough.
So I ask you: how do you protect users against this type of activity on their devices, in addition to threat intel?
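One on-device complement to threat intel, added here as an example and not code from the original post: show the user the registrable domain behind a link and flag brand names buried in the sub-domain labels. The suffix table, the watch-list and the sample hosts (`refund-secure.example`) are constructed for the demo; a real build would load the full Public Suffix List.

```python
# Added example (not from the original post): a heuristic that surfaces the
# registrable domain of an SMS link and flags brand tokens hidden in
# sub-domains. Suffix table and watch-list are constructed subsets; a real
# deployment would load the full Public Suffix List (https://publicsuffix.org/).
from urllib.parse import urlsplit

# Constructed subset of public suffixes; the longest matching suffix wins.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "gov.uk", "example"}
# Constructed watch-list of tokens a user would read as "this is official".
WATCH_TOKENS = {"hmrc", "gov", "bank"}


def registrable_domain(host: str) -> str:
    """Return the registrant-controlled part of a host name (e.g. hmrc.gov.uk)."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so "gov.uk" beats "uk".
    for n in range(1, len(labels)):
        if ".".join(labels[n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[n - 1:])
    return ".".join(labels)  # unknown suffix: treat the whole host as the domain


def assess_link(url: str, expected_domain: str = "") -> dict:
    """Return the domain the user should judge, plus any warning flags."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    reg = registrable_domain(host)
    # Labels to the left of the registrable domain are attacker-chosen decoration.
    sub_labels = host.split(".")[: -len(reg.split("."))] if host != reg else []
    flags = []
    # A brand token in a sub-domain that is absent from the real domain is the
    # classic "hmrc.gov.uk.<something else>" trick.
    if any(tok in lbl and tok not in reg for lbl in sub_labels for tok in WATCH_TOKENS):
        flags.append("brand_token_in_subdomain")
    if expected_domain and reg != expected_domain.lower():
        flags.append("domain_mismatch")
    if len(sub_labels) >= 3:  # arbitrary threshold for the demo
        flags.append("deep_subdomain_chain")
    return {"host": host, "registrable": reg, "subdomains": sub_labels,
            "flags": flags, "verdict": "warn" if flags else "ok"}


if __name__ == "__main__":
    # Constructed sample links: one legitimate, one lookalike.
    for link in ("https://www.hmrc.gov.uk/self-assessment",
                 "https://hmrc.gov.uk.refund-secure.example/claim"):
        print(assess_link(link, expected_domain="hmrc.gov.uk"))
```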
ThreatPipes Modules relevant to this post
- AlienVault OTX: Obtain information from AlienVault Open Threat Exchange (OTX)
- Fraudguard: Obtain threat information from Fraudguard.io
- TotalHash: Check if a host/domain or IP is malicious according to TotalHash.com.
- MetaDefender: Search MetaDefender API for IP address and domain IP reputation.
- VirusTotal: Obtain information from VirusTotal about identified IP addresses.