Are Phishers Learning From Marketers...

Most marketers send targeted, relevant email to their customers and prospects with the goal of creating interest. More often than not, those emails include a call-to-action, usually a link of some kind, meant to capture that interest. Phishers use very similar techniques. Listen to this podcast to learn about those techniques, and hear from the Core Security experts on whether there is a way to tell the good from the evil.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Bobby Kuzma:
Hello and welcome to the Core Security Podcast. This is episode number four. I'm Bobby Kuzma. Joining me today from our offices in the Atlanta area are Venkat Rajaji, our SVP of Marketing, and Beto Salino, our Director of Research, up from Buenos Aires, Argentina. Welcome to the podcast, gentlemen.

Bobby Kuzma:
Venkat got an email and it weirded him out. And since Venkat directs our marketing, that's kind of interesting. What happened, Venkat?

Venkat Rajaji:
You see, Bobby, what we do, ironically enough, is send out a lot of emails to our prospects to gain interest. I received one of those. I get a lot of those types of emails myself. This one was really interesting. It was a person who asked me if I had received a hotel key card and napkin in the mail. And he asked me to click on a microsite with my name in the URL.

Venkat Rajaji:
We had just done security training here at Core Security and I was weirded out by phishing and phishing scams and whatnot. I saw this and I thought: "Wow! This must be a classic phishing scam, or this is perhaps one of the best account-based marketing tactics I've ever seen." So, pretty weirded out by all of it... that's kinda the genesis behind all of this, where this came from.

Bobby Kuzma:
Part of your mission is making sure that people get our emails and open them. And that's the same mission that the phishers have.

Venkat Rajaji:
Yep. You got it, you got it. One of these new techniques that we in marketing are beginning to use these days is this notion of account-based marketing. What account-based marketing is, is we are looking at particular companies. We're targeting those companies. We're targeting specific contacts and people within those companies and saying, instead of providing them with a generic email about "Core Security does XYZ," we actually create landing pages, we actually create specific pages for that particular person saying: "Core Security can help you, Mr. XYZ, with your pen-testing mission, so that you can attain PCI DSS compliance. Here's a link about what we can do specifically for you."

Venkat Rajaji:
This kind of thing is evolving, but it's one of the hot new trends that we in marketing are seeing and doing. I certainly, as much as all of you guys probably do, get emails like this regularly, that are specifically geared towards me. It's really interesting that... like you just said, Bobby, it's probably a very similar mission to what the attackers are doing.

Bobby Kuzma:
To be perfectly honest, you can probably run one of your marketing campaigns out of Core Impact.

Venkat Rajaji:
That's probably true Bobby, we probably could.

Bobby Kuzma:
The techniques behind this and the psychology behind it is based on human perception and adjusting that in order to get the desired result. Where do these techniques come from? Because it seems like we're now stuck in an arms race where the good guys and the bad guys are both using the same tool set.

Venkat Rajaji:
That's a great point. So, kind of how we've evolved into this market is... back in the old days, we would send out brochures, we would send them out through the mail to those particular people. And then we would call those particular people whose phone numbers we had. Now that we've moved into the world of digital, that's kind of how we do it... everything's moved towards email. And then what we do is, we supplement those emails and phone calls with landing pages. Landing pages being: "Click on this link to learn more about X, Y, and Z."

Venkat Rajaji:
Now, what we've done is, we've gone from this notion of content-based marketing around sending out an email, asking somebody to click, to now we're sending you, Bobby Kuzma, an email and we want you to click on this particular link specifically for you, Bobby Kuzma, that's not generic for everybody else. It's specifically just for you, so that you can gain more knowledge about how we can help you in your mission, with content tailored specifically for you, right?

Venkat Rajaji:
When you think about that, isn't that kind of the same type of tactic that attackers could be using to get us? Because it seems fairly convincing, right? It seems like: "Oh, wow! They could actually help me in my job."

Bobby Kuzma:
That's what's kind of frightening to me. Beto, you've been with Core Security since practically the beginning. You were one of the original members of our consulting practice and our pen-testing team before moving across into running our research programs. What's your take on this?

Beto Salino:
Actually, my take on this is that it's pretty exciting to see how all the existing marketing techniques can be abused by attackers. It's a good way to learn how to integrate those techniques into the things that we do. Similar to what Venkat just said, the techniques... the phishing... and I will also say what we call client cyber attacks, which not only try to trick users into giving up data, but also into executing something else that could end up compromising the workstation or device they are reading the email we sent from.

Beto Salino:
Those techniques have evolved over time, I will say, probably by the same effect that the marketing techniques are evolving. And the reason is, we want to increase our success rate. I think marketing wants to do that as well. They might call it conversion rates; we call it agents deployed or data gathered. At the same time, minimizing the amount of noise that could potentially be used for detection.

Beto Salino:
At the very beginning, I will say 15 years ago when we started doing some phishing and client cyber attacks, it was just sending out emails with attachments and not that much information. And most probably people would take the bait, let's say. Now, with all the training and actually all the news that is out there about phishing attacks, things are getting more complicated. Or I would say exciting. And that requires more techniques to be developed.

Beto Salino:
As Venkat mentioned, whenever the consulting team performs phishing or client cyber attacks, there's a phase that has to do with fingerprinting the users. That doesn't necessarily mean that you will be sending an attack that will require the user to enter data or execute something right away, but they will send emails just aiming at knowing where the user is reading the emails from, what the target infrastructure and the target browser the user has are, to even what the potential ways to generate a connection back to us are. Something we call rebirth people scanning.

Beto Salino:
At the end, there are a lot of similarities in what we use, and I see this as actually pretty interesting, and I wait to see what marketing is doing to mimic those things in our attacks.

Bobby Kuzma:
Do you think that the phishers are learning from the marketers? The marketers are learning from the phishers or they're both learning from someone else?

Beto Salino:
That's a good point. I think overall there are many sources for learning. And definitely, marketing is one. Because they've been doing this for a long time already. As I said before, one of their main purposes is to put a brand in front of the prospects and, I won't say trick, but convince the user into getting interested in whatever brand it is. And that's exactly what attackers are trying to do, right? What do you think, Venkat?

Venkat Rajaji:
I think... we have this terminology that we use in marketing. It's called clickbait, right? It's how do we bait people into clicking on something, whether that's a link, whether that's an advertisement. Whatever that might be, what's the bait we can use? What are the hooks? What is the kind of terminology, the language, that can really get people interested?

Venkat Rajaji:
I'm not actually sure who's learning from whom, actually. I'm not sure if we're learning from the attackers, or if the attackers are learning from us, but I think, similar to what Beto said, it's interesting. It's exciting to see how we all, and by we all I mean marketers and attackers, have the same objective. And that objective is to do something to create interest in a targeted person. The techniques that we're using, some are for good, some are not for good. And it's really interesting to see how there's this convergence of... we want to help people. We want to evangelize what our product capabilities are. And yet at the same time, that same technique that we're using could also be used for evil as well.

Venkat Rajaji:
It's really interesting how these types of methodologies and techniques are converging and blurring the lines between what's good, what's evil. It's really interesting how the world is evolving this way.

Bobby Kuzma:
I've personally always been a firm advocate that tools are tools, and it's the intent of the user that makes the usage itself good or evil. The particular marketing email that you received was part of a multipronged, multifactor process, and some of our colleagues actually received physical items associated with this campaign.

Bobby Kuzma:
Did that type of strategy increase the effectiveness of this campaign, do you think?

Venkat Rajaji:
That's what's really interesting. First and foremost, it wasn't a phishing attack. It was actually a legitimate email. I did a Google search on this email and it turns out it is legitimately from a company that does website design and they hook you in using this method. It is typical account based marketing.

Venkat Rajaji:
And yeah, you're right, Bobby. People on my team did actually receive a hotel key card and napkin in the mail from this person, who then followed it up with an email specifically with a URL and a microsite with my name on it. Given that I had gotten some previous warning, there's a very high likelihood that: "Oh, okay. I've seen this. This is not unfamiliar to me. I could probably click on this and be okay."

Venkat Rajaji:
Now, think about it from the attacker's mind. I'll let Beto and you comment on this, but maybe this is something that now, if we find out contact information, if we find the location of where these people are, we can send them snail mail to then induce a behavior.

Beto Salino:
That's actually a pretty interesting technique. Thanks for commenting on that. I think it all boils down to the evolution of the phishing attacks. As I said before, it's what marketing techniques are nowadays, which is trying to target specific users. Not a bunch of users. If you wanna do that, it has to be a personalized approach. I really like the idea of approaching a target from different sources, as you've said. In order to create a false, or not false, sense of: "Oh, hey, I know these folks. I might be able to click this because I know these folks. I heard about these folks before."

Beto Salino:
That's in contrast to receiving an email for the first time, which might generate a higher alert. In particular, this is worth commenting on as well, right? In a sense, attackers have a slightly better advantage over us because they can use known brands as a way to target users. We, white-hat hackers, can't, because we don't want to spoil well-known brands when performing attacks. This technique of trying to do some brand awareness with targets over time before sending the actual attack and trying to get the target to click the bait is actually very interesting. It is a very good technique to be used.

Bobby Kuzma:
I seem to recall, from my early days in the field, Kevin Mitnick making some claims that he conducted a multipronged social engineering attack against a cellular phone manufacturer to get a debug chip, that started with a series of letters masquerading as a colleague at another location and escalated to phone calls. Creating that synthetic sense of familiarity is what was done in both of these cases.

Bobby Kuzma:
What can we do to protect against that in our user populations?

Beto Salino:
Actually, that's a great question. There's no simple answer to that because, as we all mentioned before, right, there's a blurry line between what's fake and what's real. I've seen some companies approaching this problem in a very straightforward manner, which is, they explicitly announce or let the customers know what type of information and what type of data they will send and ask for through email, through the email communication channel. The customers are aware that if they receive something on behalf of these companies that sounds strange, they might not actually click the bait.

Beto Salino:
That's the thing that I think is interesting for companies to implement. Whenever they're approaching customers... this is slightly different for marketing campaigns, maybe, right? Because marketing campaigns often go to prospects as well. In any case, companies may have policies about what they send out or do not send out, even to prospects. Prospects know: "Okay, company X, they will never ask me to execute or send my personal data because it's their policy."

Beto Salino:
I think it has to start this way, because, as I said before, the line is too blurry between what's legit and what's not.

Bobby Kuzma:
We all know that, while you can continuously train people to recognize warning signs, eventually training fatigue sets in and it starts going in one ear and out the other. These techniques are going to continue to be effective long into the future, unfortunately. Or fortunately, from our marketing team's standpoint.

Beto Salino:
Yes, I think this is here to stay. We always say, when we talk about security, that security always breaks at the weakest link, right? These days the link is the human factor. And I think it's gonna stay the same for quite a long time. At least with these existing communication channels that we have nowadays. And that's one of the reasons why we have to assume, if we do security, that sooner or later somebody is gonna get into our organization, and it's a matter of testing what can be done if somebody is in here, instead of enforcing security only at the border networks. You have to enforce security anywhere inside the organization. Include detection mechanisms as well as penetration testing with different attacker profiles, like somebody from the outside. Somebody that got into our network. Somebody that not only got into our network, but also has privileges inside the network.

Beto Salino:
So you can have a clear picture of what can be done with those different attack profiles and minimize the impact of somebody compromising internal networks.

Bobby Kuzma:
The "always assume that you're breached and react accordingly" strategy is something that personally I've been advocating for almost the entire time I've been in the security field. These particular sets of issues are just going to continue. As long as email is the unauthenticated, insecure protocol that it is, we're gonna be facing this.

Bobby Kuzma:
We're coming up toward the end of our program today. Venkat, any final thoughts?

Venkat Rajaji:
From a marketer's perspective, we are trying to raise awareness, raise awareness of what we do, and try to target particular people. It's interesting that... given what we do, we try for good. The techniques we use can often be used for evil. I guess the only thing I can say is just be careful, but assume positive intent from the marketers. That's the only thing I can say.

Bobby Kuzma:
Beto, last thoughts?

Beto Salino:
From the attacker's standpoint, I tend to think like attackers, right? I think it is wise to look at what marketing folks are doing, because what I foresee in the future is not only email as a way to approach people, but also some other channels, and those channels will probably be abused as well by attackers. So, that's pretty exciting, because email has been going on for quite a long time already, but you have advertisements, you have even watches that receive news. Who knows what attackers will be able to do through those things in order to convince targets, victims, to expose their information that later on could be used by the attackers to increase the attack surface. It's pretty exciting to follow what marketing is doing, actually.

Bobby Kuzma:
Gentlemen, Venkat, Beto, thank you very much for coming on the program today. And for those of you out in the audience, we will be back for episode five soon. In the meantime, please check out all of the great resources that we have available up on CoreSecurity.com, and until next time, see ya!