Cracking the code

Compromised QR codes are the latest reason for employers to get a strong cybersecurity plan in place.


A recent advisory from Madison-based Aberdean Consulting LLC warned clients about the latest trend in business email compromise: phishing emails that hide a malicious link behind a QR code. Because the link is embedded in an image rather than in the message text, it slips past filters that inspect only the text, and it is revealed only when a user scans the code with a phone and lands on a credential-harvesting page.

Phishing attacks that carry a QR code, also known as “quishing,” trick an organization’s users into scanning the code with a mobile phone, which opens a fake login page built to steal credentials. According to local IT service executives, one reason threat actors use QR codes is that they are the simplest way to move a user off a better-defended desktop or laptop and onto a mobile device, which often lacks the anti-phishing protections of a managed workstation and where the destination URL is harder to inspect before tapping it.

“It is a variant of existing phishing methods as they shift the user to their mobile device where things may not be so obvious,” explains Jim Blair, managing partner of Aberdean Consulting.

Some tech giants are taking action in response to QR code phishing. Microsoft has mandated multifactor authentication (MFA) for Office 365 users and has implemented conditional access policies to block risky sign-ins, but businesses can do more to ward off quishing and other cyberattacks. With attacks on small companies on the rise, we interviewed Blair, who co-founded Aberdean Consulting; Bryan Chan, president and founder of SupraNet Communications Inc.; and Todd Streicher, president of CyberNINES. They offered several tips for navigating the evolving threat landscape.


Tip 1: Think comprehensively

While necessary and helpful, the steps Microsoft is taking with MFA and conditional access policies only scratch the surface of the attack vector; they do not close it. A comprehensive approach involves frequent employee training, software upgrades and patches, existing and emerging security technology, cyber insurance considerations, and, if necessary, expanded forensic capabilities to determine how breaches occur.

“Any of these solutions offered by a provider, like a software solution from Microsoft, can be really valuable,” Streicher notes, “but the question is: How do you know it’s pertinent to you? When you choose any one solution, it’s really not a comprehensive approach to solve the problem. MFA is really important. It helps a ton, but what companies need to think about is what are all the things that they need to do?”

Tip 2: Train and educate


Ultimately, end users are the last line of defense, but they can also be the weakest link in the chain. Companies can always do more to train their teams to recognize threats, and various managed service providers (MSPs) and managed security service providers (MSSPs) offer free recurring online training or periodic, short-format briefings to business clients. Other vendors, such as Madison-based Infosec, focus on cybersecurity training and certification.

The more that’s done to educate users, the less phishing becomes an issue. Notes Blair: “The weakest link in the chain is the weak point, and unfortunately, people tend to be that way.”

Part of the training involves teaching users the dead giveaways of a cyberattack. For QR code phishing, Aberdean’s advisory cited several red flags that users should be able to spot in an email: a spoofed sender address, your company’s name inserted near the Microsoft copyright statement, and a QR code whose destination URL, once decoded, points to a domain that does not belong to Microsoft. Among the preventive actions is simply reminding users that Microsoft will never email them a QR code.
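As an added example, not from the article or from Aberdean’s advisory, the Python below applies that last red flag to the address decoded from a QR code. It assumes the code has already been decoded to a URL string (by the phone or a desktop decoder), and its allowlist of Microsoft sign-in hosts is an illustrative assumption rather than an authoritative list. It goes a step beyond the advisory by also catching two tricks that make a bad URL look good on a small phone screen: a legitimate-looking hostname placed in the userinfo part before the real host, and a legitimate host used only as a redirector to the attacker’s page.

```python
"""Triage the URL decoded from a QR code in a suspected quishing email.

Added example; not from the article or from Aberdean's advisory. Assumes the
QR code has already been decoded to a URL string. LEGIT_SIGNIN_HOSTS is an
illustrative assumption, not an authoritative list of Microsoft hosts.
"""
from __future__ import annotations

from urllib.parse import parse_qs, unquote, urlsplit

# Assumed allowlist: hosts where a genuine Microsoft sign-in legitimately lands.
LEGIT_SIGNIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}

# Brand strings an attacker is likely to plant in a look-alike hostname.
IMPERSONATED_BRANDS = ("microsoft", "office", "outlook", "m365", "sharepoint")


def triage_qr_url(url: str) -> list[str]:
    """Return the red flags found in the URL; an empty list means none fired."""
    flags: list[str] = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme not in ("http", "https"):
        flags.append(f"unexpected scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        flags.append("plain http: credentials would travel unencrypted")

    # "https://login.microsoftonline.com@evil.example/" really goes to evil.example;
    # on a phone screen only the part before the @ tends to be visible.
    if parts.username:
        flags.append(f"userinfo {parts.username!r} before the host is not the destination")

    if not host:
        flags.append("no hostname")
    elif host.replace(".", "").isdigit():
        flags.append("raw IP address instead of a hostname")
    elif host in LEGIT_SIGNIN_HOSTS:
        pass  # exact match with a known sign-in host
    elif any(brand in host for brand in IMPERSONATED_BRANDS):
        flags.append(f"look-alike host {host!r} uses a Microsoft brand name but is not a known sign-in host")
    else:
        flags.append(f"host {host!r} is not a known Microsoft sign-in host")

    # Even a genuine host can be abused as a redirector: look for a nested URL
    # in any query parameter (parse_qs already percent-decodes the values).
    for key, values in parse_qs(parts.query).items():
        for value in values:
            if unquote(value).lower().startswith(("http://", "https://")):
                flags.append(f"query parameter {key!r} carries another URL (redirect)")
    return flags


if __name__ == "__main__":
    # Constructed sample destinations, not decoded from real emails.
    samples = [
        "https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc",
        "https://login.microsoftonline.com@evil.example/",
        "http://microsoft-login-verify.example/account",
        "https://login.microsoftonline.com/?redirect_uri=https%3A%2F%2Fevil.example%2F",
        "https://203.0.113.7/login",
    ]
    for sample in samples:
        result = triage_qr_url(sample)
        print(f"{'CLEAN' if not result else 'FLAG ':5} {sample}")
        for flag in result:
            print(f"       - {flag}")
```

An empty list is the only “clean” result; anything else is a reason to report the email rather than sign in. The check is deliberately conservative: a URL on an exact known host with no nested redirect passes, everything that merely resembles Microsoft is flagged.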

According to Chan, one key training point for quishing or any phishing attack is to be suspicious of urgent requests. “Any kind of urgency is usually a red flag,” states Chan, who also notes that about 50% of random impersonation attacks falsely claim to come from Microsoft. “Your financial institution generally won’t use any of those types of measures to get you to enter information.”


Another preventive step has been to brand logins, that is, to put the company logo on the login page. Unfortunately, cybercriminals have learned to recreate logos and build bogus login pages that resemble a company’s own page on an employee’s mobile phone, so branding alone no longer proves a page is genuine. This give-and-take with threat actors is a key reason business operators must stay on top of cybercrime trends. “Usually, the thing that people need to pay attention to, like with these QR codes, is whether they have ever received an email from anybody in the IT department or anyone that had a QR code that they needed to act on,” Blair says. “Most people haven’t.”

Tip 3: Monitor the market

Paying attention to new security features, whether a new software product or an enhancement to an existing solution, is another must-do. One thing a small business operator can implement in either Google or Microsoft accounts is a security key, a physical device that Blair describes as a “phish-resistant” type of MFA. Users set a PIN on the key and register it with their Google or Microsoft account. At sign-in, in addition to the account password, the user must have the key itself, enter its PIN, and physically touch it. What makes it phish-resistant is that the key’s response is cryptographically bound to the genuine site’s domain, so a response produced on a look-alike login page cannot be replayed against the real one.

“I would expect that probably over the next two years, everybody will be using that method for MFA because it’s a physical device that you have in your premise, and there’s a passcode to that physical device,” Blair explains.
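The “phish-resistant” property Blair describes comes from the way a WebAuthn assertion is bound to the site that requested it. As an added example, not code from the article, Google or Microsoft, the Python below shows the relying-party side of that check with constructed messages: the browser, not the page, records the origin in clientDataJSON, and the key hashes the RP ID into authenticatorData, so an assertion produced on a look-alike domain fails both comparisons. The origin and RP ID names are assumptions, and the signature over the assertion is not verified here (that needs the registered public key and a crypto library), so this is the binding check only, not a complete verifier.

```python
"""Relying-party check of a WebAuthn assertion's origin and RP ID binding,
the property that makes a FIDO2 security key "phish-resistant".

Added example; not code from the article, Google or Microsoft. EXPECTED_ORIGIN
and EXPECTED_RP_ID are assumed names. Messages are constructed here, not
captured from a browser. The signature over authenticatorData and the hash of
clientDataJSON is NOT verified (that needs the registered public key and a
crypto library), so this is the binding check only, not a complete verifier.
"""
from __future__ import annotations

import base64
import hashlib
import json

EXPECTED_ORIGIN = "https://login.example.com"  # assumed web origin of the real login page
EXPECTED_RP_ID = "login.example.com"           # assumed RP ID the key was registered under

FLAG_USER_PRESENT = 0x01  # authenticatorData flags bit: the user touched the key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Simulate what the browser returns after the key is touched.

    In a real ceremony the browser writes the page's actual origin into
    clientDataJSON and the key hashes the RP ID into authenticatorData; neither
    value is under the control of the page the user is looking at.
    """
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    # authenticatorData = SHA-256(rpId) | flags (1 byte) | signature counter (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([FLAG_USER_PRESENT]) + (1).to_bytes(4, "big")
    return {"clientDataJSON": json.dumps(client_data).encode(), "authenticatorData": auth_data}


def verify_assertion_binding(assertion: dict, expected_challenge: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Accept only an assertion made for OUR origin and RP ID."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {client.get('origin')!r} is not {EXPECTED_ORIGIN!r}: assertion was made on another site"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not auth_data[32] & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    return True, "bound to our origin and RP ID"


if __name__ == "__main__":
    challenge = b"\x01" * 32  # constructed; a real RP draws this at random per login
    genuine = make_assertion("https://login.example.com", "login.example.com", challenge)
    # A quishing page on a look-alike domain: the browser records THAT origin, not ours.
    phished = make_assertion("https://login-example.com", "login-example.com", challenge)
    print("genuine :", verify_assertion_binding(genuine, challenge))
    print("phished :", verify_assertion_binding(phished, challenge))
```

Contrast this with a one-time code typed into a page: the code carries no notion of which site asked for it, so a proxy sitting on the look-alike domain can forward it to the real site unchanged. The security key’s answer names the site, and the real site refuses anything not made for itself.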

Your MSP also plays a key role by applying security patches and updates and by using remote monitoring and management (RMM) tools. Those tools have at times been compromised or abused by bad actors, precisely because they hold privileged access to every endpoint they manage, but they remain the practical way to keep everything up to date. Security patches themselves are something most computer users already see regularly.

For particularly sensitive data, encryption is another tool that helps, both while data is stored and while it is transferred back and forth. “On a machine, it’s encrypted at rest on the hard drive with something called BitLocker, and implementing that is a good exercise, especially on laptops where they’re mobile,” Streicher explains. “A laptop could be stolen, and that encryption means that anybody who gets that device has special keys to unencrypt the data on the drive so they can’t easily see it and take advantage of the data.

“Now, with encryption in motion or in transport, people are sending lots of information and emails,” he adds. “When I send an email from myself to you without any kind of encryption in place — and normally there is not encryption in place — that email can be read by the bits and bytes of what’s being transferred over the data network. So, a bad actor could be a man in the middle, look at the data on the network, and read exactly what I sent to you.”

Tip 4: Fortify forensics

While this isn’t a preventive step, it can help determine how a cyberattack occurred. According to Blair, Microsoft has announced that it will offer wider access to security logs for users. That logging data is used to detect compromise and to spot risky sign-in behavior.

“The example of that would be Microsoft blocking logins that are obviously fraud,” Blair explains, “and it could be somebody trying to log into somebody’s account. So, maybe the person lives and works in Wisconsin, and they logged into their account from Wisconsin. Maybe they’re traveling on an airplane and they logged into their account from Chicago or New York, but then if they get a login to their account from overseas, they’re blocking those overseas logins.”
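The pattern Blair describes, a normal Wisconsin-to-Chicago hop versus an overseas sign-in minutes later, is the “impossible travel” rule that risky sign-in detection applies to a tenant’s logs. As an added example, not the article’s or Microsoft’s code, here is that rule in Python over constructed sign-in records; the country and coordinate fields stand in for the geo-enrichment real sign-in logs carry, and the allowed-country set, speed ceiling and minimum distance are assumptions to tune per organization.

```python
"""Risky sign-in detection over sign-in log records: logins from unexpected
countries and "impossible travel" between consecutive sign-ins by one user.

Added example; not the article's or Microsoft's code. SAMPLE_SIGNINS is
constructed; its country/lat/lon fields stand in for the geo-enrichment real
sign-in logs carry. ALLOWED_COUNTRIES, MAX_PLAUSIBLE_SPEED_KMH and
MIN_TRAVEL_KM are assumptions to tune per organization.
"""
from __future__ import annotations

import math
from datetime import datetime, timezone

ALLOWED_COUNTRIES = {"US"}        # assumed: no staff or travel outside the U.S.
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumed: roughly airliner speed; faster is impossible
MIN_TRAVEL_KM = 100.0             # assumed: ignore geo-IP jitter within one metro area

# Constructed records. Madison -> Chicago over an afternoon is plausible;
# Chicago -> Lagos twenty minutes later is not.
SAMPLE_SIGNINS = [
    {"user": "alice", "time": "2024-03-04T13:00:00Z", "ip": "198.51.100.10", "country": "US", "lat": 43.07, "lon": -89.40},
    {"user": "alice", "time": "2024-03-04T16:30:00Z", "ip": "198.51.100.77", "country": "US", "lat": 41.88, "lon": -87.63},
    {"user": "alice", "time": "2024-03-04T16:50:00Z", "ip": "203.0.113.5",   "country": "NG", "lat": 6.52,  "lon": 3.38},
    {"user": "bob",   "time": "2024-03-04T09:00:00Z", "ip": "198.51.100.20", "country": "US", "lat": 43.07, "lon": -89.40},
    {"user": "bob",   "time": "2024-03-04T09:05:00Z", "ip": "198.51.100.21", "country": "US", "lat": 43.07, "lon": -89.40},
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_risky_signins(records: list[dict]) -> list[dict]:
    """Return one alert dict per rule hit, in (user, time) order."""
    alerts: list[dict] = []
    last_seen: dict[str, dict] = {}
    for rec in sorted(records, key=lambda r: (r["user"], parse_time(r["time"]))):
        if rec["country"] not in ALLOWED_COUNTRIES:
            alerts.append({"user": rec["user"], "time": rec["time"], "ip": rec["ip"],
                           "rule": "unexpected_country", "detail": rec["country"]})
        prev = last_seen.get(rec["user"])
        if prev is not None:
            hours = (parse_time(rec["time"]) - parse_time(prev["time"])).total_seconds() / 3600.0
            km = haversine_km(prev["lat"], prev["lon"], rec["lat"], rec["lon"])
            # Same instant at two distant places, or a speed no airliner reaches.
            if km >= MIN_TRAVEL_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH):
                alerts.append({"user": rec["user"], "time": rec["time"], "ip": rec["ip"],
                               "rule": "impossible_travel",
                               "detail": f"{km:.0f} km from {prev['ip']} in {hours * 60:.0f} min"})
        last_seen[rec["user"]] = rec
    return alerts


if __name__ == "__main__":
    for alert in find_risky_signins(SAMPLE_SIGNINS):
        print(f"{alert['time']} {alert['user']:6} {alert['ip']:14} {alert['rule']:18} {alert['detail']}")
```

In the constructed data, alice’s Madison-to-Chicago sign-in passes (about 200 km over three and a half hours), while the Lagos sign-in trips both rules. A tenant with overseas staff would widen ALLOWED_COUNTRIES rather than drop the rule; the impossible-travel check needs no such tuning because it compares each user only with that user’s own previous sign-in.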

Another technology still in the early stages of deployment at many small businesses is endpoint detection and response (EDR), often delivered by a provider as managed detection and response (MDR). In the Microsoft cloud, there are logs that tell you what email you’ve opened, deleted, or forwarded, and what files you’ve edited. “People have those logs in the cloud, but they don’t have those logs on their network, and so a lot of small businesses don’t have a logging of what’s happening on a user’s computer,” Blair says. “This new technology, while it doesn’t prevent an attack, it tells you exactly what happened if there was an attack. It basically leaves bread crumbs for an investigator to know exactly what happened.”

Chan notes the biggest motivation of cybercriminals is account takeover of people in the C-suite, and that should inform the protective layers that are deployed. “We’ve seen organizations where that’s happened here in town, where they [hackers] infiltrate an organization through the account-takeover process,” he notes. “Sometimes that account takeover can touch other aspects of the business in terms of their financial systems, especially if they’re receiving anything through the different payment systems.”

Tip 5: Understand the implications

The driver for endpoint detection is cyber insurance. Insurance companies that have to pay a claim will want to know exactly what happened, but most businesses don’t have this kind of logging. A data breach carries more than the cost of downtime, forensic investigation, and reputational damage: the rising cost of insurance, including cyber insurance coverage, is a risk for companies that leave themselves vulnerable, because underwriters factor in the extent to which a company has taken preventive steps.

Such steps include no longer syncing to personal devices, or restricting business communication to browsers built for business, such as Google Chrome Enterprise or Microsoft Edge for Business. “With that, you can make sure that business data isn’t being synced to somebody’s personal computer,” says Blair, noting that such a breach actually occurred at a large security company. “What happened in that breach is that somebody’s browser was syncing to a personal device and the personal device was compromised, and that allowed bad actors to get access to a user account. Businesses aren’t thinking about that.”

Streicher explains how such a claims process works. “You need to lock down the systems,” he notes. “The company initially calls their insurance company and their lawyer, and their insurance companies say, ‘Well, we’ve got to figure out what happened here, so you’ve got to lock down the system.’ There needs to be some forensic investigation to determine what happened, and then you need to restore that system even though it’s difficult because sometimes it gets caught up in the need to continue the forensics work.”

What’s happening is that the insurance companies are trying to figure out who needs to pay, Streicher adds. “Is it them or another company’s insurance carrier that needs to pay the legal costs involved? Ultimately, there could be a case against somebody.”

Under no circumstances should businesses host their own email. That’s rare, but it does happen, and when it does, it’s difficult to obtain cyber insurance. “Another red flag we look at is changes to rules or suspicious activity that’s happening on the mail server,” Chan notes. “Most organizations don’t do their own email, which is a good thing. It’s very difficult to get cyber insurance if you host your own email.”

Better safe than sorry

A few years ago, when technology vendors began to implement MFA for businesses, a number of business operators did not believe it was necessary and some still don’t. Yet preventing security breaches in your network is a necessary business expense for most organizations, and failure to do so can become a pay-me-now or pay-me-more-later proposition.

“You need to make sure that you have good logs from all the systems and that there’s some analysis of those logs for bad behavior,” Streicher notes. “There are tools and that gets a little expensive, and hiring the MSSP can get expensive. A lot of companies just defer on the cost, but for some it’s essential. It depends on the risk to your business.”
