In the wake of increased activities of cyber criminals and phishers, Cisco has come up with a predictive intelligence report explaining why internet users should be careful when granting authorization online.
The predictive intelligence tips released by Cisco’s umbrella for IT companies and individuals are targeted at giving internet users the ability to identify and avoid cyber attacks, even before they are spotted by security companies.
The role of predictive intelligence in the fight against cyber attacks – https://t.co/tnwamAtEXf
— Cisco Umbrella (@CiscoUmbrella) June 4, 2020
An example given in the white paper was a phishing attack in May 2017, which compromised over a million Gmail accounts in a short while. The attack started off with an email invitation from a known contact asking for collaboration on a Google doc.
As soon as the user clicked the “Open in Docs” link, he would be directed to an OAuth page asking the target to authorize the app.
Of course, this is a fake app spoofing Google Docs, but as soon as authorization is given, it has access to all email exchanges and contacts email addresses of the target. It uses the email addresses to spread its tentacles by sending similar messages to them in the user’s name. At this stage, the phisher also has access to the email inbox and can monitor email exchanges of the victim.
“IT security has historically focused on identifying attack artifacts such as malicious payloads after an attack is fully launched — and then attempting to defend against those specifically identified attacks.
“The first step in any type of attack, however, is to create attack infrastructure from which to launch that attack,” it says.
Just the way IT developers test a new service before launching it, attackers code a malicious payload, stage the server infrastructure on the internet, register domain names, and then test it on a few random targets. The success or otherwise will either send them back to the drawing board to re-strategise, or take them straight to the launch stage, where they mass-target.
Another key thing is that they often reuse the attack infrastructure used in previous cyber attacks, due to the time and cost involved in setting up another.
Sadly, they are often not easy to identify, and even IT companies sometimes fall prey.
“One particular difficulty with present-day attacks is that there’s often nothing noticeably anomalous about the actual payloads moving between the attacker and the target. So attack infrastructure can’t always be quickly or accurately identified simply by tracing the origin of malicious payloads,” it reads.