In a rare move, the US Financial Industry Regulatory Authority (FINRA) issued a cybersecurity alert earlier this year warning member organizations of “a widespread, ongoing phishing campaign” targeting the financial industry. In the alert, FINRA noted the phishing emails were sent using the domain of “@broker-finra.org,” and made to look like they were sent by Bill Wollman and Josh Drobnyk, two of the organization’s vice presidents. FINRA said the phishing emails included an attached PDF file that contained a link redirecting users to a website prompting members to enter their login credentials.
That last piece is key here – the website (aka fake login page) prompting members to enter their credentials is indicative of a larger trend used by cyberattackers to break through email security defenses.
These pages closely mirror legitimate websites, reproducing logos, formatting and overall page templates so faithfully that they range from difficult to impossible to distinguish from the real thing. That also makes them highly effective at their end goal: credential theft.
But just how widespread of a problem are fake login pages? And how at risk is the financial industry as a whole?
Fake Login Pages Bypass Email Security Tools
While fake login pages aren’t new, they are increasingly successful for two main reasons. First, messages containing fake logins can now regularly bypass technical controls, such as secure email gateways (SEGs) and spam filters, without much time, money or resources invested by the adversary.
The second reason can be explained by the psychological phenomenon known as inattentional blindness, which occurs when an individual fails to perceive an unexpected change in plain sight.
To further underscore the severity of today’s hacking and phishing challenges, researchers at IRONSCALES spent the first six months of 2020 identifying and analyzing fake login pages. Here’s a summary of what was found:
- More than 50,000 fake login pages were identified
- More than 200 of the world’s most prominent brands were spoofed with fake login pages
- The most common recipients of fake login page emails work in the financial services industry, with PayPal among the top five brands spoofed.
The top spoofed brands include PayPal, Microsoft and eBay. And although PayPal sits atop the list, the greatest risk may derive from the 9,500 Microsoft spoofs, as malicious Office 365, SharePoint and OneDrive login pages put not just people but entire businesses at risk. Further, the FINRA warning cited above was a direct attack aimed at getting users to enter their Microsoft Office or SharePoint password.
In addition to the brands above, several financial services companies also made the list of top fake login pages, including Bank of America, Coinbase, JP Morgan Chase, Stripe, Squarespace, Visa and Wells Fargo, among others.
The Best Way for Financial Services Companies to Stop Fake Login URLs from Reaching Inboxes
Traditional email security tools focus on what is in the email, whether a malicious link or attachment, and they generally do a decent job at preventing those types of messages from getting through to intended victims. Because these defenses are generally stalwart, hackers have had to adapt and change their tactics, using social engineering attacks, which often contain no malicious content that these security systems are built to detect.
Instead, these emails are designed to look like they come from someone or something (like a brand) that you know. Other common variations of these attacks impersonate someone else the recipient knows – a colleague, boss, friend or family member. Again, this is found in the FINRA warning earlier this year which spoofed two well-known figures in the organization.
To protect employees, a new technology is emerging to prevent these attacks – Natural Language Processing (NLP). It works like this: an email is sent and gets through the first stage of security because it has no link and no malicious content. But NLP will analyze the actual language of the email to look for suspicious patterns such as availability checks (“are you at your desk?”) or financial requests. Companies that rely on traditional indicators of compromise (IOCs), such as malicious links or attachments, will not identify these attacks in real time.
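To make the gap between IOC-based filtering and content analysis concrete, here is an added example (not IRONSCALES’ product or any vendor’s NLP engine) that scores a link-free email on the signals this article describes: a known executive’s display name arriving from an outside domain, a lookalike sender domain such as the “broker-finra.org” one in the FINRA alert, and lure language (availability checks, credential prompts, urgent payment requests). The organisation domain, executive directory, lure patterns and sample messages are all constructed for the illustration; the regex list stands in for a real language model.

```python
import re
from email.utils import parseaddr

# Constructed: the organisation's real domain and the executives an impersonator
# might borrow a display name from (the two names come from the FINRA alert).
ORG_DOMAIN = "finra.org"
KNOWN_EXECUTIVES = {"bill wollman", "josh drobnyk"}

# Constructed lure phrases: credential prompts, urgent payment asks, availability checks.
LURE_PATTERNS = [
    r"\b(verify|confirm|update|validate)\b.{0,40}\b(account|password|credentials|login)\b",
    r"\b(wire|transfer|payment|invoice)\b.{0,40}\b(urgent|immediately|today|asap)\b",
    r"\b(are you|r u)\s+(available|free|at your desk)\b",
]

def is_internal(domain: str) -> bool:
    """True for the organisation's own domain or one of its subdomains."""
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)

def lookalike_domain(domain: str) -> bool:
    """Flag an external domain that embeds the brand token (e.g. broker-finra.org)."""
    d = domain.lower()
    return not is_internal(d) and ORG_DOMAIN.split(".")[0] in d

def score_message(from_header: str, body: str) -> dict:
    """Return findings for one message plus a summed risk score; no URL or
    attachment is inspected, which is exactly what IOC-only tools would miss."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = {}
    if display.strip().lower() in KNOWN_EXECUTIVES and not is_internal(domain):
        findings["display_name_impersonation"] = True
    if lookalike_domain(domain):
        findings["lookalike_domain"] = domain
    hits = [p for p in LURE_PATTERNS if re.search(p, body, re.I | re.S)]
    if hits:
        findings["lure_language"] = len(hits)
    findings["score"] = (3 * ("display_name_impersonation" in findings)
                         + 2 * ("lookalike_domain" in findings)
                         + findings.get("lure_language", 0))
    return findings

# Constructed samples: a lure modelled on the FINRA alert, a genuine internal
# message, and routine vendor mail that should stay quiet.
SAMPLES = [
    ("Bill Wollman <bwollman@broker-finra.org>",
     "Please confirm your SharePoint login so the notice can be released. This is urgent."),
    ("Bill Wollman <bwollman@finra.org>", "Agenda for Thursday's meeting attached."),
    ("Vendor Billing <ap@vendor.example>", "Invoice 4471 attached; payment due in 30 days."),
]

if __name__ == "__main__":
    for frm, body in SAMPLES:
        print(frm, "->", score_message(frm, body))
```

A score of 6 on the first sample comes entirely from header and wording, so a gateway that only chases links or attachments would have passed it through.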
Fake login pages spread by social engineering tactics are a big risk for financial services companies. A recent report from IBM and the Ponemon Institute found that the average cost of a data breach in 2020 is $3.86 million, not to mention the reputational damage and lost customers as a result. While new technology is beginning to help defenders mitigate threats, there is a long way to go before the most commonly deployed email security and anti-phishing tools completely remediate the threat of fake login pages.