Thanks to AI and some creativity, phishing attacks evolve to bypass common defenses

If one truism applies to cybersecurity, it’s that attackers will keep evolving their tactics. This is especially so when it comes to phishing attacks. This year proved to be no exception, and Zscaler’s most recent Zscaler ThreatLabz Phishing Report highlights several crucial changes in phishing attack tools and techniques.

The Zscaler report identified two particularly stark trends. The first is an increase in phishing kits available on dark marketplaces. The second is the increased use of generative AI tools to rapidly help threat actors develop targeted phishing campaigns very cleverly. Researchers fear this “democratization” of phishing kits will result in more enterprise users clicking on malicious links leading to more stolen credentials, data breaches, and ransomware attacks.

“Our goal was to study all the campaigns we saw over 2022 and compare year-over-year changes,” explains Deepen Desai, global CISO and head of Zscaler security research. “How are the threat actors changing their tools, tactics, and procedures? Why are we seeing so many of these attacks becoming successful,” he asks.

Phishing remains one of the most critical risks to monitor because it’s often the initial starting point for cyberattacks and data breaches. “It starts with phishing whether it's ransomware, whether it's [an] infostealer, or whether it's a nation-state. [Threat actors] want to establish that initial foothold, " Desai explains.

There may be evidence that generative AI tools have already boosted the volume of phishing attacks, with a 47% increase in phishing volume this year compared to the previous report.  “Leveraging machine learning to conduct some of these attacks is increasing,” says Desai.

In terms of brands that these threat actors are leveraging in their attacks, Microsoft remains the top target.

AI is democratizing sophisticated attack techniques 

Desai explains how criminals engage in a sophisticated value chain comprised of specialists. For instance, the threat actors that use phishing attacks to gain access to endpoints are not necessarily the attackers who will use that access to commit additional cybercrimes. “Gangs will establish the initial foothold and then sell that access to the next level operators who will then leverage that access for their objective,” Desai says.

Speaking of adapting to environmental changes, enterprises moved substantially several years ago to multi-factor authentication. Well, attackers have subsequently evolved. Zscaler uncovered sophisticated adversary-in-the-middle attacks that help criminals to bypass more robust multifactor authentication measures. In adversary-in-the-middle attacks, the criminals essentially place themselves within the authentication process and capture the one-time passwords or tokens to access the targeted application or service.

While attackers may be using AI in new ways and increasing the use of attack techniques that place them directly within the authentication process to breach their victims successfully, some things don’t change. One area that’s a constant in phishing attacks is social engineering techniques.

The Zscaler report found attackers turning to more SMS-themed and voicemail-themed phishing campaigns. These are known as smishing and vishing attacks, respectively. To get staff to click on the enclosed links, attackers will employ an exact voice recording of an executive at the business, such as the CEO, requesting the employee take some action that, unbeknown to the employee, furthers the goals of the attacker. “That's how they have been successful in many cases,” says Desai.

By George V. Hulme