
Threat actors have been using phishing as an attack vector for nearly 30 years, and they’ll continue to use it until it isn’t effective anymore. A reason for its success is that phishing takes advantage of the weakest link in any organization’s cybersecurity system — human behavior.

“Phishing is largely the same whether in the cloud or on-prem[ise], in that it’s exploiting human behavior more than it’s exploiting technology,” said Emily Phelps, director at Cyware.

Phishing for data in the cloud

Phishing attacks do the same type of damage whether they’re after information stored on premise or in the cloud, Phelps explained. The majority of phishing attacks are designed to steal credentials, which then give threat actors the ability to move freely and undetected in an organization’s infrastructure.

However, successful phishing attacks in the cloud could be complicated by the fact that environmental ownership is more complex.

“If you fall victim to a phishing attack on-prem, your security team and IT department own the ecosystem,” said Phelps. “If your AWS or Azure accounts get compromised via phishing attack, the environments are managed by your folks but are owned by Amazon and Microsoft, respectively.”


Cloud becomes phishing favorite playing field

With more applications moving to cloud computing, it’s not surprising that threat actors see the cloud as a fertile playing field for attacks. A report by Palo Alto Networks Unit 42 found that “… from June 2021-June 2022, the rate of newly detected phishing URLs hosted on legitimate SaaS platforms has increased over 1100%.”

According to the research, visitors to a legitimate web page are prompted to click on a link that directs them to a credential-stealing website. By using the legitimate page as its primary phishing site, “… the attacker can simply change the link and point to a new credential-stealing page, preserving the effectiveness of the original campaign,” according to the report.

Using cloud applications to launch phishing attacks is growing in popularity because they can bypass typical security systems and it’s easier to lure unsuspecting users to click on a malicious link via email. SaaS platforms are just the beginning of the use of cloud computing for phishing. Cloud applications like video conferencing and workforce messaging sites are also being increasingly used to initiate attacks.


Implementing phishing-resistant MFA

One of the best defenses against credential-stealing phishing attacks is multi-factor authentication (MFA), which combines several security factors: something you know (e.g., a password), something you have (e.g., a phone or email account that receives a code) and/or something you are (e.g., a fingerprint). By requiring a secondary code-receiving device or a biometric check for authentication, MFA makes it harder for credential thieves to get past those security factors.

If someone clicks a malicious link and credentials are stolen, MFA offers another point of verification that the threat actor cannot access, whether it’s SMS, email verification or via authenticator app. Phelps recommends authenticator apps.

However, because MFA is an effective tool against credential theft, threat actors have stepped up their game to compromise MFA credentials. And yes, they’ll use phishing as one of their methods to gain those credentials, as the Cybersecurity and Infrastructure Security Agency warned:

“[I]n a widely used phishing technique, a threat actor sends an email to a target that convinces the user to visit a threat actor-controlled website that mimics a company’s legitimate login portal. The user submits their username, password, as well as the 6-digit code from their mobile phone’s authenticator app.”

For this reason, CISA recommends using phishing-resistant MFA as a way to improve overall cloud security against phishing attacks. The most popular method of phishing-resistant MFA is Fast ID Online (FIDO)/WebAuthn authentication. According to CISA, this type of MFA works in one of two ways: through separate physical tokens that connect to the user’s device over USB or NFC, or through authenticators that are embedded into laptops or mobile devices.
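As an added example, not part of the article or of CISA’s guidance: a Python sketch of the relying-party check that makes FIDO/WebAuthn resistant to the relay described in the CISA quote, set beside a one-time code that carries no such binding. The domains, the HMAC stand-in for the authenticator’s signature and all names are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo values (assumptions, not from the article).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"
# Real WebAuthn uses a per-site public/private key pair; a shared HMAC key
# stands in here so the example runs without a crypto library.
AUTHENTICATOR_KEY = b"constructed-demo-key"

def totp_verify(submitted: str, current_code: str) -> bool:
    """A 6-digit code says nothing about where it was typed, so a code
    entered on a lookalike page verifies once it is forwarded to the real site."""
    return hmac.compare_digest(submitted, current_code)

def authenticator_assert(origin: str, challenge: bytes) -> dict:
    """Simulated browser + authenticator. The browser, not the user, fills in
    the origin it is actually on and derives the RP ID from it; the
    authenticator signs authenticatorData || SHA-256(clientDataJSON)."""
    rp_id = origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash field
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(AUTHENTICATOR_KEY, signed, "sha256").digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": sig}

def rp_verify(assertion: dict, expected_challenge: bytes) -> bool:
    """Relying-party side: the checks WebAuthn requires before accepting."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge.hex():   # fresh challenge
        return False
    if cd.get("origin") != EXPECTED_ORIGIN:               # origin binding
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                                      # rpIdHash binding
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, signed, "sha256").digest()
    return hmac.compare_digest(expected, assertion["signature"])

def demo() -> dict:
    """Same challenge answered on the real origin and on a lookalike origin."""
    challenge = secrets.token_bytes(32)
    real = rp_verify(authenticator_assert(EXPECTED_ORIGIN, challenge), challenge)
    relayed = rp_verify(authenticator_assert("https://login-example.com", challenge), challenge)
    return {"code_relayed_accepted": totp_verify("123456", "123456"),
            "webauthn_real": real, "webauthn_relayed": relayed}
```

In a real deployment the authenticator would not even hold a credential scoped to the lookalike domain, so the assertion is never produced; the origin and rpIdHash checks are the second line of defense.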

A less common method of phishing-resistant MFA is PKI-based authentication, which relies on smart cards with an embedded security chip that are tied to both the organization and the individual user. Government entities use this method because it’s highly secure, but it also requires mature security and identity management systems to already be in place.

Any type of MFA will help protect data in the cloud from a phishing attack, but it’s clear that having only the popular code-sharing factor is no longer enough. Threat actors have already figured out ways to trick users into sharing those codes, and the protection depends on users enabling MFA on all of their accounts (another way human behavior kicks in). Turning to phishing-resistant MFA and adding more than two layers of authentication offers the highest levels of security against the most popular type of cyberattack.
