Phishing prevention that relies primarily on awareness training is doomed to fail. That is the implication of recent research from Ruhr University Bochum and Münster University of Applied Sciences.
A team of researchers found several vulnerabilities in how email clients handle the two standards used to digitally sign and verify email, OpenPGP and S/MIME. The flaws let an attacker present a spoofed signature as valid in over a dozen popular email clients, including Microsoft Outlook and Apple Mail.
Email spoofing is a technique for misleading recipients about where an email came from, and it is one of the main techniques phishers rely on. In theory, awareness training can counter it if users are taught to inspect the sender address carefully. The trouble is that a From header is trivial to forge, which is exactly why digital signatures exist: they are supposed to be the one indicator a careful user can trust. This research shows that even that indicator can be faked.
According to an article on Hacker News, “When you send a digitally signed email, it offers end-to-end authenticity and integrity of messages, ensuring recipients that the email has actually come from you. However, researchers tested 25 widely-used email clients and found that at least 14 of them were vulnerable to multiple types of practical attacks, making spoofed signatures indistinguishable from a valid one even by an attentive user.”
To make matters worse, “researchers also found that some email signature spoofing attacks can also be used to spoof decryption results, causing the email client to indicate an encrypted message where in fact the plaintext was transmitted in the clear.” So these attacks do not just undermine the authenticity and integrity checks; they can also make a message that was sent in the clear appear to have been encrypted.
“Our attacker model does not include any form of social engineering. The user opens and reads received emails as always, so awareness training does not help to mitigate the attacks,” the researchers said.
The one constant in phishing is the attackers’ ability to keep finding and exploiting some technological weakness in email. These recently discovered vulnerabilities will no doubt be patched eventually; it is equally certain that attackers will find another weakness to exploit. That is simply how it goes, because there is too much to be gained from a successful phishing attack.
Awareness training is good, but on its own it will never be a match for advanced phishing attacks. Technological exploits have to be countered with technology: patches for the vulnerable clients, and, for the malicious link a spoofed message is trying to get the user to click, real-time link click protection.
Even when attackers execute a perfect phishing attack, one that gets a lot of people to click a malicious link, real-time link click protection can still save the day. Because each link is checked at the moment it is clicked, every time it is clicked, a link that was clean when the message was delivered but has since turned malicious is still caught.
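To make the click-time mechanism concrete, here is an added illustration in Python. It is not code from the original page or from any vendor’s product, and the gateway host, the HMAC key and the sample message are assumptions constructed for the example. At delivery each link is rewritten to point at a gateway that carries the original URL; at click time the gateway re-evaluates that URL against the blocklist as it stands now rather than as it stood when the mail arrived. The HMAC tag is there because a rewriting gateway without one becomes an open redirector that attackers can use to wrap their own URLs in your trusted domain.

```python
"""Click-time link protection in miniature.

Added illustration (not the original page's or any vendor's code). At
delivery, each http(s) link in the message body is rewritten to point at a
gateway that carries the original URL plus an HMAC tag. At click time the
gateway checks the tag and re-evaluates the original URL against the
blocklist as it is *now*, so a link that was clean at delivery but was
weaponised later is still caught. Gateway host and key are assumptions.
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

GATEWAY = "https://links.example.invalid/click"  # assumed gateway endpoint
SECRET = b"demo-key-change-me"                   # assumed per-tenant HMAC key

HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)


def _sign(url: str) -> str:
    """Short HMAC tag so the gateway cannot be used as an open redirector:
    only links we rewrote at delivery will verify at click time."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()[:16]


def rewrite_link(url: str) -> str:
    """Delivery time: wrap one original URL in a gateway link."""
    token = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    return f"{GATEWAY}?t={token}.{_sign(url)}"


def rewrite_body(html: str) -> str:
    """Delivery time: rewrite every http(s) href in an HTML body."""
    return HREF_RE.sub(lambda m: f'href="{rewrite_link(m.group(1))}"', html)


def _unwrap(gateway_url: str) -> tuple[str, str]:
    """Split a gateway link back into (original_url, tag)."""
    token, sig = parse_qs(urlsplit(gateway_url).query)["t"][0].rsplit(".", 1)
    pad = "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(token + pad).decode(), sig


def resolve_click(gateway_url: str, blocklist: set[str]) -> tuple[str, str]:
    """Click time: verify the wrapper, then judge the original URL against
    the *current* blocklist. Returns (verdict, original_url)."""
    original, sig = _unwrap(gateway_url)
    if not hmac.compare_digest(_sign(original), sig):
        return "tampered", original      # not a link we issued; refuse to redirect
    host = (urlsplit(original).hostname or "").lower()
    if any(host == bad or host.endswith("." + bad) for bad in blocklist):
        return "blocked", original       # show a block page instead of redirecting
    return "allowed", original           # safe to redirect


def demo() -> list[str]:
    """Constructed scenario: the phishing domain is not yet listed when the
    mail is delivered, gets listed later, and the user clicks after that."""
    body = '<p>Your mailbox is full. <a href="https://evil.example/reset">Fix it</a></p>'
    wrapped = HREF_RE.search(rewrite_body(body)).group(1)
    at_delivery = resolve_click(wrapped, set())          # blocklist empty at delivery
    blocklist_now = {"evil.example"}                     # feed updated after delivery
    at_click = resolve_click(wrapped, blocklist_now)     # caught at click time
    token = wrapped.split("?t=")[1].rsplit(".", 1)[0]
    forged = f"{GATEWAY}?t={token}.0000000000000000"     # attacker-built gateway link
    return [at_delivery[0], at_click[0], resolve_click(forged, blocklist_now)[0]]


if __name__ == "__main__":
    print(demo())  # ['allowed', 'blocked', 'tampered']
```

The same link yields "allowed" against the delivery-time blocklist and "blocked" against the click-time one, which is the whole point of checking at click rather than at delivery; the forged gateway link is rejected before any redirect happens.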
It is time to stop believing that awareness training alone can protect you from phishing. If you want to quickly, easily and affordably use the latest phishing prevention technology to combat advanced exploits.