Part III: What is at stake?
Based on the information presented so far, it is apparent that some of the risks of being caught in a phish follow directly from the goals and tactics described in the earlier sections. However, significantly more is at stake than appears at first glance.
1. User Credentials:
According to LastPass’s annual security report on password management, the average employee manages between 54 and 97 passwords in their business password manager [4]. Furthermore, within the dataset collected, users—on average—reused between 9 and 22 passwords depending on the industry [4]. Equipped with this information, attackers looking to harvest passwords have a relatively substantial chance of not only capturing a user’s password but also capturing a password that is reused for another software, program, website, or application. This is also why—according to the DBIR—stolen credentials are the second-highest threat activity taken during a breach, behind phishing [1].
Given the number of passwords a user maintains and the common practice of reusing passwords, a single lost password can lead to loss of confidentiality of business systems, personal systems, and application security, especially if a work account password is reused for personal banking or other personal business.
Collecting user credentials also gives attackers insight into the psychology of password creation and helps them hone their password cracking toolsets and wordlists to be more successful at cracking password hashes or guessing user passwords in the future.
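The reuse risk described above can be measured rather than assumed. The following Python script is an added example (not code from the paper or from LastPass) that takes a password-manager export, hashes each password, groups the hashes to find passwords shared across sites, and checks them against a breached-password corpus indexed by 5-character SHA-1 prefix, the same k-anonymity layout used by range-lookup services. The vault contents, the sites and the "leaked" corpus are all constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample password-manager export (fictitious sites and passwords, not real data).
# Each entry: (site, username, password).
SAMPLE_VAULT = [
    ("mail.example.com", "alice", "Spring2022!"),
    ("crm.example.com", "alice", "Spring2022!"),
    ("bank.example.net", "alice", "Spring2022!"),
    ("wiki.example.com", "alice", "correct horse battery staple"),
    ("vpn.example.com", "alice", "x7#Qp9!vLm2@Rz"),
]

# Constructed stand-in for a breached-password corpus: password -> times seen in breaches.
LEAKED_PASSWORDS = {"Spring2022!": 1200, "password": 9000000}


def sha1_upper(password: str) -> str:
    """Upper-case SHA-1 hex digest, the form k-anonymity range lookups work with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def find_reused_passwords(vault):
    """Group entries by password hash; return {hash: [sites]} for any hash used on 2+ sites.

    Hashing first means the report never holds plaintext passwords side by side.
    """
    by_hash = defaultdict(list)
    for site, _user, password in vault:
        by_hash[sha1_upper(password)].append(site)
    return {h: sites for h, sites in by_hash.items() if len(sites) > 1}


def build_breach_corpus(leaked):
    """Index a leaked-password set the way a range service does: 5-hex prefix -> {35-hex suffix: count}."""
    corpus = defaultdict(dict)
    for pw, count in leaked.items():
        h = sha1_upper(pw)
        corpus[h[:5]][h[5:]] = count
    return corpus


BREACH_CORPUS = build_breach_corpus(LEAKED_PASSWORDS)


def breached_entries(vault, corpus=BREACH_CORPUS):
    """Return [(site, times_seen)] for entries whose hash is in the corpus.

    Only the 5-character prefix selects the bucket; the full hash is compared locally,
    which is what keeps a real range query from revealing the password being checked.
    """
    hits = []
    for site, _user, password in vault:
        h = sha1_upper(password)
        count = corpus.get(h[:5], {}).get(h[5:])
        if count:
            hits.append((site, count))
    return hits


def risk_report(vault):
    """Summarise how much a single harvested password could expose."""
    reused = find_reused_passwords(vault)
    breached = breached_entries(vault)
    return {
        "reused_groups": len(reused),
        "sites_sharing_a_password": sum(len(s) for s in reused.values()),
        "breached_entries": len(breached),
    }


if __name__ == "__main__":
    for h, sites in find_reused_passwords(SAMPLE_VAULT).items():
        print(f"password hash {h[:10]}... reused on: {', '.join(sites)}")
    for site, count in breached_entries(SAMPLE_VAULT):
        print(f"{site}: password seen {count} times in breach data")
    print(risk_report(SAMPLE_VAULT))
```

On the sample vault the report shows one password shared by three sites, including the banking site, which is precisely the cross-system loss of confidentiality the section warns about: one phished mail password opens all three. In production the corpus lookup would be replaced by a range query that sends only the prefix, and the script would run against an export the user controls, never against a central plaintext store.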
2. Authenticated Sessions:
As alluded to in the previous section, certain attack methodologies allow attackers to capture a user’s username and password combination and then capture the authenticated session after the MFA prompt has been successfully satisfied [5]. This allows attackers to bypass additional security measures put in place to keep them out.
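From the defender’s side, a replayed session is visible in two ways: in the logs, where the same session identifier suddenly arrives from a different address and client, and at the server, which can refuse a cookie presented by a client other than the one it was issued to. The following Python is an added example (not the paper’s own material) showing both: a detector run over constructed log lines in a made-up key=value format, and a session-binding check that assumes the server stored a client fingerprint at login. The log format, users, session ids and addresses are all constructed.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta

# Constructed sample authentication/proxy log lines (fictitious users, session ids and addresses).
SAMPLE_LOG = """\
2022-03-10T09:00:01Z event=login user=alice session=s1a2b3 ip=198.51.100.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/99"
2022-03-10T09:00:05Z event=request user=alice session=s1a2b3 ip=198.51.100.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/99"
2022-03-10T09:03:40Z event=request user=alice session=s1a2b3 ip=203.0.113.77 ua="python-requests/2.27"
2022-03-10T09:10:00Z event=login user=bob session=t9y8x7 ip=192.0.2.44 ua="Mozilla/5.0 (Macintosh) Safari/15"
2022-03-10T09:12:00Z event=request user=bob session=t9y8x7 ip=192.0.2.44 ua="Mozilla/5.0 (Macintosh) Safari/15"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) event=(?P<event>\S+) user=(?P<user>\S+) session=(?P<session>\S+) '
    r'ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse the constructed key=value format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def find_session_anomalies(events, window=timedelta(minutes=30)):
    """Flag a session id reused from a different source IP or user agent within `window`.

    A legitimate user rarely changes client software mid-session; a replayed cookie
    usually arrives from both a different address and a different client.
    """
    last_seen = {}  # session id -> (ts, ip, ua) of the most recent request
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        sid = e["session"]
        if sid in last_seen:
            ts0, ip0, ua0 = last_seen[sid]
            ip_changed = e["ip"] != ip0
            ua_changed = e["ua"] != ua0
            if (ip_changed or ua_changed) and e["ts"] - ts0 <= window:
                findings.append({
                    "session": sid,
                    "user": e["user"],
                    "ip_changed": ip_changed,
                    "ua_changed": ua_changed,
                    "seconds_since_previous": int((e["ts"] - ts0).total_seconds()),
                    "previous": (ip0, ua0),
                    "current": (e["ip"], e["ua"]),
                })
        last_seen[sid] = (e["ts"], e["ip"], e["ua"])
    return findings


def fingerprint(ip, ua):
    """Client fingerprint assumed to be stored alongside the session at login."""
    return hashlib.sha256(f"{ip}|{ua}".encode("utf-8")).hexdigest()


def session_is_valid(issued_fingerprint, ip, ua):
    """Mitigation: reject a session presented by a client that does not match the one it was issued to."""
    return hmac.compare_digest(issued_fingerprint, fingerprint(ip, ua))


if __name__ == "__main__":
    for f in find_session_anomalies(parse_log(SAMPLE_LOG)):
        print(f"ALERT user={f['user']} session={f['session']} "
              f"ip_changed={f['ip_changed']} ua_changed={f['ua_changed']} "
              f"{f['seconds_since_previous']}s after previous request")
```

Binding a session to the source IP produces false positives for users on mobile networks or behind changing NAT pools, so many deployments bind only to the user agent and treat an IP change as a detection signal for the SOC rather than a hard rejection; the two functions above are kept separate so that either policy can be applied.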
3. Additional Information Disclosure:
Although rare, an attacker may in some instances phish simply to gather additional information about a company. In other cases, after compromising accounts, an attacker may impersonate an inside user or a company vendor to gain additional information about the organization. While impersonating a user, the attacker may request information from employees about system security, model numbers of devices, and other details about the technology in use to help them maintain a foothold in the environment or escalate privileges. These are only a few examples of what attackers may do; once an attacker has gained the trust of another employee at the business, the options are limited only by the attacker’s imagination and ability to convince others to provide information.
With both company assets and the individual security and online hygiene of users at stake, the final section outlines some easy steps and protocols to implement to lower the risk associated with users in your environment.
Bromiley, M. (2019). Defend Your Business Against Phishing. SANS Institute. Retrieved March 10, 2022, from https://www.sans.org/media/vendor/defend-business-phishing-38745.pdf
Hylender, D. (2021). 2021 Data Breach Investigations Report. Verizon. Retrieved March 10, 2022, from https://verizon.com/dbir/
LastPass. (n.d.). The 3rd Annual Global Password Security Report. LastPass. Retrieved March 10, 2022, from https://lp-cdn.lastpass.com/lporcamedia/document-
Norton. (2018, January 18). Malware - What Are Malicious Websites? Norton. Retrieved March 10, 2022, from https://us.norton.com/internetsecurity-malware-what-are-malicious-websites.html