How Blockchain and Bots Are Turning Phishers Into the Hunted

The realities of today’s modern business organization dictate that the vast majority of business-critical information is accessed, shared and used by workers using some combination of mobile devices, cloud-based applications and a sweeping variety of messaging and email applications.

These convenient and necessary tools are vulnerable to all manner of nefarious shenanigans by would-be hackers and phishers looking to trick users into divulging personal information like passwords and banking information or intellectual property such as customer lists or product specifications.

They’re vulnerable because, sure, everything connected to the internet is potentially exploitable. But when we’re talking about these phishing scams – sophisticated and pedestrian alike – it’s human nature that’s often the real problem.

Think on this for a bit: according to the 2018 Verizon Data Breach Investigations Report, 78 percent of people don’t click on a single phishing campaign all year. However, on average, 4 percent of the targets of any given phishing attack will click on the tainted link. And, believe it or not, the report also finds that the more phishing emails someone has clicked on, the more likely they are to do so again.

The 11th edition of the annual Verizon DBIR identified more than 53,000 “real-world” incidents in the past year with over 2,200 confirmed data breaches in 65 different countries. Seventy-six percent of those breaches were financially motivated. Almost three-quarters of these attacks were orchestrated from outside the organization. We’re talking about the usual bad actors such as garden-variety, organized crime syndicates, nation- or state-affiliated groups or perhaps, as someone once said, some 400-pound person sitting on a bed.

These guys and gals want the smash-and-grab, low-hanging fruit like passwords, credit card numbers and bank account information for sure. That’s easy money and the bread and butter for most phishing operations.

But increasingly it’s a ransomware operation where the goal is to extort money by either threatening to share your private information or intellectual property (hello, Sony Pictures) or simply preventing you from using your own data for day-to-day business operations. Either scenario is a nightmare and although the FBI urges companies not to pay up, there are arguments to be made for just biting the bullet.

Keep in mind that phishing attacks represent 96 percent of all data breaches investigated and email – does your company ever use email? – is the main entry point 96 percent of the time. The FBI estimates between October 2013 and December 2016, more than 40,000 “business email compromise” incidents worldwide resulted in $5.3 billion in losses.

More troubling, the ways and means of the offending scam artists are becoming more complex and more “tempting” to even the savviest of users, thanks to the very technologies that we’re relying on more and more for better productivity and efficiency.

Artificial intelligence, bots and machine learning are saws that cut both ways.

And that’s the good news.

MetaCert, a software company that’s one of soon-to-be many security vendors, is carving out a niche to fight back with some of the latest technologies, including a blockchain protocol, to keep these phishers at bay.

It has compiled a massive (and constantly updated) database of web addresses – more than 10 billion URLs so far – that phishers like to use to ply their dark trade. It also has a database of known “safe” addresses used by companies that hackers like to spoof – banks, online retailers and payment services like PayPal. Its security software checks each link in an incoming email against both databases and creates an alert inside the email itself.

If an embedded link passes the database review, a small green shield appears in the email next to the now-vindicated link, suggesting it’s safe to proceed. Links from known phishing sites get an ominous red shield, and those that the software can’t be sure about are assigned a gray shield. The idea is to make someone opening and reading an email with embedded links at least think twice before tapping one.
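To make the three-shield logic concrete, here is an added example of a link classifier that works the way the two databases are described above: a blocklist of known phishing URLs and hosts, an allowlist of known-safe domains, and a gray verdict when neither list answers. This is illustrative code written for this article, not MetaCert’s software, and the list entries are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed sample data standing in for the two databases described in the text
# (hypothetical values, not MetaCert's lists).
PHISHING_URLS = {"http://paypa1-secure-login.example/verify"}   # exact-URL entries
PHISHING_HOSTS = {"evil-login.example"}                          # whole-host entries
SAFE_HOSTS = {"paypal.com", "bank.example"}                      # brands phishers spoof

GREEN, RED, GRAY = "green", "red", "gray"


def normalize(url):
    """Return (host, canonical_url) so lookups are not fooled by case,
    a missing scheme, or a trailing slash."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    path = parsed.path.rstrip("/") or "/"
    return host, "%s://%s%s" % (parsed.scheme.lower(), host, path)


def host_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one.
    Only right-anchored suffixes are tried, so a lookalike such as
    paypal.com.attacker.example does NOT match the safe entry paypal.com."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in domains for i in range(len(parts)))


def classify_link(url):
    """Red for known phishing, green for known-safe hosts, gray otherwise."""
    host, canonical = normalize(url)
    if not host:
        return GRAY
    # The blocklist is consulted first so a known-bad page cannot earn a
    # green shield by spoofing a trusted brand name in its hostname.
    if canonical in PHISHING_URLS or host_matches(host, PHISHING_HOSTS):
        return RED
    if host_matches(host, SAFE_HOSTS):
        return GREEN
    return GRAY


def shield_report(links):
    """Map each link found in an email to the shield colour a reader would see."""
    return {link: classify_link(link) for link in links}
```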

MetaCert is also working on blockchain technology to encourage people to submit and categorize links to build out the database even more. The theory is that since the company won’t control the decentralized database, customers and other reporting entities needn’t worry about MetaCert employees – or anyone else for that matter – abusing their power by flagging sites they either don’t like or can’t monetize.

This software has its roots in enterprise communication tools – MetaCert first set its sights on building a phishing protection app for Slack – but doesn’t purport to be a cure-all for the ever-expanding gauntlet of new phishing schemes. It’s a tool that can augment existing security software applications that are already running (hopefully) throughout any organization.

Right now, MetaCert is available for the native iOS email app and works with major email providers including Gmail, Microsoft and the desktop Apple Mail app. It’s free for now but the company plans to charge for it down the road. There’s also a Google Chrome browser extension that warns users when they try to visit a site that contains links to known phishing sites, as well as bots that flag and delete messages with phishing links from Slack, Skype, and Telegram.

We know criminals are going to continuously weaponize these emerging technologies to attack our information, prey on our humanity as it were. But it’s encouraging to see some of these same robust tools manifesting themselves in new security tools to at least give us a fighting chance.