Interview: Tackling Phishing At The Point Of Click—On Any Device, From Anywhere

Chris Cleveland is the CEO and Founder at PIXM. An engineer and entrepreneur, Chris Cleveland founded PIXM using the cash prize he earned as a result of winning the CVC High-Tech Venture Competition. Today, PIXM combines machine learning and visual search technologies to stop breaches at the point of click. 

Matt Mosley is the Chief Product Officer at PIXM. With over 25 years of experience in cybersecurity and a proven track record of leading products from concept to launch, Mosley is adept at understanding end users’ challenges and finding innovative solutions to them, and applies this knowledge to drive performance improvement at PIXM.

Hot off the heels of RSAC 2022, we spoke to Cleveland and Mosley to discuss the evolution of phishing attacks as adversaries increasingly leverage alternative communication technologies to gain access to corporate networks, and how machine learning and prevention at the point of click can help protect organizations against phishing across all vectors. 

PIXM is an established anti-phishing provider, but you’ve recently released a new product to help prevent phishing attacks against mobile workforces. Could you give us an introduction to PIXM Mobile, and what differentiates it from other mobile security solutions?

Mosley: With PIXM Mobile, part of our story is that we detect phishing at the point of click, regardless of the source device, so any device, any vector. Phishing has traditionally been thought of as an email problem in our industry and, while there still is a lot of email phishing, more than half of all phishing now comes in through other vectors like business collaboration apps, text messages, and personal email. And most of the products out in the market today are not searching for phishing attacks targeting those vectors. PIXM defends against attacks from these vectors and traditional routes.

Cleveland: Yeah, it’s really about protecting users outside of the corporate inbox. A lot of phishing activities come in from channels like text message, Facebook, and other apps that people are using on their phones and desktops. 

And it’s important to note the capabilities of PIXM in the context of delivering real-time protection across all of these vectors by leveraging computer vision—a type of artificial intelligence. There are a lot of vendors today that have, quote unquote, “mobile phishing solutions,” but they’re essentially connecting links that are open on the phone with known threat feeds, black lists, threat intelligence–and all that is good stuff, but the vast majority of credentials are stolen within the first hour from a phishing attack being deployed. So, if you’re relying on threat feeds, it’s already too late. It’s like putting yellow tape around a crime scene. Effective anti-phishing is about delivering real-time AI scanning on any application and on any device.

Phishing was traditionally an email-based threat, but attackers are increasingly using other methods to target their victims, such as mobile social media and collaboration apps. In fact, the PIXM threat research team have reported their findings on a large-scale phishing campaign that has successfully stolen over five million credentials in the last four months. How do these alternative phishing methods work, and why are they so successful? 

Mosley: People don’t expect to see these types of malicious links coming in through avenues they trust. Traditionally, when you think of these other applications, you receive a link from a friend on Facebook and you click on it because you know and trust that person. “Surely, it’s a real link, it can’t be malicious!” The same goes for receiving a message through Slack or a text from a friend. 

By leveraging these trusted networks that already exist, attackers are easily able to convince people that something is legitimate, and people tend to gloss over the warning signs a lot easier. The attack you mentioned that we caught, the large Facebook Messenger phishing attack, it’s a lot of instances of people not second guessing or thinking about security, and actually asking themselves whether it’s safe or not. It’s very easy to get people to click links through Messenger and enter their credentials. This attack was particularly clever because it basically tricked people into thinking they were just logging back into Facebook and putting their password back in, when, in reality, they were giving it to a third party.  So it propagated very quickly to a large number of people around the world.

And the attackers weren’t even necessarily interested in the credentials—they were trying to get people to click on these links, and then click on videos and other things that they shared for ad revenue. So, they were actually using the ad revenue sites as a way to make money. And the more Facebook credentials they stole, the more they were able to push their content out to a large group of people to get them to click on it, and the more money they made. And so, it was a very clever attack that was able to spread pretty much unabated across a very large population in a short period of time.

What are some of the impacts that these attacks to people’s personal communication channels can have on business? 

Cleveland: When I check my updates in the morning from my colleagues, the first place that I’m going to is our Slack and WhatsApp instead of email. It’s the same for a lot of others. The amount of business communication that occurs outside of email has just skyrocketed with all these different kinds of collaboration tools. So, when I think about attacks like this here, you have millions of Facebook credentials being harvested and sold on the dark web, but what is downstream from that is leveraging people across networks. For example, if somebody that I collaborate with on a daily basis on WhatsApp sends me a PDF, I’m not going to call them on the phone to confirm it’s actually from them. But their account could actually be breached, and opening that file could give hackers access to others from that breached personal account. If you breach five people from an organization via Facebook, it’s not going to be difficult to deliver a ransomware payload to that company.

Mosley: Facebook is also very frequently used as part of single sign-on for different applications, even business ones in some cases. It’s a setting you can define, but you can allow Facebook for single sign-on for Microsoft email, for example. So, if your corporate email allows people to use Facebook credentials, that could in theory be an avenue into the company for threat actors.

How does PIXM Mobile help disrupt these types of attack?

Cleveland: It really goes back to how we started this call. The way we actually detected this campaign and how we discovered the scale of it was from people who are using our free browser extension. These are people who are getting these links in their messenger apps, clicking on those links, and opening that in the browser. PIXM Real Time Computer Vision Protection is able to identify a Facebook-branded page on a domain that has no business showing a Facebook login page. Our browser extension is unique in picking that up. And that’s true across desktop and across mobile; a huge amount of devices that have been targeted in this campaign are on mobile and are on iOS and Android. And we’ve just started to pick some of those up in addition to some of the desktop databases we’ve been stopping.

Matt Mosley: We got it just by looking at our data. We’re stopping this attack every day for our customers. And when we went and looked in the data, we saw some common metadata, tags, and JavaScript and such on some of these pages. And so, we followed the breadcrumbs and found out that this was a large-scale attack, but we only knew about it because we’re blocking it for customers that are using our product today.

A part of what differentiates your solution is this machine learning element in the way that you identify phishing threats. What part do machine learning and artificial intelligence play in the future of phishing, either in terms of protection or in terms of adversaries using these technologies?

Cleveland: Yeah, this is a great question. On the protection side, our machine learning algorithms or computer vision algorithms are based on models that are trained on very large datasets. Machine learning is all about having models that can learn patterns from very large datasets in order to make predictions. That’s something we’re very much on the frontier of. And that’s going to be something that we have to constantly improve, evolve, and adapt. 

From an adversary side, consider this Facebook phishing campaign: it’s harvesting millions of credentials. When you look at the scope of data available to those adversaries, there’s a strong potential to train very effective models to better target users. 

It’s a case of, you start to have better AI, then the other side has even better AI. You build a taller wall; they get a taller ladder. It’s like an arms race that we have to be constantly aware of.

How can organizations prepare themselves to face this kind of attack? 

Mosley: Having the right technology in place is helpful. Training is helpful and it is important— you do need to make sure you’re actively training your users on what to look for and what not to click on—but it’s not as effective as we’d like it to be. So, you need a combination of the right training and the right technology. 

The internet is not a safe place. I like to make the analogy that it’s like a dangerous street at night. You’re walking down it and you’ve got to be situationally aware. You always have to be looking out for something that just doesn’t look or feel right.

Cleveland: Yeah, I think there’s a statistic out there that says 25% of folks that click before training still click after it. That tells me that, if I’m responsible for data at my company, training is a good idea but it’s not good enough. Some people compare the browser to being like the car of the 21st century: you can educate people about driving on the road before you give them their license, but people are still going to get tired, fatigued, there are still going to be a lot of crashes and a lot of fatalities. I’d agree with that. 

The law of large numbers and overworked organizations is like Murphy’s Law. It’s not going to be in your favor. You’re going to have people that make mistakes, no matter how hard you train them. It’s still a good idea to train people, because the adversaries are always going to be adapting, but it’s also about solutions that work as the last line of defense, where you can use these new artificial intelligence capabilities to seal that gap and eliminate human error from that chain. 

What is your final piece of advice to organizations struggling to protect their remote or hybrid users against phishing attacks?

Mosley: I think a similar answer to the one we just gave. You know, make sure you have the right training and the right technology in place. Remote work is a unique situation because you don’t necessarily have control over what’s happening in that environment. You’ve got to make sure you’ve got good security hygiene and security products in place on those machines, so that you’re not getting other sorts of attacks coming in that are getting around your defenses. But you know, it’s tough. Remote work is a whole different world, you know, and not one that most of these solutions were designed for or prepared to work in. It’s something we’re still all kind of adapting to, and a product like PIXM can be a big help in protecting you there.

Cleveland: Just to add to that, remote and hybrid workforces to me mean lots of locations, lots of devices, and lots of applications. And people are working on a much more diverse range of applications. They’re doing work not just on a Windows device that they’ve been issued, but they’re also working on their MacBook Pros, their iPads, their Chromebooks. So, it’s making sure that your security infrastructure can support all of those new vectors. 

At the risk of plugging our own solution, something we’ve really had in mind from the very beginning is supporting that modern work environment and securing against people clicking on malicious links in any application, on any device. We try to make our solution very easy to install and integrate. But it’s about being able to support that modern work environment where people are working from home, while traveling to conferences, in different time zones, etc. You just need to be realistic about what that means in terms of how they’re communicating with their colleagues, or what devices and applications that they’re using, and making sure your security infrastructure can support that.

Thank you to Chris Cleveland and Matt Mosley for taking part in this interview. You can find out more about PIXM’s real-time phishing protection solution via their website.

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.