Cyber Risk Aware Blog

New Phishing Tactics Used by Threat Agents in 2019  and How to Get Around Them

[fa icon="calendar"] 17-May-2019 11:36:56 / by Jennifer Nwaigwe M

Jennifer Nwaigwe M

As internet security infrastructure becomes smarter and more difficult to penetrate, hackers have made the migration toward phishing attacks as the cyber-criminal weapon of choice because they exploit the seeming weakest part of any security system – humans!

In the first quarter of 2019, phishing attacks and other social engineering tactics like Business Email Compromise grew at a similar pace to 2018. They are still the starting point of almost all attempted and successful data breaches which cost an average of $1.23 million per breach for enterprises and an estimated $120,000 per incident for SMBs.

Phishing scams are usually associated with emails, but now they take other forms as well.  As our awareness of and defences against old tactics grow, cyber-criminals explore new tricks to get through our defensive walls, which means constant vigilance is key. Below, we have outlined 4 new tactics increasingly being employed by cyber-criminals and some with incredible success.

 

Non-Email Phishing Attacks

The traditional format of a phishing attempt typically involves using a malicious link sent to a user via email to download a malware file or extract information through a criminal website disguised as a trusted one. The trouble with this from a hacker’s point of view is that most major email service providers such as Google and Microsoft now scan every email for such malicious links. Emails with such links are either sent to the spam folder or boldly flagged to users as potential security risks.

To get around this, cyber-criminals have started exploiting messaging services typically used by business such as Slack, Facebook Messenger, and Skype. If they are able to steal user login credentials, they can pose as trusted team members and send malicious links to unsuspecting colleagues, who are more likely to fall for the scam because there is a familiar face ostensibly attached to it. There is not much data available yet on the exact scale of this scam tactic, but it is safe to assume that using collaboration tools as phishing vectors results in a much higher strike rate for cyber-criminals than the plain old email scam.

The Facebook messenger virus is a notorious tactic used by threat agents to spread cyber infections with the help of the Facebook Messenger app. The infected Facebook Message delivers a shortened link, e.g. video.bz or video_12345.bz, and an intriguing phrase that includes the name of the recipient and a couple of emojis. The embedded link seems to be leading to a YouTube or video link but once clicked, the malicious URL redirects to a phishing website filled with installers of dangerous browser extensions, fake Flash Player Updates, and similar content.

Also, in April, block chain platform Zilliqa announced phishing attacks using the brand name to target users of the platform and requesting details such as name, email, password, private key, etc. The attackers, “Zollo” who claimed to have entered into a partnership with Zilliqa used numerous platforms to reach out to potential targets including a fake Zilliqa blog, Zollo website, and Telegram.

To counteract this threat, businesses need to educate their employees about the realities of phishing, specifically on the point that any platform at all can become a dangerous phishing vector in the wrong hands. Typically, team members tend to be far more trusting of links shared on an internal Slack workplace than via email. They need to be taught that there is little difference between the two and that all a cyber-criminal need is an opportunity. If possible, businesses may also install third-party security add-ons to use alongside such programs to reduce the risk of scam vectoring.

 

Direct Interaction Phishing

As mentioned earlier, the entire raison d’etre of phishing is that the weakest point of any network security setup is the end user. Regardless of the different delivery and vectoring tactics, all phishing ultimately depends on the gullibility of the user. Direct interaction phishing takes this basic idea to the next level by exploiting available information from leaked databases to create highly personalised and believable messages to target marks. When the mark responds to the message as planned, they are then placed in direct communication with the cyber-criminal, who is then able to convince them to voluntarily hand over valuable data such as personal financial information and information that can be used to carry out identity theft.

In a typical scenario, the cyber-criminal may clone the website of a trusted institution such as a bank, and then use a live chat feature to get unsuspecting users to visit this website and submit financial details such as their credit card number, transaction history, social security/national insurance number and bio-data. This popular scam also works via telephone, for example with the criminal pretending to be the mark’s boss or colleague, and it is particularly effective when used on vulnerable demographic groups and non-internet savvy people.

Some weeks ago the Irish Times reported the story of a broadband fraud that left one family €15,000 poorer. The scammers employed a vishing tactic and pretended to be representatives of Telecoms company, Eir. They were able to get the victim to download a piece of software that gave them remote access to her laptop and further convinced her to go into her email and into her online banking platform. Even though they did not ask for any personal details or any details of access codes for her online banking, they did not need to as they could see everything she was doing on her laptop as she typed.

Counteracting this is a two-step operation. First of all, businesses need to educate their employees about what information should never be shared over the telephone or a live online chat. Banks are often at pains to point out for example, that they will never contact a customer and ask for key credit card details over the phone. Regardless of how well-personalised a phishing message is, a properly educated user will know that under no circumstances should they give up certain information via phone, email or text.

The second step is the introduction of a “channel switching” internal company communication protocol. What this means is that if a request for certain information comes via an official channel like email, the recipient should confirm that the purported sender actually requested this information using a different channel like Slack or text message. The idea is that it is considerably harder for a hacker to gain control of several official channels, so using different channels to confirm information requests functions as a type of 2-factor authentication.

 

SaaS-Focused Phishing

What this sort of phishing does is that instead of asking for information that has an obvious incentive to a cyber-criminal such as credit card numbers, it seeks to grab login credentials for SaaS (Software as a Service) packages like AWS, Slack, Google G-Suite and Dropbox. If they are successful, their impact can be devastating, potentially granting the criminal access to the entire data bank of business, or a complete record of its emails. It also helps the criminal pose as a trusted actor within the organisation and widens the phishing attack.

SAAS phishing exampleTypically, how it works is that the criminal creates a believable message claiming that a security breach has been noticed with the user’s SaaS service account. To fix it, the user is asked for their login details which are promptly stolen and used to access the network and gain unauthorised access to valuable information. Unsurprisingly, this ends up having a much worse impact than your run-of-the-mill ‘send us your credit card number’ phishing scam, and such attacks are now more popular than those directly targeting user financial data.

Action Fraud, the UK's national fraud and cyber reporting Centre warned citizens of Amazon-related phishing emails that were making the rounds in February.  The emails which were made to look like they were genuinely from Amazon, attempted to trick customers into clicking on a link to confirm their account details, and inadvertently give the fraudsters access to personal data.

Enabling 2-factor authentication is a security standard both individuals and organisations must have and adhere to. This ensures that a single compromised password does not grant criminals access to the network and helps users differentiates between actual messages genuinely sent by SaaS services and cloned messages sent by fraudsters.

 

Malicious Links Inside Shared Files

While a lot of email service providers scan all emails for suspicious links, which makes it hard for standard phishing emails to get through, this tactic bypasses that security filter by linking users to documents stored in trusted locations such as Google Drive and Dropbox. Email scanners do not flag such emails because the links direct users to legitimate locations.

Phishing scam via malicious links inside files

The documents, however contain malicious links to cloned websites, which completely bypass all security protocols because hosting services only scan files for malware and not for suspicious links. This way, criminals are still able to deliver malicious links to users by exploiting a blind spot in the architecture of internet security.

In March, the New Jersey Cybersecurity and Communications Integration Cell stated it had observed threat actors sending tax-themed Dropbox phishing emails to State employee email addresses. The emails contained a “View file” blue box link that supposedly downloads a PDF document titled with the spoofed employee’s first and last name and email address followed by “1040a.pdf.” However, when clicked, the embedded link will either attempt to download a malicious document that will install malware on the user’s device or direct the user to a spoofed site meant to steal the user’s Dropbox login credentials.

To get around spoofed websites, users can install a password manager such as 1confirmation and Google Lock, which automatically enter passwords into the correct login page. They will never enter the desired password into a cloned web page because they are designed to work only with the exact URL and certain security information from the correct website. If a password manager user observes that the program does not automatically enter their password on a web page that it ordinarily should, that is a clear sign that the web page is either fake or has been compromised in some way.

 

The rest of the year is sure to bring with it many new challenges and it’s likely that the economic losses related to cyber-crime will reach an all-time high in 2019.  The truth remains when it comes to cyber and information security, companies have to be right all the time while cyber-criminals only need to get ‘lucky' once. If you don’t want your company to be caught in this web of data breaches and the resulting losses and disruptions to business activities that they bring, it is important to stay abreast of the latest threats and continually invest in and improve your cyber defences.

Topics: Phishing, Social Engineering, phishing email, vishing, phishing attacks, phishing scams

Jennifer Nwaigwe M

Written by Jennifer Nwaigwe M

Digital Marketing, Food and Literature.