Welcome to the second week of CISA’s Cybersecurity Awareness month! This week’s theme focuses on phishing and the importance of reducing the effectiveness of this attack.
For many years, attackers have relied on a few common types of phishing attacks. And for years, businesses like yours relied on three key strategies to protect against them. But as security measures improve, so do phishing methods.
To reinforce the strategy of educating your team, you need to know about new types of phishing attacks designed to slip past your defenses.
Phishing scams are becoming more complex as people catch on to tricks, and so staying aware and informed is more important than ever.
When training your team, make sure you’re aware of these new, dangerous methods.
Phishing with Tricky URL Addresses
You train your team to hover over links and look for legitimate URLs.
But, when links are long or complicated, you might see a lot of noise after the link and just ignore it.
For example, most users might not see the difference between the following two links:
https://www.LegitURL.com/login.html?RelayState=http%3A%2F%2Fgoodurl.com%2Fnext
https://www.LegitURL.com/login.html?RelayState=http%3A%2F%2Fnastyurl.com%2Fnext
This is an example of the Open Redirect vulnerability. Microsoft and Trustwave cover this topic in more detail, but essentially, redirects abuse a method used to track web traffic for marketing and subvert it to capture credentials and user information.
The first part of the URL seems legitimate (https://www.LegitURL.com/login.html), and usually indicates the web page that a user will land on after a successful login. But it’s actually the second part of the address (?RelayState=http%3A%2F%2Fnastyurl.com%2Fnext) that indicates where the user will go first.
Phishers understand users don’t see past the .com, and then set up phishing sites with corporate logos and captcha security to look legitimate.
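As an added example (not from the original post or from Ideal Integrations), here is a small Python check a help desk or mail filter could run over reported links: it pulls out redirect-style parameters such as RelayState and flags any whose destination leaves the link's own domain. The parameter list, the crude two-label domain rule, and the sample links are assumptions.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Query parameter names commonly used to carry a post-login destination (assumed list).
REDIRECT_PARAMS = {"relaystate", "redirect", "redirect_uri", "redirect_url",
                   "next", "url", "returnurl", "return_to", "goto"}


def base_domain(host: str) -> str:
    """Crude registrable domain: the last two labels (no public-suffix list, an assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def redirect_targets(link: str) -> list:
    """Return every absolute URL carried in a redirect-style parameter of link."""
    query = urlparse(link).query
    targets = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:             # parse_qs has already percent-decoded once
            if "%3a" in value.lower() or "%2f" in value.lower():
                value = unquote(value)   # handle a double-encoded value
            if value.startswith("//"):   # protocol-relative URL still leaves the site
                value = "https:" + value
            if urlparse(value).scheme in ("http", "https"):
                targets.append(value)
    return targets


def check_link(link: str) -> dict:
    """Flag a link whose redirect parameter points outside the link's own domain."""
    link_host = urlparse(link).hostname or ""
    external = []
    for target in redirect_targets(link):
        target_host = urlparse(target).hostname or ""
        if base_domain(target_host) != base_domain(link_host):
            external.append(target_host)
    return {"link_host": link_host, "external_targets": external,
            "verdict": "external_redirect" if external else "ok"}


# Constructed sample links modelled on the two in the post, plus a same-site one.
SAMPLES = [
    "https://www.LegitURL.com/login.html?RelayState=http%3A%2F%2Fgoodurl.com%2Fnext",
    "https://www.LegitURL.com/login.html?RelayState=http%3A%2F%2Fnastyurl.com%2Fnext",
    "https://www.LegitURL.com/login.html?RelayState=https%3A%2F%2Fportal.legiturl.com%2Fhome",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_link(sample))
```

Note that the post's own "good" link is also flagged, because a redirect to any third-party site deserves a second look; the verdict is a prompt for review, not proof of phishing.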
These complex URLs can baffle both users and anti-phishing software by obscuring the true destination, but phishers also try to obscure the emails they send. For example, one new type of attack uses encrypted Zix email links to sneak past your monitoring software.
Email encryption software is a very good way to prevent unintended recipients from seeing content, and it’s a great thing to use.
However, it also provides a handy Trojan horse for attackers, hiding the purpose of the email behind a trusted, legitimate company.
The attackers in one case also co-opted a previously legitimate URL (thefullgospelbaptist[.]com) to obscure the source of the email.
By doing so, they managed to bypass authentication checks as they spammed 75,000 email recipients.
The One-Click Phish - Don’t Click Enable Editing
Phishing attacks trick victims into giving up credentials, making fraudulent payments, or downloading malware.
And, although the first two might give users time to become suspicious, downloading malware can be as simple as one click of a button.
The most prevalent one-click attacks involve enabling macros for Microsoft Office.
The Qbot botnet, for example, uses a fake Windows Defender Antivirus theme hidden within malicious Excel attachments. It pretends the document is encrypted and that the user needs to click “Enable Editing” to see the content.
With one unfortunate click, the user is infected.
The BazarLoader goes one step further by sending links to Google Docs first. Users feel safe clicking on a link to Google, but once there, they are shown an error message and encouraged to download the malicious file.
Dridex, Emotet, QakBot, and many other attacking groups operate by creating a sense of urgency and importance. They do this by labeling files as relevant to payroll, payments, or shipping, so that users are pressured to click.
Remind your users to always hesitate before clicking ‘Enable’, and to send any file they have doubts about to IT to be checked.
Taking Action Against Phishing
As screening tools improve, attackers continue to adjust their techniques.
For them, the potential rewards of a successful phish are huge. In the past two weeks alone, the following phishing breaches made headlines:
- Fraudsters stole millions of British pounds from Barclays accounts through phishing texts.
- Thousands of dental patients may have had their information stolen from North American Dental Management by a phishing and credential harvesting attack.
- Phishing texts tricked 1,200 NTT Docomo customers into giving up their PINs, and the victims were charged 100 million yen for gift cards.
- 6,000 Coinbase customers fell for phishing campaigns to turn over their credentials.
Phishing attacks affect your company, your employees and your customers. As such, prevention remains absolutely critical.
In addition to these three buffer strategies, why not set up a special email address “checkmyfile@myurl” so that users easily know where to send their files?
You could also put your help desk information at the top of a sticky note for their monitors that reminds them not to click on files ending in .bat, .com, .exe, .jar, .js, .ps1, .scr, or .vbs.
People click because they feel pressure, so help remove that pressure by making it easy to do the right thing.
The Takeaways
Phishing remains one of the biggest problems facing businesses today.
And, as phishing techniques become more and more damaging, prevention continues to grow in importance.
If your organization needs phishing training, help desk assistance, or a hand recovering from a bad click, reach out to Ideal Integrations at 412-349-6680 or fill out the form below.
We provide a free consultation and can deploy a team of experts ready to handle any of your IT and security needs!