Last week we shared CertNZ's Q2 report on the state of logged cybersecurity incidents in New Zealand. Phishing attacks were by far the most reported category, making up 618 of the 1,351 incidents reported in the three months ending June 2021.
In contrast to the chaos caused by the Covid-19 pandemic on everyday business, criminal enterprise has flourished in the new reality of remote working and employee flexibility, with more people using their own devices for work than ever before. This, unfortunately, is clearly evident in CertNZ's report, which indicates a definitive quarter-on-quarter increase in cyber attacks.
Just yesterday I noted another well-known business in our country that fell victim to ransomware. All 45 of its PCs, including all backups, have been encrypted. Without their data, they have no means to contact their customers (as required by the New Zealand Privacy Act 2020) to let them know what has transpired, let alone deliver the services that they are contracted to deliver. This is a nightmarish disaster that no business ever wants to find itself in.
The rise of phishing attacks poses a significant threat to all organisations. It’s important that all companies know how to spot some of the most common phishing scams if they are to protect their corporate information. It’s also crucial that they are familiar with some of the most common types of techniques that malicious actors use to pull off these scams.
Towards that end, we at VOX Telecom will discuss six of the most common types of phishing attacks as well as provide useful tips on how organisations can defend themselves.
1. Deceptive Phishing
Deceptive phishing is by far the most common type of phishing scam. In this ploy, fraudsters impersonate a legitimate company in an attempt to steal people’s personal data or login credentials. Those emails frequently use threats and a sense of urgency to scare users into doing what the attackers want.
Techniques Used in Deceptive Phishing
Vade Secure highlighted some of the most common techniques used in deceptive phishing attacks:
Legitimate links: Many attackers attempt to evade detection from email filters by incorporating legitimate links into their deceptive phishing emails. They could do this by including legitimate contact information for an organisation that they might be spoofing.
Redirects and shortened links: Malicious actors don’t want to raise any red flags with their victims. They therefore craft their phishing campaigns to use shortened URLs as a means of fooling Secure Email Gateways (SEGs), “time bombing” (redirecting users to a phishing landing page only after the email has been delivered), and redirects to legitimate web pages after victims have forfeited their credentials.
Modify brand logos: Some email filters can spot when malicious actors steal organisations’ logos and incorporate them into their attack emails or onto their phishing landing pages. They do so by looking out for the logos’ HTML attributes. To fool these detection tools, malicious actors alter an HTML attribute of the logo such as its color.
Minimal email content: Digital attackers attempt to evade detection by including minimal content in their attack emails. They might elect to do this by including an image instead of text, for instance.
Recent Examples of Deceptive Phishing Attacks
As an example, PayPal scammers could send out an attack email that instructs recipients to click on a link in order to rectify a discrepancy with their account. In actuality, the link redirects to a website designed to impersonate PayPal’s login page. That website collects login credentials from the victim when they try to authenticate themselves and sends that data to the attackers.
We’ve seen these types of campaigns make headlines in recent years, as well. In the beginning of September 2020, for instance, PR Newswire shared research from the CERT at Retarus warning organisations to be on the lookout for attackers impersonating contract partners. Those malicious actors sent out phishing emails urging organisations to update their business partner contracts by downloading an attachment. To add legitimacy to their attack, the malicious actors made the documents look like they were hosted on the industry-leading transaction system Dotloop. But clicking on the document simply redirected the victim to a fake Microsoft login page.
Less than a month after that, researchers at Cofense spotted an email campaign that pretended to originate from a security awareness training provider. The operation’s attack emails warned the recipient that they only had a day left to complete a required training by clicking on a URL. In the event that the victim complied, the campaign sent them to a phishing kit that used a fake OWA login page hosted on a Russian domain to steal victims’ Microsoft credentials.
How to Defend Against Deceptive Phishing
The success of a deceptive phish hinges on how closely the attack email resembles a piece of official correspondence from the abused company. As a result, users should inspect all URLs carefully to see if they redirect to an unknown and/or suspicious website. They should also look out for generic salutations, grammar mistakes and spelling errors scattered throughout the email.
2. Spear Phishing
Not all phishing scams embrace “spray and pray” techniques. Some ruses rely more on a personal touch. They do so because they wouldn’t be successful otherwise.
In this type of ploy, fraudsters customise their attack emails with the target’s name, position, company, work phone number and other information in an attempt to trick the recipient into believing that they have a connection with the sender. Yet the goal is the same as deceptive phishing: trick the victim into clicking on a malicious URL or email attachment so that they’ll hand over their personal data. Given the amount of information needed to craft a convincing attack attempt, it’s no surprise that spear-phishing is commonplace on social media sites like LinkedIn where attackers can use multiple data sources to craft a targeted attack email.
Techniques Used in Spear Phishing
Provided below are some of the most common techniques used in spear phishing attacks:
Housing malicious documents on cloud services: CSO Online reported that digital attackers are increasingly housing their malicious documents on Dropbox, Box, Google Drive and other cloud services. By default, IT is not likely to block these services, which means the organisation’s email filters won’t flag the weaponised docs.
Compromise tokens: The security news platform also noted that digital criminals are attempting to compromise API tokens or session tokens. Success in this regard would enable them to steal access to an email account, SharePoint site or other resource.
Gather out-of-office notifications: Attackers need lots of intelligence in order to send a convincing spear-phishing campaign. Per Trend Micro, one way they can gather it is by emailing employees en masse and collecting out-of-office notifications to learn the format of the email addresses used by internal employees.
Explore social media: Malicious actors need to learn who’s working at a targeted company. They can do this by using social media to investigate the organisation’s structure and decide whom they’d like to single out for their targeted attacks.
Examples of Spear Phishing Attacks
In the beginning of September 2020, Proofpoint revealed that it had detected two spear-phishing attack campaigns involving China-based APT group TA413. The first took place in March and targeted European government entities, non-profit research organisations and global companies associated with economic affairs by tempting recipients to open the WHO’s “Critical preparedness, readiness and response actions for COVID-19, Interim guidance” document. The second targeted Tibetan dissidents with a PowerPoint presentation entitled “TIBETANS BEING HIT BY DEADLY VIRUS THAT CARRIES A GUN AND SPEAKS CHINESE.ppsx.” Both delivered payloads of a new infostealer family called Sepulcher.
Less than a week later, Armorblox explained that it had come across a phishing attack attempt against one of the top 50 innovative companies in the world in 2019. The attack email used spoofing techniques to trick the recipient into believing that it contained an internal financial report. The campaign’s attachment subsequently redirected recipients to a fake Office 365 login page that showed their username pre-entered on the page, thereby further creating the impression that the portal was an internal company resource.
How to Defend Against Spear Phishing
To protect against this type of scam, organisations should conduct ongoing employee security awareness training that, among other things, discourages users from publishing sensitive personal or corporate information on social media. Companies should also invest in solutions that analyse inbound emails for known malicious links/email attachments. This solution should be capable of picking up on indicators for both known malware and zero-day threats.
3. CEO Fraud
Spear phishers can target anyone in an organisation, even executives. That’s the logic behind a “whaling” attack. In these scams, fraudsters try to harpoon an exec and steal their login details.
In the event their attack proves successful, fraudsters can choose to conduct CEO fraud. As the second phase of a business email compromise (BEC) scam, CEO fraud is when attackers abuse the compromised email account of a CEO or other high-ranking executive to authorise fraudulent payments to a financial institution of their choice. Alternatively, they can leverage that same email account to conduct further phishing in which they request IRD information for all employees so that they can file fake tax returns on their behalf or post that data on the dark web.
Techniques Used in Whaling
Whaling attacks commonly make use of the same techniques as spear phishing campaigns. Here are a few additional tactics that malicious actors could use:
Infiltrate the network: A compromised executive’s account is more effective than a spoofed email account. As noted by Varonis, digital attackers could therefore use malware and rootkits to infiltrate their target’s network.
Follow up with a phone call: The United Kingdom’s National Cyber Security Centre (NCSC) learned of several instances where attackers followed up a whaling email with a phone call confirming the email request. This social engineering tactic helped to assuage the target’s fears that there could be something suspicious afoot.
Go after the supply chain: Additionally, the NCSC has witnessed a rise of instances where malicious actors have used information from targets’ suppliers and vendors to make their whaling emails appear like they’re coming from trusted partners.
Recent Examples of Whaling Attacks
Back in May 2016, Infosecurity Magazine covered Austrian aerospace manufacturer FACC’s decision to fire its CEO. The supervisory board of the organisation said that its decision was founded on the notion that the former CEO had “severely violated his duties, in particular in relation to the ‘Fake President Incident.’” That incident appeared to have been a whaling attack in which malicious actors stole €50 million from the firm.