Phishing Season never Closes

In cybersecurity defense, the use of automatic protection tools is only half the assignment.  The human element plays an increasingly important role.  Scammers like to take shortcuts and know that it is easier to trick people than it is to exploit software or hardware.  Any organization with a well-guarded security perimeter is still an easy target as long as its employees fall for phishing scams.

The problem reached new heights during the coronavirus pandemic.  The situation led to online panic that gave cyber threat actors an advantage in delivering effective online frauds.  According to a recent report by the international Anti-Phishing Working Group (APWG), Q3 2022 was the worst quarter for phishing attacks the consortium had ever observed, with the number of recorded attacks exceeding 1.2 million.  In addition, the average amount of money requested in wire transfer Business Email Compromise (BEC) scams reached US $93,881.

See:  https://redskyalliance.org/xindustry/phishing-how-not-to-get-caught

Thinking like a fraudster can help create additional barriers against these social engineering tricks and form a foundation for effective security awareness training, so that the human factor hardens an organization's defenses instead of being the weakest link.  Any phishing email aims to make a recipient err in one of two ways: clicking a malicious link or downloading a malware-riddled file.  The former typically results in visiting a credential phishing page, and the latter mostly triggers rogue macros within a Microsoft Office document.

During penetration tests, pen testers use harmless decoy elements that allow them to keep a record of link hits or instances of opened attachments.  During actual attacks, the bad actor instantly obtains credentials entered in the fake sign-in page, and recklessly enabled Visual Basic for Applications (VBA) macros quietly drop malware that can provide backdoor access to the target device.

The narrative of the message has to be accurately aligned with the attacker's goals/interests and the would-be victim's position in the organization.  If the scammer wants to get hold of a senior executive's correspondence, the email should pretend to come from a person whose rank and reputation in the business world match those of the recipient.  If the objective is to remotely access a workstation used by a finance department employee, the message would be masqueraded as an accounting report or a manager's request to verify wire transfer details.

Urgency is a scammer's best strategy.  The most effective phishing messages instruct victims to take some kind of action immediately.  For instance, they emphasize the adverse consequences of not meeting a specified deadline.  Another step in prepping for the attack is to proofread the email: typos and grammar errors can raise red flags and cause the recipient to ignore the message.  Do not be afraid to telephone the requesting party and ask some questions before doing anything.  Read this again.

Potential victims are more likely to open email attachments than to enter personal information on a credential phishing page.  This means that perpetrators have a greater chance of depositing malicious programs than of pilfering passwords via a phony web form.  Trojan downloaders and ransomware are becoming integral components of a phisher's repertoire, adding an extra layer of monetization to these attacks.

As far as phishing themes are concerned, the most lucrative ones revolve around corporate benefits, such as freebies and discounts from partnering businesses.  Statistically, about a third of all targeted users take the bait in such scenarios.  Messages that tell employees to familiarize themselves with changes to organizational policies and other rules relating to the corporate culture are also highly effective.

One more aspect is to lace the attack with a little bit of hype, such as seasonal events or stories currently in the news.  For instance, when the winter holidays are approaching, it is time to be wary of scams in which criminals try to bait people with bogus promos and giveaways.  During this period, crooks may also camouflage malicious files as a holiday work schedule that most users will open without a second thought, only to receive the malware.

An email thoroughly tailored for a specific recipient has a much higher success rate than a generic message used in a Spray-and-Pray (SaP) attack.  This kind of foul play is known as spear-phishing.  Some open-source intelligence (OSINT) drawn from publicly available sources, such as social networks, discussion groups, and professional publications, may suffice to retrieve personal data and gain insights into pain points that allow a scammer to concoct a legitimate-looking email.  An attack targeting only several employees in a company is usually a sure-shot exercise, in contrast to a large-scale campaign that lacks personalization.

Most phishing attacks are easy to spot, but things can get challenging when experienced fraudsters are in play.  It is in every organization's best interest to nurture a proactive security posture and forestall these scams regardless of their sophistication.

No matter what position an employee holds in the company's hierarchy, they must keep in mind that any hyperlink or file embedded in an email is potentially dangerous, even if the message appears to come from a trusted individual or organization.  Long-standing loopholes in the design of the SMTP protocol make it ridiculously easy to pull off email spoofing by tweaking message headers, which lowers the bar for carrying out effective impersonation attacks.

Being on the lookout for red flags in incoming electronic correspondence is a valuable skill you should practice.  You and your colleagues should pay attention to anomalies like misspellings, inaccuracies in the sender's name, and consumer webmail domains (for example, gmail.com or yahoo.com after the "@" symbol) when the email claims to come from a reputable company.
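As an added illustration of the header red flags just described (this is example code, not part of the original article), the following Python checks a message's From, Return-Path and Reply-To headers for a webmail sender domain, a display name that shows a different address than the real one, and envelope or reply addresses that point elsewhere.  The sample message, its domains and the `claimed_org` input are all constructed for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr

# Consumer webmail domains the article cites as a red flag when a message
# claims to come from a reputable company (extend as needed).
FREEMAIL = {"gmail.com", "yahoo.com"}

def _domain(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def header_red_flags(raw, claimed_org):
    """Return a list of header anomalies for one RFC 822 message.

    claimed_org is the company the mail purports to represent (hypothetical
    input here; in practice it would come from brand matching on the body).
    """
    msg = message_from_string(raw)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # Red flag 1: the display name contains an address whose domain does not
    # match the real sender address (a classic header tweak).
    if "@" in from_name and _domain(from_name) != from_dom:
        flags.append("display name shows %s but address is %s" % (from_name, from_addr))

    # Red flag 2: a "reputable company" writing from a webmail domain.
    haystack = (from_name + " " + msg.get("Subject", "")).lower()
    if from_dom in FREEMAIL and claimed_org.lower() in haystack:
        flags.append("webmail domain %s used for a message claiming to be from %s" % (from_dom, claimed_org))

    # Red flag 3: the envelope sender (Return-Path) differs from the visible From.
    _, ret_addr = parseaddr(msg.get("Return-Path", ""))
    if ret_addr and _domain(ret_addr) != from_dom:
        flags.append("Return-Path domain %s differs from From domain %s" % (_domain(ret_addr), from_dom))

    # Red flag 4: replies are silently redirected to another domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        flags.append("Reply-To domain %s differs from From domain %s" % (_domain(reply_addr), from_dom))
    return flags

# Constructed sample message: every address and domain below is made up.
SAMPLE = """\
Return-Path: <bounce@mailer-example.test>
From: "ceo@acme-example.test" <acme.ceo.office@gmail.com>
Reply-To: <payments@acme-example-invoice.test>
Subject: Urgent wire transfer - ACME Example Corp
To: <finance@acme-example.test>

Please verify the attached wire details before 5 PM today.
"""

def demo():
    return header_red_flags(SAMPLE, "ACME Example")
```

A real mail gateway would add SPF, DKIM and DMARC results to these checks; the heuristics above only cover what a recipient can see in the headers.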

Most importantly, you need to understand that security is a process, not a plug-and-play product.  Deploying a Secure Email Gateway (SEG) and an anti-malware program with online security features in its toolkit is worthwhile, because these solutions do filter out most scams that match known phishing templates.  However, crooks are increasingly proficient at bypassing them.

Security awareness training is mandatory these days.  In addition to teaching your teams how to identify frauds, it teaches them to respond to various cyber threats and helps refine their online hygiene overall.

See the negative side:  https://redskyalliance.org/xindustry/can-chatgpt-write-malware

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

source: https://www.secureworld.io/industry-news/know-your-enemy-phishing-tactics
