There is hardly any form of cybercrime that measures up to phishing in terms of its prevalence and global impact. It is front and center in malicious campaigns aimed at obtaining users’ authentication data, bilking organizations of money, or spreading computer viruses through treacherous emails.
Security analysts’ recent findings show the big picture. More than 165,772 new phishing sites were spotted in the first quarter of 2020. The FBI says business email compromise (BEC), is an escalating type of phishing focusing on the enterprise. This causes companies to lose about $5 billion in fraudulent wire transfers annually.
Cyber-criminals are ramping up their genre
These mind-boggling statistics demonstrate the breadth and depth of the scourge. Unsurprisingly, numerous security firms and email providers are delivering solutions that keep scam messages from ending up in users’ inboxes. The increasingly effective defenses encourage the operators of phishing campaigns to mastermind new methods for circumventing the traditional filters.
Bypassing email filters has become just as important for crooks as tailoring rogue messages whose narrative pulls the right strings in recipients’ consciences. The following techniques have recently enhanced the repertoire of phishing operators so that their emails do not raise red flags and arrive at their destination despite mainstream countermeasures.
Recommended for you: What is the Role of Artificial Intelligence (AI) in Cybersecurity?
Office 365 credentials harvested via Google Cloud Services
Cyber-crooks are increasingly hosting decoy files and phishing pages on popular cloud services. This tactic adds an extra layer of trustworthiness and obfuscation to a scam, making it hugely challenging for security-minded users and protection systems to detect it.
A campaign recently unearthed by researchers from cyber-security firm Check Point demonstrates how evasive this type of fraud can get. Its lure element is a PDF document uploaded to Google Drive. This shared file is claimed to contain important business information. To view it, though, the victim is supposed to click on the “Access Document” button, which leads to a sign-in page asking for Office 365 authentication details or an organization ID. No matter which option is selected, a pop-up screen appears requesting the user’s Outlook login info.
As soon as the email address and password are entered, the victim can finally view the PDF file. It is a legitimate marketing report issued by a well-known consulting company in 2020. Furthermore, the pages that appear at different phases of this attack are hosted on Google Cloud Storage, so there are hardly any clues suggesting that something clearly wicked is going on.
Meanwhile, a serious pitfall eclipsed by the ostensible legitimacy of this stratagem is that the crooks obtain the victim’s valid Office 365 credentials along the way. When in the wrong hands, this information can become a launchpad for effective BEC scams, industrial espionage, and malware propagation.
Misleading emails pretending to come from trusted banks
In a recent move, scammers have been spawning fake messages that impersonate popular financial institutions such as Citigroup or the Bank of America. The email instructs the user to refresh their email address details by clicking on a hyperlink that leads to a replica of the bank’s website. To make the hoax look true to life, the felons use an additional page requesting the recipient’s security challenge question.
One of the adverse inconsistencies is that the email slips below the radar of most filters, although it is sent from a @yahoo.com address. The reason is that the malefactors only target a few employees in a company. Because commonplace anti-phishing solutions are tuned for a large number of similar or identical messages, they may overlook several suspicious emails.
Another issue is that the message originates from a personal email account. This fact hampers detection because the conventional verification tools such as Domain-based Message Authentication, Reporting & Conformance (DMARC) as well as the Sender Policy Framework (SPF) only identify emails that spoof the source domain.
To top it all off, the credential phishing page that mimics the bank’s official website passes all checks with flying colors. That is because it was registered recently and therefore has not been blacklisted yet. It also uses a valid SSL certificate. The phishing link redirects users using a legitimate Yahoo search service. All these quirks, combined with quite a bit of pressure imposed in the text, crank up the success rate of this campaign.
Unzip an attachment and get infected
Some threat actors veil a harmful attachment in a rogue archive to thwart detection. Normally, a ZIP file comes with one “End of Central Directory” (EOCD) parameter. It points to the final element of the archive structure. What cyber-crooks do is use a ZIP object with an extra EOCD value inside. It means that the file includes an obfuscated archive tree.
When processed by decompression tools that constitute Secure Email Gateways (SEGs), the ZIP attachment appears benign because its “red herring” component is typically the only one that gets scrutinized. In the aftermath of this trickery, the extracted file stealthily executes a banking Trojan on the recipient’s machine.
Lost in translation
Another common stratagem is to hoodwink email filters by embedding text in a foreign language. Some defenses are configured to scan incoming messages for dubious materials in English or the user’s native language only.
With that in mind, crooks may create phishing emails in Russian and include a tip saying, “Use Google translator.” As a result, the message makes it to the inbox and the victim may get on the hook after reading the translated text.
Modifying the HTML code of an email
One more way for a phishing message to slip by protection systems is to reverse the text strings in its HTML code and then render the info forwards so that it looks perfectly normal to the recipient. Since the contents of the misrepresented source code do not overlap any known phishing templates, SEGs will most likely ignore the message.
A highly insidious knockoff of this technique revolves around Cascading Style Sheets (CSS), an instrument used to complement web documents with style components such as font size and color, background color, and spacing. The foul play comes down to mishandling CSS to merge Latin and Arabic scripts in the raw HTML code. These scripts flow in opposite directions, making it easier for crooks to achieve the text-reversing effect mentioned above. As a result, the message dupes the defenses while remaining human-readable.
Abusing hacked SharePoint accounts
Some phishing gangs capitalize on compromised SharePoint accounts to set their scams in motion. The evil logic hinges on the fact that SEGs trust domains associated with the reputable collaborative platform from Microsoft. The link in the email body leads to a SharePoint site. So, security systems treat it as benign and ignore the message.
The catch is that criminals re-purpose the landing page to display a dodgy OneNote document. This, in turn, redirects to a credential phishing page camouflaged as OneDrive for Business login form. The authentication details that the unsuspecting user enters in it are instantly sent to the crooks’ server.
Give your phishing awareness a boost to stay safe
Email filters are undoubtedly worth their salt. They do flush out the bulk of sketchy messages thrown toward your inbox. However, the lesson you should learn from the real-world attacks described above is that relying on these systems unconditionally is risky business.
“You should do your homework and follow some extra tips to improve your personal anti-phishing hygiene.” – in a recent interview as mentioned by Andrew Gitt, the senior tech specialist, co-founder, and head of research at VPNBrains.
Andrew also provides the following recommendations in his interview:
- Refrain from clicking on links that arrive in emails.
- Do not open attachments received from strangers.
- Before typing your username and password on a sign-in page, ascertain that it is HTTPS versus HTTP.
- If an email looks legit and you decide to take the risk of clicking on an embedded link, check the URL for typos and other giveaways first.
- Read incoming emails carefully and check their text for spelling, grammar, and punctuation errors. If you notice such mistakes, the message is most likely a scam.
- Ignore and trash emails that pressure you into doing something. For instance, phishers often impose some kind of deadline to make people slip up. Do not fall for such tricks.
- Beware of emails whose contents deviate from the norm in terms of your day-to-day work duties.
- If you receive a message from a senior manager requesting a wire transfer, double-check it by contacting the person over the phone or in person. The chances are that you are dealing with an impostor who took over the colleague’s email account.
- Mind what information you share on social networks. Malicious actors are adept at conducting open-source intelligence (OSINT), so they may turn your publicly available personal data against you.
- If you are an executive, be sure to set up a phishing awareness training program for your employees.
- Enable a firewall and install effective online security software with an anti-phishing feature onboard.
You may also like: How to Protect Your PC from Cyber-attacks, Tracking, & Malware?
Whenever white hats come up with a new prevention mechanism, cyber-criminals do their best to outsmart them. An emerging and very promising security trend in this regard is to employ artificial intelligence and machine learning to identify phishing attempts. Hopefully, this approach will keep the defenses one step ahead of attack vectors no matter how sophisticated they are.
For now, the best thing you can do is stay vigilant and make the most of traditional anti-phishing tools that work wonders in most cases.