Catch of the Day: Statement Phish
Chef’s Special: URL Shortener Phish
Examples of clever phish that made it past my anti-spam nets and into my inbox. Some are contributed by clients or readers like you, and other reliable sources on the Internet.
You can send phishing samples to me at phish@wyzguys.com.
My intention is to provide a warning and show current examples of phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your inbox. If the pictures are too small or extend off the page, double clicking the image will display them in a photo viewer app.
Statement Phish
Here is another example of a self-hosted HTM file attachment being used to spawn a login screen for credential stealing. Not a lot going on with this exploit. Here is the phishing email.
When you open the attachment using your web browser it creates an HTM web page.
If you were to enter your user ID and password, your credentials would be sent to the attacker.
A quick check with VirusTotal shows the attachment is a known phishing exploit element.
Be careful what you click on. Opening the web page may also trigger a drive-by malware download.
Your Users Still Fall For Phishing Attacks Because of URL Shorteners
Analysis of current phishing attacks by security researchers has uncovered an increase in the use of trusted shortlink services.
To be successful, phishing scammers need to establish legitimacy as much and as early as possible.
Brand impersonation within an email has long been one method, but to establish legitimacy to security solutions, scammers have had to do more than just have a look-alike domain.
According to security researchers at Barracuda, a wave of phishing attacks is leveraging legitimate URL shortening services to add a layer of obfuscation to their malicious links in emails.
While some security solutions actually follow links to, and analyze, their final destination, many solutions simply look at the link itself. By using a shortlink, like those created by bit.ly that look similar to “bit[dot]ly[slash]FakeURL,” solutions that take the link at face value will see it as legitimate.
Barracuda theorizes that threat actors are compromising credentials at these shortlink services to gain access and utilize them as part of phishing attacks.
There are really only two ways to counteract this:
- Employ security software solutions that traverse links and scan final web destinations for malicious content
- Teach users through continual new-school security awareness training to be vigilant each and every time they interact with an email, attachment, or a web link, not trusting the content or context in front of them and choosing to scrutinize before proceeding.
And because cybercriminals will continue to evolve their methods, both of these should be put and kept in place.
Blog post with links:
https://blog.knowbe4.com/phishing-attacks-continue-to-leverage-url-shorteners-to-obfuscate-malicious-links
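The difference between judging a link at face value and traversing it to its final destination, as an added example that is not from the original post or the cited research. The blocklist entry, the `.example` hosts and the redirect table are constructed, and `fake_fetch` stands in for the network so the sketch runs offline.

```python
import http.client
from urllib.parse import urljoin, urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}   # sample list; extend locally
BLOCKLIST = {"login-portal.example"}             # constructed placeholder domain
REDIRECTS = (301, 302, 303, 307, 308)

def host(url):
    return (urlsplit(url).hostname or "").lower()

def http_head(url):
    """One HEAD request, redirects NOT followed; returns (status, Location)."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=5)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def resolve_chain(url, fetch=http_head, max_hops=5):
    """Follow redirects hop by hop; returns (urls_visited, reached_final)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            return chain, True
        nxt = urljoin(chain[-1], location)       # Location may be relative
        if nxt in chain:                         # redirect loop
            return chain, False
        chain.append(nxt)
    return chain, False                          # too many hops, destination unknown

def verdict(url, fetch=http_head):
    chain, complete = resolve_chain(url, fetch)
    if any(host(u) in BLOCKLIST for u in chain):
        traversed = "block"
    else:
        traversed = "allow" if complete else "quarantine"
    return {"shortened": host(url) in SHORTENERS, "chain": chain, "traversed": traversed,
            "face_value": "block" if host(url) in BLOCKLIST else "allow"}

# Constructed redirect table standing in for the network.
FAKE_WEB = {"https://bit.ly/FakeURL": (301, "https://hop.example/r?id=1"),
            "https://hop.example/r?id=1": (302, "//login-portal.example/statement")}

def fake_fetch(url):
    return FAKE_WEB.get(url, (200, None))
```

A chain that loops or exceeds `max_hops` is returned as `quarantine` rather than `allow`, since the final destination was never seen.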
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com