Phishing Email Alerts
Catch of the Day: Bob Talks About Phishing
Chef’s Special: Council of Europe Information Disorder
Examples of clever phish that made it past my spam filters and into my Inbox, or from clients, or reliable sources on the Internet.
I would be delighted to accept suspicious phishing examples from you. Please forward your email to phish@wyzguys.com.
My intention is to provide a warning, examples of current phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your own inbox. If the pictures are too small or extend off the page, double-clicking on them will open them up in a photo viewer app.
Well, loyal readers, the nets came up empty this week, and even my usually reliable sources on other blogs I follow had nothing that I could share. Maybe it's the NFL Playoffs, or maybe the crisis in Ukraine. Or maybe my email filters are just better at blocking phishing emails. So I am going to freestyle this week's Friday Phish Fry and discuss some of the trends I am seeing in the area of phishing TTPs (Tactics, Techniques, and Procedures).
In the past, phishers had to assemble a lot of infrastructure to execute a phishing exploit. They needed a good phishing email with a compelling story and a malicious web link, a list of email addresses to target, and a hijacked web server to host the landing pages that received the responses generated by the malicious links. As more people have been trained to resist these types of attacks, the phishers have moved on to other tactics.
Spearphishing and Whaling
Phishers used to rely on large numbers of targets in a spamming-style attack. Many phishing exploits are now aimed at smaller numbers of specific targets at specific companies, or at specific highly placed managers and officers of those companies. Business Email Compromise attacks that hijack a CEO or CFO email account allow attackers to send emails from legitimate accounts that the targets would accept as legitimate sources of email. The end game is the penetration of a company to engage in fraudulent invoices, bank transfers, and wire transfers. Or the reconnaissance may lead to a targeted ransomware attack.
Use of Public Infrastructure
Landing pages are hosted on legitimate public services, including free web hosting sites and file storage services like OneDrive, Google Docs, and Dropbox. I've seen exploits hosted on cloud service platforms like Amazon Web Services and Office 365. Because these are legitimate sites and services, recipients of these phishing attacks tend to trust the message and follow its instructions.
Attachments
Instead of relying on malicious links in an email that take the recipient to a realistic-looking landing page, more phishers are using attachments, often a PDF attachment of an expensive invoice for services like security applications or annual service agreements, or for large purchases on ecommerce sites like Amazon or Best Buy for gear being shipped to a stranger. These are designed to get the recipient agitated enough to call the toll-free support or customer service number to dispute the charges.
Toll-Free Numbers
Many more exploits are directing targeted recipients to toll-free support numbers. Recipients who call these numbers to dispute the charges are subjected to social engineering by live human beings, who undoubtedly need your credit card number to refund your money. I am seeing this a lot more, and I suspect it is because it works better than landing pages. Once you have successfully made a target angry, they are likely to make irrational decisions and are easy to prey upon. Two things to remember: you are never liable for fraudulent charges on your credit card, and you can dispute the charges with the card company. And check your credit and bank card accounts to see if there are really any unexpected charges showing in these accounts.
These are changes in TTPs that I have noticed becoming more prevalent over the last two years or so. Check suspicious messages using out-of-band methods (a different channel than the one the message arrived on). Got a hinky email from the CEO or CFO? Check it out with a phone call. Got an invoice from a service provider? Check it out directly in your account on the service provider's web site. Never reply to the email itself, or call the provided telephone number, because the attacker generally controls that communication channel.
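To show how the trends above can be turned into an inbox triage check, here is an added example (my own illustration, not code from the original post) that walks a raw email's MIME parts and flags the indicators the post describes: an invoice-themed PDF attachment, a toll-free number in the body, a link to a public hosting service, and "call to dispute" wording. The hostname list, the keyword list, and the sample message are all assumptions constructed for the example.

```python
import re
from email import message_from_string

# North American toll-free prefixes (a standard fact, not from the post).
TOLL_FREE = re.compile(
    r"\b1?[-.\s]?\(?(800|888|877|866|855|844|833)\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
# Public hosting services the post names (assumed hostnames) and invoice-themed
# words (an assumed keyword list to tune for your own mail flow).
PUBLIC_HOSTS = ("onedrive.live.com", "docs.google.com", "dropbox.com", "amazonaws.com")
INVOICE_WORDS = ("invoice", "renewal", "charged", "subscription", "order")

def score_message(raw: str) -> dict:
    # Walk every MIME part: PDF attachments are judged by filename, text parts are scanned.
    msg = message_from_string(raw)
    findings, text = [], ""
    for part in msg.walk():
        fname = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/pdf" or fname.endswith(".pdf"):
            if any(w in fname for w in INVOICE_WORDS):
                findings.append("pdf_invoice_attachment")
        elif part.get_content_type() == "text/plain":
            text += part.get_payload(decode=True).decode("utf-8", errors="replace")
    low = text.lower()
    if TOLL_FREE.search(text):          # "call this number to dispute" lure
        findings.append("toll_free_number")
    urls = re.findall(r"https?://[^\s>\"]+", low)
    if any(h in u for u in urls for h in PUBLIC_HOSTS):   # landing page on a trusted host
        findings.append("public_hosting_link")
    if any(w in low for w in INVOICE_WORDS) and ("call" in low or "dispute" in low):
        findings.append("call_to_dispute")   # the agitate-and-phone pattern
    return {"score": len(findings), "findings": findings}

# Constructed sample in the style the post describes; not a real message.
SAMPLE = """\
From: billing@example-invoice.test
Subject: Your annual security subscription has been renewed
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your card was charged $499.99 for the annual renewal. If you did not
authorize this order, call 1-888-555-0199 within 24 hours to dispute it.
Full invoice: https://docs.google.com/document/d/EXAMPLE/view
--b1
Content-Type: application/pdf; name="Invoice_48213.pdf"

(PDF bytes omitted in this constructed sample)
--b1--
"""
```

The score is a triage hint for a reviewer, not a blocking verdict: legitimate invoices and shared documents will trip single indicators, so it is the combination that deserves an out-of-band check.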
Again, stay alert, stay suspicious, and whenever there is any doubt, there is no doubt.
This is an excellent article from KnowBe4's blog, and it ties in nicely with the comments above. For the complete article, which is an excellent short read, click through to KnowBe4.
In the world of phishing, this misuse of information is what makes these attacks so effective. But it’s tough to attack something that is more a concept. So, I loved it when I saw that the Council of Europe has provided some definitions around what they call “Information Disorder”. There are three types of information disorder, of which two apply in the work of cyber attacks:
- Mis-information – when false information is shared, but no harm is meant.
- Dis-information – when false information is knowingly shared to cause harm.
- Mal-information – when genuine information is shared to cause harm, often by moving information designed to stay private into the public sphere.
In phishing, we see LOTS of disinformation; everything from the sender's identity, email address, company, purpose for the email, and need for a response are all examples. In ransomware campaigns that involve a data extortion component (which most do today), we see the use of malinformation, where stolen data is posted to a publicly-accessible site. And check out the article on the Council of Europe's website as well.
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com