
Phishing scams – a deep dive into this year’s cyber attack trends

16 Jul 2018

There’s no doubt email is the number one vector used to initiate attacks on organisations, and of those email attacks, phishing is king. According to a recent survey Mimecast conducted with Vanson Bourne, 94% of enterprise organisations had seen untargeted phishing attacks in the last 12 months, and 92% had seen targeted spear phishing attacks incorporating malicious links.

So, what’s contributing to this rise? We’re seeing attackers increasingly piggyback on popular events. In recent weeks, phishing scams have targeted events like the FIFA World Cup, and the end of the financial year in Australia as people prepare to do their tax returns.

One notable campaign preying on unsuspecting football fans during the FIFA World Cup promised users the ability to download a match schedule, or to obtain a free pair of Adidas shoes - via a malicious link. Scams like this illustrate the difficulty of protecting organisations and individuals from bad actors who want to gain access to corporate networks or personal information.

These scams are also becoming harder to spot. The Adidas lure, for example, took the form of a homograph attack.

Adidas is a long-standing FIFA World Cup partner, which made its customers a natural target. In the phishing URL, the letter “i” in the brand name was replaced with a look-alike character that renders as a plain vertical stroke, so the displayed domain read as “adidas” at a glance. A user who mistook the link for a genuine one was taken to a web page that prompted for credentials and attempted to push malicious software onto the machine. Homograph attacks have been around since 2001, but they have risen in popularity over the last twelve months.

The key to a homograph attack is internationalised domain names and their ASCII encoding, known as ‘punycode’. DNS only carries ASCII (American Standard Code for Information Interchange, the character encoding used for most electronic communication), so a domain name containing Unicode characters from a non-English script is encoded into an ASCII label that starts with “xn--”. Browsers decode that label and display the original Unicode characters in the address bar.

An attacker exploits this by registering a domain in which one or more letters are replaced with visually similar characters from another script, such as Cyrillic, or with a Latin look-alike such as the dotless “i”. The address bar shows the decoded form, and to the casual observer the domain looks legitimate.

Homograph attacks remain a particular problem because the main countermeasure available to browsers is to fall back to displaying the “xn--” punycode form when a name looks suspicious, for example when a single label mixes scripts. That warns users in some cases, but the major browsers, including Chrome, Safari, Firefox and Microsoft Edge, cannot comprehensively protect against look-alike names, particularly when every character in the name comes from the same script.

Another common pattern is brand impersonation: plain social engineering that needs no exotic characters. Most recently, emails have been sent from multiple domains, styled as invoices or tax statements from well-known organisations such as accounting software firm Xero, office supply chain OfficeWorks, and the Australian Taxation Office.

These emails contain a link prompting the recipient to download a malicious file, hosted on compromised SharePoint sites, which installs a banking trojan. For attackers, these emails are easy pickings: the recipient sees the logo of a trusted firm prominently displayed and won’t necessarily check the URL to confirm that it is legitimate.

When it comes to orchestrating email attacks, cybercriminals know that a person sits at the other end of every email address, and most of those people are not security trained. Attackers send these emails because they are easy: using social engineering to get a user to click a malicious link is simpler than a complex network or application attack.

Once the user clicks a link in one of these phishing emails, they are generally asked to enter logins, personal information or credit card data, or they receive an unwanted malicious download (malware) that harvests those credentials, undetected, through keylogging or by monitoring network connections.

During peak periods such as the FIFA World Cup or tax deadlines, recipients are usually more willing to click on links that resemble something of interest to them and as a result, become less vigilant.

When it comes to human error, defending against these attacks remains complex. Humans are frequently cited as the weakest link in any security chain, so it can be hugely beneficial to employ automated email security. Such systems are able to detect attacks like the Xero, OfficeWorks and ATO campaigns because the software checks the sending domain and the URLs embedded in the message, and blocks those that do not come from a legitimate source.
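As an added example (not code from the article or from Mimecast), the following Python models the two mechanisms discussed above: the punycode round trip behind a homograph domain, and the kind of URL check an automated email filter applies to a message body. It also shows why the browser’s mixed-script fallback alone is not enough: the Cyrillic-letter lure is caught by that rule, while the all-Latin dotless-i lure is only caught by a confusable table. The brand list, the confusable table, the verdict names and the sample email are constructed for the example.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Domains this filter treats as the genuine brands. Constructed for the example;
# a real deployment would load the organisation's own supplier/brand list.
PROTECTED = {"adidas.com", "xero.com", "officeworks.com.au", "ato.gov.au"}

# Assumed, deliberately short confusable table: look-alike code point -> the Latin
# letter it imitates on screen. Unicode TR39 publishes the full list.
CONFUSABLES = {
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I (the 'adidas' trick)
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def to_punycode(host: str) -> str:
    """Wire form of a host name as DNS sees it: non-ASCII labels become 'xn--' labels."""
    return host.encode("idna").decode("ascii")


def from_punycode(host: str) -> str:
    """Display form of a host name as the browser address bar shows it."""
    return host.encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Scripts used in one DNS label, read from the first word of each character's
    Unicode name (LATIN, CYRILLIC, GREEK, ...). Digits and hyphens are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch not in "-0123456789"}


def skeleton(host: str) -> str:
    """Fold confusable characters to the Latin letter they imitate, so that names
    that look the same on screen compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def is_protected(host: str) -> bool:
    """True if host is a protected brand domain or a subdomain of one."""
    return any(host == p or host.endswith("." + p) for p in PROTECTED)


def classify_host(host: str) -> str:
    """Verdict for one host: 'allow', 'block-mixed-script', 'block-confusable',
    'block-brand-lookalike' or 'review' (verdict names are this example's own)."""
    host = host.lower()
    if any(label.startswith("xn--") for label in host.split(".")):
        host = from_punycode(host)          # judge the name the way the user sees it
    if is_protected(host):
        return "allow"
    # Rule 1 (the browser heuristic): a label mixing scripts is suspicious.
    if any(len(label_scripts(label)) > 1 for label in host.split(".")):
        return "block-mixed-script"
    # Rule 2: a single-script look-alike ('adidas' with dotless i is all Latin)
    # slips past rule 1 and needs a confusable table.
    folded = skeleton(host)
    if is_protected(folded):
        return "block-confusable"
    # Rule 3: a brand name embedded in an unrelated domain (xero-invoices.example)
    # is the shape of the invoice-themed lures described above.
    brands = {p.split(".")[0] for p in PROTECTED}
    if any(b in folded for b in brands):
        return "block-brand-lookalike"
    return "review"


def scan_email(body: str) -> dict:
    """Map each URL in a message body to (host as DNS sees it, verdict)."""
    results = {}
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        results[url] = (to_punycode(host), classify_host(host))
    return results


# Constructed sample message for the example, not a real phishing email.
SAMPLE_EMAIL = """\
Your FIFA World Cup match schedule is ready: https://\u0430didas.com/schedule
Claim your free pair of shoes at https://ad\u0131das.com/free-shoes before kick-off!
Your June invoice is attached: https://xero-invoices.example/INV-1042.pdf
Pay online at https://www.xero.com/pay
"""

if __name__ == "__main__":
    for url, (wire, verdict) in scan_email(SAMPLE_EMAIL).items():
        print(f"{verdict:24} {wire:32} {url}")
```

Rule 3 is deliberately loose (a short brand such as “ato” will match inside unrelated words), which is why it returns a verdict for a human to review rather than a hard block in most commercial filters; the point of the example is the layering, not the exact thresholds.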

While automated email protection remains the key defence against phishing attacks, user awareness can’t be forgotten. With the threat landscape constantly evolving, users can’t be expected to just figure out the good from the bad.

Training users can be as simple as getting people to check the sender’s email address and ask whether it makes sense given the type of email they have received. Other questions to ask: is it requesting something unusual, and if they hover over the links, do those links go where they say they will? A couple of minutes spent asking the security team whether a link or email is legitimate will save hours or days of effort and embarrassment if the email turns out to be fraudulent.

Email remains the number one attack vector, but with vigilance and software protection, it doesn’t have to be the downfall of your organisation.

Article by Mimecast A/NZ principal consultant Garrett O'Hara.
