Despite being one of the best-known ways that cybercriminals compromise organisations, email phishing attacks continue to be surprisingly successful. Scams are now better than ever at tricking people into disclosing sensitive personal and financial information.
One of the key reasons for this is that phishing campaigns are now more sophisticated and targeted—making them harder to identify than ever. Here we take a look at some of the innovative ways that cybercriminals are duping employees.
1. Chain communications
One-off phishing emails that have a strong call to action can be easy to spot. Increasingly, however, cybercriminals are sending their targets a sequence of emails to help create a more believable narrative. A common example is an employee receiving an email informing them that their account has been accessed from an unknown device, then soon after receiving a second message telling them that details relating to the account have been changed.
These sorts of scams are deliberately designed to appear more realistic and trigger a panic response. Emails will typically provide a link to an account log-in page, except these pages will be fake and victims will be tricked into handing over their credentials.
As witnessed in Business Email Compromise (BEC) attacks, sequences of emails are also used to build trust and trick recipients into wiring payments for goods and services into alternate bank accounts.
2. Deceptive linking
Another technique that criminals use to trick their targets is to conceal malicious links within the emails that they send. Some phishing emails, for instance, contain a mixture of safe and malicious links; this makes it harder for individuals to identify illegitimate links, and criminals are finding new ways to do this all the time. One method is to display a link within the body of an email but point it to a completely different URL.
Another URL obfuscation trick that is increasingly common involves hackers using HTML font and style attributes to conceal text within a URL. By defining a size of zero, for instance, assailants can effectively render a character or space invisible to the human eye. Recent reports suggest that Google Translate is also being used to mask disreputable links.
3. Use of trusted services
In order to bypass spam filters and more successfully lure users into clicking links, attackers have started to use recognized platforms and services such Azure, AWS, Google Drive, WordPress, and PowerPoint to host malicious content. For attackers, using public file-hosting sites invariably involves less effort than registering and setting up new, custom domains which risk being identified and shut down.
Effectively, criminals are exploiting the familiarity and trust of well-known services to trick users into feeling more confident about the content being shared.
Additionally, the whole system of using file-hosting sites rather than their own websites makes it more convenient for cybercriminals, as they always run the risk of their sites being identified and closed down. With the benefit of the links looking more legitimate to the victim, too, it is easy to see why criminals are increasingly using them.
4. Custom mobile exploits
Criminals are also finding ways to exploit the fact that more people than ever before are using mobile devices to access emails and other communications on the go. Part of this is driven by the fact that victims are more likely to open text messages, the open rate of which is as high as 94 percent, compared to emails which achieve just a 30 percent open rate.
Mobile optimization for small screens means that important details, such as a sender's email address, are often less visible. Devices are also more prone to custom developed scams. Security research recently uncovered a vulnerability affecting the mobile version of Chrome that enabled a site to spoof a URL when scrolling.
5. Bespoke targeting of cloud platforms
With more companies than ever before using cloud services, it is not surprising that these platforms are being increasingly targeted by hackers. And with more than 155 million active commercial users per month, Office 365 is one that is often routinely attacked.
One of the latest Office 365 phishing scams involves a fake non-delivery notification, prompting users to 'send again.' When that link is clicked, the user is taken to a phishing site that looks exactly like the O365 email login screen. Another highly successful campaign makes use of a live chat feature to trick users into thinking they are on an authentic site with customer support.