Email Phishing Attacks Are Back in the News
Simple but potentially devastating, Email Phishing attempts and attacks are back in the news. Why? These types of attacks are nearly impossible for security tools to catch.
According to an August 14th update from Barracuda Networks, the latest variation begins with a phishing email that entices recipients to open an attached purchase order file, which is used to deliver malware.
‘Most phishing attacks are associated with data theft, but here we are looking at an attack designed for extensive data exfiltration executed by a sophisticated infostealer,’ said Saravanan Mohan from Barracuda.
According to Barracuda, this attack represents a new frontier in data exfiltration threats, since the malware has a range of data collection capabilities that pose severe risks.
Attackers have also sharpened their skills by using free online services (like email), as in the recent attack disguised as Venmo.
How? In the Venmo attack, hackers created a free Venmo account, then requested payment from victims. For example, the request will say something like: ‘you just paid $39.99, if this was an error – please call. . .’
The victim, in a panic and questioning the charge, calls the number, and the person who answers says, ‘please provide your credit card information, and I can look it up in our system.’ These types of phishing attacks are what Managed Service Providers (MSPs) are used to dealing with when clients ask for help.
Another recent phishing attack was reported in the news a few days ago, affecting multiple political campaigns’ offices. One expert, Dave Baggett, said phishing attacks are so difficult for most security tools to catch because ‘this is a perfect email’ from the standpoint of legitimacy (the Venmo example we cited above) - with ‘every single aspect of the mail security infrastructure, this thing passes because it’s a real email from Venmo,’ he said. ‘You have to have a dedicated model that knows about this kind of tactic and looks for this kind of language.’
And, get this – another one: the anti-phishing features in Microsoft 365 can be bypassed with CSS.
There is a way to bypass anti-phishing measures in Microsoft 365, increasing the chance of users opening malicious emails. Basically, the anti-phishing measure in question, the ‘First Contact Safety Tip’, which would normally warn email recipients using Outlook when they receive a message from an unfamiliar address, can be hidden.
How do they do it? When CSS is used in a phishing email sent from a new contact, no alert shows up to warn the recipient. This is where AI once again comes back into the conversation. Along with having strong security protocols, monitoring for suspicious activities and, of course, training employees on what potential threats to look for in every email, AI can help where it’s trained to detect and block all kinds of phishing attempts before they even reach people’s inboxes.
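One check a mail filter can run alongside those measures, shown here as an added example that is not from the original post or from Microsoft: scan an HTML email body for CSS declarations that make content invisible. The list of declarations, the function names and the sample messages are assumptions made for illustration, since the article does not say which CSS is used.

```python
import re
from html.parser import HTMLParser
ZERO = r"0(\.0+)?(px|pt|em|rem|%)?"
# Assumed list of concealing declarations; the article does not name the CSS used.
HIDING = {
    "display": re.compile(r"none"),
    "visibility": re.compile(r"hidden"),
    "opacity": re.compile(r"0(\.0+)?"),
    "font-size": re.compile(ZERO),
    "max-height": re.compile(ZERO),
}

def hiding_declarations(css_text):
    """Return 'prop: value' strings from css_text that make content invisible."""
    hits = []
    for decl in re.split(r"[;{}]", css_text):
        prop, sep, value = decl.partition(":")
        prop = prop.strip().lower()
        value = value.lower().replace("!important", "").strip()
        if sep and prop in HIDING and HIDING[prop].fullmatch(value):
            hits.append(f"{prop}: {value}")
    return hits

class HiddenCssFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (location, declaration) pairs
        self._in_style = False
    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for hit in hiding_declarations(dict(attrs).get("style") or ""):
            self.findings.append((f"<{tag}> inline", hit))
    def handle_endtag(self, tag):
        self._in_style = False
    def handle_data(self, data):
        if self._in_style:
            self.findings += [("<style> block", h) for h in hiding_declarations(data)]

def scan_email_html(html):
    finder = HiddenCssFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
# Constructed sample messages (not real emails).
SUSPICIOUS = (
    '<html><head><style>td.notice { font-size: 0px !important; }</style></head>'
    '<body><table style="display:none"><tr><td class="notice">notice</td></tr></table>'
    '<p style="color:#333">See the attached purchase order.</p></body></html>')
CLEAN = '<html><body><p style="font-size:14px; color:#333">Lunch at noon?</p></body></html>'
```

Legitimate newsletters also hide elements with CSS, so a finding is a signal to weigh together with other factors, such as the sender being a first-time contact, rather than a verdict on its own.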
This again goes back to our earlier SBS blog posts, where we said every organization needs a leader who appoints a cybersecurity czar, in a sense. This person needs to regularly stress what the latest threats are and train employees on what to look for when it comes to potential threats. Or, an organization can use an MSP, like SpaceBound Solutions, which monitors and helps train its clients’ employees on what to look for when it comes to various threats, like phishing attempts.
Sources:
InfoSecurity: New Phishing Attack Uses Sophisticated Infostealer Malware - Infosecurity Magazine (infosecurity-magazine.com)
Bleeping Computer: Microsoft 365 anti-phishing feature can be bypassed with CSS (bleepingcomputer.com)