BLOG

Phishing Season is Upon Us

F5 Miniature
F5
Published October 22, 2019

As the warm months wither and we shift toward the holiday spirit, remember that the savvy criminals out there will be looking for holiday cheer themselves.

What is the most active time of year for fraudulent online schemes like phishing and fraud? Essentially, right now through the holiday shopping season. (I thought it best to get your attention now near the opening bell.)

Phishing has become the number one attack vector for good reason. A low amount of effort for high reward. F5 Labs defines Phishing as:

Any type of fraudulent communication that is sent, often to multiple recipients at once via email, social media, or text message, from someone impersonating a party or entity that the victim trusts. The goal is to trick the user into providing private information (such as a bank account number, social security number, or credit card number)—usually by clicking on a link or opening an attachment. There are several variations of phishing, such as spear phishing, in which a specific, often high-level individual within an organization is targeted, and vishing, which involves fraudulent voice messages.

Basically, you’ll get an email from a name you might recognize. A friend, family member, co-worker, company, or an associate asking you to do something or inviting you to some event. They’ll want you to click the link or open an attachment to get the important info. And once you do that, you’re hooked, as they say.

The Anti-Phishing Working Group notes that for first quarter 2019, phishers who target Software-as-a-Service (SaaS) and webmail services have become phishing’s biggest category, with 36 percent of all phishing attacks. It passed the ‘phishing against payment services’ category for the first time. They also saw a notable increase in phishing sites in the first quarter of 2019 compared to third and fourth of last year. Both APWG and F5 Labs have also seen an increase of phishing sites using SSL certificates to present the HTTPS lock in the browser. It must be legit if it’s secure, right?

BleepingComputer recently reported on new campaigns targeting banking employees using compromised SharePoint sites and OneNote documents to redirect potential victims to a phishing site. Because the domains used by SharePoint are almost always allowed through email gateways, the attackers use this trick to get past detection and their message arrives unfettered. The emails, which are from other compromised accounts, tell the receiver to review a sensitive document. The embedded link sends the victim to a malicious SharePoint site with a partial, unreadable OneNote document. It then instructs the person to enter their credentials to see the full document. Users can either enter their Office365 credentials or any other email account to get in. And at that point, the credentials are extracted and harvested.

Now that the criminals have compromised a corporate email account, they can then do what’s called lateral phishing. This time, the email looks to arrive from inside the organization rather than an outside domain. People are probably more likely to click a link or perform some action if it looks to be a work colleague or someone they normally email daily. UC Berkeley, UC San Diego, and Barracuda studied lateral attacks and found that attackers were successful 11% of the time compromising other folks in the same organization. What’s scary is 42% of the attacks were not reported to IT or the Security department. Thus, these compromised accounts could have been used for multiple attacks.

The scammers could then decide how they wanted to use it. They could target individuals, the entire organization, or even a partner. In most cases, the scams either pretended there was a problem with the email account or a link to a shared document. And you probably figured out by now that the link goes to a fake login page to capture even more credentials. Attackers went so far as to delete sent & received messages to avoid detection.

These accounts can also be used to send family and friends those dreaded, “I’m stranded, send money!” pleas that many have fallen for.

Measures like two-factor authentication along with security awareness training often helps. F5 Labs notes that more awareness training always lessens the risk. And if you do get a “I need help” note from a loved one, don’t instantly jump to a wire service. Try to contact the person by other means to see if they are really in trouble.

Lastly, while you are in the physical world, always check gas station credit card inserts, same for ATM and other devices our cards enter. Thieves like to add their malicious capture devices right over the actual reader. Use proper data protection hygiene, and if it doesn’t look safe or it is tampered with, move on to the next machine.

Have fun and be aware. You’ll be glad you did.