When it comes to impactful types of internet-borne crime, phishing is the name of the game. And for good reason. It serves as a vessel for various strains of malware, including ransomware, and underlies data-stealing campaigns that target large organizations and individuals alike. According to Verizon's 2023 Data Breach Investigations Report (DBIR), a whopping 74% of breaches involve a human element, which is exactly what phishing aims to exploit.
From a cybercriminal's perspective, the rationale behind prioritizing these attacks is that they are both lucrative and fairly easy to execute, even more so if the theme of a fraudulent email pulls the right strings in a recipient's mind.
Speaking of which, security analysts from KnowBe4 have recently shared their findings regarding the top phishing schemes of Q2 2023. According to the study, the most encountered fraudulent email subject line include:
• "HR: Staff Rewards Program"
• "Someone is trying to send you money"
• "Amazon: Action Needed – Purchase Attempt"
• "Microsoft 365: MFA Security Review is Required"
• "Metamask Wallet Update"
• "Chase: Confirm Your Card Possession"
The list demonstrates how dexterously scammers align their tactics with what piques the average recipient's interest. Whereas such agility lays the groundwork for an effective fraud, it's not the only pillar of a successful phishing campaign. Tactics matter a lot, too.
Automated defenses against phishing attacks are constantly evolving in response to emerging challenges. Modern secure email gateways (SEGs) prevent the vast majority of dodgy messages from ever ending up in users' inboxes, and most antivirus tools can identify and block content that matches known phishing templates, as well. However, online fraudsters keep contriving methods to bypass these barriers. The following techniques allow them to stay one step ahead of white hats.
Evil twin attack
To set this trick in motion, a scammer creates a rogue Wi-Fi access point that appears to be a trusted one, using a familiar Service Set Identifier (SSID). Also referred to as the "evil twin," the phony wireless network provides a would-be victim with an internet connection, possibly with a stronger signal than the original, with no heads-up visible to the naked eye. Only some deeper scrutiny can reveal that an encryption protocol is the missing piece of the puzzle, which means that the connection is insecure and the attacker can tamper with all communications.
This hoax involves what's called a captive portal, which is a web page that prompts users to enter personal information or login credentials, such as usernames and passwords. This portal can mimic the look and feel of a legitimate login page for a well-known service or website.
The most effective countermeasure for this style of attack is to avoid using public wireless networks altogether. If that's a no-go for whatever reason, a Wi-Fi VPN can do the heavy lifting in terms of traffic encryption. This way, even if threat actors intercept your sensitive information during the sketchy internet session, it comes in an unintelligible form and they can't possibly weaponize it.
Morse code cloaking dubious materials
In a clever move first spotted in February 2021, malicious actors used meaningful combinations of dots and dashes (known as Morse code) to obfuscate harmful URLs in a file attached to an email. This mechanism was seen in a series of highly-targeted attacks against businesses representing different industries, including finance, insurance, automotive, and investment management.
In each scenario, the rogue message contained an HTML attachment disguised as an invoice for the target company. When viewed in a text editor, the file turned out to encompass a multitude of Morse code strings and therefore didn't raise any red flags when inspected by email filters. The catch was that the document contained a function to transform these gibberish-looking symbols into hexadecimal values that denoted specific JavaScript tags.
When injected into the original HTML page, these tags would load a knock-off spreadsheet stating that the user's Office 365 sign-in session timed out and asking for a password to see the alleged invoice. Predictably, the sensitive credentials were instantly sent to a server under phishers' control.
Google Docs comments abused to spread toxic links
In early January 2022, bad actors mastered a new unusual technique to spew out phishing links and avoid detection. It parasitizes the commenting feature in Google Docs, a service popularly used for team collaboration these days. To carry out this phishing scheme, an attacker creates a Google Doc, adds a comment that includes a harmful URL, and specifies the addressee with the "@" value. The would-be victim then receives a notification over email asking them to respond to the comment.
As is the case with another notorious Google Docs phishing scam, security tools don't interpret such a message as malicious because it is sent by Google. To top it off, the notification only mentions the sender's name while omitting the email address. This allows the criminal to easily pass themselves off as someone the recipient trusts. The link embedded in the comment leads to a site that tries to hoodwink the user into giving away their sensitive data.
Evil URLs lurking in Google Forms
Similar to the previously described trick, this mechanism mishandles a reputable service blindly trusted both by email filters and users. To orchestrate the hoax, a perpetrator uses Google Forms to create a booby-trapped survey in which one of the responses contains a phishing link. The sketchy field additionally includes a bait phrase that says something along the lines of "You have a pending refund."
To put the finishing touches on the ruse, the scammer indicates the target's email address so that the person receives an invitation to complete the eye-catching survey. Since this message is generated by a Google service, SEGs and other protection instruments ignore it. Moreover, the victim is likely to engage with this pseudo-questionnaire, only to follow the bad link and unwittingly download malware or disclose personally identifiable information (PII).
Tweaks at the level of an email's HTML code
Another way to make a shady message slip through the cracks is to reverse the text in its HTML code and then render it forwards so that it looks normal to the recipient. Since the skewed source code doesn't overlap any known phishing templates, SEGs will give such an email the green light to reach the inbox.
A particularly stealthy spin-off of this hoax involves Cascading Style Sheets (CSS), a markup language used to enrich web documents with style components, such as background color, spacing, and font size.
The exploitation boils down to abusing CSS to jumble Latin and Arabic scripts in the raw HTML code. Because these strings flow in opposite directions, it's easier for threat actors to pull off the above mentioned text reversing trick. In the aftermath of this foul play, the message circumvents defenses while staying human-readable.
Public cloud services become oases for credential phishing sites
Fraudsters are increasingly hosting malicious materials on popular cloud services. This approach adds a layer of feigned legitimacy and obfuscation to a scam, making it very difficult for security-minded users and protection systems to identify it.
Phishers built one of such campaigns around a decoy PDF file uploaded to Google Drive. To evoke a victim's curiosity, this document is claimed to contain important business information. To view it, the unsuspecting person has to go through a rabbit hole of authentication steps. First, they are instructed to click the "Access Document" button, which leads to a login page asking for the Office 365 password or a company ID. Regardless of the selected verification option, a pop-up screen appears requesting the user's Outlook access credentials.
As soon as the email address and password are provided, the victim can finally view the PDF file, which is a real marketing report from a reputable consulting company. Also, all the pages that the user interacts with are hosted on Google Cloud Storage, so there are hardly any giveaways of an outright scam along the way.
However, a major pitfall hidden behind the façade of outward legitimacy is that threat actors get ahold of the victim's Office 365 credentials. These details can be weaponized to orchestrate business email compromise (BEC) swindles, industrial espionage plots, and malware attacks.
ZIP files with an insidious flip side
To fool email filters, phishers may hide a dangerous attachment within a dodgy archive. Normally, a ZIP file has one "End of Central Directory" (EOCD) record that marks the final element of the compressed data structure. By lacing an archive with an extra EOCD locator, crooks can inject a parallel tree invisible to the naked eye.
When processed by an SEG's decompression engine, a ZIP attachment like that looks harmless because its "smokescreen" component is typically the only one that undergoes all the checks. In the upshot of this trickery, the extracted file quietly runs a banking Trojan on the target's device.
The importance of email filters shouldn't be underestimated, as they do block most phishing messages to minimize the risk of compromise. However, a big takeaway from the attacks highlighted above is that relying on these tools alone is a bad idea.
A great deal of the responsibility for avoiding the worst-case scenario is on each end-user. People should hone their vigilance and follow some extra tips to step up their preparedness for the next phishing attack. Here is a round-up of these dos and don'ts:
Whenever email providers or antivirus software vendors come up with a new phishing prevention technique, cybercriminals get busy trying to outsmart them. However, the situation isn't all doom and gloom.
One of the approaches that already yields great security dividends to individuals and organizations is to leverage artificial intelligence (AI) and its branch machine learning (ML) for detecting such frauds. This seems to be the next big thing in enterprise protection against cyberattacks overall, but it doesn't lessen the power of traditional anti-phishing tools and good old security awareness.