There’s good and bad news on the phishing front.
The good news: attackers don’t seem to be coming up with many new tactics to target their victims. The bad news: they don’t have to. They’re doing just fine hooking their prey with the same old tricks.
A recent Naked Security article outlined the bad guys’ efforts to infect their prey using scams centered around tax season, with the Internal Revenue Service (IRS) warning of fresh email schemes targeting tax professionals, payroll staff, human resources personnel, schools and average taxpayers. In another scam, attackers polluted Amazon listings with links that redirected victims to a very convincing Amazon-looking payment site.
Now come fresh reports that attackers are using malicious PDF attachments and messages that look like they’re from their company HR departments, as well as bogus Facebook friend requests.
Bad PDFs and friend requests
Microsoft Malware Protection Center team member Alden Pornasdoro warned of the malicious PDF files in a blog post. He wrote:
Unlike in other spam campaigns, the PDF attachments we are seeing in these phishing attacks do not contain malware or exploit code. Instead, they rely on social engineering to lead you on to phishing pages, where you are then asked to divulge sensitive information. One example of the fraudulent PDF attachments is carried by email messages that pretend to be official communication, for instance, a quotation for a product or a service, from a legitimate company. These email messages may spoof actual people from legitimate companies in order to fake authenticity. When you open the attachment, it’s an actual PDF file that is made to appear like an error message. It contains an instruction to “Open document with Microsoft Excel.” But it’s actually a link to a (malicious) website.
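The attachments Microsoft describes are plain PDFs whose only payload is a link, so the useful triage step is to list a PDF's link targets and check for active content without rendering the file. The following script is an added example written for this page, not Microsoft's or Sophos' code: it extracts every /URI action from the raw file and from any FlateDecode stream it can inflate (a plain grep misses links hidden in object streams), and reports PDF keywords that would indicate something beyond social engineering. The two PDF samples and every hostname in them are constructed for the demonstration.

```python
import re
import zlib

# Constructed sample (not a real attachment): the smallest PDF skeleton with one
# /Link annotation whose action is a /URI -- no JavaScript, no embedded file,
# just the "open this document elsewhere" lure leading to a phishing page.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
    b"/Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 500 640] "
    b"/A << /S /URI /URI (http://docs-excel-online.example/open?id=4411) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Second constructed sample: the same kind of link annotation hidden inside a
# FlateDecode object stream, which `strings` or grep on the raw file never sees.
_HIDDEN_OBJ = (b"6 0 obj << /Type /Annot /Subtype /Link "
               b"/A << /S /URI /URI (https://hr-appraisal-login.example/sso) >> >> endobj")
_DEFLATED = zlib.compress(_HIDDEN_OBJ)
COMPRESSED_PDF = (
    b"%PDF-1.5\n"
    b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_DEFLATED)).encode() + b" >>\nstream\n"
    + _DEFLATED + b"\nendstream\nendobj\n%%EOF\n"
)

# stream ... endstream bodies (real tooling should honour /Length; the regex
# form is enough for triage).
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)
# /URI (literal string); escaped \( \) \\ inside the literal are allowed.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Keywords that mean the PDF does more than carry a link.
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|EmbeddedFile|SubmitForm)\b")


def _unescape(literal: bytes) -> str:
    """Drop the backslash from \\( \\) \\\\ escapes in a PDF literal string."""
    return re.sub(rb"\\([\\()])", rb"\1", literal).decode("latin-1")


def _views(data: bytes):
    """Yield the raw file, then every stream that inflates as zlib data."""
    yield data
    for m in STREAM_RE.finditer(data):
        d = zlib.decompressobj()  # tolerant of a clipped trailing byte
        try:
            inflated = d.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-encoded, or damaged: skip it
        if inflated:
            yield inflated


def triage_pdf(data: bytes) -> dict:
    """Return the link targets and any active-content keywords in the PDF."""
    uris, active = [], set()
    for view in _views(data):
        for m in URI_RE.finditer(view):
            uri = _unescape(m.group(1))
            if uri not in uris:
                uris.append(uri)
        active.update(k.decode() for k in ACTIVE_RE.findall(view))
    return {"uris": uris, "active_content": sorted(active)}


if __name__ == "__main__":
    for name, pdf in (("plain", SAMPLE_PDF), ("object stream", COMPRESSED_PDF)):
        print(name, triage_pdf(pdf))
```

An empty `active_content` list alongside one or more external links is exactly the profile the Microsoft post describes; the URIs are what to feed into URL reputation checks or to block at the proxy.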
In the other case, reported by ZDNet, security company MWR Infosecurity reviewed 100 simulated attack campaigns for 48 of its clients and discovered that sending a bogus friend request was the best way to get someone to click on a link – even when the email was being sent to a work email address. From the ZDNet report:
Almost a quarter of users clicked the link to be taken through to a fake login screen, with more than half going on to provide a username and password, and four out of five then going on to download a file. A spoof email claiming to be from the HR department referring to the appraisal system was also very effective: nearly one in five clicked the link, and three-quarters provided more credentials, with a similar percentage going on to download a file.
Social engineering is alive and well
Recent developments show that the ancient technique of social engineering is alive and well. Understanding it is the first step in mounting a better defense. Sophos described it this way in the corporate blog a few months ago:
Social engineering is the act of manipulating people into taking a specific action for an attacker’s benefit. You might think it sounds like the work of a con artist – and you’d be right. Since social engineering preys on the weaknesses inherent in all of us, it can be quite effective. And without proper training it’s tricky to prevent. If you’ve ever received a phishy email, you’ve seen social engineering at work. The social engineering aspect of a phishing attack is the crucial first step – getting the victim to open a dodgy attachment or visit a malicious website.
As the Sophos Blog post noted, phishing can’t work unless the first step – the social engineering – convinces you to take an action.
To help raise awareness, security vendors have offered a number of products and services companies can use to launch simulations – essentially phishing fire drills — which can show employees up close how easy it is to be duped by social engineering. Sophos offers a simulator called Phish Threat for that purpose.
Other defensive tips
Though such simulations are an effective way to raise awareness, companies need to follow that up with concrete instructions to help employees stay above the fray. Here are a few helpful tips:
- Be careful what you click. This one is painfully obvious, but users need a constant reminder.
- Check the address bar for the correct URL. The address bar in your web browser shows the URL of the page you are on. It starts with http:// or https://, followed by the domain name, and the domain name is the part to check: a made-up address such as amazon.com.secure-pay.example is not Amazon, however familiar its first few characters look. The real websites of banks and many others use a secure connection that encrypts web traffic, HTTPS (which runs over TLS, the successor to SSL). If you are expecting a secure HTTPS website for your bank, for example, make sure you see a URL beginning with https:// before entering your private information.
- Look for the padlock, but don’t stop there. A secure HTTPS website shows a padlock icon next to the web address. The padlock means your connection to the site named in the address bar is encrypted; it does not mean that site is the one you think it is, because phishing sites can obtain certificates too. Check the padlock and the domain name together.
- Consider using two-factor authentication for more security. When you log into a website with two-factor authentication (2FA), a second check (a code from an app or a hardware token, for example) confirms that it is really you, so a password captured by a phishing page is not enough on its own.
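The address-bar check above is easy to state and easy to get wrong, because a phishing URL is built to pass a glance. The function below is an added example written for this page (not a Sophos tool): it encodes the check a practitioner would do, and goes beyond the tips above by handling the three common tricks, a lookalike subdomain, user info before an @ sign that hides the real host, and a non-ASCII or Punycode host name. The expected domain is set to amazon.com to match the article; every other host in the demo is constructed.

```python
from urllib.parse import urlsplit


def check_url(url: str, expected_domain: str):
    """Return (ok, reason). ok is True only for an https URL whose host is
    expected_domain itself or a subdomain of it; every rejection is explained."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme!r}, not https"
    if parts.username is not None:
        # https://www.amazon.com@evil.example/ : the text before @ is user info,
        # not the host; the browser actually connects to evil.example
        return False, f"user info before @ masks the real host {host!r}"
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return False, f"host {host!r} contains non-ASCII characters (possible homograph)"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"host {host!r} has a Punycode label; inspect the decoded name by eye"
    if host == expected_domain or host.endswith("." + expected_domain):
        return True, f"host {host!r} belongs to {expected_domain}"
    return False, f"host {host!r} is not {expected_domain} or a subdomain of it"


# Constructed demo URLs (only amazon.com / amazon.co.uk are real domains).
DEMO = [
    ("https://www.amazon.com/gp/cart", "amazon.com"),
    ("http://www.amazon.com/", "amazon.com"),                       # not https
    ("https://www.amazon.com.secure-pay.example/", "amazon.com"),   # lookalike subdomain
    ("https://www.amazon.com@payments-check.example/login", "amazon.com"),  # user info trick
    ("https://amaz\u043en.com/", "amazon.com"),                      # Cyrillic o homograph
    ("https://xn--amazn-3ve.com/", "amazon.com"),                    # constructed Punycode label
    ("https://www.amazon.co.uk/", "amazon.co.uk"),                   # country store, matching expectation
]

if __name__ == "__main__":
    for url, expected in DEMO:
        ok, reason = check_url(url, expected)
        print("OK  " if ok else "BAD ", url, "->", reason)
```

The expected domain has to be the one you meant to visit, which is why the same check against amazon.com rejects amazon.co.uk: the country-specific stores are separate domains and must be checked as such.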
To defend against the poisoned Amazon listings described above:
- Trust your gut and be on guard: If that deal is too good to be true, it likely is
- Don’t pay for anything on Amazon outside of Amazon.com or the official Amazon app
- If you’re in doubt about a deal by an “affiliated retailer” ask Amazon’s official customer service
For more on how to avoid phishing attacks, we also suggest reading Don’t fall for phishing and spear-phishing.
2 comments on “Latest phishing tactics: infected PDFs, bogus friend requests, fake HR emails”
Hmmm “•Don’t pay for anything on Amazon outside of Amazon.com or the official Amazon app” … how about Amazon.co.uk, for those of us in the UK, Amazon.de for those in Germany, Amazon.fr for those in France, Amazon.nl for those in the Netherlands …
Checking for “https” and a valid SSL certificate isn’t enough to verify the identity of the site; it only verifies that the traffic to/from the site is private. (And even then, if you live in one of the countries where your government has forced you to install a special root certificate before you’re allowed to access the internet, they could be using that to spy on you.)
With the rise of free CAs like “let’s encrypt”, phishing sites are increasingly using HTTPS – and sometimes, their security is even better than the real site! Scott Helme recently published a blog post discussing this issue.
Any “sensitive” sites (Amazon, your bank, etc.) should be using an “extended validation” certificate. This will typically display the name and country of the manually-verified organisation in a green box in the browser’s address bar (at least on a desktop browser). Eg: This site displays “Sophos Ltd. (GB)” next to the address. This is what most users should be checking.
“Don’t pay for anything on Amazon outside of Amazon.com or the official Amazon app”
Don’t forget the country-specific versions of the Amazon site!