Phishing Campaign Leads Users to Site Disguised as Email Scanner

A phishing campaign tricked users into visiting a website that masqueraded as an email scanner in an effort to steal their account credentials. Kaspersky Lab found that the campaign began with a scam email containing a fake virus alert. This email claimed to originate from an organization’s “Email Security Team,” but it actually originated from a Hotmail account. In an attempt to intimidate the recipient, the email message used a “Virus Alert” heading followed by three exclamation points.

  • What is “PHISHING”?

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.

Phishing is a cybercrime in which a target or targets are contacted by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss.

Types of Phishing –

Spear phishing – When attackers try to craft a message to appeal to a specific individual, that’s called spear phishing. Phishers identify their targets (sometimes using information on sites like LinkedIn) and use spoofed addresses to send emails that could plausibly look like they’re coming from co-workers.

Whaling – Whale phishing, or whaling, is a form of spear phishing aimed at the very big fish — CEOs or other high-value targets. Many of these scams target company board members, who are considered particularly vulnerable: they have a great deal of authority within a company, but since they aren’t full-time employees, they often use personal email addresses for business-related correspondence, which doesn’t have the protections offered by corporate email.

Deceptive Phishing – This is also known as password harvesting. Here the attackers use scripts on cloned websites to get hold of users’ sensitive information, leading to financial loss or data loss.

  • The Phishing Campaign Disguised as an Email Scanner:

As described above, the campaign began with a scam email containing a fake virus alert. The message claimed to originate from the organization’s “Email Security Team,” but was actually sent from a Hotmail account, and it opened with a “Virus Alert” heading followed by three exclamation points. The attackers built upon this urgency by informing recipients that they would no longer have access to their email account unless they agreed to scan it by clicking on an embedded link.

Clicking on the link led the recipient to a website disguised as an email scanner. This website used the logos of several reputable antivirus providers to convince the user that it was legitimate. It also used the recipient’s email address to personalize the name of their employer in the site’s heading. At first, the site simulated a scan, but it interrupted this process with the message “Confirm your account below to complete Email scan & delete infected all files.” It then prompted the user to submit their email account credentials.
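The indicators in this campaign (a display name claiming an internal team while the address sits on a consumer webmail domain, intimidating urgency language, and a link pointing off the organization’s domain) can be checked mechanically at the mail gateway or in a triage script. The following is an added example, not code from the original article or from Kaspersky; the sample message is constructed to match the description above, and `ORG_DOMAIN` and `FREE_WEBMAIL_DOMAINS` are assumed values for illustration.

```python
"""Triage an email for the indicators described in the scanner campaign.

Added example (not from the original article or Kaspersky's report): the
sample messages below are constructed, and ORG_DOMAIN / FREE_WEBMAIL_DOMAINS
are assumed values for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumed: the domain of the receiving organization
# Assumed list of consumer webmail providers a corporate security team would not use.
FREE_WEBMAIL_DOMAINS = {"hotmail.com", "outlook.com", "gmail.com", "yahoo.com"}
# Phrases taken from the campaign description: a threat of lost access plus a deadline.
URGENCY_PATTERNS = [
    r"virus alert",
    r"no longer have access",
    r"immediately",
    r"within \d+ (minutes|hours)",
]

# Constructed sample modelled on the message described in the article.
SAMPLE_EMAIL = """\
From: "Email Security Team" <mailsecurity-team@hotmail.com>
To: jane.doe@example.com
Subject: Virus Alert!!!
Content-Type: text/plain; charset="utf-8"

Our email security team detected infected files in your mailbox.
You will no longer have access to your email account unless you scan it
immediately: http://email-scanner.invalid/scan?u=jane.doe@example.com
"""

# Constructed benign message for comparison: internal sender, internal link.
LEGIT_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: jane.doe@example.com
Subject: Scheduled mail maintenance
Content-Type: text/plain; charset="utf-8"

Mail will be unavailable Saturday 02:00-03:00.
Details: https://intranet.example.com/maintenance
"""


def triage(raw_message: str, org_domain: str = ORG_DOMAIN) -> list[str]:
    """Return a list of human-readable indicators found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # Indicator 1: the display name claims to be an internal team, but the
    # address is not on the organization's own domain.
    claims_internal = re.search(r"\b(security|it|helpdesk|admin)\b", display_name, re.I)
    if claims_internal and sender_domain != org_domain:
        findings.append(
            f"display name '{display_name}' claims internal team but sender domain is {sender_domain}"
        )
    if sender_domain in FREE_WEBMAIL_DOMAINS:
        findings.append(f"sender uses free webmail provider {sender_domain}")

    # Indicator 2: urgency and intimidation in the subject and body.
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain",)).get_content()
    text = f"{subject}\n{body}"
    if "!!!" in subject:
        findings.append("subject uses repeated exclamation marks")
    for pat in URGENCY_PATTERNS:
        if re.search(pat, text, re.I):
            findings.append(f"urgency phrase matched: /{pat}/")

    # Indicator 3: a link whose host is outside the organization's domain.
    for url in re.findall(r"https?://\S+", body):
        host = (urlparse(url).hostname or "").lower()
        if host and not (host == org_domain or host.endswith("." + org_domain)):
            findings.append(f"link points outside {org_domain}: {host}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phishing sample", SAMPLE_EMAIL), ("benign sample", LEGIT_EMAIL)):
        print(f"{name}: {triage(sample) or ['no indicators']}")
```

Each finding is a separate string so the result can feed a scoring rule or a SIEM alert; the benign message produces an empty list because the internal display name is matched by an internal sender and the only link stays on the organization’s domain.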

This attack highlights the need for organizations to protect themselves against a phishing campaign. They can do this by educating their users about some of the most common types of email-borne campaigns in circulation today.

  • Impacts of Phishing Attack –

A phishing attack can have a severe impact on a firm in the form of data loss, data breach, financial loss and reputational loss, including the exposure of data such as names, phone numbers, physical addresses and email addresses.

CEO fraud – In this form of attack the criminal has successfully hacked the CEO’s email address. The criminal will then send email instructions to employees within accounts or the finance department instructing the transfer of funds or the immediate payment of a bill, all legitimised by the CEO or director. There will often be a note within the email that emphasises the need for immediate or emergency action.

Bogus invoice scam – In this form of criminal activity the criminal will infiltrate the executive’s or director’s email accounts, look at any bills that need to be paid soon and then contact the finance department instructing them to change the bank details for the upcoming bill, claiming that the payee has changed banks or accounts. Once the bill is paid, it is paid into the criminal’s bank account without anyone knowing or suspecting otherwise.

Account Compromise – Similar to the above versions: an email account of an employee within the organisation is hacked and then used to make requests for invoice payments to the criminal’s accounts. The emails are sent to multiple vendors in the business’s contact list.

Data Theft – This involves the email of role-specific employees in the company being accessed or hacked into and then used to send requests, not for fund transfers but for personally identifiable information of other employees and executives.

Reputational Damage – At a fundamental level, brands are built on trust. Similarly, the public disclosure of embarrassing internal communications can create reputational damage that tarnishes the brand. The publicity around a serious breach impacts the perception of the overall brand as untrustworthy for employees, partners, and customers. Brand is the foundation of virtually every company’s market capitalization. The negative brand effects of a phishing attack on your employees can shave hundreds of millions off your market capitalization.

Intellectual Property Loss – Intellectual property theft can be the most devastating loss of all. Trade secrets, costly research, customer lists, formulas and recipes can all be compromised by phishing. For technology, defense or pharmaceutical firms, a single design or drug patent could easily represent millions, or billions, in sunk research costs.

Direct Costs – Your organization could also face direct monetary costs from phishing. Phishing attacks on your employees can also result in fines levied by regulatory bodies in the case of breaches that cause violations of HIPAA or PCI. The costs of providing identity protection or compensation to employees or customers who have their data stolen, as well as theft from your company itself, can easily run into the millions. US firms spend about $12.6 million on the average cybercrime attack. Phishing and social engineering account for 13% of the annual cybercrime cost for businesses.

Business Disruption – No matter how small a breach might be, breaches inevitably lead to business disruption. After being infected by malware in 2017 following a phishing email, the advertising multinational WPP instructed its 130,000 employees to “immediately turn off and disconnect all Windows servers, PCs and laptops until further notice.” It took the company days to resume normal service.

  • Common Points to Observe and Identify a Phishing Attack:

Too Good To Be True – Lucrative offers and eye-catching or attention-grabbing statements are designed to attract people’s attention immediately. For instance, many claim that you have won an iPhone, a lottery, or some other lavish prize. Just don’t click on any suspicious emails. Remember that if it seems too good to be true, it probably is!

Sense of Urgency – A favorite tactic amongst cybercriminals is to ask you to act fast because the super deals are only for a limited time. Some of them will even tell you that you have only a few minutes to respond. When you come across these kinds of emails, it’s best to just ignore them. Sometimes, they will tell you that your account will be suspended unless you update your personal details immediately. Most reliable organizations give ample time before they terminate an account and they never ask patrons to update personal details over the Internet. When in doubt, visit the source directly rather than clicking a link in an email.

Hyperlinks – A link may not be all it appears to be. Hovering over a link shows you the actual URL where you will be directed upon clicking on it. It could be completely different or it could be a popular website with a misspelling, for instance www.bankofarnerica.com – the ‘m’ is actually an ‘r’ and an ‘n’, so look carefully.
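The “bankofarnerica.com” trick above is one instance of a lookalike domain; the same check can be automated for a hovered link by folding commonly confused character sequences and measuring edit distance against the domains you actually trust. The following is an added example, not part of the original article: `TRUSTED_DOMAINS` is an assumed allow-list, the sample links are constructed, and it goes beyond the text by also catching a trusted name used as a left-hand label of some other domain.

```python
"""Check a hovered link's host against a list of domains you actually trust.

Added example, not from the original article: TRUSTED_DOMAINS is an assumed
allow-list and the sample URLs are constructed. The 'rn' for 'm' trick from the
text is one entry in CONFUSABLES; the check generalizes it to other commonly
substituted sequences and to small spelling edits.
"""
from __future__ import annotations

from urllib.parse import urlparse

TRUSTED_DOMAINS = {"bankofamerica.com", "example.com", "paypal.com"}  # assumed

# Character sequences that read like another character at a glance.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e")]


def registrable_domain(url: str) -> str:
    """Return the host minus a leading 'www.' (no public-suffix handling)."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def fold_confusables(s: str) -> str:
    """Replace each confusable sequence with the character it imitates."""
    for look, real in CONFUSABLES:
        s = s.replace(look, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> tuple[str, str | None]:
    """Return ('trusted', host), ('lookalike', imitated domain) or ('unknown', None)."""
    host = registrable_domain(url)
    if not host:
        return ("unknown", None)
    # Exact trusted domain or a genuine subdomain of one.
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return ("trusted", host)
    for t in trusted:
        # A trusted name appearing as a left-hand label, e.g. bankofamerica.com.evil.invalid
        if ("." + t + ".") in "." + host:
            return ("lookalike", t)
    folded = fold_confusables(host)
    for t in trusted:
        # Confusable substitution (rn -> m, 1 -> l) or a small misspelling.
        if folded == t or levenshtein(host, t) <= max_edits:
            return ("lookalike", t)
    return ("unknown", None)


if __name__ == "__main__":
    for link in (
        "http://www.bankofarnerica.com/login",            # constructed lookalike
        "https://secure.bankofamerica.com/",              # genuine subdomain
        "https://bankofamerica.com.account-verify.invalid/",  # trusted name as a label
        "https://paypa1.com/",                            # digit for letter
        "https://wikipedia.org/",                         # simply not on the list
    ):
        print(f"{link} -> {classify(link)}")
```

Anything classified as “unknown” still deserves the manual hover-and-read check described above; the allow-list approach only tells you when a link is definitely yours or is trying to look like yours.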

Attachments – If you see an attachment in an email you weren’t expecting or that doesn’t make sense, don’t open it! They often contain payloads like ransomware or other viruses. The only file type that is always safe to click on is a .txt file.

Unusual Sender – Whether it looks like it’s from someone you don’t know or someone you do know, if anything seems out of the ordinary, unexpected, out of character or just suspicious in general don’t click on it!

  • Recommendations to Avoid Phishing Scams:

Phishing scams have been around practically since the inception of the Internet, and they will not go away any time soon. Nobody wants to fall prey to a phishing scam. There is no single fool-proof way to avoid phishing attacks; fortunately, there are ways to avoid becoming a victim yourself. Here are 10 basic guidelines for keeping yourself safe:

    1. Keep Informed About Phishing Techniques – New phishing scams are being developed all the time. Without staying on top of these new phishing techniques, you could inadvertently fall prey to one. Keep your eyes peeled for news about new phishing scams. By finding out about them as early as possible, you will be at much lower risk of getting snared by one. For IT administrators, ongoing security awareness training and simulated phishing for all users is highly recommended in keeping security top of mind throughout the organization.

    2. Think Before You Click! – It’s fine to click on links when you’re on trusted sites. Clicking on links that appear in random emails and instant messages, however, isn’t such a smart move. Hover over links that you are unsure of before clicking on them. Do they lead where they are supposed to lead? A phishing email may claim to be from a legitimate company and when you click the link to the website, it may look exactly like the real website. The email may ask you to fill in the information but the email may not contain your name. Most phishing emails will start with “Dear Customer” so you should be alert when you come across these emails. When in doubt, go directly to the source rather than clicking a potentially dangerous link.

    3. Install an Anti-Phishing Toolbar – Most popular Internet browsers can be customized with anti-phishing toolbars. Such toolbars run quick checks on the sites that you are visiting and compare them to lists of known phishing sites. If you stumble upon a malicious site, the toolbar will alert you about it. This is just one more layer of protection against phishing scams, and it is completely free.

    4. Verify a Site’s Security – It’s natural to be a little wary about supplying sensitive financial information online. As long as you are on a secure website, however, you shouldn’t run into any trouble. Before submitting any information, make sure the site’s URL begins with “https” and there should be a closed lock icon near the address bar. Check for the site’s security certificate as well. If you get a message stating a certain website may contain malicious files, do not open the website. Never download files from suspicious emails or websites. Even search engines may show certain links which may lead users to a phishing webpage which offers low cost products. If the user makes purchases at such a website, the credit card details will be accessed by cybercriminals.

    5. Check Your Online Accounts Regularly – If you don’t visit an online account for a while, someone could be having a field day with it. Even if you don’t technically need to, check in with each of your online accounts on a regular basis. Get into the habit of changing your passwords regularly too. To prevent bank phishing and credit card phishing scams, you should personally check your statements regularly. Get monthly statements for your financial accounts and check each and every entry carefully to ensure no fraudulent transactions have been made without your knowledge.

    6. Keep Your Browser Up to Date – Security patches are released for popular browsers all the time. They are released in response to the security loopholes that phishers and other hackers inevitably discover and exploit. If you typically ignore messages about updating your browsers, stop. The minute an update is available, download and install it.

    7. Use Firewalls – High-quality firewalls act as buffers between you, your computer and outside intruders. You should use two different kinds: a desktop firewall and a network firewall. The first option is a type of software, and the second option is a type of hardware. When used together, they drastically reduce the odds of hackers and phishers infiltrating your computer or your network.

    8. Be Wary of Pop-Ups – Pop-up windows often masquerade as legitimate components of a website. All too often, though, they are phishing attempts. Many popular browsers allow you to block pop-ups; you can allow them on a case-by-case basis. If one manages to slip through the cracks, don’t click on the “cancel” button; such buttons often lead to phishing sites. Instead, click the small “x” in the upper corner of the window.

    9. Never Give Out Personal Information – As a general rule, you should never share personal or financially sensitive information over the Internet. This rule spans all the way back to the days of America Online, when users had to be warned constantly due to the success of early phishing scams. When in doubt, go visit the main website of the company in question, get their number and give them a call. Most of the phishing emails will direct you to pages where entries for financial or personal information are required. An Internet user should never make confidential entries through the links provided in the emails. Never send an email with sensitive information to anyone. Make it a habit to check the address of the website. A secure website always starts with “https”.

    10. Use Antivirus Software – There are plenty of reasons to use antivirus software. Special signatures that are included with antivirus software guard against known technology workarounds and loopholes. Just be sure to keep your software up to date. New definitions are added all the time because new scams are also being dreamed up all the time. Anti-spyware and firewall settings should be used to prevent phishing attacks and users should update the programs regularly. Firewall protection prevents access to malicious files by blocking the attacks. Antivirus software scans every file which comes through the Internet to your computer. It helps to prevent damage to your system.

You don’t have to live in fear of phishing scams. By keeping the preceding tips in mind, you should be able to enjoy a worry-free online experience.

It is recommended to conduct Phishing simulation exercises in your organization. CyberSRC provides Phishing as A Service (PHaas) to educate your employees regarding various phishing attacks by simulating them through our proprietary tools.

For more information, kindly contact: info@cybersrcc.uk