“Phishermen” Up Their Game
By now almost everyone who uses a computer knows about “phishing” attacks in which cybercriminals lure unsuspecting users into infecting their own computers with malware by clicking a malicious link or downloading a malware-laden file, or trick them into revealing their user credentials by logging into a spoofed website.
While the old tried-and-true email phishing scams still net some prey, hackers continue to create new, increasingly sophisticated types of email phishing attacks that are capable of fooling even experienced users. Defending against these smart new attacks requires both the latest anti-phishing tools and better education for users.
Malware via Macros
Microsoft Security Intelligence published a series of tweets describing a phishing attack that appears to come from Johns Hopkins Medical Center, with the subject “WHO COVID-19 SITUATION REPORT.” The email contains Excel files purporting to show coronavirus cases in the US. When the file is opened and macros are allowed to run, a malicious macro downloads and runs the NetSupport Manager remote access tool, giving the attacker control of the unsuspecting user’s computer. The email formatting is very similar to legitimate emails that come from Johns Hopkins.
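The attachment in that campaign is ordinary Excel with a VBA project inside it, which is something a mail gateway can check for before the file reaches a user. The following is an added example, not code from the page or from Microsoft: it peeks at an attachment’s container format and holds any file that carries a VBA project (OOXML stores it as `vbaProject.bin`) or that is a legacy OLE2 binary where macros cannot be ruled out without a full parser. The sample workbooks are constructed in memory for the demo, and the macro-extension list is this example’s own policy, not an exhaustive Microsoft list.

```python
import io
import zipfile

# Header bytes of a legacy OLE2 compound document (.xls/.doc) and of a ZIP container (OOXML).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# OOXML extensions that legitimately declare a macro project.
# Assumption: this is the policy list enforced by this example, not an exhaustive list.
MACRO_EXTENSIONS = {"xlsm", "xltm", "xlam", "xlsb", "docm", "dotm", "pptm", "potm", "ppam"}


def classify_attachment(filename: str, data: bytes) -> dict:
    """Triage an Office attachment held in memory.

    Returns the detected container type, whether a VBA project was found, and a list
    of human-readable reasons that justify holding the file for sandbox detonation.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    verdict = {"filename": filename, "container": "unknown", "has_vba": False, "reasons": []}

    if data.startswith(OLE2_MAGIC):
        # Binary .xls/.doc can always embed VBA; confirming it needs an OLE stream parser
        # (e.g. olevba from oletools), so the safe default is to hold the file.
        verdict["container"] = "ole2"
        verdict["reasons"].append("legacy OLE2 binary format; macros cannot be ruled out without a VBA parser")
        return verdict

    if data.startswith(ZIP_MAGIC):
        verdict["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            verdict["reasons"].append("corrupt or crafted ZIP container")
            return verdict
        # Office stores the compiled VBA project as vbaProject.bin under xl/, word/ or ppt/.
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if vba_parts:
            verdict["has_vba"] = True
            verdict["reasons"].append("VBA project present: " + ", ".join(vba_parts))
            if ext not in MACRO_EXTENSIONS:
                verdict["reasons"].append(f"macro project hidden behind a .{ext} extension")
        return verdict

    verdict["reasons"].append("not an Office container")
    return verdict


def should_detonate(verdict: dict) -> bool:
    """Hold for sandbox detonation when macros are present or cannot be excluded."""
    return verdict["has_vba"] or verdict["container"] == "ole2"


def build_sample_workbook(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-shaped workbook for the demo (not a real Excel file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("COVID-19_cases.xlsm", build_sample_workbook(True)),   # declared macro file
        ("COVID-19_cases.xlsx", build_sample_workbook(True)),   # macro project, innocent extension
        ("summary.xlsx", build_sample_workbook(False)),         # clean workbook
        ("old_report.xls", OLE2_MAGIC + b"\x00" * 504),         # legacy binary format
    ]
    for name, blob in samples:
        v = classify_attachment(name, blob)
        print(name, "->", "HOLD" if should_detonate(v) else "PASS", v["reasons"])
```

Holding on container contents rather than on the file extension matters: the extension is attacker-controlled, while `vbaProject.bin` has to be present for the macro to exist at all. The check is deliberately conservative for legacy `.xls`; a real gateway would hand those to an OLE parser rather than guess.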
“Branded” Spear-Phishing Attacks
Cybercrooks are increasingly running “branded” spear-phishing attacks, hosting their phishing forms or pages on legitimate services such as Google Docs or Microsoft Office URLs. Users can be lulled into a false sense of security by a link to a Google or Microsoft address, when in reality a digital criminal is simply abusing a legitimate service, and domain-based link filtering will not catch it.
Stealing Cloud Credentials
With many more people working remotely during and following coronavirus closures, many companies upped their usage of cloud services such as Amazon Web Services, Microsoft Azure, and Google Cloud. Digital criminals recognized this trend and responded with aggressive attempts to steal cloud credentials.
In one phishing campaign, users received what appeared to be an automated email from Amazon Web Services. The emails contained links that look like legitimate AWS addresses, but the page they actually linked to is not an AWS page, although it looks exactly like the AWS logon page, complete with logo and actual Amazon images. By signing in, a user hands their AWS credentials to a cybercriminal, who can then use them to access the user’s account freely until the password is rotated, unless multi-factor authentication was already enforced on the account. Worse, if the compromised identity is permitted to create IAM access keys, the attacker can mint long-lived keys that survive a password change.
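The link in that campaign is the detectable part: the visible text says one host, the `href` goes to another, and the real host is merely brand-flavoured rather than under an Amazon domain. The following is an added example, not code from the page or from AWS: it pulls every anchor out of an HTML mail body and reports the classic tricks (visible-text/`href` host mismatch, userinfo before the host, raw IP hosts, punycode labels, brand tokens in a non-AWS domain). The allow list of AWS sign-in domains and the sample mail are this example’s own assumptions, constructed for the demo. Note what this check cannot do, which is the point of the “branded” section above: a phishing form hosted on a genuine Google or Microsoft URL passes every test here.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: registrable domains under which genuine AWS sign-in pages live.
AWS_DOMAINS = ("amazon.com", "amazonaws.com", "awsapps.com")
# Brand tokens whose presence in a non-AWS host is a lookalike signal.
BRAND_TOKENS = ("aws", "amazon")

# Matches a URL-ish host at the start of an anchor's visible text.
_TEXT_HOST = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def under_any(host: str, domains) -> bool:
    """True when host equals one of domains or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_link(href: str, text: str) -> dict:
    """Return the findings for one anchor; an empty findings list means it looked genuine."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()   # hostname strips userinfo and port
    findings = []
    if parts.scheme != "https":
        findings.append("non-https link")
    if "@" in parts.netloc:
        findings.append(f"userinfo before host (browser will connect to {host})")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address as host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host")
    if not under_any(host, AWS_DOMAINS):
        if any(tok in host for tok in BRAND_TOKENS):
            findings.append("brand name in host but not an AWS domain")
        else:
            findings.append("host is not an AWS domain")
    # Visible text that looks like a URL must name the same host the link really goes to.
    m = _TEXT_HOST.match(text)
    if m and m.group(1).lower() != host:
        findings.append(f"visible text says {m.group(1)} but link goes to {host}")
    return {"href": href, "text": text, "host": host, "findings": findings}


def audit_mail(html: str) -> list:
    """Audit every anchor in an HTML mail body, in document order."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [audit_link(href, text) for href, text in collector.links]


def risky_links(html: str) -> list:
    """Hrefs that produced at least one finding."""
    return [r["href"] for r in audit_mail(html) if r["findings"]]


# Constructed sample mail body for the demo: one genuine link and three phishing patterns.
SAMPLE_MAIL = """
<p>Your AWS account requires attention.</p>
<a href="https://console.aws.amazon.com/billing/">https://console.aws.amazon.com/billing/</a><br>
<a href="https://aws-amazon-signin.example/console">https://signin.aws.amazon.com/</a><br>
<a href="http://203.0.113.7/aws/login">Sign in to AWS</a><br>
<a href="https://signin.aws.amazon.com@aws-support.example/">signin.aws.amazon.com</a>
"""

if __name__ == "__main__":
    for result in audit_mail(SAMPLE_MAIL):
        print(result["host"] or "(no host)", "->", result["findings"] or "ok")
```

The userinfo case is the one people forget: `https://signin.aws.amazon.com@aws-support.example/` really connects to `aws-support.example`, and a naive `"aws.amazon.com" in href` check waves it through. Parsing with `urlsplit` and comparing the registrable domain is what makes the check honest.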
What to Do?
Countering these increasingly sophisticated attacks calls for two things: more effective technological tools and intensive education to build email phishing awareness.
Conventional anti-malware and antivirus software is only as good as its most recent update. The best way to prevent users from inadvertently installing malware on their computers is to institute and enforce the Zero Trust principle of “never trust, always verify.” With Remote Browser Isolation, such as Ericom Shield, all websites are browsed and email attachments opened in an isolated container, remote from the endpoint. Only a safe interactive media stream representing the website reaches the user device, along with fully sanitized downloaded files, so active content in a web page or attachment never executes on the user’s computer or on company servers. In addition, links within emails and websites may be opened in read-only mode, so that users cannot erroneously enter credentials into spoofed sites.
Users need to be educated to be alert to emails that are just a bit off the mark, and to not click on links or attachments if anything is even slightly suspicious. But user education and email phishing awareness tips go only so far. In fact, even information security professionals have been known to fall for the sophisticated phishing scams that hackers devise. Being careful and smart is very important when it comes to sophisticated and clever phishing attacks; protecting users from their own inevitable slips is even more so.
See our article “Best Practices in Enterprise Identity and Access Management” for more information on keeping your corporate data safe.