‘Tis the season for hot cocoa, holiday shopping and increased phishing attempts from those trying to separate you from your hard-earned money. In the cyber-security field, it’s a well-known fact that the holidays are prime time for hackers and cyber criminals to target their prey to gain unauthorized entry into their computers and accounts. The attackers know that emails containing Black Friday deals, Christmas specials and discount gift cards will be appearing in the inboxes of many, and they are capitalizing on it.

There’s a reason why most workplaces have mandatory phishing training and some even place large, permanent banners in their employees’ email clients warning them about opening suspicious emails. Phishing is by far the most common type of cyber attack and has been for years. Phishing almost always originates from an email that contains an attachment or a link that, by appearances, looks benign or even wanted.  A sense of urgency may be used against the victim as the attacker attempts to trick them into either opening a malicious document or clicking on a malicious link.  Deception plays a big role in this and the attackers are getting better at it.

As we move ahead into the new year, cyber-security professionals look back on 2019 as being a year of not only increased overall phishing traffic but a jump in sophistication as well. The attackers have learned what works, what doesn’t and how they can improve their bottom line, that bottom line being your stolen credit card numbers, personally identifiable information or perhaps a ransomware attack on your company with the hopes of a large payout.

As I mentioned, deception plays a big role in phishing and the attackers are finding new ways of deceiving their victims. One such new method on the rise is a deceptive 404 page. A 404 page is what you see when you attempt to visit a website and the page you’re looking for doesn’t exist. It’s usually a benign message stating that the resource you’re looking for can’t be found. Criminals are instead using custom 404 error pages on servers that they control to show victims near-exact copies of legitimate services like Microsoft Office 365 and Google services. This allows the attacker to randomly generate subdomains and send those as links to their victims. If the victim is fooled into inputting their credentials into the fake website, the attackers will gain those credentials and take over the account. However, these types of dynamically generated domains are easy for trained cybersecurity professionals to detect, which makes response time well above the industry average.

Image courtesy of Microsoft Security Blog
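One way to detect the random-subdomain 404 technique described above, as an added example that is not from the original article or from Microsoft: it flags a registered domain when several distinct random-looking subdomains all return HTTP 404 with a page-sized body. The log format, the thresholds, the `.example` hostnames and the last-two-labels domain split are assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed proxy-log sample, one request per line: "<client> <status> <bytes> <url>"
SAMPLE_LOG = """\
10.0.0.5 404 48213 https://k3x9qz7vbp2m.files-portal.example/login
10.0.0.8 404 48213 https://zq8w1nd4xr6t.files-portal.example/
10.0.0.9 404 48213 https://p7m2vk9c3jhx.files-portal.example/a
10.0.0.5 200 10422 https://www.intranet.example/home
10.0.0.7 404 312 https://www.intranet.example/old-page
10.0.0.7 200 20110 https://mail.intranet.example/inbox
"""


def entropy(label):
    """Shannon entropy, in bits per character, of a hostname label."""
    counts = Counter(label)
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())


def parse(line):
    """Return (status, body_bytes, subdomain, registered_domain), or None if unparsable."""
    _client, status, size, url = line.split()
    host = urlsplit(url).hostname
    if host is None:
        return None
    labels = host.split(".")
    # Assumption: the last two labels form the registered domain. A production
    # version would consult the Public Suffix List instead.
    return int(status), int(size), ".".join(labels[:-2]), ".".join(labels[-2:])


def suspicious_domains(log, min_hosts=3, min_entropy=3.0, min_body=5000):
    """Map each flagged registered domain to its random-looking subdomains."""
    hits = defaultdict(set)
    for line in log.splitlines():
        record = parse(line) if line.strip() else None
        if record is None:
            continue
        status, size, sub, domain = record
        # An ordinary 404 is small; a full login page served as a 404 is not.
        if status == 404 and size >= min_body and sub and entropy(sub) >= min_entropy:
            hits[domain].add(sub)
    return {d: sorted(s) for d, s in hits.items() if len(s) >= min_hosts}


if __name__ == "__main__":
    print(suspicious_domains(SAMPLE_LOG))
```

The small 404 from `www.intranet.example` is ignored because its body is the size of a normal error message and its subdomain label has no randomness.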

The attackers are not just picking on Microsoft. Google is another prime target for phishing as it is the backbone of the internet for most users. Attackers have been observed hijacking search results to get their malicious websites in front of more victims. They leverage traffic generators to get a website that they control to the top of the results for different keywords. By using this technique an attacker can simply send a legitimate Google search link to their victims. These links will bypass corporate spam filters and land in the inbox of unsuspecting users. The attackers hope the users will open the link, be presented with an all-too-familiar Google search page and click on the first link in the list which is an attacker-controlled website. Threat intelligence plays a big role in discovering and stopping these types of attacks. When a cybersecurity professional knows certain websites are malicious through their gathered threat intelligence, they can use that information to quickly detect and mitigate the threat.

Image courtesy of Microsoft Security Blog

As we saw in one of the attacks noted above, impersonation often comes into play by mimicking an existing service. The better your email or phishing page looks, the more likely the user is going to click the link and enter their credentials. Attackers have taken this to a whole new level by capturing company-specific information in the victim’s email and serving them a phishing page complete with banners, logos and text taken directly from the legitimate website. These phishing pages appear exactly like the target company’s sign-in page and this is all done on the fly.

Company sign-in page branding that attackers can copy on the fly

With the increase in emails around the holidays, users often get bombarded with messages from retailers urging them to check out the hot deals they have either in store or online. Phishing emails often focus on Black Friday, Cyber Monday, Thanksgiving, Christmas and workplace holiday parties to get the user to open the email.

Phishing kits for Apple, UPS, FedEx, Microsoft, Gmail, Amazon, LinkedIn, PayPal, Facebook and countless other web services are readily available on the dark web for anyone to purchase. With a little know-how and some time, anyone can set up a website to do any of the aforementioned attacks against a list of emails which can also be purchased. Phishing has become such a problem for one simple reason: it works. The reason it works is the user believes the email they are receiving is authentic. They believe it’s from a legitimate service, be that Microsoft, Apple, Amazon, etc. Part of the email authenticity is a believable subject line that draws in a person’s attention. According to KnowBe4, these are the most clicked email subjects of Q3 2019:

  1. Password Check Required Immediately
  2. A Delivery Attempt was made
  3. De-activation of [[email]] in Process
  4. New food trucks coming to [[company_name]]
  5. Updated Employee Benefits
  6. Revised Vacation & Sick Time Policy
  7. You Have A New Voicemail
  8. New Organizational Changes
  9. Change of Password Required Immediately
  10. Staff Review 2018

With subjects like these the attackers will attempt to create a sense of urgency and make the victim act on the malicious contents within the email.

Attackers are also creating fraudulent Interac bank transfer websites with which to phish the not-so-vigilant. As you can see in the image below, they are targeting Canadian users specifically and using bank-specific branding.

Like the other types of impersonation attacks, when a victim chooses their bank out of the choices on the page, they are asked for credentials to log in to claim their $250 e-transfer. The page sends the credentials to the attacker and the victim does not receive an e-transfer of funds.

While phishing is prevalent, the fight against it is not a losing battle. A company has many preventative measures that they can leverage to protect themselves from these types of attacks.

  • Having a detection and response team is critical
  • Educate employees by conducting awareness training and employ mock phishing campaigns to test this training
  • Backups should be functional and tested often
  • Deploy spam filters that detect malicious attachments and links
  • Keep all systems current with the latest security patches
  • Install an antivirus solution and keep all signatures up to date
  • A web filter should be put in place to block malicious websites

As always, email users must stay vigilant. It is recommended that users don’t open suspicious emails, don’t click links and don’t enable content in Word documents if it’s from an unknown or unexpected source. If there is any question about the validity of the email, users should reach out to the sender and verify that the email is legitimate.

With these measures in place, a company stands to have a fighting chance against all the spammers and scammers that are attempting to ruin the holiday cheer.