Most phishing emails contain a malicious link in the hope that the recipient will click on it. Phishing prevention technology is wise to this tactic, which has forced attackers to adapt. Their latest adaptation is a new phishing technique targeting American Express customers that breaks the malicious link up into two parts.

The technique uses the <base> HTML element. “This allows attackers to specify the base URL that should be used for all relative URLs within the phishing message, effectively splitting up the phishing landing page in two separate pieces. It also helps to hide it from the target since, on hover, the hyperlink will only show the end part of the malicious link, without the domain used to host the landing page.”

“This tactic helps the attacker evade URL filters and gateways that have active URL scanning services, which currently do not have the capability to combine these inert pieces into a scannable malicious URL.”
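Reconstructing the split link on the scanning side, as an added Python example that is not from the original post: it resolves every relative href against the message's `<base href>` the way a mail client would, so the full landing-page URL can be scanned. The message and the `phish.example` domain are constructed placeholders.

```python
"""Recover the full URL that a <base href> splits apart in a phishing email."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class BaseAwareLinkExtractor(HTMLParser):
    """Collect every <a href> and resolve it against any <base href>.

    A scanner that only reads the raw href sees "/verify/account" and has
    nothing to check; resolving against <base> recovers the real target.
    """

    def __init__(self):
        super().__init__()
        self.base = None        # first <base href> wins, as in browsers
        self.raw_hrefs = []     # hrefs exactly as written in the markup

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"]
        elif tag == "a" and attrs.get("href"):
            self.raw_hrefs.append(attrs["href"])

    def resolved_links(self):
        """Return (raw, absolute) pairs; relative links become absolute."""
        return [(h, urljoin(self.base or "", h)) for h in self.raw_hrefs]


def extract_links(html):
    parser = BaseAwareLinkExtractor()
    parser.feed(html)
    return parser.resolved_links()


def split_link_hosts(html):
    """Hosts that only appear once <base> is applied: the ones a naive scan misses."""
    return sorted({urlparse(full).netloc for raw, full in extract_links(html)
                   if not urlparse(raw).netloc and urlparse(full).netloc})


# Constructed sample message; the domain is a placeholder, not a real indicator.
SAMPLE = """<html><head><base href="https://phish.example/"></head>
<body><p>Your card needs verification.</p>
<a href="/verify/account">Confirm now</a>
<a href="https://www.example.com/help">Help</a>
</body></html>"""

if __name__ == "__main__":
    for raw, full in extract_links(SAMPLE):
        print(f"{raw!r:30} -> {full}")
    print("hosts hidden behind <base>:", split_link_hosts(SAMPLE))
```

On hover, a mail client shows only `/verify/account`; the resolved output is what should be fed to the URL scanner.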

Phishing mobile devices is big business. “Phishing attacks on mobile have increased by an average of 85% year on year since 2011.” This week we learned about a new phishing scam targeting iPhone users.


Trusty iPhone

According to iGeekBlog, the new scam involves “trusty iPhone.” According to Marjorie Stephens, CEO of BBB, “The scam was so realistic that even a BBB executive was nearly fooled.”

The scam involves getting a call from Apple, Inc., or at least that’s what the caller ID on the iPhone says. Scammers then leave “a pre-recorded message saying that there’s a serious threat to your phone or computer.” When you call back, the scammers ask for personal information or payment to fix the problem.


Nescafé Coffee

It was only a matter of time before hackers went after coffee drinkers. Their scam of choice? Free coffee. According to Metacompliance, “Nescafé coffee lovers are the latest to be targeted with a phishing scam designed to steal their personal details and infect their devices with malware.”

The scam asks targets to complete a survey for a chance to win coffee makers and free coffee packs. To take the survey the targets have to download a PDF, which of course isn’t a PDF at all but rather malware. “Once installed, attackers can use the malware to spy on their online activities, steal personal and financial information or use the device to hack other systems.”


Phishing Phrontier

Back in the 1840s, during the California gold rush, it was said the people who got rich weren’t the prospectors, but the ones who sold the prospecting equipment. That understanding has carried over to the world of phishing.

Apparently, it’s more profitable to offer phishing tools than to actually do the phishing yourself with the rise of Phishing-as-a-Service. That’s right. Websites now exist where you can purchase everything you need to launch your very own phishing attack.

These Phishing-as-a-Service companies offer phishing kits, which include phishing templates, as well as hosting the landing pages. It’s completely turnkey. According to an article on Bleeping Computer, “The phishing templates that are available include SharePoint, Office 365, LinkedIn, OneDrive, Google, Adobe, Dropbox, DocuSign, and many more. These templates range from $30 to $80 and include one month of hosting for the page.” Really? Thirty bucks?

In keeping with a theme, according to IBM Security Intelligence, “Digital attackers are now abusing the 16Shop phishing kit to target Amazon users for the purpose of stealing access to their accounts.”

People receive email attachments all the time. Most are business documents like Word, Excel or PDF. Phishing protection software scans these documents for malicious content so it’s getting harder for hackers to use these documents to launch a phishing attack. Unfortunately, hackers evolve.

Now comes word of a new phishing trend targeting Office 365 with HTML attachments. “These HTML attachments host webpages on the victim’s device instead of the public internet, which is a strategic way for hackers to avoid URL reputation checks. This attack is particularly dangerous in collaboration suites such as Office 365.”


Body Count

The health sector is always a big target for hackers, not so much for direct financial gain, but for access to patient records. This week was no exception. According to an article on Health IT Security, “An employee of vendor California Reimbursement Enterprises fell victim to a phishing attack, which potentially breached the data of 14,500 patients, including those from Los Angeles County DHS.”

Mickey Mouse must be horrified. According to the Orlando Sentinel, “An employee at Reedy Creek Improvement District believed she was receiving emails from a legitimate landscaping vendor and paid out nearly $722,000.” Reedy Creek Improvement District handles building codes, road construction, fire rescue and landscaping throughout Disney-owned land.


Email Forwarding

Making news this week is all the trouble you can get into by mindlessly forwarding emails. Problems with forwarding emails range from copyright infringement to disseminating misstatements made by someone else to forwarding sensitive information. The bottom line: look before you forward.

And that’s the week that was.