[BreachExchange] Latest phishing tactics: infected PDFs, bogus friend requests, fake HR emails

Inga Goddijn inga at riskbasedsecurity.com
Wed Mar 15 20:39:20 EDT 2017


https://nakedsecurity.sophos.com/2017/03/15/latest-phishing-tactics-infected-pdfs-bogus-friend-requests-fake-hr-emails/

There’s good and bad news on the phishing front
<https://blogs.sophos.com/2014/03/31/what-is-phishing-anatomy-of-a-phishing-attack-plus-five-security-tips-video/>.

The good news: attackers don’t seem to be coming up with many new tactics
to target their victims. The bad news: they don’t have to. They’re doing
just fine hooking their prey with the same old tricks.

A recent Naked Security article outlined the bad guys’ efforts to infect
their prey using scams centered around tax season
<https://nakedsecurity.sophos.com/2017/02/21/watch-out-for-phishing-scams-when-preparing-your-tax-return/>,
with the Internal Revenue Service (IRS) warning of fresh email schemes
targeting tax professionals, payroll staff, human resources personnel,
schools and average taxpayers. In another scam, attackers polluted Amazon listings
<https://nakedsecurity.sophos.com/2017/01/11/beware-phishing-scams-in-amazon-listings/>
with links that redirected victims to a very convincing Amazon-looking payment
site.

Now come fresh reports that attackers are using malicious PDF attachments
and messages that look like they’re from their company HR departments, as
well as bogus Facebook friend requests.

Bad PDFs and friend requests

Microsoft Malware Protection Center team member Alden Pornasdoro warned of
the malicious PDF files
<https://blogs.technet.microsoft.com/mmpc/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/>
in a blog post. He wrote:

Unlike in other spam campaigns, the PDF attachments we are seeing in these
phishing attacks do not contain malware or exploit code. Instead,
they rely on social engineering to lead you on to phishing pages, where you
are then asked to divulge sensitive information. One example of the
fraudulent PDF attachments is carried by email messages that pretend to be
official communication, for instance, a quotation for a product or a
service, from a legitimate company. These email messages may spoof actual
people from legitimate companies in order to fake authenticity. When you
open the attachment, it’s an actual PDF file that is made to appear like an
error message. It contains an instruction to “Open document with Microsoft
Excel.” But it’s actually a link to a (malicious) website.
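The lure Pornasdoro describes is a plain PDF whose only payload is a link annotation. That makes it easy to triage on the mail gateway or in an incident-response pipeline: pull every /URI action out of the file and flag any that point off your trusted domains, and separately flag names that indicate active content (/JavaScript, /Launch, /OpenAction and the like), which this campaign did not use. The script below is an added example written for this post, not code from Sophos or Microsoft; the embedded PDF is constructed for the demonstration, the URL in it is a placeholder, and the regex approach only covers uncompressed, plain-text PDF objects (object streams or hex-encoded strings need a real PDF parser).

```python
import re
from urllib.parse import urlsplit

# Constructed sample (not a real malicious file): a one-page PDF whose page
# text says "Open document with Microsoft Excel" and whose only action is a
# /Link annotation carrying a /URI to a placeholder phishing host.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Annots [4 0 R] /Contents 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 400 640]
   /A << /S /URI /URI (http://phish.example.invalid/open-with-excel) >> >> endobj
5 0 obj << /Length 60 >> stream
BT /F1 18 Tf 100 700 Td (Open document with Microsoft Excel) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI actions written as PDF literal strings "( ... )"; the group tolerates
# backslash-escaped parentheses inside the string.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)

# Name objects that mean the PDF does more than carry a clickable link.
ACTIVE_CONTENT_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|EmbeddedFile)\b")


def _unescape(raw: bytes) -> str:
    """Undo the PDF literal-string escapes relevant to URLs."""
    out = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
    return out.decode("latin-1")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Every /URI action target found in the raw file, in file order."""
    return [_unescape(m.group(1)) for m in URI_RE.finditer(pdf_bytes)]


def triage(pdf_bytes: bytes, trusted_hosts: frozenset[str] = frozenset()) -> dict:
    """Summarise what the attachment can do when clicked or opened.

    external_links: URIs whose host is not on the trusted list (the lure).
    active_content: names showing the PDF carries scripts, launches or
                    embedded files rather than just a link.
    """
    uris = extract_uris(pdf_bytes)
    external = []
    for uri in uris:
        host = (urlsplit(uri).hostname or "").lower()
        if host and host not in trusted_hosts:
            external.append(uri)
    active = sorted({m.group(1).decode() for m in ACTIVE_CONTENT_RE.finditer(pdf_bytes)})
    return {"uris": uris, "external_links": external, "active_content": active}


if __name__ == "__main__":
    report = triage(SAMPLE_PDF, trusted_hosts=frozenset({"intranet.example"}))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample, `external_links` holds the placeholder URL and `active_content` is empty, which is exactly the profile of the campaign described: no exploit, just a link that a user has to be talked into clicking. In a real pipeline the external link, not the file, is what you feed to URL reputation and to the blocklist.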

In the other case, reported by ZDNet, security company MWR
Infosecurity reviewed 100 simulated attack campaigns for 48 of its clients
and discovered that sending a bogus friend request
<http://www.zdnet.com/article/phishing-would-you-fall-for-one-of-these-scam-emails/>
was the best way to get someone to click on a link – even when the email was
being sent to a work email address. From the ZDNet report:

Almost a quarter of users clicked the link to be taken through to a fake
login screen, with more than half going on to provide a username and
password, and four out of five then going on to download a file. A spoof
email claiming to be from the HR department referring to the appraisal
system was also very effective: nearly one in five clicked the link, and
three-quarters provided more credentials, with a similar percentage going
on to download a file.

Social engineering is alive and well

Recent developments show that the ancient technique of social engineering
<https://blogs.sophos.com/what-is/social-engineering/> is alive and well.
Understanding it is the first step in mounting a better defense. Sophos
described it this way in the corporate blog a few months ago:

Social engineering is the act of manipulating people into taking a specific
action for an attacker’s benefit. You might think it sounds like the work
of a con artist – and you’d be right. Since social engineering preys on the
weaknesses inherent in all of us, it can be quite effective. And without
proper training it’s tricky to prevent. If you’ve ever received a phishy
email, you’ve seen social engineering at work. The social engineering
aspect of a phishing attack is the crucial first step – getting the victim
to open a dodgy
attachment or visit a malicious website.

As the Sophos Blog post noted, phishing can’t work unless the first step –
the social engineering – convinces you to take an action.

To help raise awareness, security vendors have offered a number of products
and services companies can use to launch simulations – essentially phishing
fire drills – which can show employees up close how easy it is to be duped
by social engineering. Sophos offers a simulator called Phish Threat
<https://www.sophos.com/en-us/medialibrary/PDFs/factsheets/Sophos-Phish-Threat-Datasheet.pdf?la=en>
for that purpose.

Other defensive tips

Though such simulations are an effective way to raise awareness, companies
need to follow that up with concrete instructions to help employees stay
above the fray. Here are a few helpful tips:

   - Be careful what you click. This one is painfully obvious, but users
   need a constant reminder.
   - Check the address bar for the correct URL. The address bar in your web
   browser uses a URL to find the website you are looking for. The web address
   usually starts with either HTTP or HTTPS, followed by the domain name. The
   real websites of banks and many others use a secure connection that
   encrypts web traffic, called SSL/TLS, which is what HTTPS provides. If you
   are expecting a secure HTTPS website for your bank, for example, make sure
   you see a URL beginning with https:// before entering your private
   information.
   - Look for the padlock for secure HTTPS websites. A secure HTTPS website
   has a padlock icon to the left of the web address.
   - Consider using two-factor authentication for more security. When you
   try to log into a website with two-factor authentication
   <https://nakedsecurity.sophos.com/2013/10/10/security-essentials-what-is-two-factor-authentication/>
   (2FA), there’s an extra layer of security to make sure it’s you signing
   into your account.
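The "check the address bar" advice is sound but incomplete: a phishing link can begin with https:// and still land on the wrong site, because the part that matters is the host name between the scheme and the first slash. The function below is an added example for this post (not Sophos code) and goes a little beyond the tip by showing the cases a "starts with https://" check misses: the real name used as a leading label of an unrelated domain, the real name placed in the path, and the user@ trick that makes a browser contact a different host than the one a reader sees first. All hosts in it are constructed placeholders; `bank.example` stands in for whatever site the user expects.

```python
from urllib.parse import urlsplit


def check_link(url: str, expected_host: str) -> list[str]:
    """Return the reasons a link does not belong to expected_host.

    An empty list means the scheme is https and the host is expected_host
    or one of its subdomains. Anything else is reported, one finding per
    problem, in wording a help desk could relay to a user.
    """
    expected = expected_host.lower().strip(".")
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().strip(".")
    findings = []

    scheme = parts.scheme.lower() or "missing"
    if scheme != "https":
        findings.append(f"scheme is {scheme!r}, not https")

    if parts.username is not None:
        # Browsers treat "https://bank.example@evil.invalid/" as a request to
        # evil.invalid; the text before "@" is only a user name.
        findings.append(f"URL has a user@ prefix; the site actually contacted is {host!r}")

    on_expected_site = host == expected or host.endswith("." + expected)
    if not on_expected_site:
        if expected in host:
            # e.g. www.bank.example.evil.invalid: the real name is just a label
            findings.append(f"host {host!r} merely contains {expected!r}; it is a different domain")
        elif expected in parts.path.lower() or expected in parts.query.lower():
            findings.append(f"{expected!r} appears only in the path or query, not the host ({host!r})")
        else:
            findings.append(f"host {host!r} is not {expected!r}")
    return findings


if __name__ == "__main__":
    # Constructed links for the demonstration; none point at real sites.
    for link in [
        "https://www.bank.example/login",
        "http://www.bank.example/login",
        "https://www.bank.example.evil.invalid/login",
        "https://evil.invalid/bank.example/login",
        "https://bank.example@evil.invalid/",
        "https://bank-example.invalid/",
    ]:
        print(link, "->", check_link(link, "bank.example") or "OK")
```

The padlock tells you the connection to the host is encrypted; it says nothing about whether that host is the one you intended, which is why the host comparison above is the decisive check and the scheme test is only a prerequisite.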

To defend against the poisoned Amazon listings described above:

   - Trust your gut and be on guard: if that deal is too good to be true,
   it likely is.
   - Don’t pay for anything on Amazon outside of Amazon.com or the official
   Amazon app.
   - If you’re in doubt about a deal by an “affiliated retailer”,
   ask Amazon’s official customer service.