Flying Under the Radar: Four Increasingly Common Phishes You Should Know About
If you are working in the IT trenches, you will not be surprised to learn that around 90 percent of phishing emails that are reported to us by customers using the Phish Alert Button (PAB) employ social engineering schemes that are merely thin retreads of schemes that have been around for years. Although that might strike lay readers as surprising, those who deal with phishing attacks daily know the bad guys tend to re-use tried and true social engineering schemes because they work. Oldies-but-goldies reliably generate ill-considered clicks from distracted users and security headaches for help desk staff.
The menu of common social engineering schemes used in phishing attacks is not that varied or expansive:
· fake invoices, POs, and RFQs
· fake package/parcel delivery notifications
· fake file delivery/sharing/signing notifications
· bogus online account verifications/updates
· email upgrade/update notifications
· email password expiration notifications
· email deactivation warnings
The bad guys tend to innovate more around the payloads delivered by phishing emails than the delivery vehicles themselves. Thus, the constant barrage of new ransomware variants and the steady expansion of feature-sets for backdoor trojans to make them stealthier and deadlier. Occasionally, we do see new phishing schemes, though. And while most die a quick death, some do acquire legs.
Over the past three months, we have seen four noteworthy phishing schemes that are not entirely drawn from the usual menu. While clearly inspired by several of the more common social engineering schemes familiar to readers, they are more than thin retreads. Users and IT admins should be aware of them and the particular dangers they pose for potentially gullible employees.
1. Fake Support Phishes
The bad guys have been spoofing IT help desks for years, hoping to exploit users' implicit trust in their own IT support staff to trick users into irresponsible clicks. They have also been reliably spoofing security-related messaging from trusted online institutions like banks, retailers, and other service providers where users may have accounts.
A new round of fake support phishes builds on such social engineering schemes by stealing a few tricks from tech support scams that have long been a staple of shady internet advertising (as well as dodgy call centers). In this scheme, the bad guys spoof large, trusted service providers and retailers like Amazon and Facebook, warning users in phishing emails of unauthorized logins or similar activity on their online accounts.
Instead of asking users to click an embedded link or open a malicious attachment, these emails request users dial toll-free 800 numbers to talk with support personnel for the spoofed companies.
Although we have not managed to successfully connect with any of these numbers ourselves, we strongly suspect that these toll-free numbers lead to tech support scams that request users provide unknown assailants remote access to users' desktops.
When used against home consumers such tech support scams are typically used to frighten users into coughing up money for bogus tech support necessary to fix non-existent problems on their PCs. These scams are damaging enough when deployed against clueless home consumers without much knowledge of their own PCs. The prospect of unknown scammers attempting to remotely connect to corporate desktops in a workplace environment, however, ought to be alarming.
2. iTunes Gift Card Requests
The second phishing scheme we've noticed over the past few months sees bad guys spoofing CEOs or other C-level executives in order to direct underlings to purchase iTunes gift cards for friends, family, or business partners and clients. Given that these emails clearly follow the same general script used for wire fraud and W2 phishing schemes, they can be regarded as an oddball variant of standard CEO fraud phishing attacks.
The emails attempt to engage targeted employees in an exchange designed to elicit compliance. First, the seemingly innocuous opening salvo…
When employees respond...
...they are hit with a request to purchase iTunes gift cards -- usually in an amount of hundreds of dollars:
Not all employees, unfortunately, will regard this request as odd as we do:
As with the fake support phishes we looked at just above, we suspect the bad guys behind this phishing scheme have simply borrowed a trick from another group of fraudsters -- IRS phone scammers, who pose as IRS employees and demand frightened victims purchase gift cards as a means for paying non-existent IRS debts and penalties.
When we first encountered this social engineering scheme, we were skeptical it would be around for long. We were wrong. Several months later the bad guys are still pushing these bogus requests into employees' inboxes, which tells us they must be enjoying some amount of success with it.
If there is any small comfort, it is that the amount of money targets stand to lose from this scheme is in the hundreds of dollars as opposed to the tens of thousands of dollars usually requested in CEO wire fraud phishes. And the potential legal headaches aren't anywhere near what a company could be facing following a successful W2 phish.
3. Porn Blackmail
While most social engineering schemes used in phishing attacks tend to leverage users' trust in recognized brands, institutions, or people, shame and embarrassment remain potentially powerful tools that attackers can and do use against potential victims. And despite the ubiquity of porn content on the internet, adult content continues to offer would-be blackmailers a ready-to-hand weapon to extort money from targeted individuals.
Consider the following email, variants of which we have seen hitting corporate inboxes for the past few months:
Although just one of the dozens of variants reported to us by customers, this particular email is fairly representative of the whole. It uses aggressive, demeaning, derogatory language to coerce users into coughing up money via a Bitcoin account (much as so many ransomware variants do).
And while porn blackmail schemes on the internet are not new, such schemes have tended to pounce on unsuspecting users via pop-ups at or redirects to dodgy websites, not phishing campaigns that hit users sitting in their office cubicles.
While we suspect most users will dismiss the blustering threats contained in these emails, some employees may be more sensitive and vulnerable to this scheme precisely because it hits them in their work environment, with potential employment consequences hanging over their heads. And employees burdened with such concerns may well attempt to conceal their interactions with malicious assailants from IT staff out of shame and fear -- a surefire recipe for problems should they get in over their heads while engaging with fraudsters from their corporate workstations.
4. Malicious WeTransfer Files
As noted earlier, malicious actors rely heavily on fake file delivery/sharing social engineering schemes when prosecuting phishing campaigns against corporate targets. Employees are likely to be familiar with the process of having files shared with or delivered to them via popular services like DocuSign, OneDrive, and Dropbox. As a result, many will not think twice when presented a link to a file allegedly hosted by one of these well-known services. We see a deluge of these phishing emails reported to us every day by alert customers.
These fake file delivery/sharing phishes almost always rely on spoofing trusted online services, however. A malicious email may look like your typical DocuSign email, but the links point to compromised sites hosting the bad guys' malicious content, not Docusign itself. Every now and again we might see a malicious file hosted at a legitimate file hosting service, but they are comparatively rare (at least in the world of phishing), and rarely survive more than a few hours before being taken down.
One recent phishing campaign has strayed from this pattern. Consider the following email, which actually hails from WeTransfer -- a cloud-based service that offers free accounts with the ability to send files up to 2GB:
The link in that email takes users to a PDF file download at WeTransfer.com:
The PDF, in turn, contains a malicious link...
...that points to a credentials phish at a potentially compromised Wordpress site.
What is unique about this round of phishes is that it uses WeTransfer itself to host the malicious content as well as deliver the phishing email that kicks off the entire attack. Even users who are trained to look for phishy file sharing/delivery emails may be fooled by this one, given that the initial email and download are not spoofed in the way most similar malicious emails are.
To be sure, WeTransfer does seem to be aware of the problem and is taking down malicious files as they are reported...
Given that there is almost certainly a delay between the time a malicious file goes live and the time it is taken down, users should be skeptical of files presented to them via WeTransfer that they were not expecting.
In our experience, lay users tend to overestimate their own savviness when the subject of phishing attacks arises. That alone ought to be concerning to IT admins, as overconfident users remain vulnerable to even the most common of social engineering schemes, which attempt to pass off highly malicious emails as routine, unremarkable email communication.
What is most notable -- and potentially dangerous -- about three of the four off-the-wall phishing schemes we have discussed here is that instead of persuading users to click a link or open an attachment these phishing schemes attempt to draw victims into extended communications or interactions with seasoned malicious actors -- situations in which your employees will be at a decided disadvantage, particularly if that communication is driven by fear, shame, or the urge to do the bidding of what appears to be an authoritative figure.
When the bad guys do innovate around social engineering schemes -- the delivery vehicle for malicious content in phishing attacks -- it is imperative that your users are regularly stepped through New-school security awareness training to prepare them for the new and unexpected and that your IT staff have the tools to keep tabs on potentially dangerous decisions and actions those users might be taking inside your network.