Cyber Criminals Tools & Techniques

Building on last week’s blog Cyber Criminals Exploit the Human Factor, this week we’ll explore a little more detail around the tools and techniques used by Cyber Criminals to convince selected and targeted individuals to take action.

To be effective in obtaining credentials and/or sensitive information through phishing attacks Cyber Criminals rely on an arsenal of tools and techniques. These are focused on building rapport with selected individuals, creating situations that appear to be authentic, and help to establish credibility and typically a sense of urgency.

Social Engineering

Social engineering principles form the core of the majority of attacks. These range from simple lures designed to appeal to our curiosity, for example a fake invoice sent to the Accounts Payable Department, or a Job Description for an attractive role/vacancy sent to an IT Department Systems Administrator.

More sophisticated approaches can include union action over a fabricated unresolved Health and Safety incident or media exposure of non-conformance to government procurement guidelines. Themes can vary based on Cyber Criminal groups, industry type and selected individuals. Typical themes spanning most industry types include Love, Money, Food and Real Estate.

The Carbanak Campaign

A well known example is the Carbanak campaign, predominantly targeting financial institutions for the purpose of monetary theft. A Windows based malware payload was introduced via phishing emails and has been reported to have resulted in the theft of over $900 Million USD from Banks and selected individuals. The email attack used authentic looking lures with professional documentation in the form of attachments that distributed multiple strains of malware. The email author claimed to have been double-charged and demanded an urgent resolution. It used stolen vendor branding and claimed to be protected by that vendor’s technology. The instructions provided for decrypting the document were actually the steps required to enable macros and allow the installation of the malware.

Real Estate Lures

Real estate transactions typically involve multiple parties, a degree of urgency, and the opening and exchanging of both personal information and digital signatures. This is why they represent a frequent target for Cyber Criminals using phishing and malware attacks. DocuSign, a trusted source for electronic signatures, is routinely abused using Brand Impersonation along with Real Estate and Bank Portals that look legitimate. The processes of buying a home and/or applying for a rental property create readily exploitable opportunities, especially when the selected individuals are not familiar with the many steps involved.

Fake Jobs

An increasingly effective tactic, especially as economies commence rebuilding post COVID-19, is the fake job ad. These typically use multiple points of contact to establish a relationship with the selected individual. Popular career platforms such as LinkedIn are used to send invitations from a legitimate account to the selected individual. These are then followed up with personalised emails without any malicious content. At some stage in the ongoing exchange, once a rapport has been built, the Cyber Criminals send the malware bearing email. Selected individuals, typically with access to corporate accounts or sensitive information, are targeted with the ultimate aim of initiating fraudulent money transfers or obtaining sensitive personal and/or business information. In most cases the Cyber Criminals impersonate a known business leader in a position of authority.

Brand Theft

Believable (but fake) domains and web presences tangibly support social engineering efforts. Fraudulent Websites using stolen branding and registered domains resembling real brands are all part of the Cyber Criminals’ arsenal. Look-alike domains are becoming increasingly sophisticated and are close enough to the original that they are infrequently questioned. Legitimate sounding variations of known brands provide Cyber Criminals with the ability to execute account fraud, also known as angler phishing, impostor email attacks and more.

Legitimate Platform Abuse

Cyber Criminals are increasingly taking advantage of file-sharing and collaboration tools as businesses move to Software as a Service platforms. This is made easier by business familiarity and whitelisting, which allow easy distribution of malware and phishing templates. Frequently abused platforms include:

  • Google Drive and Microsoft Office 365
  • Box and Dropbox
  • MailChimp and SendGrid
  • Payment services allowing outbound mailing of invoices
  • Social Media Platforms

These services readily leverage the human factor as we work from a position of trust, opening links received via email without considering the potential for malware or reconnaissance leading to credential theft. Targeted infiltration of a SaaS platform enables secondary attacks that are hard for users to detect or identify. It allows for internal phishing and can result in credential dumps that are used for credential stuffing or brute-force attacks.

Impostor Attacks

Impostor attacks utilize a range of techniques to convince targeted individuals they are communicating with a trusted entity. These include display-name spoofing, where the email appears to be coming from a known trusted source; domain spoofing, where an attacker appears to use a company’s domain to impersonate a company or employee; and look-alike domains. The basis of these attacks is Identity Deception, as opposed to more common attacks simply using throwaway attacker-owned addresses and domains, and they are proving to be highly effective.
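As an added illustration (not code from the original post or from Click Studios), the following Python check flags the three identity-deception patterns described above, and the look-alike domains from the Brand Theft section, over constructed From headers. The trusted domains, the executive name and the Authentication-Results text are assumed sample values a mail gateway or SIEM rule would be configured with.

```python
import re
from email.utils import parseaddr

# Constructed sample values: domains the organisation and its vendors really
# send from, and an executive name that impostors like to borrow.
TRUSTED_DOMAINS = {"example-bank.com", "example-vendor.com"}
TRUSTED_NAMES = {"jane doe"}

# Character substitutions commonly seen in look-alike domains.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalise(domain):
    """Collapse common substitutions so a look-alike compares equal to the brand."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Edit distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, auth_results=""):
    """Return the sorted identity-deception indicators found for one message."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    if domain in TRUSTED_DOMAINS:
        # Our own domain in From: genuine unless SPF/DKIM show it was forged.
        if re.search(r"\b(spf|dkim)=fail", auth_results):
            findings.append("domain-spoofing")
        return findings
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if (normalise(domain) == normalise(trusted)
                or levenshtein(domain, trusted) <= 2 or brand in domain):
            findings.append("look-alike-domain")
        if brand in name.lower():
            findings.append("display-name-spoofing")
    if any(n in name.lower() for n in TRUSTED_NAMES):
        findings.append("display-name-spoofing")
    return sorted(set(findings))
```

A real deployment would take the Authentication-Results header written by the receiving MTA rather than a free-text string, but the decision logic is the same.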

How can Click Studios Help?

Another element of the human factor is the reuse of passwords. Recent research suggests that greater than 40% of businesses have at least one compromised account and 6% of businesses have at least one VIP account that is compromised. This makes internal phishing and Business Email Compromise easy for Cyber Criminals.

Click Studios Passwordstate, an on-premise web based solution for Enterprise Password Management, facilitates unique account and password combinations for all systems. Passwords can automatically be reset on a scheduled basis and only be accessed by authorised users via Role Based Access Control, and full end-to-end auditing keeps track of who has accessed the credentials and when.

As always, we welcome your feedback via