Phishing takes place when a fraudster tricks an individual into sharing sensitive information (account numbers, Social Security numbers, login credentials, etc.) by way of fraudulent emails, texts, or counterfeit websites. Phishing can also enable a scammer to gain access to a computer or network so that they can install malware, such as ransomware, on a victim's computer. Phishers achieve this by spoofing the familiar, trusted logos of established, legitimate companies. Alternatively, they may pose as a friend or family member, and they are often successful in completely deluding their targets.
Some Current Phishing Threats
- Stealth Mango (Android) and Tangelo (iOS), discovered by Lookout Security Intelligence, are surveillanceware tools that target government officials, diplomats, activists and military personnel, specifically in Pakistan, Afghanistan, Iraq, India and the UAE. According to Lookout Security, “data from U.S., Australian, and German officials and military have been swept up in the campaign we believe is being run by members in the Pakistani military.”
- A fake eFax email deceives recipients by telling them they have received ‘a new eFax’ and that they need to click on a link button in the email to retrieve the document. The link goes to a phishing page. This is not a new attack, but it has recently been spotted in emails again.
- Email filtering company MailGuard has picked up a fake E-Toll notification containing an infected .doc file. According to MailGuard, the file contains a malicious macro that will download malware to the victim’s computer. The notification also includes the logos of Microsoft Office and MailGuard in order to appear authentic. It even goes as far as to claim that “this document is protected by MailGuard”.
- DHL branding was mimicked and fake shipping notifications were sent out, asking recipients to download an attached file that contained highly destructive trojan malware.
- The Twitter verification phishing site is still live. From late last year through early 2018, some Twitter accounts launched a promoted tweet campaign, which had been approved by Twitter. In actuality, it was a phishing attempt. The phishing site, linked to the promoted tweets, claimed that, “to prevent identity confusion, Twitter is now offering the ‘verification form.’ We’re working the establish authenticity with people who deal with impersonation or identity confusion on a regular basis. Accounts with a [blue checkmark] are the official accounts.” It then asks users to fill out information about how many followers they have, their phone numbers and their account passwords.
- Gmail’s new Confidential Mode may invite link-baiting phishing attacks. According to analysis by ComputerWorld, “Confidential Mode works by storing your email in a secure space on Google servers in the cloud. When both sender and recipient use Gmail, the email appears normal. But recipients who do not use Gmail get a link for viewing the email in a browser. The messages you send or receive via Confidential Mode are not actually email. The link is an email, but the message is an email-looking page on the internet that’s password-protected. Emails containing the link can, in fact, be forwarded, but only the intended recipient can successfully open the link. When someone gets one of these forwarded mails, they’re prompted for their Google login username and password to determine whether or not they’re the intended recipient. This is problematic, because it invites link-baiting phishing attacks, which could con people into revealing their login information.”
- A phishing campaign targeting Apple users seeks to dupe victims into updating their profiles in preparation for the EU’s General Data Protection Regulation (GDPR) policies, which go into effect on May 25. This is just one of many scams exploiting the coming implementation of GDPR policies.
- Phishing Campaign on Instagram:
- On May 8, a Bleeping Computer article covered a zero-day vulnerability known as baseStriker. It "allows miscreants to send malicious emails that bypass security systems on Office 365 accounts. Discovered on May 1, 2018, by security researchers from Avanan, baseStriker is a flaw in how Office 365 servers scan incoming emails. But baseStriker isn't just a random vulnerability that researchers found after weeks of pen-testing. Avanan says it discovered baseStriker as part of real-world attacks. 'So far we have only seen hackers using this vulnerability to send phishing attacks, but it is also capable of distributing ransomware, malware and other malicious content,' Avanan's Yoav Nathaniel wrote in a report published today."
- "Rules of Conduct" Office 365 phishing email scam, written about by Bleeping Computer at the end of April, "pretends to be from a company's human resources (HR) department and requests that the recipient read and acknowledge an attached 'Rules of Conduct' document. This document, though, prompts you to login at a fake Office 365 login prompt, which is used to steal your credentials."
- Phishing via "voice squatting" attacks is a new way of targeting Amazon Alexa and Google Home Assistants. The idea is to lure the user into opening a malicious app by using voice triggers comparable to those in authentic apps, and then use the malicious apps to either phish users for sensitive data or eavesdrop on their surroundings.
According to Verizon's 2018 Data Breach Investigations Report, 90% of cyberattacks begin with phishing. And, the rate at which mobile enterprise users get tricked into becoming victims of phishing attacks has increased 85% every year since 2011, according to Lookout Security. Add to that the fact that mobile devices are becoming popular phishing targets and it becomes clear that phishing attacks aren't going away anytime soon.