By Jack M. Germain
Jun 26, 2020 4:00 AM PT
With much of the workforce conducting business from home to escape the pandemic, scammers have revved up their trickery to scare victims into falling for credential harvesting schemes.
Two new reports lay bare the new twists digital scammers are putting on old approaches to get you to unwittingly give up login credentials for your personal or company online banking and server portals. The two reports focus on how to avoid becoming a corporate or consumer victim.
One new twist detailed by Armorblox threatens to recycle inactive addresses unless the would-be victims immediately update and confirm their account details. This results in fearful recipients entering their legitimate email addresses and password information.
The second report, by email phishing protection firm INKY, reveals the intricate directives of a credential harvesting phishing email. These emails impersonate the United States Department of Justice by using a malicious link with real logos mimicking government websites.
A phishing email scam which gives the appearance that the sender is the U.S. Department of Justice.
Credential harvesting is largely considered the foundation of email phishing. It is the easiest way for anyone to get into your secure files. They simply use your password that you gave them, explained Dave Baggett, CEO and co-founder of INKY.
“In terms of the overall rate of phishing generally, we have seen nearly a three-times increase in phishing emails since the pandemic started,” Baggett told TechNewsWorld.
Banking on Phishing
Last week, Armorblox, a cloud office security platform that protects inbound and outbound enterprise communications, released its latest discovery of a new credential phishing attempt. The report details how cybercriminals use an email with a malicious link leading to a fake website. The landing page painstakingly resembles the Bank of America login page.
This credential phishing site is made to look like the Bank of America home page. Notice that the beginning of the URL in the browser address field is not for the bank. However the bank’s name is used elsewhere in the URL to try and fool visitors to the page.
Armorblox co-founder and architect Chetan Anand reported the latest credential harvesting ploy in the company’s blog.
“Adversaries are always mixing and matching existing phishing tricks, plus adding some new ones, to circumvent any organizational measures that increase security,” Anand told TechNewsWorld.
His report details some examples of security measures and explains how this attack sidesteps them. The newly discovered attack phished for Bank of America credentials to sidestep any Single Sign-On (SSO) or Two Factor Authentication (2FA) measures in place.
In this case, attackers also asked targets security-challenge questions to increase attack legitimacy and obtain even more personal information. To successfully pass email authentication checks, the attackers sent the email from a reputed domain and created a zero-day domain for the phishing site to escape detection by threat feeds, he explained.
This new packaging of credential harvesting attacks is increasingly prevalent today, Anand noted. This type of attack is being aimed at organizations of all sizes, but especially small and medium-sized businesses (SMBs) that may not have all their security processes in place yet.
“If an attacker gets hold of email credentials of an employee from an SMB, this email account is then weaponized to launch attacks both within the SMB and on customers, partners, and vendors,” Anand said.
Unlike most other criminals, cybercriminals pursuing credential harvesting scams lead a relatively stress-free life of crime, according to Baggett’s report on the INKY blog. Their biggest worry is whether or not you will type in your password.
The modern-day credential harvesting phishing attack is easy to pull off. It has six simple steps, he explained.
The steps are simple to carry out, and it is even easier to be victimized by them. This is the process:
- The hacker sends a phishing email.
- You’re encouraged to click on a link and perform a task.
- The link takes you to a PHONY web page.
- You are tricked into entering your email address and password.
- The hacker retrieves your password from his server.
- The hacker exploits your harvested credentials.
Remember, your speed in clicking that link is what the cybercriminal counts on.
“The fundamental problem is that the tactics phishers now use generalize very well. Deceptive text tricks, for example, can take many forms,” Baggett explained.
Why It Works
Sophisticated attackers know that Secure Email Gateways (SEGs) and other filters look for known scam-indicative patterns, according to Baggett. So they hide the deceptive text from the SEG, and do it in a way that does not look odd to the user.
For example, an SEG may have a rule where it looks for the text “Office 365 Voicemail” because emails with this text have been reported as phishing. One deceptive text tactic is to replace letters in scam-indicative text with other Unicode characters that look similar.
Security experts call these “confusables” because humans easily confuse them. The attacker can, for example, replace the letter “O” with any of these Unicode characters:
Any characters that show up as a box are just missing from your font software. While few of these look exactly like a normal letter “O,” they can all be quite easily confused with a normal letter “O.” The recipient might think that the font is a bit funny or there is dirt on the screen, noted Baggett.
To detect this tactic, the SEG has to look not just for “Office 365 Voicemail,” but all possible variants that an attacker could create using Unicode substitutions. That is an incredibly huge number — far too many to just list out in a ruleset — and there are many other similarly general tricks the attackers can use, too, explained Baggett.
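The detection problem described above (every Unicode substitution of a scam-indicative string, far too many to enumerate in a ruleset) is usually attacked by normalizing the text before the rules run, rather than by expanding the rules. The following is an added example, not INKY's or Armorblox's code: it folds compatibility characters (fullwidth and mathematical letters, ligatures) with Unicode NFKD, drops combining marks and zero-width format characters, and maps a small, constructed subset of look-alike letters back to ASCII before matching the rules. The confusables table here is deliberately tiny for illustration; a real gateway would load the full Unicode confusables data (UTS #39) instead. The sample email text and the rule list are constructed for the example.

```python
import re
import unicodedata

# Constructed subset of look-alike characters -> ASCII. The full Unicode
# confusables table (UTS #39, confusables.txt) has thousands of entries.
CONFUSABLES = {
    "\u041e": "O",  # Cyrillic capital O
    "\u043e": "o",  # Cyrillic small o
    "\u03bf": "o",  # Greek small omicron
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u0441": "c",  # Cyrillic small es
    "\u0440": "p",  # Cyrillic small er
    "\u0455": "s",  # Cyrillic small dze
    "\u0445": "x",  # Cyrillic small ha
}

# Constructed scam-indicative phrases an SEG rule might look for.
RULES = [
    "office 365 voicemail",
    "your account will be disabled",
    "confirm your account details",
]


def normalize_confusables(text: str) -> str:
    """Collapse Unicode disguises so rule matching sees plain letters."""
    decomposed = unicodedata.normalize("NFKD", text)  # fullwidth, ligatures, accents split off
    out = []
    for ch in decomposed:
        cat = unicodedata.category(ch)
        if cat in ("Mn", "Cf"):  # drop combining marks and zero-width/format chars
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return unicodedata.normalize("NFC", "".join(out))


def _canonical(text: str) -> str:
    return re.sub(r"\s+", " ", text.casefold())


def rule_hits_raw(text: str) -> list:
    """Naive matching on the raw text: this is what the substitution trick evades."""
    raw = _canonical(text)
    return [r for r in RULES if r in raw]


def find_scam_indicators(text: str) -> list:
    """Rule matching after confusable normalization."""
    norm = _canonical(normalize_confusables(text))
    return [r for r in RULES if r in norm]


# Constructed sample: Cyrillic/Greek look-alikes plus a zero-width space
# inserted into "Voicemail" to break naive substring rules.
SAMPLE = (
    "New \u041eff\u0456ce 365 V\u03bf\u200bicemail received. "
    "Please c\u043enfirm your acc\u043eunt details before it is disabled."
)

if __name__ == "__main__":
    print("raw rules   :", rule_hits_raw(SAMPLE))         # []
    print("normalized  :", find_scam_indicators(SAMPLE))  # two hits
```

Running the block shows the raw rule set matching nothing while the normalized pass reports both phrases. The same normalization step belongs in front of any keyword or signature rule, including ones on URLs and display names, since the trick generalizes to any text a filter inspects.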
Diverse Call to Action Gotchas
Bad actors lure users into responding by notifying them of a new document, voicemail, fax, or invoice. Another approach is the Helpdesk phishes that tell users they need to confirm or update their account, or it will be disabled.
“With the coronavirus pandemic, we’re starting to see more government impersonations offering health tips, relief funds, or the ability to track new cases in their area,” said Baggett.
No one-shot panacea exists to help consumers and business IT catch or prevent these phishing scams from working, according to Anand. So, organizations need to balance a variety of security measures and process changes to improve their response posture to phishing attacks.
Native and third-party security controls, employee awareness, enforcing policies like SSO and 2FA, and having rapid automated incident response all play a part in defusing credential harvesting attacks.
“In the case of this Bank of America attack, the biggest red flag is the ‘context red flag’ that crops up the more you think about the email, i.e. Bank of America won’t send an email to your work address with a request to update credentials. But busy employees often don’t have the time or luxury to think about every email in their inbox and end up following through on the email’s action,” Anand said.
What Else to Do
Baggett recommends consumers and business IT do two things to catch or prevent these credential harvesting scams from working. First, put sophisticated software-based mail protection in place so the machines block the vast majority of these scams before delivery and users never interact with them.
Second, train users to be suspicious of email in general. While humans can’t discern real emails from fake ones, it is still a good idea to use phishing awareness training to teach users not to trust their eyes when it comes to email. Above all, always verify any sensitive email through another, separate communication channel.
“In other words, teach users to pick up the phone, send a Slack message, etc. to verify that the mail they are looking at really is from who it appears to be from,” said Baggett.
As an example, INKY facilitates this preventative measure by putting yellow warning banners on emails with sensitive content such as wire requests, password reset requests, etc. INKY counters the Unicode confusable cloaking technique by rendering the mail pixel-for-pixel, so that INKY’s software “sees” the mail as the human recipient will.
This allows INKY to match the text in the email in a “fuzzy” or approximate way based on visuals. For instance, it recognizes the general shape of the letterforms rather than the specific letter identities.
Human Brain Responses
Anand favors email recipients using some basic analysis to thwart credential harvesting scams. He agrees that busy employees can’t look at every email with the rational, slower thinking part of their brain. But they can learn to be wary of identity, behavior, and language signals in the emails they read.
For example, under identity, users should confirm that the email is actually coming from the person/organization that it claims to come from, including domain, sender name, etc. Under behavior, users should question whether the email is consistent with previous behaviors exhibited by the email sender. Ask yourself if Bank of America usually sends emails to your work address. Under language, users should be wary of any email that attempts to trigger urgency, fear, and authority.
“It is unfair to put all this onus on the end-users. Organizations should look to invest in native and third-party email security controls that analyze these signals and more,” suggested Anand.
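The three signals Anand lists (identity, behavior, language) can be checked automatically on the headers and body of a message. The example below is added here and is not Armorblox's or INKY's code: it parses a constructed email with Python's standard `email` library, flags an identity mismatch when the display name claims a brand but the sending domain is not one the brand is known to send from, flags a behavior anomaly when the sending domain has never been seen in the mailbox's history, and flags urgency or fear language in the body. The brand-to-domain allowlist, the sender history and the phrase list are assumptions constructed for the example, of the kind an organization would maintain itself.

```python
import email
from email.policy import default

# Assumed allowlist: brand name claimed in a display name -> domains the
# brand is expected to send from. Values constructed for the example.
BRAND_DOMAINS = {
    "bank of america": {"bankofamerica.com"},
    "department of justice": {"usdoj.gov"},
}

# Constructed sender history for the mailbox being analysed (behavior signal).
KNOWN_SENDER_DOMAINS = {"corp.example", "vendor.example"}

# Constructed urgency / fear / authority phrases (language signal).
URGENCY_PHRASES = [
    "immediately", "within 24 hours", "will be disabled", "will be recycled",
    "update and confirm", "failure to", "final notice",
]


def identity_signal(msg):
    """Return (sender_domain, brands claimed in the display name but not sent from a known brand domain)."""
    from_hdr = msg["From"]
    addrs = from_hdr.addresses if from_hdr else ()
    if not addrs:
        return "", []
    name = addrs[0].display_name.casefold()
    domain = addrs[0].domain.casefold()
    claimed = [b for b in BRAND_DOMAINS if b in name]
    mismatched = [b for b in claimed if domain not in BRAND_DOMAINS[b]]
    return domain, mismatched


def behavior_signal(domain):
    """True when this mailbox has never received mail from the sending domain."""
    return domain not in KNOWN_SENDER_DOMAINS


def language_signal(body):
    """Phrases that push the reader to act fast or fear a consequence."""
    text = body.casefold()
    return [p for p in URGENCY_PHRASES if p in text]


def analyse(raw):
    msg = email.message_from_string(raw, policy=default)
    domain, mismatched = identity_signal(msg)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    urgency = language_signal(body)
    flags = {"identity": mismatched,
             "behavior": behavior_signal(domain),
             "language": urgency}
    # Simple additive score; a real control would weight and tune these.
    score = len(mismatched) + int(flags["behavior"]) + len(urgency)
    return {"sender_domain": domain, "flags": flags, "score": score}


# Constructed sample messages.
PHISH = """\
From: Bank of America Alerts <alerts@secure-login-update.example>
To: employee@corp.example
Subject: Update your account details
Content-Type: text/plain; charset="utf-8"

Your online banking profile is inactive. Accounts not confirmed
immediately will be recycled. Please update and confirm your account
details at the link below.
"""

BENIGN = """\
From: IT Helpdesk <helpdesk@corp.example>
To: employee@corp.example
Subject: Quarterly timesheet
Content-Type: text/plain; charset="utf-8"

Your quarterly timesheet is ready for review.
"""

if __name__ == "__main__":
    print(analyse(PHISH))   # score 5: brand mismatch, unknown domain, 3 urgency phrases
    print(analyse(BENIGN))  # score 0
```

The identity check is deliberately conservative: it only fires when a display name claims a brand the organization has listed, which keeps false positives low while catching exactly the "Bank of America mail from a domain that is not the bank" case the article describes.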