True North Networks Blog
Coronavirus-themed attacks proving more successful than typical phishing campaigns
Phishing emails try to ensnare potential victims by highlighting a subject designed to intrigue or alarm them. Often, they feature some topic in the news as a way to catch the recipient's attention. With the coronavirus striking panic around the world, cybercriminals have been exploiting the outbreak for their latest phishing campaigns. Apparently that strategy is working, according to Menlo Security.
In a report published on Wednesday, Menlo found a booming success rate in COVID-19-related phishing attacks. From February 25 to March 25, the volume of successful daily attacks rose from 200 to 6,400; that figure counts the people who clicked a link in a coronavirus-themed phishing email and reached a malicious website. The surge began on March 11, the day the World Health Organization declared the outbreak a pandemic, and has continued to grow since.
Phishing emails often employ a single technique or attack type, giving security products the necessary clues to combat them. But with the latest coronavirus-themed campaigns, cybercriminals have been using different strategies, such as leveraging email, PDF attachments, and SaaS services. In one example cited by Menlo, an attacker implemented a phishing campaign directed toward key executives and financial employees at certain organizations with the goal of stealing their account credentials.
To carry out the attack, the person behind it conducted the necessary research beforehand. This helped the attacker create a personalized email with a footer and layout that mimicked the emails used by the targeted organizations. As composed, the email itself claimed to be from the CEO of each organization with critical COVID-19 employee information.
Instead of putting an obvious link in the body of the email, the attacker included a PDF attachment that contained a shortened URL. Placing the link in the attachment helps the email evade traditional security products. Plus, PDFs are often considered safe and are allowed to pass through many security filters.
Next, the attacker used an actual Microsoft service to host the form that asked targets to enter their usernames and passwords. Using a respected SaaS service, instead of a fake one, is another way to help these types of attacks elude most security protection. Enterprise SaaS-based attacks are becoming more prevalent, according to Menlo, which said that 97% of these attacks use just five popular SaaS services.
In the end, the email seemed to come from the CEO, contained a "safe" PDF attachment and directed people to a well-established Microsoft service. With that multi-layered scheme, the attack was able to successfully bypass existing security defenses and trick people into opening the form that prompted them for their credentials.
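The layered pattern just described (executive display name on an external sender, a pandemic-themed subject, a shortened URL hidden in a PDF, and a credential form on a legitimate SaaS host) lends itself to a simple scoring heuristic on the receiving side. The example below is added here and is not Menlo's or the article's code; the domain, executive names, shortener list, form host and the sample message are all constructed assumptions, and the attachment text and resolved URLs are taken as already extracted by an upstream mail gateway or URL-detonation step.

```python
import re
from dataclasses import dataclass, field

# Assumed organization data (constructed for this example): our own mail
# domain and the executive names an impersonator would borrow.
OWN_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}

# Assumed signal lists: common URL shorteners and a legitimate SaaS form host
# (the article does not name the Microsoft service that was used).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}
SAAS_FORM_HOSTS = {"forms.office.com"}

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class Email:
    display_name: str
    from_address: str
    subject: str
    attachments: dict = field(default_factory=dict)    # filename -> extracted text
    resolved_urls: dict = field(default_factory=dict)  # short URL -> final destination


def hosts_in(text):
    """Lower-cased hostnames of every http(s) URL found in text."""
    return {m.group(1).lower() for m in URL_RE.finditer(text)}


def score_email(mail):
    """Return (score, reasons); each matched layer of the pattern adds one point."""
    reasons = []
    sender_domain = mail.from_address.rsplit("@", 1)[-1].lower()
    if mail.display_name.lower() in EXECUTIVE_NAMES and sender_domain != OWN_DOMAIN:
        reasons.append("executive display name on an external sender address")
    subject = mail.subject.lower()
    if "covid" in subject or "coronavirus" in subject:
        reasons.append("pandemic-themed subject line")
    for name, text in mail.attachments.items():
        if name.lower().endswith(".pdf") and hosts_in(text) & SHORTENER_HOSTS:
            reasons.append(f"shortened URL carried inside PDF attachment {name}")
    for short, final in mail.resolved_urls.items():
        if hosts_in(final) & SAAS_FORM_HOSTS:
            reasons.append(f"{short} resolves to a hosted form on a legitimate SaaS domain")
    return len(reasons), reasons
```

A message matching all four layers scores 4; routing anything at 3 or above to quarantine or to a human reviewer is one reasonable policy, since no single signal (a PDF, a shortener, a Microsoft-hosted form) is malicious on its own.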
With the coronavirus spreading, such phishing attacks are likely to increase, while attackers are expected to continue to evolve their techniques. Since these types of attacks are able to avoid typical security protection, they are difficult to thwart. Still, organizations obviously need to protect themselves from these threats. How can they do that?
"The use of single sign-on (SSO) products or increasing the frequency for password changes can help," Menlo Security Chief Technology Officer Kowsik Guruswamy said. "But the unfortunate reality is that there really is not a good way for organizations to protect themselves against these types of attacks. One of the challenges the industry faces today is that most products and security strategies rely on an attack having been identified previously. The number of successful attacks that we read about in the news demonstrates that criminals are able to innovate and evolve their tactics to bypass the defenses in place."
Since phishing emails often end up in the inbox of employees, what can individuals do to protect themselves?
"Employees need to be hyper-vigilant and evaluate any email that covers the COVID-19 topic right now," Guruswamy said. "To mitigate some of these attacks, they should make sure they do not use the same passwords for multiple accounts and change their passwords more frequently. There is a surge in COVID-19-based attacks and we do not see the growth in attacks flattening. The problem is after COVID-19, criminals will move to another tactic and different techniques."
Pointing to one type of defense, Menlo advises organizations to adopt a threat isolation strategy against these attacks. By isolating all browser traffic, potential threats can be contained.
"Isolation refers to a security technology available today that allows a company to separate their employees from the public web while providing full access to the Internet," Guruswamy explained. "The technology also can block the entry of user credentials on phishing sites to protect users from being tricked into entering information or uploading unauthorized data. Isolation is used by eight of the 10 largest banks in the world and large government agencies such as the Department of Defense."