This campaign tries to steal account credentials by convincing users that their email service has quarantined three messages, says Cofense.
Savvy cybercriminals who specialize in phishing attacks are continually devising new strategies to lend greater authenticity to their handiwork. The goal is to concoct phishing emails and landing pages so convincing that they can fool even the most sharp-eyed user. A new phishing campaign described by phishing awareness provider Cofense in a Friday blog post uses several tactics to appear legitimate.
As analyzed by the Cofense Phishing Defense Center, this phishing attack is directed toward employees within an organization. Impersonating the technical support team of the user’s employer, the campaign pretends to have quarantined three email messages, blocking them from reaching the recipient’s inbox.
SEE: Cybersecurity: Let’s get tactical (free PDF) (TechRepublic)
Clicking on a link promises access to these messages but instead directs the person to a phishing page. The user is then prompted to sign in with their email account credentials, which are then captured by the attacker.
The campaign seems convincing in a variety of ways, according to Cofense. By spoofing the account of the internal support staff, the phishing email appears to come from a trusted source. The quarantine notice sounds real, even claiming that the quarantined messages failed to process and must be reviewed to confirm their validity.
Further, the notice has an air of immediacy by saying that two of the messages are considered valid and will be deleted in three days unless action is taken. Such a notice could convince the recipient that these are messages of importance to their organization, requiring a quick response to review them before they’re gone.
The landing page is where the scam really pulls a clever trick. Clicking the “Review Messages Now” link in the email takes the user to this page. Rather than appear as some generic form, the landing page is unique to the specific employer. That’s because the page on display is the actual company’s home page but with a phony login panel overlaid on top.
The user can even move the login panel around the screen to see that the page is a familiar one for their organization, which instills a certain degree of comfort. The login panel asks the user to sign in to their company account. Those credentials are then passed along to the attackers, who now have access to the organization through one single account.
To direct employees to their specific organization’s home page, the attackers refer to the address and domain name of the original recipient of the phishing email. The domain name is then captured and used as a parameter to pull up the associated home page.
The phishing emails have already gotten through different security email gateways and have targeted a variety of industries. How can organizations and individuals better protect themselves against these types of phishing attacks?
“In the past, you could simply check the From email address and see if it looked legitimate,” Michael Callahan, senior vice president Global Marketing at Cofense, told TechRepublic. “With the advancement of phishing techniques, it’s becoming more difficult to quickly detect. Obviously, if an email is promising you riches, a new car or worldwide fame, it’s probably not legitimate. But, that same sense you get from something obvious will be piqued with advanced techniques as well. Anything that asks for credentials or tries to create urgency or, based on your experience with phishing simulations doesn’t feel right, probably isn’t. That extra few minutes is worth saving your organization from potential breach, ransomware attack, or other theft.”