Email volume has surged, and so too have phishing attacks. And it’s not just the volume or frequency of attacks that’s a concern: it’s their evolving, AI-fueled sophistication that’s so troubling. To better target victims, attackers are constantly updating and modifying their phishing techniques. Let’s explore some novel email phishing scams recently caught by cybersecurity researchers.
Pastejacking: So-called “pastejacking” is a clever technique in which threat actors trick victims into copy/pasting and running malicious code on their devices. The attack begins with a phishing email containing sentences that invoke urgency, urging the recipient to open an HTML attachment. When the document gets opened, a fake OneDrive folder appears, yet it cites some error message with the Microsoft cloud storage service. The victim then gets shown a “How to Fix” button, offering step-by-step instructions on how to open a Windows terminal and PowerShell console and paste certain lines of code. When victims follow these instructions, malware gets immediately loaded, allowing ready access to the user’s data and environment.
Phishing via Google Drawings: Researchers recently stumbled upon an interesting phishing attack where scammers leverage Google Drawings, a collaborative drawing tool, to evade detection. With this trick, the user gets presented with an Amazon account verification link, appearing as a graphic hosted on Drawings. Since security teams categorize this tool as safe, the phishing email flies under the radar, undetected. Because the message appears urgent to the user, they click on the verification link containing a URL that’s also masked using a WhatsApp URL shortener. When the victim enters the mock Amazon page, they are asked to complete a security check which involves entering personal data such as date of birth, phone number, billing address, and credit card details.
Abuse of URL protection services: Security tools have become more effective at detecting malicious URLs. To overcome this obstacle, scammers are increasingly abusing URL protection services, something originally designed as an anti-phishing measure. How do they work? Basically, URL protection rewrites links received by business email accounts and directs them back to the protection service which scans the original link for maliciousness. If no threat is found, users are redirected back to the original URL. Bad actors somehow hack into business accounts that use URL protection services and then re-write and re-embed their own phishing URLs. Once this gets done, re-wrapped URLs are employed in targeted phishing campaigns. As of late, most URL protection providers are unable to tell whether the URL protection service is being used by a legitimate customer or an intruder.
Mass phishing attacks with traces of spear phishing: Researchers are discovering a new trend in email phishing attacks that appears to comprise a blend of spear phishing and mass phishing techniques. Spear phishing and mass phishing attack techniques are typically different. Spear phishing targets specific individuals (or groups) using email content and a style that mimics trusted entities. In contrast, mass phishing campaigns send generalized emails to a large pool of addresses. Since late 2023, mass email messages have shown signs of personalization, where recipients are addressed by their name or company. Sender names are spoofed to add an air of authenticity. This evolution indicates that attackers are harnessing AI-powered tools to mass-personalize attacks and enhance email designs, delivery and content.
Real-time phishing: A certain flavor of a man-in-the-middle attack, real-time phishing was designed to bypass traditional two-factor authentication mechanisms. For example, potential victims receive phishing emails (or messages) directing them to a fraudulent banking website. When users enter their credentials, namely usernames and passwords, one-time passwords or codes, they are stolen by fraudsters. Users are redirected back to their original banking site because the spoofed pages are connected to the bona fide banking website. Such real-time phishing attacks are fairly common now. Ready-made phishing kits are available on dark web markets, capable of bypassing traditional multi-factor security controls.
Other hacking techniques used to phish individuals include the use of Microsoft forms, QR codes, chatbots, and other multi-channel methods combining email phishing with SMS, instant messaging, social media, and collaboration tools. Phishers are also known to exploit recent world events such as the global CrowdStrike outage and the Paris Olympics.
How to respond to the threats
Here are three ways organizations can mitigate phishing attacks:
- Improve user resilience through regular training: Teach employees the importance of cybersecurity and the need to remain vigilant and cautiously aware. Conduct phishing simulation tests to train users on identifying scams. Include training on topics such as social media, deepfakes, and business email compromise (BEC). Educate users on the latest phishing techniques via newsletters and communications. Encourage the reporting of suspicious emails to prevent contagion.
- Use PKI-based or FIDO2-based MFA: Attackers can bypass traditional multi-factor authentication (MFA). By using a smart-card based MFA or an MFA that uses a physical token (phishing-resistant MFA), teams can reduce e the risk of a successful phishing attack.
- Streamline phishing policies and protocols: All organizations must mandate that employees read, sign, and agree to an Acceptable Use Policy. The policy should emphasize the importance of using strong passwords (and password managers), keeping systems and software regularly updated, and avoiding the use of unauthorized software, unsecured IoT devices, and unauthorized personal computers (shadow IT).
For mitigation to succeed, teams must think of these response techniques as a continuous process of understanding phishing techniques as they evolve, adapting security controls, policies and processes, as well as educating and empowering employees with the right knowledge, awareness training, and skills.
Erich Kron, security awareness advocate, KnowBe4
