The Latest in Phishing: October 2017

We bring you the latest in phishing statistics and attacks from the wild.

Phishing Statistics and News:

• Our data reveals that end users are getting better at identifying phishing scams. Released in September, our 2017 Beyond the Phish™ Report examines how real end users are performing on security awareness topics including and beyond phishing. Download the full report to learn more.
• PwC has identified that current employees “remain the top source of security incidents” in its 2018 Global State of Information Security® report. The survey drew from the responses of “9,500 executives in 122 countries and more than 75 industries.” To read the full report, visit the PwC website.
• Despite increased cybersecurity spending, fewer than half of SMB IT professionals feel confident that they can deflect phishing attacks and data breaches, according to the results of a new survey report from Cyren and Osterman Research. The benchmarking survey also revealed that 29% of SMB IT managers experienced a successful phishing attack in the past year, and more than half reported being the victim of at least one breach. More high-level stats from this report can be found on TechRepublic.
• According to the Webroot Quarterly Threat Trends Report, more than 46,000 new phishing sites are created per day. Analysis shows that phishing is the top cause of data breaches, with Webroot stating that “today’s phishing attacks are highly targeted, sophisticated, hard to detect, and difficult for users to avoid.”

Increase your security response team's efficiency with PhishAlarm Analyzer

Phishing Attacks:

• NBC News is reporting that North Korea was behind a series of spear phishing emails sent to U.S. electric companies back in September that contained malware-laden attachments with fake invitations for a fundraiser. According to coverage of the incident by eSecurity Planet, researchers believe the attacks were for recon purposes, stating, “There’s no evidence that North Korean hackers yet have the ability to manipulate or disrupt energy sector operations.”
• Facebook users are being warned to watch out for a phishing attack that utilizes the platform’s Trusted Contacts functionality, a feature that helps members regain access to their accounts after being locked out or forgetting their password. A series of codes are generated between groups of “Trusted Contacts,” and when one of the accounts has been compromised, hackers can gain access to the victim’s account by requesting the code, which appears to come from someone they know. Internet advocacy nonprofit Access Now discovered the attack, and identified some of its first targets as activists from Africa and the Middle East. More details and ways to avoid attacks like these can be found on International Business Times.
• iOS users should exercise caution when they see a pop-up window that prompts them to sign into their iTunes or App Store accounts using their Apple IDs, as scammers have begun to spoof these windows to trick victims into revealing their credentials. According to developer Felix Krause, executing the simple scam requires less than 30 lines of code. 9to5mac outlines Krause’s advice for avoiding this scam, which includes bypassing a pop-up in favor of opening Settings manually and accessing applications directly.
• Aptly named KnockKnock due to its “backdoor” approach to accessing accounts, a new (and relatively small) botnet has been targeting Office 365 system and admin accounts since May, operating under the assumption that these types of accounts are “often automated and ignored, not protected by two-factor authentication and secured with poor passwords.” Past victims include those in the manufacturing, finance, healthcare, and public sectors. The attackers’ clever and stealthy techniques are outlined in an article by ZDnet.
• A spear phishing campaign dubbed “FreeMilk” was discovered by researchers at Palo Alto Networks. According to ZD Net, the highly targeted attack intercepts and highjacks legitimate ongoing email chains, inserting malware-laden messages into conversations that appear to be to coming from the original senders. Victims include an international sporting organization and a Middle Eastern bank, among others.
• Criminals have begun to capitalize on fears sparked by the Equifax breach, as consumers are on high alert for related scams. Barracuda Networks’ September Threat Spotlight highlighted a growing trend in phishing email variants impersonating “secure messages” from large financial institutions like Bank of America. Though Barracuda’s Fleming Shi told The Washington Post that it’s “too early to confirm a definite correlation between these secure message attacks and the Equifax breach,” he noted that the company had tracked “roughly 300,000 fraudulent emails in recent weeks impersonating Bank of America, and 150,000 pretending to be CIBC.”
• The launch of Google’s Accelerated Mobile Pages (AMP) was a win for websites trying to optimize for mobile, but it has recently been exposed that this highly controversial feature “raised concerns that AMP pages obfuscate true URLs,” among other disadvantages for readers as noted in an article from Salon. This approach is a goldmine for cybercriminals who use fake security alerts to steal information. The Salon article goes on to note, “Because of the way that Google has implemented AMP, however, Gmail users and people using Google apps for institutional use are now more vulnerable to such attacks. Phishers who use AMP pages can thereby employ official "google.com" web addresses to direct users to malicious sites.” Despite a number of changes since launch, Google has yet to remedy the situation.
• Government staff of Bucks County, Pennsylvania, were hit with a phishing attack that affected hundreds. The fake emails were soliciting payment on fake invoices. If a recipient clicked the attached PDF, his or her computer was infected with malware and the malicious email was distributed to everyone on the user’s contact list. Officials suspect the source of the attack stemmed from a state agency that emailed an employee who was working from home, but have yet to confirm. Read the full story on the Bucks County Courier Times.
• The Better Business Bureau has warned of a phishing scam that uses its name and logo to claim that certain companies are violating federal laws such as the Fair Labor Standards Act, or the Safety and Health Act. To avoid downloading credential-stealing malware, recipients are urged not to click any links in any unsolicited email coming from the BBB. Further instructions can be found on the BBB website.