The Latest in Phishing: March 2015


We bring you the latest in phishing attacks from the wild and phishing news.


  • Spam is down and phishing is up. More cybercriminals are using targeted spear phishing attacks instead of spam. According to Trend Micro, the theme of 2014 for hackers was “quality over quantity.”
  • Did you know there are such things as “phishing kits”? Phishing kits are not simulated phishing attacks; they’re sets of templates and websites available on the black market that let hackers phish quickly and efficiently.
  • Phishing on Facebook? Facebook users should be aware of private messages claiming they were tagged in a photo or video. As more people fell for the attacks, more and more messages were sent out to friends of friends.

 

  • Do you use social logins on apps or websites? A tool called “Reconnect” lets attackers hijack accounts on sites that use Facebook logins by taking advantage of a security gap. Citing compatibility issues, Facebook declined to fix the problem when it was brought to light in 2014, so researchers released the tool to encourage a speedy fix.
  • CTOs at American companies were targeted in a tax-themed spear phishing attack. The attachments contained Microsoft Word files with malicious macros. Once a machine was infected, the Trojan delivered by the macros could collect login credentials for online banking and social networking sites.
  • A phishing attack targeting Bank of America customers asks them to verify account information, but instead steals their online banking login information and drains their funds.
  • Did you get an email from a .gov account? Researchers have discovered a security loophole that allows attackers to bypass the Sender Policy Framework (SPF) email validation, making it difficult for filters to mark phishing attacks from .gov email addresses as spam.
  • Google Apps had a serious flaw that allowed cybercriminals to register a corporate administrative email address and send white-listed phishing attacks.
  • After a successful phishing attack that steals your password, the average time for an attacker to access your compromised account is under 30 minutes. Even worse, 45% of users who visit convincing phishing pages are tricked into sharing their information, according to Google.
