Four New Phishing Tactics Savvy Attackers are Using to Trick Users into Responding
1. Callback Phishing Attacks
Callback phishing campaigns send emails that reference a high-priced subscription the recipient never signed up for, leading the recipient to panic and assume they’ve been the victim of identity theft or fraud. The email includes a phone number to call for help.
When the person calls the phone number, the attackers pretend to help. They appear to walk the victim through the steps to cancel the subscription, but those steps actually launch the ransomware attack.
The “specialist” on the phone appears to be helpful, even telling the victim that the email was likely “spam” and offering additional technical support to make sure they weren’t compromised. The actions the hackers recommend are the steps that carry out the attack.
Check out this article on bleepingcomputer.com for more details and to see an example of this type of phishing email. This is a useful training tool for your teams.
Takeaway – always look up the actual company’s phone number and call the company directly when you suspect fraud.
2. Sending Ransomware via Calendar Meeting Invites
Based on our intelligence, there is a large increase in phishing attacks where the attackers are sending meeting invitations to their victims. The meeting invite may include an attachment. The title of the meeting and the invite may appear to be familiar.
You should use extreme caution before you accept any Microsoft Teams or other meeting invitation from any external email address, including client or partner email addresses.
You should delete any invite you feel is suspicious for any reason. If the invite comes from a client, partner, colleague, or a name you recognize, yet you feel it is suspicious or out of character, you should delete the invite and then contact that person to see if they really sent you an invitation.
Under no circumstances should you accept, decline, set a tentative response, reply, or open the attachment, as this is the action that will kick off the ransomware.
Takeaway: Be diligent about scrutinizing every email, even meeting notices, and don’t click if you think it’s suspicious.
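One way a mail administrator could back up this guidance is to hold external meeting invites, especially those carrying an attachment, for review before they reach a calendar. The sketch below is an added example, not code from the original article; the `INTERNAL_DOMAINS` value, the reason labels, and the sample addresses and file name are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # assumption: replace with your own mail domains

def triage_invite(raw: bytes) -> list[str]:
    """Return the reasons a message should be held for review (empty list = none)."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    # A missing or unparsable sender is treated as external (fail closed).
    external = sender.rpartition("@")[2] not in INTERNAL_DOMAINS
    is_invite, attachments = False, []
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            is_invite = True
            # RFC 5545 ATTACH properties carry or link files inside the invite itself
            attachments += [line for line in part.get_content().splitlines()
                            if line.upper().startswith("ATTACH")]
        elif part.get_filename():
            attachments.append(part.get_filename())
    reasons = []
    if is_invite and external:
        reasons.append("external-invite")
        if attachments:
            reasons.append("external-invite-with-attachment")
    return reasons

def build_sample(sender: str, attach: bool) -> bytes:
    """Constructed sample invite; every address and file name here is made up."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", "Budget review"
    m.set_content("You are invited to a meeting.")
    ics = ("BEGIN:VCALENDAR\r\nVERSION:2.0\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
           "SUMMARY:Budget review\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n")
    m.add_alternative(ics, subtype="calendar")
    if attach:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename="agenda.docx")
    return m.as_bytes()

if __name__ == "__main__":
    for sender, attach in [("partner@client.example", True),
                           ("partner@client.example", False),
                           ("colleague@example.com", True)]:
        print(sender, attach, triage_invite(build_sample(sender, attach)))
```

Internal senders are not flagged here, so a compromised colleague account still relies on the out-of-character check described above.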
3. Bring Your Own Vulnerable Driver Exploits - Finding legitimate ways to enter a system and then executing the exploit
Cyber attackers use legitimate systems and system tools to exploit known vulnerabilities and gain access to systems. This is a prime example of attackers getting very savvy. They find existing, known vulnerabilities (all they have to do is read industry reports) and use them as their access point.
For example, one group used a known driver security issue to enter the system and shut down the other security measures of the drivers, giving them the ability to move around freely in the system and therefore impact thousands of systems.
This “Bring Your Own Vulnerable Driver” technique is very effective because the attackers are using a valid certificate and get high-privilege access to systems.
You can read more in this article on bleepingcomputer.com that shares exactly how attackers are exploiting these vulnerabilities and what you can do about it.
Takeaway: Pay attention to reports of known vulnerabilities in software and systems that you use. Always patch or keep systems updated and keep an eye out for any anomalies in your environment.
4. Phishing-as-a-Service (PhaaS) – yes, it’s a thing
Phishing-as-a-Service allows new threat actors to get in the business of launching their own phishing attacks. For a monthly fee, they get templates, instructions, tools and even a tracking dashboard!
A new, specific PhaaS program targets phishing campaigns for Microsoft 365, and is called Caffeine. It comes with some more advanced features for the hackers to use to carry out their phishing attempts.
More details can be found in this article from bleepingcomputer.com.
Takeaway: Phishing is big business for hackers, so staying on top of their tactics is even more important now than ever before.
Lastly, the Department of Health and Human Services (HHS) recently published a paper discussing how tools used to operate, maintain, and secure healthcare systems and networks can be turned against their own infrastructure. You can access the paper here.
These are just a few examples of how cyber attackers are advancing their tactics to fool us. For a deeper dive into other ways attackers can access your network, and to understand what they do once they are there (hint: they are typically in your network for up to 197 days before they make themselves known), you can access this 6-Part Training Series that covers threats from the attacker's perspective and gives tips for what you can do about it.