Phishers are constantly coming up with new scams that abuse trust. People tend to trust their favorite brands and when email communications are sent by those companies there is a tendency for the emails to be trusted. The same is true when emails are sent from email contacts such as work colleagues and friends. Cybercriminals take advantage of trust to get users to take a specific action, such as clicking on an embedded hyperlink in an email or opening an email attachment.
Many businesses now provide security awareness training to employees and try to teach them to always be vigilant and never to trust emails implicitly, even if they have been sent by known contacts. Just because an email has been sent from a known and trusted email account does not mean the message is genuine. Email accounts are often compromised and used to send phishing emails. The Emotet Trojan hijacks email accounts and uses them to send copies of itself to the victim’s contacts, and several other malware variants do the same. Email addresses are also spoofed. The display name may be correct or believable, but the actual email account used to send the message is anything but.
Another tactic is now being used by at least one cybercriminal group than similarly abuses trust, albeit in a new way. A phishing campaign, which was first detected on September 21, 2020, uses the challenge-response test CAPTCHA to simultaneously make the campaign believable and also to reduce the probability of the scam being detected by email security solutions.
Internet users will be familiar with CAPTCHA, although maybe not by name. The CAPTCHA system is used by many websites as a way to determine if a website visitor is a human or a bot, most commonly on forms.
Google uses CAPTCHA and requires users to pass a pictorial challenge where it is necessary to select all the images in a group that featuring a car, bicycle, bus, or traffic lights. If you pass the challenge you will be allowed to proceed, if you fail you will not. Other versions involve entering in a number or code word that has been heavily disguised in an image.
While these CAPTCHA challenges can be annoying, they are associated with security so if a website has one of these challenges, subconsciously people tend to feel more secure. However, as with a website starting with HTTPS, it does not mean the website is genuine.
In this new phishing campaign, users are likely to feel more secure when credentials are requested since they had to pass a CAPTCHA test, especially considering the page on which the challenge was set up looks just like the genuine login prompt for Office 365. The background is the same, as is the login prompt. The only difference between the genuine login page and the fake version is the URL.
Security teams face a challenge detecting and blocking these phishing pages as email security solutions, despite having AI-based detection mechanisms, are essentially bots and, as such, cannot pass a CAPTCHA challenge.
A second tactic is also used to evade detection. The scammers have set up their campaign so that only a specific set of IP addresses will be presented with the CAPTCHA test on the fraudulent domain. If any IP address outside a specific range attempts to visit the link– the IP range used by the targeted company – a redirection will occur to the genuine Microsoft login page.
While these scams help to ensure that malicious emails are delivered to inboxes, organizations do not need to be totally reliant on their employees recognizing the scams and taking appropriate action (reporting the email to the IT security team).
With a web filtering solution in place, attempts to visit known malicious websites will be blocked. When malicious domains are detected they are automatically added to a web filter’s blacklist, and any attempts to visit malicious domains will be blocked.
WebTitan is a low maintenance security solution that can be set up in about 5 minutes and will protect against the web-based component of phishing attacks and will block malware downloads from malicious websites. WebTitan works in tandem email security solutions to provide greater protection against malware and phishing attacks. The solution can also be used to control the content that employees and guest network users can access over the internet, whether they are on the network or working remotely.
If you have not implemented a web filter or are unhappy with your current solution, give the WebTitan team a call to find out more. A product demonstration can be arranged, you can have a free trial of the solution, and assistance can be provided to help you get the most out of WebTitan during your trial.