Cybercriminals use many tactics to obtain credentials that they then use to remotely access corporate accounts, cloud services, and gain access to business networks. Phishing is the most common method, which is most commonly conducted via email. Attackers craft emails using a variety of lures to trick the recipient into visiting a malicious website where they are required to enter their credentials that are captured and used by the attackers to remotely access the accounts.
Businesses are now realizing the benefits of implementing an advanced spam filtering solution to block these phishing emails at source and ensure they do not reach inboxes. Advanced antispam and anti-phishing solutions will block virtually all phishing attempts, so if you have yet to implement such a solution or you are relying on Microsoft Office 365 protections, we urge you to get in touch and give SpamTitan a trial.
Phishing is not only performed via email. Rather than using email to deliver the hook, many threat groups use SMS or instant messaging platforms and increasing numbers of phishing campaigns are now being conducted by telephone and these types of phishing attack are harder to block.
Smishing for Credentials
When phishing occurs through SMS messages it is known as Smishing. Rather than an email, an SMS message is sent with a link that users are instructed to click. Instant messaging platforms such as WhatsApp are also used. Many different lures are used, but it is common for security alerts to be sent that warn the recipient about a fraudulent transaction or other security threat that requires them to login to their account.
Recently, Allied Irish Bank (AIB) customers in Ireland were targeted with such as smishing campaign. The SMS message advises the recipient that there has been a suspected fraudulent transaction which they are required to review by clicking a link and logging in. Their credentials are harvested, and they are instructed to provide codes from their card reader or one-time passwords as part of the security check. Doing so will allow the scammers to access the account and make fraudulent transactions. A variation on this theme involves the user being told they have been locked out of their account.
In this campaign the scammers use a URL on the domain secureonlineservicepayeeroi.com, although these domains frequently change. Many campaigns mask the destination URL using URL shortening services, and one recent campaign conducted by an Iranian threat group used a seemingly legitimate google.com URL and several redirects before the user landed on the phishing page. Smishing is also often used in PayPal phishing attacks using messages warning about the closure of an account.
Vishing Attacks on Businesses Spike
In December 2019, the U.S. Federal Bureau of Investigation (FBI) identified a campaign where cybercriminals were conducting phishing over the telephone – termed vishing. Since then, the number of cases of vishing attacks has increased, prompting the FBI and the Cybersecurity and Infrastructure Security Agency to issue a joint alert in the summer about a campaign targeting remote workers. This month, the FBI has issued a further alert following a spike in vishing attacks on businesses.
Cybercriminals often target users with high levels of privileges, but not always. There has been a growing trend for cybercriminals to target all credentials, so all users are at risk. Once one set of credentials is obtained, attempts are made to elevate privileges and reconnaissance is performed to identify targets in the company with the level of permissions they need – I.e. permissions to perform email changes.
The scammers make VoIP calls to employees and convince them to visit a webpage where they need to login. In one attack, an employee of the company was found in the company’s chatroom, and was contacted and convinced to login to their company’s VPN on a fake VPN page. Credentials were obtained and used to perform reconnaissance. Another target was identified that likely had advanced permissions, and that individual was contacted and scammed into revealing their credentials.
How to Block Smishing and Vishing Attacks
Blocking these types of phishing attacks requires a combination of measures. In contrast to email phishing, these threats cannot be easily blocked at source. It is therefore important to cover these threats in security awareness training sessions as well as warning about the risks of email phishing.
A web filtering solution is recommended to block attempts to visit the malicious domains where the phishing pages are hosted. Web filters such as WebTitan can be used to control the websites that employees can access on their corporate-issued phones and mobile devices and will provide protection no matter where an employee accesses the Internet.
It is also important to set up multifactor authentication to prevent any stolen credentials from being used by attackers to remotely access accounts. The FBI also recommends granting network access using the rule of least privilege: ensuring users are only given access to the resources they need to complete their jobs. The FBI also recommends regularly scanning and auditing user access rights given and monitoring for any changes in permissions.