Anyone can take your email address, and put it into an email subscription form. That is why we have validation emails. We saw this in the UK recently, with the revoke Article 50 petition. Just submitting your email address wasn’t enough. You have to click on the validation email too. But a worrying new trend has emerged. Cyber criminals have managed to take advantage of poor webform security to insert links into validation emails, responding to fictitious signups.
The latest scam is as cunning as ever from a criminal fraternity that has never lacked an ability to apply clever new techniques into tricking us. So what can organisations do to avoid falling victim to such phishing attacks?
One report focused on a phishing attack after cyber criminals were able to insert the suspicious links into validation emails from the perfectly legitimate site The British Newspaper archive. A trained eye could have spotted the tell tell signs. For one thing, the particular phishing attack in question involved a confirmation email sent to a nonsensical name. Clearly, the email address was ‘thrown’ at a subscription form, filling in that part of the questionnaire asking for a name using some kind of automated process. But the biggest hint lies with a suspicious link forming part of the confirmation email.
Another report, this time on Dr Web, focused on a similar scam, in which “Russian users received phishing emails from well-known international companies such as Audi, Austrian Airlines and S-Bahn Berlin.”
Phishing: Avoiding the growing threat to business data
Email phishing is becoming more sophisticated and targeted. How can firms avoid being caught out?
The fix: to avoid phishing the simple methods can help
There is an obvious fix; train staff to be more careful and indeed suspicious of course. As Jake Moore, cyber security specialist at ESET said: “One should always use caution when filling in forms, whether the site and entry form looks legitimate or otherwise. This may sound straight forward but people quickly become influenced by a logo or urgency and simply forge ahead, ignoring any doubts.”
But we are all human, and the most technically savvy of us can get caught out from time to time. As Fabian Libeau, VP for EMEA at RiskIQ, said: “The critical aspect in all social engineering scams is that the intended victim believes the scammer to be legitimate, and as people have become able to spot the most obvious phishing emails, we are increasingly seeing time being spent on crafting well-written and seemingly authentic messages requesting reasonable actions. This means that even if you’re relatively well informed, it’s becoming harder to single out, especially when criminals impersonate.”
Jake Moore added: “Not everyone has the time or the know-how to look for tell tell signs within a malicious link but it can be mitigated by following one rule — don’t go entering information from emails sent to you even if they look genuine. The timing is usually the best giveaway as even if the email looks worthy of someone you are connected with, it may not be timed well. With that said, I still withhold giving away any personal information where possible – especially if a link were to say I’ve won a prize.”
Phishing attacks hook almost half of UK firms
Almost half of UK organisations have been compromised by phishing attacks in the last two years, research shows
But what can organisations do beyond that to avoid falling victim to phishing attacks?
Fabian Libeau said: “Security teams need to go beyond focusing solely on training for junior employees, which while important is not sufficient. Instead, security professionals need to play a more active part in monitoring for such frauds as well. A key part to a robust anti-phishing strategy is to map out the infrastructure associated with flagged phishing campaigns and set up customised blocks that can prevent further action on behalf of the criminal. This will lower the amount of possible attack vectors, and also increase organisations’ resilience to what is becoming unavoidable phishing campaigns targeting those employees that are most likely to fall for impersonation fraud.“
Jake Moore concluded: “Businesses should of course be making use of multi factor authentication for any newsletters and make their users aware of tactics used by hackers.”
Also see: A guide to cyber attacks: Phishing