Pay close attention to email links, because they might not send you where you expect. Attackers found a new phishing strategy to steal your credentials.
New Phishing Strategy Renders Known Security Practice Obsolete
A classic and almost famous internet security practice just bit the dust. For decades, email users were advised to hover their mouse over a URL to see where it led. You were good to go if you saw the link to a legitimate website.
However, on Tuesday, Microsoft disclosed details on a new phishing strategy: phishing emails containing malicious links disguised as URLs to reputable sites. The links redirect victims to a credential-stealing page.
How It Works
This approach relies on a type of link used by marketers to gather information about who clicks on a URL in a newsletter or on social media. Known as open redirector links, the structure of the link begins with a primary domain, followed by a string of analytics data and a destination website.
“Microsoft has been actively tracking a widespread credential phishing campaign using open redirector links. Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking. Doing so leads to a series of redirections—including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems—before taking the user to a fake sign-in page. This ultimately leads to credential compromise, which opens the user and their organization to other attacks,” according to a post on its security blog.
According to Microsoft, this phishing strategy uses open redirects to take advantage of an average user’s security awareness training.
Adding to its complexity, the new campaign uses captchas to inspire a sense of authenticity to its targets. Unsuspecting users who believe they’re on a legitimate site will enter their login credentials thinking they’re accessing a notification, report, or even a Zoom meeting. Unfortunately, they could not be more wrong, as the fake error page displayed prompts a second entry of login credentials only to steal them.
After the phishing attempt has successfully stolen the user’s credentials, they will be redirected to another genuine website.
“This phishing campaign is also notable for its use of a wide variety of domains for its sender infrastructure—another attempt to evade detection. These include free email domains from numerous country code top-level domains (ccTLDs), compromised legitimate domains, and attacker-owned domain generated algorithm (DGA) domains. As of this writing, we have observed at least 350 unique phishing domains used for this campaign. This not only shows the scale with which this attack is being conducted, but it also demonstrates how much the attackers are investing in it, indicating potentially significant payoffs,” Microsoft said.
Fight Phishing Attacks With ATTACK Simulator’s Security Awareness Training
A phishing attack can be extremely damaging to your business. Your employees are the most attractive targets, so you should seriously consider implementing security awareness training in your company.
When you provide your employees with extensive and relevant knowledge on how to spot the red flags of a phishing attack, they can take their time to calmly examine the situation and take in all the details the devil may be hiding in, which otherwise would go unnoticed.
To objectively assess your company’s exposure and vulnerability to phishing attacks, we strongly advise you to use our free security awareness training trial.
Our realistic phishing simulations will expose your employees to life-like hands-on fake phishing attacks.
Here’s what we put on the table:
- Automated attack simulation – we simulate all kinds of cyberattacks: phishing, malware, ransomware, spear-phishing, identity theft, online privacy attacks, online scams etc.
- Real-life scenarios – we evaluate users’ vulnerability to give company-related or pesonal data away using realistic web-pages.
- User behavior analysis – we gather user data and compile it in extensive reports to give you a detailed picture of your employees’ security awareness level.
- Malicious file replicas – our emails contain malware file replicas, to make the simulation as realistic as it can be.
- Interactive lessons – if employees fail to recognize our traps and fall into one, they will be redirected to landing pages with quick reads on the best security practices.
- We impersonate popular brands on our simulated phishing pages – the user will be more tempted to click on the URL or open the attachment in the email.
Choose ATTACK Simulator’s Security Awareness Training program to provide your employees with the necessary security knowledge and up-to-date security practices to keep your company safe from scammers.
Feature Image: Technology vector created by freepik – www.freepik.com