Protecting Your Remote Workforce From Phishing Schemes
While the Covid-19 pandemic has changed the way many workforces conduct business, it hasn't slowed down cybercriminals in their attempts to harvest credentials and hack into organizations' systems and data. Many organizations scrambled to create last-minute remote work procedures, and cybercriminals unsurprisingly continue to use this time to take advantage of holes or gaps in security.
Scammers are using old tricks with new twists to take advantage of your remote workforce. An important step in protecting your organization is being aware of and educated on which threats are prevalent. Here are a couple of recent threats that have been making their way through organizations.
Long gone are the days of super easy to identify phishing schemes that were filled with horrible grammar and spelling mistakes that could easily be ruled as a scam. Hackers have gotten much more sophisticated and deciphering real from fake continues to be a challenging task.
Credential phishing is largely considered the foundation of email phishing. It is the easiest way for anyone to get into your secure files because they simply use the password that you gave them. The pandemic seems to have brought about a new wave of credential phishing attempts.
"In terms of the overall rate of phishing generally, we have seen nearly a three-times increase in phishing emails since the pandemic started," Baggett told TechNewsWorld.
Armorblox recently released its latest discovery of a new credential phishing attempt. The report details how cybercriminals use an email with a malicious link leading to a fake website. The landing page looks nearly identical to the Bank of America login page.
These new phishing attacks sidestep any single sign-on or two-factor authentication measures in place, and attackers also target security-challenge questions to increase attack legitimacy and obtain even more personal information. To successfully pass email authentication checks, the attackers sent the email from a reputable domain and created a zero-day domain for the phishing site to escape detection by threat feeds.
These newly packaged credential harvesting attacks are aimed at organizations of all sizes, but especially small and medium-sized businesses that may not have all of their security processes in place yet. Once an attacker gets ahold of an employee's credentials, they use the email account to launch attacks both within the organization and on customers, partners, and vendors.
Call to Action Gotchas
The Covid-19 pandemic has led to an increase in government impersonations offering health tips, relief funds, or the ability to track new cases in the area. Criminals lure users into responding by notifying them of a new document, voicemail, fax, or invoice. When a teammate clicks the link or downloads the item, malware is then installed on the user's system.
While many workers are working remotely, criminals are looking at how they can leverage application-based attacks to gain unwarranted access to valuable data in cloud services. Developers are continuing to build apps that integrate user and organizational data from cloud platforms to enhance and personalize the user's experience.
Consent phishing is a method where attackers trick users into granting a malicious app access to sensitive data or other resources. Instead of trying to steal the user's password, an attacker is seeking permission for an attacker-controlled app to access valuable data.
According to Microsoft the core steps of consent phishing look something like this:
1. An attacker registers an app with an OAuth 2.0 provider, such as Azure Active Directory.
2. The app is configured in a way that makes it seem trustworthy, like using the name of a popular product used in the same ecosystem.
3. The attacker gets a link in front of users, which may be done through conventional email-based phishing, by compromising a non-malicious website, or other techniques.
4. The user clicks the link and is shown an authentic consent prompt asking them to grant the malicious app permissions to data.
5. If a user clicks accept, they will grant the app permissions to access sensitive data.
6. The app gets an authorization code which it redeems for an access token, and potentially a refresh token.
7. The access token is used to make API calls on behalf of the user.
If the user accepts, the attacker can gain access to their mail, forwarding rules, files, contacts, notes, profile, and other sensitive data and resources.
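Because the consent prompt in these steps is authentic, the practical defensive check is to review which apps already hold consent to sensitive data. The following is an added example, not code from the article or from Microsoft: it assumes you have exported delegated permission grants and app records into one JSON document (field names modeled on the Microsoft Graph `oauth2PermissionGrant` and `servicePrincipal` resources), and the sample data, app names and IDs are constructed.

```python
import json

# Delegated Microsoft Graph scopes mapped to the data categories the article lists.
SENSITIVE_SCOPES = {
    "Mail.Read": "mail", "Mail.ReadWrite": "mail", "Mail.Send": "mail",
    "MailboxSettings.ReadWrite": "forwarding rules",
    "Files.Read.All": "files", "Files.ReadWrite.All": "files",
    "Contacts.Read": "contacts", "Notes.Read.All": "notes",
}

# Constructed sample export (not real tenant data). Combining both resource
# lists in one JSON object is an assumption made for this example.
SAMPLE = json.loads("""
{"servicePrincipals": [
  {"id": "sp-1", "displayName": "Contoso Expense Tool", "verifiedPublisher": {"displayName": "Contoso Ltd"}},
  {"id": "sp-2", "displayName": "Document Viewer Pro", "verifiedPublisher": {"displayName": null}}],
 "oauth2PermissionGrants": [
  {"clientId": "sp-1", "consentType": "AllPrincipals", "principalId": null, "scope": "User.Read openid"},
  {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-17", "scope": "User.Read Mail.Read MailboxSettings.ReadWrite offline_access"},
  {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-42", "scope": " Files.Read.All  offline_access"}]}
""")

def review_grants(data):
    """Return one finding per app that holds consent to sensitive delegated scopes."""
    apps = {sp["id"]: sp for sp in data["servicePrincipals"]}
    findings = {}
    for grant in data["oauth2PermissionGrants"]:
        scopes = set((grant.get("scope") or "").split())  # space-separated string
        hits = scopes.intersection(SENSITIVE_SCOPES)
        if not hits:
            continue  # sign-in/profile-only grants are not reported
        sp = apps.get(grant["clientId"], {})
        publisher = (sp.get("verifiedPublisher") or {}).get("displayName")
        finding = findings.setdefault(grant["clientId"], {
            "app": sp.get("displayName", "<unknown app>"),
            "verified_publisher": bool(publisher),
            "data": set(), "users": set(), "refresh_token": False})
        finding["data"] |= {SENSITIVE_SCOPES[s] for s in hits}
        # principalId is null when an admin consented for the whole tenant.
        finding["users"].add(grant.get("principalId") or "ALL USERS (admin consent)")
        # offline_access lets the app obtain a refresh token (step 6 above).
        finding["refresh_token"] |= "offline_access" in scopes
    # Unverified publishers first, then the widest data exposure.
    return sorted(findings.values(),
                  key=lambda f: (f["verified_publisher"], -len(f["data"])))

if __name__ == "__main__":
    for finding in review_grants(SAMPLE):
        print(finding)
```

A flagged app with an unverified publisher, sensitive scopes and a refresh token is the combination to review first, since revoking the grant is what ends the app's access; changing the user's password does not.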
Cybercriminals are always looking for the easiest point of compromise or entry. One way they do this is by ripping lures from the headlines and tailoring these lures to geographies and locations of their intended victims.
The Covid-19 pandemic has given cybercriminals the unique opportunity to look closely at local virus updates and headlines and use them to mimic local developments on the crisis and reactions to them.
As headlines in your organization's locality change, watch out for new ways that criminals will try to lure your employees into clicking links, giving credentials, or downloading malicious files.
While the Covid-19 outbreak has truly been a global event, cybercriminals continue to use it to take advantage of new victims using existing malware threats. Organizations of all sizes have had a lot to consider in dealing with a newly remote workforce, changes in workflow, and economic slowdowns, but now is not the time to slack on cybersecurity.
Organizations should continue to put emphasis on their security policies and procedures as well as making sure their workforce stays educated on spotting phishing and social engineering attacks.