Phishing Scams: The Evolving Cyber Threat

Phishing is a term used to describe cyber crime that targets victims via email, telephone, or text message. We hear it most in reference to malicious emails, where criminals disguise themselves as legitimate companies to trick their victims into clicking on links in the email or opening documents attached to it. These links and attachments can be used to introduce malware and viruses onto your computer, or to trick you into entering your password on a website controlled by the criminals, which can ultimately result in data being stolen, financial loss, or identity theft.


Any organisation's best line of defence against phishing attacks is its employees. Training people to spot and report phishing messages prevents malware or attackers from gaining access to your computer systems and networks, and protects your data.


A report from threat researchers Cymulate (June 2022) shows that phishing attacks were used by cyber criminals to gain initial access into their victims' computer systems and networks more than any other form of cyber crime in 2021, making up 56% of all cyber attacks that took place that year. When cyber criminals send phishing messages, they often impersonate a well-known brand or service provider in order to trick their victims into thinking they have received legitimate communication from that company. Check Point’s Brand Phishing Report for the second quarter of 2022 reveals the top 10 brands impersonated by cyber criminals in phishing attacks.

Top phishing brands in Q2 2022:

1. LinkedIn (45%)
2. Microsoft (13%)
3. DHL (12%)
4. Amazon (9%)
5. Apple (3%)
6. Adidas (2%)
7. Google (1%)
8. Netflix (1%)
9. Adobe (1%)
10. HSBC (1%)

— Check Point’s Brand Phishing Report

Although the emails you receive may appear official, using stolen graphics and logos, there are often signs that they are fake. Images may be pixelated and distorted, and the content of the email may include misspelled words, which you might expect when communicating with others in your team, but large companies will have spell-checked email templates for all their communications. URLs (web links) included in the message may also be shortened, and hovering over them with your mouse cursor will usually display a box that lets you see where the link will take you. For example, you might receive a link to “Mirosoft.com”, a slight misspelling of a brand name, that will actually direct you to the criminal’s web page.
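The checks described above (does the visible text match the real destination, is the link shortened, is the domain a near-miss of a well-known brand) can be automated over the HTML body of a message. The script below is an added example written for this article, not code from Cool Waters or from any of the reports cited. The brand domains are assumed from the brand names in the Check Point list, the shortener list is a small assumed set, and the sample email body is constructed for the demonstration.

```python
"""Flag suspicious links in an HTML email body: text/target mismatch,
URL shorteners, and look-alike (typosquatted) brand domains.
Added example; not from the original article."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registrable domains assumed for the brands the article lists as most impersonated.
BRAND_DOMAINS = ["linkedin.com", "microsoft.com", "dhl.com", "amazon.com",
                 "apple.com", "adidas.com", "google.com", "netflix.com",
                 "adobe.com", "hsbc.com"]
# A few well-known URL-shortening hosts (assumed list; extend to taste).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
# Visible link text that itself looks like a URL or hostname.
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$")


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' reduction: login.mirosoft.com -> mirosoft.com.
    Good enough here; production tooling should use the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href: str, text: str) -> list:
    """Return the reasons this link is suspicious (empty list = nothing found)."""
    reasons = []
    host = urlparse(href).hostname or ""
    target = registrable_domain(host)
    if host in SHORTENERS:
        reasons.append("shortened URL hides the real destination")
    # Visible text that reads as a URL but points somewhere else (what hovering reveals).
    if URL_LIKE.match(text):
        text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registrable_domain(text_host) != target:
            reasons.append(f"text shows {text_host} but link goes to {host}")
    # Look-alike: close to a brand domain without being that domain.
    for brand in BRAND_DOMAINS:
        d = edit_distance(target, brand)
        if 0 < d <= 2:
            reasons.append(f"{target} looks like {brand} (edit distance {d})")
    return reasons


def scan_html(body: str) -> dict:
    """Map each href in the body to its list of suspicion reasons."""
    parser = LinkCollector()
    parser.feed(body)
    return {href: check_link(href, text) for href, text in parser.links}


# Constructed sample body in the style of a spoofed "account verification" mail.
SAMPLE = """<p>Your account needs attention.</p>
<a href="https://login.mirosoft.com/verify">Sign in to Microsoft</a>
<a href="https://bit.ly/3xyz">View invoice</a>
<a href="https://www.microsoft.com/">www.microsoft.com</a>
<a href="https://example-phish.test/pay">www.hsbc.com</a>"""

if __name__ == "__main__":
    for href, reasons in scan_html(SAMPLE).items():
        print("SUSPICIOUS" if reasons else "ok        ", href, "; ".join(reasons))
```

Only the genuine `www.microsoft.com` link comes back clean; the misspelled domain, the shortener and the text/target mismatch are each flagged with the reason a user would otherwise have to spot by eye.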


Cyber criminals can design sophisticated web pages that mimic the look of the actual login page used by the company they are impersonating. When you enter your login details on such a page, instead of logging in to your account you hand your details over to the cyber criminals. They then have what they need to log into your account, pretend to be you and access your data; depending on the login details they’ve stolen, that may also give them access to financial information, or to messaging capabilities they can use to impersonate you and trick your colleagues into falling for their scam.


Recently, a new phishing technique has been discovered that uses Chrome's Application Mode feature, which is available in all Chromium-based browsers, such as Google Chrome and Microsoft Edge. Criminals can use this feature to create a spoof of a desktop application, which is treated with much less suspicion than a login page reached through a web link, and use it to steal login information in the same way as they would with spoofed web pages. Earlier this year, hackers created a fake version of the games launcher software ‘Steam’. They targeted this system because it uses a pop-up window for users to enter their login details, which was easy for them to copy. This attack resulted in Steam accounts being stolen, and the accounts of prominent players were then sold for hundreds of thousands of dollars. This phishing technique is known as a browser-in-browser attack because it is created using web browsers and launched in a new browser window.


These web-based attacks have become more prevalent than earlier attachment-based phishing scams, which relied on the victim opening a document attached to the email rather than clicking on a web link. This is because Microsoft have been increasing security around files opened in Office applications, especially those downloaded from the internet. A feature of Office documents called ‘macros’ was previously used by cyber criminals to carry dangerous code and malware: when a victim opened such a document, the code would run and their computer would become infected with the malware. Microsoft have recently blocked macros in files from the internet across all Office applications. This helps to protect users from a common form of phishing attack and has forced criminals to change their tactics.


Phishing scams are generally broad and sent to many people. The idea behind this is so that the cyber criminals catch as many ‘fish’ as possible by casting such a wide net. A more targeted approach to phishing, known as spear phishing, uses social engineering techniques to find out personal information about the victim to make the scam more believable. This can include criminals searching your social media posts, and the posts of your friends and family, to discover what companies you use, what your interests and hobbies are, and what bank you hold an account with.  


The 2022 Falcon OverWatch Threat Hunting Report from CrowdStrike compiles recent trends in cyber crime from July 2021 to June 2022. They tracked the most prevalent techniques used by cyber criminals and found phishing to be the most common technique used as a first point of access into victims' computer systems and networks. Spear phishing involving both attachments and web links was also found to support this initial access. 75% of the attacks they observed were classified as ‘eCrime’, a term they use to describe attacks by financially motivated attackers.


CrowdStrike also observed an increase in the use of ISO files in phishing attacks. ISO 9660 is the file system format used on CD-ROMs, and an ISO image is essentially a digital copy of a disc. Today, ISO images are widely used for the distribution of software and large programmes, including operating systems. Between December 2021 and March 2022, an attack by Russian cyber criminals was observed using an ISO image file named Covid.iso. This attack shows how cyber criminals use current events to further manipulate victims into falling for their phishing scams. This has been seen very commonly with cyber criminals impersonating the NHS and other COVID-19 related bodies, and with other national news events, such as the recent death of Her Majesty The Queen, where fake communications about attending the Lying-in-State asked people to register in advance or to pay for the ability to attend. These were not legitimate communications, but a sophisticated cyber scam.
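The two attachment types discussed above, macro-enabled Office documents and disc images such as ISO files, are both things a mail gateway or an analyst's triage script can check for before a user ever opens them. The following is an added example written for this article, not code from Cool Waters, CrowdStrike or Microsoft. It parses a raw message with Python's standard `email` library, flags attachments by extension, and additionally looks for the ISO 9660 volume-descriptor signature (`CD001` at byte offset 0x8001) so that an image renamed to a harmless-looking extension is still caught. The extension lists are an assumed policy, and the message with its attachments is constructed inline for the demonstration (the name Covid.iso is taken from the article; the bytes are not a real sample).

```python
"""Scan a raw RFC 822 message for attachment types favoured by phishing campaigns:
macro-enabled Office files and disc-image containers such as ISO.
Added example; not from the original article or the reports it cites."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions worth quarantining or at least flagging (assumed policy lists).
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
IMAGE_EXTS = {".iso", ".img", ".vhd", ".vhdx"}

ISO_MAGIC_OFFSET = 0x8001   # ISO 9660: "CD001" follows the type byte of the
ISO_MAGIC = b"CD001"        # primary volume descriptor at sector 16 (offset 32768)


def looks_like_iso(data: bytes) -> bool:
    """True if the payload carries the ISO 9660 volume descriptor signature."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def classify_attachment(filename: str, data: bytes) -> list:
    """Return the reasons this attachment is risky (empty list = nothing flagged)."""
    reasons = []
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext in MACRO_EXTS:
        reasons.append("macro-enabled Office document")
    if ext in IMAGE_EXTS:
        reasons.append("disc-image container")
    if looks_like_iso(data):
        reasons.append("ISO 9660 signature present")
        if ext not in IMAGE_EXTS:
            # Content says ISO but the name does not: a renamed image.
            reasons.append("extension does not match ISO content")
    return reasons


def scan_message(raw: bytes) -> dict:
    """Map each attachment filename to its list of reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        findings[name] = classify_attachment(name, part.get_payload(decode=True) or b"")
    return findings


def build_sample() -> bytes:
    """Constructed message with four attachments; not a real campaign sample."""
    msg = EmailMessage()
    msg["From"] = "alerts@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "COVID-19 guidance update"
    msg.set_content("Please review the attached documents.")
    # Minimal ISO-like blob: zero padding up to the descriptor, then the signature.
    iso_blob = b"\x00" * ISO_MAGIC_OFFSET + ISO_MAGIC + b"\x01" * 64
    msg.add_attachment(iso_blob, maintype="application", subtype="octet-stream",
                       filename="Covid.iso")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 32, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    msg.add_attachment(b"%PDF-1.4 benign placeholder", maintype="application",
                       subtype="pdf", filename="policy.pdf")
    # Same image bytes under an innocuous name: only the signature check catches it.
    msg.add_attachment(iso_blob, maintype="application", subtype="octet-stream",
                       filename="update.dat")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print("FLAG" if reasons else "ok  ", name, "; ".join(reasons))
```

The PDF passes, the .docm and .iso are flagged on name, and `update.dat` is flagged purely on content, which is the case an extension-only filter misses.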


Identifying and reporting all suspected phishing attempts is the best way to protect yourself at home and at work. When using an email reading programme such as Outlook, or when accessing email online through a service such as Gmail, you can report phishing messages directly. This is done by opening the (…) menu while the phishing message is open and clicking the ‘Report Phishing’ option.


For more strategic security advice and support, get in touch with us at Cool Waters, and find out what we can do to help improve the cyber security of your business.  
