phishing

Phishing targeting SaaS and webmail services increased to 36% of all phishing attacks

Posted on Updated on

Originally seen: Helpnetsecurity on May 20th, 2019

Users of Software-as-a-Service (SaaS) and webmail services are being targeted with increasing frequency, according to the APWG Q1 2019 Phishing Activity Trends Report.

SaaS webmail phishing increased

The category became the biggest target in Q1, accounting for 36 percent of all phishing attacks, for the first time eclipsing the payment-services category which suffered 27 percent of attacks recorded in the quarter.

Online SaaS applications have become fundamental business tools, since they are convenient to use and cost-effective. SaaS services include sales management, customer relationship management (CRM), human resource, billing and other office applications and collaboration tools.

“Phishers are interested in stealing logins to SaaS sites because they yield financial data and also personnel data, which can be leveraged for spear-phishing,” said Greg Aaron, APWG Senior Research Fellow.

Stefanie Ellis, AntiFraud Product & Marketing Manager at MarkMonitor said: “The total number of confirmed phishing sites increased in early 2019, with the biggest jump in March.”

The total number of phishing sites detected in 1Q of 2019 was 180,768. That was up notably from the 138,328 seen in the fourth quarter of 2018, and from the 151,014 seen in the third quarter of 2018.

Payment Services and Financial Institution phishing continued to suffer a high number of phishing attacks. But attacks against cloud storage and file hosting sites continued to drop, decreasing from 11.3 percent of all attacks in the first quarter of 2018 to just 2 percent in the first quarter of 2019.

Meanwhile, cybercriminals deployed HTTPS-protected phishing websites in record numbers, according to PhishLabs, posting a record high of nearly 60 percent of detected phishing websites in 1Q 2019 employing this data encryption protocol.

Phishers turn this security utility against users, leveraging the HTTPS protocols padlock icon that appears in the browser address bar to assure users that the website itself is trustworthy.

SaaS webmail phishing increased

“In Q1 2019, 58 percent of phishing sites were using SSL certificates, a significant increase from the prior quarter where 46 percent were using certificates,” said John LaCour, CTO of PhishLabs.

“There are two reasons we see more. Attackers can easily create free DV (Domain Validated) certificates, and more web sites are using SSL in general. More web sites are using SSL because browser warning users when SSL is not used. And most phishing is hosted on hacked, legitimate sites.”

Clever Phishing Attack Enlists Google Translate to Spoof Login Page

Posted on Updated on

Originally seen on ThreatPost by Lindsay O’Donnell: February 26th, 2019

A tricky two-stage phishing scam is targeting Facebook and Google credentials using a landing page that hides behind Google’s translate feature.

 

Recently-discovered phishing emails scoop up victims’ Facebook and Google credentials and hides its malicious landing page via a novel method – Google Translate.

The phishing campaign uses a two-stage attack to target both Google and Facebook usernames and passwords, according to researchers at Akamai who posted a Tuesday analysis. But in a tricky twist of events, the scam also evades detection through burying its landing page in a Google Translate page –  meaning that victims sees a legitimate Google domain and are more likely to input their credentials.

“When it comes to phishing, criminals put a lot of effort into making their attacks look legitimate, while putting pressure on their victims to take action,” Larry Cashdollar, with Akamai, said in a Tuesday post. “This is an interesting attack, as it uses Google Translate, and targets multiple accounts in one go.”

Cashdollar said that he first noticed the attack on Jan. 7 when an email notification on his phone informed him that his Google account had been accessed from a new Windows device.

The message, titled “Security Alert,” features an image branded with Google that says “A user has just signed in to your Google Account from a new Windows device. We are sending you this email to verify that it is you.” Then, there’s a “Consult the activity” button below the message.

phishing email

Interestingly, the message looked much more convincing in its condensed state on his mobile device, rather than on a desktop where the title of the email sender is more apparent, he said.

Upon closer look at the email, Cashdollar found that the “security alert” was sent from “facebook_secur[@]hotmail.com.”

That triggered two suspicions: Firstly, the email is from a Hotmail account, raising red flags – but also, the entire address had nothing to do with Google, instead referencing Facebook.

“Taking advantage of known brand names is a common phishing trick, and it usually works if the victim isn’t aware or paying attention,” he said. “Criminals conducting phishing attacks want to throw people off their game, so they’ll use fear, curiosity, or even false authority in order to make the victim take an action first, and question the situation later.”

When clicking on the “Consult the activity” button, Cashdollar was brought to a landing page that appeared to be a Google domain, prompting him to sign into his Google account.

However, one thing stuck out about the landing page – it was loading the malicious domain via Google Translate, Google’s service to help users translate webpages from one language to another.

phishing facebook google translate

Using Google Translate helps the bad actor hide any malicious attempts through several ways: Most importantly, the victim sees a legitimate Google domain which “in some cases… will help the criminal bypass endpoint defenses,” said Cashdollar.

Using Google Translate also means the URL bar is filled with random text. Upon further inspection of that text, victims could see the real, malicious domain, “mediacity,” being translated.

Luckily, “while this method of obfuscation might enjoy some success on mobile devices (the landing page is a near-perfect clone of Google’s older login portal), it fails completely when viewed from a computer,” said Cashdollar.

For those who fail to notice red flags regarding the landing page, their credentials (username and password) are collected – as well as other information including IP address and browser type – and emailed to the attacker.

“We are aware of the phishing attempts and have blocked all sites in question, on multiple levels,” a Google spokesperson told Threatpost. The spokesperson urged users to report them if they encounter a phishing site.

However, the attack didn’t stop there. The attacker then attempts to hit victims twice, by forwarding them to a different landing page that purports to be Facebook’s mobile login portal as part of the attack.

These type of two-stage attacks appear to be on the rise as bad actors look to take advantage of victims who already fell for the first part of the scam, Cashdollar told Threatpost: “It seems this is becoming more common as the attacker knows they’ve gained your trust and try to steal additional credentials.”

Like the Google page, this Facebook landing page has some red flags. It uses an older version of the Facebook mobile login form, for instance.

“This suggests that the kit is old, and likely part of a widely circulated collection of kits commonly sold or traded on various underground forums,” said Cashdollar.

Despite these mistakes, the two stages of the phishing attack suggest a certain level of sophistication on the part of the attacker.

“It isn’t every day that you see a phishing attack leverage Google Translate as a means of adding legitimacy and obfuscation on a mobile device. But it’s highly uncommon to see such an attack target two brands in the same session,” he said.

Phishing attacks have continued to grow over the past year – and this particular scam is only one example of how bad actors behind the scams are updating their methods to become trickier.

phishing attack google translate

According to a recent Proofpoint report, “State of the Phish,” 83 percent of respondents experienced phishing attacks in 2018 – up 5 percent from 2017.  That may not come as a surprise, as in the last year phishing has led to several massive hacks – whether it’s hijacking Spotify users’ accounts or large data breaches like the December San Diego Unified School District breach of 500,000.

Other methods of phishing have increased as well. Up to 49 percent of respondents said they have experienced “voice phishing” (when bad actors use social engineering over the phone to gain access to personal data) or “SMS/text phishing” tactics (when social engineering is used via texts to collect personal data) in 2018. That’s up from the 45 percent of those who experienced these methods in 2017.

Here’s what keeps your CISO up at night

Posted on

As seen on February 14th, 2018 on Helpnetsecurity.

89.1 percent of all information security leaders are concerned about the rise of digital threats they are experiencing across web, social and mobile channels, according to the 2018 CISO Survey by RiskIQ.

ciso worry

Some 1,691 U.S. and U.K. information security leaders across multiple verticals, including enterprise, consulting, government and education, provided insights into their cyber risk concerns and plans for 2018.

Overall, the survey revealed a coming “perfect storm,” where the problem of staff shortages collides with escalating cybercrime, leaving organizations ill-equipped to manage and respond to cyber risks and threats that are accelerating in an era of digital transformation, pervasive connections and increasingly sophisticated attack strategies sponsored by nation-states and rogue actors.

As the Spectre and Meltdown security flaws in Intel chips dominated the news in early 2018, and after a year of major security breach announcements and settlements, including Equifax, Yahoo and Anthem, the following findings are hardly surprising:

  • 67 percent of cybersecurity leaders do not have sufficient staff to handle the daily barrage of cyber alerts they receive
  • 60 percent expect digital threats to grow as their organizations increase online engagement with customers
  • The top three digital threats information security leaders fear are phishing and malware attacks on employees and customers; brand impersonation, abuse, and reputational damage; and information breaches
  • The top risk organizations face today is a lack of experienced staff to monitor and help protect networks from cybercrime
  • Currently, 37 percent of firms have engaged a managed security services provider (MSSP) to help monitor and manage cyberthreats.

ciso worry

“The RiskIQ 2018 CISO Survey illuminates a growing industry-wide problem, which is that cybercrime is growing at scale, and enterprises are already experiencing critical staff shortages. That’s one reason 1 in 3 organizations have engaged with an MSSP to combat cyber risks and threats, and we expect that number to grow as the competition for top security talent gets far more intense,” said Lou Manousos, CEO at RiskIQ.

 

Check out all of our services offered at our website or call us today: 518-479-3881.