What is the preferred method of phishing?

Spear phishing is a phishing method that targets specific individuals or groups within an organization. It is a potent variant of phishing, a malicious tactic that uses email, social media, instant messaging, and other platforms to get users to divulge personal information or perform actions that cause network compromise, data loss, or financial loss. While generic phishing may rely on shotgun methods that deliver mass emails to random individuals, spear phishing focuses on specific targets and involves prior research.

A typical spear phishing attack includes an email and attachment. The email includes information specific to the target, including the target's name and rank within the company. This social engineering tactic boosts the chances that the victim will carry out all the actions necessary for infection, including opening the email and the included attachment.

Spear Phishing and Targeted Attacks

Spear phishing is typically used in targeted attack campaigns to gain access to an individual’s account or to impersonate a specific individual, such as a ranking official or someone involved in confidential operations within the company. Trend Micro researchers found that more than 90 percent of targeted attacks in 2012 were derived from spear phishing emails.

Spear phishing attackers perform reconnaissance methods before launching their attacks. One way to do this is to gather multiple out-of-office notifications from a company to determine how they format their email addresses and find opportunities for targeted attack campaigns. Other attackers use social media and other publicly available sources to gather information.

How to Defend Against Spear Phishing Attacks

No matter where you are in the organizational structure, attackers may choose you as their next spear phishing target to snoop inside an organization. Here are some best practices to defend against spear phishing attacks:

  • Be wary of unsolicited mail and unexpected emails, especially those that call for urgency. Always verify with the person involved through a different means of communication, such as phone calls or face-to-face conversation.
  • Learn to recognize the basic tactics used in spear phishing emails, such as tax-related fraud, CEO fraud, business email compromise scams, and other social engineering tactics.
  • Refrain from clicking on links or downloading attachments in emails, especially from unknown sources.
  • Block threats that arrive via email using hosted email security and antispam protection.
Related terms: Phishing, whale phishing, spam, BEC


Links:

https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-spear-phishing-email-most-favored-apt-attack-bait.pdf

http://blog.trendmicro.com/anatomy-of-a-spear-phishing-attack/

http://newsroom.trendmicro.com/press-release/cyberthreat/over-90-percent-targeted-attacks-derived-spear-phishing-emails-according-t

http://blog.trendmicro.com/trendlabs-security-intelligence/the-risks-of-the-out-of-office-notification/

Phishing is a form of social engineering used to deceive users and exploit weaknesses in current computer and network security. Phishing is the fraudulent attempt to obtain sensitive information for malicious reasons by disguising the true identity of the sender, often by posing as a trusted organization or person. Phishing is typically carried out by email spoofing, but it can also be used in other electronic communications such as instant messaging. Phishing is the most common method for hackers to gain access to a network and launch malware, including ransomware and viruses, that can damage or destroy your data. Over 90% of successful hacking attempts start with a phishing email. These emails will either ask the recipient for sensitive information (usernames and passwords, credit card numbers, or personal information) or ask the recipient to click on a link that leads to a website hosting malware, which then infects the recipient's computer and possibly the network and other computers on it. Attempts to deal with the growing number of phishing incidents include legislation, user training, public awareness, and technical security measures.

Types of phishing

There are several types of phishing.

  • Spear phishing: Phishing attempts directed at specific individuals or companies have been termed spear phishing. In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase their probability of success.
  • Clone phishing: Clone phishing is a type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version to the original. This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection due to both parties receiving the original email.
  • Whaling: The term whaling has been coined for spear phishing attacks directed specifically at senior executives and other high-profile targets.[15] In these cases, the content will be crafted to target an upper manager and the person's role in the company. The content of a whaling attack email may be an executive issue such as a subpoena or customer complaint.

Defense against phishing

The best protection from phishing is training and awareness. End users typically make up an organization's largest attack surface, making them an attractive target for the bad guys. Regular security awareness training and specific phishing training are an organization's most effective and efficient strategy for protecting itself against phishing attacks.

Identify phishing emails

  • There is no single thing that will always identify a phishing attempt; the best chance of catching one is to recognize multiple indicators.
  • Check the email address of the sender. Does it come from a known sender or domain that you regularly communicate with?
  • Look how the sender is addressing you. Is it a generic salutation or do they know your preferred name?

Other phishing identification resources:

Most email security filters are highly effective at ensuring that spam messages never make it to the inbox. However, they’re far less effective at blocking phishing, which has proven to be a more difficult problem to solve. Today’s phishing techniques are highly sophisticated: they bypass email security filters, and they target your clients and employees.

A well-crafted phishing email is nearly—if not completely—identical to a real email from a known brand. Victims click on phishing links that imitate well-known brands like Microsoft and Facebook, believing they’re logging into a trusted account. In some phishing attacks, victims unknowingly give their credentials to cybercriminals. In others, victims click a phishing link or attachment that downloads malware or ransomware onto their computers.

The following phishing techniques are highly sophisticated obfuscation methods that cybercriminals use to bypass Microsoft 365 security. They are invisible to the user and easily bypass Exchange Online Protection (EOP) and secure email gateways (SEGs).

1. Adding legitimate links

Most email filters scan for known phishing URLs. To evade detection, phishers add legitimate links to their phishing emails. Many email filters will scan a number of legitimate links and assume the email is clean. In recent Microsoft 365 phishing emails detected by Vade, the phisher included a legitimate reply-to email address and legitimate links to Microsoft’s community, legal, and privacy webpages. They also included a link to Microsoft’s contact preferences page, where users can update their preferred communications settings for applications like SharePoint and OneDrive.

In the below example of a Wells Fargo phishing email detected by Vade, the phisher even included a link to the bank’s fraud information center.

2. Mixing legitimate and malicious code

A known phishing email or malware virus contains a signature that can be detected by EOP. One technique for obfuscating the signature is to mix legitimate and malicious code. Sophisticated Microsoft phishing pages, for example, include CSS and JavaScript from real Microsoft webpages, such as the Office 365 login page. Other techniques include encoding characters at random, adding invisible text, inserting white spaces, and assigning random values to HTML attributes. The goal of mixing legitimate and malicious code is to make each email appear unique to the filter, making these types of phishing attacks nearly impossible for signature-based filters to detect.

3. Abusing redirections and URL shorteners

Time is of the essence in phishing. To lull victims into thinking that nothing is awry, phishers redirect them to a legitimate webpage after the phishing attack. For example, after a user enters their Office 365 credentials on a phishing page, they are directed to Office365.com or another Microsoft webpage.

Another form of redirect abuse, “time-bombing,” is a phishing technique that involves creating a URL redirect from a legitimate webpage to a phishing page. Time-bombing is highly effective because the email contains a legitimate Microsoft link at the time of delivery, when it is initially scanned by an email filter; the redirect to the phishing page is only created after the email has been successfully delivered to the victim.

In another phishing technique designed to obfuscate a known phishing URL, phishers use URL shorteners such as TinyURL and Bitly. These free tools transform long URLs into shortened URLs—aliases that have no resemblance to the original URL. Most email filters that are scanning for a signature will not recognize it in a shortened phishing URL.
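The delivery-time versus click-time gap described in the last three paragraphs, as an added example that is not part of the original article and not Vade's code: a small Python resolver that follows a link's redirect chain and allows it only when the final destination is on a trusted host. Live HTTP responses are replaced by two constructed redirect tables, one for the state at delivery and one for the state at click time; every host, URL and allow-list entry in it is made up for the example.

```python
# Added example: resolving a link's redirect chain at click time, not only at delivery.
from urllib.parse import urlparse

MAX_HOPS = 10

# Constructed allow-list of hosts the organisation treats as safe destinations.
TRUSTED_HOSTS = {"www.example.com", "login.example.com"}
# Public shorteners named in the text: an alias says nothing about where it ends up.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly"}

# Constructed redirect tables standing in for live HTTP 3xx responses (url -> next url).
# At delivery time the link on the trusted host does not redirect anywhere yet.
DELIVERY_TIME_REDIRECTS = {
    "https://tinyurl.com/o365-notice": "https://login-verify.invalid/o365",
}
# By click time the redirect has been armed ("time-bombing"); the shortener is unchanged.
CLICK_TIME_REDIRECTS = {
    "https://www.example.com/r/qa7x": "https://login-verify.invalid/o365",
    "https://tinyurl.com/o365-notice": "https://login-verify.invalid/o365",
}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def resolve_chain(url, redirects, max_hops=MAX_HOPS):
    """Follow url through the redirect table.

    Returns (final_url, chain, error) where error is None, "loop" when a hop
    repeats, or "too_many_hops" when the chain would exceed max_hops."""
    chain, seen, current = [url], {url}, url
    while current in redirects:
        nxt = redirects[current]
        if nxt in seen:
            return current, chain, "loop"
        if len(chain) >= max_hops:
            return current, chain, "too_many_hops"
        chain.append(nxt)
        seen.add(nxt)
        current = nxt
    return current, chain, None


def verdict_for(final_url, error):
    """Allow only a chain that ends cleanly on a trusted host; anything else is blocked."""
    if error is not None:
        return "block"
    return "allow" if host_of(final_url) in TRUSTED_HOSTS else "block"


def assess_link(url, redirects):
    """Judge one link against a redirect table and summarise what was seen."""
    final_url, chain, error = resolve_chain(url, redirects)
    return {
        "url": url,
        "is_shortener": host_of(url) in SHORTENER_HOSTS,
        "final_url": final_url,
        "hops": len(chain) - 1,
        "error": error,
        "verdict": verdict_for(final_url, error),
    }


def compare_scan_times(url):
    """Judge the same link with the delivery-time table and with the click-time table."""
    return {
        "at_delivery": assess_link(url, DELIVERY_TIME_REDIRECTS)["verdict"],
        "at_click": assess_link(url, CLICK_TIME_REDIRECTS)["verdict"],
    }


if __name__ == "__main__":
    for link in ("https://www.example.com/r/qa7x",
                 "https://tinyurl.com/o365-notice",
                 "https://www.example.com/privacy"):
        print(link, compare_scan_times(link))
```

The time-bombed link is allowed by the delivery-time table and blocked by the click-time one, which is the whole point: a verdict reached once at delivery cannot be trusted for the lifetime of the message, so link resolution belongs at click time (for example by rewriting links so that each click passes through a resolver). A shortener alias is never judged by its own host's reputation; it is expanded first and the final host is what counts. The loop and hop-count guards matter in practice, since a resolver that follows redirects forever is itself an easy denial-of-service target.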

4. Distorting brand logos

Like other elements of known phishing pages, logos include HTML attributes that can be detected by an email filter that is scanning for signatures. To avoid detection, phishers alter brand logos in ways that are invisible to the naked eye but unique to a filter. For example, by changing an HTML attribute such as color or shape by a single character, the signature will be different from a known phishing page, therefore unique. This slight change is enough to fool an email filter that scans for malicious content but cannot analyze the rendering of an image as a human would.

5. Confusing the filter with little content or excess noise

Some cybercriminals evade detection by including little to no content in their phishing emails. One version of this attack that we’re seeing more of is the use of an image instead of text, although this is not obvious to the victim. This is a common phishing technique used in sextortion emails, including the mass wave detected in 2018. With no content to scan, the filter could be fooled into thinking the email is safe. In the below example, the text you see is actually an image.

The opposite approach is to stuff an email with excess content or “noise.” This technique works because of the randomness of the code. It has no purpose, no meaning, and therefore confuses the filter. In the below example, the phisher stuffs the code with a line of dialogue from “Pulp Fiction”:
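One way to turn the checks from the "Identify phishing emails" list above (sender domain, salutation) and from techniques 1, 2 and 5 (legitimate-link padding, invisible text, image-only bodies) into code, as an added example that is not from any of the sources quoted on this page: a Python scanner built on the standard library's email and html.parser modules that reports each indicator separately and counts how many fired, since no single indicator is conclusive on its own. The allow-lists, the sample messages and every host in them are constructed for the example.

```python
# Added example: indicator scanner for HTML email (allow-lists and samples are constructed).
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_SENDER_DOMAINS = {"example.com"}                           # who we normally hear from
TRUSTED_LINK_HOSTS = {"www.example.com", "account.example.com"}  # where links may point
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear account holder")
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden", "font-size:0")
VOID_TAGS = {"img", "br", "hr", "input", "meta", "link"}


class BodyInspector(HTMLParser):
    """Collect links, image count, visible text and text hidden by inline CSS."""

    def __init__(self):
        super().__init__()
        self.links, self.images = [], 0
        self.visible_text, self.hidden_text = [], []
        self._stack = []          # one flag per open element: does it hide its content?
        self._hidden_depth = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        if tag == "img":
            self.images += 1
        if tag in VOID_TAGS:      # no end tag will follow, so do not track it
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        hides = any(marker in style for marker in HIDDEN_STYLE_MARKERS)
        self._stack.append(hides)
        if hides:
            self._hidden_depth += 1

    def handle_startendtag(self, tag, attrs):   # "<x/>" opens and closes at once
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self._stack and self._stack.pop():
            self._hidden_depth -= 1

    def handle_data(self, data):
        text = data.strip()
        if text:
            (self.hidden_text if self._hidden_depth else self.visible_text).append(text)


def inspect_message(raw):
    """Return (indicators, score); the score counts how many boolean indicators fired."""
    msg = message_from_string(raw, policy=policy.default)
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html",))
    insp = BodyInspector()
    insp.feed(body.get_content() if body is not None else "")
    insp.close()
    hosts = [(urlparse(h).hostname or "").lower() for h in insp.links]
    untrusted = sorted({h for h in hosts if h not in TRUSTED_LINK_HOSTS})
    trusted_count = sum(h in TRUSTED_LINK_HOSTS for h in hosts)
    opening = " ".join(insp.visible_text)[:60].lower()
    indicators = {
        "unknown_sender_domain": sender_domain not in KNOWN_SENDER_DOMAINS,
        "generic_salutation": opening.startswith(GENERIC_SALUTATIONS),
        # legitimate-link padding: brand links around an outside link do not make it safe
        "untrusted_link_among_trusted": bool(untrusted) and trusted_count >= 2,
        "untrusted_links": untrusted,
        "invisible_text": bool(insp.hidden_text),
        "image_only_body": insp.images > 0 and sum(map(len, insp.visible_text)) < 40,
    }
    return indicators, sum(v is True for v in indicators.values())


# Constructed sample messages, not real mail.
SUSPICIOUS_EMAIL = """\
From: Example Support <notice@example-support.invalid>
Subject: Action required: verify your mailbox
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Your mailbox is almost full. <a href="https://login-verify.invalid/o365">Sign in</a> to keep access.</p>
<p><a href="https://www.example.com/legal">Legal</a> | <a href="https://www.example.com/privacy">Privacy</a>
| <a href="https://account.example.com/preferences">Contact preferences</a></p>
<span style="display:none">filler text the reader never sees, varied per message</span>
</body></html>
"""
LEGITIMATE_EMAIL = """\
From: IT Helpdesk <helpdesk@example.com>
Subject: Saturday maintenance window
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Alex,</p><p>Mail will be offline 02:00-04:00 on Saturday; see the
<a href="https://www.example.com/status">status page</a> for progress.</p></body></html>
"""
IMAGE_ONLY_EMAIL = """\
From: Billing <billing@example-support.invalid>
Subject: Invoice
Content-Type: text/html; charset="utf-8"

<html><body><img src="cid:invoice" alt=""></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("legitimate", LEGITIMATE_EMAIL),
                      ("image-only", IMAGE_ONLY_EMAIL)):
        print(name, inspect_message(raw))
```

The suspicious sample trips four indicators (unknown sender domain, generic salutation, an untrusted link surrounded by trusted ones, and hidden text), the legitimate one trips none, and the image-only one trips two. The "untrusted link among trusted" rule is the direct answer to technique 1: the presence of several real brand links is treated as a reason to look harder at the remaining link, not as evidence that the message is clean. A production filter would also render the HTML and compare the visible result against known brand templates, which is what the logo-distortion technique in section 4 is designed to defeat at the attribute level.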

What can you do to protect your clients?

The increasing sophistication of phishing attacks mandates more sophisticated countermeasures. Traditional email filters are not enough. Clients that use Microsoft 365 need to add another layer of phishing protection to protect themselves from these types of phishing attacks.

Vade for M365 scans for the above phishing techniques by crawling URLs and webpages in real-time, identifying the signature obfuscation methods that EOP and SEGs will miss.

