Supply Chain Defense
An Uptick in Phishing Attacks
“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.
Over the past four months, remote workers have faced over 100K phishing attacks. A report from Barracuda Networks estimates around 65% of the phishing attacks observed involved the Google brand. Microsoft branded sites account for around 13%.
The form-based phishing attacks applied various methods including:
- Using legitimate sites as intermediaries,
- Using online forms for phishing, and
- Getting access to accounts without the use of passwords.
Other brands used to target remote workers included sendgrid.net, which contributed to 10% of the phishing attacks. Mailchimp.com and formcrafts.com accounted for 4% and 2%, respectively.
Barracuda Networks senior product marketing manager for email, Olesia Klevchuk, said cybercriminals prefer to use Google’s services because they are more accessible, free to use, and allow users to create multiple accounts. She added that the methods criminals use, such as sending a phishing email with a link to a legitimate site, make it harder to detect these forms of phishing attacks.
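Because the link in these messages points at a legitimate form-hosting site, domain reputation alone will not catch it. A useful SOC triage check is to pull every anchor out of the HTML body and flag two things: links that land on a known form-hosting service, and anchors whose visible text shows one hostname while the href goes to another. The following is an added example written for this post, not code from BlueVoyant or Barracuda; the watchlist of form services and the sample mail body are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed watchlist (not from the article): form-hosting services, given as
# (host, path prefix). Legitimate account-security mail rarely links to these.
FORM_SERVICES = [
    ("docs.google.com", "/forms/"),
    ("forms.gle", "/"),
    ("forms.office.com", "/"),
    ("formcrafts.com", "/"),
]


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_form_service(url):
    """True if the URL points at one of the watchlisted form-hosting services."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    for svc_host, prefix in FORM_SERVICES:
        same_host = host == svc_host or host.endswith("." + svc_host)
        if same_host and (p.path or "/").startswith(prefix):
            return True
    return False


def analyze_links(html_body):
    """Return (finding, href) pairs for links that deserve a second look."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if is_form_service(href):
            findings.append(("form-host-link", href))
        # Anchor text that shows one hostname while the href goes to another.
        m = re.search(r"https?://([^/\s]+)", text)
        if m and m.group(1).lower() != (urlparse(href).hostname or "").lower():
            findings.append(("display-mismatch", href))
    return findings


# Constructed sample body; hosts under example.net / example.com are placeholders.
SAMPLE_BODY = """
<p>Your mailbox storage is full. To keep receiving mail, confirm your details:</p>
<a href="https://docs.google.com/forms/d/e/PLACEHOLDER/viewform">Verify your Microsoft 365 password</a>
<p>Or sign in directly at
<a href="https://login.example.net/">https://login.microsoftonline.com/</a></p>
<p><a href="https://www.example.com/help">Help Center</a></p>
"""

if __name__ == "__main__":
    for finding, href in analyze_links(SAMPLE_BODY):
        print(f"{finding}: {href}")
```

Run against the sample body, the first anchor is flagged as a form-host link and the second as a display mismatch, while the help-center link is left alone. In a real pipeline the watchlist would be tuned per tenant, since some organisations do send legitimate survey links through these services.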
Researchers at two different security firms are tracking separate phishing campaigns that are targeting customers of Wells Fargo and Bank of America. A report from security firm Armorblox revealed a phishing campaign that targeted a select group of Bank of America customers, in an effort to ensure malicious emails can bypass security protocols and reach the intended victim.
Abnormal Security researchers are investigating a much larger campaign aimed at Wells Fargo customers. According to their report, the threat actors are imitating the bank's security team and alerting victims with a fake message that if they don't update their security key, they will lose access to their account.
In both cases, the victims are directed to malicious domains where they are asked to input their credentials. The credentials are then harvested by the attackers. While neither report indicated the success of these campaigns, the Abnormal Security researchers noted the Wells Fargo phishing emails may have reached as many as 20,000 inboxes.
In the Bank of America campaign discovered by Armorblox, the threat actors sent phishing emails to customers asking them to update their email addresses. If the victim clicked on a malicious link embedded in the message, they were taken to a domain designed to look like the actual Bank of America login page. The domain, however, is controlled by the cybercriminals and collects usernames and passwords if those credentials are entered into the fields. (The phishing emails were sent from a personal Yahoo account via SendGrid.)
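Both campaigns depend on a host that looks like the bank's own domain but is not. A cheap detection that catches much of this is to normalise the link host (case, digit-for-letter substitutions, separators) and then test whether a brand token appears in a non-brand registrable domain or sits within a couple of edits of the second-level label. The block below is an added example for this post, not code from BlueVoyant, Armorblox or Abnormal Security; the brand table, the homoglyph map and the sample URLs are constructed assumptions, and the registrable-domain logic is deliberately naive (last two labels, no public-suffix list).

```python
from urllib.parse import urlparse

# Assumed data (not from the article): brand tokens and the registrable
# domains each brand legitimately uses for its login pages.
BRANDS = {
    "bankofamerica": {"bankofamerica.com", "bofa.com"},
    "wellsfargo": {"wellsfargo.com"},
}
# Digit/symbol substitutions commonly used to dress up a lookalike host.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})


def registrable(host):
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def normalize(label):
    """Fold case, homoglyph digits and separators so 'Wells-Farg0' -> 'wellsfargo'."""
    return label.lower().translate(HOMOGLYPHS).replace("-", "").replace("_", "")


def levenshtein(a, b):
    """Edit distance; small enough to inline rather than pull in a library."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(url, max_edits=2):
    """Return the brand a URL's host imitates, or None for the real domain / no match."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return None
    reg = registrable(host)
    flat = normalize(host.replace(".", ""))   # whole host, labels run together
    sld = normalize(reg.split(".")[0])        # second-level label only
    for brand, legit in BRANDS.items():
        if reg in legit:
            return None                       # the brand's own domain
        if brand in flat:
            return brand                      # brand token buried in a subdomain
        if levenshtein(sld, brand) <= max_edits:
            return brand                      # typosquat of the brand label
    return None


if __name__ == "__main__":
    # Constructed sample URLs; every non-brand host is a placeholder.
    for u in ["https://secure.bankofamerica.com/login",
              "https://bankofamerica.com-login.example/",
              "https://wells-farg0.example/update",
              "https://welsfargo.example/",
              "https://www.example.com/"]:
        print(u, "->", lookalike_brand(u))
```

The check is intentionally conservative: it returns None for the brand's real domain before any fuzzy matching runs, so a genuine secure.bankofamerica.com link never trips it. Raising max_edits catches more typosquats at the cost of more false positives on short brand names.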
In the Wells Fargo phishing campaign that Abnormal Security found, the threat actors attempted to steal customers' data, such as usernames, passwords, PINs and account numbers.
Victims received phishing emails that appeared to come from the Wells Fargo security team and asked customers to update their security key. Included in the email was an ICS calendar file, a format normally used to store scheduling information.
If the victim opens the calendar file, it contains a link to a SharePoint page, which then asks the target to open yet another webpage. This final page is the malicious domain controlled by the fraudsters and is designed to look like a legitimate Wells Fargo website. If customers' data is entered, it's collected by the attackers.
The report also notes that the calendar invite file is designed to encourage victims to click and asks that they open it up on their mobile device. According to Abnormal Security, "The attacker is attempting to exploit a setting where the event will automatically be added to a user's calendar. Most of these programs will send an automatic notification to the user and attackers hope that potential victims will click on the event and follow the malicious link. As a result, these attacks are more likely to be seen by recipients."
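An .ics attachment is plain text, so a mail gateway or SOC script can inspect it before a calendar client ever auto-adds the event. The two properties that matter for the behaviour described above are the calendar METHOD (REQUEST is what triggers the automatic add and notification in most clients) and any URL embedded in the event's text fields. The following is an added example for this post, not code from BlueVoyant or Abnormal Security; the trusted-host allowlist and the sample invite are constructed, and the host in the sample is a placeholder rather than a campaign indicator.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist (not from the article): hosts your own calendar invites
# legitimately link to. Anything else in an inbound invite gets flagged.
TRUSTED_HOSTS = {"calendar.example.com", "meet.example.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Properties whose values commonly carry a link in a VEVENT.
LINK_PROPS = ("DESCRIPTION", "URL", "LOCATION", "ATTACH", "SUMMARY")


def unfold(ics_text):
    """Undo RFC 5545 line folding: CRLF followed by a space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics_text)


def unescape(value):
    """Undo iCalendar text escaping for newlines, commas and semicolons."""
    return (value.replace("\\n", "\n").replace("\\N", "\n")
                 .replace("\\,", ",").replace("\\;", ";"))


def parse_events(ics_text):
    """Return a list of VEVENT dicts mapping property name -> list of raw values."""
    events, cur = [], None
    for line in unfold(ics_text).splitlines():
        if line == "BEGIN:VEVENT":
            cur = {}
        elif line == "END:VEVENT":
            events.append(cur)
            cur = None
        elif cur is not None and ":" in line:
            name, _, value = line.partition(":")
            name = name.split(";")[0].upper()      # strip parameters like ;VALUE=URI
            cur.setdefault(name, []).append(value)
    return events


def method_of(ics_text):
    """The calendar METHOD (REQUEST, PUBLISH, ...) or None if absent."""
    m = re.search(r"^METHOD:(\S+)", unfold(ics_text), re.MULTILINE)
    return m.group(1).strip().upper() if m else None


def inspect_ics(ics_text):
    """Findings for an inbound .ics: auto-add method and links to untrusted hosts."""
    findings = []
    if method_of(ics_text) == "REQUEST":
        findings.append("method-request: clients may auto-add the event and notify the user")
    for event in parse_events(ics_text):
        for prop in LINK_PROPS:
            for raw in event.get(prop, []):
                for url in URL_RE.findall(unescape(raw)):
                    url = url.rstrip(".,;)")       # drop trailing sentence punctuation
                    host = (urlparse(url).hostname or "").lower()
                    if host not in TRUSTED_HOSTS:
                        findings.append(f"untrusted-link in {prop}: {host}")
    return findings


# Constructed sample invite; the link host is a placeholder, not a real IoC.
# The DESCRIPTION line is folded (CRLF + space) the way real clients emit it.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//constructed sample//EN\r\n"
    "METHOD:REQUEST\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-001@example.invalid\r\n"
    "DTSTAMP:20200701T120000Z\r\n"
    "DTSTART:20200702T090000Z\r\n"
    "SUMMARY:Security key update required\r\n"
    "DESCRIPTION:Open this invite on your mobile device and follow\\n\r\n"
    " https://tenant-files.example.net/sites/update to continue.\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for finding in inspect_ics(SAMPLE_ICS):
        print(finding)
```

On the sample invite this reports both the REQUEST method and the untrusted host in DESCRIPTION. Unfolding before parsing matters: without it the folded continuation line would hide the URL from the property value, which is exactly the kind of gap a hand-built invite can exploit.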