Imagine this email subject line: “Click Here To Claim Your Two Night Stay at Marriott Hotels.” Would you read an email because of a subject line like this? It’s an attractive offer, and a message much like it was emailed to millions of people. The problem is that the offer was fake, and part of a more intelligent phishing attack designed to take advantage of a recent real Marriott International breach that affected approximately 5.2 million guests. This very sophisticated phishing campaign first referenced the January 2020 breach -- a true and widely publicized story -- and followed it up with the fake offer.
Phishing Is Your Biggest Threat
Phishing, researchers say, is the number one “attack vector” affecting enterprises, mostly because it works. And while it’s no surprise that cyber criminals are coming up with new tactics for those phishing attacks, what is very surprising is the depth, intelligence and sophistication used in these new attacks, including advanced psychological techniques.
The Marriott 2018 Data Breach
According to an article in Security Boulevard, the Marriott 2018 data breach “may have taken personal details such as names, birthdates, and telephone numbers, along with language preferences and loyalty account numbers,” which gives cyber criminals additional credible information for future attacks. Imagine, for example, a subsequent Happy Birthday email offering you a free night’s stay to celebrate your birthday. It could look very convincing.
But in this case, Marriott announced in its own press release that it “is sending emails to guests involved.” To Marriott customers who are aware of the original breach and this specific announcement, the phishing email looks very authentic.
We predict that there will be more phishing campaigns leveraging the news of other hacks and breaches to make their attacks look more legitimate as well. But the increasing sophistication of cybercriminals gets even more clever than this.
Making More Intelligent Phishing Attacks More Believable
Leveraging real breach news is one way that cybercriminals are making more intelligent phishing attacks, but there are others. If you’ve ever negotiated a deal on a new car in a buyer’s market, you know that your willingness to walk away from the deal puts you in control of the negotiations. The same holds true for the sales representative in a seller’s market: If the buyer is not willing to meet the price, all the seller has to do is threaten to take away the offer.
According to ThreatPost Magazine, there’s a new phishing technique that uses CAPTCHA challenges to actually prevent users from accessing a phishing site. This may seem as counterintuitive as leaving a negotiation that you’d like to win, but it’s actually quite clever.
The ThreatPost article describes how users are exposed to not one, but three separate CAPTCHA challenges, and quotes researchers at Menlo Security who gave two reasons for the effectiveness of this technique:
- CAPTCHA prevents security spiders from identifying these dangerous phishing sites
- CAPTCHA is used by legitimate “benign” websites, not fake sites. In other words, the user assumes the site must be legitimate if it’s using a CAPTCHA challenge.
But we recognize a third reason for this technique being effective:
- CAPTCHA, especially repeated CAPTCHAs, may frustrate users such that once they succeed at answering the challenges, they will be more eager to fill out the credential screen and less aware of the deception that is part of every phishing site.
Thinking back to the car sales analogy, it’s as though the seller has rescinded the offer twice, but finally agrees to your terms. You can imagine yourself eagerly filling out the contract terms.
So not only does this technique help the phishing site hide, but it also convinces the victim that the site is legitimate and makes the victim more eager to comply.
That’s a dangerous combination.
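The first of the three reasons above (hiding from security crawlers) suggests a crawler-side countermeasure: a page that is nothing but a CAPTCHA widget, repeated several times before a password form appears, is itself a signal. The heuristic below is an added illustration written for this article, not code from Menlo Security or ThreatPost; the HTML pages it scores are constructed samples, and the thresholds (fewer than 40 visible words, at most 2 links, at least 2 consecutive gates) are assumptions a scanning team would tune.

```python
import re
from html.parser import HTMLParser

# Markers of the two most common CAPTCHA widgets (assumed list; extend as needed).
CAPTCHA_MARKERS = ("www.google.com/recaptcha", "hcaptcha.com", "g-recaptcha", "h-captcha")

class _PageFeatures(HTMLParser):
    """Counts visible words, anchor links and password inputs, skipping script/style text."""
    def __init__(self):
        super().__init__()
        self.words, self.links, self.password_fields, self._skip = 0, 0, 0, False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip = True
        elif tag == "a" and a.get("href"):
            self.links += 1
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False
    def handle_data(self, data):
        if not self._skip:
            self.words += len(data.split())

def captcha_gate_score(html: str) -> dict:
    """Feature vector for one fetched page; 'captcha_only_gate' is True when the page is
    essentially a bare CAPTCHA interstitial (widget present, almost no text, no navigation)."""
    p = _PageFeatures()
    p.feed(html)
    lower = html.lower()
    hits = sum(lower.count(m) for m in CAPTCHA_MARKERS)
    gate = hits > 0 and p.words < 40 and p.links <= 2
    return {"captcha_widgets": hits, "words": p.words, "links": p.links,
            "password_fields": p.password_fields, "captcha_only_gate": gate}

def flags_repeated_gate(pages: list, min_gates: int = 2) -> bool:
    """True when a crawl chain shows >= min_gates consecutive CAPTCHA-only gates and then
    lands on a page with a password field: the repeated-CAPTCHA-then-credentials pattern."""
    gates = 0
    for html in pages:
        f = captcha_gate_score(html)
        if f["captcha_only_gate"]:
            gates += 1
            continue
        return gates >= min_gates and f["password_fields"] > 0
    return False

# Constructed sample pages (not captured from any real site).
CAPTCHA_GATE = """<html><body><form><div class="g-recaptcha" data-sitekey="X"></div>
<script src="https://www.google.com/recaptcha/api.js"></script><button>Verify</button></form></body></html>"""
LOGIN_PAGE = """<html><body><h1>Sign in to your loyalty account</h1>
<form><input name="email"><input type="password" name="pw"><button>Sign in</button></form></body></html>"""
HOMEPAGE = """<html><body><nav><a href="/rooms">Rooms</a><a href="/deals">Deals</a><a href="/help">Help</a></nav>
<p>Welcome to our hotel booking site. Browse destinations, compare rates and manage your reservation.</p></body></html>"""
```

A single CAPTCHA in front of a login page is normal and is deliberately not flagged; only the chain of bare gates ending in a credential form trips the heuristic.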
Could Your Users Resist These More Intelligent Phishing Techniques?
The first example above was a travel site, but it could just as easily resemble a recently hacked bank website, such as Bank of America (hack reported in May 2020 related to PPP applications), CitiFinancial, Wells Fargo and others. It could also be a health-related organization, such as American Medical Collection Agency, lab sites like Quest Diagnostics, or other breaches involving health data records.
Imagine having your best employee fall for one of these more intelligent phishing attacks, and the damage it could do to your own company (thousands or millions being wired to the criminals’ bank accounts) or to your medical practice (the breach of thousands of HIPAA-protected medical records).
Awareness Training Educates Your Staff
We have many techniques for protecting your business from breaches and hacks, including the more intelligent phishing techniques described here. Firewalls prevent direct attacks on your networks. Advanced Endpoint Protection protects individual workstations and devices from malware. Our Advanced Web Protection can even identify phishing sites. And we have a dozen other methods of protecting your organization from threats. But if your staff unknowingly cooperates and forfeits credentials to valuable resources -- especially on personal or unprotected devices -- the attack has a good chance of getting through.
It’s as though your staff has unwittingly joined the attacker’s team.
That’s why we recommend Awareness Training for all of our clients. Because C-level executives are prime targets for phishing attacks, the training consists of a series of lessons that teach your staff at all levels, from clerical and maintenance staff up to the CEO. And not only do we offer the training, but we offer a console to help you organize and manage the enrollment of each of your employees, and the refresher training needed to keep your staff aware of the latest threats.
If you have cybersecurity insurance, and certainly if your company is required to follow HIPAA regulations, Awareness Training is a required part of your cybersecurity plan.
Fight More Intelligent Phishing Attacks Today
Cybersecurity always feels like it’s too much until you discover that it’s not enough. Taking a few hours each week to keep your company safe may seem like too much, but you’ll know for sure that whatever you’re doing now is not enough once your company falls victim to a more intelligent phishing attack. As important as Awareness Training is, it’s not nearly as expensive as you might think, and is even added at no additional cost to some of our cybersecurity packages. Contact us online or call us today at 818-913-1335 and let’s talk about protecting your business from a phishing disaster.