New Phishing Attack

This week we [Layer3] have seen a new phishing attack being launched within New Zealand, and it’s a zinger.

Scammers and hackers are getting smarter. Having a good firewall, antivirus and spam filtering within your organisation only goes so far towards stopping phishing attacks. What we’ve seen this week goes beyond traditional security measures, breaking out of the box to trick end users into entering their credentials.

I’ve blanked out the name to protect the victim. This is a real email I received today.

Here’s how it works:

Initial email

You receive an email with an attachment, asking you to open it. We’ve all had these, but this one is a little different.


So far, it looks normal. The email address here is legit (I’ve checked the technical details). So you click the attachment.

Link

The attachment is another email. When you open it, there appears to be a toolbar with another attachment. This isn’t an attachment, it’s a link. The link takes you to a legitimate Microsoft OneDrive account, which is still active at the time of writing. Because the link points at a genuine Microsoft service, your security software and firewalls will not detect any malicious behaviour.


The link is legitimate


OneDrive PDF Attachment

Now you are viewing a PDF attachment on a legitimate Microsoft OneDrive account.


This PDF in turn contains another link, to download a PDF. This is where the attack happens: the link sends you to a credential harvesting page asking you to log in with Office 365 or with your Google account.


Upon selecting your provider, in this case Office 365, you are prompted for your credentials.


The link for this site is:

[Screenshot: the URL of the login page]

This is not a legitimate website.

If you have entered your information, your account has now been compromised.
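One defender-side check for the first stage of this chain: an email attached to an email, where the only "attachment" inside is a link into a legitimate file-sharing service. This is an added example, not Layer3's tooling; the OneDrive host names and the sample addresses are assumptions, and the message it inspects is constructed inline.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Hosts of legitimate file-sharing services abused by this chain; the post names
# Microsoft OneDrive, the specific host names here are my assumption.
SHARING_HOSTS = {"onedrive.live.com", "1drv.ms"}
URL_RE = re.compile(r'https?://[^\s"\'<>)]+', re.IGNORECASE)

def links_in_attached_emails(msg):
    """URLs found in the text bodies of every message/rfc822 attachment."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() != "message/rfc822":
            continue
        inner = part.get_content()  # the attached email itself
        for sub in inner.walk():
            if sub.get_content_maintype() == "text":
                urls.extend(URL_RE.findall(sub.get_content()))
    return urls

def analyse_email(raw):
    """Flag the post's pattern: an attached .eml whose visible 'attachment'
    is really a link into a file-sharing service."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    nested = any(p.get_content_type() == "message/rfc822" for p in msg.walk())
    urls = links_in_attached_emails(msg)
    return {
        "nested_email": nested,
        "sharing_links": [u for u in urls if urlparse(u).hostname in SHARING_HOSTS],
    }

def build_sample():
    """Constructed sample: outer mail carrying an inner .eml whose HTML body
    shows a fake 'Invoice.pdf' attachment that is actually a OneDrive link."""
    inner = EmailMessage()
    inner["Subject"] = "Invoice attached"
    inner.set_content('<p><a href="https://onedrive.live.com/'
                      'example-share">Invoice.pdf</a></p>', subtype="html")
    outer = EmailMessage()
    outer["From"] = "accounts@example.com"  # placeholder addresses
    outer["To"] = "user@example.org"
    outer["Subject"] = "Document for you"
    outer.set_content("Please open the attached message.")
    outer.add_attachment(inner)  # becomes a message/rfc822 part
    return outer.as_bytes()
```

A mail gateway or SIEM rule built on the same idea would quarantine or flag messages where both fields are set, rather than relying on the (legitimate) OneDrive URL being blocklisted.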

Conclusion

The simple solution is to have your staff trained. We engage our customers with free security seminars all year round. These are hands-on seminars aimed at engaging with staff to make them look at security differently.

Daniel Bohan showing staff how not to be reeled in

We also run phishing simulations on an ongoing basis to ensure staff and management stay vigilant.

If you’d like to see more of these sorts of stories, please let me know.
