Hurricanes, Politics, and Sports: How to Defend Against Juicy, Topical Phishing Campaigns

Hurricane season 2019 is now upon us. Between now and mid-autumn, there will be storms whose devastation will disrupt people’s lives. Unfortunately, there will also be fraudsters who’ll attempt to capitalize on those disaster victims’ misery.

The Cybersecurity and Infrastructure Security Agency (CISA) is well aware of these despicable characters. In years past, it dealt with phishing campaign scams following hurricanes Harvey, Florence, Matthew, Irene, and others. Given that collective experience, it’s no wonder the DHS agency decided back in May to warn users to be on the lookout for fraudulent emails targeting hurricane victims and potential donors.

As quoted in its advisory:

Fraudulent emails commonly appear after major natural disasters and often contain links or attachments that direct users to malicious websites. Users should exercise caution in handling any email with a hurricane-related subject line, attachments, or hyperlinks. In addition, users should be wary of social media pleas, texts, or door-to-door solicitations relating to severe weather events.

All’s Fair in Love and Phishing

I wish those tips were enough for organizations to protect themselves and their users against phishing campaigns. But defending against phishing attacks is just not that simple. Indeed, the problem is that fraudsters aren’t just capitalizing on hurricanes and other natural disasters. They’re constantly looking for all kinds of topical issues around which they can craft phishing campaigns, seize upon users’ interest in a high visibility story, and end up stealing credentials or infecting the victims’ systems with malware.

Here are just a few topical phishing operations that have recently circulated the web:

  • Election Scams: In October 2018, the Better Business Bureau (BBB) warned consumers to beware of scams seizing on the buzz surrounding the U.S. mid-term elections. BBB identified three types of political ploys commonly employed by criminals around election time. The first leverages phone calls and fake fundraisers to pressure users into contributing to urgent campaign issues such as healthcare reform. Second, individuals posing as pollsters collect consumers’ personal and financial information under the guise of filling out a campaign survey and entering to win a prize for their participation. Lastly, scammers use soundbites of real candidates to trick users into connecting with one of their “agents” over the phone and making what they believe is a campaign contribution.
  • Sporting Event Ruses: Fraudsters have always had a particular interest in preying upon the fans of significant sporting events such as the Olympics, the FIFA World Cup, the U.S. Open, and the World Golf Championships-FedEx St. Jude Invitational. Case in point: digital criminals spent a year leading up to the 2014 World Cup targeting Brazilians with the made-up offer of lottery-won tickets to the event. In all, they launched 87,776 phishing attempts containing trojans. Those attacks that went after the banking sector between 19 May and 19 June 2014 helped make Brazil the most-targeted country in the world for digital attacks. As reported by SCMagazine, Brazil received four times as many attack attempts as Russia during that time period.
  • GDPR Attack: Per ZDNet’s reporting, security firm RedScan came across a phishing email that pretended to be from Airbnb. The fraudulent message assumed the recipients were Airbnb hosts and informed them that they could neither accept new messages nor send messages to guests until they accepted a new privacy policy as a result of GDPR. Those who clicked on the acceptance link found themselves redirected to a website that prompted them to enter their personal and financial information.

These are the phishing campaign attacks that have been documented, and they represent the lengths to which criminals will go. But you can imagine many other events taking place this summer that could also be likely targets: certainly all of the election activity in the US, and Brexit in the UK. There’s ongoing political tension between the US and China, North Korea, and Iran that could provide juicy fodder for a phishing attack. There’s extreme weather beyond the potential hurricanes mentioned earlier. There are financial events, such as interest rate changes, stock market results, IPOs, and more. The list goes on and on. And you can be sure that the phishers are considering all of them in an effort to fool just enough people to be successful.

Defending Against Phishing Campaigns

The variety of attacks illustrated above shows just how difficult it is for organizations to defend against phishing tricks using security awareness training alone. In response, many organizations decide to set up email security controls. But even these utilities aren’t foolproof. Criminals take a sophisticated approach towards evaluating potential topics: email send times, delivery as well as open and click-through rates in an ongoing effort to determine what works. They also configure HTML emails to download malware automatically – essentially a drive-by attack – as soon as the email content is rendered, even in preview mode, and even if the user never clicks on anything in the email.

And let’s face it: some attacks are difficult to spot. As a result, if the topic and the time of arrival in an inbox are right, there is always a chance your users will be caught off guard.
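To make the render-time behaviour concrete, here is an added example (my own illustration, not code from the original post or from Lastline) that triages a message the way a mail gateway or client with HTML rendering disabled would look at it: it parses a constructed .eml, lists every resource the HTML part would fetch automatically on render (images, iframes, scripts, CSS url() references, meta refresh) separately from links that require a click, checks the subject against a list of topical lure terms, and falls back to the text/plain part. The sample message, the term list and the verdict thresholds are all constructed for the example, and every hostname uses the reserved .invalid TLD.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample lure (not a real campaign); all hosts use the reserved .invalid TLD.
SAMPLE_EML = b"""\
From: "Relief Fund" <donate@example.invalid>
To: user@example.invalid
Subject: Urgent: Hurricane relief donations needed
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please donate to hurricane victims today.

--b1
Content-Type: text/html; charset=utf-8

<html><body>
<img src="http://tracker.example.invalid/pixel.gif?id=1234" width="1" height="1">
<iframe src="http://drop.example.invalid/landing" width="0" height="0"></iframe>
<div style="background:url('http://cdn.example.invalid/bg.png')">
<a href="http://donate.example.invalid/give">Donate now</a>
</div>
</body></html>
--b1--
"""

# Assumed list of topical lure terms; a real deployment would keep this current.
TOPICAL_TERMS = ("hurricane", "storm", "relief", "donate", "election", "gdpr", "world cup")

# Tag -> attribute that a mail client fetches as soon as the HTML is rendered.
AUTO_LOAD_ATTRS = {
    "img": "src", "iframe": "src", "script": "src", "embed": "src",
    "source": "src", "video": "src", "audio": "src",
    "link": "href", "object": "data",
}


class ResourceScanner(HTMLParser):
    """Separates resources loaded on render (no click needed) from clickable links."""

    def __init__(self):
        super().__init__()
        self.auto_load = []  # (kind, url) fetched automatically when rendered
        self.links = []      # (kind, url) that need a user click

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = AUTO_LOAD_ATTRS.get(tag)
        if attr and a.get(attr):
            self.auto_load.append((tag, a[attr]))
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.auto_load.append(("meta-refresh", a.get("content") or ""))
        if tag == "a" and a.get("href"):
            self.links.append(("a", a["href"]))
        # Inline CSS can also trigger fetches on render: background:url(...)
        for url in re.findall(r"url\(\s*['\"]?([^'\")]+)", a.get("style") or ""):
            self.auto_load.append(("css-url", url))


def topical_terms(subject: str, terms=TOPICAL_TERMS) -> list:
    """Return the lure terms that appear in the subject line."""
    s = subject.lower()
    return [t for t in terms if t in s]


def triage(raw: bytes) -> dict:
    """Parse a raw message and report what would happen if it were rendered as HTML,
    plus the text/plain fallback a client with HTML rendering disabled would show."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    scanner = ResourceScanner()
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        scanner.feed(html_part.get_content())
    plain_part = msg.get_body(preferencelist=("plain",))
    plain_text = plain_part.get_content() if plain_part is not None else ""
    attachments = [p.get_filename() for p in msg.iter_attachments()]
    topical = topical_terms(subject)
    # Constructed policy: topical subject plus render-time fetches or attachments -> hold.
    if topical and (scanner.auto_load or attachments):
        verdict = "hold"
    elif topical or scanner.auto_load:
        verdict = "review"
    else:
        verdict = "pass"
    return {
        "subject": subject,
        "topical_terms": topical,
        "auto_load": scanner.auto_load,
        "links": scanner.links,
        "attachments": attachments,
        "plain_text": plain_text,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EML)
    print(f"{report['verdict'].upper()}: {report['subject']}")
    for kind, url in report["auto_load"]:
        print(f"  fetched on render ({kind}): {url}")
    for kind, url in report["links"]:
        print(f"  needs a click ({kind}): {url}")
```

The point of the split between `auto_load` and `links` is the one the paragraph above makes: the tracking pixel, the hidden iframe and the CSS background would all be requested the moment the message is displayed, even in a preview pane, while the "Donate now" link waits for a click. Feeding the gateway the `plain_text` field instead of the HTML part is the programmatic equivalent of turning HTML rendering off.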

The problem, of course, is that a criminal rarely stops once they’ve been successful in getting an unsuspecting user to take the bait. They can use stolen credentials to access personal or corporate accounts. And often their original target is meaningful only as an initial compromise; a foot in the door. To be successful, the criminal looks to move laterally within the network, arrive at their true destination and then exfiltrate sensitive data.

To prevent digital criminals from realizing these goals, start with having your employees turn off HTML rendering in both business and personal email. I also encourage organizations to consider a network threat detection solution that can detect suspicious or anomalous activity that follows the initial compromise. This tool should ideally do several things.

  • Spot anomalies and catch suspicious activity quickly before it spirals out of control and evolves into a data breach.
  • Specifically, pay attention to signs of lateral movement. That’s because digital attackers often compromise a landing system through a phish but then move laterally across the network to their intended destination.
  • Have access to and automatically incorporate threat behavior data in the fight against phishing attacks. If not, the tool will likely flag anomalous, yet benign events as malicious. This will send security professionals down a number of rabbit holes as they waste their time investigating false positives.
  • Facilitate rapid response to detected threats, either through automated blocking techniques or high-fidelity alerts that provide analysts with every detail about the scope of the attack so they can thoroughly remediate it.
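As an added illustration of the second and third bullets (my own example, not code from the original post or from Lastline's product), the following script runs a simple lateral-movement detector over constructed flow records: it looks for a source that reaches an unusual number of distinct internal hosts over administrative protocols (SMB, RDP, WinRM, SSH, RPC) within a short window, and suppresses peers that a learned baseline of normal admin traffic already explains. The flow records, the baseline, the port mapping and the thresholds are all constructed for the example; running the same detector without the baseline shows the false positive on the jump host that the baseline removes.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping of ports commonly used for administrative (and lateral) traffic.
LATERAL_PORTS = {445: "smb", 3389: "rdp", 5985: "winrm", 22: "ssh", 135: "rpc"}

# Constructed flow records: (src, dst, dst_port, timestamp). Not real traffic.
FLOWS = [
    # Normal: workstations talking to the file server
    ("10.0.1.15", "10.0.1.5", 445, "2019-08-01T09:00:00"),
    ("10.0.1.20", "10.0.1.5", 445, "2019-08-01T09:01:00"),
    # Normal: the admin jump host fans out over RDP during morning maintenance
    ("10.0.1.200", "10.0.1.15", 3389, "2019-08-01T09:05:00"),
    ("10.0.1.200", "10.0.1.20", 3389, "2019-08-01T09:06:00"),
    ("10.0.1.200", "10.0.1.21", 3389, "2019-08-01T09:07:00"),
    ("10.0.1.200", "10.0.1.22", 3389, "2019-08-01T09:08:00"),
    # Suspicious: a phished workstation suddenly reaches peers it never talks to
    ("10.0.1.15", "10.0.1.21", 445, "2019-08-01T10:02:00"),
    ("10.0.1.15", "10.0.1.22", 445, "2019-08-01T10:03:00"),
    ("10.0.1.15", "10.0.1.23", 3389, "2019-08-01T10:05:00"),
    ("10.0.1.15", "10.0.1.24", 5985, "2019-08-01T10:07:00"),
    # Noise: a single new peer stays below the threshold; web traffic is ignored
    ("10.0.1.20", "10.0.1.21", 445, "2019-08-01T11:00:00"),
    ("10.0.1.20", "8.8.8.8", 443, "2019-08-01T11:01:00"),
]

# Constructed baseline: internal peers each host is known to reach over admin protocols
# (in practice learned from a prior observation period or from threat-behaviour data).
BASELINE_PEERS = {
    "10.0.1.15": {"10.0.1.5"},
    "10.0.1.20": {"10.0.1.5"},
    "10.0.1.200": {"10.0.1.15", "10.0.1.20", "10.0.1.21", "10.0.1.22"},
}


def _is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip).is_private


def detect_lateral_fanout(flows, baseline, window=timedelta(minutes=10), threshold=3):
    """Return one alert per source that contacts at least `threshold` distinct internal
    peers outside its baseline, over admin protocols, within any `window`-long period."""
    candidates = defaultdict(list)
    for src, dst, port, ts in flows:
        if port not in LATERAL_PORTS or src == dst or not _is_internal(dst):
            continue
        if dst in baseline.get(src, set()):
            continue  # behaviour already explained by the baseline
        candidates[src].append((datetime.fromisoformat(ts), dst, LATERAL_PORTS[port]))

    alerts = []
    for src, events in sorted(candidates.items()):
        events.sort()
        for t0, _, _ in events:
            in_window = [e for e in events if t0 <= e[0] <= t0 + window]
            peers = sorted({dst for _, dst, _ in in_window})
            if len(peers) >= threshold:
                alerts.append({
                    "src": src,
                    "window_start": t0.isoformat(),
                    "new_peers": peers,
                    "protocols": sorted({proto for _, _, proto in in_window}),
                })
                break  # one alert per source is enough to start an investigation
    return alerts


if __name__ == "__main__":
    for a in detect_lateral_fanout(FLOWS, BASELINE_PEERS):
        print(f"ALERT {a['src']} from {a['window_start']}: "
              f"{len(a['new_peers'])} new internal peers via {','.join(a['protocols'])}")
```

With the baseline applied, only the phished workstation 10.0.1.15 is reported; the jump host's four RDP sessions are expected behaviour and stay silent. Pass an empty baseline instead and the jump host is flagged too, which is exactly the anomalous-but-benign rabbit hole the third bullet warns about. The alert carries the peer list and protocols so an analyst can scope the incident without re-querying the flow store.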

Lastline’s network detection & response solution is capable of monitoring the network for signs of lateral movement from assets that bad actors might have initially compromised using a successful phish. One way it succeeds in this regard is with the help of its Global Threat Intelligence Network. This body of threat data automatically and continually receives updates whenever any of Lastline’s customers or partners detects an attack. Lastline then shares that information with all other customers, thereby improving their ability to detect a similar attack and prevent email phishing campaigns from being delivered. Finally, Lastline has integrations with scores of technology partners to facilitate automatic response, disrupting the further spread of the attack.

Brian Laing

For more than 20 years, Brian Laing has shared his strategic business vision and technical leadership with a range of start-ups and established companies in various executive level roles. The author of “APT for Dummies,” he was previously vice president of AhnLab, where he directed the US operations of the internationally known security and software leader. Brian previously founded Hive Media where he served as CEO. He co-founded RedSeal Systems, where he conceived the overall design and features of the product and was granted two patents related to network security. He was also founder and CEO of self-funded Blade Software, who released the industry’s first commercial IPS/FW testing tool.