3 phishing attacks sneaking by IT’s defenses

IT pros know that phishing attacks are rampant. Most will train users to recognize the warning signs. But some recent attacks show that hackers are smart enough to try to stay one step ahead – and have devised attacks that can be successful even when users’ guards are up.


These attacks all use methods that might not raise red flags even among users who know the warning signs and typical patterns of phishing attacks. The attacks:

Make sure you take a careful look at these tactics, and advise your users about the ever-changing attacks.

Phish 1: Third-party delivery

There’s usually something that will tip off users that a phishing email isn’t quite right – a misspelled domain name or an unrecognized sender.

But at least one hacker has found a way around those warning signs, actually encouraging users to not only open a malicious attachment, but also forward it to other users in an organization.

How it worked: When companies posted jobs on the CareerBuilder website, hackers would apply with a resume attached.

But that resume actually contained malware.

Hiring managers would of course want to check out the document and even forward it to others in the company for their approval.

Essentially, the phishers relied on CareerBuilder’s trusted reputation to pass on the malware for them.

While CareerBuilder has fixed this flaw, other job posting sites or unrelated companies may also assist hackers by forwarding malicious content to their customers.

Best bet: Warn HR pros to be on the lookout for this kind of attack and urge them to use web-based forms instead of attached resumes.

And be sure to check the security features of all web-based services your company uses.

Phish 2: Spearphishing from within

One way phishers often try to trick users is by impersonating someone they know, such as a co-worker.

In a case covered here recently, however, the sender of the spearphishing emails actually was a known co-worker.

To recap: A former Department of Energy employee was indicted for trying to sell sensitive nuclear and weapons-related information to a foreign government, which he attempted to do by tricking his own co-workers into opening malicious email attachments.

This put systems in danger even though users are usually skeptical of suspicious emails. The sender is someone they know and work with, so many would let their guard down.

Fortunately, the FBI was aware of the situation ahead of time and was able to take steps to make sure the systems were protected.

But the intersection of two big security trends, internal threats and spearphishing, is bound to alarm IT pros everywhere.

Best bet: Make sure your security plan addresses internal threats of all kinds and make sure your email system scans for threats from internal and external emails.
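Both the resume attack in Phish 1 and the internal spearphishing in Phish 2 come down to the same control: attachment scanning that judges the content, not the sender. The script below is an added example, not code from the article or from any product it mentions; it assumes an organisation mail domain of `example.com`, uses Python's standard `email` library, builds two constructed sample messages, and flags executable or macro-enabled attachments (including double extensions such as `resume.pdf.exe`) with the same verdict whether the From: address is internal or external.

```python
"""Flag risky e-mail attachments regardless of whether the sender looks internal."""
import email
from email import policy
from email.message import EmailMessage

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Extensions that commonly carry executable content or macros (illustrative list).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".docm", ".xlsm", ".pptm"}


def is_internal_sender(msg) -> bool:
    """True if the From: address uses the organisation's own domain."""
    sender = msg.get("From", "")
    _, _, domain = sender.rpartition("@")
    return domain.strip("> ").lower() == INTERNAL_DOMAIN


def flagged_attachments(msg) -> list:
    """Return (filename, reason) for every attachment considered risky."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            reason = "executable or macro-enabled attachment"
            if name.count(".") > 1:
                # resume.pdf.exe: the real type is the last extension.
                reason = "double extension disguises " + reason
            findings.append((name, reason))
    return findings


def assess(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and decide whether to quarantine it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = flagged_attachments(msg)
    return {
        "sender": msg.get("From", ""),
        "internal": is_internal_sender(msg),
        "findings": findings,
        # The verdict depends only on content, never on who sent it.
        "quarantine": bool(findings),
    }


def build_sample(sender: str, filename: str, payload: bytes) -> bytes:
    """Construct a sample message with one attachment (test data, not real mail)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "hr@example.com"
    m["Subject"] = "Application"
    m.set_content("Please see attached.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    # A trusted co-worker forwarding a disguised executable is still quarantined.
    print(assess(build_sample("colleague@example.com", "resume.pdf.exe", b"MZ...")))
    # An outside applicant sending a plain PDF passes.
    print(assess(build_sample("applicant@mail.invalid", "resume.pdf", b"%PDF-1.4")))
```

The point of `assess` is that `internal` is reported but never consulted when computing `quarantine`; a real gateway would also inspect file magic bytes and sandbox the file, but the policy decision of treating internal mail like external mail is the part the article is recommending.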

Phish 3: Hacking legitimate sites

When a phishing email redirects users to a malicious website, the damage might already be done – these sites can often install malware with little or no interaction from users.

And phishers may have found a way to make it even more likely users will visit these sites.

Rather than redirecting to a fake, malicious site, a recent attack involved hacking a legitimate, trusted site, loading it with malware, then directing users to visit the site.

The attack may have even targeted the White House and U.S. Department of State.

Best bet: Urge users to be skeptical of strange messages that prompt them to visit any site – whether it’s one they’ve been to before or not.
