Trustifi’s Anti-Bot Detection Stops Targeted Attacks Shrouded Inside of Known Global Sites

Over the past several weeks, Trustifi has identified a 250%-300% increase in email attacks in which hackers impersonate the targeted organization while hiding their malicious links behind known global sites (AWS, YouTube, Google Translate). This combination is unique. Trustifi successfully quarantined emails associated with this advanced phishing campaign across all its clients. The campaign has the following characteristics:

  1. To avoid detection, the attacker impersonates the organization’s domain and often sends the email from a newly created domain.
  2. The email content is designed to mimic a legitimate password expiration email and includes a link for users to reset their password.
  3. The email may include a Microsoft or Office 365 logo to deceive the recipient further.

Who is Impacted by this New Attack Method?

This attack strategy could impact every vertical market. Specifically, the campaign targets C-level executives or companies with HR or finance systems.

Why Is This Attack So Troublesome for Organizations?

  • This attack is not coming from one attacker. The new campaign combines multiple tactics to bypass security detection, which is why it is unique and different from the phishing attacks we are used to seeing.
  • The most important point is the abuse of YouTube and Google Translate. This is a new tactic, and it means that links belonging to known brands, which are not supposed to redirect anywhere, must now also be scanned, because here they redirect to the malicious link.
  • Hackers use Amazon.com as a disguise point to redirect from one site to another. Email security solutions do not see the second redirection, only the initial redirect to Amazon or YouTube.

How Does the Attack Work?

To host the malicious link, the attacker hides it inside AWS services or leverages YouTube or Google Translate to redirect users to the malicious website. The attacker may also use redirect services to obscure the final (malicious) link and evade detection.

  • To increase the email’s credibility, the attacker may use the recipient’s email address or the organization’s domain multiple times throughout the email subject and content.
  • Using multiple techniques to bypass email security systems, this phishing attack represents a significant threat to organizations and their sensitive data.
  • While analyzing these new attack methods, Trustifi Security researched the source of these phishing attacks. 93% of the phishing links currently emanate from Russian domains.

This new attack vector is difficult for most email security solutions to stop because most of the messages consist of a single image with little text.

Most security scanning tools will not stop this next-generation phishing attack because there is almost no text to analyze.

Clicking the link redirects through 2-3 websites, including the anti-bot check, before finally landing on the last phishing page.

Result of the Attack

If a person enters their credentials, the attacker uses them to steal their data. This can also lead to email account compromise, where the attacker sends emails on behalf of the victim. The phishing email links redirect users through a known public site such as Amazon, YouTube, or Google Translate.

How Did Trustifi Detect and Stop This Multi-Threaded Attack?

Trustifi successfully detects and quarantines this phishing campaign's emails by using multiple metrics, including headers and links. The mail-header metrics detect whether the email is impersonating the recipient's organization, or tag it as a pre-vishing attack (one that aims to make the recipient contact the sender).

The link may be tagged with multiple metrics depending on the attacker’s technique. The most common metrics are Trustifi proprietary phishing metrics, multiple-engine malicious tags, and new domain creation.

Most of the embedded links perform an anti-bot check: a way to detect whether the link was opened by a human or by a bot (that is, a security vendor's scanning machine).

If it detects that a bot has opened the link, it automatically redirects to a well-known, safe website such as Wikipedia.org or google.com; the scan then reports the link as safe, and the email reaches the recipient's mailbox.

Once the recipient clicks the same link, the anti-bot check identifies a human and redirects to the malicious link. Trustifi can detect and bypass those anti-bot checks to reach the final malicious link, terminating the attack before the recipient is redirected.

Trustifi constantly improves this metric, as new anti-bot detectors keep appearing.
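The two detection ideas described above (a trusted brand's URL carrying a foreign destination in its parameters, and an anti-bot hop that sends scanners and humans to different places) can be checked from the defender's side by following a link's redirect chain under two client profiles and comparing where each one ends. The Python below is an added example, not Trustifi's code or its detection metrics. The `.test` hostnames, the redirect map that stands in for the live web, the wrapper parameter name `u`, and the `TRUSTED_WRAPPERS` list are all constructed for the example; a real scanner would issue HTTP requests with different User-Agent strings, JavaScript support and source IPs instead of the `profile` label used here.

```python
"""Differential redirect-chain analysis for links hidden behind trusted sites.

Added example; not Trustifi's code. Everything under .test and the FAKE_WEB
map are constructed so the example runs offline with no network access.
"""
from urllib.parse import parse_qs, urlsplit

# Brand hosts that legitimately wrap or redirect to third-party URLs.
# Assumed list for the example; a real deployment maintains its own.
TRUSTED_WRAPPERS = {"translate.google.com", "www.youtube.com", "www.amazon.com"}

# Constructed stand-in for the live web: url -> {client profile -> next hop}.
# None means the URL is a final page. The anti-bot hop hands scanners a
# harmless site and browsers the credential-harvesting page.
FAKE_WEB = {
    "https://translate.google.com/translate?u=https://redir.example.test/r": {
        "scanner": "https://redir.example.test/r",
        "browser": "https://redir.example.test/r",
    },
    "https://redir.example.test/r": {
        "scanner": "https://www.wikipedia.org/",          # bot detected: look benign
        "browser": "https://reset.example.test/login",    # human: phishing page
    },
    "https://www.wikipedia.org/": {"scanner": None, "browser": None},
    "https://reset.example.test/login": {"scanner": None, "browser": None},
    # A benign brand link with no embedded URL and no onward redirect.
    "https://www.youtube.com/watch?v=constructed": {"scanner": None, "browser": None},
}


def fake_fetch(url, profile):
    """Return the next hop for `url` as seen by `profile`, or None if final."""
    return FAKE_WEB.get(url, {}).get(profile)


def embedded_urls(url):
    """Return http(s) URLs carried inside the query parameters of `url`."""
    query = urlsplit(url).query
    return [v for values in parse_qs(query).values() for v in values
            if v.startswith(("http://", "https://"))]


def follow_chain(fetch, url, profile, max_hops=10):
    """Follow redirects from `url` for one client profile; stop on loops or a final page."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = fetch(chain[-1], profile)
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def analyze_link(fetch, url):
    """Compare scanner and browser redirect chains and flag cloaking or brand wrapping."""
    host = urlsplit(url).hostname or ""
    scanner_chain = follow_chain(fetch, url, "scanner")
    browser_chain = follow_chain(fetch, url, "browser")
    embedded = embedded_urls(url)
    # Cloaking: the same link resolves to different final pages for bot and human.
    cloaked = scanner_chain[-1] != browser_chain[-1]
    # Wrapping: a trusted brand's URL is being used to carry a third-party destination.
    wrapped = host in TRUSTED_WRAPPERS and bool(embedded)
    if cloaked:
        verdict = "quarantine"
    elif wrapped:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "wrapper_host": host if host in TRUSTED_WRAPPERS else None,
        "embedded_urls": embedded,
        "scanner_final": scanner_chain[-1],
        "browser_final": browser_chain[-1],
        "cloaked": cloaked,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for link in FAKE_WEB:
        if link.startswith(("https://translate.google.com", "https://www.youtube.com")):
            print(link, "->", analyze_link(fake_fetch, link))
```

The key design point is that neither chain on its own is conclusive: the scanner-profile chain ends at Wikipedia and looks clean, which is exactly the outcome the anti-bot hop is built to produce. Only the disagreement between the two profiles exposes the cloaking, so a link scanner that fetches with a single, recognizably automated client will report these campaigns as safe.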

The Trustifi Answer to Business Email Compromise

BEC attacks are becoming commonplace, and if successful, they can cause significant financial damage to your company. Hence, it is vital to take action against such attacks and make your security airtight. Trustifi offers the most advanced email security service in the market today.

Why Trustifi?

Trustifi is a cybersecurity firm featuring solutions delivered on a software-as-a-service platform. Trustifi leads the market with the easiest-to-use and easiest-to-deploy email security products, providing both inbound and outbound email security from a single vendor.

As a global cybersecurity provider of both inbound and outbound email protection, Trustifi currently supports customers in countries including the USA, Canada, Brazil, the Dominican Republic, the UK, the Netherlands, India, the UAE, China, Japan, Cyprus, the Philippines, and more. The company has also developed “One-Click Compliance” capabilities that cater to security regulations worldwide, including PDPO for Hong Kong, POPI for South Africa, GDPR for Europe, and LGPD for Brazil.
