Anatomy of a Phishing Scam
Recently, some hackers grew sloppy and exposed the tactics and results of a major phishing campaign.
The case, which was publicized by Check Point Research as an educational tool, offers a fascinating glimpse behind the scenes of a digital crime ring.
Like all phishing attacks, this one began with fraudulent email templates. In this case, the messages mimicked Xerox scan notifications and included a target company employee’s name or title in the subject line.
The bogus emails were sent through accounts that had been previously compromised so they would appear to be from legitimate sources. This is why you’re often warned that phishing attacks may appear to come from your boss—or your mom.
The key here is that in order for all this to take place, email recipients had to fall for the phishing message and click the HTML file. That’s a major error.
Apparently, though, it’s a mistake many people make—in this particular campaign, attackers successfully bypassed Microsoft Office 365 Advanced Threat Protection filtering and stole more than 1,000 corporate employees’ credentials, researchers noted.
Keep in mind that the world only learned of this phishing attack because the hackers failed to tie up a few loose ends, leaving a digital trail of their crime. That’s why it’s up to you to educate yourself about phishing, spotting the attacks … and never, ever clicking on links unless you’re certain of their legitimacy.
© National Security Institute, Inc. www.nsi.org