Phishers Are Finding New Ways to Bypass Email Gateways
By David Balaban
Phishing attacks are constantly expanding their reach. According to a 2019 report from Retruster, phishing cybercrimes account for 90% of data breaches. Malicious actors employ phishing emails to serve up malware and extract sensitive credentials, which causes billions of dollars in losses worldwide every year.
What is the security industry doing about it? A lot. Modern email services are equipped with gateways that filter suspicious messages based on red flags, such as links leading to suspicious sites and attachments hosting dangerous payloads.
Unfortunately, these countermeasures are not enough to fend off the threat. A few recently discovered phishing attacks were able to get around email gateways by incorporating benign services into the incursion chain.
Phishers Were Able to Abuse Google Drive
In mid-August, security researchers unveiled an intricate social engineering phishing campaign zeroing in on a company in the energy sector. The goal was to steal the employees’ credentials used for logging into the corporation’s IT resources. Although the organization uses Microsoft Exchange Online Protection, a popular email filtering instrument, the sketchy messages flew under its radar due to the involvement of Google Drive in the hoax.
The deceptive emails looked as if the CEO of the targeted organization had sent them. To draw the recipients’ attention and create a sense of urgency, the emails instructed recipients to open an “important message.”
Moreover, the bogus file was actually shared via Google Docs, Google’s trusted cloud-based word processing platform. This tactic is exactly what allowed the attackers to circumvent the company’s anti-fraud mechanisms.
Clicking the “Open in Docs” button embedded in the email body redirected the unsuspecting staff to a cloud-hosted document. That document, in turn, tried to dupe the recipients into following another link. The resulting page was a garden-variety phishing site disguised as a login form on which the would-be victims were supposed to enter their sensitive credentials. These details would then be sent instantly to the criminals’ server.
What prevented this attack from causing severe damage? The email address of the CEO who allegedly shared the document didn’t align with the company’s email naming pattern. Therefore, the employees questioned the legitimacy of the messages and didn’t proceed.
The only automated method to stop this type of attack is to use a network content-filtering solution that blocks newly registered websites. That way, the staff would not have been able to visit the phony login page, because its domain had been created only two weeks prior to the attack.
According to analysts who looked into this incident, the emails were created using a template readily available on the Dark Web. Nearly identical phishing messages had previously been observed in a campaign aimed at several educational institutions. Obviously, the Google Docs trick is now trending in the cybercriminal underground.
Malefactors Utilized WeTransfer Service to Fool Email Gateways
In a large-scale phishing campaign first spotted in July, crooks abused the file-hosting service WeTransfer to evade detection. WeTransfer allows users to share large files (up to 2 GB) for free and without registration; sharing larger amounts of data requires a paid subscription.
When someone shares a file via this service, an automatically generated notification shows up in the intended recipient’s email inbox. These alerts typically aren’t filtered due to the immaculate reputation of WeTransfer.
The attackers take advantage of WeTransfer to cloak their malicious URLs and make sure email gateways don’t flag the messages as potentially harmful. Companies across numerous industries, including banking and media, have been targeted in the ongoing phishing wave that revolves around this particular tactic.
Here’s the logic of this raid: Would-be victims receive an email notification saying that somebody has sent them files via WeTransfer. The message usually includes a brief description such as “upcoming project” or “invoice,” which is designed to make the victims curious and entice them to click the “Get your files” button. Since the source with the link is a legit WeTransfer page, email gateways won’t block it.
The file that the victim is duped into downloading is actually HTML code disguised as a PDF document. When the file is opened, the HTML sends the user's default web browser to the phishing site.
In most cases, the phishing site masquerades as a Microsoft sign-in page. The credentials the victim enters immediately go to the phishers, who then use that information to orchestrate data breaches and perform furtive reconnaissance within the host enterprise network.
All in all, this ruse will work unless the targeted organization’s email filters are configured to block file-sharing services like WeTransfer. But that is rarely the case.
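The two tells these incidents turn on, a sender address outside the organisation's own mail domains (the clue that saved the energy company) and an attachment named and typed as PDF whose bytes are really HTML (the WeTransfer lure), can both be checked mechanically at the mail gateway or in a triage script. The Python below is an added example, not code from the article or from any vendor product; the organisation domain, the lookalike domain and the sample message are constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

ORG_DOMAINS = {"example-energy.com"}  # assumed: the organisation's real mail domains
PDF_MAGIC = b"%PDF-"
HTML_MARKERS = re.compile(rb"<\s*(!doctype\s+html|html|script|meta\s+http-equiv)", re.I)

def sender_outside_org(msg, org_domains=ORG_DOMAINS):
    """True when the From: address domain is not an organisation domain.
    The display name ('CEO') is never trusted; only the address domain is checked."""
    _, addr = parseaddr(msg["From"] or "")
    return addr.rpartition("@")[2].lower() not in org_domains

def attachment_is_disguised_html(part):
    """True when a part is named or typed as PDF but its bytes are HTML, not %PDF-."""
    name = (part.get_filename() or "").lower()
    if not (name.endswith(".pdf") or part.get_content_type() == "application/pdf"):
        return False
    data = part.get_payload(decode=True) or b""
    return not data.startswith(PDF_MAGIC) and bool(HTML_MARKERS.search(data[:4096]))

def scan_message(msg):
    """Return the list of findings for one parsed message (empty when nothing is wrong)."""
    findings = []
    if sender_outside_org(msg):
        findings.append("sender domain outside organisation")
    for part in msg.iter_attachments():
        if attachment_is_disguised_html(part):
            findings.append(f"attachment {part.get_filename()!r} is HTML disguised as PDF")
    return findings

def build_sample(lure=True):
    """Constructed messages: lure=True mimics the campaign (CEO display name on a
    lookalike domain, HTML redirector named invoice.pdf); lure=False is a clean message."""
    msg = EmailMessage()
    msg["From"] = "CEO <ceo@example-energy-mail.com>" if lure else "CEO <ceo@example-energy.com>"
    msg["To"] = "staff@example-energy.com"
    msg["Subject"] = "Important message"
    msg.set_content("Please review the attached invoice.")
    body = (b"<html><meta http-equiv='refresh' content='0;url=https://example.invalid/login'></html>"
            if lure else b"%PDF-1.7\n% constructed placeholder PDF bytes\n")
    msg.add_attachment(body, maintype="application", subtype="pdf", filename="invoice.pdf")
    return msg

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print("FLAG:", finding)
```

The content check deliberately ignores the declared MIME type and filename and trusts only the magic bytes, which is what the WeTransfer-delivered lure relied on defenders not doing.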
Phishing Campaigns Are Getting Better at Disguising Their Fraudulent Activity
Threat actors behind phishing campaigns are refining their operating methods and getting better at disguising their fraudulent activity. Email gateways are undoubtedly useful, but they aren’t effective enough to keep malicious emails from landing in victims’ inboxes.
Additional protection tools like firewalls, VPNs and spam filtering might lessen the chances of being phished. But at the end of the day, the best security approach is to enhance employees’ phishing awareness so they can identify these scams and refrain from clicking on dubious links.
About the Author
David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com website, which presents expert opinions on information security matters, social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.