Advanced phishing

Seven new (and convincing!) phishing scams to watch out for

by Egress
Published on 11th Oct 2021

Cybersecurity would be so much simpler if criminal groups would stick to the same old tried and tested methods. Sadly, that’s never going to happen – they’re persistent and creative. Instead, cybersecurity teams need to keep up to date with the latest tricks in the criminal playbook.

There’s no standing still when it comes to cybercrime. Just as the neatest garden will eventually be overrun with weeds without a vigilant gardener watching over it, better cybersecurity defences are constantly needed when new phishing attacks pop up. And so the arms race goes on…

It’s important that non-experts stay well-acquainted with phishing tactics too – after all, they’re the ones the scammers are trying to catch out. So, here are seven emerging phishing trends we’re seeing that everyone needs to be aware of.

1. Un-happy birthday! e-Card scams

Surely scamming people on their birthdays is just mean… would cybercriminals sink that low? Of course they would! This new trend of exploiting flattery to trick people into clicking on malicious links has definitely caught our eye.

Attackers are using social media or other online sources to find out when people’s birthdays are, then sending them a link to “View your birthday e-card.”

Unfortunately, the link doesn’t bring up birthday wishes and Amazon vouchers – it’s a weaponized phishing link.

Email with a link to download Flash Player or view your greeting card

Image source: Beacon Bulletin

It’s a clever tactic. This scam catches people with their guard down, and entices them into clicking a (seemingly) low-risk link. If you’re ever in doubt about an e-card – especially one from an unknown source – then we’d highly recommend you don’t click to open it online.

2. Deepfake it ‘til you make it

The next generation of phishing attacks is around the corner. Deepfake technology has been here for a while, but we expect it to become a bigger phishing problem in the coming years. In a nutshell, a deepfake is a piece of video or audio content that has been manipulated with AI. As you can imagine, the possibilities for online mischief are near endless.

Impersonation attacks via email can already be pretty convincing. Cybercriminals trawl social media to make these emails highly believable, picking up on sign-offs, signatures, chains of command, communication style, and even quirks of phrase. Adding a deepfake of a voice message or even a video call would take impersonation attempts to the next level of convincing.

Consider a high-profile case from 2019. AI was used to mimic the voice of a German conglomerate’s CEO and trick an employee at another business into transferring funds to the wrong bank account. Cybercriminals managed to steal almost $250,000 from a UK-based energy company with the scam. The victim said it sounded just like the CEO, even down to his slight German accent.

Deepfakes sound complicated, but they’re surprisingly easy for non-experts to make. The tech is legal to purchase, readily available, and will only get better. It’s likely the only way to stop deepfakes will be to fight fire with fire – AI recognition.

3. Morse code. Yep… morse code!

When we said hackers get creative, we meant it. They don’t just look for cutting-edge technology, but anything that can give them the edge over defences. And sometimes that means turning to older techniques. In this case, Morse code, which is something you might associate more with a World War I movie.

Since July 2020, Microsoft 365 users have been targeted with fake Excel documents that include JavaScript files used to steal passwords. Once opened, a dialogue box appears asking for login details – which are promptly harvested and stored by the hackers. According to Microsoft research, they changed their obfuscation and encryption mechanisms every 37 days during this scam.

However this one tactic in particular caught the eye of the cybersecurity community – during February and May of this year, the links to the JavaScript files were encoded using ASCII, then into Morse code to keep them hidden from detection software.

Morse code uses combinations of dashes and pulses to encode the 26 letters of the alphabet. The famous example for SOS being: ‘. . . - - - . . .’. Hackers took the base elements of Morse code and made it more complex to include numbers too, helping the malicious script to slip past traditional secure email gateways. Here’s an example of what it looks like:

Function that accepts morse code and returns alphabetical letters

Image source: Bleeping Computer 

4. Don’t annoy the ‘boss’. Missed message phishing

This sneaky tactic relies on first compromising the email account of someone within the business – preferably a senior executive. Attackers will often use a targeted spear phishing attack to get hold of an individual’s login credentials. From there, they can take over the email account. The key danger with account takeover is that the attacker now controls a legitimate mailbox within your business, so any further malicious emails won’t be picked up by traditional technology.

Once an executive account is compromised, the attacker sends a junior colleague over a piece of complete ‘work’, such as a report. Of course, it’s actually malware. With almost everyone on LinkedIn these days, it’s not rocket science for hackers to work out the chains of command within a business. It’s even better for the attacker if the targeted employee is a recent joiner.

The clever part is they’ll mention that this piece of fake work was ‘missed’ in a previous, fictional email. This pressures the victim into reacting quickly, as they think they’ve annoyed their boss by missing something. Urgency is key in phishing, as the longer we think about the email and its request, the more likely our cybersecurity training will kick in and we will spot the signs of something not being quite right.

Remember to take a second to think when opening attachments (even if your boss does sound grumpy).

5. Hiding in plain sight (or site)

Criminals are now exploiting vulnerabilities to create malicious (but real!) pages on well-known brand sites. Because the link is genuinely going to a page on the brand’s site, it’s impossible to tell whether the link is malicious. This is exactly what happened with the recent UPS case.

A phishing campaign exploited a vulnerability on that looked extremely realistic. All the links in the phishing emails were legitimate, except for the tracking number. When victims clicked it, they were taken to the actual UPS website. From there, a malicious JavaScript injection made the page display a message letting users know a file was going to be downloaded. It was (of course) malware.

Image source: Bleeping Computer

What makes this phishing method particularly concerning, is the fact that attackers can run an automated scan of hundreds of thousands websites at once to detect these vulnerabilities. This gives them a ready-made list of websites that can be easily compromised.

The attackers will either go after these sites themselves, or make the most of the ‘Crime-as-a-Service’ marketplace and sell their intelligence to other criminal groups.

6. Supercharged spoofing

Spoofing is nothing new – it’s where a scammer creates a fake display name, email address, or website to trick someone. They can look believable at first glance, but are often intercepted by email authentication tools. Now attackers are upping their game to get around traditional defences.

We’ve seen impersonations of well-known and trusted brands such as YouTube, DropBox, LinkedIn and Zoom. Even more sinister are the impersonation attempts of people you actually know. You might be surprised how well a good hacker can mimic the communication style and mannerisms of a CEO after studying their social media posts and blogs or videos available on corporate websites. 

Netflix email asking you to update your payment details

Image source: Federal Trade Commission Consumer Information

We’re seeing new attempts to develop spoofed emails that escape the clutches of authentication tools. They do leave certain traces of the technology used to create them – but this is near impossible to spot with the human eye. Only intelligent tech powered by AI can pick up on the tell-tale signs.

Don’t believe us? Have a crack at our spot the phish game and see how many you can catch. 

7. Safe with MFA? Don’t be so sure…

There’s a good reason so many businesses have adopted multi-factor authentication (MFA). Asking for two or more forms of authentication makes it much harder for hackers to compromise accounts. Even if they manage to steal a password, it’s useless without a second piece of information like an SMS texted to a phone, an RSA token, or even a biometric identifier such as a fingerprint.

However, cybercriminals don’t tend to sit on their hands and accept defeat.

We’re seeing attackers find new ways to get around MFA. When a victim enters their credentials into a phisher’s false web page, the attacker will log into their email account in real time. If they see MFA is enabled, they’ll send the victim a request for their MFA credentials too, enabling them to bypass the protection it offers.

Some phishing emails contain a fake invite to view or edit a file. Once you’ve clicked the malicious link, a pop-up will offer a prompt along the lines of “Yes, give me access.” What you’ve actually done is grant the hackers permanent access to your account – even if you change your password or have MFA enabled.

Dropbox email with link to view a file shared with you

Image source: Spam Stops Here

MFA is a valuable tool… but it’s not foolproof.

Found this article helpful? Check out our dedicated phishing hub for more.