Microsoft’s recent announcement that the new version of Microsoft Windows, Microsoft Windows 11, will be released soon is capturing headlines around the world. Microsoft will allow Windows 11 to be downloaded and installed to qualified user computers.
It is a great news event to remind security awareness advocates of the high likelihood of phishers to use the newsworthy event, and especially the download image capabilities, to phish people into installing malware. Certainly, Microsoft’s download process will not be a direct, “here is a URL link in an email” process. Microsoft’s processes and licensing verification processes will ensure that the actual downloading offering service is sophisticated and safe.
The same cannot be said of phishers. They will no doubt send out tens of millions of emails claiming to be from Microsoft, service providers and IT departments, claiming that the targeted receiver MUST immediately download and install Windows 11 using the provided URL link under some threat of penalty or disruption. You know it is going to happen. You know that some small percentage of users will fall for it. Hackers would not do it if a small percentage of people were not prone to these sorts of phishing attacks.
It is a great time to remind users about how newsworthy events, like the release of Windows 11, will be used by scammers and phishers. It is a great time to create simulated phishing campaigns based around Microsoft’s announcement and other newsworthy events (e.g., COVID, earthquake, celebrity deaths, global news, etc.) and see who could be susceptible to a real phishing attack using the same tactics.
It is also important to remind users to be very suspicious of any unexpected links to software install disc images. This applies to image file format extensions including ISO, IMG, BIN, MDF, VM, VMDK, VMX, and VHD. Most the phishing attacks will claim to link to disc image files, but really point to executables (e.g., EXE, ELF, DLL, etc.), archive file types (e.g., ZIP, ARC, etc.), scripts (e.g., PS, CMD, BAT, etc.) and commonly used document types (e.g., DOC, DOCX, PDF, etc.). But many of the links will point to real, but maliciously used, disc image file formats. This is because many computer defenses do not block them by default and many people do not understand what those image files are and can do. Many antivirus programs do not scan them before they launch.
It is a big risk for the scammer. Disc image file types are less likely to be downloaded by most users (that is a big negative), but if attempted by the user, the included maliciousness is possibly more likely to evade mitigations and be able to execute upon end users.
All defenders should, for sure, block all of the known disc image formats, from being able to be sent to users in email and from being freely downloadable by users, or at least try to automatically warn the users of the potential risks. Regardless of automated mitigation deployment, all users should be educated about the risks associated with unrequested disc images files. Sysadmins should routinely scan the network and managed user machines for disc image files and investigate suspicious looking or placed findings. It is also a good time to make sure your antivirus or endpoint detection and response software protects your environment from disk image threats.
Phishing using disc images have never been super popular, but expect an uptick in their use during Microsoft’s Windows 11 rollout. It is never bad to be prepared.