How Phishing is Evolving

Security concept Lock on digital screen, illustration-1Attackers are always using new tactics to stay ahead of defenders, and Microsoft’s Office 365 Threat Research Team describes three noteworthy phishing techniques they’ve observed in 2019. The first was the use of hijacked search results to redirect users to malicious sites. Attackers used a traffic generator to artificially push a baited website to the top of Google search results for specific keywords. When a user clicked on the harmless bait website, they would be redirected to a phishing site or a malware download. This allowed the attackers to send phishing emails with benign links in order to bypass email security filters.

The second technique involved using custom 404 pages as phishing sites. Phishing campaigns are much more efficient when attackers have an easy way to move their phishing page to a different URL, because security technologies are constantly flagging and taking down malicious URLs. By using a URL for a non-existent page on the phishing domain, attackers could use an unlimited number of URLs in their phishing campaigns. When a user clicked on one of these URLs, they would automatically be redirected to the domain’s 404 Not Found page. These pages can be customized just like a normal webpage, so the attackers made them appear to be sign-in pages in order to steal credentials.

A third phishing technique abused Microsoft’s secure rendering site to automatically generate a duplicate of the targeted company’s Microsoft login page. The researchers explain that this allowed the attackers to create targeted phishing sites for each recipient with minimal effort. “Phishers sent out emails with URLs pointing to an attacker-controlled server, which served as the man-in-the-middle component and simulated Microsoft sign-in pages,” the researchers write. “The server identified certain specific information based on the recipient’s email address, including the target company, and then gathered the information specific to that company. The result was the exact same
experience as the legitimate sign-page, which could significantly reduce suspicion. Using the same URL, the phishing site was rendered differently for different targeted users”

Attackers will continue finding ways to increase the efficiency of their scams. Security technologies for the most part react to new attack techniques, and attackers know this. New-school security awareness training can enable your employees to anticipate and recognize unfamiliar attacks.

Microsoft has the story:

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews