Cybercriminals are replacing common words in phishing scams with synonyms in order to bypass security filters, according to researchers at Avanan. For example, one phishing lure contained a malicious file titled “Remittance Advice” instead of “invoice,” since many phishing emails contain the word “invoice,” and “invoice” is widely recognized as a word that flags a message as suspicious. Avanan says this technique was effective in fooling technical defenses in this case.
“Because of the rise of invoice related phishing emails, many security vendors have resorted to treating emails with the word ‘invoice’ in the subject/body/attachment(s) with higher scrutiny and this has led to attackers beginning to use synonyms to get their targets to load email attachments,” Avanan says. “This email, missed by ATP, uses ‘advice’ instead of invoice to get through to the inbox.”
The full email stated, “Hello Accounts, Please find attached your remittance advice for payment. If you have any questions, please let us know.” It’s not very fluent, and the idiomatic control is poor, but at least it doesn’t contain a term likely to be screened out.
The researchers note that the file in this email was actually a hyperlinked image designed to look like a PDF attachment. If the recipient tried to open the attachment, they would be sent to a phishing site.
“The attacker used obfuscation attempts by sending a PNG file above the body of the email that had a malicious website as the hyperlink,” Avanan writes. “This was particularly clever because the PNG image resembled an Outlook PDF attachment. Naturally, the victim will recognize that because they have seen thousands of PDF attachments sent to them via Outlook before and therefore they will not hesitate to click on the image as an attempt to download the attachment only to be redirected to a malicious website for a credential harvesting attack.”
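The two tricks described above (an “invoice” synonym in the wording, and a hyperlinked image dressed up as a PDF attachment) can both be checked for on the receiving side. The following is an added illustration, not Avanan’s or any vendor’s code: it parses a constructed message modelled on the lure, flags lure terms, and flags any image that is wrapped in a link to a host outside an assumed trusted domain (`example.com`) while posing as a PDF.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse
# Lure wording from this campaign plus two synonyms commonly swapped for "invoice".
LURE_TERMS = ("invoice", "remittance advice", "payment advice")
class LinkedImageFinder(HTMLParser):
    """Collect <img> tags that sit inside an <a href=...> element."""
    def __init__(self):
        super().__init__()
        self.current_href = None
        self.linked_images = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.current_href = a.get("href")
        elif tag == "img" and self.current_href:
            self.linked_images.append((a.get("src") or "", a.get("alt") or "", self.current_href))
    def handle_endtag(self, tag):
        if tag == "a":
            self.current_href = None
def analyze(raw_email, trusted_domains=("example.com",)):
    """Return findings: lure terms, and images that pose as attachments but link offsite."""
    msg = message_from_string(raw_email, policy=default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = ((msg["subject"] or "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    findings = [f"lure term: {t}" for t in LURE_TERMS if t in text]
    finder = LinkedImageFinder()
    finder.feed(html)
    for src, alt, href in finder.linked_images:
        host = (urlparse(href).hostname or "").lower()
        offsite = not any(host == d or host.endswith("." + d) for d in trusted_domains)
        if offsite and "pdf" in (src + alt).lower():   # image dressed up as a PDF attachment
            findings.append(f"fake attachment: image {alt or src!r} links to {host}")
    return findings
# Constructed sample modelled on the lure described in the article (not the real message).
SAMPLE = """Subject: Remittance Advice
From: accounts@sender.invalid
To: ap@example.com
Content-Type: text/html

<p>Hello Accounts,</p>
<a href="http://phish-site.invalid/login"><img src="cid:img1" alt="Remittance Advice.pdf"></a>
<p>Please find attached your remittance advice for payment. If you have any questions, please let us know.</p>
"""
if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

A real gateway would also compare the link target against the image’s content ID and check whether any genuine attachment part exists at all, since the lure here carried none.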
Criminals are constantly evolving their tactics to stay ahead of security technology. New-school security awareness training can give your organization an essential layer of defense by teaching your employees how to identify red flags associated with social engineering.
Avanan has the story.