Attackers have proven their ability to adapt to improved security measures, and organizations should never assume they’re safe from phishing emails, says Paul Gillin at SiliconANGLE.
Technical defenses are almost always one step behind new attack methods, so the malicious email as an attack vector isn’t going away anytime soon. Gillin points to a study by Avanan which describes some of the tricks attackers are using to bypass email filters.
One of these tricks is a technique called “URL obfuscation,” in which attackers use HTML font and style attributes to hide characters inside the text of a link. By setting the font size of those characters to zero, they make them invisible to the human reader, while the browser (and any filter that inspects the raw HTML) still processes them. The result is that the link an employee sees can look like a legitimate URL even though the text the filter reads, and the address the browser opens when the link is clicked, are different.
While this sounds relatively simple, Avanan security researcher Yoav Nathaniel points out that “HTML can go to several levels of obfuscation and each obfuscation is different.” As a result, URL obfuscation can be very difficult for spam filters to detect. Once a phishing email gets through your filter, the only obstacle standing in its way is the employee it was sent to.
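To make the trick concrete, here is an added example (not code from the original article or from Avanan) that parses an HTML email body with Python's standard library, separates the characters a reader would see from the ones hidden by a zero font size, and flags links whose visible text does not match the host in their `href`. The sample message, the hostnames in it, and the `analyze()` helper are all constructed for this illustration. Going slightly beyond the text, the style check also treats `display:none` and `visibility:hidden` as hiding, since those are the same class of HTML trick.

```python
"""Flag zero-font-size (and similar) URL obfuscation in HTML email bodies.

Added example; not from the original page or from Avanan. It compares the text
of each <a> element as a human would see it against the href the browser would
follow, and also reports any characters hidden inside the link text.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that hide text from the reader but not from a parser.
# font-size:0 is the trick discussed in the article; display:none and
# visibility:hidden are assumed variants of the same idea.
HIDDEN_STYLE = re.compile(
    r"(?:font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?"
    r"|display\s*:\s*none"
    r"|visibility\s*:\s*hidden)\s*(?:;|!|$)",
    re.I,
)

# Loose "looks like a URL or hostname" check for the visible link text.
URL_LIKE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


class AnchorExtractor(HTMLParser):
    """Collects every <a>, splitting its text into visible and hidden parts."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._cur = None          # anchor currently being read, if any
        self._stack = []          # (tag, hides_text) for tags opened inside <a>
        self._hidden_depth = 0    # >0 while inside a hiding element

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._cur = {"href": attrs.get("href", ""), "visible": "", "hidden": "", "raw": ""}
            self._stack, self._hidden_depth = [], 0
        elif self._cur is not None:
            hides = bool(HIDDEN_STYLE.search(attrs.get("style", "")))
            self._stack.append((tag, hides))
            self._hidden_depth += hides

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.anchors.append(self._cur)
            self._cur = None
        elif self._cur is not None and any(t == tag for t, _ in self._stack):
            # Pop back to the matching open tag; tolerates unclosed tags like <br>.
            while self._stack:
                t, hides = self._stack.pop()
                self._hidden_depth -= hides
                if t == tag:
                    break

    def handle_data(self, data):
        if self._cur is None:
            return
        self._cur["raw"] += data
        key = "hidden" if self._hidden_depth else "visible"
        self._cur[key] += data


def host_of(url):
    """Hostname of a URL; bare hostnames are treated as http:// URLs."""
    url = url.strip()
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def analyze(html):
    """Return a list of suspicious anchors with the reasons they were flagged."""
    parser = AnchorExtractor()
    parser.feed(html)
    parser.close()
    findings = []
    for a in parser.anchors:
        visible = "".join(a["visible"].split())   # drop whitespace a reader ignores
        reasons = []
        if a["hidden"].strip():
            reasons.append("hidden characters in link text: %r" % a["hidden"])
        if URL_LIKE.fullmatch(visible) and host_of(visible) != host_of(a["href"]):
            reasons.append("visible %r points at host %r" % (visible, host_of(a["href"])))
        if reasons:
            findings.append({"href": a["href"], "visible": visible,
                             "hidden": a["hidden"], "raw": a["raw"], "reasons": reasons})
    return findings


# Constructed sample message: the reader sees "https://www.paypal.com/login",
# a filter reading the raw text sees "payzzpal", and the click goes elsewhere.
SAMPLE = """<html><body>
<p>Your account needs verification. Please sign in at
<a href="http://login-secure-example.test/verify">https://www.pay<span style="font-size:0">zz</span>pal.com/login</a>
</p>
<p>Questions? See <a href="https://example.com/help">https://example.com/help</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f["href"], "<-", f["visible"])
        for r in f["reasons"]:
            print("  ", r)
```

Run as a script it prints one flagged link (the first anchor) with both reasons; the second anchor's visible text and `href` agree, so it is not reported. The check is deliberately narrow: it only catches inline `style` attributes, so a real filter would also have to resolve CSS classes and `<style>` blocks, which is exactly the "several levels of obfuscation" Nathaniel describes.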
“It moves the weakness in your infrastructure from the smart guys in the IT engine room to Flo in accounting,” said Michael Hiskey, Avanan’s chief marketing officer. “It’s much easier to get Flo to click on a link.”
Your employees are the last line of defense against cyberattacks. New-school security awareness training can build a culture of security within your organization, so that employees at every level can avoid falling for new threats.
SiliconANGLE has the story: https://siliconangle.com/2019/04/19/reeling-us-phishing-email-scams-keep-getting-smarter/