Our friends at Barracuda run their Email Threat Scanner over hundreds of thousands of customer mailboxes and discovered a highly effective phishing attack that tricks a whopping 90% of the victims. You need to tell your users about this right away.This evil airline phishing attack combines all "criminal best-practices" to steal credentials and drop malware on disk which is used to then further hack into your network.
The campaign targets companies that deal with frequent shipping of goods or employee travel, for instance logistics, shipping, or manufacturing, but almost any organization has people that frequently visit customers or business partners.
The phishing attack targets these employees, and the attackers do quite a bit of research before sending the phishing emails. The messages are constructed with subject lines and bodies that include destinations, airlines, and other details that are specific to each victim, helping them appear more authentic. Here is an example subject line:
Fwd: United Airlines: Confirmation – Flight to Tokyo – $3,543.30
“After getting the employee to open the email, the second tool employed by the attacker is an advanced persistent threat embedded in an email attachment. The attachment, usually a flight confirmation or receipt, is typically formatted as a PDF or DOCX document. In this attack, the malware will be executed upon the opening of the document,” Asaf Cidon, vice president of content security services at Barracuda, said in a post explaining the attacks."
To start with, send this to all employees, no matter if they travel or not. Feel free to copy/paste/edit:
There is a new spin on an existing phishing scam you need to be aware of. Bad guys are doing research on you personally using social media and find out where and when you (might) travel for business. Next, they craft an email especially for you with an airline reservation or receipt that looks just like the real thing, sent with a spoofed "From" email address that also looks legit.
Sometimes, they even have links in this email that go to a website that looks identical to the real airline, but is fake. They try to do two things: 1) try to steal your company username and password, and 2) try to trick you into opening the attachment which could be a PDF or DOCX. If you click on the link or open the attachment, your workstation will possibly get infected with malware that allows the bad guys to hack into our network.
Remember, if you want to check any airline reservations or flight status, open your browser and type the website name in the address bar or use a bookmark that you yourself set earlier. Do not click on links in emails to go to websites. And as always.... Think before You Click!
What To Do About It
Barracuda recommends the following. (Here at KnowBe4 we call it defense-in-depth but it is the same concept):
"Companies should use a multi-layered security approach to block this type of attack.
- The first layer is sandboxing. Effective sandboxing and advanced persistent threat prevention should be able to block malware before it ever reaches the corporate mail server.
- The second layer is anti-phishing protection. Advanced phishing engines with Link Protection look for links to websites that contain malicious code. Links to these compromised websites are blocked, even if those links are buried within the contents of a document.
- The third layer is employee training and awareness. Regular training and testing of your employees will increase their awareness and help them catch targeted attacks without compromising your internal network."
We could not agree more.
If you want to spend less time putting out fires, get more time to be proactive, and get the things done you know need to be done, step your employees through effective security awareness training. It will help you prevent compromises like this or at least make it much harder for the bad guys to social engineer your users. More than 9,000 of your peers are using KnowBe4. Find out how affordable this is for your organization. Get a quote now:
Don't like to click on redirected buttons? Copy & Paste this link in your browser: