Threat Spotlight: Caught in the Wild—Millions of Phishing Attempts each Month try to Hook your Users

When Barracuda first opened shop as an email security company nearly 15 years ago, spam was causing major problems in corporate inboxes. While spam bogged down users, the messages themselves weren’t typically malicious—a lot has changed since then. Today, criminals are using all types of tactics to launch attacks through email, including some clever phishing campaigns where the most effective line of defense is the human firewall.

The human what? You know, in a world where organizations have vendors jumping in front of each other to deploy their “best-of-breed” security solutions at HQ and everywhere else—the only thing between your company and a ransomware attack, could be whether or not your users click, or don’t click on a malicious link.

Let’s take a closer look at the types of phishing emails your users are up against each day, and what they can do to stay safe from creative cybercriminals.

Highlighted Threat: 

Every day cybercriminals come up with a wide-variety of phishing tactics with the intent of scamming innocent users. In the month of May alone, Barracuda blocked over 1.5 million phishing emails and saw over 10,000 unique phishing attempts (the same email content, potentially sent to hundreds or even thousands of people). So far in June, we’ve already blocked 1.7 million phishing emails with over 2,000 unique attempts. Below, we’ve highlighted some of the real attempts sent by criminals—let’s take a look.

The Details:  

Money scam

In this first example, the criminals are attempting to entice the recipient with a money scam, which is pretty much what it sounds like. The intent here is to scam users out of money, but in similar attempts we’ve also seen criminals attempt to acquire information or infect a computer with malware.

Money scams like this are fairly common, and they often promise a large sum of money to the user like this one. When the recipient replies, the criminals usually request a smaller sum from the user, and in return promise to send a larger sum back—which of course never happens.

Information scam

The next example highlights an attempted information phishing scam where criminals are hoping to gather information from the user. Criminals are always trying to gather information from users, and in this case a spoofed bank message is used to convince the user to act on their request.

The criminals did a decent job of making this message appear like it could actually be coming from a bank. However, if the user clicks on the link, they could be prompted to enter their credentials in a different window—ultimately surrendering their username and password.

Malware distribution

Another common problem users face from phishing is the distribution of malware. The goal of these messages is to trick a user into either opening an attachment (like the example below) or clicking on a URL.

As you can see with this example, the criminals are trying to convince the user to open an attachment by acting as if the document is pertaining to an urgent matter. In order for the malware to work, criminals have to get the user to install the software on their computer. Malware can be distributed in many forms including viruses, worms, bots, ransomware, password stealers, and more.

Multiple file extensions

As mentioned above, phishing attempts often require a user to open an attachment in order to install malware. However, there are a lot of different ways criminals attempt to convince users to do this. One way is that they will include attachments with multiple file extensions in an attempt to trick users into thinking that the file type is different than it actually is.  

Here the criminals are using a “PDF.zip” file extension, which should raise a red flag to the user because they are two different file types; however, this could easily be looked past since they are also file types that most people would find familiar.

Disguised links

Not all threats come in the form of email attachments, which is why links should also be handled with just as much scrutiny. This example shows exactly why.  

The link itself doesn’t look suspicious; however, the link actually points to an entirely different URL. Not only can links like this be used to spread malware, but they can also direct users to sites set up by criminals in order to capture credentials or other personal information. When unsure—it’s best to not click on a link. You can also hover the cursor over the link without clicking, to identify the actual location of a link.

Spear Phishing   

While phishing refers to mass targeting, spear phishing messages are specifically crafted to target a single, specific individual in order to create a sense of trust with that person. Spear phishing attempts regularly use impersonation techniques to convince recipients that the message is coming from a real source. Effective spear phishing takes a great deal of reconnaissance about the target in order to increase the probability of a user actually falling for an attack. Here’s an example where the criminals actually took the time to register a deceptive domain that contains the name of an actual entity in order to appear legitimate.

They obviously want the message to appear like it’s coming from Netflix; however, if you look closely at the URL—you’ll notice that “Netfliix” is actually misspelled. This technique is called typosquatting, which is often used to sell the ruse when the attacker wants the user to click a link.

All of these examples are just a small sample size of the many variations of phishing scams criminals are sending out each day, but these examples certainly make the case for why today’s users need to be properly trained in order to stay safe online.

 Take Action: 

The best defense against phishing and spear phishing is to help make users aware of the threats and techniques used by criminals. I’ve included a few tips below based on the examples above; however, the best approach would be for organizations to implement a simulation and training program to improve security awareness for their users. Barracuda PhishLine helps humans recognize the subtle clues to identify phishing attempts, and uses a two-pronged approach to meet this end. First, computer-based training gives users a baseline understanding of the latest techniques attackers are using. Second, PhishLine embeds learning into business processes by launching customized simulations that test and reinforce good user behavior. A large library of curated content means faster time to value, while rich reporting and analytics provide visibility.

Here are a few quick tips to help avoid phishing scams like the ones highlighted above:

• Don’t click on attachments or URLs from unknown sources. Sometimes even sources that you think are safe—could have been impersonated by criminals. If there’s ever a question of legitimacy, you can always go to the site directly in your browser.
• Attachments and emails with attachments should always be treated with care because with much of the malware being distributed today—simply opening a single file can result in infecting your computer almost instantly. Attachments may give off some indicators
• Many information scams claim that an email login is required to access some resource or document. A good practice is to never enter login credentials on a page that was reached via an email link, regardless of whether or not the email was legitimate. Instead, go to the site directly in your browser to log in.
• Money scams are notorious for displaying poor grammar, and in many cases the language used could appear to be coming from someone who may be writing English as a secondary language. Just remember, if something sounds too good to be true—it probably is.

Barracuda Dokumentation: 

Real-Time Spear Phishing and Cyber Fraud Defense — Barracuda Sentinel is the only solution in the market that can automatically prevent email account takeover. It utilizes AI to learn an organization’s communications history and prevent future spear phishing attacks. It combines three powerful layers: an artificial intelligence engine that stops spear phishing attacks in real time, including emails that originate from within the company; domain fraud visibility using DMARC authentication to guard against domain spoofing and brand hijacking; and fraud simulation training for high-risk individuals.

User Training and Awareness — Employees should be regularly trained and tested to increase their security awareness of various targeted attacks. Simulated attack training is by far the most effective form of training. A solution like Barracuda PhishLine provides comprehensive, SCORM-compliant user training and testing as well as phishing simulation for emails, voicemail, and SMS along with other helpful tools to train users to identify cyberattacks.

 More Threat Spotlights: 

• Threat Spotlight: Cybercriminals Working Hard to Take Over Email Accounts
• Barracuda Threat Spotlight: New URL File Outbreak Could be a Ransomware Attempt
• Threat Spotlight: Attached Password Stealer
• Threat Spotlight: Cybercriminals are Impersonating Google Docs, Outlook and DocuSign to Steal Your Credentials

Read all Barracuda Threat Spotlight articles here.