2021 review of phishing scams

Phishing attacks are among the biggest security threats that organisations face. Verizon’s 2021 Data Breach Investigations Report found that 43% of all breaches involve phishing, while the total number of attacks is growing exponentially.

Over the past year, we’ve been tracking the more notable scams that target the general public, which we’ve summarised in this blog.

Vaccine scams

COVID-19 has been the source of countless phishing attacks over the past two years, whether it’s been through the spread of health information, government guidelines or, most recently, vaccine rollouts.

Researchers at Check Point and KnowBe4 both spotted phishing campaigns exploiting the public’s uncertainty or eagerness to receive a vaccine.

Check Point’s threat intelligence teams found multiple scams that incorporate the topic in emails.

Many of them contained malicious attachments that install malware and, in some cases, keyloggers, which can be used to steal the victim’s data, including usernames and passwords.

Oded Vanunu, the head of products vulnerabilities research at Check Point, noted that people can protect themselves by looking for the usual signs of phishing.

This includes:

  • Checking the sender’s email address to see if the domain is legitimate;
  • Seeing whether the destination address of attached links matches the context of the message; and
  • Looking for language designed to make you panic or act immediately.

Although vaccine rollouts are now in full swing in much of the world, we wouldn’t be surprised if attackers continue to use a variation of this attack in regard to boosters.

Office 365 scam tricks senior employees with reCAPTCHA

Microsoft Office 365 is one of the most frequently used applications worldwide, so it’s no surprise that attackers often use it to launch scams.

In one notable attack in March last year, attackers sent a series of automated messages from the victim’s unified communications tool, saying that the victim had received a voicemail.

One such message says that “(503) ***-6719 has left you a message 35 second(s) long on Jan 20” along with an attachment titled “vmail-219.HTM”, while another tells the recipient to “review secure document”.

Source: Zscaler

When the victim opened the attachment, they were asked to pass the fake reCAPTCHA before being redirected to a mock-up of an Office 365 login page.

The page used Microsoft logos as well as branding from the organisation that the victim works at, suggesting that these were highly targeted attacks.

Those who entered their credentials were told that the validation was successful – although they had in fact given their details to the scammers controlling the page.

To cover their tracks, the attackers included a genuine voicemail message that victims could listen to once they had handed over their details. As such, many people would be unaware that anything suspicious had occurred, and wouldn’t think to report it as a phishing email.

Gamers warned about fake PlayStation 5 giveaway

In April, scammers jumped on the public’s increasing frustration at not being able to purchase a PlayStation 5 by creating a fake promotion designed to steal people’s personal data.

Researchers at Kaspersky spotted the bogus email, which offered recipients the chance to win a console if they supply their personal and financial details.

The scam was particularly dangerous because it has been almost impossible to purchase a PlayStation 5 since the console’s release, due to supply shortages and delays caused by COVID-19.

The message contains a large graphic that could easily be mistaken for a genuine campaign. It’s free of obvious spelling mistakes, comes complete with small print and has almost no risks; to enter, you only need to provide your email address.

Source: Kaspersky

However, if you look closely, there are clear signs that this is a phishing email.

There are typos (“Be the first to play [the] PS5” and an improperly styled “Playstation”), the small print lists the closing date as 31 December 2020, and the company supposedly running the promotion, India Pharma, seems an unlikely candidate to be offering such a deal.

Although there haven’t been any sightings of this scam recently, the PlayStation 5 is still unavailable to many, so it wouldn’t be a surprise if attackers return to this pretext in a future scam.

Scammers target holidaymakers as lockdowns ease

Remember spring, when vaccine rollouts were in full swing, social distancing measures were practically non-existent and we began to think that the “new normal” might soon make way for the “normal normal”?

But as is often the case, where anticipation and excitement can be found, so too can cyber crime. A Webroot report from April revealed that there had been a sharp increase in malicious web domains related to the word ‘travel’ in 2021. 

Analysis from its real-time anti-phishing protection system found that cyber criminals increasingly targeted people who were searching for holidays and weekend breaks. 

It’s a trend that was seen throughout the year, with people eager to find cheap deals as the demand for flights and accommodation pushed up prices. 

Meanwhile, April also saw one of the biggest breaches of the year, after 553 million Facebook users’ phone numbers and other personal details were leaked onto the web. However, although the sheer number of records affected is frightening, the severity of the breach was relatively low.

That’s because neither financial records nor login credentials (which could be used for financial gain) were compromised. 

Phishing scam uses COVID-19 as lure to target DocuSign and SharePoint users

And so began a fresh wave of COVID-19-inspired phishing attacks. In July, researchers at Bitdefender revealed an ongoing scam that used COVID-19 messaging in an attempt to trick DocuSign and SharePoint users.

One of the scams purportedly asked the recipient to review a COVID-19 relief fund that had been approved by the board of directors.

The objective of the scam was to get victims to follow a link, which directed them to a mock-up of a login screen. If the recipient provided this information, the attacker would be able to compromise the account and access sensitive data or send malicious emails.

Although the attack originated in the US, a significant proportion of the emails targeted European organisations.

Ireland was the most frequently targeted, receiving 26% of the emails identified by Bitdefender. Meanwhile, Sweden received 12%, Denmark received 5% and Finland and the UK also saw instances of the scam.

Scammers impersonate U.S. Department of Transportation in phishing attack

In one of the bolder attacks of the year, cyber criminals were found to be luring people into handing over their personal details under the pretence of bidding for U.S. Department of Transportation contracts.

The phishing campaign, which targeted organisations in the engineering, energy and architecture sectors, told recipients that the government had invited them to submit a bid for a department project.

A link at the bottom of the message instructed them to “Click Here to Bid”, where they were asked to provide their Microsoft 365 login details.

This attack didn’t use any novel techniques, but it was carefully planned – and more importantly, it was well timed.

On 10 August, the US Senate passed a $1 trillion infrastructure bill, half of which will be dedicated to transportation, broadband and utilities. Less than a week later, the attackers created the domain transportationgov.net, and sent their first batch of messages.

The domain embeds ‘gov’ in its second-level label rather than using the ‘.gov’ top-level domain, so a message sent from it can easily be mistaken for a genuine one from a ‘.gov’ email address.

Meanwhile, the message is well constructed and there are no clear typos, which would otherwise be signs of a scam.

Source: INKY

The combination of opportunity, with the message coinciding with news that the Department of Transportation will be leading projects, and an authentic-looking email makes this scam particularly dangerous.

Anyone who follows the link is directed to another site that uses a similarly realistic email domain, where they are asked to click a “Bid” button and sign in with their email provider.
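The two red flags that recur across this review, a sender domain that merely imitates ‘.gov’ and links whose domain does not match the sender (see the Check Point checklist earlier), can be checked mechanically before a user ever clicks. The following Python is an added example written for this post, not code from INKY or any of the vendors cited; the sender local part and the link path are constructed, while the domain transportationgov.net is the one named above.

```python
from typing import List
from urllib.parse import urlparse

# Constructed sample, modelled on the Department of Transportation lure.
# Only the domain comes from the reported campaign; the rest is made up.
SAMPLE_SENDER = "procurement@transportationgov.net"
SAMPLE_LINKS = ["https://transportationgov.net/bid/submit"]


def sender_domain(address: str) -> str:
    """Return the domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower().strip()


def registrable_domain(host: str) -> str:
    """Last two labels of a host, e.g. 'transportationgov.net'.
    Multi-part public suffixes such as co.uk are ignored in this demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like_fake_gov(host: str) -> bool:
    """True when the second-level label contains 'gov' but the TLD is not .gov.
    Heuristic for triage only: a name like 'itgovernance.co.uk' also trips it."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] == "gov":
        return False
    return "gov" in labels[-2]


def check_message(sender: str, links: List[str]) -> List[str]:
    """Return human-readable findings for a sender address and its link targets."""
    findings = []
    sdom = sender_domain(sender)
    if looks_like_fake_gov(sdom):
        findings.append(f"sender domain {sdom} imitates a .gov address")
    for url in links:
        host = (urlparse(url).hostname or "").lower()
        # Links pointing somewhere other than the sender's own domain are a
        # classic mismatch between destination and message context.
        if registrable_domain(host) != registrable_domain(sdom):
            findings.append(f"link host {host} does not match sender domain {sdom}")
        if looks_like_fake_gov(host):
            findings.append(f"link host {host} imitates a .gov address")
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE_SENDER, SAMPLE_LINKS):
        print("WARNING:", finding)
```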

YouTubers’ channels hacked in cookie-stealing scam

In October, Google announced that it had discovered an ongoing phishing campaign designed to hijack high-profile YouTube channels.

The company, which owns YouTube, revealed that more than 4,000 accounts had been compromised, with attackers either selling the login details or using the channel to broadcast cryptocurrency scams.

The attack started with a phishing email that appeared to be from a legitimate service offering to sponsor their content.

These included VPNs, photo editing apps and antivirus software, which are all common, and often lucrative, sponsors for YouTube channels.

It’s therefore understandable that a victim who receives an offer like this might jump at the opportunity.

Those who agreed to the offer were sent an attachment that claimed to be the product in question. However, the file in fact contained malware designed to steal cookies and passwords from the victim’s computer.

Google found more than 1,000 domains that were created to target YouTubers, although it suspects that the scale of the attack was actually much larger.

Its research uncovered 15,000 email accounts associated with the attackers and more than a million messages.

Once the malware is on the victim’s system, it grabs specific cookies, known as “session cookies”, from their browser.

These are files that confirm that a user has successfully logged on to their account. Provided they were captured in time, criminal hackers can upload these cookies to bypass login mechanisms and access the victim’s account.

The attacker would then be able to change the user’s password, locking them out of their own account. From there, the crook could sell the login details on the dark web, with accounts being sold for up to $4,000 (about £2,900).

Spider-Man fans warned about No Way Home online streaming scam

December saw the release of Spider-Man: No Way Home, arguably the most hotly anticipated film of the year.

However, with COVID-19 cases again surging, many people were unable or hesitant to go to the cinema to see it, leading some to search for ways to watch it online.

But with no way to stream the film online legally – despite that becoming the norm during the height of the pandemic – some people resorted to illegal online streams.

Such sites are questionable enough, often exposing users to spam and malware, but most at least let you watch the film you’re looking for. However, researchers at Kaspersky noticed a surge in new sites – some specifically promoting the latest Spider-Man film – whose sole purpose is to steal people’s sensitive data.

Visitors to the scam sites are told that they can either stream or download No Way Home for free, but they must first provide their bank details to “verify” their account.

The site “guarantee[s] that no charges will be applied for validating your account” and that “no charges will appear on your credit card statement unless you upgrade to a Premium membership or make a purchase”.

But this is simply part of the scam. Once the victim has provided their payment card details, the attackers can do what they want with the information. This typically means transferring funds to an account they own or using the stolen details to make fraudulent purchases.

In addition to credit-card harvesting, cyber criminals are enticing viewers with the prospect of downloading the film. However, those who attempt to download the file will instead receive adware or Trojans.

Do you understand the risks of phishing?

As we move into 2022, organisations should consider phishing awareness as one of their most important new year’s resolutions.

All companies are vulnerable, no matter their size or sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.

You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme. This online course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.

Meanwhile, you should be considering the other mechanisms you can use to protect your staff. Effective processes and policies are an essential complement to staff training, while technological solutions can filter out threats before they reach employees’ inboxes.

Additionally, it’s advisable to have a strategy in case an employee does fall victim. The faster you are able to identify and contain the threat, the smaller the disruption will be.

This is where business continuity planning helps. It ensures that you know how to respond in the event of a data breach – whether it’s a phishing attack, ransomware or a technical malfunction – and that everybody understands their responsibilities.

If you’re looking for help implementing any of these, or simply want to know more about the steps you can take to protect your organisation, IT Governance is here to help.

Our website provides tips on the lessons you can learn from 2021 and tools that can bolster your defences, including staff awareness training, documentation toolkits and consultancy packages.
