If you work in the IT trenches, there has likely come a
moment while you were sitting in your office, reviewing the latest news about
current phishing campaigns, when you suddenly looked up and cast your eyes
across the floor, pondering a very basic question: just what are your users doing
with all those malicious emails that you know are washing up in their inboxes
despite your best efforts to stem the tide?Most organizations these days have deployed multiple layers
of security to monitor and protect their networks, servers, and endpoints. But
no matter how good your anti-virus and Exchange security software is, no matter
how granular the logging available for review may be, you know there are two
things you still can't guarantee.You can't guarantee that your users will never be forced to
deal with increasingly sophisticated malicious emails, all of them driven by
proven social engineering schemes cooked up and road-tested by malicious
parties.
Worse, you can't tell your boss that you have deep insight
how your users are actually handling those phishing emails. The best you can do
is wait for all your organization's various layers of security to alert you
that something is amiss (and then hope it isn't too late to head off disaster).So, as you watch your users staring intently at their
screens, it's difficult not to wonder: just what are they doing?Let us show you, using actual phishing emails reported by
customers who have deployed the Phish Alert Button (PAB).
In what follows we will take you through all-too-common examples of what we see
users doing every day when handling phishing emails. Fair warning: it ain't
pretty.Say It Ain't So, Joe!When your users show up for work every day, most of them
have one primary concern: doing their jobs as quickly, efficiently and
effectively as they can. Although they have been told that security should be
on their minds, most will have little experience dealing with savvy bad actors.
And the decisions they make when actually confronted with live phishing emails
reflect that inexperience.One of more common decisions that employees make when they
encounter suspicious emails is to hit the Reply button in order to confirm that
those worrisome emails are, in fact, safe to open.What all too many of these employees do not realize,
however, is that the answers they receive will be from bad guys operating from
compromised emails accounts. And you can guess what these fraud artists are
telling your users.Some of these bad guys are so confident in their ability to
pull the wool over your users' eyes that they're even willing to subtly taunt
them.When users see a familiar name in the From: line of an
email, the temptation to trust what comes from those familiar email accounts
will be powerful.Sharing the WealthAnother common behavior we see among users dealing with
malicious emails is a troubling tendency to share and forward those emails,
most of them laden with malicious links or attachments. And every person who
receives those emails represents another opportunity for the bad guys to
capture login credentials or drop malware inside your network.Many users forward on malicious emails without little
awareness that in doing so they are doing the work of malicious parties. This
particular user, having received a fake court notice with a malicious, thought
it only reasonable to alert his boss. The boss, of course, opened the malicious
attachment straightaway.Even when users do suspect that danger may be lurking within
emails they have received, they still forward those malicious emails to others.
When they do, they inadvertently kick off a chain of forwards, exposing
multiple users to malicious links and attachments.Consider this senior consultant at an engineering consulting
firm who receives a fake invoice phish and proceeds to sets off a chain of
forwards by instructing a junior consultant to look into it.The whole mess eventually lands in the lap of a lowly
"Receptionist/Office Assistant" working in completely different
office.Note that at this point multiple employees have likely
clicked the malicious link and absolutely no one has checked the original email
with IT, despite suggestions to do just that.Asking for MoreUsers can remain oblivious to email-borne threats even in
the face of obvious alarms -- like odd behavior when they attempt to open
malicious attachments and links. Determined to do their jobs, such users can
find themselves blithely inviting malicious actors to provide them with still
more opportunities to compromise their PCs as well as the networks of their
employers.We recently observed this depressing phenomenon after users
received a phishing email delivered unwittingly by Dropbox itself and pointing
to a malicious file hosted on a compromised Dropbox account. A number of users
confused by that malicious file ended up posting their email addresses to a
virtual "wall of shame":
Indeed, we often see users stymied by the inexplicable
behavior of malicious links and attachments demonstrating their willingness to
go the extra mile to get their hands on files they do not realize are
malicious.Pleading IgnoranceAnd then there are the users who simply throw up their hands
when the bad guys ask them to engage in dangerous behavior. This particular
user tried to plead ignorance when asked by the bad guys to assist with a wire
fraud scheme.Unsurprisingly, the bad guy in this case was having none of
it. Fortunately, the user here clicked the Phish Alert Button (PAB)
instead of forwarding this request to others in his organization who might have
been able to perform the wire transfer.Eager BeaversNot many users are willing to resort to the ignorance excuse
when dealing with bad guys posing as senior executives within their
organization, though. It is much more common to observe users all too willing
and eager to spring into action when the bad guys come calling.One of the more alarming cases we witnessed recently
involved an employee named Ashley, who fell victim to one of the more prevalent
phishing campaigns currently in use: the iTunes gift card phish.Asked by a bad guy posing as her boss to purchase a whopping
twenty $100.00 iTunes gift cards, Ashley promptly hopped in her car and drove
around town, hitting multiple stores (because no single store would allow her
to buy more than four or five cards at a time), then sitting in her car and
emailing screenshots of each card's scratch-off code. Worse she put the entire
$2000.00 in gift cards on her own personal credit card.Targeted in yet another form of CEO fraud phishing, Phyllis
was so helpful in getting her boss's direct deposit data changed that even the
bad guys posing as her boss were impressed, wishing her "compliments of
the seasons."Decidedly less impressed was her actual boss, who found that
Phyllis was handing over his paycheck to the bad guys when she helpfully cc'ed
his work email address:Ignoring the ObviousSome users are just clueless and overly eager to get stuff
done or keep their bosses happy. Others, however, deliberately ignore obvious
signs of trouble when handling malicious emails. And while it's one thing to
ignore red flags when opening a link or attachment on one's own PC, it's quite
another to blow through an explicit warning from an anti-virus program, as this
employee did......and then request the bad guys themselves send on that
same malware to one of the organization's customers or clients. Once again,
this kind of response simply provides the bad guys more opportunities to sow
destruction and chaos.Unfortunately, it's not just lay users who are prone to
ignoring malicious threats, even when those threats are staring them in the
face. Less experienced IT employees are perfectly capable of doing much the
same.We had to chuckle at this response from one organization's
help desk when a user reported the opening salvo in an obvious email scam:Yes, the malicious party spoofing Pastor Paul would almost
undoubtedly be asking for "donations," just not the charitable kind.There's also something darkly humorous in this exchange
between another user and his organization's help desk. When the user received a
fake invoice phish from the compromised email account of someone named
"Joseph F," he had several good reasons to suspect a rat, not the
least of which was the fact that the organization's anti-virus had flagged the
attachment as malicious. But there was another reason.The bad guys have a lot of tricks up their sleeves. Even
they, however, haven't quite figured out how to get dead guys to send emails
from six feet under.Users (sometimes) Get a ClueAs depressing as it can be to watch users scoring "own
goals" for Team Bad Guys, we do occasionally see signs of hope. Sometimes
users do manage to come up with the right answers when the bad guys come
knocking -- even if does take a few minutes for the light bulb to blink on.Consider this user, who received a fairly standard CEO fraud
email requesting her to change the direct deposit details for the head of
finance.Apparently Kim chewed a bit more on her lighthearted
observation -- the proverbial gears turning in her mind -- before deciding to
report this phishing email to her IT department via the Phish Alert Button
(PAB).Bad Guys Get a ClueThe bad guys can also think on their feet, though. Like poor
Ashley, whose encounter with the bad guys we considered earlier, Matt also
found himself bamboozled into providing close to $2000.00 in iTunes gift cards
to a malicious actor spoofing one of his bosses.Not being an idiot, the bad guy quickly realized he had
hooked a sucker and made the obvious play.ConclusionYour users and employees are your organization's greatest
strength. Those same employees, however, can also prove to be your biggest
headache -- a real life bonified security threat -- if they haven't been
properly trained on how to recognize and respond to the malicious emails
landing in their inboxes on a daily basis.Instead of sitting in your office, wondering what your
employees and users are doing and dreading the next sign that malware is inside
the wire or your company's bank accounts drained, a better course of action is
to turn your users into security assets. Step your users through New-school
Security Awareness Training, test their resilience in face of threats
through simulated
phishing campaigns, then give them the tools to report phishing emails
directly to your IT department so that you and your users can live in the light
instead dreading disaster in the dark.
Security Affairs reports that malicious cheat tool-impersonating Java or .NET stealers spread through the Stargazers distribution-as-a-service network have been compromising Minecraft players with multi-stage malware since March.
Threat actors have deployed a more advanced fileless version of the Masslogger credential-stealing malware as part of a new campaign aimed at French users, Cyber Security News reports.
More than 3,775 Android devices have been infected with the AntiDot Android malware-as-a-service botnet across 273 attack campaigns, reports The Hacker News.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news