Are you ready for another article preaching about the risks associated with email? Well, I will make a deal with you. I will only talk about the stuff you probably already know for one second, and then I’ll spend the rest of the time talking about some crazy new ways in which criminals are having success with malicious links in emails. I know, I know, phishing scams are old news and only your grandparents and Millennials are still falling victim, but you have to remember, criminals are not known for giving up. And just when you think you have it all figured out, they change the game.

First, let's cover the stuff you have probably been told more than once. According to a recent study conducted by IRONSCALES, over 90% of all successful cyberattacks can be directly tied back to a phishing email. That means that phishing scams are clearly working. That said, the number of breaches has begun to decline, which seems to indicate that people are starting to figure it out. The most obvious lesson that has been learned is simply this: when you receive an unsolicited email, don’t click the link and don’t open the attachment. By following that basic advice, you can all but eliminate the risks associated with email. Just to be clear, there can also be risks tied to phone numbers sent in emails. In those cases, the criminal may attempt to trick the recipient into giving personal or private information over the phone. So really it just comes down to not trusting anything in an unsolicited email.

Now, the term “unsolicited email” is interesting because it turns out that it can mean many things to many people. For example, suppose I am a customer of a bank or credit union and I receive monthly statements via email. Technically that is not unsolicited, because even though it was not a response to an immediate request, it was still something that I had expected. LinkedIn is another example, where you may receive an email letting you know someone has requested to “Join your network.” This too is technically not unsolicited, as you are expecting to receive these emails from time to time.

But this is where things start to get complicated, because there are literally thousands of examples where you could receive an email that, though unsolicited, still technically makes sense for you to have received. Unfortunately, criminals are on to this and have begun to really zero in on these types of attacks.

Now an argument could be made that in order for a criminal to have success with one of these attacks, they would need to know, or at least be able to guess, what services and companies you work with. And while that may be true to a point, the reality is that if they send out 100,000 emails pretending to be from mainstream organizations such as LinkedIn, Amazon, or a large bank or credit union in your region, they are likely to have a high success rate in finding people that do business with that organization. That said, if you are even a little tech savvy you might be able to look at the link in the email and realize that it points to a domain that is different from the one the email claims to be sent from. For example, an email claiming to be from LinkedIn may have a link that goes to something like linkedin.sec-update.com. This would obviously not be a real link to LinkedIn, and that might be enough to keep you from clicking it.

But things are starting to get even more complicated. Recently criminals have begun using legitimate third-party services to send malicious emails. For example, if a criminal is targeting employees at a specific organization, they will do some research to get a list of the employees at that organization. Often this can be done through LinkedIn. Now, with the help of Facebook or one of the many other social networking sites, it isn’t so difficult to find an employee who has an upcoming birthday. Next, they go to the website evite.com, a service designed to send out invitations to parties and events, and create a new invitation. They will make the invitation look like it is being sent from one of the employees at the organization and announce that there is a surprise birthday party for the employee who has an upcoming birthday. Because real names are being used and because a real service is being used, the email sent is technically 100% legitimate.

Now, to pull off the scam, the criminal will add one more small detail in the message of the evite. They will include a link to either a blog about the upcoming birthday party or perhaps a link to a funny video about the birthday boy or girl. Obviously there are a number of reasons one may want to include a link and the evite.com company will send that link as part of the evite. So, to complete the attack, the criminal sends the email to as many of the employees of that organization as possible.
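The domain check described earlier (does the link actually point at the claimed organization, or at something like linkedin.sec-update.com?) and the third-party-service case above (a genuine evite.com invitation whose message body carries an attacker-chosen link) come down to the same question: does every link in the message belong to the domain of the service that sent it? The Python below is an added example written for this article, not code from Stickley on Security, evite.com, or LinkedIn. The sample invitation text and the domains in it are constructed, and the rule "a brand name appearing inside a foreign hostname is a lookalike" is a heuristic assumption, not a standard.

```python
import re
from urllib.parse import urlparse

# Assumption: the "claimed domain" is the registrable domain of the service the
# email presents itself as coming from (linkedin.com, evite.com, yourbank.com).
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def classify_link(url: str, claimed_domain: str) -> str:
    """Return one of: 'matches sender', 'lookalike', 'foreign', 'non-http'."""
    claimed = claimed_domain.lower().strip(".")
    brand = claimed.split(".")[0]          # 'linkedin' from 'linkedin.com'
    parts = urlparse(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return "non-http"
    # .hostname is lowercased and has userinfo ('user@') and port stripped, so
    # 'https://linkedin.com@203.0.113.5/' yields the real host '203.0.113.5'.
    host = parts.hostname or ""
    if host == claimed or host.endswith("." + claimed):
        return "matches sender"
    # Heuristic (assumption): the brand name smuggled into a foreign host
    # ('linkedin.sec-update.com', 'linkedin.com.evil.example') or into the
    # userinfo part of the URL is the classic lookalike pattern.
    if brand in host or brand in (parts.username or "").lower():
        return "lookalike"
    return "foreign"


def audit_message(body: str, claimed_domain: str) -> list:
    """Extract every http(s) link in a message body and classify it."""
    links = [u.rstrip(".,;:!?") for u in URL_RE.findall(body)]
    return [(u, classify_link(u, claimed_domain)) for u in links]


def needs_review(body: str, claimed_domain: str) -> bool:
    """True if any link leaves the sending service's own domain."""
    return any(verdict != "matches sender" for _, verdict in audit_message(body, claimed_domain))


# Constructed sample: an invitation-style email that really was sent through
# the (claimed) service, but whose body carries two links the service did not
# originate. Domains other than evite.com are constructed placeholders.
SAMPLE_BODY = """\
You're invited! Surprise birthday party for Jordan next Friday.
RSVP here: https://www.evite.com/event/ABC123
Photos from last year: http://evite.com.party-photos.example/video
Read the party blog: https://blog.example.net/surprise.
"""

if __name__ == "__main__":
    for url, verdict in audit_message(SAMPLE_BODY, "evite.com"):
        print(f"{verdict:15s} {url}")
    print("needs review:", needs_review(SAMPLE_BODY, "evite.com"))
```

Run on the sample, only the RSVP link is accepted as belonging to evite.com; the other two are flagged, which is exactly the signal a mail gateway or a careful reader wants when the sender itself is legitimate but the payload is not. Keep in mind that the brand-name rule is deliberately loose: it will also flag unrelated hosts that happen to contain the word, so treat its output as a reason to look closer, not as a verdict on its own.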

SOURCE: https://www.stickleyonsecurity.com/sos_advisor.jspx