Phishing campaign tricks financial industry employees
Researchers at Menlo Labs have spotted a new phishing campaign aimed at tricking employees of US banks and financial firms into downloading Houdini malware.
It’s no surprise that cybercriminals are going where the money is – in this case, literally. A phishing campaign that has been running since August has been identified seeking to compromise business endpoints using a combination of tactics:
- Reputation Jacking – all of the files were hosted on Google’s Cloud Storage (storage.googleapis.com). This use of well-known, popular hosting services helps to avoid detection. (According to Menlo Labs’ most recent Annual State of the Web Report, 4,600 phishing sites used legitimate hosting services.)
- Archived Files – the files linked to in these campaigns were zip or gz archive files, further obfuscating the malicious payload.
- Links over Attachments – links to Google’s Cloud Storage (and other reputable sites) are less likely to be flagged as suspicious than an attachment that can be scanned locally.
- Scripting – .vbs and .jar files were used as droppers.
- Script Obfuscation – all of the scripts were obfuscated three levels deep via VBScript.
- Contextual filenames – because financial institutions were the target, filenames like “remittance invoice” and “transfer invoice” were used.
- Socially Engineered – traditional social engineering tactics, specific recipients, and requests appropriate for their role were used.
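For defenders, several of the traits listed above can be checked mechanically at the mail gateway or in a sandbox. The sketch below is an added example, not code from Menlo Labs or KnowBe4: it flags links that combine trusted hosting, an archive extension and a finance-themed filename, and lists .vbs/.jar members inside a downloaded zip. The keyword list, the two-trait threshold, the function names and the sample data are assumptions.

```python
import io
import re
import zipfile
from urllib.parse import urlparse, unquote

# Host and extensions come from the article; keywords and the 2-trait threshold are assumptions.
HOSTING_HOSTS = {"storage.googleapis.com"}
ARCHIVE_EXTS = (".zip", ".gz")
DROPPER_EXTS = (".vbs", ".jar")
LURE_WORDS = ("remittance", "transfer", "invoice")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def triage_url(url):
    """Return the campaign traits (from the article's list) that one URL matches."""
    parsed = urlparse(url)
    filename = unquote(parsed.path).lower().rsplit("/", 1)[-1]
    checks = {
        "trusted-hosting": (parsed.hostname or "").lower() in HOSTING_HOSTS,
        "archive-link": filename.endswith(ARCHIVE_EXTS),
        "lure-filename": any(w in filename for w in LURE_WORDS),
    }
    return [name for name, hit in checks.items() if hit]

def triage_email(body):
    """Map each URL in an email body to its traits, keeping URLs with 2+ traits."""
    found = {u.rstrip(".,)"): triage_url(u.rstrip(".,)")) for u in URL_RE.findall(body)}
    return {u: hits for u, hits in found.items() if len(hits) >= 2}

def dropper_members(zip_bytes):
    """List .vbs/.jar members of a zip by name only; nothing is extracted or run."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(DROPPER_EXTS)]

# Constructed sample input (not taken from the campaign).
SAMPLE_BODY = (
    "Please review the payment advice:\n"
    "https://storage.googleapis.com/example-bucket/Remittance%20Invoice.zip\n"
    "Our site: https://www.example.com/about\n")

def build_sample_zip():
    """Build a constructed, harmless zip in memory to exercise dropper_members()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("remittance invoice.vbs", "' constructed placeholder\n")
        zf.writestr("notes.txt", "constructed placeholder\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_email(SAMPLE_BODY), dropper_members(build_sample_zip()))
```

A link to a trusted hosting service alone is not flagged, since such links are common in legitimate mail; it is the combination of traits that raises the signal. The archive check covers zip only, so a .gz payload would need separate handling.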
Gain endpoint (users’ computers) control
The end goal of the attack was to install a remote access trojan (RAT) from the Houdini/jRAT malware family to take control of the endpoint, likely to gain access to internal financial applications.
As attackers use more and more sophisticated attacks like the one outlined above, it’s important to focus on the one part of the equation that hasn’t changed – the attack requires a user. Without someone falling for the scam, this attack is powerless.
Security Awareness Training is the ultimate solution
Organizations that consistently put their users through Security Awareness Training have a better chance of avoiding falling victim to scams like this. With educated users completely aware of the tactics used by cybercriminals, what to look for, and how to spot a malicious email, the likelihood of them falling prey to an attack is significantly reduced.
—
Cyber Safety Net is a KnowBe4 partner. Reposted with permission from https://blog.knowbe4.com/malicious-business-email-campaign-uses-google-cloud-storage-to-target-banks-and-financial-services-companies. Cyber Safety Net – keeping you safe online. See https://cybersafetynet.net/cyber-security-awareness-training/ to train and strengthen your human firewall. See https://youtu.be/UFpFesrcnvY and https://www.knowbe4.com/security-awareness-training-features/ to learn more.