In what appears to be a new phishing technique, hackers have been using newsletter subscription forms from high-profile brands as a means of targeting potential victims.
In April it was reported several Russian users received emails from well-known companies including Audi, Austrian Airlines and S-Bahn Berlin, which contained links to a phishing website. Requiring victims to complete a survey in order to claim a (non-existent) monetary prize, the methods employed to steal money and financial details weren’t particularly unusual. The methods used to actually send the phishing emails, on the other hand, most certainly were.
Using official email newsletter sign-up forms on brands’ websites, hackers populated the “first name” field with an enticing incentive such as “money for you” or “lucky email”, and the “last name” field with a link to the phishing website. As they originated from official company addresses, the emails would have appeared trustworthy to the victims and – importantly – their spam filters. Indeed, the recipients would have had no reason to suspect that clicking on the link in the email would do anything more sinister than confirm their subscription to that company’s newsletter.
The right solution
As phishing scams become ever more sophisticated, greater caution should be exercised with regard to URLs within emails. While many people may be wary of emails from unknown senders, it’s important to make users aware of this new approach, so that they know not to click on links appearing in the opening line of what appear to be legitimate newsletter sign-up or confirmation emails. Users should be encouraged to delete emails, too – even those from well-known brands – if they’ve never signed up to a newsletter.
They shouldn’t have to deal with this threat on their own though; technology is available that can help. Most email security solutions will scan and rewrite links in email messages when they are received, our unique LinkScan technology goes one step further to provide dynamic time-of-click protection for users. But attackers are getting wise to the level of scrutiny a URL contained in an email is under. This has led to an increased use of links with multiple redirects to the final destination malware. As phishing tactics evolve, so too should the tactics and solutions used to tackle them. Censornet’s LinkScan will check not only the initial link, but also other redirect links and links in cloud documents against multiple threat intelligence feeds, at time-of-click.
Organizations can take steps too to help prevent their newsletters being hijacked for criminal purposes. If the companies exploited in this recent phishing campaign had used input validation on fields in their newsletter sign-up forms, for example, and restricted entries to just upper and lower case letters, the attackers would have been unable to enter malicious URLs in the “last name” field.
Attacks are diversifying
This latest campaign demonstrates how attackers are moving away from putting links to phishing websites in the body of email messages. Another similar technique currently growing in popularity is the practice of putting such links in files uploaded to cloud storage applications such as Microsoft OneDrive. Hackers will send a link to the legitimate – and therefore trusted – cloud storage app which opens the file in the viewer/previewer included in most storage apps, from where unwitting users will then click on the malicious URL.
With hackers turning to more sophisticated and diversified methods, closer integration between email and web security is required. Employing a comprehensive combination of Censornet’s Web Security, CASB (Cloud Access Security Broker) and Email Security (EMS), for example, will provide the coverage needed to ensure fewer phishing attempts of this nature slip through the net.
If you would like to discuss how Censornet can enhance your capability to fight phishing, contact us to set up a preliminary conversation or request a demonstration.
