In this week’s post, we take a look at “in-the-wild” phishing attacks and talk about how to counter them. Protecting yourself from phishing and malware attacks is not only important, it’s a fundamental Internet survival skill, made even more essential if you have a web presence you depend on. A compromised workstation could lead to compromised credentials, ultimately leading to complete control of your website by bad actors. We don’t want that.

Phishing Attack Examples

Here are two examples of phishing attacks that were actually carried out. For each, we give the detection ratio reported by VirusTotal, a free malware-scanning service, to show how likely it is that a standard antivirus tool would have caught the malware in question.

Attack 1

The first attack is an unsolicited email sent to a generic enterprise email address. The attacker attached a zip file (Kyle_hanna_resume.zip), which when decompressed contained a single .shtml file, Kyle_Hanna_resume.shtml.

[Image: the phishing email] Gee, thanks, Kyle

The .shtml file contained an iframe that loaded PHP from a legitimate site registered in 2009. Legitimate, but compromised. Malicious PHP on the compromised site, loaded from the iframe, downloaded a file stored on Google Drive, my_resume.scr.

[Images: iframe used in the phishing exploit; Google Drive download linked to from the phishing email] The iframe and file download

Files with the .scr extension (Windows screensavers) are executable, and this file’s icon was changed to look like a PDF file ready for viewing. This is probably enough to fool more than a few users, especially with the Windows feature ‘Hide extensions for known file types’ turned on by default, which hides the .scr extension entirely.

[Image: fake PDF icon] PDF it is not.

At the time of the attack, VirusTotal had a detection ratio of 7/55. Malicious, yes, but a low detection rate at the time. (Detection is 42/57 now.) The file was a version of ransomware, like Cryptowall or Cryptodefense, which encrypts a user’s files and the files on mounted network drives, demanding money to decrypt them.
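As an added example (not part of the original post), here is a small attachment triage routine a mail gateway or help desk could run over an incoming zip: it flags active-content extensions such as .scr and .shtml, catches document-extension masquerades like “resume.pdf.scr”, and extracts any iframe sources from .shtml/.html members for blocklisting. The sample zip and the iframe URL (compromised-site.example) are constructed stand-ins for the Kyle_hanna_resume.zip attachment described above.

```python
import io
import re
import zipfile

# Extensions Windows or a browser will execute or render as active content.
# .scr and .shtml are the two used in Attack 1.
RISKY_EXTENSIONS = {".scr", ".exe", ".vbs", ".js", ".shtml", ".hta", ".pif", ".com", ".bat", ".cmd"}
# Extensions users trust as "documents"; a trailing risky extension behind one is a masquerade.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".txt", ".jpg"}
IFRAME_SRC = re.compile(r'<iframe[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)


def classify_name(name):
    """Return findings for one file name found inside an attachment."""
    findings = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return findings  # no extension at all
    ext = "." + parts[-1]
    if ext in RISKY_EXTENSIONS:
        findings.append(f"{name}: executable/active content ({ext})")
    # Double extension such as my_resume.pdf.scr: with 'Hide extensions for known
    # file types' on, the user sees only "my_resume.pdf".
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS and ext in RISKY_EXTENSIONS:
        findings.append(f"{name}: document extension masquerade")
    return findings


def triage_zip(zip_bytes):
    """Inspect every member of a zip attachment without executing anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            findings.extend(classify_name(info.filename))
            if info.filename.lower().endswith((".shtml", ".html", ".htm")):
                html = zf.read(info).decode("utf-8", errors="replace")
                for src in IFRAME_SRC.findall(html):
                    findings.append(f"{info.filename}: iframe loads {src}")
    return findings


def build_sample_zip():
    """Constructed stand-in for Kyle_hanna_resume.zip; the iframe URL is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Kyle_Hanna_resume.shtml",
                    '<html><body><iframe src="http://compromised-site.example/loader.php" '
                    'width="0" height="0"></iframe></body></html>')
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```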

Attack 2

Often malware attacks are multi-functional, like our next example. Starting again with an unsolicited email and attachment, the attack vector was an actual PDF (p.o document.pdf), which directed the viewer to malicious code at another legitimate, compromised domain.

Once the victim reached the compromised page, a data URI generated a phishing page that prompted for email credentials in order to view the ‘protected’ PDF.

[Images: data URI leading to the phishing page; login page from the phishing attack] Data URI and phishing page

The data URI also generated VBScript that attempted to write malware to a file called svchost.exe and run it.

[Image: VBScript malware file from the phishing attack] Malicious VBScript

The malicious PDF had a detection ratio of 0/56 on VirusTotal at the time of the attack. Knowing that antivirus would not have caught the malware is something to note. You are the first step in protecting yourself from phishing and malware attacks. Technology alone is not enough to protect you.

Protecting Yourself

In the examples above, both phishing attacks used the compromised websites of legitimate organizations to distribute malware.

To start the discussion of protection, we must first speak of user habits. You are the first line of defense against attacks. Often called the human firewall, users must consider the security implications of their actions and act accordingly when interacting with information technology and the net.

Security-conscious decisions include:

  • Never opening attachments from unsolicited communication, like email, chat, etc.
  • Only visiting known, reputable websites
  • Using strong, non-dictionary passwords
  • Never reusing those passwords
  • Using a password manager like LastPass, KeePass, etc.
  • Using two-factor authentication wherever possible

Adopting these security-conscious habits improves security effectiveness and, combined with technology, rounds out a robust security posture. Secure technological habits include:

  • Keeping your operating system and third-party programs up to date with the latest versions and patches
  • Using antivirus with up-to-date definitions
  • Using a malware scanner like Malwarebytes


SiteLock website security products keep your website secure and prevent it from becoming one of the compromised. Products like the TrueShield web application firewall and the SiteLock INFINITY scanning solution provide 360 degree coverage for your site’s security, 24/7, 365. Call SiteLock at 855.378.6200 to speak with one of our website security consultants today.