In this week’s post, we take a look at “in-the-wild” phishing attacks and talk about how to protect against a phishing attack and how to counter them. Protecting yourself from phishing and malware attacks is not only important, it’s a fundamental Internet survival skill, made even more essential if you have a web presence you depend on. A compromised workstation could lead to compromised credentials, ultimately leading to complete control of your website by bad actors. We don’t want that.
Here are two examples of phishing attacks that were carried out. In each example, we will give you the detection ratio of a free service for detecting malware, VirusTotal, just to demonstrate the likelihood that the malware in the example would have been caught by a standard antivirus tool.
The first attack is an unsolicited email sent to a generic enterprise email address. The attacker attached a zip file (Kyle_hanna_resume.zip), which when decompressed contained a single .shtml file, Kyle_Hanna_resume.shtml.
The .shtml file contained an iframe that loaded PHP from a legitimate site registered in 2009. Legitimate, but compromised. Malicious PHP on the compromised site, loaded from the iframe, downloaded a file stored on Google Drive, my_resume.scr.
Scr files are executable, and this file’s icon was changed to look like a PDF file ready for viewing. This is probably enough to fool more than a few users, especially with the Windows feature ‘Hide extensions for known file types’ turned on by default.
At the time of the attack, VirusTotal had a detection ratio of 7/55. Malicious, yes, but a low detection rate at the time. (Detection is 42/57 now.) The file was a version of ransomware, like Cryptowall or Cryptodefense, which encrypts a user’s files and the files on mounted network drives, demanding money to decrypt them.
Often malware attacks are multi-functional like our next example. Starting again with an unsolicited email and attachment, the attack vector was an actual PDF (p.o document.pdf), which directed the viewer to malicious code at another legitimate, compromised domain.
Once directed to the compromised page, a data URI generated a phishing page that prompted the victim for email credentials to view the ‘protected’ PDF.
The data URI also generated VBScript which attempts to write malware to a file called svchost.exe and run it.
The malicious PDF had a detection ratio of 0/56 on VirusTotal at the time of the attack. Knowing that antivirus would not have caught the malware is something to note. You are the first step in protecting yourself from phishing and malware attacks. Technology alone is not enough to protect you.
In the examples above, both phishing attacks used the compromised websites of legitimate organizations to distribute malware.
To start the discussion of protection, we must first speak of user habits. You are the first line of defense against attacks. Often called the human firewall, users must consider the security implications of their actions and act accordingly when interacting with information technology and the net.
Security conscious decisions include:
Adopting these security conscious habits improves security effectiveness and, with technology, rounds out a robust security posture. Secure technological habits include:
SiteLock website security products keep your website secure and from becoming one of the compromised. Products like the TrueShield web application firewall and the SiteLock INFINITY scanning solution provide 360 degree coverage for your site’s security, 24/7, 365. Call SiteLock at 855.378.6200 to speak with one of our website security consultants today.