The Phishing Campaign That Uses Variations of Attack Patterns To Evade Detection


Researchers have come across a peculiar phishing campaign delivering Trojans to target machines. While this sounds similar to any other phishing campaign, what makes this one distinct is its ever-changing, rather inconsistent attack patterns.

Phishing Campaign Veiled As Paid Invoice

In a blog post published recently, the cybersecurity firm GreatHorn revealed a malware campaign going on in the wild. The phishing campaign adopts inconsistent attack patterns to evade detection.

As explained, this phishing campaign is like any other typical phishing attack, beginning with an email. However, the ever-changing attack patterns can circumvent email security tools to reach the target user’s inbox. The email masks itself as a payment confirmation to trick users.

“Masquerading as a confirmation on a paid invoice, the attack is sophisticated in that it lacks the consistency of a typical volumetric attack.”

The content of the email includes a malicious URL that automatically downloads a Word template to the victim’s device. This MS Word file carries the Trojan.

To bluff users, the attackers use legitimate email addresses from compromised accounts. The email content also includes near-valid details, such as the name of a fellow employee of the victim as the sender, subject lines that hint at a payment invoice, and a body designed to look like an invoice. At the same time, the wording of the email is varied slightly from message to message, which helps it evade detection tools.

“Body content generally follows a pattern that confirms the receipt of a payment for an invoice, but uses slightly different language to evade capture.”

Inconsistent Attack Patterns for Trojan Delivery

According to GreatHorn’s findings, the phishing campaign follows ever-changing attack patterns. Thus, it becomes difficult to spot these spam emails right away.

“This attack uses a variety of different subject lines, email content, email addresses, display name spoofs, and destination URLs.”

As observed, the subject line of the email usually carries words like “receipt” or “payment”. The attackers either use a different email address with a valid employee’s name of the target firm as the display name, or use a valid compromised email account of the firm with an arbitrary display name.

The researchers observed three different variants of the attack on the same day at different times. This shows the creativity of the attackers in evading identification and subsequent blocking.

“The attack has (so far) consisted of three distinct waves, each wave corresponding with a different destination URL, suggesting an attack pattern that anticipated and planned for relatively quick shutdowns of the destination URLs.”
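As an added example, not code from GreatHorn or from this article, the following script shows the identity-based checks a mail filter can apply against the two sender variants described above (a real employee’s name on a foreign address, or a real mailbox under an arbitrary name) and how distinct destination hosts across a batch reveal the rotating-URL wave pattern. The employee directory, internal domain and the three sample messages are constructed for the example.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed employee directory and internal domain (assumptions for the example).
DIRECTORY = {"Jane Doe": "jane.doe@example.com", "Sam Lee": "sam.lee@example.com"}
MAILBOXES = {addr: name for name, addr in DIRECTORY.items()}
INTERNAL_DOMAINS = {"example.com"}
INVOICE_WORDS = re.compile(r"\b(receipt|payment|invoice|paid)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def is_internal(host):
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)

def analyze(from_header, subject, body):
    """Score one message. Returns (score, reasons, external_link_hosts)."""
    name, addr = parseaddr(from_header)
    addr, reasons = addr.lower(), []
    # Variant 1: a real employee's display name on an address that is not their mailbox.
    if name in DIRECTORY and addr != DIRECTORY[name]:
        reasons.append("display-name spoof: employee name on a foreign address")
    # Variant 2: a genuine company mailbox sending under a display name it never uses.
    if addr in MAILBOXES and name != MAILBOXES[addr]:
        reasons.append("compromised-account pattern: mailbox with unexpected display name")
    # Theme check only; wording varies between messages, so this is a weak signal alone.
    if INVOICE_WORDS.search(subject):
        reasons.append("payment/receipt wording in subject")
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body)}
    external = sorted(h for h in hosts if h and not is_internal(h))
    if external:
        reasons.append("external link host(s): " + ", ".join(external))
    return len(reasons), reasons, external

def rotating_destinations(messages):
    """Distinct external hosts across flagged messages: several behind one theme is the wave pattern."""
    hosts = set()
    for frm, subject, body in messages:
        score, _, external = analyze(frm, subject, body)
        if score:
            hosts.update(external)
    return sorted(hosts)

# Constructed sample messages: the two attack variants and one benign internal mail.
SAMPLES = [
    ('"Jane Doe" <jane.doe@mail-invoice.example.net>', "Receipt for your payment",
     "Thanks, your invoice is paid. Download a copy: http://invoice-a.example.net/doc"),
    ('"Accounts Payable" <sam.lee@example.com>', "Payment confirmation",
     "Please find the paid invoice at http://docs-b.example.org/inv"),
    ('"Jane Doe" <jane.doe@example.com>', "Lunch tomorrow?", "See you at noon."),
]
```

The two identity checks hold regardless of how the subject or body wording is varied, which is why they are more robust here than keyword filtering on its own.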

So, once again, the entire responsibility of staying protected from such phishing attacks falls on the shoulders of the users.

A few days ago, we heard of at least three other phishing campaigns: one exploiting the Facebook Login feature, one sending fake job offers via LinkedIn direct messaging, and the Microsoft Office 365 tech support phishing. (Perhaps phishing is on the rise these days!)

Do share with us your observations.

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]