Researchers have come across a peculiar phishing campaign delivering Trojans to target machines. While this sounds similar to any other phishing campaign, what makes this one distinct is its ever-changing, rather inconsistent attack patterns.
Phishing Campaign Veiled As Paid Invoice
In a blog post published recently, the cybersecurity firm GreatHorn revealed about a malware campaign going on in the wild. The phishing campaign adopts inconsistent attack patterns to evade detection.
As explained, this phishing campaign is like any other typical phishing attack, beginning with an email. However, the ever-changing attack patterns can circumvent email security tools to reach the target user’s inbox. The email masks itself as a payment confirmation to trick users.
“Masquerading as a confirmation on a paid invoice, the attack is sophisticated in that it lacks the consistency of a typical volumetric attack.”
The content of the email includes a malicious URL that automatically downloads a Word template on the victim’s device. This MS Word file carries the Trojan.
To bluff users, the attackers use legit email addresses of compromised accounts. Whereas, the email content includes near-valid details, such as the name of a fellow employee of the victim as the sender, subject lines that hint of a payment invoice, and email content designed as an invoice. Nonetheless, the underlying language of the email may evade detection tools.
“Body content generally follows a pattern that confirms the receipt of a payment for an invoice, but uses slightly different language to evade capture.”
Inconsistent Attack Patterns for Trojan Delivery
According to GreatHorn’s findings, the phishing campaign follows everchanging attack patterns. Thus, it becomes difficult to spot spam emails right away.
“This attack uses a variety of different subject lines, email content, email addresses, display name spoofs, and destination URLs.”
As observed, the subject line of the email may usually carry words likes “receipt” or “payment”. Whereas, the attackers may either use a different email address with a valid employee’s name of the target firm or may use a valid compromised email account of the firm with an arbitrary name.
The researchers observed three different variants of the attack on the same day at different times. This shows the creativity of the attackers to evade identification and subsequent blocking.
“The attack has (so far) consisted of three distinct waves, each wave corresponding with a different destination URL, suggesting an attack pattern that anticipated and planned for relatively quick shutdowns of the destination URLs.”
So, once again, the entire responsibility of staying protected from such phishing attacks falls on the shoulders of the users.
A few days ago, we have heard of at least three other phishing campaigns exploiting Facebook Login feature, LinkedIn direct messaging by sending fake job offers, and the Microsoft Office 365 tech support phishing. (Perhaps, phishing is on a rise these days!)
Do share with us your observations.