Why do phishing attacks work? Blame the humans, not the technology

13:15 08 April 2021 Source: zdnet.com


Image: a woman at a laptop, bewildered by a scam message (Getty Images/iStockphoto)


Phishing attacks remain a huge problem and crooks are spending a lot of time and effort to ensure that, for the potential victim, clicking on a bad link is the most intuitive and easiest thing to do.

A common technique used in emails sent by cyber criminals attempting phishing attacks is to claim that the victim needs to click a link or download an attachment as a matter of urgency.



This could claim to be anything from important corporate documents in an enterprise environment, to a parcel delivery notification, winning a prize, or even a phony threat about court summons.

SEE: Cybersecurity: Let's get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)

The messages are designed so that clicking on the phishing link is the easiest thing to do, with the aim of directing the user to a page designed to steal login credentials or other personal information.


Crooks will design these phishing pages to look almost indistinguishable from the real one they're mimicking, which is all part of a plan to make the operation as smooth as possible – with no reason for the user to question if anything is wrong.

"Part of the problem is that phishing signals are often indistinguishable from positive user experience attributes," Troy Hunt, creator of HaveIBeenPwned and digital advisor to Nord Security, told ZDNet Security Update.

"It's easy when you've got a link, because you just click on it and you go straight to the right place and it deep links you through to that potentially fraudulent transaction," he added.

For example, if a user suspects that an email claiming to be from their bank could be a phishing attempt, they can choose not to follow the link and instead open a new window, type in the bank's address themselves, and check whether there really is a message waiting on their account.


By doing this, they avoid the potentially dangerous phishing link. But phishing attacks remain successful because people are still coerced into clicking links.
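The manual check described above, "compare the link with the address you would type yourself", can also be applied automatically before a link is ever clicked. The following is an added example, not code from the article or from any product it mentions; the brand-to-domain allow-list, the urgency word list and the sample message are constructed assumptions.

```python
"""Flag links in an e-mail whose destination host does not belong to the
brand the message claims to come from, and count urgency cues in the text.
Allow-list, keywords and the sample below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: the domains a user would type directly for each brand.
KNOWN_SITES = {"examplebank": {"examplebank.com"}}

# Assumed lure phrases typical of "act now" phishing messages.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify now", "within 24 hours")

# Constructed sample: the visible text names the bank, the host does not.
SAMPLE_PHISH = ('<p>Your account will be suspended. <a href="https://'
                'examplebank.com-secure-login.example.net/x">Log in to '
                'Example Bank</a> immediately.</p>')


class _LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Naive two-label registrable domain (no public-suffix list); an assumption."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(brand, html_body):
    """Return (href, anchor text) for links not on the brand's known domains."""
    parser = _LinkCollector()
    parser.feed(html_body)
    good = KNOWN_SITES.get(brand, set())
    return [(href, text) for href, text in parser.links
            if registrable(urlparse(href).hostname or "") not in good]


def urgency_score(text):
    """Number of distinct urgency cues present in the message text."""
    lowered = text.lower()
    return sum(1 for word in URGENCY_WORDS if word in lowered)
```

A mismatch between the brand named in the anchor text and the registrable domain of the href is exactly what the manual "open a new window and type the address" check catches; a high urgency score is the pressure cue the article describes.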

SEE: Ransomware: Why we're now facing a perfect storm

A recent privacy survey by NordVPN bears this out: while people say they know how to stay safe online, they still fall victim to phishing and other cyberattacks, because cyber criminals are highly capable at using social engineering to coerce victims into doing what they want.

"Humans are ultimately fallible. Unfortunately it's the organic matter behind the keyboard that is often the vulnerable part of the loop," said Hunt.

"We need to have that balance of the education and the training, with the technology to back it up and help us out when things do go wrong," he added.

Organisations can offer training to staff in order to help them identify phishing attacks, while encouraging the use of tools like multi-factor authentication and password managers can also help keep people protected from phishing attacks.


