In terms of both prevalence and financial footprint, phishing is one of the top threats to individuals and organizations. This vector of cybercrime is aimed at obtaining users’ sensitive credentials, defrauding companies of funds, stealing proprietary business data, or distributing malicious programs via rogue emails.
According to recent findings by security analysts, these attacks account for almost half of all breaches in the enterprise sector. The FBI claims a phishing spin-off called business email compromise (BEC) causes eyebrow-raising losses of roughly $5 billion every year.
With the scale of phishing scams steadily growing, numerous security vendors provide tools that prevent deceptive emails from reaching customers’ inboxes. Crooks have picked up the challenge by playing a cat-and-mouse game with white hats. Their efforts are mostly focused on finding new ways to bypass email filters.
Public Cloud Becomes a New Safe Haven for Phishing Pages
Threat actors are increasingly abusing trusted cloud services to host their malicious resources and files. In one such campaign spotted by Check Point, phishers use Google Drive to host a decoy PDF document that supposedly contains important business data. The intended victims receive a message stating that they need to enter their Office 365 credentials to view the shared file.
Entering the username and password does open a legitimate marketing report from a reputable consulting firm, but the criminals capture the victim’s Office 365 sign-in details along the way. This information may then be used to orchestrate BEC hoaxes, corporate data theft, and malware outbreaks.
The campaign under scrutiny is consistent with statistics showing that Microsoft Office is the most heavily exploited application of all: it ends up in the crosshairs of cybercriminals in 72.8% of cases.
Harmful ZIP File under Benign Wrapping
Another clever technique is to cloak a dangerous payload inside an unconventional archive attached to an email. A little theory first: a regular ZIP file contains a single “End of Central Directory” (EOCD) record that marks the end of its structure. To conceal an extra archive tree, malefactors add a second, obfuscated EOCD record.
Secure Email Gateways (SEGs) see and analyze only the normal ZIP hierarchy and overlook its hidden counterpart. When the attachment is extracted, the concealed file quietly launches an info-stealing Trojan on the unwitting recipient’s computer.
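The following scanner is an added example written for this article, not code from the article or from any vendor research it cites. It assumes the concealed tree is realised by appending a second complete archive (with its own central directory and EOCD record) after the first, which is a constructed simplification; the check flags any attachment in which more than one EOCD record describes a real central directory, and shows that a standard extractor silently picks only one of the two trees.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End of Central Directory record signature
CD_SIG = b"PK\x01\x02"    # central directory file header signature
EOCD_LEN = 22             # fixed part of an EOCD record, before the optional comment

def make_zip(members):
    """Build a small ZIP archive in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def find_eocd_records(blob):
    """Return every plausible EOCD record as (offset, entry_count, ends_the_file).
    A signature only counts when the central directory it describes sits directly
    before it and begins with CD_SIG; that filters out chance matches in compressed data."""
    found = []
    pos = blob.find(EOCD_SIG)
    while pos >= 0:
        if pos + EOCD_LEN <= len(blob):
            # fields: disk, cd_disk, entries_on_disk, entries, cd_size, cd_offset, comment_len
            fields = struct.unpack_from("<HHHHIIH", blob, pos + 4)
            entries, cd_size, comment_len = fields[3], fields[4], fields[6]
            cd_start = pos - cd_size
            if cd_start >= 0 and blob[cd_start:cd_start + 4] == CD_SIG:
                found.append((pos, entries, pos + EOCD_LEN + comment_len == len(blob)))
        pos = blob.find(EOCD_SIG, pos + 1)
    return found

def hidden_archive_suspected(blob):
    """More than one plausible EOCD record means a second archive tree is present,
    which a gateway that honours only one EOCD record never inspects."""
    return len(find_eocd_records(blob)) > 1

def visible_members(blob):
    """Member names Python's zipfile reports; it honours the LAST EOCD record."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()

# Constructed samples: a normal archive, and a "double" archive built by appending a
# second complete archive (with its own central directory and EOCD) after the first.
BENIGN = make_zip({"invoice.txt": b"Q3 invoice, figures attached. " * 20})
DOUBLE = (make_zip({"report.txt": b"harmless decoy text " * 20})
          + make_zip({"payload.txt": b"second, concealed tree " * 20}))
```

Note that the first tree's EOCD record does not end the file, while the second one does, which is exactly the discrepancy a gateway can alert on before any extraction takes place.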
Foreign Language Puts a Spanner in the Works
One more trick is to fool email filters by inserting text in a foreign language. It can be effective because some protection tools only check messages for manipulative content in English or in the language matching the recipient’s locale. Some malicious actors write their phishing messages in Russian and include a recommendation to use the Google Translate service. With this tactic, emails may land in one’s inbox without being flagged as dangerous.
Messages Impersonating Well-Known Banks
Mimicking financial institutions to hoodwink users is nothing new, but a recent phishing wave took it up a notch. Scammers have been sending emails that pretend to come from Bank of America or Citigroup and include a link redirecting to a clone of the bank’s official site, which is a credential phishing page in disguise. It seems like a garden-variety trick, but the messages easily get around filters, and here is why.
First off, the crooks target only a handful of employees in an organization. Traditional anti-phishing tools typically identify suspicious messages that arrive in large quantities, so a few emails can fly under the radar.
Furthermore, the messages come from a personal email account and don’t spoof the source domain. Consequently, popular defenses such as the Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) fail to detect them. The credential phishing page uses a valid SSL certificate and was registered only recently, so it doesn’t raise any red flags either.
HTML Code Written Backwards
A fairly complex method in some phishers’ repertoire is to store the HTML text strings reversed and then flip the text direction back so that the recipient reads them normally. The catch is that the content looks scrambled when email filters inspect it, so the message can sneak through. Using Cascading Style Sheets (CSS) to mix Latin and Arabic text in the raw HTML code enhances the trickery further, because the natural writing directions of these scripts are opposite.
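As an added example (not code from the article), the extractor below reconstructs the text a mail client actually displays: it reverses the content of any element styled with direction:rtl plus unicode-bidi:bidi-override, and undoes explicit Right-to-Left Override runs in the text itself, so a keyword filter can scan the rendered message rather than the reversed markup. The sample mail body and the phrase list are constructed for the demonstration; handling of mixed Latin and Arabic runs is out of scope here.

```python
import re
from html.parser import HTMLParser

RLO, PDF = "\u202e", "\u202c"  # Right-to-Left Override / Pop Directional Formatting
VOID_TAGS = {"br", "img", "hr", "meta", "input"}
SUSPICIOUS = ("password", "sign in", "verify your")  # constructed phrase list

class DisplayedTextExtractor(HTMLParser):
    """Collect text as a mail client shows it: text inside an element styled with
    direction:rtl plus unicode-bidi:bidi-override is rendered character-reversed."""
    def __init__(self):
        super().__init__()
        self.pieces = []
        self.reversed_stack = []  # one flag per open element: is its text flipped?

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = (dict(attrs).get("style") or "").replace(" ", "").lower()
        override = "unicode-bidi:bidi-override" in style and "direction:rtl" in style
        inherited = bool(self.reversed_stack) and self.reversed_stack[-1]
        self.reversed_stack.append(override or inherited)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.reversed_stack:
            self.reversed_stack.pop()

    def handle_data(self, data):
        flipped = self.reversed_stack and self.reversed_stack[-1]
        self.pieces.append(data[::-1] if flipped else data)

def displayed_text(html):
    """Visible text of an HTML body with CSS overrides and explicit RLO...PDF runs undone."""
    parser = DisplayedTextExtractor()
    parser.feed(html)
    parser.close()
    text = "".join(parser.pieces)
    return re.sub(f"{RLO}([^{PDF}]*){PDF}", lambda m: m.group(1)[::-1], text)

def phishing_phrases(html):
    """Phrases a keyword filter misses in the raw markup but finds in the displayed text."""
    raw, shown = html.lower(), displayed_text(html).lower()
    return sorted(p for p in SUSPICIOUS if p in shown and p not in raw)

# Constructed sample: the markup stores the sentence backwards and lets CSS flip it back.
SAMPLE = ('<p><span style="direction: rtl; unicode-bidi: bidi-override;">'
          'drowssap 563 eciffO ruoy yfirev dna ni ngis esaelP</span></p>'
          '<p>Link: ' + RLO + 'moc.elpmaxe//:sptth' + PDF + '</p>')
```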
SharePoint Account Takeover
In some cases, crooks leverage previously hacked SharePoint accounts to host their credential phishing pages. Since security services trust this collaboration platform from Microsoft, there is a good chance that an email containing a SharePoint link will go unnoticed. The landing page is modified to display a fraudulent OneDrive for Business sign-in form. Once a user enters their password, it falls into the criminals’ hands.
Shore up Your Phishing Protection
There is no denying that automatic defenses with email filters at their core are incredibly effective in fending off phishing attacks. However, the tricks above demonstrate that this strategy alone is not enough. With that in mind, you should additionally nurture your security awareness by sticking to the following tips:
- Don’t click links in emails no matter how enticing they seem.
- Never open attachments sent by someone you don’t know.
- When you are about to enter your credentials on a login page, make sure it’s HTTPS rather than HTTP.
- Even if an email appears to come from a trusted individual or organization, check it for typos and other inaccuracies.
- Steer clear of messages that specify a deadline for some action or otherwise put pressure on you.
- Be skeptical about wire transfer requests from co-workers. Verify them with the purported initiator in person before sending out the money.
- Avoid oversharing personally identifiable data (PID) on publicly available resources such as social networks.
- Turn on a firewall and use reputable Internet security software that comes with an anti-phishing module.
In summary, phishing attacks are fueled by a combination of human slip-ups and imperfections of mainstream protection tools. Stepping up your online hygiene is half the battle when it comes to avoiding these hoaxes, and email filters should take care of the rest.
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.
Written By: David Balaban