As if it isn’t tough enough to spot social engineering scams and phishing attacks these days, along comes a devious new threat. A recent post by Sophos Group shares a new phishing scam every business leader and IT pro needs to be aware of.
For context, Sophos explains the three steps scammers typically take when phishing for your digital gold. It’s worth recounting those here:
Step 1: Emails with click-through links
Impersonating a trusted (or recognized) sender, the email includes a link. Once clicked, you’re on the edge of trouble, but not over the edge. That takes you to…
Step 2: Imposter web pages
After you’ve clicked on the email it’s likely there’s a password page in front of you, and often, it looks much like it belongs to the same trusted or recognized source. And, just as often, the imposter pages will be on a legitimate website that’s been hacked. If you don’t stop here you’re opening the door to…
Step 3: Password stealers
Once you’ve entered your private data and pressed submit, it’s likely that data isn’t going where you think it is. Hackers frequently “hide” a password-stealing link within the HTML, taking you to what looks like a trusted URL, but is, in fact, a malicious domain.
Step Two With a Twist
Here’s the new wrinkle. While most hackers follow the three steps above, Sophos explains that in step two the hackers didn’t use a link to catch a phish, instead, they used a fake web page that was included with the email as an attachment. Since it isn’t a document that could contain macros or an executable program that can cause an instant disaster, to most people it doesn’t seem dangerous.
You might assume that clicking on an attached HTML page will simply open the enclosed web page in the relative safety of your browser, with its (hopefully) strong prevention measures.
Here’s where it gets sneaky. Since there isn’t a link in the email, you can’t check it in advance to see if it’s fake. And, because the URL in the address bar is what appears to be a harmless looking local filename, there’s no website name or security certificate you can check. That’s when it’s easy to take Step 3 and bring the house down.
Cyber Safety Phishing Tips
Developers and security specialists will find the Sophos Group’s story is worth reading for a deeper technical dive into these new phishing schemes. For everyone else, here is a list of recommended tactics that will help you fight back against phishing.
- Don’t open HTM or HTML attachments unless they are from someone you know, and you are expecting them.
- Don’t log in to web pages that you received in an email. It’s better to reach the page by directly entering the URL in your browser.
- Use two-factor authentication when possible. That gives you one more very strong defense against attacks.
- Change passwords if you think you’ve been attacked. And do it fast so criminals have less time to do their bad deeds.
- Use a solid web antivirus solution. That should stop malware from getting in, and, at the same time, it should check outbound web requests to prevent your data from being stolen.
No matter what you do, hackers may still get into your systems, phishers may still steal your data, and ransomware attackers may still lock up your computers. Check out StorageCraft’s wide range of backup and disaster recovery solutions built to help you can bounce back quickly and minimize the impacts of a successful attack.