Researchers have discovered a pair of nasty email phishing campaigns that are making use of Microsoft’s Azure Blob Storage in a bid to steal the recipient’s Microsoft and Outlook account credentials.

Both campaigns are noteworthy in that they utilize well-constructed landing pages that have SSL certificates and a windows.net domain, which combine to make them look totally legitimate.

Given that most users don’t pay close attention to the exact address they’re navigating when they click on a link embedded in an email, these things are more than enough to fool many users. The first campaign relies on some basic social engineering to prompt the user to do something.

The subject lines vary a bit, but fundamentally they are called to action like:

“Action Required: (user’s email address) information is outdated – Re-validate now!”

The body of the email reinforces this point and helpfully contains a link to help you on your way to re-validating your account. Clicking on the link doesn’t raise suspicion because the landing page is a carbon copy of the Outlook Web App that’s complete with a box that allows you to “validate” your password. Of course, what you’re actually doing is giving your email password to the hackers, who then have unfettered access to your inbox and contact list.

The second campaign is the weaker of the two, although it’s set up much the same way. The subject line indicates that you need to take action to re-validate your Facebook Workplace service account, but when you click the link, you’re actually taken to a clone of Microsoft’s landing page. This was no doubt a mix-up on the part of the hackers and will be addressed in short order.

In any case, it pays to make sure your employees are aware of both of these, so they don’t inadvertently wind up handing over the keys to their digital kingdom.

Phishing Email

Phishing EmailPhishing emails look surprisingly legitimate when you don’t know what you’re looking for.  74% of targeted cyber attacks come from email.  In a recent FBI report, ransomware and phishing scams are increasing rapidly with over 246 million dollars compromised in 2015.

Email used to be a much safer exchange.  Spam firewalls kept the bad stuff out and Sandboxing stopped zero-day threats, but gateways are blind to social engineering.  Attacks are now coming in through the “back door” and able to get around security gateways.

Think of cyber criminals like super spies who watch you online.  They know who you are, where you work, your online habits, and who you know.  This information allows them to send you emails from a “trusted” source whether it be from a financial institution or a co-worker.

Phishing Emails

Phishing emails are designed to obtain information by having you click on a link to update financial information.  Check out the example below outlining what you should be looking for.

Phishing Email Example
It’s important to thoroughly check your email to make sure it says the correct information and websites. Often times, the website link will be misspelled (ie: faceboook.com, citybank.com).  It’s best to hover over the link to see what it says.  If you do happen to click on it, make sure it’s the correct website in the browser.  If not, close the browser immediately.

Spear Phishing

In spear phishing, cyber criminals do more digging and spend time researching their highly targeted victim.  The criminal stalks your personal social media profiles and websites you access before baiting you with an email that looks legitimate.  The more time they spend observing your actions, the more they can send you a convincing scam you’ll fall for.

Spear Phishing example

Clara was tagged in her boss, George’s photo on Facebook.  The criminal then finds Clara on LinkedIn and finds out information about her job and company.

Anatomy of spear phishing email

Using the information the criminal found out on social media, he sends an email to Clara from “George” mentioning the party they were both at the previous night.  The criminal follows that up with a request for a money transfer.

Facts

Poor employee behavior is a greater email security concern than inadequate tools.  This is why it’s imperative to educate and test your employees about proper protocol on company network, email, and devices.

Interested in training your employees and learning how to protect your company?  Ask about our managed IT services, which includes cyber-security, employee training/testing as well as back-up and recovery options.

Sign up for our cyber security newsletter to receive more tips to keep you safe.









Graphics & info provided by Barracuda.