Phishing Report: False Amazon Email Confirmation
Be wary of these new, high-quality phishing attempts making their way into email inboxes
Phishing is a method of Business Email Compromise (B.E.C.) in which bad actors attempt to steal authentication credentials such as usernames and passwords. Once cybercriminals gain access to business accounts, they can cause plenty of damage. Should a phishing email bypass our Email Filtering System, our users are trained to detect sophisticated phishing emails through our rigorous Cyber Security Awareness program.
Recently, Proven Data received the following email:
This particular email caught our attention because it appears to be an authentic order email from Amazon. Unlike some phishing attempts, this message uses high-quality graphics and a professional layout, which makes it appear more authentic. Anyone without previous knowledge of Social Engineering and phishing emails would be inclined to click on the link to see the order that was placed. We opened the email in a Windows 7 sandbox in order to determine its behavior and the potential damage to computer systems.
Google Chrome appears to be able to block the link contained in the email. In our sandbox, we obtained the following message:
Many companies, however, are still using Internet Explorer as their default browser. IE does not offer security measures against these types of attachments, and users can open or download the attachments directly onto their computers, as shown below.
Upon saving the link, we see that it downloads a document called ORDER_DETAILS.doc. The document then asks the user to click “Enable Editing” and “Enable Content” to deploy the embedded macro malware.
During the Wireshark capture, we see that the document initiates an outbound connection over HTTP.
To determine if this document contains any malicious macros, we can use a free Linux utility called Olevba.
Thanks to Cisco AMP, we can look into further background work of
Looking at the HTTP traffic, we can see that two IPs are being contacted on ports 80 and 20. Word documents should not initiate any outbound communication to unknown servers. Moreover, the document establishes communication on ports 80 and 53 to the IP address 188.8.131.52, located in Turkey.
Cisco AMP also detected an Emotet banking trojan during file execution. According to Cisco, once the Trojan is deployed, it will steal Outlook information, modify HTTPS traffic, and distribute spam.
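The sandbox observation above (a Word process opening its own connections to outside hosts on ports 80, 53 and 20) is exactly the kind of behavior a detection rule can key on. The following script is an added example written for this post, not Proven Data's tooling or Cisco AMP output: it parses a small, constructed sandbox connection log (the log format, the process names and the 203.0.113.x destination addresses are all assumptions made for the example, not captured traffic) and raises an alert whenever an Office process talks to a host outside the organization's own address ranges.

```python
"""Flag Office processes that open outbound network connections in a sandbox run.

Added example for illustration; the log format and all addresses are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Processes that have no reason to open their own sockets while a document is
# merely being viewed; a connection from one of these is the signal we want.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Ports seen in the post's capture (80, 53, 20) plus a few others worth naming.
PORT_NOTES = {
    20: "FTP data channel",
    21: "FTP control channel",
    53: "DNS issued by the document itself",
    80: "plain HTTP (payload download or check-in)",
    443: "HTTPS (payload download or check-in)",
}

# Assumed organization-internal ranges; anything else is treated as external.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed log line shape: "<time> <process> <tcp|udp> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    process: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_line(line):
    """Return a Flow for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["proc"].lower(), m["proto"], m["src"], m["dst"], int(m["dport"]))


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(log_text):
    """Return one alert dict per Office-process flow that leaves the internal ranges."""
    alerts = []
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None or flow.process not in OFFICE_PROCESSES:
            continue
        if is_internal(flow.dst):
            continue  # e.g. a Word process saving to an internal file share
        alerts.append({
            "ts": flow.ts,
            "process": flow.process,
            "dst": flow.dst,
            "dport": flow.dport,
            "note": PORT_NOTES.get(flow.dport, "unusual port for a document"),
        })
    return alerts


# Constructed sandbox log (not real traffic): a Word process reaching out on
# 53, 80 and 20, a browser doing normal HTTPS, and Word talking to an internal share.
SAMPLE_LOG = """\
10:42:01 WINWORD.EXE udp 10.0.0.5:51000 -> 203.0.113.10:53
10:42:01 WINWORD.EXE tcp 10.0.0.5:49211 -> 203.0.113.10:80
10:42:03 WINWORD.EXE tcp 10.0.0.5:49212 -> 203.0.113.22:20
10:42:05 chrome.exe tcp 10.0.0.5:49300 -> 203.0.113.99:443
10:42:07 WINWORD.EXE tcp 10.0.0.5:49400 -> 10.0.0.20:445
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['process']} -> {alert['dst']}:{alert['dport']}  {alert['note']}")
```

Only the three Word flows to external hosts produce alerts; the browser's HTTPS session and Word's connection to the internal file share are ignored. The same rule transfers directly to endpoint telemetry that records the owning process of each connection: the combination of an Office parent process and an external destination is the indicator, regardless of the port.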
How to Stay Protected
Upgrading can sometimes represent a challenge to small to medium size companies that are on a budget. It is important to note that many of the C
As we can see in this post, using Google Chrome offers an advantage over IE. IE vulnerabilities range from memory overflows to Cross Site Scripting (XSS) bypasses. Google Chrome is not perfect, but it has far fewer vulnerabilities than IE.
Layered protection against phishing emails also includes an Email Security System. Thanks to recent advances in AI, email filtering has improved, increasing the chances of stopping phishing attacks before they reach the end user.
Security Awareness Training
Social Engineering is one of the reconnaissance methods cybercriminals use to obtain information or gain access to restricted systems. Therefore, users must be aware of the latest techniques in use. Through a Security Awareness Training Program, staff can be trained to improve their phishing detection abilities.
If you want to