Major Phishing Attack Underway

[As part of my efforts to protect my clients, I’ve been part of the FBI’s Infraguard team along with Homeland Security and will start passing on essential alerts when they’re likely to affect you.

I’m also adding a What-to-Do Section to these articles, near the end. So if you already know about Spear-Phishing, you can jump to that section.

Craig.]

The FBI and Homeland Security alerted the public about an increasing number of spear-phishing attacks. This now pervasive cybercrime targets different industry sectors, individuals, government agencies, and institutions. If you receive a suspiciously appealing email about receiving money containing links, it would be best not to click it.

The attackers identify your business emails and send an email which contains punchy lines such as: “You Have Received Payment” or “Claim your Payment” out of nowhere. The whole purpose of this catchy subject is to get you to open a dangerous link. When you click, it secretly downloads a virus that can let hackers access your enterprise network. Clicking the malicious link will result in your computer being infected by malware and branch out to other hacktivities — such as Business EMail Compromise, Identity Theft, Ransomware and more.

“Often, the emails contain accurate information about victims obtained via a previous intrusion or from data posted on social networking sites, blogs or other websites. This information adds a veneer of legitimacy to the message, increasing the chances the victims will open the email and respond as directed,” the FBI warning states.

Clicking the email link will download malware quietly — you won’t notice a thing. Using vulnerabilities found in some common software, this two-step hack can ultimately rob you of everything in your bank accounts. The most dangerous plugins: Flash, Java applications, Adobe Acrobat. Through exploiting unpatched or undetected zero-day vulnerabilities, the hacktivists can easily put malware into your machine virtually undetected.
Once the malware is secretly installed on your machine, the attackers can now access your system. They can pry on your corporate networks, discover your passwords, use your credentials, steal intellectual property and phish even your financial assets.

“In spear-phishing attacks, cybercriminals target victims because of their involvement in an industry or organization they wish to compromise,” the FBI has advised.

While this malware seems to be undetectable, we can avoid it.

All businesses, no matter the size, should invest in cybersecurity and employee education [reach out to me if you need pointers. Craig]. These hackers worked their way through systems from observing employees and the corporate hierarchy. Their good social engineering and snooping skills allow them to get domain email targets and craft a very convincing mail to start with. In fact, the emails they write seem to be very personalized. No reasonable person would think it is fake.

—

Here are some ways to protect your business from the spear-phishing attacks:

1. Disable drive-by downloads. You have to stop plug-ins from accepting everything and saving them to your drive, please. REMOVE Flash, Java and Adobe Reader if possible.
2. Protect enterprise credentials. Your emails can be found easily from data extraction, but do not save your passwords in your browser.
3. Conduct training for new hires, employees and even the executives. Everyone can avoid opening these emails or clicking bad links if they are well-informed to its structure.
4. Do not click any link from a suspicious email. Whether the email is about winning the lottery, someone sending a payment, claiming a prize or receiving tokens, do not fall for it. Check and verify your transactions first.
5. Hire a cybersecurity expert to oversee things will be the best option. The expert can help you train employees, watch your systems and minimize damages if you have been breached. While this might sound like a low-priority, it can be a good investment. Paying for someone to protect your system is a lot cheaper than paying damage costs or lawsuit advisory once you have been compromised, right?