Update, Nov. 19, 2024: This story, originally published Nov. 17 now includes new reports of other tactics that are increasingly being used by threat actors in phishing cyber attacks.
Just as security professionals will tell you that layered defensive strategies are the best when it comes to staving off successful attacks, so attackers will often look to precisely the same when executing their cyber attacks. Two-step phishing attacks have, in the words of security researchers from Perception Point, “become a cornerstone of modern cybercrime,” leveraging trusted platforms “to deliver malicious content in layers to evade detection.” Everything changes, but everything stays the same. Those same researchers have warned of a new attack methodology employing such 2SP tactics but involving Microsoft Visio files as a new evasion tactic. Here’s what you need to look out for and what steps you can take to mitigate the risk of falling victim to these new 2SP cyber attacks, and why you shouldn’t hold down the Ctrl key when asked.
Two-Step Cyber Attacks Are The Pinnacle Of Phishing By Design
A new analysis published by Peleg Cabra, the product marketing manager at Perception Point, has revealed how security researcher Ariel Davidpur working for the vendor found threat actors increasingly turning to the use of Microsoft Visio .vsdx format files to evade detection during credential stealing cyber attacks.
Because Visio is a commonly used tool employed in the workplace to help visualize complex data or workflows, the use of .vsdx format files fits nicely into the threat actor strategy of “harmless familiarity” being at the heart of many a phishing attack. Now, the Perception Point researchers said, the exact same files are being weaponized in the delivery of malicious URLs as part of a two-step phishing attack scenario: drop the lure, set the trap.
Describing what they referred to as a “dramatic increase in two-step phishing attacks leveraging .vsdx files,” the security researchers explained how the cyber attacks represented “a sophistication of two-step phishing tactics, targeting hundreds of organizations worldwide with a new layer of deception designed to evade detection and exploit user trust.”
Evolution Of The Two-Step Phishing Cyber Attacks
If such a warning were necessary, here it comes: email account security is vital if cyber attacks such as these latest two-step phishing ones are to be stopped. Why so? Because, the researchers said, they started with threat actors leveraging breached email accounts in order to send emails that pass basic authentication checks as they come from genuine domains.
These emails will contain a common phishing component designed to lure the recipient into the trap: a business proposal or a purchase order, accompanied by an urgent request to view and respond to. Of course, when the victim does just that, and click the URL, they get led to the trap itself: an often-compromised Microsoft SharePoint page itself, but whatever one that is hosting a .vsdx Viso file. The layers of the cyber attack start unraveling at this point, with another URL embedded in that file and behind what the researchers described as a clickable call-to-action, most commonly a “view document” button.
Please Hold Down The Ctrl Key Is An Instruction In These Newly Uncovered 2SP Cyber Attacks
This is where these 2SP cyber attacks get really clever, although I hate applying that word to cybercriminals. “To access the embedded URL, victims are instructed to hold down the Ctrl key and click,” the Perception Point researchers said, “a subtle yet highly effective action designed to evade email security scanners and automated detection tools.” By asking for this human interaction, the attackers hope to bypass automated systems that don’t expect such a behavior in an attack.
The victim is now redirected to another fake page, this time one that looks for all intents and purposes to be a Microsoft 365 portal login page which is designed, of course, to steal user credentials. There is no mention in the Perception Point report of this step including a session cookie compromise tactic, which means that one way to stop it from being successful would be to have robust two-factor authentication in place for the account that is being targeted in such cyber attacks.
Scalable Vector Graphics Are Deployed In New Cyber Attacks—Here’s How
A new report by Lawrence Abrams, the editor-in-chief at Bleeping Computer, threat actors are increasingly using another clever tactic involving the use of scalable vector graphics as attachments during the deployment of phishing cyber attacks. This technique is designed to either display malicious forms to the victim, or deploy malware directly, both while evading detection by security software. The tactic relies on the fact that unlike pixel-constructed images, scalable vector graphics are created using a mathematical formula that instructs how lines, shapes and text should be displayed on the screen. Security researcher MalwareHunterTeam, told Bleeping Computer how threat actors are using the fact that SVG attachments can display HTML and execute JavaScript when the image itself is being loaded. The clever bit is that these are used to create credential-stealing forms. Abrams demonstrated how such a technique could display an Excel spreadsheet that comes complete with an embedded login form to send credentials to the threat actor deploying the cyber attacks. It has been noted, however, that other cyber attacks employ JavaScript embedded within the SVG attachments to redirect browsers to sites hosted by the threat actors when opening the image itself.
Mitigating SVG Attachment Cyber Attacks
“The problem is that since these files are mostly just textual representations of images,” Abrams said, “they tend not to be detected by security software that often.” This means that the last line of defense is the same as the first: you, the human being. Ask yourself why you would be getting an attachment in scalable vector graphics format in the first place, if these are not commonplace within your workflow. If you are a developer or someone else who is used to seeing SVG attachments, then ask yourself who is sending them and whether this is normal behavior for them. Treat all emails that come with an SVG attachment as suspicious, and that way, you might just save yourself and your organization from falling victim to these phishing cyber attacks.
Tackling Cyber Attacks During International Fraud Week 2024
International Fraud Week is taking place this year between Nov. 17 and 23, with the aim to promote anti-fraud awareness and education globally. There is no doubt that technology provides both a powerful weapon and equally has the potential to mitigate fraud which is often the ultimate payload of many cyber attacks. With that in mind, what better time to examine the new forms of fraud facing businesses from the cyber side of the threat fence. The instruction to hold down the Ctrl key when clicking on a link during the two-step phishing attack detailed above is one such example, but there are many more.
As Muhammad Yahya Patel, lead security engineer at Check Point Software, pointed out, the advancement of technology has empowered both legitimate industries and cybercriminals alike, which makes fraud prevention simultaneously more critical and complex. “From cyber fraud and internal fraud to increasingly sophisticated scams like CEO fraud and AI-driven schemes,” Patel said, “the landscape of business fraud is both diverse and evolving.”
While the trajectory of cyber fraud has undoubtedly evolved alongside advancements in technology, some might even say it has overtaken the technological trend line, understanding what the main fraud categories, the most prevelant cyber attacks, are is essential in being able to defend against their impact.
Patel suggests the following six categroies need to be on your awareness list:
- Cyber Fraud: The use of phishing, malware, and ransomware remains prevalent. Cybercriminals target sensitive data and disrupt business operations.
- Internal Fraud: A significant threat from within, internal fraud involves fraudulent actions by employees, including document falsification, embezzlement, and theft.
- Invoice Fraud: Fraudsters send fake invoices to businesses, hoping they’ll be processed without scrutiny.
- CEO Fraud: Often referred to as business email compromise (BEC), fraudsters pose as high-ranking executives to trick employees into transferring funds or sharing sensitive information
- Return Fraud: Especially common in retail, return fraud occurs when customers exploit return policies for financial gain.
- Payroll Fraud: When employees manipulate payroll systems for personal gain, it can lead to unexpected financial losses.
A Shift Away From Generic To Targeted Cyber Attacks
Ransomware is an excellent example of how a threat evolves over time and, as a result, becomes much more dangerous. Ransomware started as a totally untargeted type of cyber attack that took a scattergun approach to malware distribution. By sending as many “infected” emails to as wide an audience as possible, regardless of ability to pay or value of data held, the threat actors hoped enough victims would bite to make it profitable. Almost inevitably, the attackers making the most money were the ones who realized that strategic targeting of those with the most to lose and the biggest bank balances rose to the top. This ended up changing the entire ransomware landscape to one where sophisticated reconnaissance methods, infiltrating systems over extended periods and extracting sensitive data to leverage against individuals or companies in double-extortion schemes became the norm. “This heightened level of personalization makes it harder to detect and often more devastating,” Patel said, “as cyber fraud grows in sophistication, our defenses must evolve accordingly. With AI enhancing the reach and impact of fraud, organisations must adopt security that is equally dynamic, leveraging AI-powered solutions to outpace and outsmart attackers.” There can be little arguing that building a resilient defense against cyber attacks not only prevents fraud but, as Patel concludes, “fosters a safer, more trusted environment for all.”
