October 30, 2018 By David Bisson 2 min read

A new research paper warned of phishing threats in which malicious actors abuse trusted web services to evade detection.

According to the report by Cofense, fraudsters are getting creative in their efforts to make sure their emails make it through email gateways and firewalls. Specifically, threat actors are using web services such as Google Drive, SharePoint, Dropbox and others to host files containing embedded links that redirect to credential-stealing websites.

Email Remains a Top Attack Vector

Many common email gateways are unable to detect and block the malicious links included within those files. Some perform better when the body of the email contains a malicious link to a phishing page. However, Cofense found several instances in which those gateways failed to rewrite a malicious URL completely, which allowed the attack email to get through. The security firm also noted one instance in which an email security platform successfully rewrote a URL but failed to block it.

This is particularly concerning because email is one of the most popular attack vectors in use today. Verizon recorded 1,192 email phishing incidents over the course of the year in its “2018 Data Breach Investigations Report,” and a Symantec survey found that 1 in 9 users encountered email malware during the first half of 2017. This made users twice as likely to encounter malware through email than through exploit kits. By the end of 2017, Symantec observed that the number of malware-laden emails received by users had nearly doubled in six months to 16.

How to Protect Against Phishing Attacks

Security professionals can protect their organizations against phishing attacks by conducting a simulated phishing engagement to test the organization’s incident response processes. They should also adopt a layered approach to email security that includes perimeter protection, email security solutions and cyber awareness training for all employees.

Sources: Cofense, Verizon Enterprise, Symantec, Symantec[1]

More from

IBM identifies zero-day vulnerability in Zyxel NAS devices

12 min read - While investigating CVE-2023-27992, a vulnerability affecting Zyxel network-attached storage (NAS) devices, the IBM X-Force uncovered two new flaws, which when used together, allow for pre-authenticated remote code execution. Zyxel NAS devices are typically used by consumers as cloud storage devices for homes or small to medium-sized businesses. When used together, the flaws X-Force discovered allow a remote attacker to execute arbitrary code on the device with superuser permissions and without requiring any credentials. This results in complete control over the…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Stealthy WailingCrab Malware misuses MQTT Messaging Protocol

14 min read - This article was made possible thanks to the hard work of writer Charlotte Hammond and contributions from Ole Villadsen and Kat Metrick. IBM X-Force researchers have been tracking developments to the WailingCrab malware family, in particular, those relating to its C2 communication mechanisms, which include misusing the Internet-of-Things (IoT) messaging protocol MQTT. WailingCrab, also known as WikiLoader, is a sophisticated, multi-component malware delivered almost exclusively by an initial access broker that X-Force tracks as Hive0133, which overlaps with TA544. WailingCrab…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today