Hackers are going to great lengths, including mimicking real people and creating and updating fake social media profiles, to trick victims into clicking phishing links and handing over usernames and passwords.
The alert from the UK’s National Cyber Security Centre (NCSC) — the cybersecurity arm of intelligence service GCHQ — warns that the phishing attacks are targeting individuals and organisations in a range of sectors.
The end goal of the phishing attacks is to dupe the victim into clicking malicious links that direct to fake, but realistic-looking, login pages, where the victim will enter their login credentials, providing the attackers with access to their account, which hackers abuse directly or use to gain access to other victims.
Many of the malicious links are designed to look like commonly used cloud software and collaboration tools, including OneDrive, Google Drive, and other file-sharing platforms. In one case, the attackers even set up a Zoom call with the victim then sent a malicious URL in the chat bar during the call. They’ve also created multiple characters in the phishing thread (all controlled by the attackers) to add the appearance of legitimacy.
The first stage of the spear-phishing attacks is research and preparation, with the attackers using publicly available profiles, such as social media and networking platforms, to find out as much as possible about the targets, including their real-world professional and personal contacts.
It’s also common for the attackers to set up fake social media and networking profiles based on real people to help make the approaches look convincing, while some of the approaches are designed to look like they’re related to real events, but are false.
According to NCSC, the campaigns are the work of cyberattackers based in Russia and Iran. The Russian and Iranian campaigns aren’t related, but the tactics overlap because they’re effective at tricking people into falling victim to phishing attacks. No matter who the attackers are impersonating, or what lure they’re using, one feature common to many of the spear-phishing campaigns is how they target personal email addresses.
It’s likely that this tactic is being used to help get around any cybersecurity controls in place on corporate accounts and networks, although corporate or business email addresses have also been targeted.
Another key technique behind these phishing campaigns is patience by the attackers, who take time to build a rapport with their targets. These attackers don’t immediately dive in, asking their target to click a malicious link or open a malicious attachment. Instead, they build up trust slowly.
This process usually begins with a first email that looks benign, often related to a topic that — thanks to meticulous preparation — has a high chance of being interesting and engaging to their target.
The attackers will then send emails back and forth with their target, sometimes for an extended period, waiting until they’ve built up the level of trust required for the victim to have no qualms about opening a link or an attachment.
The malicious link will be sent under the guise of a document or a website that is interesting and relevant to the victim — for example, a conference invite or agenda — which redirects the victim to a server controlled by the attacker.
When the victim enters their username and password to access the malicious link, these details are sent to the attackers, who can now exploit the victim’s emails and additional accounts.
According to NCSC, this exploitation includes stealing information and files from accounts, as well as monitoring future emails and attachments the victim sends and receives.
The attackers have also used access to a victim’s email account to enter mailing-list data and contacts lists, which is information that is then exploited for follow-on campaigns, with the attackers using the compromised email address to conduct further phishing attacks against others.
“These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems,” said Paul Chichester, NCSC director of operations.
“We strongly encourage organisations and individuals to remain vigilant to potential approaches and follow the mitigation advice in the advisory to protect themselves online,” he added.
NCSC warns users to be vigilant and on the lookout for techniques detailed in the alert, such as emails purporting to be related to professional circumstances, which are sent to personal email addresses.
It’s recommended that you use a strong password to secure your email account, one which is separate to passwords for any of your other accounts, so that in the event of attackers somehow managing to steal your email password, they can’t use it to gain access to your other accounts.
Another way to help protect your account against phishing attacks is to turn on multi-factor authentication, which can prevent hackers from accessing your account, even if they know your password, as well as providing you with a warning that your credentials might have been compromised.
You should also protect your device and network by applying the latest security updates, which is something that can prevent attackers from exploiting known software vulnerabilities to deliver attacks or gain access to your account.
MORE ON CYBERSECURITY