In this week’s post, we take a look at “in-the-wild” phishing attacks and how to counter them. Protecting yourself from phishing and malware attacks is not only important, it’s a fundamental Internet survival skill, made even more essential if you have a web presence you depend on. A compromised workstation could lead to compromised credentials, ultimately leading to complete control of your website by bad actors. We don’t want that.
The first attack is an unsolicited email sent to a generic enterprise email address. The attacker attached a zip file (Kyle_hanna_resume.zip), which when decompressed contained a single .shtml file, Kyle_Hanna_resume.shtml.
The .shtml file contained an iframe that loaded PHP from a legitimate site registered in 2009. Legitimate, but compromised. Malicious PHP on the compromised site, loaded from the iframe, downloaded a file stored on Google Drive, my_resume.scr.
.scr (Windows screensaver) files are executables, and this file’s icon was changed to look like a PDF ready for viewing. This is probably enough to fool more than a few users, especially with the Windows feature ‘Hide extensions for known file types’ turned on by default, which displays my_resume.scr as simply my_resume.
At the time of the attack, VirusTotal had a detection ratio of 7/55. Malicious, yes, but a low detection rate at the time. (Detection is 42/57 now.) The file was a version of ransomware, like Cryptowall or Cryptodefense, which encrypts a user’s files and the files on mounted network drives, demanding money to decrypt them.
Malware attacks are often multi-functional, like our next example. Starting again with an unsolicited email and attachment, the attack vector was an actual PDF (p.o document.pdf), which directed the viewer to malicious code at another legitimate, compromised domain.
Once directed to the compromised page, a data URI generated a phishing page that prompted the victim for email credentials to view the ‘protected’ PDF.
The data URI also generated VBScript which attempts to write malware to a file called svchost.exe (the name of a legitimate Windows system process, chosen to blend in) and run it.
The malicious PDF had a detection ratio of 0/56 on VirusTotal at the time of the attack. It is worth noting that antivirus alone would not have caught this malware. You are the first step in protecting yourself from phishing and malware attacks. Technology alone is not enough to protect you.
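Both attacks share a shape a mail gateway or desktop triage script can catch without relying on signatures: an archive or HTML attachment that either carries an executable under a document-looking name, loads content from another host through an iframe, or embeds a whole page in a data: URI (with VBScript inside). The following Python script is an added example, not code from the original post or from SiteLock; the attachments it checks are constructed stand-ins for the ones described above, and the host names in them are placeholders.

```python
"""Attachment triage mirroring the two attacks above (added example; the
sample attachments are constructed, not the real ones from the post)."""
import base64
import io
import zipfile
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import unquote, urlparse

# Extensions Windows runs as programs (.scr is a screensaver, i.e. a renamed
# PE executable) and HTML variants a browser will render, including SSI .shtml.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                   ".js", ".jse", ".wsf", ".hta", ".msi"}
HTML_EXTS = {".html", ".htm", ".shtml", ".shtm"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".txt", ".jpg"}


class _ActiveContent(HTMLParser):
    """Collect frame/script sources and script languages from an HTML page."""

    def __init__(self):
        super().__init__()
        self.sources, self.script_langs = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("iframe", "frame", "script", "object", "embed") and a.get("src"):
            self.sources.append(a["src"])
        if tag == "script":
            self.script_langs.append((a.get("type") or a.get("language") or "").lower())


def decode_data_uri(uri: str) -> Optional[str]:
    """Return the decoded body of a data: URI, or None if it is not one."""
    if not uri.lower().startswith("data:") or "," not in uri:
        return None
    header, payload = uri[5:].split(",", 1)
    raw = base64.b64decode(payload) if ";base64" in header.lower() else unquote(payload).encode()
    return raw.decode("utf-8", "replace")


def analyze_html(html: str, depth: int = 0) -> List[str]:
    """Flag off-host loads, data: URIs (recursing into them) and VBScript."""
    findings = []
    p = _ActiveContent()
    p.feed(html)
    for src in p.sources:
        inner = decode_data_uri(src)
        if inner is not None:
            findings.append("data: URI used as frame/script source")
            if depth < 3:  # the URI can itself carry a page with more payload
                findings += ["inside data URI: " + f for f in analyze_html(inner, depth + 1)]
        elif urlparse(src).netloc:
            findings.append(f"remote content loaded from {urlparse(src).netloc}")
    if any("vbscript" in lang for lang in p.script_langs):
        findings.append("inline VBScript block")
    return findings


def triage_file(name: str, data: bytes) -> List[str]:
    """Findings for one attachment; zip members are unpacked in memory."""
    findings = []
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        findings.append(f"{name}: executable file type {ext}")
        if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
            findings.append(f"{name}: document extension hiding an executable")
    if ext in HTML_EXTS:
        findings += [f"{name}: {f}" for f in analyze_html(data.decode("utf-8", "replace"))]
    if zipfile.is_zipfile(io.BytesIO(data)):  # check content, not the name
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for member in z.namelist():
                findings += [f"{name}/{f}" for f in triage_file(member, z.read(member))]
    return findings


def _zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, b in members.items():
            z.writestr(n, b)
    return buf.getvalue()


# Constructed stand-ins for the post's attachments (hosts are placeholders).
RESUME_ZIP = _zip({"Kyle_Hanna_resume.shtml":
                   b'<html><body><iframe src="http://compromised.example/loader.php" '
                   b'width="0" height="0"></iframe></body></html>'})
_PHISH_PAGE = ('<html><body><form><input name="email"><input name="password" '
               'type="password"></form><script language="VBScript">'
               "' would write svchost.exe here</script></body></html>")
LANDING_HTML = ('<html><body><iframe src="data:text/html;base64,'
                + base64.b64encode(_PHISH_PAGE.encode()).decode()
                + '"></iframe></body></html>').encode()

if __name__ == "__main__":
    for fname, blob in [("Kyle_hanna_resume.zip", RESUME_ZIP),
                        ("landing.html", LANDING_HTML),
                        ("my_resume.pdf.scr", b"MZ")]:
        for finding in triage_file(fname, blob) or [f"{fname}: nothing flagged"]:
            print(finding)
```

The checks are deliberately structural rather than signature-based, which is why they still fire on a sample with a 0/56 VirusTotal score: a zip that unpacks to an .shtml pulling a frame from a third-party host, an HTML page whose frame source is a base64 data: URI, and an executable extension behind a document extension are each suspicious on their own. Note that the icon trick in the first attack is invisible to this kind of check; the file name, which Explorer hides by default, is what the script relies on.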
To start the discussion of protection, we must first speak of user habits. You are the first line of defense against attacks. Often called the human firewall, users must consider the security implications of their actions and act accordingly when interacting with information technology and the Internet.
Security conscious decisions include:
- Never opening attachments from unsolicited communication, like email, chat, etc.
- Only visiting known, reputable websites
- Using strong, non-dictionary passwords
- Never reusing those passwords
- Using a password manager like LastPass, KeePass, etc.
- Using two-factor authentication wherever possible
Adopting these security conscious habits improves security effectiveness and, with technology, rounds out a robust security posture. Secure technological habits include:
- Keeping your operating system and third-party programs up to date with the latest versions and patches
- Using antivirus with up-to-date definitions
- Using a malware scanner like Malwarebytes
Both phishing attacks used the compromised websites of legitimate organizations to distribute malware. SiteLock web security products keep your website secure and prevent it from becoming one of the compromised. Products like the TrueShield web application firewall and the SiteLock INFINITY Scanner provide 360 degree coverage for your site’s security, 24/7, 365.