Phishers are using a new technique where they point to malicious URLs within Google Docs, rather than placing them within the emails.
Speaking to IT Security Guru, PhishMe CEO Rohyt Belani said that with the seasonal shopping period underway, there is nothing specifically different this year, but there are slight tweaks to each attack effort.
“What we are finding is an interesting theme where attackers are finding that systems are creating specific signatures for malware, and while attackers put in effort to change those to avoid detection, they are reusing a lot of content,” he said. “One user received an email that we saw a year ago, which was an invitation to a golf day tournament, and another customer received the same email nine months later but the malware was totally different. Yet the footprints were the same from the attacker.”
Regarding new tactics, Belani said that one it has spotted is that the URL is placed within a Google Drive document as when the service looks at the file, there is no malware and the email just points to that document. “Think about an email you get, it has an URL in the email and it doesn’t go to a malware-laden website, it just goes to Google Docs and in there is another link and when it is clicked on by the user, it takes the user to the malware-laden website,” he said. “In the email, they don’t go into the URL, and that is how they are circumventing the URL controls.”
Belani said that was is interesting in the phishing trend is that it requires holistically looking at the sender, email content and URL and in its entirety to determine if it is bad or not. He said: “A lot of automated systems focus on the content or the URL and why they fail, as an attacker will not leave it exactly the same.”
He said that this year there are lot of e-card and raffle schemes following Thanksgiving and up to Christmas, and attackers are jumping on that as it requires people to enter information. “When we look at the characteristics of reporting, the actions by humans are very reassuring as that there is an overwhelmingly large number of humans who detect suspicious activity over technology, and the time frame for reporting are extremely short – we are talking seconds and you can curb the actions in 80-90 seconds, while in industry it can take weeks.”
