Scammers harvesting user credentials is nothing new. Every week brings details of a new scam and phishing attack. Training users to spot these attacks is not easy as they are continually evolving. Additionally, most corporate training is about scaring users into not making mistakes, something that plays into the hands of the scammers.
Email security company Inky, led by one-time games developer Dave Baggett (Crash Bandicoot), has detailed how one particular phishing attack took place. It examines a credential-harvesting attack in which scammers impersonated the US DoJ to steal victims' details.
In a blog, Baggett says: “If you think credential harvesting couldn’t happen to you, you’ll be surprised to know that there are plenty of blog posts and videos online that attempt to teach the average Joe how to set up their own successful credential harvesting scheme.
“That alone should tell you two things — first, that more people than you realize (at all skill levels) could be attempting this type of email phishing scheme. And, secondly, you should take the steps now to protect yourself, your employees, and your company.”
The DoJ Example
The Inky report, titled Understanding Phishing, Credential Harvesting: Department of Justice Scam, is something all users should read. It begins with an introduction to what credential harvesting is, then walks the reader through a real-world example of a known attack, highlighting the key signs that users can use to spot a phishing attack.
The DoJ attack relies on shock and surprise, telling victims that a court judgement has been entered against them. It depends on victims not reading the email carefully enough to notice its grammatical errors. The email provides a link that promises more information about the judgement; clicking on that link takes the user to a fake but very realistic website.
The website then asks the victim to provide their email address and password. With so many online services relying on an email address and password, many victims will simply enter the data. This is all the attackers want, and they then redirect the victim to the real US General Services Administration website.
It is an example of a simple, unsophisticated attack that can be put together in just a few minutes. Like many phishing attacks, it will nonetheless harvest the email credentials of numerous victims. However, some things give it away, and these are highlighted in the report.
Enterprise Times: What does this mean?
An attack does not need to be sophisticated to succeed. All the attackers need to do is persuade the victim to do something that does not seem strange. Asking for an email address and password combination is a good example: most cloud-based services use exactly that credential combination for access, so the request raises no suspicion.
2020 has seen many workers suddenly using cloud-based services and applications for the first time. They are isolated from the colleagues they would typically ask about this sort of phishing email. That isolation increases the likelihood of a user clicking on the link and becoming a victim.
User education is often tedious, ignored and ineffective. Short, well-written walkthroughs like this are a quick way to raise awareness. Of course, Inky also has a commercial motive. It will hope that, by helping people understand how a phishing email works, they will look at Inky's anti-phishing solutions for Microsoft Exchange, Office 365 and G Suite.