[German]The fact that the names of well-known services or providers such as DHL, Fedex, banks, PayPal or online storage providers such as iCloud, Google Docks etc. are misused is nothing new. But security researchers from Avana (part of Check Point Technologies) are now warning about a new method called "Phishing Scam 3.0" to trick users. I have prepared the information that was made available to me.
Avanan's security researchers have come across a new scam and warn of new types of phishing attacks that misuse everyday services, such as iCloud, PayPal, Google Docs and Fedex, to send attacks on their behalf.
Phishing Scams 3.0 via Service Accounts
It is a new approach that cybercriminals are using for their phishing campaigns. Dubbed Phishing Scams 3.0, the method requires only a free account for hackers to penetrate people's inboxes. Over the past two months, February and March 2023, security researchers have observed a total of 33,817 email attacks with messages posing as legitimate, popular companies and services. The process is simple:
- The hackers create a free account, such as with Paypal.
- The hackers locate email addresses to send to.
- The hackers create a fake invoice that either pretends that the user is being billed for something or that a new feature is coming.
- The hackers send the email.
Figure 1: Frequency of attacks by misused organization name
Jeremy Fuchs, spokesperson at Avanan, says of the evolution of phishing attacks, "Business Email Compromise (BEC) has evolved again. A traditional BEC attack depends on how well an influential person within an organization or a trusted partner can be impersonated. Later, attacks shifted to hijacking a user account belonging to an organization or a partner's organization, using it to infiltrate legitimate email traffic and respond as if it were the real employee. Now we are experiencing something new, as the attackers are using legitimate services to carry out their attack. In such scams, the victim receives an email from real companies and programs (e.g. PayPal, Google Docs or iCloud) that contains a link to a fraudulent website. Over the past two months, our researchers have observed a total of 33,817 such email attacks. We refer to this new type of cyber-attack as Phishing Scams 3.0 or BEC company impersonation. The important note is that these popular services have not become malicious, nor do they have a vulnerability. Instead, hackers use the familiar names of these services to get into inboxes. I strongly recommend that all users implement two-factor authentication and use email filters to protect against these types of attacks."
Examples of such campaigns
Avanan's security experts described some examples of how phishers operate in practice.
Example 1
Here, the hacker has added a comment to a Google Sheet. All the hacker needs to do is create a free Google account. Then he can create a Google document and mention the intended target in it. The recipient will receive an email notification.
Figure 2: Email notification from Google with malicious content, click to zoom
For the end user, this is a typical email, especially if they are using Google Workspace. Even if not using Google Workspace, the message makes it unsurprising, as many organizations use Google Workspace and Microsoft 365.
Example 2
Here is another example of a Phishing Scam 3.0 approach used this time Google Docs.
Figure 3: Email notification from Google with malicious content, click to zoom
The email comes from a legitimate sender, namely Google. The URL, which is a script.google.com URL, is also legitimate at first glance. This is because this domain is legitimate.
However, those who click on the link will be directed to a fake cryptocurrency site. These fake websites work in different ways. They can be pure phishing sites to steal credentials, but there are also a variety of other ways, be it direct theft of money, or crypto-mining.
More examples
Security researchers have provided more mail examples, which I reproduce below.
Figure 4: Example of PayPal impersonation, click to zoom
Figure 5: SharePoint mockup example, click to zoom
Figure 6: Phishing link set on SharePoint, click to zoom
In all the recorded examples, the email address from which the email was sent looked completely legitimate, and the email address contained the correct domains, which makes it much more difficult to detect and identify for the average user who receives it. A similar situation applies to filters or systems used to block spam. More details can be read on the CheckPoint blog in the article Beware of Phishing Scams 3.0- The email you receive might not be from who you think it is.
Founded in 2015, Avanan offers patented inline email protection based on machine learning. Check Point Software Technologies Ltd. is a provider of cybersecurity solutions.