
Ever feel like phishing scams are on a never-ending quest for supreme deception? From fake delivery notifications to impersonated CEOs, it’s like picking from a basket of tricks – each one meticulously crafted to catch people and organizations off guard. Let’s take a closer look at some recent phishing tactics that prove just how crafty threat actors and scammers can be:
1. Just in time for tax season: Fake alerts deliver malware.
The threat research team at Securonix uncovered a tax-themed phishing campaign that uses Microsoft Common Console Document (.msc) files to deliver its payload. An MSC file is an XML configuration file opened by the Microsoft Management Console (mmc.exe) to load administrative snap-ins such as Event Viewer or Task Scheduler. The campaign begins with a phishing link or an attachment carrying a tax-related lure, such as an “urgent” government document, to get the victim to open the file. Opening it triggers a stealthy, dual-purpose loader that deploys a heavily obfuscated backdoor, giving the attackers remote access to the host. The move to MSC files shows how criminals keep changing file types to evade detection: because .msc files are neither executables nor macro-enabled documents, and are opened by a signed Microsoft binary, many attachment filters let them through. There is rarely a business reason to receive a console file from an external sender, so quarantining or blocking .msc attachments at the mail gateway is a low-cost control.
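As an added example (not code from the Securonix report or from the original article), here is a Python heuristic for triaging an .msc attachment: it parses the XML, confirms the expected MMC_ConsoleFile root element, and flags string values that carry URLs, scripting keywords, or embedded markup, none of which a console file saved from mmc.exe has reason to contain. The two sample documents are constructed for the demonstration, and the patterns are an assumption about what “suspicious” looks like rather than indicators from the campaign.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic markers (assumption): a legitimate console file has no reason to carry
# external URLs, scripting-engine names, or markup hidden inside a string value.
URL_RE = re.compile(r"(?i)\b(?:https?|ftp|file)://\S+")
SCRIPT_RE = re.compile(r"(?i)\b(?:javascript|vbscript|jscript|powershell|cmd\.exe|wscript|mshta)\b")
MARKUP_RE = re.compile(r"</?\w+[^>]*>")  # e.g. an <xsl:...> or <script> tag escaped into a string


def scan_msc(xml_bytes: bytes) -> list:
    """Return (element, reason, snippet) findings for an .msc document.

    An empty list means nothing matched the heuristics; it does NOT prove the file is safe.
    """
    findings = []
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return [("document", "not well-formed XML", str(exc))]
    if root.tag != "MMC_ConsoleFile":
        findings.append(("document", "unexpected root element", root.tag))
    for elem in root.iter():
        # ElementTree unescapes &lt; back to '<', so markup smuggled inside a string shows up here.
        values = [elem.text or "", elem.tail or ""] + list(elem.attrib.values())
        for value in values:
            value = value.strip()
            if not value:
                continue
            for label, pattern in (("url", URL_RE), ("script", SCRIPT_RE), ("markup", MARKUP_RE)):
                if pattern.search(value):
                    findings.append((elem.tag, label, value[:80]))
    return findings


# Constructed sample: a minimal console file with an ordinary string table entry.
BENIGN_MSC = b"""<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Event Viewer</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Constructed sample: the same file with a script tag and a download URL smuggled into strings.
SUSPICIOUS_MSC = b"""<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Tax Notice</String>
        <String ID="2" Refs="1">&lt;script language="JScript"&gt;var x = 1;&lt;/script&gt;</String>
        <String ID="3" Refs="1">http://update.example/tax-notice.js</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_MSC), ("suspicious", SUSPICIOUS_MSC)):
        print(name, scan_msc(doc))
```

The check is deliberately cheap so it can run on every .msc attachment at the gateway; anything it flags should go to a sandbox rather than straight to the user.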
2. Fake game beta test messages steal money.
A phishing campaign is targeting gamers with bogus offers to beta test unreleased video games. Victims receive messages via Discord, a popular communication platform, inviting them to test a new game. The invites, purportedly from game developers, contain a download link and a password for an archive that supposedly holds the installer. The archive is hosted on platforms such as Dropbox, Catbox, or Discord’s own content delivery network, and the invitation arrives from a compromised Discord account, which lends it credibility. When victims download and run the file, it loads an infostealer that harvests browser credentials, Discord tokens, cryptocurrency wallet details, and more. The newly compromised Discord accounts are then used to send the same lure to their friends, so each victim seeds the next round of attacks.
3. Fake Amazon Prime renewal notices expose credit card details.
Cybercriminals are targeting Amazon Prime customers with a phishing campaign that uses a PDF as the lure. Victims receive emails claiming their membership is about to expire, with a PDF attached. The PDF contains a link that takes users to a fake Amazon login page built to steal their credentials. Once those are entered, the page asks for additional sensitive information, such as a home address and credit card details. Instead of renewing their Prime membership, victims hand their personal and financial data to scammers. Researchers at Palo Alto Networks, who first documented the campaign, collected 31 unique PDF files linking to the phishing sites; none had been submitted to the antivirus scanning service VirusTotal at the time, so the attachments had no detection history for a filter to rely on.
4. Smishing exploits trust in USPS.
A recent surge in smishing (SMS phishing) campaigns impersonating the U.S. Postal Service has caught the attention of researchers at DomainTools. Cybercriminals send text messages claiming that a package cannot be delivered because of an incomplete address and urge recipients to open a PDF file to update their details. Clicking a button in the PDF sends victims to a fake USPS website, where they are prompted to enter personal information and credit card details. There is no package: the page is a front controlled by scammers. The messages are tied to a large network of domains that DomainTools scores as high risk, indicating a history of threat activity. In both this campaign and the Amazon Prime one, the PDF is only a carrier for a link, so checking where a PDF’s links actually point is a more reliable test than whether the file itself is known to antivirus.
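The Amazon Prime and USPS lures above both use a PDF whose only job is to carry a link to a phishing site. As an added example (not from the Palo Alto Networks or DomainTools research, nor from the original article), this Python snippet pulls the /URI link targets out of a PDF and reports any whose host is not under the domain of the brand the lure claims to be. The PDF builder and the domains used are constructed for the demonstration; the assumption stated in the code is that the PDF’s objects are uncompressed, which is what a regex can see.

```python
import re
from urllib.parse import urlparse

# /URI action targets stored as PDF literal strings: "/URI (https://...)" with \( \) \\ escapes.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_pdf_uris(pdf_bytes: bytes) -> list:
    """Return the /URI targets found in a PDF.

    Assumption: link annotations live in uncompressed objects. Targets inside
    compressed object streams are invisible to a regex and need a real PDF parser.
    """
    uris = []
    for match in URI_RE.finditer(pdf_bytes):
        raw = match.group(1)
        text = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(text.decode("latin-1"))
    return uris


def host_belongs_to(host: str, brand_domain: str) -> bool:
    """True only for the brand domain itself or a real subdomain of it.

    'amazon.com.account-verify.example' does NOT qualify: the suffix check is anchored on a dot.
    """
    host = host.lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)


def check_pdf_links(pdf_bytes: bytes, brand_domain: str) -> list:
    """Return every link target whose host is outside the brand the lure claims to be."""
    suspicious = []
    for uri in extract_pdf_uris(pdf_bytes):
        host = urlparse(uri).hostname or ""
        if not host_belongs_to(host, brand_domain):
            suspicious.append(uri)
    return suspicious


def build_pdf_with_link(target: str) -> bytes:
    """Constructed minimal one-page PDF with a single link annotation (demonstration input only)."""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [100 100 300 150] "
        b"/A << /S /URI /URI (" + target.encode("latin-1") + b") >> >> endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    # Constructed lures: a genuine-looking link, a lookalike domain, and a USPS impostor.
    for target, brand in (
        ("https://www.amazon.com/prime", "amazon.com"),
        ("https://amazon.com.account-verify.example/login", "amazon.com"),
        ("https://usps-redelivery.example/track", "usps.com"),
    ):
        print(target, "->", check_pdf_links(build_pdf_with_link(target), brand))
```

In a mail pipeline the brand domain would come from whatever brand the message claims to be (sender display name, subject keywords); the point is that the decision is made on the link’s host, which the attacker cannot disguise, rather than on the text the victim sees.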
5. Fake copyright violation emails hijack Facebook credentials.
Per Check Point researchers, cybercriminals are targeting Facebook users with a phishing email that falsely tells recipients their account has violated copyright laws. The email mimics Facebook branding and warns that access will be restricted unless action is taken immediately. It directs users to click a button that leads to a fake Facebook support page, which asks them to enter their login credentials for a “review.” The page is controlled by the scammers, and no copyright violation exists; once victims enter their credentials, the criminals can take over their accounts. To deliver the emails, the scammers abuse Salesforce’s automated mailing service so that the messages arrive from the legitimate sender address noreply@salesforce.com, which carries a trusted mailer’s reputation past email security filters. Sender authentication such as SPF and DKIM only validates the sending domain, not the brand named in the message, so a filter also has to compare the brand the email claims to be against the domains it is actually sent from and links to.
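As an added example (not from the Check Point research or the original article), here is a Python check for the mismatch just described: it parses a message, collects the domains in From, Reply-To and Return-Path plus the hosts of every link in the body, and flags the message when it names a brand but none of those domains belong to that brand. The two messages and the list of domains treated as Facebook-owned are constructed assumptions for the demonstration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Assumption for the demo: domains treated as belonging to the brand being impersonated.
BRAND_DOMAINS = ("facebook.com", "facebookmail.com")


def host_belongs_to(host: str, brand_domain: str) -> bool:
    """True for the brand domain or a real subdomain of it (suffix check anchored on a dot)."""
    host = host.lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)


def domain_of_address(header_value) -> str:
    """Domain part of an RFC 5322 address header, or '' when the header is missing."""
    from email.utils import parseaddr
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def message_text(msg) -> str:
    """Concatenate the text/plain and text/html bodies of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def brand_mismatch(raw_message: str, brand: str, brand_domains: tuple) -> dict:
    """Flag a message that invokes a brand while no sender domain or link host belongs to it."""
    msg = message_from_string(raw_message)
    text = message_text(msg)
    mentions_brand = brand.lower() in (msg.get("Subject", "") + "\n" + text).lower()
    sender_domains = {domain_of_address(msg.get(h)) for h in ("From", "Reply-To", "Return-Path")} - {""}
    link_hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)} - {""}

    def owned(host):
        return any(host_belongs_to(host, d) for d in brand_domains)

    return {
        "mentions_brand": mentions_brand,
        "sender_domains": sorted(sender_domains),
        "link_hosts": sorted(link_hosts),
        "suspicious": mentions_brand and not any(owned(h) for h in sender_domains | link_hosts),
    }


# Constructed sample: brand in the text, sender at a third-party mailer, links elsewhere.
PHISH = """\
From: Facebook Support <noreply@salesforce.com>
Reply-To: support-case@facebook-copyright-review.example
Subject: Copyright violation notice - action required
Content-Type: text/plain; charset=utf-8

Your Facebook account violated copyright laws. Review it within 24 hours
or access will be restricted: https://facebook-copyright-review.example/review
"""

# Constructed sample: brand in the text, sender and link both on brand-owned domains.
LEGIT = """\
From: Facebook <security@facebookmail.com>
Subject: New login to your account
Content-Type: text/plain; charset=utf-8

We noticed a new login. Review it here: https://www.facebook.com/login/device-based/
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, brand_mismatch(raw, "Facebook", BRAND_DOMAINS))
```

This rule will also fire on a genuine third-party newsletter that happens to mention the brand, so in production it belongs in a scoring model alongside sender authentication results and URL reputation rather than as a hard block on its own.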
Best Practices to Avoid and Prevent Phishing
Phishing attacks show no sign of slowing down. However, organizations and individuals can take steps to thwart these attacks:
Stay informed: Regularly educate yourself and your team about current phishing tactics and their red flags, such as urgent or threatening language, unexpected attachments, and sender addresses that do not match the brand in the message. Never enter credentials or financial details on a site reached from an unsolicited message, even if it looks legitimate; open the service directly from a bookmark or typed address instead.
Phishing training for employees: Use phishing simulation exercises to test employees’ ability to spot social engineering and to gauge the organization’s security maturity. Reinforce the basics: do not click links or open attachments in unexpected messages, and report suspected phishing to the IT or security team, whose response time matters more than any individual’s click rate.
Enable multi-factor authentication on all accounts: MFA adds a layer of protection that holds even when a password has been phished. Prefer phishing-resistant MFA, such as FIDO2/WebAuthn security keys or passkeys, as CISA recommends; SMS codes and push approvals can still be relayed by an attacker in real time or worn down through repeated prompts.
Use email and web filters: Deploy email security and URL filtering that inspect attachments and link destinations, so that campaigns like the ones above are blocked before they reach the inbox. If a phish does get through, report it to the IT department or email provider so the sender and links can be blocked for everyone else.
Monitor accounts regularly: Check your bank, email, and social media accounts for unusual activity and report unauthorized changes immediately. Businesses should configure automated alerts for suspicious transactions and login attempts, such as logins from new locations or devices, and investigate those anomalies promptly as possible signs of account compromise.
Phishing scams are evolving and are increasingly exploiting customer trust to steal credentials, deliver malware, and compromise accounts. Staying vigilant, training stakeholders, and adopting robust security practices are essential to avoid succumbing to phishing attacks.
__
About the Author
Erich Kron is Security Awareness Advocate for KnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human risk management with over 70,000 customers and more than 60 million users. A 25-year veteran information security professional with experience in the medical, aerospace, manufacturing and defense fields, he was a security manager for the U.S. Army’s 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, SACP and other certifications. Erich has worked with information security professionals around the world to provide tools, training and educational opportunities to succeed in information security.
LinkedIn: https://www.linkedin.com/in/erichkron/