90% of cybercrime starts with an email
Phishing continues to be one of the biggest security threats to businesses and individuals, with 90% of cybercrime beginning with an email carrying malicious intent.
And these attacks, which according to Verizon's 2018 Data Breach Investigations Report still fool 4% of targets, are becoming even more difficult to spot.
Over the past week, researchers have warned of several techniques attackers use to slip past email security scanners, including one that exploited a weakness in the link checks of Office 365.
In this instance, attackers concealed the malicious links sent to Microsoft users by inserting zero-width spaces (ZWSPs) into the middle of the URL in the HTML version of the phishing email.
A ZWSP is an invisible Unicode character (U+200B), which in HTML source typically appears as a numeric entity such as &#8203;. Splitting a URL with these characters leaves it looking harmless to Microsoft's URL reputation check and Safe Links URL protection, while the recipient's mail client renders an ordinary-looking link that still leads to the attacker's page.
Researchers at Avanan, who dubbed the technique Z-WASP, said they saw it attempted against more than 90% of their Office 365 clients throughout November, when they first noticed the issue, and that Microsoft has since fixed the problem.
Another current phishing campaign, described in a recent report by Proofpoint, has attackers embedding custom web fonts in their phishing landing pages to hide their intent from security scanners while the page still reads normally to the human eye.
The fonts are delivered in the Web Open Font Format (WOFF) and implement a substitution cipher: the page source contains scrambled text, and the font maps each scrambled character to the glyph of the letter the victim is meant to see, so the source code of the landing page looks innocuous to a scanner.
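To make the font trick concrete, here is an added example (my own code, not Proofpoint's analysis or any attacker's kit). It models the font's character map as a Python dict built from an assumed substitution key of my choosing, shows the text an attacker would put in the page source versus what the victim sees rendered, and then runs a simple scanner-side check: does the page embed a base64 data: font in an @font-face rule, and is its source text mostly non-words? The embedded font blob is a stub carrying only the WOFF magic bytes, and the word list and sample page are constructed for the demo.

```python
import base64
import re
import string

# Assumed substitution key (my choice, not the attacker's): KEY[i] is the
# letter written in the page source so that the font renders it as
# ascii_lowercase[i]. A real attack bakes this table into the WOFF cmap.
KEY = "insxchmrwbglqvafkpuzejotyd"
assert sorted(KEY) == list(string.ascii_lowercase)

SOURCE_FOR_VISIBLE = dict(zip(string.ascii_lowercase, KEY))        # attacker writes
FONT_CMAP = {src: vis for vis, src in SOURCE_FOR_VISIBLE.items()}   # font draws


def _map_text(text, table):
    out = []
    for ch in text:
        low = ch.lower()
        if low in table:
            mapped = table[low]
            out.append(mapped.upper() if ch.isupper() else mapped)
        else:
            out.append(ch)  # digits, punctuation and spaces pass through
    return "".join(out)


def encode_for_font(visible_text):
    """Attacker side: the scrambled text that goes into the HTML source."""
    return _map_text(visible_text, SOURCE_FOR_VISIBLE)


def render_through_font(source_text):
    """Browser side: what the recipient sees once the font's cmap is applied."""
    return _map_text(source_text, FONT_CMAP)


FONT_FACE_RE = re.compile(
    r"@font-face\s*\{[^}]*?src\s*:\s*url\(\s*['\"]?"
    r"data:([\w.+-]+/[\w.+-]+);base64,([A-Za-z0-9+/=]+)",
    re.I | re.S)
WOFF_MAGIC = {b"wOFF": "woff", b"wOF2": "woff2"}  # container signatures


def inline_fonts(page_html):
    """(mime type, container) for every base64 data: font in an @font-face rule."""
    found = []
    for mime, blob in FONT_FACE_RE.findall(page_html):
        data = base64.b64decode(blob)
        found.append((mime.lower(), WOFF_MAGIC.get(data[:4], "unknown")))
    return found


# Small constructed word list; a real scanner would use a proper dictionary.
COMMON_WORDS = {
    "sign", "in", "to", "your", "account", "review", "the", "document",
    "please", "verify", "password", "email", "click", "here", "login",
    "microsoft", "office", "update", "secure", "now", "a", "and", "of",
    "is", "this", "for", "you", "we", "message", "mailbox", "storage",
}


def source_text(page_html):
    """Text as a scanner reading the raw HTML would see it (no font applied)."""
    body = re.sub(r"<(script|style)\b.*?</\1\s*>", " ", page_html, flags=re.I | re.S)
    return " ".join(re.sub(r"<[^>]+>", " ", body).split())


def readability(text):
    """Fraction of alphabetic tokens that are common English words."""
    tokens = re.findall(r"[a-z]+", text.lower())
    return sum(t in COMMON_WORDS for t in tokens) / len(tokens) if tokens else 0.0


def assess_page(page_html):
    """Flag pages whose text is gibberish in source but ship an inline font."""
    fonts = inline_fonts(page_html)
    text = source_text(page_html)
    score = readability(text)
    return {"inline_fonts": fonts, "source_text": text,
            "source_readability": score,
            "suspicious": bool(fonts) and score < 0.5}


# Constructed sample page. The font blob is a stub carrying only the WOFF
# magic bytes; a real page embeds a complete font whose cmap is FONT_CMAP.
FAKE_WOFF_B64 = base64.b64encode(b"wOFF" + bytes(40)).decode()
VISIBLE = "Sign in to your account to review the document"
SAMPLE_PAGE = (
    "<html><head><style>@font-face { font-family: 'x'; "
    "src: url(data:application/font-woff;base64," + FAKE_WOFF_B64 + ") format('woff'); }"
    " body { font-family: 'x'; }</style></head><body><h1>"
    + encode_for_font(VISIBLE) + "</h1></body></html>"
)

if __name__ == "__main__":
    verdict = assess_page(SAMPLE_PAGE)
    print("source text:  ", verdict["source_text"])
    # Here the cmap is known; a scanner would recover it from the real WOFF
    # with a font parser (for example fontTools' TTFont(...).getBestCmap()).
    print("rendered text:", render_through_font(verdict["source_text"]))
    print("suspicious:   ", verdict["suspicious"])
```

The readability heuristic alone would also flag legitimate pages in other languages, which is why it is only combined with the presence of an inline data: font; a production check would go further and parse the embedded font's cmap to see whether it maps ordinary letters to different glyphs.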
Last year, The Daily Swig reported on a similar font-manipulation technique that was being used to bypass Office 365 security scans.
Also discovered by Avanan, the trick, known as ZeroFont, allowed an attacker's phishing email to go undetected by inserting random words into the HTML and setting their font size to zero.
These words are invisible to the recipient, but Microsoft's scanner reads them and can be tricked into treating the message as ordinary business mail.
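Both Avanan findings above, the zero-width characters inside URLs and the zero-font filler text, come down to the same defensive step: normalize the HTML the way the recipient's client renders it before any reputation or content check runs. The following is an added example of that normalization (my own code, not Avanan's or Microsoft's). It decodes entities in every href, strips zero-width code points, and separates text the recipient can see from text hidden behind font-size:0. The zero-width character list, the zero-font regex and the sample email are my own constructions.

```python
import re
from html.parser import HTMLParser

# Invisible code points that attackers splice into URLs or words. In HTML
# source they often appear as numeric entities such as &#8203; (U+200B).
ZERO_WIDTH = {
    "\u200b",  # ZERO WIDTH SPACE
    "\u200c",  # ZERO WIDTH NON-JOINER
    "\u200d",  # ZERO WIDTH JOINER
    "\u2060",  # WORD JOINER
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE
    "\u00ad",  # SOFT HYPHEN (invisible unless a line breaks there)
}

# Elements that never get a closing tag, so they must not touch the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}

ZERO_FONT_RE = re.compile(
    r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I)


def strip_zero_width(text):
    """Return text with every zero-width code point removed."""
    return "".join(ch for ch in text if ch not in ZERO_WIDTH)


def is_zero_font(style):
    """True if an inline style sets font-size to zero (the ZeroFont trick)."""
    return ZERO_FONT_RE.search(style or "") is not None


class EmailNormalizer(HTMLParser):
    """Collect hrefs (entity-decoded, then zero-width-stripped) and split the
    text into what the recipient sees and what only a scanner would read."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # decodes &#8203; for us
        self.links = []          # (href as written, href the browser follows)
        self.visible_text = []
        self.hidden_text = []
        self._stack = []         # (tag, hides_text) for open elements
        self._zero_depth = 0     # enclosing elements with font-size:0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            raw = attrs["href"]
            self.links.append((raw, strip_zero_width(raw)))
        if tag in VOID_TAGS:
            return
        hidden = is_zero_font(attrs.get("style"))
        self._stack.append((tag, hidden))
        if hidden:
            self._zero_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or all(t != tag for t, _ in self._stack):
            return  # void or stray closing tag: ignore
        while self._stack:  # pop back to the matching open tag
            t, hidden = self._stack.pop()
            if hidden:
                self._zero_depth -= 1
            if t == tag:
                break

    def handle_data(self, data):
        bucket = self.hidden_text if self._zero_depth else self.visible_text
        bucket.append(data)


def analyze_email(html_body):
    """Normalize an HTML email the way a scanner should before matching rules."""
    parser = EmailNormalizer()
    parser.feed(html_body)
    parser.close()
    findings = []
    for raw, normalized in parser.links:
        if raw != normalized:
            findings.append(("zero-width-in-url", normalized))
    hidden = " ".join(" ".join(parser.hidden_text).split())
    if hidden:
        findings.append(("zero-font-text", hidden))
    visible = " ".join(strip_zero_width(" ".join(parser.visible_text)).split())
    return {"links": parser.links, "visible_text": visible,
            "hidden_text": hidden, "findings": findings}


# Constructed sample, not a real phishing email: the href hides a ZWSP entity
# inside the host name and a zero-font span carries benign filler text.
SAMPLE_EMAIL = """<html><body>
<p>Your mailbox is almost full.
<a href="http://login.example&#8203;.com/reset">Review storage</a></p>
<span style="FONT-SIZE: 0px">quarterly newsletter team lunch</span>
<p>Thanks,<br>IT Service Desk</p>
</body></html>"""

if __name__ == "__main__":
    result = analyze_email(SAMPLE_EMAIL)
    for kind, value in result["findings"]:
        print(f"{kind}: {value!r}")
    print("visible:", result["visible_text"])
```

The point of the two buckets is that reputation lookups and URL rewriting should run on the normalized href, and content classification on the visible text only; anything that lands in the hidden bucket is itself a signal worth scoring.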
Modlishka, a reverse-proxy tool released by security researcher Piotr Duszyński, intercepts traffic by having the victim connect to its server through a phishing domain it hosts.
Modlishka then relays the legitimate website the user wanted to visit, scooping up any credentials entered along the way.
Its release has been met with some concern from the security community, but Duszyński maintains that it will assist with penetration testing.