Cybercriminals Lean Hard on Low-Tech Solutions for Email Phishing in Q3

We’ve all used the adage, “Try smarter, not harder”. Well, it seems cybercriminals are really getting the message.

VIPRE Security Group’s Q3 Email Threat Trends Report noted an uptick in non-advanced phishing tactics like Callback phishing and the use of QR codes. It would seem with so much heavy technology barring the door, bad actors are searching desperately for a window.

Here are some key takeaways from the report that can help us be savvier wardens of our inboxes in 2023.

  1. PDFs as an attack vector | Beware of those attachments. In under a year, the use of attached PDFs to transport malware has quintupled. This is largely due to a majority of devices possessing an integrated PDF reader. Without any compatibility issues hindering reception, PDFs are easy to send to a large number of recipients.
  2. Callback phishing | As noted by Bleeping Computer, “Callback phishing attacks are email campaigns pretending to be high-priced subscriptions designed to lead to confusion by the recipient as they never subscribed to these services.” When the recipient calls back, their information is verified (to “ensure safety”) and then just like that, cybercriminals have access to their data. There’s nothing particularly high-tech about this kind of attack – leaving a callback number is something that can be done on a voicemail, and a voicemail on a landline for that matter. And that’s exactly it. With the level of email security tools out there, attackers are realizing that the weakest link in the chain might be humans, and not our technology. Instead of crafting time-consuming and expensive exploits to dupe our NDR or email defense solutions, they instead trick us with psychology to get us to dupe ourselves. It’s hard not to call when “Verizon” says your account will be suspended for lack of payment if you don’t call back, especially when you’ve paid. However, if you really are concerned, just look up the official contact information of the service in question and call directly from there – never use the callback number provided. It is less convenient, but it is the safe route.
  3. LinkedIn Slinks | You might have run into some LinkedIn Slinks recently; those LinkedIn smart links are designed to give platform members a way to redirect users to an external site, while being able to track their ad campaigns. While this is useful for marketing, it has also become an unforeseen threat. These links manage to evade typical security protocols, making them fertile ground for attackers hoping to scam us with malicious URLs. Be careful what you click and try to navigate to the URL manually, by entering the correct URL yourself, or via a Google search.
  4. QR codes as bait | It seems today we’re apt to click anything with a QR code. After that history-making Super Bowl commercial in which Coinbase offered $15 in free Bitcoin to anyone who’d scan the QR code bouncing on the screen, similar strategies have been tried (and continue to be tried) by avid marketers everywhere. If we’re not careful, our brains could indelibly associate QR codes with “free stuff”, and then where would we be? The report notes that cybercriminals are playing off this growing trust/Pavlovian dog syndrome by slipping the codes into our emails, beckoning us to “buy”, “discover”, “win”, or more. The whole thing is known as “quishing”, and TechTarget notes that analysts at HP have observed this type of activity nearly every day for a period of months. Be careful when you see a promotional item in your inbox, especially one that’s too good to be true, and especially one that only requires a scan. Remember, visiting a malicious website alone can often be enough to automatically download malware onto your device. Resist the impulse and try to navigate another way if it doesn’t pass the smell test.
  5. Good websites gone bad | In another attempt to evade detection, threat actors this past quarter relied heavily on compromised legitimate websites to launch their attacks. In fact, 33% of malspam was sent via good websites last quarter. These websites don’t have a rap sheet; they have a strong, safe reputation, and are therefore perfect for sneaking malicious links into so traditional email security methods don’t catch them. The user opens an email and finds a link. The security protocol scans the link and finds nothing, giving the impression it’s okay to open. The user opens the page and then clicks a link, and, all of a sudden, things aren’t so safe after all. Attachment sandboxing will help with this, as will a critical eye. Don’t just check for compromise – check for context. Does this message make sense from this sender? Was it unsolicited? Both can be big clues.
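The LinkedIn Slink and compromised-website items share one mechanism: the link a scanner sees first is not where the user ends up. As an added example (not code from the report or this article), the Python checker below walks a link hop by hop, pulling destinations out of common redirector query parameters and following Location-style redirects, and flags when the final host differs from the first one; the redirect map is constructed sample data standing in for live HEAD responses, and the parameter names are a common-case assumption, not a complete list.

```python
from urllib.parse import urlparse, parse_qs, urljoin

# Constructed stand-in for the Location headers a client would see when
# issuing HEAD requests with redirects disabled (example hosts, not real sites).
FAKE_REDIRECTS = {
    "https://trusted-charity.example/newsletter/click?id=42":
        "https://trusted-charity.example/uploads/invoice.html",
    "https://trusted-charity.example/uploads/invoice.html":
        "https://login-verify.example.net/office365",
}

# Query parameters that redirectors commonly use to carry the real target
# (assumed common cases; extend for the redirectors seen in your own mail).
REDIRECT_PARAMS = ("url", "u", "redirect", "redir", "next", "target", "dest")


def embedded_destination(url):
    """Return an absolute destination carried in the query string, if any."""
    qs = parse_qs(urlparse(url).query)
    for key in REDIRECT_PARAMS:
        for value in qs.get(key, []):
            if value.startswith(("http://", "https://")):
                return value
    return None


def follow_chain(url, fetch_location, max_hops=10):
    """Walk the redirect chain. fetch_location(url) returns the next Location
    or None; in production it would wrap an HTTP HEAD with redirects disabled
    (e.g. requests.head(url, allow_redirects=False).headers.get("Location"))."""
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        nxt = embedded_destination(chain[-1]) or fetch_location(chain[-1])
        if nxt is None:
            break
        nxt = urljoin(chain[-1], nxt)  # resolve relative Location values
        if nxt in seen:                # redirect loop: stop, do not spin
            break
        seen.add(nxt)
        chain.append(nxt)
    return chain


def assess_link(url, fetch_location=FAKE_REDIRECTS.get):
    """Compare the host a reputation check sees with the host the user reaches."""
    chain = follow_chain(url, fetch_location)
    first_host = urlparse(chain[0]).hostname
    final_host = urlparse(chain[-1]).hostname
    return {"hops": len(chain) - 1, "first_host": first_host,
            "final_host": final_host, "host_changed": first_host != final_host,
            "chain": chain}
```

A link whose `host_changed` is true deserves the same scrutiny as a link to an unknown domain, regardless of how reputable the first hop looks.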

Finally, RedLine malware was distinguished as the top malware family of Q3. This malware can take full control of a victim’s computer, exfiltrate sensitive information like banking credentials and Bitcoin, and is sent via the most innocuous of means: namely Office docs and PDFs (and of course, executables).

The common thread through much of this is that attackers seem to be seeking the easiest, most technologically subtle (or nonexistent) ways to dupe us. Brian Krebs noted this pattern back in March when he covered GoDaddy’s multi-year breach. He noted, “Media coverage understandably focused on GoDaddy’s admission that it suffered three different cyberattacks…But it’s worth revisiting how this group typically got into targeted companies: By calling employees and tricking them into navigating to a phishing website.”

Anything that ticks the technological radar has a good chance of getting caught. But preying on human behavior has a greater chance of success, or so it appears attackers would think. Judging by the number of successful QR code scams, Callback phishing ploys, compromised LinkedIn redirects, and (deceptively) clean URL exploits, they might be right.

About the Author:

An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.