Attackers have amped up their use of X-rated phishing lures in business email compromise (BEC) attacks. A new report found a stunning 974-percent spike in social-engineering scams involving suggestive materials, usually aimed at male-sounding names within a company.
The Threat Intelligence team with GreatHorn made the discovery and explained it’s not simply libido driving users to click on these suggestive scams. Instead, these emails popping up on people’s screens at work are intended to shock the user, opening the door for them to make a reckless decision to click. It’s a tactic GreatHorn called “dynamite phishing.”
“It doesn’t always involve explicit material, but the goal is to put the user off balance, frightened – any excited emotional state – to decrease the brain’s ability to make rational decisions,” according to the report.
Breach, Exfiltrate, Blackmail, Repeat
GreatHorn observed the malicious URLs largely do one or more of the same three things: Download malware; send users to a bogus dating site to trick victims into entering payment data; or track users for a follow-up attack, which the report said is likely to involve blackmail. Scammers use a tactic called email pass-through to track their victims.
“The same technology enables legitimate email senders to auto-populate an unsubscribe field with a user email address,” the report said. “Once a user clicks on a link in the email, their email address is automatically passed to the linked site. In these attacks, the cybercriminal leverages the information they gleaned in order to set up a second stage.”
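As an added illustration (not code from the GreatHorn report), the following check looks for the pass-through pattern just described from the defender's side: it scans an email body for links that carry the recipient's own address in a query parameter, path segment or fragment. It also matches percent-encoded, base64-encoded and hashed forms of the address, which is an assumption that goes beyond the plain case the report describes; the sample body and domains are constructed.

```python
import base64
import hashlib
import re
from urllib.parse import parse_qsl, unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def _address_forms(address: str) -> set[str]:
    """Encodings of the recipient address a tracking link might carry.
    Plain form is what the report describes; base64 and hashed forms are an
    assumption added here so the check is not trivially evaded."""
    a = address.strip().lower()
    forms = {a}
    forms.add(base64.b64encode(a.encode()).decode().rstrip("="))
    forms.add(base64.urlsafe_b64encode(a.encode()).decode().rstrip("="))
    for algo in ("md5", "sha1", "sha256"):
        forms.add(hashlib.new(algo, a.encode()).hexdigest())
    return forms

def find_passthrough_links(body: str, recipient: str) -> list[dict]:
    """Return every link in body whose query, fragment or path embeds recipient."""
    forms = _address_forms(recipient)
    hits = []
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        # parse_qsl already percent-decodes query values; path and fragment are decoded below
        candidates = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        candidates += parts.fragment.split("&") + parts.path.split("/")
        for value in candidates:
            raw = unquote(value).strip().rstrip("=")  # base64 padding is ignored
            if raw in forms or raw.lower() in forms:
                hits.append({"url": url, "host": parts.hostname, "value": value})
                break  # one hit per link is enough for triage
    return hits

# Constructed sample: two lure links carrying the recipient address, one benign link.
SAMPLE_BODY = """Want to meet tonight? Pics here: http://photos.example-lure.test/gallery?u=user%40example.com&ref=42
Then the date site: https://dating.example-lure.test/t/dXNlckBleGFtcGxlLmNvbQ/landing
Footer: https://news.example.test/unsubscribe?list=weekly
"""

if __name__ == "__main__":
    for hit in find_passthrough_links(SAMPLE_BODY, "user@example.com"):
        print(f"pass-through link to {hit['host']} carrying {hit['value']!r}")
```

Flagged links are worth quarantining or rewriting before delivery, since a click hands the attacker a confirmed live address for the follow-up stage the report warns about.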
GreatHorn shared an example of the type of X-rated phishing lure, which includes a your-place-or-mine proposition.
The link, the researchers explained, would take the user to a photo site, then to a scam dating site, which in this case is at hungrygrizzly.com.
“User data gleaned in this way will be transmitted to cybercriminals, who will use it for various malicious purposes, such as money withdrawal, blackmailing or committing further frauds,” GreatHorn added.
Besides being personally embarrassing, these phishing attacks are becoming increasingly dangerous to organizations.
‘Astounding’ Phishing Attacks
To demonstrate just how effective and insidious phishing lures have become, Agari Cyber Intelligence Division (ACID) put 8,000 account credentials under their control on phishing sites just to watch and see what would happen next.
The report called what happened next “astounding.”
A quarter of the account credentials were automatically tested as soon as they were posted.
Additionally, they found that three families of attacks were responsible for 85 percent of attacks, demonstrating that a small number of threat actors, or versions of phishing code, were launching wide-scale campaigns.
Nearly all (92 percent) of the compromised accounts were manually breached by an attacker. About 20 percent (one in five) were accessed within the first hour, and 91 percent were accessed within a week of compromise, the firm found.
“And while a majority of compromised accounts were only accessed one time by actors, we observed a number of examples where a cybercriminal maintained persistent and continuous access to a compromised account,” the ACID team explained.
And worse, as these attackers gain access to an increasing number of accounts, those are then used to launch additional attacks.
“We saw scammers create forwarding rules; pivot to other applications, including Microsoft OneDrive and Microsoft Teams; attempt to send outgoing phishing emails, sometimes by the thousands; and use the accounts to set up additional BEC infrastructure,” they warned.
Phishing As Biggest Security Threat
Phishing is one of the biggest cybersecurity challenges any organization faces, Hank Schless from Lookout told Threatpost.
“Phishing attacks can be used as the catalyst for almost any cyberattack,” he explained. “In the past year, we’ve seen countless ransomware attacks and data leaks that started with an individual’s login credentials being compromised.”
Schless added the risks are only compounded on mobile devices, where users are toggling back and forth between communications streams, apps and more.
Netenrich’s Sean Cordero said it is time for organizations to completely rethink their IT operations and risk-management strategies to effectively cope with phishing.
“They need to understand the scope of the attackable surface,” he explained. “An organization cannot protect assets and connections to their environment if they are not aware of the amount of exposure they are facing. Unfortunately, the attackers who are well organized and funded have the time and resources to identify the weaknesses.”