
Online Businesses Become a Phisher's Playground

A global shift to online business this year has led to an increase in phishing attacks through website builders and CMS platforms. But not nearly enough businesses have deployed sufficient security measures against these campaigns.

2020 had an enormous impact on physical businesses. Companies across the world were forced to adapt their operations as in-person collaborations and transactions essentially ended overnight. Becoming a solely online business meant big changes for some companies, but the benefits were quickly recognized. Having a website boosted credibility, and operations were no longer restricted by the usual opening times of nine to five. Instead, enquiries and transactions could be made over a 24-hour period.

Unfortunately, numerous cyber threats awaited companies making the transition. Predominant among them were phishing campaigns. Phishing attempts are continuously growing in sophistication, meaning they're more evasive and can circumvent basic email security systems. Most attacks now exploit the human workers, the weakest link in any business, and deploy social engineering tactics.

Now that almost all businesses possess a digital presence, this is likely to continue. McKinsey reported that more than three-quarters of buyers and sellers now say they prefer digital self-serve and remote human engagement over face-to-face interactions. Those facilitating fast and efficient digital solutions are part of what makes this possible. Website builders and content management system (CMS) platforms have experienced a boom in business as companies look for simple, accessible, and cheap ways to establish an online presence.

Equipping the Phishers' Toolbox
Website builders including Wix, Weebly, and Squarespace are popular options for website development. However, these platforms are not only sought after by legitimate businesses. Phishing activity using their domains has increased as hackers make use of the simplicity and accessibility on offer. The likes of Wix and Weebly are known by most businesses, and detection engines recognize them as trustworthy, so phishing emails that link to them are often allowed through to the inbox.

The number of phishing attempts through user-generated content (UGC) has greatly increased, predictably, given the global shift to online business. Criminals use UGC platforms either to create their own phishing page or to exploit already compromised websites. With the right level of technical knowledge, both techniques will evade security defenses and get the phishing email into the victim's inbox.

Breaking Down the Threats
While website builders allow criminals to design their own phishing page from scratch, most will look to take advantage of compromised webpages. The recent WordPress hack is a good example, as criminals were able to input malicious content which then went on to infect victims' devices. In another method, a threat actor posts a phishing page with the intention of stealing data or redirecting users to other phishing sites containing malware.

UGC platforms are often used by hackers to distribute phishing campaigns, with one example making use of the Wix webpage developer. A phishing email was sent to a user, asking them to verify one of their Outlook accounts. The "confirm" button directed the victim to a false Outlook login page, asking for further credentials. Any details entered at this point would be sent straight to the phisher. With these credentials, attackers can then carry out further exploitation with ease.

More sophisticated hackers will go even further and use multistage attacks, using multiple website builders to fool the victims. One uncovered campaign used two builders, Weebly and Zyro: The former was used to build a fake Outlook page, and the latter for a SharePoint site. Victims received an email containing a hyperlink to an encrypted document, with an access button in the form of "click here to view." The user was then taken to the SharePoint space, which was a phishing page, storing an unread fax message. Another link to "document preview" triggered the Outlook 365 page where credentials were requested, thus completing the attack.
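From the defender's side, the campaigns described above share a pattern a mail filter can score: a link to a customer subdomain of a website builder, combined with a well-known brand name and lure wording on the link. The following Python sketch is an added example, not code from the article or from any product it mentions; the hosting suffixes, brand terms, and sample messages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed lists, not from the article: builder hosting suffixes, brands, lure wording.
BUILDER_SUFFIXES = (".wixsite.com", ".weebly.com", ".squarespace.com")
BRAND_TERMS = ("outlook", "office 365", "sharepoint", "microsoft")
LURE_TERMS = ("verify", "confirm", "click here to view", "document preview")

class LinkCollector(HTMLParser):  # collects (href, link text) pairs and visible text
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href"), []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._buf).strip()))
            self._href = None

def builder_host(href):
    """Hostname if href is a builder customer subdomain (not the vendor's www), else None."""
    try:
        host = (urlsplit(href).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL: treat as not matching rather than crash
        return None
    return host if host.endswith(BUILDER_SUFFIXES) and not host.startswith("www.") else None

def score_email(html):  # returns the reasons an HTML body looks like builder-hosted phishing
    parser = LinkCollector()
    parser.feed(html)
    body = " ".join(parser.text).lower()
    reasons = []
    for href, label in parser.links:
        host = builder_host(href)
        if host:
            reasons.append(f"builder-hosted link: {host}")
            if any(term in f"{body} {href.lower()}" for term in BRAND_TERMS):
                reasons.append("brand named alongside builder-hosted link")
            if any(term in label.lower() for term in LURE_TERMS):
                reasons.append(f"lure wording on link: {label!r}")
    return reasons

# Constructed sample bodies (hostnames are made up).
PHISH = '<p>Please verify your Outlook account.</p><a href="https://example-user.wixsite.com/account-check">Confirm</a>'
BENIGN = '<p>Our new menu is live.</p><a href="https://example-bakery.weebly.com/menu">See the menu</a>'
```

A builder-hosted link alone is weak evidence, since legitimate businesses use the same platforms; the signal is the combination, which is why the benign sample collects one reason and the phishing sample three.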

Strengthening Defenses
There are very few workers who have not experienced a phishing attack at some point in their lives, but there is still a significant proportion of businesses yet to deploy sufficient security measures against these campaigns. Advanced email security solutions provide continuous monitoring and detection, using machine learning to evolve when new attacks are discovered. 

Employee training is important, but only when applied in the correct way. Crowdsourced user detection is highly effective as it not only makes employees part of the solution, but also contributes to the businesswide security strategy. At the press of a button, employees can take control of their own security and initiate an inspection of suspicious emails received as the system delivers real-time consultation. The information captured by the solution after the inspection is then fed back into the wider system, which triggers automatic remediation in company inboxes.

While website builders can provide simple and inexpensive solutions for businesses wanting to grow their digital presence, there are several threats hidden behind the convenience. Raising awareness of these dangers and deploying sufficient protective solutions will help ensure business continuity in the digital world.
