Research conducted by the Ponemon Institute suggest that 77 percent of today’s phishing attacks are launched via file-less techniques that go undetected by standard endpoint security solutions. Hackers are using attack vectors that no longer rely on suspicious emails or attachment files. Many of these phishing attacks are sophisticated and even the most seasoned IT professionals are falling victim.
Here are five phishing attack methods that fall outside of the email inbox that you need to be aware of.
Malicious browser extensions
Browser extensions by design have full access to most of the browser’s resources and information being entered and rendered within the browser. It was just a matter of time before cybercriminals realized that injecting malicious code inside browsers disguised as benign looking browser extensions would not only give them unlimited access to all the data within browser, but also provide them with much needed cover from security systems that are designed to catch only malware executables and software exploits.
In fact, “according to a recent report, cybercriminals infected more than 100,000 computers with browser extensions that stole login credentials, mined cryptocurrencies, and engaged in click fraud. The malicious extensions were hosted in Google’s official Chrome Web Store.”
Credential stealing
Credential stealing is actually the oldest form of phishing attack. It’s designed to trick the user into giving up their login credentials by representing a clone of a legitimate website. These replica pages often leverage reputable brands such as Dropbox, Yahoo, and Microsoft and some come complete with functional “password reset” options and even security questions for piece of mind.
Technical support scams
Technical support scams use scare tactics to trick gullible victims into believing that their computer has either crashed or that a virus has been detected on their computer. These scams try to lure victims into calling a fake technical support hotline which, if successful, can lead to telephone fraud. The goal is usually to gain remote access to the system and collecting sensitive user information. These scammers may also ask their victims to pay for their fake support.
Once the hacker is connected, they may install malware for remote access or data exfiltration, or they can disable endpoint protection or re-configure them to whitelist, trust or ignore tools that the scammer may want to use.
Rogue software
These type of Phishing attacks usually trick users in downloading fake system cleaners and anti-virus tools by showing fake infections and malware activities on their computer or device. In some case, these types of phishing attacks lure their victims into installing fake videos players with an offer to watch a cool video.
Ultimately, these attacks fundamentally try to exploit the user’s trust in global brands with the end goal of getting them to wittingly (or unwittingly) permit socially engineered malware to get onto his or her system.
Gift and prize scams
Who doesn’t like to win a prize? Exactly! These type of Phishing attacks create a sense of excitement for their victims and ask them for sensitive information in order to claim a reward. In a recently observed attack, the victim is promised one of several possible prizes. All he has to do is spin the wheel to see what he will win. After spinning the wheel, the user will be asked to log-in to Facebook to claim his prize. However, the Facebook login page is fake and under control of the attacker. The purpose of the scam is simply to capture the user’s Facebook login credentials.
Once they have your login credentials, they can try them at other sites – such as banking sites – since many people use the same login credentials across multiple websites.
To tackle these sophisticated phishing attacks, we pioneered an entirely new, cloud-powered, adaptive approach to real-time, zero-page phishing site and threat detection. We use live Session Emulation and patent-pending SEER™ detection technology to detect malicious sites in real-time. By dynamically inspecting suspicious browsing contents and server behavior, we can detect previously unknown phishing threats in just seconds – threats that fall outside of email scams and malicious attachments.