
Phishing Attack Payloads Leaving Employees Vulnerable as Remote Work Trends Continue to Evolve

In recent years phishing has overtaken malware as the number one threat action. Furthermore, the recent workforce changes spurred by the pandemic have led to an exponential increase in phishing attacks. Employees are working from anywhere, using one device for everything, and cybercriminals have noticed.

Today’s phishing threats no longer rely on simple phishing emails as cybercriminals launch many different attacks, sometimes using more than one threat vector to trap their victims. SlashNext Threat Lab tracks these trends, so we thought we would take a moment to identify a few of the bigger phishing attack actions.

Credential Stealing
Perhaps the oldest form of phishing, credential stealing is designed to trick the user into giving up their credentials by serving a nearly identical copy of a genuine web page. In the last 3 months, we have identified 1.45M unique credential stealing URLs. Many of these phishing sites mirror legitimate, trusted brands like Google, Microsoft, Dropbox, PayPal, and Yahoo, and can trick the savviest professionals into falling victim to these scams (Exhibit 1a, 1b). Some of these sites have fully functional password reset options, and some ask for secondary email accounts, mobile phone numbers, and security questions for “enhanced security”.

Exhibit 1a: Credential Stealing Through Fake O365 Page


Exhibit 1b: Credential stealing with a fake PayPal page using Captcha to avoid detection

Virtually any brand can be easily impersonated, and the inherent trust that the brand has created with its customers is the very thing that attackers use to their advantage. Training can reduce the risk of falling victim, but these attacks are effective because the user usually can’t differentiate between the fake and legitimate pages.


Rogue Software, Rogue Apps & Browser Extensions
With the merging of work and personal devices, it was only a matter of time before cybercriminals realized this was a viable way to execute a breach, which is why we have seen a 36% increase in rogue software, app, and browser extension attacks since July. These types of attacks typically trick users into downloading malicious software, apps, and extensions. In some cases, these attacks lure victims into installing a malicious video player (Exhibit 2a) or a rogue browser extension (Exhibit 2b) to gain the permissions needed to install socially engineered malware on their system.

Exhibit 2a: Socially engineered malware disguised as a fake player

Exhibit 2b: A Browser Extension designed to Hijack email accounts.

What makes these types of phishing attacks so dangerous is the end goal of gaining access to a device. Once inside, cybercriminals can infiltrate the organization to sniff user credentials from memory and sell them on the Dark Web, launch further phishing attacks, or actively parse web page content in a man-in-the-middle attack, to name a few.


Scareware, Fake Virus Alerts
These scams typically use scare tactics to trick victims into believing their computer has crashed or a virus has been detected. They then lure victims into calling a fake technical support hotline, or prompt the user into an action that will ultimately infect their device, after which credit card data can be captured, credentials stolen, or the device compromised. In some instances, clicking the link to fix a fake virus may uninstall legitimate antivirus software, leaving a computer, mobile device, or network vulnerable to attack.

Example of a Technical support scam

Exhibit 3: Scareware Technical Support


Social Engineering, Money Transfer Scams, and Bitcoin Scams

Social engineering uses TTPs (Tactics, Techniques, and Procedures) to trick users into giving away sensitive information. Social engineering is commonly used in money transfer scams (Exhibit 4a), to obtain credit card or debit card information in order to get goods or funds from an account, or for credential theft. Another trend in social engineering is Bitcoin scams. SlashNext’s Threat Lab sees a multitude of Bitcoin phishing sites (Exhibit 4b) each day that use celebrity photos and names to conduct similar cryptocurrency scams. Cybercriminals prefer stealing cryptocurrency because it can be used without evidence of where it was obtained.

Exhibit 4a: Example of a Money Transfer Scam


Exhibit 4b: Example of recent bitcoin scam


Exhibit 4c: Example of Gift Scam


Multi-stage Phishing Attacks
The attack starts with a link sent in an email that is not itself malicious but leads to what appears to be a benign site. Once that website is opened, the user performs a task, and a local HTML file is downloaded to their computer. When the user opens that file from their desktop, a local HTML page is launched with a link to continue, which sends them to the final domain where the phishing content is delivered. The bad guys are forcing a real human through multiple steps that security equipment would typically have trouble following. They don’t allow the phishing site to appear unless they can confirm that a human is interacting with the site. This means that even if the final phishing domain is on a blacklist, traditional anti-phishing security cannot protect users from it until someone or some technology follows the entire user process and reaches the point where the phishing site is finally served.
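The downloaded HTML "stepping-stone" file described above is the one artifact in this chain that lands on the endpoint before the final domain is ever contacted, so it is a natural place to look. The following Python script is an added example, not SlashNext's code or part of the original post: it scans a saved HTML file for outbound targets (anchor links, meta-refresh redirects, and JavaScript `location` assignments) and flags files whose every outbound link leaves the domains the organization expects, or that reference a known-bad domain. The allow list, the block list (a placeholder domain) and the three sample HTML documents are constructed for illustration.

```python
"""Flag local HTML stepping-stone files used in multi-stage phishing (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow list: domains a downloaded HTML file is expected to reference.
ALLOWED_DOMAINS = {"sharepoint.com", "office.com", "microsoft.com"}

# Constructed block list: placeholder standing in for a domain already on a blacklist.
KNOWN_BAD_DOMAINS = {"final-phish.example"}

# Matches window.location.href = "...", location = "...", location.replace("...") etc.
JS_REDIRECT = re.compile(
    r"""(?:location(?:\.href)?\s*=\s*|location\.(?:replace|assign)\()\s*['"]([^'"]+)['"]"""
)


class LinkExtractor(HTMLParser):
    """Collect href/src/action targets and meta-refresh destinations from HTML."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases attribute names for us
        if tag in ("a", "iframe", "form", "script"):
            for key in ("href", "src", "action"):
                if attrs.get(key):
                    self.targets.append(attrs[key])
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", attrs.get("content", ""), re.I)
            if m:
                self.targets.append(m.group(1))


def registrable_domain(url):
    """Crude eTLD+1: last two host labels (assumption: no multi-label suffixes like co.uk)."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def extract_targets(html):
    """Return every outbound target found in markup or inline JavaScript."""
    parser = LinkExtractor()
    parser.feed(html)
    return parser.targets + JS_REDIRECT.findall(html)


def analyse_html_file(html):
    """Classify a downloaded HTML file by where its outbound links lead."""
    external = sorted({registrable_domain(t) for t in extract_targets(html)
                       if urlparse(t).scheme in ("http", "https")})
    unknown = [d for d in external if d not in ALLOWED_DOMAINS]
    bad = [d for d in external if d in KNOWN_BAD_DOMAINS]
    if bad:
        verdict = "block"
    elif unknown and len(unknown) == len(external):
        # Every outbound target leaves the expected domains: typical of a stepping-stone page
        verdict = "suspicious"
    else:
        verdict = "allow"
    return {"verdict": verdict, "external_domains": external, "unknown": unknown, "bad": bad}


# Constructed samples: a stepping-stone page that pushes the user on to a blacklisted host,
# a page pointing at an unlisted host, and a benign page linking to an allowed service.
STEPPING_STONE_HTML = """<html><head>
<meta http-equiv="refresh" content="5; url=https://secure.final-phish.example/login">
</head><body><p>Your document is ready.</p>
<a href="https://secure.final-phish.example/login">Click here to continue</a>
<script>setTimeout(function(){ window.location.href = "https://secure.final-phish.example/login"; }, 3000);</script>
</body></html>"""

UNLISTED_HOST_HTML = """<html><body>
<a href="https://docs.unknown-host.example/continue">Continue to your document</a>
</body></html>"""

BENIGN_HTML = """<html><body>
<a href="https://contoso.sharepoint.com/sites/hr/policy.pdf">HR policy</a>
</body></html>"""

if __name__ == "__main__":
    for name, sample in (("stepping-stone", STEPPING_STONE_HTML),
                         ("unlisted-host", UNLISTED_HOST_HTML),
                         ("benign", BENIGN_HTML)):
        print(name, analyse_html_file(sample))
```

In practice the same check would run in the download-scanning or mail-attachment pipeline: a stepping-stone file rarely contains much beyond a single "continue" link, so the ratio of unknown external domains to all outbound targets is the signal, and a hit on a blacklisted final domain in the file itself short-circuits the human-interaction gating the attackers rely on.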

These are just some of the many phishing attacks that do not rely on traditional email as the sole attack vector. Phishing payloads that traditionally used fake login pages have morphed into dozens of different payloads, including rogue software, rogue apps, scareware, credit card fraud, man-in-the-middle attacks, and more. These phishing payloads are no longer limited to email but also arrive through mobile, ads, search engines, and messaging apps. With tens of thousands of new phishing sites going live each day, some disappearing within 4 to 8 hours, the speed and volume of these phishing attacks have compounded the problem organizations face in preventing them.

SlashNext is the phishing authority and is leading the fight to protect the world’s internet users from phishing anywhere. SlashNext end-to-end phishing protection services utilize our patented SEER technology to detect zero-hour phishing threats by performing dynamic run-time analysis on billions of URLs a day through virtual browsers and machine learning. Take advantage of SlashNext’s services using mobile apps, browser extensions, and APIs that integrate with leading mobile endpoint management and IR tools. Contact us today to request a demo.
