A new report out today from mobile security platform provider Zimperium Inc. is warning of the growing sophistication of “spear phishing” campaigns targeting corporate executives, particularly through their mobile devices.
For the past few months, researchers at Zimperium’s zLabs have observed spear phishing attempts that demonstrate social engineering sophistication: Threat actors are impersonating trusted business platforms and internal communications that leverage mobile devices to improve the effectiveness of their attacks. More recently, the researchers analyzed a targeted campaign that leveraged Docusign Inc. in an impersonation scheme that attempted to harvest corporate credentials from company executives.
The investigation into the Docusign impersonation campaign revealed a multistage attack that was meticulously crafted to exploit trust and urgency. The campaign began with a well-designed email appearing to originate from Docusign with the email containing a link that prompts the recipient to review an urgent document, a common tactic used to exploit a sense of authority and immediacy.
Once users clicked on the link, they were redirected through several stages designed to evade detection. At first, the link led to a legitimate-looking domain to obscure its malicious origin. From there, it then redirected to a compromised university website to leverage its credibility and avoid raising suspicion.
The final destination of the attack path varied depending on the type of device being used. Mobile users were presented with a cloned Google sign-in page designed to steal credentials, while desktop users were redirected to legitimate Google pages to avoid detection. The device-specific targeting is noted as highlighting a focus on mobile users, where security defenses are often not as strong as those found on standard computers.
For the bonus round, the attackers employed CAPTCHA image verification to add an additional layer of sophistication to the scheme and make the dubious landing page look more legitimate.
The attackers were also found to set up domains and SSL certificates only days before the phishing emails were sent, suggesting a high degree of planning that made their phishing attempts even harder to detect.
The researchers advise that companies should focus on educating employees, especially executives, about spotting phishing attempts and suspicious links. Companies are also advised to prioritize mobile device security and keep security policies and detection tools updated to stay ahead of new threats.
Mika Aalto, co-founder and chief executive officer at human risk management platform provider Hoxhunt Oy, told News via email that “the most important thing that companies can do is to shift left and equip senior management and employees with the skills and tools to recognize and safely report a mobile phishing attack.”
“We can hope that technical filters and endpoint detection and response technologies quickly develop to be able to pick up these highly obfuscated, native code-based malware attacks and pinpoint irregular signals and traffic,” Aalto added.
Image: News/Ideogram
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU
