Businesses Warned As Phishing Attacks Continue

Alert staff about the dangers of opening suspicious links

The Police Service of Northern Ireland (PSNI) warns that a phishing campaign circulating in Northern Ireland remains a threat to local businesses.

The campaign involves the compromising of an email account within a business and subsequent use of its contact list in an attempt to spread both internally and externally.

How does this phishing campaign work?
This phishing campaign generally operates in the following fashion:

1. The victim receives an email from an already-compromised third party that holds the victim's address in its contact list.

2. The email prompts the recipient to open a PDF containing a URL, or to click on a link to open an invoice or secure document.

3. The victim then visits the malicious URL and enters their account username and password, thus compromising their email account.

4. The suspect then enters the compromised account from an external IP and sets up a mail rule (i.e. diverts incoming mail with a suspect subject line to trash).

5. The suspect sends a phishing email to the victim’s contact list, hoping to compromise further accounts. Any bounce backs or challenges go to trash due to the mail rule, and the victim remains unaware.

6. Unless detected, the account will remain compromised until the victim changes their password. Until then, the suspect can view emails and, if appropriate, attempt an invoice redirect, CEO fraud, etc.

The PSNI warns that they have seen mail forwarding set up as an alternative to ‘divert to trash’, meaning a password change will not secure the account.
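Both the 'divert to trash' rule in steps 4 and 5 and the forwarding variant leave a trace an administrator can look for. The following is an added example, not part of the PSNI advisory: it reviews an exported list of mailbox rules and flags those that divert mail to trash or forward it outside the organisation. The export format, field names, domain and IP ranges are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data: a generic export of mailbox rules. Field names are
# hypothetical and do not match any particular mail platform's schema.
ORG_DOMAIN = "example.co.uk"
ORG_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
TRASH_FOLDERS = {"trash", "deleted items"}

SAMPLE_RULES = [
    {"mailbox": "accounts@example.co.uk", "name": "Newsletters",
     "action": "move", "target": "Reading", "subject_contains": ["newsletter"],
     "created_from": "192.0.2.15"},
    {"mailbox": "accounts@example.co.uk", "name": ".",
     "action": "move", "target": "Deleted Items",
     "subject_contains": ["invoice", "undeliverable"],
     "created_from": "203.0.113.77"},
    {"mailbox": "director@example.co.uk", "name": "fwd",
     "action": "forward", "target": "copy@mail.example.net",
     "subject_contains": [], "created_from": "198.51.100.9"},
]


def is_external_ip(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in ORG_NETWORKS)


def review_rule(rule):
    """Return the reasons a rule matches the behaviour in steps 4-5, if any."""
    reasons = []
    action, target = rule["action"], rule["target"].lower()
    if action == "delete" or (action == "move" and target in TRASH_FOLDERS):
        reasons.append("diverts incoming mail to trash")
    if action == "forward" and not target.endswith("@" + ORG_DOMAIN):
        reasons.append("forwards mail outside the organisation")
    # An external creator IP only matters when the rule itself is suspicious.
    if reasons and is_external_ip(rule["created_from"]):
        reasons.append("created from an external IP")
    return reasons


def audit(rules):
    """Return (mailbox, rule name, reasons) for every rule worth a closer look."""
    checked = ((r, review_rule(r)) for r in rules)
    return [(r["mailbox"], r["name"], why) for r, why in checked if why]


if __name__ == "__main__":
    for mailbox, name, reasons in audit(SAMPLE_RULES):
        print(f"{mailbox}: rule {name!r}: {'; '.join(reasons)}")
```

A flagged forwarding rule needs removing as well as a password change, since forwarding keeps working after the password is reset.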

Firewall rules may not be enough
The use of compromised accounts to send phishing emails increases the chances of a recipient clicking on the link. This, along with the changing malicious URLs, can make it hard to put firewall rules in place that give anything more than short-term protection.

Warn staff not to click on suspicious links
Key to this type of incident is the willingness of staff to click on or follow a link. Irrespective of whether they enter a username and password, navigating to the suspect URL obviously risks exposure to malware.

The PSNI strongly urges all businesses to:

  • make staff aware of the risks of entering a username and password as the result of following a link
  • give clear guidance on the processes and procedures for contacting the relevant IT department or provider

Those involved as system administrators or incident managers should consider seeking membership of the Cyber Security Information Sharing Partnership (CiSP).

Learn more about phishing scams and how to protect your business against phishing.

Source: nibusinessinfo.co.uk