This week it emerged that the Roblox gaming platform had been hacked via a phishing/social engineering attack that led to internal documents being stolen and leaked online in an extortion attempt.
The hacker posted documents on a forum that purported to contain information about some of Roblox’s most popular games and creators, according to Motherboard. Some of the materials also include personally identifiable information about individuals.
But Roblox isn’t alone – it’s just the latest in a long line of corporate phishing victims. The success of these attacks shows how effective phishers have become in manipulating targeted employees in various businesses.
Over the past few months, the IT security news cycle has been dominated by reports of phishing attacks exploiting trusted applications such as email, QuickBooks and Google Drive, to name a few. This week, research from Avanan shows that hackers have found a new way into the inbox by creating fake invoices in PayPal, taking advantage of the legitimacy of the site to reach their targets.
Abuse of legitimate services is a key factor in the latest series of phishing attacks, which use social engineering tactics to trick victims into giving up information such as login credentials. SlashNext Threat Labs reported a 57% increase in phishing attacks from trusted services between the fourth quarter of 2021 and the first months of 2022.
In June, Microsoft 365 and Outlook customers were targeted with voicemail-themed emails as phishing lures, while QuickBooks users fell victim to back-to-back campaigns in June and July, including a vishing scam targeting small businesses. Concerns about cross-channel phishing attacks are also growing, with a particular focus on smishing and business text compromise.
Meanwhile, cloud collaboration and the use of tools like Zoom and Microsoft Teams have exploded in the past two years since the pandemic began and have become standard operating procedures for remote workers. Attackers saw this trend and took advantage of it.
Phishing lures are getting more and more sophisticated
Jeremy Fuchs, cybersecurity research analyst at Avanan, points out that phishing attacks continue to become more sophisticated and social engineering tactics continue to evolve. He says he thinks there will be increased use of legitimate services like PayPal to send phishing emails from a legitimate email address.
“We’ve seen an increase in so-called double spear tactics, where hackers not only get your funds, but they also get your phone number for future attacks,” he says. “We will see more of these attacks that can catch more than one element of an end user.”
Gretel Egan, senior cybersecurity awareness training specialist at Proofpoint, says she continues to see attackers misusing well-known brands and taking advantage of legitimate services to trick people into making fundamental mistakes in the inbox.
“These are messages that seem ‘right’ on the surface, that tap into working methods,” she says. “These types of subtle manipulations can be difficult for people to spot, and it is essential that workers are made aware of the capabilities and propensities of attackers to operate in this manner.”
Egan explains that threat actors use real-time events and themes that grab the attention of the world.
“If it’s something we talk about as a society, or something that elicits strong emotions, then that’s content that’s likely to be exploited,” she says. “Increasingly, we are seeing threat actors using their social engineering content to move victims from the corporate messaging environment to other communication platforms such as the phone and conferencing software.”
Distributed workforce adds to vulnerabilities
Social engineering is inherently people-centric, and in today’s hybrid workforce, organizations struggle to protect data, devices, and systems while remaining agile.
Egan emphasizes that employees must also adapt to stay connected and engaged with their colleagues.
“Those living in remote and hybrid environments rely heavily on collaboration apps and social media, both public and corporate,” she says. “These trends have opened the door to a whole host of social engineering tactics and other cyber threats.”
She notes that social engineering techniques aren’t just found in emails — these tactics are used successfully in text messages, phone calls, direct messages, and more.
Fuchs agrees that working remotely has its challenges, including not being able to stop by the computer desk to ask about an email.
“But when you’re working from home, distraction can play a role,” he adds. “There are more stimuli – the barking dog, the crying child, responding to a thousand Slack messages – and taking the time to focus on the cues in an email that alert you that it could be suspicious may fall by the wayside.”
Deployment of Advanced ML, AI Tech
Fuchs argues that IT policies need to move away from static “allow and block lists” and move towards advanced AI.
“Static lists allow these legitimate services to be used for phishing,” says Fuchs. “Advanced AI and ML can determine what is real and what is not.”
Egan says multi-layered protection is the best strategy against phishing emails, layered into a culture of security with people at the center.
She adds that it’s important to understand which users are most targeted and which are most likely to fall into the social engineering trap that phishing attacks rely on.
“Users are a critical line of defense against phishing and it’s important that security awareness provides a foundation to ensure anyone can identify a phishing email and report it easily,” she says. “This should be combined with layered defenses at the email gateway, in the cloud, and at the endpoint.”
Fuchs agrees that, for employees, training continues to be a must and should focus on slowing down the user and checking a few critical signs, like the sender’s address and the destination of the URLs.
From his point of view, a two-second verification can often prevent disaster.
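The two checks Fuchs describes, the sender’s address and where the links actually go, can be automated as a first-pass triage. The script below is an added example written for this article, not code from Avanan, Proofpoint or any vendor mentioned here. The brand-to-domain table, the sample messages and the `192.0.2.1` address are all constructed for illustration; a real deployment would take the brand list from the organisation’s own allowlist.

```python
"""Triage an email's From: header and link destinations (constructed example)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Assumed mapping of brand names to the domains that legitimately send their mail.
BRAND_DOMAINS = {"paypal": "paypal.com", "quickbooks": "intuit.com", "microsoft": "microsoft.com"}

# Constructed phishing-style message: lookalike sender domain, link text that
# shows a brand URL while the href points at a bare IP address.
SAMPLE_EML = """\
From: "PayPal Billing" <billing@paypa1-secure.example>
To: finance@corp.example
Subject: Invoice #48213 is due
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your invoice is ready.</p>
<p><a href="http://192.0.2.1/login">https://www.paypal.com/invoice/48213</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
</body></html>
"""

# Constructed benign message for comparison.
CLEAN_EML = """\
From: "PayPal" <service@paypal.com>
To: finance@corp.example
Subject: Your receipt
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://www.paypal.com/activity">View activity</a></p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_sender(from_header):
    """Flag a display name that claims a brand while the address domain is not that brand's."""
    findings = []
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name.lower() and not (domain == legit or domain.endswith("." + legit)):
            findings.append(f"sender claims '{brand}' but address domain is '{domain}'")
    return findings


def check_links(links):
    """Flag links to bare IP addresses and link text whose host differs from the real destination."""
    findings = []
    for href, text in links:
        href_host = _host(href)
        if _is_ip(href_host):
            findings.append(f"link to bare IP address: {href}")
        text_host = _host(text) if text.lower().startswith(("http://", "https://")) else ""
        if text_host and text_host != href_host:
            findings.append(f"link text shows '{text_host}' but goes to '{href_host}'")
    return findings


def analyze(raw_message):
    """Return a list of findings for a raw RFC 822 message; an empty list means no flags."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = check_sender(str(msg["From"] or ""))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += check_links(extract_links(body.get_content()))
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, analyze(raw) or ["no findings"])
```

Note what this does not catch: an invoice genuinely generated through PayPal’s own invoicing feature arrives from PayPal’s real domain with links to PayPal’s real site, so none of these checks fire. That is precisely the gap Avanan describes, and it is why address and URL checks belong inside the layered gateway, cloud and endpoint defenses Egan recommends rather than standing alone.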
“The key takeaway from this deluge of phishing attacks is that hackers have found huge success leveraging legitimate brands,” he says.
Whether it’s brand spoofing or sending phishing emails directly from the service, anything resembling a trusted brand is more likely to land in the user’s inbox and more likely to be acted on.
“Impersonation scams are on the rise and given the huge amount of services they can exploit, this is unlikely to slow down,” he warns.