HP Reports High-Impact Cat-Phishing Targeting Users


A new report from HP has revealed a troubling trend where cybercriminals are increasingly using “cat-phishing” tactics to deceive unsuspecting victims. The report, published on May 16, 2024, as part of the quarterly HP Wolf Security Threat Insights series, exposes how attackers are exploiting open redirect vulnerabilities and other Living-off-the-Land techniques to bypass traditional security measures.

What is Cat-Phishing?

The term “cat-phishing” refers to a method where cybercriminals manipulate seemingly legitimate links to redirect users to malicious websites without their knowledge. This deceptive practice makes it nearly impossible for the average user to distinguish between a safe and a compromised site, thus facilitating the success of phishing attacks.

Notable Campaigns Identified by HP Threat Researchers

  1. WikiLoader Campaign: In a sophisticated operation, attackers leveraged open redirect vulnerabilities within reputable websites, often through compromised ad embeddings, to redirect users to malicious domains. This technique exploits the trust users have in well-known sites, making it difficult for security systems to flag malicious activity.
  2. Living-off-the-BITS: Several campaigns abused the Windows Background Intelligent Transfer Service (BITS) – a legitimate mechanism used by programmers and system administrators to download or upload files to web servers and file shares. This LotL technique helped attackers remain undetected by using BITS to download the malicious files.
  3. Abuse of Windows BITS: Several campaigns were found to misuse the Windows Background Intelligent Transfer Service to download malicious files covertly. By utilizing a legitimate system component, attackers can maintain a low profile, evading standard detection mechanisms.
  4. Fake Invoices Leading to HTML Smuggling Attacks: HP identified a tactic where threat actors concealed malware within HTML files disguised as delivery invoices. Once opened in a web browser, these files initiate a series of events that deploy open-source malware like AsyncRAT. The lack of effort in designing the lure suggests a low-cost, high-volume approach.
  5. Ursnif Returns: Ursnif, also known as Gozi or IFSB malware targets Windows devices and first appeared in 2006. In the first quarter of 2024, HP researchers identified the return of Ursnif as part of different malicious spam campaigns against users in Italy.
    A fake invoice dropping Ursnif malware (Screenshot: HP)

    Other Findings

    Other findings in the report highlight that at least 12% of email threats managed to evade detection. The primary threat vectors identified during the first quarter included email attachments, accounting for 53%, followed by downloads from browsers at 25%, and other infection vectors at 22%.

    Notably, there has been a notable growth in document threats, with exploits surpassing macros as the preferred method of executing malicious code, constituting at least 65% of document-based threats.

    Expert Insights

    In a press release, Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc., emphasized the limitations of relying solely on detection in the face of Living-off-the-Land techniques. He advocated for a defence-in-depth approach, including threat containment, to mitigate risks effectively.

    Targeting companies with invoice lures is one of the oldest tricks in the book, but it can still be very effective and hence lucrative. Employees working in finance departments are used to receiving invoices via email, so they are more likely to open them. If successful, attackers can quickly monetize their access by selling it to cybercriminal brokers, or by deploying ransomware.”

    Patrick Harr, CEO at SlashNext, pointed out the prevalence of open redirects and other deceptive techniques in email and messaging platforms. He underscored the need for AI-based security solutions that utilize computer vision and URL sandboxing/behavioural analysis to counter these advanced threats.

    Conclusion

    The HP Wolf Security Threat Insights Report is just another piece of evidence showing how cybercriminals have mastered the art of deceiving unsuspecting businesses and individuals. Organizations must move beyond detection-centric security and adopt a defence-in-depth strategy, incorporating threat mitigation and advanced technologies like AI to effectively combat sophisticated attacks, including the growing threat of “cat-phishing.”

    1. Check Point Research: Microsoft the Most Phished Brand
    2. Google, Microsoft and Oracle generated most vulnerabilities
    3. Microsoft Office Most Exploited Software in Malware Attacks
    4. Malicious Office documents make up 43% of all malware downloads
    5. HP Claims Monopoly on Ink, Alleges 3rd-Party Cartridge Malware Risk





Source link