Follow multi-factor authentication and password management best practices.Augment native email security to stop socially engineered attacks.Avoid opening emails that you are not expecting.Perhaps these two campaigns were identified and stopped, but what about the next one? Or the one after that? Or other campaigns we haven’t heard about, because they weren’t successfully identified by a security team?Īrmorblox’s report suggested four main areas where employees can focus to protect themselves against phishing. In that case, too, hundreds of employees were exposed as a result of dutiful brand impersonation, clever social engineering and a valid email domain that bypassed traditional security measures. Just a few weeks ago, cyberattackers impersonated the DocuSign e-signature software to steal Microsoft account credentials from a U.S. Still, the domain itself was perfectly legitimate – allowing it to bypass traditional spam filters – and, the researchers explained, “the sender crafted a long email address, meaning that many mobile users would only see the characters before the sign, which in this case is ‘membershipform’ – one that would not raise suspicion.” How to Defend Yourself In the sender field, the “I” in “Instagram Support” was, in fact, an “L.” And the email domain itself – – clearly didn’t come from Instagram. They made grammar, spelling and capitalization errors in the body of the phishing email. The attackers certainly left clues along the way. Source: Armorblox.Īt no point did any of these steps “look to be malicious to the common end user, and every touch point, from the email to the account verification form, include Meta and Instagram branding and logos,” the researchers noted. That information would go straight to the malicious actor, of course, unbeknownst to the target themselves. Targets who did so ended up on a landing page, where they were asked to submit their Instagram account login information. If you can’t verify within 24 hours your membership will be permanently deleted from our servers.” This message fostered a sense of urgency, to goad the unsuspecting into clicking on a malicious “account verify” link. “You have been reported for sharing fake content in your membership,” read the body of the email. The intention, according to the report, was “to create a sense of urgency while instilling trust in the sender.” Disguised as an alert from Instagram’s technical support team, it indicated that the recipient’s account was under threat of deactivation. life insurance company headquartered in New York, researchers have revealed.Īccording to a report published by Armorblox on Wednesday, the attack combined brand impersonation with social engineering and managed to bypass Google’s email security by using a valid domain name, eventually reaching the mailboxes of hundreds of employees. A phishing campaign used the guise of Instagram technical support to steal login credentials from employees of a prominent U.S.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |