Web-Based Social Engineering Attacks Taking Increasingly Popular Forms

Organizations and their security professionals must be prepared for nearly anything when it comes to how attackers will attempt to exploit them. A new report highlights several interesting attack types that security pros should be aware of.  The best overall defensive approach against them is a strategy built around cyber resilience, combining prevention, user training, and efficient responses.

A new article from ZDNet highlighted the findings from a newly-released FireEye report that included this not too surprising fact: the use of malicious web sites are made to appear legitimate through the use of HTTPS (HTTP over SSL), quarter-on-quarter, has risen 26%. At the same time they report seeing a decrease in email attachments infested with malware, showing that attackers will shift their techniques as needed.

The report also claimed that file-sharing services, such as Dropbox or Google Drive, have seen a “dramatic increase” in their use to deliver malicious payloads initiated through phishing. Phishing in general is also up significantly, as additionally confirmed in Mimecast’s latest State of Email Security report.

What is HTTPS?

According to WhatIs.com, HTTPS “is the use of Secure Socket Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the web server. The use of HTTPS protects against eavesdropping and man-in-the-middle attacks.”

Numerous entities and services use HTTPS on their sites and that lock you see on the browsers address line is intended to give the user a sense of trust in the site they’re viewing. But, attackers can use HTTPS just like legitimate web site owners.

Why attackers are using these new tactics

It makes all the sense in the world for attackers to regularly switch up their tactics against their potential victims. If technology and organizations get better at stopping attacks that come directly through email attachments, for example, it makes sense to ramp up URL-centric attacks in response. Attackers simply do what works.

Unfortunately, there is a disconnect in the case of HTTPS for users about what is secure and what isn’t. People have been trained or simply concluded that having the lock on a webpage means it is “secure.” In fact, it means the communications between your browser and the web site have been encrypted and thus should be considered private, but not necessarily secure, as the web site could be under the control of an attacker. It is not that big a lift for an attacker to get a security certificate for their web site just like legitimate web sites do.

In addition, well-known Internet brands are a common target for site-spoofing or impersonation because they’re well known and trusted. And it’s likely that the intended victim does business with sites such as Apple, Amazon and PayPal among others, so the hit rate for targets should be pretty high. Also, it’s valuable to the attacker to steal your credentials to these sites as there are things they can steal and monetize from them.

In addition, the rise in using file-sharing services in attacks is an interesting and growing tactic for adversaries. These services are generally trusted and thus can’t be blocked out-of-hand. But, they also deliver files, after all, and it’s very easy for an attacker to get their malware in one of those services and ready it for delivery. It has become a requirement that the security system of record inspect the emails delivering the links as well as the file downloads from these file sharing services before allowing them to be delivered.