What is a Reply-Chain Phishing Attack?

Companies had to deal with more than COVID complications last year; they also faced brutal cyber-attacks. Reply-chain phishing drew wide attention after the furniture giant IKEA noticed malicious reply-chain emails making rounds inside the company. While IKEA was able to contain the attack, many companies are still unaware of the lurking danger.

What Is Reply-Chain Phishing?

Reply-chain phishing (also called email thread hijacking) is a method attackers use to insert themselves into legitimate conversations by taking advantage of compromised email accounts.

Unlike conventional spear-phishing, where the sender address is spoofed or a look-alike domain is used, reply-chain phishing involves gaining control of a real email account and sending from it. There is no forged sender for a mail filter or a recipient to catch.

Attackers obtain these accounts in different ways (see below). Once they control an employee's mailbox, they read through existing threads looking for those with the highest chance of landing a victim: active conversations with several participants, ideally ones in which documents or links are already being exchanged. They then reply to the thread with a malicious link or attachment.

A recipient who clicks the link or opens the attachment unintentionally installs malware that can then spread through the network. Another tactic is to plant malicious links in the account's out-of-office auto-replies, so that anyone who emails the victim receives the lure. Both tactics are a way to spread malware.

The actual owner of the account often doesn't see the malicious reply. Attackers typically delete their messages from the Sent Items folder and create inbox rules that divert any responses into an obscure folder or delete them outright, so a reply-chain attack can go unnoticed for some time.

Reply-chain phishing is hard for employees to notice and report because the email genuinely comes from a colleague's account, arrives in a thread they are already part of, and matches the conversation.

How Do Reply-Chain Attacks Work? 

It starts with attackers taking over an email account through techniques like password spraying, credential stuffing, or credentials harvested by information-stealing malware or bought from an earlier breach. They may also start from an account that was already compromised. After gaining access to one or more accounts, they monitor email threads for a chance to send malware or malicious links to the participants in the chain.

Reply-chain phishing is very effective because the parties to the email already trust each other. The attackers do not insert themselves as new participants in the conversation and they are not trying to spoof another employee's address. Instead, they operate from behind a genuine account.

Since the attacker has access to the full thread, they can customize their nefarious message to fit the topic of an ongoing conversation. This, on top of the fact that the recipient likely trusts the sender, massively increases the chance of the victim opening the malicious attachment or clicking a dangerous link.

To simplify it all, let's say Taylor's account was compromised and the attacker sees that Taylor, Bethanie and a few other team members have been discussing a new project campaign. The attacker can take advantage of this conversation to reply to Bethanie with a malicious link to a document or article that appears related to the discussion.

How To Protect Your Business Against Reply-Chain Hacking

There are several ways to protect your company against email chain attacks. They include:

  • Make sure that all employees follow best security practices with their email accounts. This includes using multi-factor authentication and a unique, strong password for the account (password reuse is what makes credential stuffing work).
  • Inspect inbox and mailbox settings regularly. Look for rules that forward, redirect, delete or move incoming replies to other folders, and for mailbox-level forwarding, particularly anything the user did not set up themselves. If you notice any, contact your IT team immediately.
  • If possible, disable Microsoft Office macros. Macros are small programs embedded in Word, Excel and PowerPoint files, and the attachment in a reply-chain email is very often an Office document that asks the reader to "Enable Content". At a minimum, block macros in files that came from the internet or as email attachments; most businesses can disable unsigned macros entirely.
  • Schedule comprehensive training sessions to increase employee awareness and knowledge about cybercrime as well as their responsibility to protect the company.
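The macro setting recommended above can be enforced from PowerShell rather than clicked through in each application. The script below is an added example for this article, not something from the original post or from Microsoft; it writes the same registry values that the Office Group Policy templates set ("Block macros from running in Office files from the Internet" and the "VBA Macro Notification Settings" policy). It assumes Office 2016 or later (policy hive version 16.0) and runs in the context of the user whose policy is being set. On a domain, push the same values through Group Policy or Intune instead of per-machine scripts.

```powershell
# Added example (not from the original post): enforce Office macro policy via the
# per-user policy registry keys that Group Policy writes. Assumes Office 2016/2019/
# 2021/365 (policy version 16.0). Key and value names are Microsoft's policy names.

$OfficeVersion = '16.0'
$Apps          = @('Word', 'Excel', 'PowerPoint')

# 1 = block macros in files carrying the Mark-of-the-Web (downloads, email attachments)
$BlockFromInternet = 1
# VBAWarnings: 2 = disable with notification (Office default), 3 = disable except
# digitally signed macros, 4 = disable all macros without notification
$VbaWarnings = 3

foreach ($App in $Apps) {
    $Key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name 'blockcontentexecutionfrominternet' `
        -PropertyType DWord -Value $BlockFromInternet -Force | Out-Null
    New-ItemProperty -Path $Key -Name 'VBAWarnings' `
        -PropertyType DWord -Value $VbaWarnings -Force | Out-Null
}

# Read the values back so the result can be checked (or collected from many machines)
function Test-MacroPolicy {
    param(
        [string[]]$Applications = $Apps,
        [string]$Version = $OfficeVersion
    )
    foreach ($App in $Applications) {
        $Key   = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
        $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application          = $App
            BlocksInternetMacros = ($Props.blockcontentexecutionfrominternet -eq 1)
            VBAWarnings          = $Props.VBAWarnings
            # Compliant = internet macros blocked AND at least "signed only"
            Compliant            = ($Props.blockcontentexecutionfrominternet -eq 1 -and
                                    $Props.VBAWarnings -ge 3)
        }
    }
}

Test-MacroPolicy | Format-Table -AutoSize
```

Setting VBAWarnings to 3 still lets macros signed by a trusted publisher run, which keeps legitimate in-house workbooks working; use 4 if the business has none. Because a user-level preference cannot override values under the Policies hive, Office will show the macros as blocked by the administrator rather than offering an "Enable Content" button.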

If an employee notices a reply-chain attack in progress, they should take the following steps: 

  • Do not click the link or open the attachment. Report the email to your security or IT team before deleting it, because they will want the full message and its headers to investigate; once they have a copy, delete it from every folder (inbox, spam and trash).
  • Reach out to the other members of the email chain through a new email thread or another channel to inform them of the attack and ask them to do the same.
  • Don't open any other message from the compromised account until the attack has been dealt with.
  • Inform your security or managed IT team so they can investigate and make sure the hackers didn't compromise your systems and data.
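When the security team investigates, one of the first things to check in a Microsoft 365 tenant is whether the compromised account (or any other) has inbox rules or forwarding that hide incoming replies from the owner, as described in the "Inspect inbox and email settings" point above. The script below is an added example for this article, not code from the original post or from Microsoft; it uses the ExchangeOnlineManagement module's Get-EXOMailbox and Get-InboxRule cmdlets and assumes an administrator has already run Connect-ExchangeOnline. The domain list and the folder names treated as "hiding places" are assumptions to adapt to your tenant.

```powershell
# Added example (not from the original post): hunt every mailbox for rules and
# forwarding settings an attacker would use to hide a reply-chain campaign from
# the account owner. Assumes the ExchangeOnlineManagement module is installed and
# the session is already connected (Connect-ExchangeOnline -UserPrincipalName ...).

# Assumption: your accepted domains. Forwards to anything else are external.
$InternalDomains = @('example.com')
# Folders attackers commonly divert mail into so the owner never notices it
$HidingFolders   = @('RSS Feeds', 'RSS Subscriptions', 'Conversation History',
                     'Archive', 'Junk Email', 'Deleted Items')

function Test-SuspiciousInboxRule {
    # Returns a list of reasons a rule looks like attacker persistence (empty = clean)
    param($Rule)
    $Reasons = @()

    $Targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo)
    foreach ($T in ($Targets | Where-Object { $_ })) {
        # Recipients render as 'Display Name [SMTP:user@domain]'; pull out the address
        $Addr   = if ("$T" -match 'SMTP:([^\]]+)') { $Matches[1] } else { "$T" }
        $Domain = (($Addr -split '@')[-1]).ToLower()
        if ($InternalDomains -notcontains $Domain) { $Reasons += "external forward to $Addr" }
    }

    if ($Rule.DeleteMessage) { $Reasons += 'deletes matching messages' }
    if ($Rule.MarkAsRead)    { $Reasons += 'marks messages as read' }

    # MoveToFolder renders as 'mailbox:\Folder'; compare only the folder name
    if ($Rule.MoveToFolder) {
        $Folder = ("$($Rule.MoveToFolder)" -split '\\')[-1]
        if ($HidingFolders -contains $Folder) { $Reasons += "moves mail to '$Folder'" }
    }

    # Attacker-created rules are often unnamed or named with a single character
    if ([string]::IsNullOrWhiteSpace($Rule.Name) -or $Rule.Name.Trim().Length -le 2) {
        $Reasons += 'blank or minimal rule name'
    }
    return $Reasons
}

$Findings = foreach ($Mbx in Get-EXOMailbox -ResultSize Unlimited `
                -RecipientTypeDetails UserMailbox `
                -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward) {

    # Mailbox-level forwarding is set outside the rules engine; report it separately
    if ($Mbx.ForwardingSmtpAddress -or $Mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox = $Mbx.UserPrincipalName; Rule = '<mailbox forwarding>'; Enabled = $true
            Reasons = "forwarding to $($Mbx.ForwardingSmtpAddress)$($Mbx.ForwardingAddress)"
        }
    }

    foreach ($Rule in Get-InboxRule -Mailbox $Mbx.UserPrincipalName) {
        $Why = @(Test-SuspiciousInboxRule $Rule)
        if ($Why.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $Mbx.UserPrincipalName; Rule = $Rule.Name
                Enabled = $Rule.Enabled;          Reasons = ($Why -join '; ')
            }
        }
    }
}

$Findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Run it during the investigation and again after the account is reset, since a rule left behind gives the attacker a quiet way back into the conversation even after the password and sessions are revoked. Any rule flagged here that the user did not create should be removed with Remove-InboxRule and the account's recent sign-ins reviewed.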

Conclusion

With a month and a half left in Q2 2022, it's important to start beefing up your cybersecurity. This includes informing your employees about the latest methods of attack, carrying out cybersecurity awareness training, equipping your IT team and creating an effective strategy to protect your data from such attacks. If it could work on a large corporation like IKEA, imagine how effective it would be against a small business.

If you need additional support, Sound Computers has your business covered. Reach us on our contact form or call us at (860) 577-8060.
June 14, 2022
Sound Computers Admin
6 Ways to Combat Social Phishing Attacks


Phishing is the number one delivery method for everything from ransomware to credential theft. Most people know to expect it by email. However, social phishing has been growing rapidly.

In recent years, phishing over social media has skyrocketed by 500%. There has also been a 100% increase in fraudulent social media accounts.

Phishing over social media often tricks the victims because people tend to let their guard down when on social platforms like Facebook, Instagram, Twitter and LinkedIn. They are socializing and not looking for phishing scams.

However, phishing scammers are out there looking for you and will reach out via friend requests and direct messages. Learn several ways you can secure your social media use to avoid these types of covert attacks.

MAKE YOUR PROFILE PRIVATE ON SOCIAL PLATFORMS

Phishing scammers love public profiles on social media because they can gather intel on you to strike up a conversation and they can also clone your profile to put up a fake page for phishing your connections.

Criminals do this so they can connect with the people on your friends or connections list and send them social phishing links, which those targets are more likely to click because they believe the message comes from someone they know.

You can limit your risk by going into your profile and making it private to your connections only. This means that only someone that you have connected with can see your posts and images. The general public cannot see your posts.

For sites like LinkedIn where many people network for business, you might still want to keep your profile public. However, you can follow the other tips below to reduce your risk.

HIDE YOUR CONTACTS/FRIENDS LIST

You can keep social phishing scammers from trying to use your social media profile to get to your connections by hiding your friends or connections list. Platforms like LinkedIn and Facebook both give you this privacy option.

Just be aware that this does not keep scammers from seeing you as a friend or connection on someone else’s profile unless they too have hidden their friends list.

BE WARY OF LINKS SENT VIA DIRECT MESSAGE & IN POSTS

Links are the preferred way to deliver phishing attacks, especially over social media. Links in social posts are often shortened, which hides the real destination until you arrive there. This makes it even more dangerous to click links you see on a social media platform.

A scammer might chat you up on LinkedIn to inquire about your business offerings and give you a link that they say is to their website. Unless you know the source to be legitimate, do not click links sent via direct message or in social media posts. They could be leading to a phishing site that does a drive-by download of malware onto your device.

Even if one of your connections shares a link, be sure to research where it is coming from. People often share posts in their own feeds because they like a meme or picture on the post. They usually don't take the time to check whether the source can be trusted.

DON’T PARTICIPATE IN SOCIAL MEDIA SURVEYS OR QUIZZES

While it may be fun to know what Marvel superhero or Disney princess you are, stay away from quizzes on social media. They’re often designed as a ploy to gather data on you. This data can then be used for targeted phishing attacks or identity theft.

The Cambridge Analytica scandal that impacted the personal data of millions of Facebook users did not happen all that long ago. It was found that the company was using surveys and quizzes to collect information on users without their consent.

While this case was high-profile, they are by no means the only ones that play fast and loose with user data and take advantage of social media to gather as much as they can.

It’s best to avoid any types of surveys or quizzes on any social media platform because once your personal data is out there, there is no getting it back.

AVOID PURCHASING DIRECTLY FROM ADS ON FACEBOOK OR INSTAGRAM

Many companies advertise on social media legitimately. However, many scammers use the platforms as well for credit card fraud and identity theft.

If you see something that catches your eye in a Facebook or Instagram ad, go to the advertiser’s website directly to check it out. Do not click through the social ad.

RESEARCH BEFORE YOU ACCEPT A FRIEND REQUEST

It can be exciting to get a connection request on a social media platform. It could mean a new business connection or reconnecting with someone from your alma mater. This is another way that phishing scammers will look to take advantage of you. They will try to connect with you first, then reach out directly via DM.

Do not accept friend requests without first checking out the person on the site and online using a search engine. If their timeline only has pictures of themselves and no posts, that is a big red flag and you should decline the request.

CAN YOUR DEVICES HANDLE A PHISHING LINK OR FILE?

It’s important to safeguard your devices with things like DNS filtering, managed antivirus, email filtering and more. This will help protect you if you happen to click on a phishing link.

Sound Computers can help you navigate the process of securing your devices. Contact us at info@soundcomputers.net or give us a call at (860) 577-8060.

June 9, 2022
susan