Phishing attacks are getting better and better every day and even the latest spam filters let them through.
One currently being sent out to many email addresses in Germany appears to be from DHL about tracking orders on the way to the recipient's house.
For the German-speaking market the quality is very good. Previously, end users could easily detect this kind of phishing attack because the emails contained spelling errors or bad translations from Google Translate.
Today, they no longer include spelling errors and even the graphics and the branding of the email look genuine.
Which one is the phishing email?
Can you spot the phishing email?
The sender address in both emails is not DHL, but the left one with the OXID7 logo is a valid DHL email.
The hyperlink in the DHL phishing email is the malicious content linking to a .org page to start delivering malware for download.
More and more of these advanced and targeted attacks will appear in the future and they can’t be prevented completely. Even if 95% are prevented with up-to-date technology, letting 5% through is still a threat.
So it’s more and more important that organisations have visibility and the ability to create awareness once they identify that a phishing attack has succeeded.
In this example, an organisation needs to ask eight core questions:
- Which users have received a DHL delivery email in the past?
- When did the DHL campaign start?
- Did someone click on the link within the DHL email, or are users well trained enough not to? Tip: hovering the mouse over the link reveals the real URL before it is followed
- Did the proxy block the file download if someone clicked the link?
- Did the endpoint AV scanner block the malware if it got past the proxy and was executed by the user?
- Was there any connection to an unknown IP address, or any change to the endpoint configuration, after the malware was downloaded?
- If the phishing website simulated a valid web page (Amazon, Outlook Web Access etc.), did the user try to log on and submit their credentials?
- Can a pattern be identified to find out whether more users have had similar attacks?
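As an added example (not part of the original article or any Splunk product), a small Python triage script that joins a mail-gateway log, a web-proxy log and an endpoint AV log on user name to answer most of the questions above; the log entries, user names and the parcel-tracking.example.org domain are constructed placeholders, not data from the real campaign.

```python
from urllib.parse import urlparse

# Constructed sample logs (not real data): a mail-gateway log, a web-proxy log
# and an endpoint AV log, all keyed by the same user name so they can be joined.
MAIL_LOG = [
    {"ts": "2016-03-01T08:02", "user": "anna", "subject": "DHL Paketankündigung", "url": "http://parcel-tracking.example.org/track?id=1"},
    {"ts": "2016-03-01T08:05", "user": "ben", "subject": "DHL Paketankündigung", "url": "http://parcel-tracking.example.org/track?id=2"},
    {"ts": "2016-03-01T09:10", "user": "chris", "subject": "DHL Paketankündigung", "url": "http://parcel-tracking.example.org/track?id=3"},
    {"ts": "2016-03-01T09:20", "user": "erik", "subject": "DHL Paketankündigung", "url": "http://parcel-tracking.example.org/track?id=4"},
    {"ts": "2016-02-28T17:00", "user": "dana", "subject": "Weekly report", "url": "https://intranet.example.com/report"},
]
PROXY_LOG = [
    {"ts": "2016-03-01T08:07", "user": "ben", "url": "http://parcel-tracking.example.org/track?id=2", "action": "blocked"},
    {"ts": "2016-03-01T09:12", "user": "chris", "url": "http://parcel-tracking.example.org/dl/paket.exe", "action": "allowed"},
    {"ts": "2016-03-01T09:25", "user": "erik", "url": "http://parcel-tracking.example.org/dl/paket.exe", "action": "allowed"},
]
AV_LOG = [
    {"ts": "2016-03-01T09:13", "user": "chris", "file": "paket.exe", "action": "quarantined"},
]
PHISHING_DOMAIN = "parcel-tracking.example.org"  # placeholder for the campaign's .org host

def _host(url):
    return urlparse(url).hostname or ""

def triage(mail_log, proxy_log, av_log, domain, subject_keyword="DHL"):
    """Join the three logs on user to answer the investigation questions above."""
    lures = [m for m in mail_log
             if subject_keyword in m["subject"] or _host(m["url"]) == domain]
    recipients = sorted({m["user"] for m in lures})
    hits = [p for p in proxy_log if _host(p["url"]) == domain]  # link was followed
    clicked = sorted({p["user"] for p in hits})
    proxy_blocked = sorted({p["user"] for p in hits if p["action"] == "blocked"})
    reached = {p["user"] for p in hits if p["action"] == "allowed"}
    av_blocked = sorted({a["user"] for a in av_log
                         if a["user"] in reached and a["action"] == "quarantined"})
    return {
        "recipients": recipients,
        "campaign_start": min((m["ts"] for m in lures), default=None),
        "clicked": clicked,
        "proxy_blocked": proxy_blocked,
        "av_blocked": av_blocked,
        # Exposed: link followed and neither the proxy nor the endpoint AV stopped it.
        "exposed": sorted(u for u in reached if u not in av_blocked),
        # Received the lure but have not clicked yet: candidates for a targeted warning.
        "not_clicked": [u for u in recipients if u not in clicked],
    }

ANSWERS = triage(MAIL_LOG, PROXY_LOG, AV_LOG, PHISHING_DOMAIN)
```

In a real deployment the same joins would be run as searches across the indexed mail, proxy and endpoint data, and the "exposed" list is the set of hosts that need the IP-connection and configuration-change checks from the list above.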
Organisations that have the capability to get quick answers to their questions lower the risk and can respond with the right actions to prevent further damage.
Sourced from Matthias Maier, security evangelist, Splunk