This week, it came to light that gaming platform Roblox was breached via a phishing/social-engineering attack that led to the theft of internal documents and the leaking of them online in an extortion attempt.
The hacker has posted documents on a forum that purport to contain information about some of Roblox’s most popular games and creators, according to Motherboard. Additionally, some of the documents include individuals’ personally identifiable information.
But Roblox is hardly alone — it’s just the latest in a long line of corporate phishing victims. The success of these attacks showcases just how effective phishers have become at manipulating employee targets at various enterprises.
In the last few months, the IT security news cycle has been dominated by reports of phishing attacks exploiting trusted applications like email, QuickBooks, and Google Drive, to name just a few. This week, research from Avanan shows that hackers have found a new way into the inbox by creating fake invoices in PayPal, leveraging the site’s legitimacy to gain access.
The abuse of legitimate services is a key factor in the latest spate of phishing attacks, which use social engineering tactics to lure victims into giving up information like login credentials. SlashNext Threat Labs reported a 57% increase in phishing attacks from trusted services between the fourth quarter of 2021 and the first months of 2022.
In June, Microsoft 365 and Outlook customers were targeted with voicemail-themed emails as phishing lures, while QuickBooks users were victims of back-to-back campaigns in June and July, including a vishing scam targeting small businesses. And, indeed, concerns over multichannel phishing attacks are growing, with a particular focus on smishing and business text compromises.
Meanwhile, cloud collaboration and the use of tools like Zoom and Microsoft Teams have exploded during the past two years since the onset of the pandemic, and have become standard operating procedures for remote workers. Attackers have seen this trend and capitalized on it.
Phishing Lures Grow in Sophistication
Jeremy Fuchs, cybersecurity research analyst at Avanan, points out that phishing attacks continue to become more sophisticated, and social engineering tactics continue to evolve. He says he thinks there will be increased usage of legitimate services like PayPal to send phishing emails that come from a legitimate email address.
“We’ve seen an uptick in so-called double-spear tactics, whereby the hackers not only get your funds, but they also get your phone number for future attacks,” he says. “We’ll see more of these attacks that can snag more than one item from an end user.”
Gretel Egan, senior cybersecurity awareness training specialist at Proofpoint, says she continues to see attackers abusing well-known brands and taking advantage of legitimate services to trick people into making fundamental mistakes in the inbox.
“These are messages that look ‘right’ on the surface, that tap into ways of working,” she says. “These types of subtle manipulations can be difficult for people to spot, and it’s critical that workers be made aware of attackers’ capabilities and propensities to operate in this manner.”
Egan explains that threat actors are using real-time events and themes that have the attention of the wider world.
“If it’s something we are talking about as a society, or something that elicits strong emotions, then it is content that is likely to be exploited,” she says. “Increasingly, we are seeing threat actors use their social engineering content to move victims out of the corporate email environment to alternate communication platforms such as the telephone and conferencing software.”
Distributed Workforce Adds to Vulnerabilities
Social engineering is inherently people-centric, and in today’s hybrid workforce, organizations are struggling to protect data, devices, and systems while remaining agile.
Egan points out employees are also having to adapt to remain connected and engaged with their co-workers.
“Those in remote and hybrid environments are relying heavily on collaboration applications and social media, both public and enterprise,” she says. “These trends have opened the door to a whole host of social engineering tactics and other cyber threats.”
She notes social engineering techniques aren’t seen only in emails — these tactics are being used successfully across text messages, phone calls, direct messages, and more.
Fuchs agrees remote work has its challenges, including not being able to stop by IT’s desk to ask about an email.
“But while working from home, distraction might play a role,” he adds. “There are more stimuli — the dog barking, the child crying, answering a thousand Slack messages — that taking the time to focus on the keys in an email that alert you to the fact it might be suspicious can go to the wayside.”
Deploying Advanced ML, AI Tech
Fuchs argues IT policies must move away from static “allow and block lists” and move toward advanced AI.
“Static lists allow these legitimate services to be used for phishing,” Fuchs says. “Advanced AL and ML can suss out what’s real and what’s not.”
Egan says multilayered protection is the best strategy against phishing emails, layered within a culture of security with the placement of people at the center.
She adds that it’s important to understand which users are most targeted and which are the likeliest to fall for the social engineering that phishing attacks rely on.
“Users are a critical line of defense against phishing and it’s important that security awareness education provides a foundation to ensure everyone can identify a phishing email and easily report it,” she says. “This should be combined with layered defenses at the email gateway, in the cloud, and at the endpoint.”
Fuchs agrees that, for employees, training continues to be a must and it needs to focus on having the user slow down and check a few critical signs, like sender address and URL destination.
From his perspective, a two-second check can often avoid disaster.
“The key takeaway from this this deluge of phishing attacks is that hackers have found tremendous success leveraging legitimate brands,” he says.
Whether it’s spoofing the brand or sending phishing emails directly from the service, anything that looks like a trusted brand is more likely to land in the user’s inbox and more likely to be acted upon.
“Impersonation scams are on the rise, and, given the tremendous amount of services they can leverage, it’s not likely to slow down,” he warns.