The Research, Analysis, and Intelligence Division (R.A.I.D.) here at PhishLabs interacts with a multitude of malware samples in our day-to-day operations. Occasionally, we come across a campaign that stands out from the rest. One such instance occurred recently when one of our Phishing Threat Monitoring service clients was targeted with DNSMessenger, a sophisticated, memory-based infection technique, which has been previously associated with a financially-motivated Advanced Persistent Threat (APT) actor group. Also notable is the delivery method – the increasingly popular Dynamic Data Exchange (DDE) protocol Office document attack. This delivery method has recently been adopted by actors ranging from nation-state APTs to spammers peddling downloaders and ransomware. In this article, we will examine this delivery vector and dissect the initial DNSMessenger payload.
The Electronic Frontier Foundation (EFF) has reported that activists at Free Press and Fight for the Future were hit over the summer with a targeted spear phishing campaign that involved nearly 70 phishing attempts. If you haven't read their report, you should. Very few organizations would come out of the same situation unscathed.
Since May 9, PhishLabs has tracked multiple phishing campaigns that use DocuSign branding to lure victims into downloading malicious files. These campaigns followed a breach of a DocuSign database containing user email addresses. Each of the campaigns associated with this breach contains similar, yet distinct, characteristics. The third, and most recent, campaign was launched on May 17.
Frustrating, isn’t it? You put all that effort into designing a security awareness training program…
But is it helping keep your organization safe? Or is it just satisfying your compliance requirements?
The truth is you have no idea. After all, how can you measure return on investment (ROI) for something intangible like security awareness training?
Everybody knows phishing is costly to their organization.
But how costly? Few organizations know for sure.
Plenty of studies have claimed to calculate the cost of phishing, but the results are usually hard to swallow. For instance, does phishing cost your organization $1.6 million per incident? Or $3.7 million per year?
Perhaps... but probably not.
The issue with these figures is that they're averages, heavily skewed by data from huge organizations. The results may be interesting, but they're of little use to most organizations.
Most security awareness training is boring, infrequent, and ineffective. And the worst part is… everybody knows it.
But why? How did we get to this point? And who does all this sub-par security awareness training benefit?
To answer these questions we’ll need to examine one of the main drivers: Compliance.
Modern threat actors devote huge amounts of time to identifying and exploring new exploits, tactics, and techniques for circumventing security and compromising corporate networks. The majority of headline breaches are initiated by spear phishing attacks, and not only are they sophisticated enough to make it past most spam filters, some are able to fool even seasoned security personnel.
When it comes to security, it pays to be completely honest with yourself. After all, you may be able to hide weaknesses in your network from yourself, but that won’t stop threat actors from finding them.
If you are totally honest with yourself, you’ll realize there’s no way to completely shield your users from attacks.
You can tighten your spam filter, keep a watchful eye on user permissions, and buy the best endpoint security package you can afford… but still, some attacks will make it through. And if your users are like most people, right now they aren’t even close to being ready to cope with that. We explored this previously in Why Some Phishing Emails Will Always Get Through Your Spam Filter.
We believe people can be the last line of your network defense – and do a damn good job of it – but first they have to be trained.
Here are a few ideas to get you started.
Frustrating, isn’t it?
It seems like no matter what you do, a few phishing emails always find their way into your users’ inboxes. You’ve tweaked your spam filter, and you’re scanning every attachment… But nothing seems to work.
Is it you? Are you making some glaring mistake?
Probably not. We've discussed before why your users keep falling for phishing scams, and there's more to it.
The fact is that no matter how good your security, a small percentage of phishing emails will always reach your users’ inboxes.
We’ve all been there. That awful moment, when you realize it’s happened again.
“Why do they never learn?” you ask yourself. “It really isn’t that hard!”
Time and time again, your users click on malicious links and attachments in phishing emails, and it seems like no matter what you do to improve their awareness, it never gets any better.
So why do they keep falling for phishing scams? Is it just complacency? Or something more?