Cybercriminals using new tactics for phishing attacks: what you need to know
A new report shows that in January 2023 cybercriminals used three new phishing tactics: abusing web translation links, sending image-only emails, and inserting special characters.
Although the total number of attacks using these tactics is currently low (each tactic accounts for less than 1 percent of phishing attack attempts), they are widespread, affecting 11 to 15 percent of organizations, often with multiple attacks, according to IT security company Barracuda Networks.
“Cyber-attacks have increased significantly in India recently, so cybercriminals continue to develop their phishing methods to trap unwary recipients and avoid detection and blocking. To defend your organization, you need the latest AI-enhanced email security that can effectively inspect context, subject, sender and more to determine whether a good-looking email is actually a well-disguised attack,” said Parag Khurana, Country Director, Barracuda Networks India.
The first tactic involves using Google Translate web links.
Attackers use poorly formatted HTML pages or an unsupported language to prevent Google from translating the web page. Google responds by providing a link to the original URL and stating that it cannot translate the underlying website.
Attackers embed a URL link in an email, and if the recipient clicks on it, they are redirected to a fake but genuine-looking website, which is actually a phishing site controlled by the attackers.
Another tactic involves the use of image-based attacks by spammers, and researchers have found that attackers are now increasingly using images without text in their phishing attacks.
These images, which may be fake forms such as invoices, contain a link or callback number that leads to phishing.
According to the report, these attacks do not contain text, so traditional email protections may struggle to detect them.
The data shows that around one in ten (11 percent) organizations were targeted by this type of phishing email in January 2023, with each receiving an average of around two such emails per month.
A third tactic involves hackers using special characters such as zero-width Unicode code points, punctuation, non-Latin script, or spaces to avoid detection.
This tactic is also used in “typo-squatting” attacks, where a URL mimics the real site's address but contains a few typos.
However, when used in a phishing email, the special characters are not visible to the recipient.
Such attacks can also be difficult to detect because special characters can be used for legitimate purposes, such as email signatures, the report states.
In January 2023, more than one in seven (15 percent) organizations received phishing emails using special characters in this way, with each receiving an average of about four such emails per month.
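As an added illustration of the third tactic (not code from the report or from Barracuda), this Python example flags zero-width code points and mixed-script words in a line of email text, and separates characters hidden inside a word from those at a word edge, where legitimate uses such as signatures tend to appear. The code-point list, function names and sample strings are assumptions constructed for the example.

```python
import unicodedata

# Invisible code points (Unicode category Cf) that render with zero width.
# This list is an assumption for the example, not an exhaustive set.
ZERO_WIDTH = "\u200b\u200c\u200d\u2060\ufeff"

def script_of(ch):
    """Rough script label taken from the Unicode name, e.g. LATIN or CYRILLIC."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def inspect_text(text):
    """Return (visible_word, reason) findings for one subject or body line."""
    findings = []
    for token in text.split():
        visible = "".join(c for c in token if c not in ZERO_WIDTH)
        if not visible:
            continue  # token consists only of invisible characters
        # Invisible characters left after trimming the edges sit between
        # visible characters: the reader sees one word, a filter sees fragments.
        if any(c in ZERO_WIDTH for c in token.strip(ZERO_WIDTH)):
            findings.append((visible, "zero-width inside word"))
        elif len(visible) != len(token):
            findings.append((visible, "zero-width at word edge"))
        # A single word drawing letters from two scripts suggests a look-alike.
        scripts = {script_of(c) for c in visible if c.isalpha()}
        if len(scripts) > 1:
            findings.append((visible, "mixed scripts: " + "+".join(sorted(scripts))))
    return findings

def normalize(text):
    """Strip zero-width code points so keyword checks see what the reader sees."""
    return "".join(c for c in text if c not in ZERO_WIDTH)

# Constructed samples, not taken from the report.
SAMPLES = [
    "Your pass\u200bword exp\u200cires today",  # zero-width inside keywords
    "Sign in at p\u0430ypal.example",            # Cyrillic letter in a Latin word
    "Regards, Dana\u200b",                       # trailing zero-width, e.g. a signature
    "Quarterly invoice attached",                # clean
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(normalize(s)), inspect_text(s))
```

Treating the word-edge case as lower priority than the inside-word case is one way to reduce noise from the legitimate uses the report mentions.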