
Cybercriminals using novel phishing tactics to get their target


When it comes to phishing tactics, cybercriminals continue to successfully bypass security measures and avoid detection. No matter how much organizations spend on cybersecurity, cybercriminals still manage to find a way to infiltrate the organization.

Over the years, cybercriminals have learned new ways to improve their cyberattacks, even as businesses continue to invest in improving their cybersecurity. Yet, every month, there are still reports of data breaches and ransomware wreaking havoc on businesses around the world.

Phishing attacks continue to make headlines in the Asia-Pacific region, with hackers using the attacks to steal user data, including login credentials and credit card numbers. According to cybersecurity vendor Barracuda, these attacks are constantly evolving, as attackers introduce new techniques and tactics to outsmart security teams.

While ransomware remains a major threat, phishing tactics by cybercriminals continue to evolve, targeting victims without any mercy. In fact, Barracuda has uncovered three new phishing tactics cybercriminals are using, according to its most recent Threat Spotlight.

The three novel tactics used to defy security teams and catch unsuspecting victims include the misuse of web translation, image-only emails, and the insertion of special characters. Barracuda analyzed data from thousands of phishing emails it blocked during January 2023 to identify novel phishing tactics.

Three novel phishing tactics

1) Attacks using Google Translate web links

Barracuda researchers found evidence of hackers using Google Translate web links to mask malicious URLs. In these attacks, scammers use poorly-formed HTML pages or a non-supported language to prevent Google from translating the webpage – and Google responds by providing a link back to the original URL stating that it cannot translate the underlying website.

The attackers embed that URL link in an email, and if a recipient clicks on it, they are taken to a fake but authentic-looking website that is in fact a phishing website controlled by the attackers. At least one-in-eight organizations (13%) were affected, being targeted by an average of eight such emails during January 2023. These emails are incredibly difficult to detect, as they contain a URL that points to a legitimate website.


2) Image-based attacks

About one-in-ten (11%) organizations were also being targeted by at least two image-based attacks, which did not contain any text. These images, which can be fake forms such as invoices, tend to include a link or a call-back phone number that, when followed up, leads to phishing. Because these attacks do not include any text, traditional email security can struggle to detect them.

3) Special-character attacks

Hackers often use special characters, such as zero-width Unicode code points, punctuation, non-Latin script, or spaces, to evade detection. This type of tactic is also used in “typo-squatting” web address attacks, which mimic the genuine site but with a slight misspelling.

When they are used in a phishing email, the special characters are not visible to the recipient. They can be inserted into a malicious URL embedded in a phishing email, breaking the URL pattern so that security technologies do not detect it as malicious. Detection of such attacks can also be difficult because there are legitimate purposes for the use of special characters, such as within email signatures.

In January 2023 alone, Barracuda researchers found more than one in seven (15%) organizations received phishing emails that use special characters in this way, each receiving on average around four such emails during the month.
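As an added illustration (not code from Barracuda or from the original article), the sketch below shows one way a mail filter could catch the special-character tactic described above: it removes invisible Unicode format characters before matching URLs, then reports only those URLs whose raw form contained hidden characters, so invisible characters in a signature are not flagged. The function names, the sample messages and the `example.test` domain are assumptions made for the example.

```python
import re
import unicodedata

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def is_invisible(ch):
    # Unicode category Cf (format): zero-width space and joiners, word joiner,
    # BOM, soft hyphen, bidi controls. None of them render as a glyph.
    return unicodedata.category(ch) == "Cf"

def find_obfuscated_urls(text):
    """Return one finding per URL whose raw form hides invisible characters."""
    visible, raw_index = [], []
    for i, ch in enumerate(text):
        if not is_invisible(ch):
            visible.append(ch)
            raw_index.append(i)  # position of this visible char in the raw text
    cleaned = "".join(visible)

    findings = []
    for m in URL_RE.finditer(cleaned):
        # Map the match back to the raw text to see what was hidden inside it.
        raw_span = text[raw_index[m.start()]: raw_index[m.end() - 1] + 1]
        hidden = [ch for ch in raw_span if is_invisible(ch)]
        if hidden:
            findings.append({
                "url": m.group(0),  # normalized URL to pass to reputation checks
                "hidden": sorted({f"U+{ord(ch):04X}" for ch in hidden}),
                "count": len(hidden),
            })
    return findings

# Constructed sample messages (example.test is a reserved test domain).
PHISH = "Your mailbox is full. Verify: https://login.exa\u200bmple.test/\u2060reset now"
BENIGN = "See https://example.test/docs\n--\nJane Doe\u200b | Support\u200d Team"

if __name__ == "__main__":
    for name, body in (("phish", PHISH), ("benign", BENIGN)):
        print(name, find_obfuscated_urls(body))
```

The normalized `url` value is what should be handed to blocklist or reputation lookups, since the raw string with embedded code points will not match any known-bad entry.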

For Mark Lukie, Director of Solution Architects, APAC, Barracuda, phishing is a common starting point for many cyberattacks, including ransomware, financial fraud and credential theft, and cybercriminals continue to develop their phishing approaches to trap unwary recipients and avoid being spotted and blocked.

“We continue to see these attacks affecting business across the Asia-Pacific region, a trend which is unlikely to go away anytime soon. To defend your organization, you need AI-enhanced email protection that can inspect the context, subject, sender, and more to determine whether a benign-looking email is in fact a well-disguised attack,” commented Lukie.

At the same time, Lukie also reminded organizations to train employees to understand, identify and report suspicious messages, plus have tools that enable them to quickly identify and remove any traces of a malicious email from user inboxes and compromised accounts should a malicious email manage to break through.