Ronke Babajide


2024


A New Strain of Malware Is on Its Way to Your Inbox

Don’t be the person responsible for your company being mentioned on the breaking news

Photo by Sigmund on Unsplash

Maybe you’ve heard of the 2019 email scam attack on Toyota where employees wired $37 million to some hacker's account because they thought the email with the instructions came from top executives inside the company.

If you’re unfamiliar with the power of social engineering, this seems like an outlandish scenario from a cheap TV thriller. Who would fall for such a scam? This would never happen to me. I’m sure this is what you thought when you first read about the incident. I sure did.

But hear me out. It could happen to you — or me, for that matter. 68% of us would be fooled by a phishing email if we thought it came from a coworker.

Business email compromise (BEC) attacks, as well as ransomware attacks, are widespread. If you are working in finance and accounting for a large corporation, you can be sure that someone out there is currently trying to gather information about you and your colleagues to find a possible angle.

The attackers will learn as much as possible about you and your company before they strike. When they do, they will use all the information they gathered from websites, social media, phone calls, etc., to make the attack as difficult to detect as possible.

Why Phishing Attacks at Work Are More Likely to Succeed

Why are we especially likely to fall into this trap at work?

  • Hackers use more diligence when attacking companies because there is more to be gained
  • The familiarity of the work environment lowers our defenses
  • Hierarchies make us more prone to follow instructions without questioning
  • Humans are social beings. We aim to please. Especially at work, we try to garner our peers’ and superiors’ favor.
  • Constant distractions and overload at work make it more likely for us to slip up.

When you receive an email from a co-worker or a superior that looks genuine, your first thought surely isn’t: “They are trying to trick me!”. Instead, you will immediately think about what you need to do to fulfill the request, check what they need, or work on the problem.

This is precisely what studies show. Take a look at the infographic below. You can see that the only motivator nearly as strong as a message from a coworker is the fear of something embarrassing showing up on social media; both make people click on a link or attachment in an email.

Infographic from KnowBe4 (https://blog.knowbe4.com/which-phishing-emails-fooled-the-most-people-infographic)

How Doubledrag, Doubledrop, and Doubleback Trick You

When we receive an email from our bosses or a coworker containing a PDF attachment that doesn’t open, we’ll likely click on the second attachment in the mail to see if it has more information.

The new malware strains dubbed Doubledrag, Doubledrop, and Doubleback, recently found by the FireEye team (https://www.fireeye.com/blog/threat-research/2021/05/unc2529-triple-double-trifecta-phishing-campaign.html), target global finance. Their modus operandi is exactly this.

In a summary of recent findings on the KnowBe4 blog (https://blog.knowbe4.com/heads-up-new-malware-families-found-in-phishing-campaign), Stu Sjouwerman explains:

While the phishing emails contained a PDF attachment, they also included a .js file. Victims believed that since the PDF file was ‘unreadable’, they attempted to double click on the .js file. Unfortunately, that resulted in the Doubledrag downloader being executed.

If the email contained only the .js file, most users would be suspicious and wouldn’t click on the attachment. But clicking on the familiar PDF attachment lowers the suspicion to the point that the users fall into this trap easily.

The combination of social engineering and familiarity with a PDF attachment is especially dangerous.

The familiarity of the sender name and the constant flow of emails with similar attachments make it easy to put the entire company at risk with one click.
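The lure described above has a shape a mail gateway or SOC triage script can look for: a familiar document attachment travelling together with a script file that Windows will execute on double-click. The following is an added example written for this article; it is not code from the article, FireEye or KnowBe4, and the message it parses is constructed inline. The extension lists and the quarantine/deliver verdicts are assumptions chosen for illustration, not anyone's published policy.

```python
"""
Triage an inbound email for the "document decoy plus script attachment"
pairing (for example invoice.pdf next to invoice.pdf.js).

Added example for a mail-gateway or SOC triage step. The sample message
is constructed here; the extension sets are illustrative assumptions.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# File types Windows hands to a script host or loader on double-click.
# Assumption for illustration; a production policy would be broader.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".ps1", ".cmd", ".bat", ".scr", ".exe", ".lnk",
}
# Document types typically used as the "familiar" decoy.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}


def extension_of(filename: str) -> str:
    """Lowercase final extension including the dot, or '' if there is none.

    Only the last extension counts, so 'invoice.pdf.js' is classified as .js.
    """
    name = filename.strip().lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def triage_attachments(raw_message: bytes) -> dict:
    """Parse a raw RFC 5322 message and classify its attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    # iter_attachments() skips the body part(s) and yields the rest.
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    scripts = [n for n in names if extension_of(n) in SCRIPT_EXTENSIONS]
    documents = [n for n in names if extension_of(n) in DOCUMENT_EXTENSIONS]
    pairing = bool(scripts) and bool(documents)

    if pairing:
        verdict, reason = "quarantine", "script attachment paired with a document decoy"
    elif scripts:
        verdict, reason = "quarantine", "script attachment"
    else:
        verdict, reason = "deliver", "no script attachments"

    return {
        "attachments": names,
        "scripts": scripts,
        "documents": documents,
        "decoy_pairing": pairing,
        "verdict": verdict,
        "reason": reason,
    }


def build_sample_message(include_script: bool = True) -> bytes:
    """Constructed sample: a PDF that will not open, optionally plus a .js file."""
    msg = EmailMessage()
    msg["From"] = "cfo@example.com"        # constructed; sender spoofing not modelled
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "Invoice for approval"
    msg.set_content("Hi, please see the attached invoice and approve it today.")
    msg.add_attachment(
        b"%PDF-1.4\n% deliberately truncated so a viewer reports it as unreadable\n",
        maintype="application", subtype="pdf", filename="invoice.pdf",
    )
    if include_script:
        msg.add_attachment(
            b"// placeholder script body (constructed for this example)\n",
            maintype="application", subtype="javascript", filename="invoice.pdf.js",
        )
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        result = triage_attachments(build_sample_message(include_script=flag))
        print(result["verdict"], "-", result["reason"], "-", result["attachments"])
```

The check deliberately keys on the last extension only, so a double extension such as `invoice.pdf.js` is treated as a script rather than a document; pairing a script with a document decoy is reported separately from a lone script so analysts can prioritise the lure pattern from the campaign above.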

How to Protect Yourself and Your Company

The security team in your company is aware of the problem and is doing its best to protect you. But it can only protect you if you remain vigilant.

Frequent security training for employees and internal phishing campaigns are tools companies can use to keep employee awareness high. But this doesn’t protect against a momentary slip.

Every time you get an unexpected email from your boss or colleagues with links or attachments, take a moment to think. Is this dangerous? If there are instructions to do something unusual, pick up the phone and ask the sender. Thank yourself and me later.
