Hackers impersonate trusted brands to find their way into victims’ inboxes because leveraging the legitimacy of a trusted domain means security solutions are more likely to view the e-mail itself as legitimate.
Researchers at Avanan say this is called ‘the static expressway’, or the practice of hackers utilizing Web sites that are on static ‘allow lists’ to get into the inbox. Beginning in May this year, Avanan researchers have noted hackers using the domain of QuickBooks, quickbooks.intuit.com, to send malicious invoices and request payments.
“The hackers send the e-mail from QuickBooks’ domain, using a free QuickBooks account that they have signed up for, with the e-mail body spoofing brands like Norton or Office 365,” Fuchs explains.
Attackers create accounts in QuickBooks and then send malicious invoices and requests for payments directly from the service.
Static allow lists
“Over the years, we’ve seen this across many popular brands, such as Microsoft, Google, Walgreens, DHL, Adobe, and many more. The idea is to take advantage of the fact that these popular Web sites are on static allow lists.”
For obvious reasons, companies can’t block Google, so Google-related domains are allowed to come into the inbox.
Lucidchart is a well-known web-based diagramming application that lets users collaborate visually on drawing, revising, and sharing charts and diagrams, and improve processes, systems, and organizational structures.
This cloud-based tool is used by the vast majority of the Fortune 500. From outlining business cycles to information streams, the application has many uses.
Since it is such a popular site, it is more likely to be trusted by email security services. Static allow and block lists condense the Internet into trusted and untrusted sites, and content from the trusted sites is let through into the inbox.
Hackers know this, and so they embed phishing links into these shareable documents. The offending page is not scanned, and thus the phishing link goes undetected.
In this attack, hackers are embedding credential harvesting links into Lucidchart documents.
The user is presented with an email asking them to verify that an invoice has been submitted for payment. The user is encouraged to click on the attachment, which says “Open Invoice”. The document goes to the Lucidchart page.
The Lucidchart page has a message saying a new document is attached. That “Open Docs” link goes to a credential harvesting page.
The user is then directed to a fake Microsoft login page, which actually steals credentials.
Hackers continually leverage legitimate sites to embed phishing materials that get delivered directly to the end-user. Whether it is PayPal or QuickBooks, we’ve seen a significant jump in these attacks. Because they rely on the legitimacy of the site, these e-mails are more likely not only to get into the inbox, but also to be acted upon by end-users.
Combining social engineering with legitimacy is an effective way to get into the inbox and gain credentials from users.
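The gap described above, as an added example (not code from Avanan or from any mail security product): a static allow-list verdict shown beside a check that keeps inspecting trusted hosts where anyone can open an account. The host sets, the brand-to-domain map, the message fields and the two sample messages are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# Assumed policy data for illustration; not taken from any product.
STATIC_ALLOW = {"quickbooks.intuit.com", "lucidchart.com"}
# Trusted hosts where anyone can sign up and send mail or publish documents.
USER_CONTENT_HOSTS = {"quickbooks.intuit.com", "lucidchart.com"}
# Brand names and the domains that legitimately send mail for them.
BRAND_DOMAINS = {
    "norton": {"norton.com"},
    "office 365": {"microsoft.com", "office.com"},
}

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def on_list(host, hosts):
    """True if host equals a listed entry or is a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in hosts)

def static_verdict(msg):
    """Static allow list: a trusted sender or trusted link hosts skip inspection."""
    links = [host_of(u) for u in msg["links"]]
    trusted_links = bool(links) and all(on_list(h, STATIC_ALLOW) for h in links)
    trusted_sender = on_list(msg["from_domain"].lower(), STATIC_ALLOW)
    return "allow" if trusted_sender or trusted_links else "scan"

def hardened_findings(msg):
    """Treat trusted but user-controlled hosts as still needing inspection."""
    findings = []
    sender, body = msg["from_domain"].lower(), msg["body"].lower()
    if on_list(sender, USER_CONTENT_HOSTS):
        for brand, domains in BRAND_DOMAINS.items():
            # Body names a brand that the sending service does not represent.
            if brand in body and not on_list(sender, domains):
                findings.append(f"brand-mismatch:{brand}")
    for url in msg["links"]:
        if on_list(host_of(url), USER_CONTENT_HOSTS):
            # Shared document on a trusted host: fetch and scan the page itself.
            findings.append(f"scan-linked-page:{host_of(url)}")
    return findings

# Constructed sample messages modelled on the two campaigns described above.
QUICKBOOKS_MSG = {"from_domain": "quickbooks.intuit.com",
                  "body": "Norton invoice: payment requested for your renewal.",
                  "links": []}
LUCIDCHART_MSG = {"from_domain": "mail.example.net",
                  "body": "Please verify the invoice submitted for payment.",
                  "links": ["https://lucidchart.com/documents/view/EXAMPLE"]}

if __name__ == "__main__":
    for m in (QUICKBOOKS_MSG, LUCIDCHART_MSG):
        print(static_verdict(m), hardened_findings(m))
```

Both sample messages pass the static check, while the second function returns a finding that routes the message or the linked page to further scanning.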
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Always hover over any link to see the destination URL before clicking on it
- Encourage end-users to ask IT if the email is legitimate or not
- Encourage users to ask finance before acting on invoices