Saturday, June 3, 2023

Beware Of The Phishing Variant: The "Picture In Picture" Threat

I think I wrote in a previous blog about how Phishing scams have become much more powerful and sophisticated, and it’s not because the Cyberattacker is getting smarter.  It’s because they now have much more powerful tools at their disposal in order to make a fake email message more convincing.

Gone are the days of looking primarily at misspelled words, typos, URL links that don’t match up, etc. 

Now, you have to look at the picture that is embedded in the email in order to see if the email is genuine or not.  But how can one go about doing this?  That’s the problem.  It is very difficult to do, even for a trained eye.  That is why Cyberattackers are now using this tactic in order to lure in their victims.

But in this instance, no ordinary picture heisted from Google will do the trick.  Rather, it has to be a glossy-looking picture of a major brand, such as Target, Panera, McDonald’s, etc., where people do most of their online shopping.

In their Phishing email messages, the Cyberattacker will very often hide a malicious link behind the image.  It will offer something enticing, such as getting a gift card, or getting reduced pricing on a product or service that you want to buy.

But what is worse about this is that if you hover over the image, no link appears.  You won’t know until you actually click on the image, and from there, you will be taken to a phony, but very authentic-looking, site of the major brand.

In fact, a Cyber vendor known as Avanan just recently demonstrated how stealthy this can be.  More information about this experiment can be found at the link below:

https://www.avanan.com/blog/the-picture-in-picture-attack

The threat researchers who studied this have named this kind of attack the “Picture In Picture” attack.  But given how AI is now becoming freely available to just about everybody (thanks to ChatGPT), this new kind of attack has become that much more dangerous, because it is so difficult to discern.  This is primarily due to the following reasons:

1)     Filters cannot pick them up:

Although Corporate America has done a much better job when it comes to deploying filters to sort out and quarantine spam emails before they reach the inbox of the employees, when it comes to scanning emails with images, those filters only scan the images themselves for any malicious payloads.  At this point in time, they simply cannot detect anything malicious that is behind the picture or image.  This is technically known as “Picture Obfuscation”.  There is a way around this, and it is called “Optical Character Recognition”, or “OCR” for short.  This is where the filtering system has to break down every pixel in the image to see if there is anything malicious hidden.  But this can take some time to do, and because of that, many companies have not adopted it into the mainstream yet.

2)     Enter AI:

As mentioned earlier in this blog, the hysteria and boom around AI has not made things easier for the IT Security team.  Case in point is ChatGPT.  Although OpenAI has claimed that there are safeguards built into the system to stop it from creating malicious code, people have still been able to do this.  A prime example of this is a researcher at a Cyber vendor known as Forcepoint who convinced ChatGPT to create an image that can be used in a Phishing campaign, while also directing it not to create any kind of direct malware.  More information about this can be seen at the link below:

https://www.darkreading.com/attacks-breaches/researcher-tricks-chatgpt-undetectable-steganography-malware

Tools like ChatGPT are only going to make the problem of creating convincing Deepfakes even worse, as many Cyber experts now fear will be the case.

My Thoughts On This:

This new kind of Phishing attack just described should not be confused with yet another kind of Cyber-attack, which is known as “Steganography”.  That one is much more complex not only to create, but even to execute.  More detail about this can be seen at the link below:

https://www.darkreading.com/endpoint/picture-in-picture-obfuscation-spoofs-delta-kohls-credential-harvesting

It should be noted here that the “Picture In Picture” attack is much easier to create, and is considered to be a watered-down version of Steganography-based attacks.  Although many businesses in the United States have tried to adopt the hybrid work model, the truth of the matter is that many employees still prefer to work from home, for many different reasons.

Because of this, the Cyberattacker is now targeting this group of people.

This is because many employees still receive their work email on their personal devices (even though they should not), and those devices are very often not up to snuff with company-issued devices when it comes to security.  As a result, these emails land in the inbox of the employee, and when they see something very enticing, he or she will of course jump on it.

After all, who can resist a substantially marked-down trip to Cancun?

There are now cries in the Cyber industry that URL protection mechanisms should be put into place alongside spam filters.  That way, if a suspicious-looking email does arrive, the filtering system can look beyond the image and actually inspect the URL embedded behind it.

If the major web browsers can do this (such as Edge, Chrome, and Safari), why can’t a spam system look for this also?
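One way a mail filter can "look beyond the image" at the link hidden behind it, as an added example that is not code from this post or from Avanan: parse the HTML body, find anchors whose only content is an image (so hovering shows no text), and flag those whose destination host is not on an assumed allowlist of the brand's real domains. The sample HTML and the domain names are constructed.

```python
"""Flag 'picture in picture' links: an <a> whose only visible content is an
image, so the destination is hidden behind a brand logo.
Added example; the allowlist and sample message are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ImageLinkFinder(HTMLParser):
    """Collect every anchor whose content is only <img> tags (no visible text)."""

    def __init__(self):
        super().__init__()
        self.findings = []   # dicts for image-only anchors
        self._open = None    # anchor currently being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._open = {"href": a.get("href", ""), "imgs": [], "text": ""}
        elif tag == "img" and self._open is not None:
            self._open["imgs"].append((a.get("src", ""), a.get("alt", "")))

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            if self._open["imgs"] and not self._open["text"]:
                self.findings.append(self._open)
            self._open = None


def suspicious_image_links(html, trusted_domains):
    """Return (href, alt) for image-only links whose host is not a trusted brand domain."""
    parser = ImageLinkFinder()
    parser.feed(html)
    hits = []
    for f in parser.findings:
        host = (urlparse(f["href"]).hostname or "").lower()
        trusted = any(host == d or host.endswith("." + d) for d in trusted_domains)
        if not trusted:
            hits.append((f["href"], f["imgs"][0][1]))
    return hits


# Constructed sample: a brand logo wrapping a link that points somewhere else.
SAMPLE = """<html><body><p>Your reward is ready!</p>
<a href="https://gift-claim.example.net/x"><img src="logo.png" alt="Target"></a>
<a href="https://www.target.com/c/gift-cards"><img src="gc.png" alt="Gift card"></a>
<a href="https://www.target.com/help">Help center</a></body></html>"""

if __name__ == "__main__":
    for href, alt in suspicious_image_links(SAMPLE, ["target.com"]):
        print(f"image-only link labelled '{alt}' points to {href}")
```

A real filter would combine this with its existing URL reputation check; the point here is only that the link is reachable to software even when it is invisible to a hovering user.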

But despite all of the technology you may want to use to combat this new Phishing attack, it all comes down to the old-fashioned ways of protection.  And that is, keep educating your employees about this.  Always tell them to trust their gut, and if something does not feel right, simply delete the message and/or forward it on to the IT Security team for further inspection and review.
