I think I wrote in a previous blog about how Phishing scams have become much more powerful and sophisticated, and it’s not because the Cyberattacker is getting smarter. It’s because they now have much more powerful tools at their disposal to make a fake email message more convincing.
Gone are the days of looking primarily at misspelled words, typos, URL links that don’t match up, etc.
Now, you have to look at the picture that is embedded in the email to see if the email is genuine or not. But how can one go about doing this? That’s the problem. It is very difficult to do, even for a trained eye. That is why Cyberattackers are now using this tactic to lure in their victims.
But in this instance, no ordinary picture lifted from Google will do the trick. Rather, it has to be a glossy-looking picture of a major brand, such as Target, Panera, McDonald’s, etc., where people do most of their online shopping.
In their Phishing email messages, the Cyberattacker will very often hide a malicious link behind the image. It will offer something enticing, such as a gift card, or reduced pricing on a product or service that you want to buy.
But what is worse is that if you hover over the image, no link appears. You won’t know until you actually click on the image, and from there you will be taken to a phony but very authentic-looking site of the major brand.
In fact, a Cyber vendor known as Avanan just recently demonstrated how stealthy this can be. More information about this experiment can be found at the link below:
https://www.avanan.com/blog/the-picture-in-picture-attack
The threat researchers who studied this have named this kind of attack the “Picture In Picture” attack.
But given how AI is now becoming freely available to just about everybody (thanks to ChatGPT), this new kind of attack has become that much more dangerous, because it is so difficult to discern. This is primarily due to the following reasons:
1) Filters cannot pick them up: Although Corporate America has done a much better job of deploying filters to sort out and quarantine spam emails before they reach the inboxes of employees, when it comes to scanning emails with images, those filters only scan the images themselves for malicious payloads. At this point in time, they simply cannot detect anything malicious that is hidden behind the picture or image. This is technically known as “Picture Obfuscation”. There is a way around this, and it is called “Optical Character Recognition”, or “OCR” for short. This is where the filtering system has to break down every pixel in the image to see if there is anything malicious hidden in it. But this can take some time to do, and because of that, many companies have not adopted it into the mainstream yet.
2) Enter AI: As mentioned earlier in this blog, the hysteria and boom around AI has not made things easier for the IT Security team. Case in point: ChatGPT. Although OpenAI has claimed that there are safeguards built into the system to stop it from creating malicious code, people have still been able to do this. A prime example is a researcher at a Cyber vendor known as Forcepoint who convinced ChatGPT to create an image that can be used in a Phishing campaign, while also directing it not to create any kind of direct malware. More information about this can be seen at the link below:
Tools like ChatGPT are only going to make the problem of creating convincing Deepfakes even worse, as many Cyber experts now fear will be the case.
My Thoughts On This:
This new kind of Phishing attack just described should not be confused with yet another kind of Cyber-attack, known as “Steganography”. That one is much more complex not only to create, but also to execute. More detail about this can be seen at the link below:
It should be noted here that the “Picture In Picture” attack is much easier to create, and is considered to be a watered-down version of Steganography-based attacks. Although many businesses in the United States have tried the hybrid work model, the truth of the matter is that many employees still prefer to work from home, for many different reasons.
Because of this, the Cyberattacker is now targeting this group of people.
This is because many employees still receive their work email on their personal devices (even though they should not), and those devices are very often not up to snuff with company-issued devices when it comes to security. As a result, these emails fall into the inbox of the employee, and when they see something very enticing, he or she will of course jump on it.
After all, who can resist a substantially marked-down trip to Cancun?
There are now cries in the Cyber industry that URL protection mechanisms should be put into place alongside spam filters. That way, if a suspicious-looking email does arrive, the filtering system can look beyond the image and actually examine the URL embedded behind it.
If the major web browsers (such as Edge, Chrome, and Safari) can do this, why can’t a spam system look for this also?
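As an added example that is not from the original post or from Avanan, here is a small Python check of the kind such a filter could run: it parses the HTML body of an email for exactly the pattern described above, a link whose only content is an image, and flags it when the link’s host is not the sender’s own domain. The sample message, the domains and the “same domain as the sender” rule are constructed for illustration; a real gateway would combine this with sender authentication, since a spoofed From address would otherwise fool the comparison.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class ImageLinkFinder(HTMLParser):
    """Collect each <a href> and whether it wraps an <img> with no visible text."""
    def __init__(self):
        super().__init__()
        self.links = []   # (href, wraps_image, visible_text_length)
        self._open = []   # anchors currently being parsed
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open.append([dict(attrs).get("href", ""), False, 0])
        elif tag == "img" and self._open:
            self._open[-1][1] = True          # an image sits inside the open link
    def handle_data(self, data):
        if self._open:
            self._open[-1][2] += len(data.strip())
    def handle_endtag(self, tag):
        if tag == "a" and self._open:
            self.links.append(tuple(self._open.pop()))

def image_only_links(raw_message: bytes):
    """Hrefs hidden behind an image-only link whose host is not the sender's domain."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender_domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:                     # plain-text mail: nothing to hide behind
        return []
    finder = ImageLinkFinder()
    finder.feed(html_part.get_content())
    suspicious = []
    for href, wraps_image, text_len in finder.links:
        host = (urlparse(href).hostname or "").lower()
        same_org = host == sender_domain or host.endswith("." + sender_domain)
        if wraps_image and text_len == 0 and not same_org:
            suspicious.append(href)
    return suspicious

# Constructed sample: a brand-style banner whose only link leads off-brand.
SAMPLE = b"""From: promotions@brand.example
Subject: Your gift card is waiting
Content-Type: text/html; charset="utf-8"

<a href="https://login.example.net/claim"><img src="cid:banner" alt=""></a>
<p>See <a href="https://brand.example/terms">terms</a>.</p>
"""
```

The text link to the brand’s own terms page is left alone; only the image-only link pointing off-domain is returned.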
But despite all of the technology you may want to use to combat this new Phishing attack, it all comes down to the old-fashioned ways of protection. And that is, keep educating your employees about this. Always tell them to trust their gut, and if something does not feel right, simply delete the message and/or forward it to the IT Security team for further inspection and review.