Phishing attacks have reached the highest level in three years!
Did it come as a shocker?
Well, if it has, then there’s plenty more lined up for you.
A total of 266,387 phishing sites had been detected by September 2019, against 182,465 in mid-2019. That is a rise of up to 46%, as the figures suggest. It’s nearly double the 138,238 seen in the fourth quarter of 2019.
Aren’t all these enough to raise the alarm?
Even Greg Aaron, the President of Illumintel, has shared his concerns about this grave issue. He has reportedly said, “This is the worst period for phishing that the APWG has seen in three years, since the fourth quarter of 2016.”
With the world at constant risk from such dangerous threats, you must stay alert to every kind of phishing attack and call the cyber-security guys when needed. These attacks come unannounced, and that’s the worst part!
Did you know there’s a fairly new kind on the block?
Yeah, it’s time to jot down yet another name on your list of phishing attacks!
Third-party phishing – the new spear-phishing attack
Let's give you an example first, to get things started. Matt in accounting has a reputation as a tech-savvy person. Unlike other naive souls, he keeps his distance from emails that are packed with masked URLs or convincing password reset requests. He is well aware of the various phishing attack types.
Matt’s smart, right? We bet you he is!
And he’s pretty much invulnerable to cyber-attacks too, correct?
See, this is where it gets interesting. One fine day, Matt receives an email from a trusted third-party vendor, raising a recent payment concern and demanding action. And if it turns out that the vendor has been compromised, it could be one of those cyber-criminals trying to phish him!
Possibly, Matt is the target of a spear-phishing attack from the vendor’s domain. And if that assumption is right, then he is in big trouble.
You can emphasize the word ‘big’ when we say trouble.
Third-party phishing is fairly new, and the messages look a lot like legitimate emails from your vendor's domains. The most terrifying part is that traditional defenses don't work that well against them.
Digging deep into this topic
Cyber-criminals have come up with something new, again!
The scheme involves creating a phishing page disguised as a retailer’s third-party payment service platform (PSP). Many e-commerce websites outsource their monetary transactions by redirecting users to a secure page operated by PSP firms.
However, in this scam, as discovered by Malwarebytes researchers, the attackers swap out the genuine PSP payment processing and replace it with a fraudulent one that asks for customers’ personal as well as financial data.
The details are then skimmed and uploaded to an attacker-controlled server, leaving the victim with some tough times in the coming days! Researchers at Malwarebytes recently uncovered a fraud that brought this crime to light.
They came across a newly registered phishing website named “payment-mastercard.com”. It contained a skimmer so unique that it can imitate the PSP.
How did this scam work?
Experts at Malwarebytes noted that the page was created for an Australian store that operates the PrestaShop Content Management System and utilizes the Commonwealth Bank platform to facilitate payments.
An unsuspecting customer enters his credentials on the phishing page. After the data is entered and sorted, the customer is redirected to a ‘seemingly’ legitimate Commonwealth Bank payment site. To make it believable, the right purchase amount is displayed.
Everything appears right, assuring you that you can proceed without any hesitation!
Experts suggest this is done by developing a unique session ID and reading browser cookies. By mixing phishing and skimming together, cyber-criminals have devised a threatening scheme. Most users, being unaware, will leak their private information to these fraudsters easily.
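A store can watch for this kind of swap by checking where its own checkout page sends data. The following is an added example, not code from Malwarebytes or from the store in question; the hosts `shop.example` and `psp.example`, the sample markup and the `/pay` path are assumptions made up for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: the hosts a hypothetical store expects its checkout to use.
EXPECTED_HOSTS = {"shop.example", "psp.example"}

# Constructed checkout markup; the form path is made up for the sample.
SAMPLE_CHECKOUT = """
<html><body>
<script src="/js/checkout.js"></script>
<iframe src="https://secure.psp.example/frame"></iframe>
<form method="post" action="https://payment-mastercard.com/pay">
  <input name="card_number">
</form>
</body></html>
"""

class CheckoutTargets(HTMLParser):
    """Collect the URLs a page posts data to or loads active content from."""
    ATTRS = {"form": "action", "script": "src", "iframe": "src"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.targets = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                # Resolve relative URLs against the page's own address.
                self.targets.append((tag, urljoin(self.base_url, value)))

def host_allowed(host, allowed=EXPECTED_HOSTS):
    """True for an allowed host or a true subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)

def unexpected_targets(html, base_url, allowed=EXPECTED_HOSTS):
    """Return (tag, url) pairs that leave the allowlist or drop HTTPS."""
    parser = CheckoutTargets(base_url)
    parser.feed(html)
    return [(tag, url) for tag, url in parser.targets
            if urlsplit(url).scheme != "https"
            or not host_allowed(urlsplit(url).hostname, allowed)]

if __name__ == "__main__":
    for tag, url in unexpected_targets(SAMPLE_CHECKOUT, "https://shop.example/checkout"):
        print(f"ALERT <{tag}> points at unexpected host: {url}")
```

Run on a schedule against the live checkout page, a check like this raises an alert as soon as the payment form stops pointing at the store's real PSP.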
Some ways to stay safe from such scams
So, having understood how this threat works and read about such real-life phishing attack examples, we’re sure you are craving some effective remedies against these malicious practices.
We’ve got these covered!
Detect potential threats with AI
Many organizations use artificial intelligence (AI) to analyze user behavior and detect any such threat quickly. Machine learning, along with AI, can pick out troubling patterns in unstructured data. It also provides security teams with the actionable data needed to respond quickly.
Use ahead-of-threat attack prevention tools
Phishing attacks need a series of systems to work. Ahead-of-threat prevention tracks DNS, domain registrations and other data, and uses them to thwart future attacks by diligently blocking suspicious requests as well as URLs.
These are 2 ways you can stay safe from a third-party phishing attack. And if you don’t have a clue regarding how to proceed, then you can always get help from expert cyber-security personnel.
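As an added illustration of tracking domain registrations (not a tool named in this article), the sketch below screens a feed of newly seen domains for payment-brand names used outside the brand's own domains. The watch list, the 30-day window and every registration date in the sample feed are assumptions constructed for the example.

```python
from datetime import date

# Assumption: brand tokens to watch, with the domains each brand really uses.
WATCHED = {
    "mastercard": {"mastercard.com"},
    "commbank": {"commbank.com.au"},
}
MAX_AGE_DAYS = 30  # assumption: what counts as "newly registered"

# Constructed feed of (domain, registration date); all dates are made up.
SAMPLE_FEED = [
    ("payment-mastercard.com", date(2019, 11, 20)),
    ("www.mastercard.com", date(2000, 1, 1)),
    ("commbank-secure-pay.example", date(2018, 6, 1)),
    ("shop.example", date(2019, 11, 25)),
]

def is_official(domain, official):
    """True when the domain is an official one or a subdomain of it."""
    return any(domain == o or domain.endswith("." + o) for o in official)

def screen(feed, today):
    """Flag domains that embed a watched brand outside its official domains.

    Returns (domain, brand, age_days, verdict): "block" for fresh
    registrations, "review" for older ones.
    """
    hits = []
    for raw, registered in feed:
        domain = raw.lower().rstrip(".")
        compact = domain.replace("-", "")  # also catches "master-card"
        for brand, official in WATCHED.items():
            if brand in compact and not is_official(domain, official):
                age = (today - registered).days
                verdict = "block" if age <= MAX_AGE_DAYS else "review"
                hits.append((domain, brand, age, verdict))
    return hits

if __name__ == "__main__":
    for hit in screen(SAMPLE_FEED, date(2019, 12, 1)):
        print(hit)
```

The "block" entries can feed a DNS or web-proxy blocklist, while "review" entries go to an analyst.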