Creators of phishing messages usually want to create anxiety in their targets so they’ll unwittingly download malware. And nothing gets stomachs churning more than the possibility of losing your job.

One of the latest examples of this was detected by Cloudflare, which issued a report Thursday on a recent job termination phishing scam that included some novel techniques.

The report is a reminder to CISOs that all employees have to be regularly warned not to click on links or download documents in messages that spark an emotional response, and to carefully check the email header to verify the sender is legitimate. Defenders may also want to expand the number of brands and organizations their reputation detection software should cover.

“Fear of losing your job is an incredible social engineering tactic,” said David Shipley of Canada-based security awareness provider Beauceron Security.

It’s tied in persuasiveness with phishing campaigns promising a document listing what your fellow employees are being paid, he added. “That one is dynamite,” because staff have what he called “an insatiable curiosity about what their colleagues are making.”

This particular high-volume campaign was aimed at people in the United Kingdom who are subject to that country’s Employment Tribunals Service, which hears employment-related complaints; that would be a huge chunk of the working population.

Targets received an email, supposedly from the “Employment Court,” that bore a copy of the Tribunal’s logo. The subject line read: “Action Required: Tribunal Proceedings Against You,” and the message started with “Immediate action required.” It listed what looks like official case information, including an alleged case number, and the so-called case topic was “Termination Notice.” The message added that failure to comply with the instructions to download and reply to a document could result in “serious legal consequences.”

If a user clicked on the included link, it didn’t directly download malware, which might be detected by defenses. Instead, the link went to a fraudulent website that impersonates a Microsoft service. It said the user couldn’t access the document on their current device, a trick to get them to download the file.

Actually, there was no document that the victim could read. The downloaded file was a .rar archive that contained a malicious Visual Basic script. That script used command obfuscation, which Cloudflare noted made the malicious payload less likely to be flagged by traditional scanning techniques, and it led to further system compromise.

There were signs within the email that savvy employees could have picked up on. While the message was supposedly from “Employment Court,” the actual sender was “postmaster[at]agra.wog.gr.” And while the supposed case number included a string of numbers, it ended with “%number%.” An unsuspecting employee might think the email system had scrambled something, but that should be a warning sign.

Fortunately, according to Cloudflare, this campaign was high-volume enough that it was detected by a number of cybersecurity honeypots and triggered automatic reputation-based email and IP blocking from many sources.

What are broadly called “termination scams,” which trick recipients into downloading malware, aren’t new, and they have a variety of themes that don’t necessarily deal with employment. For example, the message might say a person’s email account is about to be terminated unless they fill in a form. The goal in this case is to get the user’s login credentials. In January, the University of Pittsburgh sent out a warning of a phishing scam like this aimed at its students.
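The warning signs described above (a display name that claims to be a court while the real sender is an unrelated domain, a case number ending in an unrendered “%number%” placeholder, urgency wording, and a risky archive attachment) are the kind of indicators a mail gateway or SOC triage script can check mechanically before a user ever sees the message. The following Python script is an added example and not code from Cloudflare or from the article; the sample messages, the table of expected sender domains, the placeholder pattern and the quarantine threshold are constructed assumptions for illustration.

```python
from __future__ import annotations
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the indicators the article describes.
# Header values and body text are invented for this example.
SAMPLE_EMAIL = """\
From: "Employment Court" <postmaster@agra.wog.gr>
Reply-To: "Employment Court" <postmaster@agra.wog.gr>
Subject: Action Required: Tribunal Proceedings Against You
Content-Type: text/plain; charset="utf-8"

Immediate action required.
Case Number: ET-4471902-%number%
Case Topic: Termination Notice
Failure to comply may result in serious legal consequences.
Download the document: https://example.invalid/docs/case
"""

# Constructed benign message used to show the script does not flag ordinary mail.
BENIGN_EMAIL = """\
From: "HR Department" <hr@example.com>
Subject: Reminder: timesheets due Friday
Content-Type: text/plain; charset="utf-8"

Please submit your timesheet by end of day Friday.
"""

# Assumed mapping of organisation names (as they appear in display names)
# to the domains they are expected to send from. A real deployment would
# maintain this list from verified sender data.
EXPECTED_DOMAINS = {
    "employment court": ("gov.uk",),
    "employment tribunal": ("gov.uk",),
}

# Unrendered mail-merge placeholders: %name% or {{ name }} left in by a template.
PLACEHOLDER_RE = re.compile(r"%[a-z_]+%|\{\{\s*[a-z_]+\s*\}\}", re.IGNORECASE)
URGENCY_TERMS = ("immediate action", "action required", "serious legal consequences")
RISKY_ATTACHMENT_EXT = (".rar", ".vbs", ".js", ".iso")


def sender_domain(header_value: str) -> str:
    """Return the lower-cased domain part of a From/Reply-To header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def display_name_mismatch(header_value: str) -> bool:
    """True when the display name claims an organisation but the address is not on its expected domains."""
    name, _ = parseaddr(header_value or "")
    domain = sender_domain(header_value)
    for org, domains in EXPECTED_DOMAINS.items():
        if org in name.lower():
            return not any(domain == d or domain.endswith("." + d) for d in domains)
    return False


def find_placeholders(text: str) -> list:
    """Return every unrendered template placeholder found in the text."""
    return PLACEHOLDER_RE.findall(text)


def triage(raw: str) -> dict:
    """Score one raw RFC 5322 message against the indicators and return a verdict."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    from_header = msg.get("From", "")
    text, attachments = "", []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text += payload.decode("utf-8", "replace")

    reasons = []
    if display_name_mismatch(from_header):
        reasons.append(f"display name does not match sender domain {sender_domain(from_header)!r}")
    reply_to = msg.get("Reply-To")
    if reply_to and sender_domain(reply_to) != sender_domain(from_header):
        reasons.append("Reply-To domain differs from From domain")
    for ph in find_placeholders(subject + "\n" + text):
        reasons.append(f"unrendered template placeholder {ph!r}")
    combined = (subject + " " + text).lower()
    hits = [t for t in URGENCY_TERMS if t in combined]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    for name in attachments:
        if name.lower().endswith(RISKY_ATTACHMENT_EXT):
            reasons.append(f"risky attachment type {name!r}")

    score = len(reasons)  # each independent indicator adds one point (assumed scoring)
    return {"score": score, "verdict": "quarantine" if score >= 2 else "deliver", "reasons": reasons}


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, triage(raw))
```

The scoring is deliberately additive so that no single indicator decides the outcome: a legitimate bulk mailer can leak a placeholder, and a real court can send urgent wording, but the combination of an impersonating display name, a template artifact and pressure language together is what warrants holding the message for review.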
Education is important
Workplace-related phishes, particularly if they are sent in an environment of widespread economic layoffs in an industry or layoffs due to a medical emergency like COVID-19 or the flu, carry an air of legitimacy, Shipley pointed out.

“That’s why it’s so important we continue to educate people about this, because email filters fail,” he said.

With phishes often trying to prompt a “sense of dread” and the feeling “Oh my goodness, I’ve got to do something,” awareness training should teach employees to recognize those emotions, Shipley said. That’s the moment they should be taught to slow down, step away from their computer, and think before clicking. “Teaching people emotional intelligence and mindfulness can reduce susceptibility by as much as 50%,” Shipley said.

It’s also important that organizations encourage staff to report a suspicious or unusual email to a superior, to IT, or through an internal warning mechanism, Shipley said, and to give a pat on the back, or more, to those who do. That shows other employees that reporting will be rewarded.

This Employment Tribunal scam is an example of how threat actors take advantage of economic trends or the time of year, noted Blake Darché, head of Cloudflare’s Cloudforce One threat intelligence service. CISOs should now be on the alert for Black Friday/Cyber Monday and Christmas phishing lures, he said.

The lesson for CISOs from this report, he said, is the need to have multiple layers of defense on their infrastructure. “You need multiple layers of email security solutions, you should look at zero-trust types of architectures, so if a user’s device is compromised, it won’t take over your whole network. Take a look at remote browser isolation. Threat actors will continue to innovate to accomplish their mission.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3610039/job-termination-scam-warns-staff-of-phony-employment-tribunal-decision.html