This year's most clever phishing tricks include hijacking Google search results and abusing 404 error pages.
Earlier this month, Microsoft released a report on this year's malware and cyber-security trends. Among the few trends highlighted in the report was that phishing was one of the few attack vectors that saw a rise in activity over the past two years.
Microsoft said that phishing attempts grew from under 0.2% in January 2018 to around 0.6% in October 2019, where 0.6% represented the percentage of phishing emails detected out of the total volume of emails the company analyzed.
While phishing attacks increased, the number of ransomware, crypto-mining, and other malware infections went down, the company said at the time.
In a blog post published today, the Redmond-based tech giant reviewed three of the more clever phishing attacks it seen this year.
HIJACKING SEARCH RESULTS
The first is a multi-layered malware operation through which a criminal gang poisoned Google search results. The scheme went as follows:
- Crooks funneled web traffic hijacked from legitimate sites to websites they controlled
- The domains became the top Google search result for very specific terms
- Phishers sent emails to victims linking the Google search result for that specific term
- If the victim clicked the Google link, and then the top result, they'd land on an attacker-controlled website
- This website would then redirect the user to a phishing page
One might think that altering Google search results takes a gigantic amount of effort, but this was actually pretty easy, as attackers didn't target high-traffic keywords, but instead focused on gibberish like "hOJoXatrCPy."
Furthermore, Microsoft said "the campaign was made even stealthier by its use of location-specific search results." "When accessed by users in Europe, the phishing URL led to the redirector website c77684gq[.]beget[.]tech, and eventually to the phishing page. Outside Europe, the same URL returned no search results," the company said.
ABUSING 404 ERROR PAGES
Another clever trick used by phishers this year was first spotted in a phishing campaign Microsoft detected back in August and documented in this Twitter thread.
This campaign is deviously clever.
While most phishing emails include a link to the phishing URL they want to lure users on, for this campaign, attackers included links that pointed to non-existent pages. When Microsoft's security systems would scan the link, they'd receive a 404 error back (because the link didn't exist), and Microsoft would deem the link safe. However, if a real user accessed the URL, the phishing site would detect the user and redirect them to an actual phishing page instead of the server's standard 404 error page.