A pair of related phishing campaigns this year took the unusual step of intentionally avoiding malicious links or attachments in its emails – a sign that threat actors may recognize the need to come up with new tactics. Here, workers prepare a presentation the day before the CeBIT 2012 technology trade fair. (Sean Gallup/Getty Images)
A pair of related phishing campaigns this year took the unusual step of intentionally avoiding malicious links or attachments in its emails – a sign that threat actors may recognize the challenges posed by secure email gateways and sandbox rules and increasingly savvy users.
In a blog post this week, Cofense reported that actors using the BazarBackdoor malware have been experimenting with roundabout ways of getting users to self-infect. One campaign featured a fraudulent invoice referencing a malicious website, but not directly linking to it. Instead, the attackers are counting on users typing or pasting the URL into their browsers. A second campaign included a phone number that, if called, reaches a fake company representative who will try to trick the user into visiting an attacker-controlled website.
“The notable part about this is that we don’t usually see this sort of thing,” said Joseph Gallop, an intelligence analysis manager at Cofense, in an interview with SC Media. “Usually, threat actors try to make the path to compromise as simple as they can for the victim to follow.”
While perhaps unusual, it might become more commonplace over time. “There is an increase in fileless, linkless attacks that are engineered toward luring users to do something they are not supposed to do outside of the scope of clicking on links or opening attachments,” said Ironscales CEO Eyal Benishti. “Most of these attacks ..