By now most of us have been burned enough times to realize there is no Nigerian prince needing our help, nor is the IRS suing us for fraudulent tax filing. Now we know we know better. Now we understand that the IRS doesn’t call or email. Now we know that there is no reason for a Nigerian prince to email us. Now we just laugh and delete these emails when they arrive in our inbox…well most of us anyway.

In the current decade social engineers take a similar, yet simpler approach. They are still betting on curiosity killing the cat. What if a known reputable company contacts you instead of IRS collections? What if that email is not asking you for anything, but just providing helpful information? Not as many alarms go off, naturally.

An attacker sending this message to hundreds of users is betting on one of two things.

  1. Someone actually uses E-Fax regularly, and accepts this authentic looking message.
  2. At least one person will receive the message and their curiosity of the fax contents will get the best of them, (most likely scenario.)

Upon opening or executing the file, the victim will likely view a generic document that they may or may not dismiss, but the damage is done. This type of attack usually opens a command and control channel in memory that is not easily detectable; therefore the typical user is none the wiser to the chaos that is happening in the background. Welcome to the bot-net.

Phishing attacks that spoof legitimate companies are successful because users inherently trust known vendors. To help prevent these attacks organizations should place an emphasis on not opening attachments or links from any external party, not just unknown senders. Additionally, organizations should also incorporate “legitimate” vendors into their security testing and training. The more users see examples such as this, the more cautious they are likely to become about external senders.

Sophisticated spam filters and inline sandboxes can do a great deal to help curb the threat of phishing attacks, but don’t forget, phishing exploits are a result of a breakdown in several controls including technical, human, and administrative; so organizations should incorporate a defense in depth approach to dealing with phishing.