Secure document phishing attacks are some of the latest in client endpoint exploits that have been plaguing the computing world. While these phishing attempts may fool the uninformed, by reading this article you will be better able to detect and prevent secure document phishing from effecting your Information Security environment.

What is a Secure Document Phishing Attack?

A Secure Document Phishing Attack occurs when cybercriminals send either a fake PDF or DocuSign document to a user on your network, often using a fake (or spoofed) email address to make the recipient trust that it is from someone that they know. The email will normally request that the user clicks on a link to “receive a secure document.” This opens up a web page asking for credentials or other personal information, to click on a secure DocuSign document link that will instead download malware, or to click a link on a word document that contains macros that can download malware.

Technically speaking, Secure Document Phishing Attacks are a form of what is called Spear Phishing. Spear Phishing is the most specific type of phishing attack because it specifically targets a user or organization by using information that the potential victim would be familiar with, thus establishing trust. This type of phishing attack is one of the most successful types in existence today.

Real Life Example

Let’s say that your organization periodically sends out emails to all employees. You receive an email that looks like it may be from someone in your organization but it seems, well, phishy. The email that you receive looks like the following:

This is a prime example of a Secure document phishing email. Confirm with the sender if it is legitimate as the first step but do not expect to do anything but delete the email.

How to Detect Secure Document Phishing Attacks

There are many ways to detect whether the email you received is a Secure Document Phishing Attack. Before we explore these ways, what must be kept in mind is that the cybercriminals that are sending these emails have at least some corroborative information about the potential victim. This information can include names of other people in their organization, the email addresses of others in the organization, and potentially other personal information (such as banking and financial). For that reason, it can take a little bit of analysis of the email to detect whether it is truly a Secure Document Phishing Attack.

First, Secure Document Phishing emails will often contain links to other sites that include the legitimate name of the organization that the victim works for as part of the subdomain of another URL. For example, if you work at Acme, and the link is something like “acme.otherwebsite.com,” you know that this is probably a Secure Document Phishing Attack. You can easily determine if this is the case by simply hovering your cursor over the link briefly until it displays the link’s URL.

Second, do not take the email’s display name at face value. Cybercriminals frequently use the proper display name of someone or an organization that you may interact with, but these display names do not match up to the email address that it is connected to. For example, let’s say you received an email from an organization that you know called Acme. This email may say something like “From: Acme accounts@security.com.” When you see this, you will know that the email is actually not from Acme and that it is indicative of a phishing attack.

Ethical Hacking Training – Resources (InfoSec)

How to Prevent Secure Document Phishing Attacks

Cybercriminals can get around email spam filters with unique, directed Secure Document Phishing Attacks. This puts the onus on the end user because, in all honesty, it is the user that is the one responsible for actually clicking on phishing click-bait. Therefore, organizations must focus on their users and educate their users with the knowledge required not to fall victim to these attacks.

The best way to educate an organization’s employees about secure document phishing attacks is to implement an email phishing attack awareness campaign. On a regular basis, organizations should address their employees about recent high-profile phishing cases (from the news for example) and provide tips about what to look for when determining if an email is actually a phishing attack. Learning is best performed by the act of doing and determining if an email is a phishing attempt is no exception. The awareness campaign should incorporate quiz questions to see if an organization’s employees are up to speed with how to determine if an email is a secure document phishing attack.

Some tips that organizations interested in organizing a phishing attack awareness campaign are:

  1. If an email seems suspect or there is any doubt whatsoever regarding the authenticity of the email, contact the sender. If the email is authentic, the sender will probably not have an issue with confirming its authenticity for you.
  2. If the email is from a sender that you have communicated with, analyze the pattern of the communication. If the pattern appears different from how the sender normally communicates with you then heed caution and report the email to your system administrator or IT department.
  3. Pay close attention to the spelling of the words used in the email subject and body. Often secure document phishing attack emails will include at least a word or two that are spelled differently, capitalized inappropriately, or include excess spaces between words. Secure Document Phishing emails often contain at least one instance of the errors listed above.

References

https://blog.returnpath.com/10-tips-on-how-to-identify-a-phishing-or-spoofing-email-v2/

https://blog.knowbe4.com/scam-of-the-week-secure-document-phishing-attacks-trap-employees

https://www.incapsula.com/web-application-security/phishing-attack-scam.html

https://blog.lumen21.com/2016/06/08/secure-document-phishing-attacks/

http://hyphenet.com/docusign-phishing-emails-loaded-with-data-stealing-trojan/