Cybercriminals impersonate Outlook and DocuSign to steal your identity

Attackers are now impersonating popular web services like Microsoft Outlook, DocuSign, and Google Docs to trick you to freely give up your credentials.

laptop security breach password identity theft hacker
Thinkstock

We recently discussed how cybercriminals target mid to low level employees in multi-stage spear phishing campaigns where attackers will impersonate your colleague, partner, or customer via email. The intention is often to steal your credentials in order to successfully commit fraud against you. Now, we are seeing an extremely large volume of web service impersonation email threats, where attackers cunningly impersonate popular web services such as Microsoft Outlook, Docusign and Google Docs to entice victims into logging into fake websites and ultimately give up their credentials.

Evolving sly cyber fraud tactics

This rise in web service impersonation attacks involves placing a link to a web page that prompts employees to log in; however, they are actually sacrificing their credentials to criminals instead of logging in.

From there, when the unsuspecting victim clicks on the link and is directed to a false sign in page, they will provide attackers with their usernames and password without knowing they had done anything out of the ordinary.
After stealing the credentials, the attackers will typically use them to remotely log into the user’s Office 365 or other email accounts and use this as a launching point for other spear phishing attacks. At this point, it becomes even more difficult to detect attackers at work because they will send additional emails to other employees or external partners, trying to entice those recipients to click on a link or transfer money to a fraudulent account.

Traditional email security fails to detect this attack

Unfortunately, these web services impersonation email attacks are not detected by existing email security solutions for several reasons:

  • The links used are typically zero-day where a unique link is sent to each recipient. They never appear on any security blacklists.
  • In many cases, the links included in messages lead to a legitimate website, where the attacker has maliciously inserted a sign in page, and the domain and IP reputation will appear legitimate.
  • Link protection technologies such as “safe links” will not protect against these links. Since the link just contains a sign in page and do not download any malicious viruses, the user will follow the “safe link” and will still enter the user name and password.

Therefore, even with traditional email security technologies enabled, there is nothing preventing the user from providing their credentials to the cunning attacker. The best hope for security to protect users from this type of email borne impersonation attack is by enabling artificial intelligence technologies and training to raise awareness of these types of attacks.

Artificial intelligence security can save the day

AI can be taught to automatically detect and quarantine these emails. In this case, an AI security solution can recognize how a normal email from a popular web service looks based on the signals in the email metadata and body. Here is an example:

You would expect emails from Facebook to come from messages@facebook.com and include a link to facebook.com. It is very unlikely to receive an email from john@facebook.mydomain.com with a link to sdfsdf.co.uk. Even if the sdfsdf.co.uk link has a high reputation and does not appear on any blacklists within the context of an email from Facebook, it is extremely unlikely to be legitimate. An AI engine can spot this discrepancy despite the link being reputable and prevent the email from reaching any end users. This is vital as it is guaranteed that someone in your organization will eventually fall for this bait.

Security training is required for all

Historically, security and awareness training were reserved for executives and high-risk individuals with an organization – but now, cybercriminals know this. We have now seen an immense rise in targeting low and mid-level employees that are not trained to sniff out spam and possible email threats. With 90 percent of attacks starting with an email borne threat, it is imperative that every single employee from the CEO on down is trained and tested regularly on their ability to spot suspicious behavior.

Organizations must plan for email threats such as these and many others, train all of their employees, test them on the latest email threats, and work to ensure everyone is a security advocate. Traditional email security will not catch these threats, and not every employee will delete the email, so incorporating a holistic risk prevention strategy with the latest email security technologies such as artificial intelligence and regular security training will best prepare you for the next threat tactic cybercriminals use to try to steal your information.

This article is published as part of the IDG Contributor Network. Want to Join?

NEW! Download the Fall 2018 issue of Security Smart