It was just about this time last year that we posted a blog about scammers targeting global events, including the RSA 2018 Conference. Fast forward to now, and scammers are employing an almost identical approach to phishing for the RSA 2019 Conference. Our threat researchers recently uncovered the malicious website pictured below. It is a near duplicate of the one used last year; the only changes the scammers made were updating the date from 2018 to 2019 on the site and in the phishing site's URL. It's unclear whether the same threat actors are behind this year's scheme, but a huge security industry conference like RSA must have been too tempting a target for any cybercriminal to pass up a second time.
Threat actors have posted bogus sites like these for a variety of global shows and industry events with the intent of gathering travel information from the unsuspecting website visitor (which they would share with telemarketing agents) or collecting credit card information from booking fake lodging. Instead of being used for the requested bookings, it’s likely that any and all personal information collected through this process will be used to commit additional fraud.
Web-based phishing attacks are becoming more sophisticated as criminals look for new targets beyond the user inbox. Emails from commodity-type phishers and less skilled attackers can be easily detected with the multitude of security tools available. But more skillful attackers and targeted attacks, the very attacks organizations should be most concerned about, are turning to more deceptive web-based phishing schemes. By mimicking a reputable webpage or domain tied to a recognizable event, attackers can offer a variety of enticing travel and lodging deals through their phishing websites that encourage victims to initiate bookings.
The notion that phishing is limited to emails is just not true in today’s threat landscape. The use of other phishing attack vectors is becoming more difficult to detect with most of the security tools available to organizations. While email phishing attacks are quite prevalent, other social engineering launch points now include disguised websites (like the above RSA Conference scam), hidden compromised web pages in otherwise legitimate sites, fake ads, rogue applications, pop-ups, chat apps, social media, and one that we’re seeing more and more – malicious browser extensions. Many of these web-based phishing threats have all the appearances and features of being legitimate and professional.
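The year-bumped copy described above (only 2018 changed to 2019 in the page and the URL) and the "disguised websites" vector are both things a defender can screen for in proxy or certificate-transparency logs. The following is an added example, not SlashNext's code or the SEER technology described on this page: it scores a URL for event-lookalike signals (event name in the hostname, a four-digit year, travel or lodging lure words, none of which appear on an allowlisted official domain) and separately checks whether a URL is a year-substituted variant of a previously reported phishing URL. The allowlist domain, keyword list and sample URLs are constructed placeholders, not the real addresses from the incident.

```python
import re
from urllib.parse import urlparse

# Placeholder allowlist (assumption); a real deployment holds the event's actual domains.
OFFICIAL_DOMAINS = {"rsaconference.example"}
# Tokens a lookalike host would carry to borrow the event's name (constructed list).
EVENT_KEYWORDS = ("rsaconference", "rsac", "rsa")
LURE_WORDS = re.compile(r"hotel|travel|booking|lodging|accommodation|housing|discount")
YEAR_RE = re.compile(r"20\d{2}")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels. Adequate for .com/.net style hosts;
    co.uk-style suffixes would need a public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str):
    """Return (verdict, reasons); verdict is 'official', 'suspect' or 'unknown'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return "official", []
    text = host + parsed.path.lower()
    reasons = []
    if any(k in host for k in EVENT_KEYWORDS):
        reasons.append("event name in hostname")
    m = YEAR_RE.search(text)
    if m:
        reasons.append(f"year {m.group()} in URL")
    if LURE_WORDS.search(text):
        reasons.append("travel/lodging lure words")
    # Two independent signals are required before a URL is flagged for review.
    verdict = "suspect" if len(reasons) >= 2 else "unknown"
    return verdict, reasons


def year_template(url: str) -> str:
    """Replace every four-digit year with a placeholder so that a 2018 lure and
    its 2019 re-issue collapse to the same key."""
    return YEAR_RE.sub("<YEAR>", url.lower().rstrip("/"))


def matches_known_lure(url: str, known_phishing_urls):
    """Return the known phishing URLs of which this URL is a year-bumped copy."""
    key = year_template(url)
    return [k for k in known_phishing_urls if year_template(k) == key]


# Constructed sample data, not the real URLs from the incident.
KNOWN_LURES = ["http://rsa-conference-2018-hotels.example/booking"]
SAMPLE_URLS = [
    "https://www.rsaconference.example/agenda",
    "http://rsa-conference-2019-hotels.example/booking",
    "https://news.example/2019/tech-roundup",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        verdict, reasons = classify_url(u)
        reissue = matches_known_lure(u, KNOWN_LURES)
        print(f"{verdict:8} {u}  {reasons}  reissued-from={reissue}")
```

The substring match on short tokens such as "rsa" will produce false positives on unrelated hostnames, which is why the score requires two signals and why `matches_known_lure` is the higher-confidence check: it catches exactly the behaviour this post describes, a lure reused with nothing but the year changed.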
Human fallibility and blind spots in network security, compounded by detection latency, give fast-moving, sophisticated phishing schemes ample opportunity. SlashNext is cloud-powered and out-of-band, so it does not introduce any network latency. Real-time phishing detection is the only true solution in today's threat landscape. We use live session emulation in our patent-pending SEER™ technology to detect malicious sites in real time. By dynamically inspecting suspicious browsing content and server behavior, we can detect previously unknown phishing threats in just seconds – threats that fall outside of the more common email scams and malware attachments. As you can see below, we detected and blocked the 2019 fake RSA site.
SlashNext is immediate, non-disruptive, and effective, enabling organizations to better understand and protect themselves from these types of zero-hour phishing threats on the web.