SlashNext Labs
Credential Stealing with Scareware

August 30th 2017


Sony and Anthem, two of the largest internet breaches between 2014 and 2015, started with simple phishing attacks targeted at corporate employees. These phishing attacks convinced unsuspecting employees to visit a website that introduced malware into their systems. In the case of the Sony breach, the phishing emails appeared to be sent by someone the employee recognized and trusted, which added credibility to the link. After the employee clicked on the link, hackers accessed and used employee credentials to steal over 100 TB of data, resulting in estimated monetary damage of over $100 million. In 2016, phishing attacks grew an estimated 250%, creating far more risk for businesses than ever before anticipated.

Phishing attacks continue to grow faster than any other segment of social engineering attacks. They commonly aim to steal personal information such as login credentials, credit card information, or other private and sensitive data for malicious use. A growing majority of organizations have become aware of the danger of phishing and follow expert security recommendations to guard against phishing attacks. At the same time, hackers have become smarter and more inventive: they constantly devise new social engineering techniques that circumvent existing security measures.

One such technique has recently been labeled Scareware. Scareware is a type of social engineering attack designed to create fear in the victim. It does so with a red alert screen, a legitimate company logo, a professional-looking web landing page (one that even seasoned technology professionals might not question) and a dialog box. The dialog carries a message stating outright that your computer has been compromised and that you must contact technical support, via the method specified, to resolve the issue. Most often, victims act on the alert immediately, which leads them to visit a phishing or malicious page, call the "helpdesk", or download unwanted software that serves the attacker's purpose. Each of these outcomes ends in a compromised endpoint or, at the very least, stolen credentials.

The following examples represent recently detected phishing attacks within our customer base.

Real-time Example

Recently, we detected a new attack at one of our customers. The attack combined credential stealing with Scareware to trigger the "fight or flight" response in the end user.

The end user received an email claiming that their Chase bank account had been suspended and telling them to contact technical support for more information. It included the link:
hxxp://safebanking002[.]website

When the customer clicked on the link in the email, the following page appeared:

Because SlashNext analyzes web pages the way a human threat researcher would, its Active Cyber Defense System detected the page immediately and automatically, whereas the rest of the industry plays catch-up on zero-day threats. The VirusTotal screenshots below, taken over a period of 3 days, show the results.

Traditional signature- and sandbox-based detection engines fail to catch these "zero-day" Scareware pages, or social engineering attacks in general. That leaves individual victims to rely on personal judgement or past experience, which most often falls short for lack of user education.
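As an added illustration of the page traits described above (this is not SlashNext's engine and not code from this post), the Python below refangs the defanged link from the email and scores a page's visible text for the Scareware cues: an alert that the computer or account is compromised, an instruction to call support, a phone number in the page body, and a brand name appearing on a page served from an unrelated domain. The sample page texts, the phrase list, the brand table, the phone number and the scoring threshold are all constructed for the example; a real deployment would tune them against its own traffic.

```python
import re
from urllib.parse import urlparse

# Phrases typical of the Scareware dialog described in the post.
# Constructed for this example; not a vendor signature set.
SCARE_PHRASES = (
    r"your (computer|pc|account) has been (compromised|infected|suspended|locked)",
    r"(call|contact) (technical|tech|customer) support",
    r"do not (close|restart|shut ?down)",
    r"(immediately|within \d+ (hours|minutes))",
)

# North American phone number with common separators (constructed pattern).
PHONE_RE = re.compile(r"\b(\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")

# Brands whose name or logo a Scareware page may borrow, mapped to the
# domain that is allowed to mention them. Constructed table for the example.
BRANDS = {"chase": "chase.com", "microsoft": "microsoft.com"}

# Constructed sample inputs: the defanged link from the post, a page body
# modelled on the Scareware dialog it describes, and a benign page.
DEFANGED_LINK = "hxxp://safebanking002[.]website"
SCAREWARE_TEXT = (
    "CHASE Security Alert. Your account has been suspended due to suspicious "
    "activity. Your computer has been compromised. Do not close this window. "
    "Call technical support immediately at 1-800-555-0100 to resolve the issue."
)
BENIGN_URL = "https://www.chase.com/"
BENIGN_TEXT = "Welcome to Chase Online. Sign in to view your accounts."


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into a parseable URL."""
    url = indicator.strip()
    url = re.sub(r"^hxxps://", "https://", url, flags=re.IGNORECASE)
    url = re.sub(r"^hxxp://", "http://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")


def registered_domain(url: str) -> str:
    """Last two labels of the host (a simplification; no public-suffix list)."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def score_page(url: str, page_text: str) -> dict:
    """Score visible page text for Scareware cues and return the reasons."""
    text = page_text.lower()
    domain = registered_domain(url)
    reasons = []
    score = 0
    for pattern in SCARE_PHRASES:
        if re.search(pattern, text):
            reasons.append(f"scare phrase: /{pattern}/")
            score += 2
    if PHONE_RE.search(text):
        reasons.append("support phone number in page body")
        score += 2
    for brand, legit_domain in BRANDS.items():
        # A borrowed brand name on a page served from an unrelated domain
        # is the strongest single cue, so it weighs more.
        if brand in text and domain != legit_domain:
            reasons.append(f"mentions {brand} but served from {domain}")
            score += 3
    verdict = "scareware" if score >= 5 else "benign"
    return {"url": url, "domain": domain, "score": score,
            "verdict": verdict, "reasons": reasons}


def analyze_samples() -> dict:
    """Run both constructed samples and return the verdicts by label."""
    return {
        "scareware": score_page(refang(DEFANGED_LINK), SCAREWARE_TEXT),
        "benign": score_page(BENIGN_URL, BENIGN_TEXT),
    }


if __name__ == "__main__":
    for label, result in analyze_samples().items():
        print(label, result["verdict"], result["score"])
        for reason in result["reasons"]:
            print("  -", reason)
```

The threshold of 5 means a lone scare phrase or a lone phone number is not enough on its own; the page has to combine the urgency language with a contact channel or a borrowed brand before it is flagged, which is the combination the post describes.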

The SlashNext Active Cyber Defense System automates the detection and blocking process with a dynamic analysis engine that leverages unprecedented machine learning and artificial intelligence algorithms which, essentially, mimic an intelligent human analysis process at CPU speed.