What would you do if you received this message on LinkedIn?
Phishing attacks are a nightmare for security managers, and for good reason. The vast majority of successful breaches (over 70% according to research) start with a phishing attack. Compared to other attack vectors, phishing is cheaper and easier to execute at scale, and because it relies on human error to succeed it is harder to prevent. Software tools and staff training do help, but some attacks are so well built that it is easy to see why we are all potential victims. In this case, it takes only one tired office worker, maybe at the end of their shift, maybe unhappy in their current job, to fall for the scam. Allison Charnews looks like a legitimate Amazon employee and offers you a job via DM, a C-suite role no less. Her LinkedIn account states that she is indeed an Amazon employee. It sounds almost too good to be true, but wouldn't you at least want to look at the job description? Clicking the link for more details about the JD sends us to a lookalike M365 login page. We enter our credentials, and we are shown the job description:
Except that this was not the real M365 login page. We have just handed our M365 credentials, and with them access to all our M365 data (emails, files, chats and possibly any connected third-party apps), to the attacker.
Are we helpless against phishing?
The problem is that our eyes are easily deceived, and we most likely did not notice that the URL of the M365 lookalike site was not on outlook[.]office[.]com. Unfortunately, traditional web filtering on the firewall, or advanced anti-virus, would most likely have failed us here as well: a blocklist can only contain domains that have already been reported, so it is unlikely that dsdstaffing[.]cc was on theirs. This is why at AP Lens we have reversed the approach.
The game changer
Instead of trying to identify unsafe sites in order to block them, AP Lens goes the other way.
In a work environment, employees spend most of their time on a relatively small number of sites. AP Lens whitelists those sites, and users browse them as usual. Any other website, which has not been vetted and might be unsafe, is rendered in the AP Lens sandbox browser running on a cloud server and only displayed on the user's device. In the case above, a user protected by AP Lens would, before being redirected to the attacker's site dsdstaffing[.]cc, be warned that they are about to visit a site that is neither vetted nor whitelisted, and that they should not enter any credentials there if asked. The user would also be told that they are not on the real M365 website, which they can open directly, without being redirected.
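To make the difference between the two approaches concrete, here is an added example (it is not AP Lens's code and is not part of the original post) of a minimal URL policy written in Python. The allowlist contents, the blocklist contents and the sample URLs are constructed assumptions; only dsdstaffing[.]cc and outlook[.]office[.]com come from the incident above. It shows why a blocklist lets the lookalike through, and how an allowlist decision routes anything unvetted to an isolated browser with a credential warning, while also catching the usual tricks that make a lookalike URL resemble the real one (the real name as a subdomain, the real name in the userinfo part, a near-miss name, a bare IP address).

```python
"""Allowlist ("vetted sites") versus blocklist URL policy.

Added example: not AP Lens's code. The domain sets and sample URLs below are
constructed for illustration; only dsdstaffing.cc and outlook.office.com come
from the incident described in the post.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption: the handful of sites this imaginary tenant has vetted.
ALLOWLIST = {"office.com", "microsoftonline.com", "microsoft.com", "linkedin.com"}

# Assumption: a threat feed that has not (yet) seen the attacker's domain.
# Blocklists are reactive: a domain is added only after someone reports it.
BLOCKLIST = {"known-bad.example"}


def parsed_host(url):
    """Hostname a browser would actually connect to, lowercased, or None.

    urlsplit().hostname drops userinfo, so 'https://outlook.office.com@dsdstaffing.cc'
    resolves to 'dsdstaffing.cc', which is exactly where the browser would go.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".")  # 'office.com.' is the same as 'office.com'


def host_matches(host, domains):
    """True if host is one of the domains or a subdomain of one.

    Matching on label boundaries means 'outlook.office.com' matches 'office.com'
    but 'office.com.dsdstaffing.cc' and 'notoffice.com' do not.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def blocklist_policy(url):
    """Traditional filtering: block what is known bad, allow everything else."""
    host = parsed_host(url)
    if host is None:
        return ("reject", None, "not an http(s) URL")
    if host_matches(host, BLOCKLIST):
        return ("block", host, "host is on the blocklist")
    return ("allow", host, "host not on the blocklist (unknown means allowed)")


def allowlist_policy(url):
    """The reversed approach from the post: vetted sites load directly;
    anything else is rendered in a remote sandbox browser with a warning."""
    host = parsed_host(url)
    if host is None:
        return ("reject", None, "not an http(s) URL")
    try:
        ipaddress.ip_address(host)  # bare IPv4/IPv6 literals are never vetted
        return ("isolate", host, "bare IP address: render remotely, warn user")
    except ValueError:
        pass
    if host_matches(host, ALLOWLIST):
        return ("allow", host, "vetted site: open directly")
    return ("isolate", host,
            "unvetted site: render remotely and warn not to enter credentials")


# Constructed sample of what a user might click on.
SAMPLE_URLS = [
    "https://outlook.office.com/mail/",                 # the real thing
    "https://dsdstaffing.cc/jd",                        # the attacker's lookalike host
    "https://outlook.office.com.dsdstaffing.cc/login",  # real name as a subdomain
    "https://outlook.office.com@dsdstaffing.cc/login",  # real name as userinfo
    "https://notoffice.com/login",                      # near-miss of a vetted name
    "https://203.0.113.5/login",                        # bare IP literal
    "HTTPS://OUTLOOK.OFFICE.COM./",                     # case and trailing dot
    "javascript:alert(1)",                              # not a web address at all
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        b = blocklist_policy(url)
        a = allowlist_policy(url)
        print(f"{url}\n   blocklist -> {b[0]:<7} allowlist -> {a[0]:<7} ({a[2]})")
```

Running the script shows the blocklist returning "allow" for every URL in the list, including dsdstaffing.cc, because an unknown host is allowed by default; the allowlist returns "allow" only for the genuine outlook.office.com and sends everything else to the isolated browser. The important detail is that the allowlist is matched on the hostname the browser will really connect to, after userinfo, case and trailing dots are normalised, and on whole label boundaries, so the real domain name appearing somewhere inside a malicious URL does not earn it a pass.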
Update:
It turns out that Allison's LinkedIn profile itself had been hacked in order to carry out this attack, as stated on her LinkedIn page a few days after the attack was reported to us: