ATO/BEC Threat Intel
Cybercriminals Take Advantage of Mass Unemployment in Phishing Scams
By Charles Brook
07 April 2021
The global COVID-19 pandemic has wreaked havoc on job markets. In the US, the unemployment rate stands at 6.2 percent, and in the UK it is estimated that around 2.2 million people, or 6.5% of all workers, could be unemployed by the end of the year. Cybercriminals are taking note.

When Tessian researchers analyzed suspicious emails relating to ‘unemployment’ and associated terms that were flagged by our inbound solution, Tessian Defender, they saw a notable spike in suspicious emails related to unemployment and COVID-19 in the week of 24th February, the week in which President Biden announced the third round of stimulus checks, which would send billions of dollars to people without jobs. Our researchers also noted a spike in suspicious activity during the week of 8th March, when the COVID-19 stimulus checks started being received. They found that:

In the week of 24th February, the number of suspicious unemployment and COVID-19 related emails was 40% higher than the weekly average of such emails detected since the start of 2021. The number of unemployment-themed emails alone was 16% higher than the weekly average.
In the week of 24th February, the number of unemployment and COVID-19 related emails was 50% higher than the previous week.
In the week of 8th March, the number of suspicious unemployment and COVID-19 related emails was 51% higher than the weekly average recorded since the start of 2021.
The number of unemployment and COVID-19 related emails detected during the week of 8th March was 69% higher than the previous week.

Over the last 12 months, cybercriminals have capitalized on the fear, uncertainty and doubt created by the global pandemic to make their scams as believable and convincing as possible.
At the start of 2021, for example, Tessian reported a surge in newly registered domains related to the vaccine roll-out and confirmed that a number of these websites were malicious and designed to harvest people’s financial information and account credentials. Now, cybercriminals are launching scams that prey on people who are vulnerable, out of work and urgently looking for relief. They are well aware that these individuals may apply a little less scrutiny to the messages they receive, especially if the emails appear to have come from a legitimate and trusted sender.

How do unemployment scams work?

Here is how a typical unemployment-related scam works:
A fake job posting is listed on legitimate job sites. Scammers often spoof or impersonate small businesses, because these companies are less likely to monitor their job listings.
An applicant responds to the ad and is sent a generic email asking them to perform a task as part of the interview process. These phishing emails may contain malicious attachments that applicants are asked to download, or links to fake websites that ask applicants to enter sensitive or personal information. This information can then be used to commit identity fraud.
Scammers will also ask applicants to click on a link to a fake credit check website, where they are asked to share financial information or wire money.

Cybercriminals can also identify targets via social media sites like LinkedIn. A recent Tessian report found that 93% of people share job updates online. While it is common for people to let their networks know that they have been laid off and are looking for work, they are also unknowingly giving cybercriminals the information they need to craft convincing social engineering attacks designed to steal personal information.

The FBI has released warnings about unemployment scams, disclosing that many U.S. citizens have been victimized by bad actors “impersonating the victims and using the victims’ stolen identities to submit fraudulent unemployment insurance claims online.” In fact, figures from a watchdog for the U.S. Department of Labor reveal that Americans have lost a shocking $63 billion of unemployment funds during the pandemic to improper payments and fraud, while the Illinois Department of Employment Security reports having stopped around 1.1 million claims involving identity theft in the past year. In many cases, victims do not even realize they have been targeted until they later try to file for unemployment insurance benefits, receive a notification from the state unemployment insurance agency, or are notified by their employer that a claim has been filed while the victim is still employed.
What can you do to avoid falling victim to these scams?

It is always worth remembering that an official government agency or state workforce agency (SWA) will not contact you out of the blue asking you to apply for UI benefits via an email or a text. So if you do receive a message like this, do not click on the links or comply with the requested actions. We also recommend that you:
Inspect emails carefully. Check that the sender’s address is on an official .gov domain and that the domain matches the organization the sender’s display name claims to represent. A display name can be set to anything, so it is the address, not the name, that counts.
Don’t click on anything unless it is from a legitimate source. Verify the legitimacy of the sender by calling the organization or agency directly, using a number you look up yourself rather than one given in the message.
Adopt two-factor authentication and avoid reusing the same password across different sites. Password managers such as 1Password generate unique passwords and store them in an encrypted vault.
Monitor your bank accounts regularly to check for any fraudulent activity.
Threat Intel
How Easy is it To Phish?
By Charles Brook
17 March 2021
You might assume that to carry out a phishing campaign you would need to be fairly tech savvy or have spent a lot of time learning how to become a “hacker”. But this is not necessarily the case.

Part of the continued increase in both the volume and sophistication of phishing attacks is due to the availability of free, open-source social engineering tools. These tools are primarily intended for security professionals, but they are not exclusively available to them. With a little Googling, they can be found and put to use by anyone, not just experienced cybercriminals. It is easier if an individual already has a fairly technical background, but this is not a requirement.

This blog is for educational purposes only, intended to help security professionals protect themselves against these email threats by better understanding how they are created.

Creating a phishing campaign

All anyone needs to create their own phishing campaign is:
An anonymous or disposable email address
A target
The ability to follow instructions

One tool commonly used by malicious and ethical hackers alike is the Social-Engineer Toolkit, or SET for short. It is part of the default toolset preinstalled on Kali, a Linux distribution built specifically for penetration testing and information security work. SET provides a menu-driven command line interface that walks the user step by step through building a social engineering scenario, including phishing. With this tool a cybercriminal can easily run a mass phishing campaign against a list of email addresses they have sourced, or a more personalized and targeted spear phishing campaign. Depending on the type of attack, it can also clone a website login page to harvest credentials, or generate a malicious file to infect targeted machines.
SET is an extremely powerful tool for crafting social engineering attacks. It does require a reasonable level of technical understanding, though, and, as stated at the start of this blog, not all cybercriminals need a deep technical background to create a phishing attack. Worryingly, a number of free open-source tools provide would-be attackers with simple guides to building and deploying phishing campaigns.

Gophish is another free and open-source platform for crafting and deploying phishing campaigns, with the added benefit of a friendly graphical user interface. These tools tend to be used by security professionals for testing and training, but they are available to anyone, which unfortunately includes people with bad intentions. That means bad actors could leverage them to compromise an individual or organization. Tools like these require only a small amount of research to find, and there is no shortage of tutorials explaining how to operate them. They often have the functionality to clone existing web pages and create fake or look-alike landing pages to make campaigns more convincing. Some even provide reporting functionality that visualizes the “performance” of a campaign: an attacker can view how many people were reached, how many clicked a link, and how many credentials were captured or machines infected.
An even more basic method of phishing is display name impersonation, which requires no special tools at all. All an attacker has to do is register a new email address and change the display name on the account to that of someone the target trusts. The display name is free text chosen by the sender and is not authenticated by anything, so it proves nothing about who sent the message. This is particularly effective against recipients reading email on mobile devices, whose mail clients typically show only the display name and hide the underlying address.

Phishing for Hire

A cybercriminal does not have to carry out an attack on their own. Hacking for hire is available across the less reputable parts of the internet, like the dark web: the part of the internet only reachable with special software that lets someone browse anonymously, and where illegal or black-market activity regularly takes place. All you need to hire a hacker for a phishing campaign is:
The ability to view the dark web via an anonymizing browser
Some cryptocurrency

Accessing and browsing the dark web is also not as difficult as many might think. The Tor Project offers the most commonly used browser for browsing anonymously and reaching dark web sites. From this browser, you can use the default search engine to look for pages that list links to dark web marketplaces. Some of these links are even referenced by articles or research pieces indexed by major search engines, making them easier to find. With enough browsing you will find more and more “hidden wiki” pages that provide further links for navigating the dark web. There is a reasonable element of risk in browsing the dark web: plenty of scams and fake services exist, which even an experienced cybercriminal could fall victim to. But if careful and persistent enough, it is not too difficult for an individual to find someone who could build and deploy a phishing campaign for them.
These will be pages maintained by cybercriminals, outlining their services for hire, the specific techniques they offer, and their pricing structure. There are even reviews of hacking-for-hire services available, so that users can find the ones that will be the most reliable!
The cost of hiring a hacker? It varies depending on who is hired and the specific service required, but services that might involve social engineering could start from as little as $200 to $300 in cryptocurrency.

An example of a phishing attack detected by Tessian

Phishing attacks can take many forms. Here is one example of a phishing email that was flagged by Tessian Defender:
In this example, an attacker is attempting to convince the recipient that they are a new HR Manager from an outsourced firm (a third-party vendor). The key indicators that identify this as a phishing email are:
It contains hyperlinked text concealing a link to a malicious website. Hovering over the text reveals the suspicious URL.
The sender plays on human kindness by pretending to be a new starter looking for help.
A sense of urgency is used to encourage the recipient to act fast or something bad might happen.
There are some minor grammatical errors, which are common in phishing emails.
The email domain is rarely seen across networks defended by Tessian. This is an additional flag made possible by insight generated by the Tessian Defender platform.

This type of phishing email could easily have been constructed, distributed and tracked by a cybercriminal using an open-source social engineering tool. Tessian Defender was able to identify the anomalous signals in this email and nudge the recipient into exercising caution. Looking for more examples of phishing attacks flagged by Tessian Defender? Check out this article.

Conclusions

The main conclusion is that it really isn’t very difficult for anyone to launch a phishing attack as long as they have the time and the will to do so. Some methods may require a little more technical ability or research than others, and some may be riskier. But the availability of advanced and intuitive social engineering tools makes phishing very accessible and simple to do. This is likely a factor in why phishing volumes are so high and why new campaigns appear all the time. It is the newer and more targeted spear phishing campaigns that present the greatest threat to individuals and organizations, as they are harder to spot. The newer a phishing campaign is, the less likely it is to be flagged by conventional spam filters or rule-based detection platforms, which depend on having seen the campaign before.
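The indicators listed above, together with the display name impersonation described earlier in the post, can be checked mechanically on a raw message. The following Python script is an added example and is not Tessian Defender's detection logic: it parses the From header, compares the display name against a directory of known contacts, compares each link's visible text with its real target, flags sender and link domains never seen before, and looks for urgency phrases. The contact directory (TRUSTED_CONTACTS), the seen-domain list (SEEN_DOMAINS), the URGENCY_PHRASES list, and both sample messages are constructed for the example; a real deployment would populate the first two from its directory service and mail-flow history.

```python
"""Heuristic checks for the phishing indicators discussed in this post.
Added example, not Tessian Defender's logic: the contact directory, the
seen-domain list, the urgency phrases and both messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_CONTACTS = {"jane doe": "example.com"}   # constructed: known people and their domain
SEEN_DOMAINS = {"example.com", "partner.example"}  # constructed: domains seen in this mail flow
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "as soon as possible")


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def html_body(msg) -> str:
    """Decoded text/html part of a message (single-part or multipart), or ''."""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def analyze(raw_message: str) -> list:
    """Return human-readable indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    findings = []
    # Display name impersonation: a familiar name on an unfamiliar address.
    expected = TRUSTED_CONTACTS.get(display_name.strip().lower())
    if expected and expected != sender_domain:
        findings.append(f"display name '{display_name}' expected on {expected}, sent from {sender_domain}")
    # A sender domain this mail flow has never seen before.
    if sender_domain and sender_domain not in SEEN_DOMAINS:
        findings.append(f"sender domain {sender_domain} not previously seen")
    # Hyperlink text that advertises one host while the href goes elsewhere.
    body = html_body(msg)
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        link_host = host_of(href)
        looks_like_url = re.fullmatch(r"\S+\.\S+", text) is not None
        shown_host = host_of(text if "://" in text else "http://" + text) if looks_like_url else ""
        if shown_host and shown_host != link_host:
            findings.append(f"link text shows {shown_host} but points to {link_host}")
        elif link_host and link_host not in SEEN_DOMAINS:
            findings.append(f"link to unfamiliar host {link_host}")
    # Urgency language in the visible text.
    visible = re.sub(r"<[^>]+>", " ", body).lower()
    hits = [p for p in URGENCY_PHRASES if p in visible]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed lure modelled on the HR-manager example above.
SAMPLE = """\
From: Jane Doe <jane.doe@hr-onboarding-services.example>
To: recipient@example.com
Subject: Quick favour from your new HR Manager
Content-Type: text/html; charset=utf-8

<html><body><p>Hi! I'm the new HR Manager at the outsourced HR firm. I urgently need
you to confirm your details today, otherwise payroll will be delayed.</p>
<p>Please confirm at <a href="http://login-portal.badexample.net/verify">hr.example.com/verify</a>.</p>
</body></html>
"""

# Constructed benign message from the same contact on her real domain.
BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: recipient@example.com
Content-Type: text/html; charset=utf-8

<html><body><p>The lunch menu is <a href="https://example.com/lunch">here</a>.</p></body></html>
"""

if __name__ == "__main__":
    print(analyze(SAMPLE), analyze(BENIGN))
```

Run it and SAMPLE produces four findings (display name on the wrong domain, an unseen sender domain, link text that does not match the real target, and urgency language) while BENIGN produces none. None of these checks is conclusive on its own; the point, as with the indicators above, is that several weak signals together separate the lure from a normal message from the same contact.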
If the campaign is highly targeted, it will likely have been tailored to have the best chance of bypassing legacy controls and deceiving the target. The social engineering tools described in this post make it much easier to customize a phishing campaign for a specific target demographic.

What can you do to protect yourself?

Most spam filters and rule-based email protection platforms can detect and mitigate the majority of known or recurring phishing campaigns. But this only applies to known campaigns, and detection platforms are only as good as their latest release, which is why it is important to keep your software up to date.

One way to reduce your risk of compromise if you ever do fall for a credential-harvesting phishing attack is to make sure all your major online accounts have two-factor or multi-factor authentication enabled. An attacker who has your password then also needs the second factor to log in. Note that attacker-in-the-middle phishing kits can relay a one-time code in real time, so a hardware security key or another phishing-resistant factor gives stronger protection than codes sent by SMS or an authenticator app. It is also best practice to avoid reusing the same password across accounts. A common technique used by attackers holding a list of stolen credentials is to try them against many other online services, on the off chance that the same email address and password combination has been reused. This technique is referred to as credential stuffing.

Organizations can make it harder for cybercriminals to spoof their domains by publishing and maintaining DMARC records, which tell receiving mail servers what to do with mail that fails SPF and DKIM alignment checks for the organization’s domain. They can go a step further by adding canarytokens to their web pages, so it is easier to spot when cybercriminals clone their website for use in phishing campaigns. But even DMARC isn’t enough to stop targeted impersonation attacks: it only covers mail that claims to come from the protected domain itself, and does nothing against look-alike domains, display name impersonation, or mail sent from a third-party domain the attacker legitimately registered.
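A DMARC record is short, but its tags interact in ways that are easy to get wrong: a p=reject with pct=10 enforces almost nothing, and a strong p= with a weak sp= leaves every subdomain spoofable. The following Python script is an added example, not Tessian code or part of any standard library. It parses a record string into its tags, validates the required ones, lists the gaps a spoofer could still exploit, and collapses that into a one-word rating. Records are passed in as strings so it runs offline; the three records in EXAMPLES are constructed, and fetching the real TXT record at _dmarc.<domain> is left to a DNS library such as dnspython.

```python
"""Parse a DMARC TXT record and report how much spoofing protection it gives.
Added example, not Tessian code. The records in EXAMPLES are constructed;
in practice the string comes from the TXT record at _dmarc.<domain>."""
from dataclasses import dataclass

STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcRecord:
    policy: str            # p=     what receivers do with mail failing DMARC
    subdomain_policy: str  # sp=    same for subdomains (defaults to p)
    pct: int               # pct=   share of failing mail the policy applies to
    rua: list              # rua=   where aggregate reports are sent
    adkim: str             # adkim= DKIM alignment, r(elaxed) or s(trict)
    aspf: str              # aspf=  SPF alignment, r or s


def parse_dmarc(record: str) -> DmarcRecord:
    """Split 'tag=value; tag=value' into a DmarcRecord, validating required tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489: v=DMARC1 must come first and p= is mandatory.
    first = record.strip().split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        raise ValueError("not a DMARC record: must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("DMARC record is missing the required p= tag")
    policy = tags["p"].lower()
    if policy not in STRENGTH:
        raise ValueError(f"unknown policy {policy!r}")
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy not in STRENGTH:
        raise ValueError(f"unknown subdomain policy {subdomain_policy!r}")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        raise ValueError("pct= must be an integer") from None
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return DmarcRecord(policy, subdomain_policy, pct, rua,
                       tags.get("adkim", "r").lower(), tags.get("aspf", "r").lower())


def assess(rec: DmarcRecord) -> list:
    """Return the gaps a spoofer could exploit; an empty list means fully enforcing."""
    issues = []
    if rec.policy == "none":
        issues.append("p=none: receivers only report, spoofed mail is still delivered")
    elif rec.policy == "quarantine":
        issues.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    if rec.pct < 100:
        issues.append(f"pct={rec.pct}: policy applied to only {rec.pct}% of failing mail")
    if STRENGTH[rec.subdomain_policy] < STRENGTH[rec.policy]:
        issues.append(f"sp={rec.subdomain_policy} is weaker than p={rec.policy}: "
                      "subdomains can still be spoofed")
    if not rec.rua:
        issues.append("no rua=: no aggregate reports, so spoofing attempts go unnoticed")
    return issues


def rating(rec: DmarcRecord) -> str:
    """Collapse assess() into a one-word verdict."""
    if rec.policy == "none":
        return "monitoring only"
    if rec.policy == "reject" and rec.subdomain_policy == "reject" and rec.pct == 100:
        return "enforcing"
    return "partial"


# Constructed examples, not any real domain's records.
EXAMPLES = {
    "weak": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "strong": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
}

if __name__ == "__main__":
    for name, record in EXAMPLES.items():
        rec = parse_dmarc(record)
        print(f"{name}: {rating(rec)}")
        for issue in assess(rec):
            print("  -", issue)
```

The "partial" record is the instructive one: p=quarantine reads as protection, but with pct=25 three quarters of failing mail is delivered normally, sp=none leaves every subdomain open, and with no rua= the organization never learns it is being spoofed. Only the "strong" record comes back with no issues. Even that record, as the text above notes, says nothing about look-alike domains or display names.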
Targeted spear phishing can be much harder to detect with automated tools. This is why it is important to be vigilant if you receive a suspicious looking email appearing to originate from someone you trust. If the content of the email or the behavior surrounding it feels abnormal in any way, then this can be a strong indicator that something is not right. You can find some specific examples of red flags to look out for in this article: What Does a Spear Phishing Email Look Like? Tessian Defender aims to identify this sort of anomalous behavior to help keep you protected from attackers who may try to socially engineer you into letting your guard down so they may achieve their malicious goals. You might have assumed that phishing requires a lot of skill and technical knowledge, but you’d be mistaken. Anyone can be phished by anyone.