Cybercriminals are continuously evolving their phishing attacks, introducing new techniques and tactics to trick victims, bypass security measures, and avoid detection. A new Threat Spotlight from Barracuda Networks details three novel tactics detected in phishing attacks during January 2023.
Barracuda researchers analysed data from phishing emails blocked by Barracuda systems. And while the overall volume of attacks using these tactics is currently low, with each tactic making up less than 1% of attempted phishing attacks, they are widespread, with between 11% and 15% of organisations affected, often with multiple attacks.
The first tactic involves using Google Translate web links.
The attackers use poorly-formed HTML pages or a non-supported language to prevent Google from translating the webpage. Google responds by providing a link to the original URL stating that it cannot translate the underlying website. The attackers embed that URL link in an email, and if a recipient clicks on it, they are taken to a fake but authentic-looking website that is in fact, a phishing website controlled by the attackers.
These attacks are difficult to detect since they contain a URL that points to a legitimate website. As a result, many email filtering technologies will allow these attacks through to users’ inboxes. Further, the attackers can change the malicious payload at the time of email delivery, making them even harder to spot.
“Our data shows that just under one-in-eight (13%) of organisations were targeted with this type of phishing email in January 2023, each receiving on average around eight such emails during the month," says Barracuda.
The second tactic involves image-based phishing attacks, where attackers use images instead of text in their phishing emails, which Barracuda predicts will be increasingly popular.
These images, which can be fake forms such as invoices, include a link or a callback phone number that, when followed up, leads to phishing. Because these attacks do not include any text, traditional email security can struggle to detect them.
“Our data shows that around one-in-10 (11%) organisations were targeted with this type of phishing email in January 2023, each receiving on average around two such emails during the month," adds Barracuda.
The third tactic involves using special characters, such as zero-width Unicode code points, to evade detection in phishing emails.
Hackers often use special characters, such as zero-width Unicode code points, punctuation, non-Latin script, or spaces, to evade detection. This tactic is also used in "typo-squatting" web address attacks, which mimic the genuine site but with a slight misspelling. However, when used in a phishing email, the special characters are not visible to the recipient.
The tactic can work like this. An attacker inserts a zero-width (no) space within the malicious URL embedded in a phishing email, breaking the URL pattern so that security technologies do not detect it as malicious. Detection of such attacks can also be difficult because there are legitimate purposes for using special characters, such as within email signatures.
Barracuda researchers found that in January 2023, more than one-in-seven (15%) organisations received phishing emails that use special characters in this way, each receiving, on average, around four such emails during the month.
“Phishing is a common starting point for many cyberattacks, including ransomware, financial fraud and credential theft, and cybercriminals continue to develop their phishing approaches to trap unwary recipients and avoid being spotted and blocked,” says Olesia Klevchuk, product marketing director, Email Protection at Barracuda.
“To defend your organisation, you need AI-enhanced email protection that can inspect the context, subject, sender, and more to determine whether a benign-looking email is in fact a well-disguised attack. You also need to train your employees to understand, identify and report suspicious messages, plus tools that enable you to quickly identify and remove any traces of a malicious email from user inboxes and compromised accounts should a malicious email manage to break through."