Hackers impersonate trusted brands to find their way into victims’ inboxes, because leveraging the legitimacy of a trusted domain means security solutions are more likely to view the e-mail itself as legitimate.
So says Jeremy Fuchs, cyber security researcher and analyst at Avanan, a Check Point company. “The content of the e-mail may differ from the services that the domain offers. That’s not necessarily important; what is important is leveraging the legitimate service.”
He says this is called 'the static expressway', or the practice of hackers utilising Web sites that are on static 'allow lists' to get into the inbox.
Beginning in May this year, Avanan researchers have noted hackers using the domain of QuickBooks, quickbooks.intuit.com, to send malicious invoices and request payments.
“The hackers send the e-mail from QuickBooks’ domain, using a free QuickBooks account that they have signed up for, with the e-mail body spoofing brands like Norton or Office 365,” Fuchs explains.
Attackers create accounts in QuickBooks, and then send malicious invoices and requests for payments directly from the service.
A double whammy
Bad actors use classic social engineering tactics, such as urgency and monetary damages, he says. By requiring the end-user to call to see what’s going on, the hackers then also harvest the phone number, allowing them to use it for future attacks.
“This attack then presents a one-two punch,” adds Fuchs. “The hackers get money, and have a phone number for future attacks, whether it’s via text message or WhatsApp.”
He says this attack works because of what hackers on the dark Web call a double spear: making the user call the listed telephone number, and making them pay the invoice. “Add to the fact that there’s built-in legitimacy since the e-mail comes from QuickBooks and this represents a particularly tricky and effective phishing campaign.”
Static allow lists
“This process is not unique to QuickBooks,” he explains. “Over the years, we’ve seen this across many popular brands, such as Microsoft, Google, Walgreens, DHL, Adobe and many more. The idea is to take advantage of the fact that these popular Web sites are on static allow lists.”
For obvious reasons, companies can’t block Google, so Google-related domains are allowed to come into the inbox. “These static lists are continually pilfered by hackers. This has manifested itself in hackers hosting phishing content on sites like Milanote.”
Milanote is a note-taking and collaboration app for creatives that is used to sort notes, collect ideas, organise processes, and more. Major companies, such as Uber, Chanel, Facebook, Google, and Nike, use it on a daily basis.
Share