Cybercriminals have added a new weapon to their arsenal: spear-phishing using Google Alerts.
Internet Security Awareness Training (ISAT) firm KnowBe4 is warning small and medium enterprises (SMEs) to proceed with caution before clicking any links in alert results, as cyber thieves are now creating bogus articles to lure their victims to infected websites.
Many companies use Google Alerts to track online mentions of their company name, executive names and product names.
The user specifies a topic, and Google will send an email or update an online feed with the latest news stories pertaining to that subject. The results are gathered from all over the Web, and while most come from legitimate sources, cybercriminals have realized that they can use this valuable tool for their own illicit purposes.
According to KnowBe4 founder and CEO Stu Sjouwerman (pronounced “shower-man”), cybercriminals begin by creating a website that is designed to deliver a “drive-by” malware download when a user arrives at the site. Next, they publish a phony article featuring the name of the company, product or person they are targeting.
This is considered “spear-phishing” because the attack is aimed at a specific organization or individual, and the perpetrator often uses prior knowledge of the target to make the message more believable. When recipients see this planted story in a Google Alert and click to read the article in its entirety, they arrive at the infected website – which then delivers its malicious payload and immediately compromises the user’s PC. Once the cybercriminals have gained control of a single computer, they can leverage that access to penetrate the entire network.
“I’ve been using Google Alerts for years to track stories about my business, so once again I’m amazed at how creative and enterprising the bad guys are proving to be,” said Sjouwerman. “This spear-phishing tactic is an advanced persistent threat that can sneak in under the radar, hidden among other valid news stories. Most people are so familiar and comfortable with Google Alerts that they don’t think twice before clicking a link to view an article – and that’s what cybercriminals are banking on.”
Sjouwerman notes that this type of attack can be especially hard to prevent because it’s so targeted: “Basic anti-virus software is no match for these emerging threats, which play to the human element and use social engineering to convince people to click. All layers of your IT security defense must be deployed and effective for this latest spear-phishing tactic to be caught. Make sure you address each level of security, including your policies, procedures and end-user awareness, as well as your perimeter, internal network, host, application and data security measures.”
KnowBe4 offers a free phishing security test to help business owners and managers find out what percentage of their staff is Phish-prone™, or susceptible to phishing attacks.
“After completing our phishing security test, some of our clients found that nearly half of their employees were Phish-prone – which gives you an idea of the severity of this issue,” remarked Sjouwerman.
“However, the good news is that implementation of Internet Security Awareness Training can immediately reduce that Phish-prone percentage by 75% or more. After four weeks of subsequent testing and retraining, all of our clients achieved a Phish-prone percentage that was at or close to zero.”
What’s the remedy?
Sjouwerman advises Google Alerts users to preview the URL before clicking any link. “By hovering a mouse over the link, readers can see the URL it is directing to. If it’s an unknown website, do not click! It’s best to only view stories posted on familiar news and syndication websites. While it’s not always safe to travel the Web, security awareness training can help users stay abreast of cybercriminals’ latest tricks and techniques.”
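One way to apply the "preview the URL before clicking" advice above in an automated triage step, as an added example that is not part of the original article or of KnowBe4's material: the script below takes the links from an alert digest, unwraps a redirector that carries the real destination in a `url` query parameter (an assumption about the link format, not something the article states), and flags any link whose registrable domain is not on a list of familiar news and syndication sites. The allowlist, the sample links and every domain name in it are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist of "familiar" news and syndication domains.
# Assumption: each organisation maintains its own list; these are placeholders.
FAMILIAR_DOMAINS = {"example-news.com", "example-wire.org"}


def unwrap_redirect(link):
    """Return the real destination if the link is a redirector whose `url`
    query parameter carries the target (assumption: the redirector pattern
    used by some alert services); otherwise return the link unchanged."""
    parts = urlsplit(link)
    target = parse_qs(parts.query).get("url")
    return target[0] if target else link


def registrable_domain(host):
    """Simplified registrable domain: the last two DNS labels. Production code
    should use a public-suffix list so that e.g. co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_link(link, allowlist=FAMILIAR_DOMAINS):
    """Classify one alert link as 'ok' (familiar site) or 'review' with the
    reasons a human should look at before anyone clicks it."""
    dest = unwrap_redirect(link)
    parts = urlsplit(dest)
    host = parts.hostname or ""
    reasons = []
    if parts.scheme not in ("http", "https"):
        reasons.append("non-web scheme")
    if not host:
        reasons.append("no host")
    elif is_ip_literal(host):
        reasons.append("bare IP address host")
    elif any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised label; may be a lookalike of a familiar name.
        reasons.append("punycode host")
    elif registrable_domain(host) not in allowlist:
        # Matching on the registrable domain, not a substring, is what stops
        # "example-news.com.evil.test" from passing as example-news.com.
        reasons.append("unfamiliar domain")
    return {
        "link": link,
        "destination": dest,
        "host": host,
        "verdict": "ok" if not reasons else "review",
        "reasons": reasons,
    }


def triage_alert(links, allowlist=FAMILIAR_DOMAINS):
    """Classify every link in an alert digest and return the results."""
    return [classify_link(link, allowlist) for link in links]


# Constructed sample links, as they might appear in one alert digest.
SAMPLE_ALERT_LINKS = [
    "https://example-news.com/story/acme-quarterly-results",
    "https://redirector.example/url?rct=j&url=https%3A%2F%2Fexample-wire.org%2Facme&ct=ga",
    "https://example-news.com.evil.test/story/acme-quarterly-results",
    "http://203.0.113.5/acme-breaking-news",
]

if __name__ == "__main__":
    for result in triage_alert(SAMPLE_ALERT_LINKS):
        print(result["verdict"].upper(), result["host"], ", ".join(result["reasons"]))
```

The check is deliberately a triage aid rather than a blocker: it surfaces the same information a reader gets by hovering over a link, but for every link in the digest at once, and it leaves the decision with the person who knows which outlets the company actually follows.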