Social engineering follows seasonal patterns. It’s also connected to major events. We see this every year with holiday-themed phishing attacks between Thanksgiving and New Year’s Day.
We’re seeing it now with last week’s implementation of GDPR, the European Union’s General Data Protection Regulation. GDPR took effect on May 25th. In this case the phishbait is the claim that Apple is proactively preparing to better protect your data.
This sophisticated phishing scam targets Apple users, threatening them with account suspension. If a user falls for this social engineering tactic and is manipulated into acting to head off the threatened suspension, they’re redirected to an “account rescue site” which of course exists to extract credentials and other personal financial information.
The phishing website is a legitimate-looking but fake Apple site. It presents itself as a place where users can rescue their account from being “restricted.”
In addition to looking legitimate, this website is more sophisticated than most phishing sites because the bad guys correctly set the web directory permissions, and encrypted the spoofed site using Advanced Encryption Standard (AES) – allowing it to bypass some anti-phishing tools embedded in antivirus solutions.
One of the things the victims are asked to do is “update payment details.” Once they’ve entered the requested information, the scammers say, the victims will see their accounts “returned to normal”. Upon completion the victims are asked to click a button labeled “unlock.” Doing so sends the information they’ve just entered directly to the scammers.
The site looks legitimate, but as usual there are red flags. First, the phishing emails were not all that highly targeted: some of the recipients aren’t even Apple users. Second, the URL is off. For all of its convincing appearance, it’s not an Apple site at all.
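The “URL is off” red flag can be checked mechanically. The following is an added example, not code from the original post: it classifies each link in a message by whether its registrable domain really belongs to Apple, whether the brand name is merely used as a subdomain or keyword in a foreign host, or whether the host is a one-character lookalike. The allowlist, the brand tokens and the sample links are constructed assumptions for illustration.

```python
"""Flag links that invoke Apple but resolve outside Apple's own domains."""
from urllib.parse import urlparse

# Assumption: registrable domains the brand actually owns. A real deployment
# would load this allowlist from the security team's maintained brand list.
BRAND_DOMAINS = {"apple.com", "icloud.com"}
# Assumption: tokens whose presence in a non-brand host is suspicious.
BRAND_TOKENS = ("apple", "icloud")

# Constructed sample links modelled on the lure described above (not real URLs).
SAMPLE_LINKS = [
    "https://appleid.apple.com/account/manage",
    "http://apple.com.account-rescue.example/unlock",
    "https://apple-id-gdpr-update.example/verify?uid=1",
    "https://appie.com/restricted",
    "https://example.org/newsletter",
]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Naive on purpose: it ignores public
    suffixes such as co.uk, which a production check should handle."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in BRAND_DOMAINS:
        return "brand"            # genuinely under a domain the brand owns
    if any(tok in host for tok in BRAND_TOKENS):
        return "brand-in-host"    # brand name used as subdomain or keyword only
    if any(edit_distance(reg, b) <= 1 for b in BRAND_DOMAINS):
        return "lookalike"        # one-character typo-squat of the brand domain
    return "other"                # unrelated host; not a brand-impersonation signal


def suspicious_links(urls):
    """Return (url, verdict) pairs worth a closer look before anyone clicks."""
    return [(u, v) for u in urls for v in [classify_link(u)] if v in ("brand-in-host", "lookalike")]
```

Run over a message's extracted links, anything tagged brand-in-host or lookalike is the “URL is off” case and is worth escalating regardless of how polished the landing page looks.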
Companies worldwide are indeed working on becoming GDPR compliant (part of that: train your users!) and are trying to make sure that the people whose data they’ve collected have in fact consented to hand it over. Criminals are aware of this and are following suit. You should remind your users that GDPR took effect last week, and that they should be wary of this flavor of social engineering.
Expect other, similar campaigns to hit the wires in the next few weeks. Do not click on links in emails or open suspicious attachments that claim any kind of problem with “GDPR”.
Cyber-attacks are rapidly getting more sophisticated. GDR Group will help train your employees to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks. Take the first step now and email firstname.lastname@example.org to request a quote for security awareness training for your organization.