In response to reports that the cybercriminals behind a recently observed phishing campaign used a clever ruse, a bogus NortonLifeLock document, to fool victims into installing a remote access tool (RAT) of a kind typically used for legitimate purposes, experts provide insight below.
Any scam which installs a RAT is quite worrying, as it can stay on a victim's computer for a long time before being discovered, allowing criminals to see all activity that they undertake, including accessing their passwords, and even MFA codes.
This, like most malware attacks we see, begins with social engineering, be it malware-ridden documents or emails claiming to be from a provider asking you to download updates.
It is why it is increasingly important for organisations to provide effective security awareness and training to employees so that they can not only identify potential phishing attacks, but be able to easily report them for further investigation.
This is another great example of sophisticated phishing that bypasses many technical security controls and people's common sense. It's no surprise that social engineering and phishing account for 70% to 90% of all malicious data breaches. The bad guys like to use password-protected documents because IT inspection tools can't easily open the document to look for malicious code, so the document swishes right past all the technical defenses. All that is left is for the email and document cover to trick the user into typing in the password and allowing the contained malicious content to execute. It's surprising to most IT people that someone could be tricked into ignoring one or more warnings against enabling malicious content, but if those people aren't educated about what a serious and risky decision it is to enable document active content, they just don't know. That's what security awareness training is all about. Even with the right information and education, some people will make the wrong decision, but that percentage is far, far less, near zero. That should be the goal of any security awareness training program — to create a healthy level of skepticism and to help people spot and report suspicious things. Because phishing emails will always make it past your technical defenses, no matter how good they are, you have to make users aware and train them what to do when they see something suspicious.
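The quote above makes the point that password-protected attachments cannot be content-scanned. One defensive response is to have the mail gateway at least recognise such attachments and route them for review rather than letting them through unscanned. The following is an added example written for this page, not code from the article or from any product it mentions; the sample attachments are constructed byte strings, and the structural checks are a heuristic (it will not catch every legacy encryption scheme).

```python
"""Flag attachments that look like password-protected Office files or ZIPs.

Added example for a mail-gateway triage step; not from the original article.
Heuristic: encrypted OOXML (.docx/.xlsx/.pptx) is stored inside an OLE
container carrying EncryptionInfo/EncryptedPackage streams; ZIP entries set
bit 0 of the general-purpose flag when they are password-protected.
"""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary header
ZIP_LOCAL_HEADER = b"PK\x03\x04"
# Stream names in an OLE directory are stored as UTF-16LE.
OLE_ENCRYPTION_STREAMS = ("EncryptionInfo".encode("utf-16-le"),
                          "EncryptedPackage".encode("utf-16-le"))


def is_encrypted_office_doc(data: bytes) -> bool:
    """True when the blob looks like a password-protected Office file or ZIP."""
    if data.startswith(OLE_MAGIC):
        # Password-protected OOXML wraps the real document in an OLE file
        # with these two streams; a plain legacy .doc has neither.
        return any(name in data for name in OLE_ENCRYPTION_STREAMS)
    if data.startswith(ZIP_LOCAL_HEADER):
        # Walk every local file header; offset 6 holds the 16-bit flags word.
        pos = 0
        while True:
            pos = data.find(ZIP_LOCAL_HEADER, pos)
            if pos < 0 or pos + 30 > len(data):
                return False
            if struct.unpack_from("<H", data, pos + 6)[0] & 0x0001:
                return True  # ZIP-encrypted entry
            pos += 4
    return False


def _zip_entry(name: bytes, flags: int) -> bytes:
    """Constructed minimal ZIP local file header (empty stored entry)."""
    return struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                       0, 0, 0, len(name), 0) + name


# Constructed sample attachments, not real files.
SAMPLES = {
    "invoice.docx (encrypted)": OLE_MAGIC + b"\0" * 500
        + OLE_ENCRYPTION_STREAMS[0] + b"\0" * 40 + OLE_ENCRYPTION_STREAMS[1],
    "report.doc (plain OLE)": OLE_MAGIC + b"\0" * 500
        + "WordDocument".encode("utf-16-le"),
    "archive.zip (password)": _zip_entry(b"payload.bin", 0x0001),
    "notes.docx (plain zip)": _zip_entry(b"[Content_Types].xml", 0),
}


def triage(attachments: dict) -> dict:
    """Map attachment name -> 'review' (hold for analyst) or 'scan'."""
    return {n: ("review" if is_encrypted_office_doc(b) else "scan")
            for n, b in attachments.items()}
```

Running `triage(SAMPLES)` marks the encrypted document and the password-protected ZIP as `review` and the two plain files as `scan`.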