We are currently observing a significant increase in phishing attacks among our customers. These attacks use fake emails to trick users into disclosing sensitive information or opening malicious links. We therefore ask you to be more vigilant when dealing with incoming emails, and we provide below the most important measures you can take to protect yourself and your company.
A recently reported incident at one of our customers shows how sophisticated current phishing attacks are. The attacker used the email address of a compromised partner company to send a seemingly legitimate message containing a malicious link. The email carried the subject “Offer 17.09.2024” and appeared trustworthy. Clicking on the malicious link redirected the user to a harmless video, most likely as a distraction from further malicious activity; that activity was contained in time thanks to the immediate action taken.
Technical details of the incident
- IP addresses and domains: Communication from devices to suspicious URLs was detected. These were hosted by a Russian provider, and blocking these addresses in the customer's networks was recommended.
- Access to malicious domains: Connections from an internal IP address of the customer to the domains were registered. To prevent further compromise, the affected systems were immediately isolated and the passwords of the affected users were changed. The attacker’s IP address 40.107.21.99, which was listed as the sender in the mail server, was blocked to prevent further phishing attempts. Analysis of the malicious domain showed that it had only been registered that same day. Opening the link in a sandbox environment led to a redirect to a rickroll video. A redirect of this kind can indicate that the attacker is trying to divert attention from malicious activity, or to confuse users by sending them to a harmless but unexpected destination.
Immediate measures for all users
To reduce the risk of phishing, we ask you to observe the following immediate protective measures:
- Be especially vigilant for unexpected emails: do not open emails or attachments that you were not expecting, even if they are from seemingly familiar senders. Check the sender and the content of the message carefully.
- Verify links before clicking on them: Hover over links to see the actual URL before clicking. Pay attention to whether the address looks suspicious or unfamiliar (e.g. unusual domain endings or typos).
- Report suspicious emails immediately: Forward suspicious emails directly to your IT department without opening attachments or clicking on links. Your IT security officers can safely check the email and take the necessary steps.
- Ensure that your systems are up to date: Always keep your operating systems, browsers and security software up to date to protect against known vulnerabilities.
- Activate two-factor authentication (2FA): Activate 2FA for all important accounts, if you have not already done so, to provide additional security for your access data.
- Change passwords regularly: Use strong, unique passwords for all accounts and change them regularly. Do not use simple or reused passwords.
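The “verify links before clicking” advice can also be applied automatically to an email body, for example in a mail gateway or a reporting tool. The following is an added example and not code from this advisory: it extracts the links from a constructed HTML email, compares the visible link text with the real destination, and flags bare IP addresses, unusual top-level domains and look-alike domains. The suspicious-TLD list and the brand domain `example-bank.com` are assumptions for the demonstration; replace them with your own policy.

```python
# Added example (not part of the original advisory): inspect links in an
# HTML email body the way a user is asked to do by hovering over them.
# All inputs below are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Assumed policy values for the demo; adjust to your environment.
SUSPICIOUS_TLDS = {"top", "xyz", "zip", "ru"}
KNOWN_BRANDS = {"example-bank.com": "example-bank"}  # legitimate domain -> brand word


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-case hostname of a URL (scheme optional), or None if there is none."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower() or None


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_links(html_body):
    """Return [(href, [reasons])] for every link that deserves a second look."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = _host(href)
        if host is None:
            continue
        reasons = []
        if _is_ip(host):
            reasons.append("link points at a bare IP address")
        elif host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
            reasons.append(f"unusual top-level domain .{host.rsplit('.', 1)[-1]}")
        # Visible text that looks like a hostname but differs from the real target.
        looks_like_host = "." in text and " " not in text and any(c.isalpha() for c in text)
        text_host = _host(text) if looks_like_host else None
        if text_host and text_host != host:
            reasons.append(f"visible text says {text_host} but link goes to {host}")
        # Brand word inside a host that is not the brand's real domain (look-alike).
        for brand_domain, brand in KNOWN_BRANDS.items():
            legitimate = host == brand_domain or host.endswith("." + brand_domain)
            if brand in host and not legitimate:
                reasons.append(f"look-alike of {brand_domain}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample email body for the demonstration.
SAMPLE_BODY = (
    '<p>Please see <a href="http://example-bank.com.login-check.top/offer">'
    "www.example-bank.com</a>, "
    '<a href="https://example-bank.com/help">help</a> and '
    '<a href="http://203.0.113.5/x">here</a></p>'
)

if __name__ == "__main__":
    for href, reasons in inspect_links(SAMPLE_BODY):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The helper deliberately reports reasons rather than a verdict: a bare IP or a mismatched visible URL is not proof of phishing, but it is exactly the detail a user or an IT security officer should see before deciding whether to open the link.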
What to do if suspicious activity is detected
If you suspect that you have fallen for a phishing email or notice unusual activity:
- Disconnect the affected device from the network immediately.
- Inform your IT department or IT security team immediately.
- Change all relevant passwords.
- Look out for signs of data loss or compromised systems and have them checked thoroughly.
Recommended actions for companies in the event of an incident:
- Block the malicious domains and IP addresses: Immediately block all known phishing domains and IPs to prevent further infections.
- Network segregation of affected systems: All potentially compromised systems should be isolated and thoroughly scanned for malware.
- Password change: Affected users must change their passwords, and we strongly recommend enabling two-factor authentication (2FA) to make future account takeovers more difficult.
- Abuse report: Report the abuse of the domain “anonymous.top” to the relevant registrar to support the removal of this phishing domain.
- Raise employee awareness: Train your employees regularly to recognize phishing emails. Watch out for suspicious senders, unusual domains and unsolicited file attachments.
- Email security systems: Utilize advanced spam filters and email gateways that block malicious attachments and links. Verify emails that originate from external sources before they are forwarded to internal users.
- Two-factor authentication (2FA): Enable 2FA for all important accounts and systems, especially email services, to provide an extra layer of security.
- Regular software updates: Ensure that all systems and software applications are regularly updated to close security gaps.
- Monitoring and logging: Implement continuous monitoring of your IT systems and carry out regular security checks. Use intrusion detection systems (IDS) and security information and event management systems (SIEM) to detect suspicious activities at an early stage.
- Implement DMARC, SPF and DKIM: These email authentication protocols protect against email spoofing and prevent spoofed emails from reaching your employees. Note that they verify that a message really came from the domain it claims; a message sent from a genuinely compromised partner account, as in the incident above, passes these checks, so they complement rather than replace the other measures.
- Employee testing and phishing simulations: Run regular phishing simulations to test your employees’ behavior in real threat scenarios and create security awareness.
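The blocking and monitoring measures above can be turned into a simple detection rule: watch outbound web traffic for contacts to blocklisted addresses and to domains registered only days ago, since the domain in the incident had been registered the same day. The following is an added example and not code from this advisory: it runs that rule over constructed proxy log lines. The log format, the blocklist entries, the `.example` domains and the registration-date table (which stands in for a WHOIS/RDAP lookup or a threat-intelligence feed) are all constructed for the demonstration.

```python
# Added example (not part of the original advisory): a minimal SIEM-style
# detection for the advisory's blocking and monitoring advice.
# Log lines, blocklist and registration dates are constructed for illustration.
from datetime import datetime, timedelta
from urllib.parse import urlparse
import ipaddress
import re

# Constructed threat list; in practice fed from your incident and TI process.
BLOCKED_DOMAINS = {"phish-domain.example"}
BLOCKED_IPS = {"198.51.100.23"}
# Constructed registration dates standing in for a WHOIS/RDAP query.
REGISTRATION_DATES = {
    "fresh-domain.example": datetime(2024, 9, 17),
    "phish-domain.example": datetime(2024, 9, 17),
    "vendor-portal.example": datetime(2015, 3, 2),
}
NEW_DOMAIN_MAX_AGE = timedelta(days=30)

# Constructed proxy log format: "<date> <time> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")

SAMPLE_LOG = """\
2024-09-17 10:02:11 10.0.5.42 GET http://vendor-portal.example/invoices 200
2024-09-17 10:04:03 10.0.5.42 GET http://fresh-domain.example/offer 302
2024-09-17 10:04:04 10.0.5.42 GET http://198.51.100.23/track.gif 200
2024-09-17 10:07:30 10.0.5.17 GET http://phish-domain.example/login 200
2024-09-17 10:08:00 10.0.5.17 GET https://vendor-portal.example/ 200
"""


def parse_line(line):
    """Parse one constructed proxy log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "src": src,
        "method": method,
        "host": (urlparse(url).hostname or "").lower(),
        "status": int(status),
    }


def registrable_domain(host):
    """Naive registrable-domain guess (last two labels); use a public-suffix list in production."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def reasons_for(entry, now):
    """Return the list of reasons this log entry should raise an alert."""
    reasons = []
    host = entry["host"]
    if is_ip(host):
        if host in BLOCKED_IPS:
            reasons.append("destination IP is on the blocklist")
        return reasons
    domain = registrable_domain(host)
    if domain in BLOCKED_DOMAINS:
        reasons.append("destination domain is on the blocklist")
    registered = REGISTRATION_DATES.get(domain)
    if registered is not None and now - registered <= NEW_DOMAIN_MAX_AGE:
        reasons.append(f"domain registered {(now - registered).days} day(s) ago")
    return reasons


def scan(log_text, now):
    """Run the rule over a log text and return the entries that fired, with reasons."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = reasons_for(entry, now)
        if reasons:
            alerts.append({**entry, "reasons": reasons})
    return alerts


def hosts_to_isolate(alerts):
    """Internal source addresses that contacted a flagged destination (network segregation)."""
    return {a["src"] for a in alerts}


def blocklist_additions(alerts):
    """Newly seen malicious domains that are not yet on the blocklist."""
    return {a["host"] for a in alerts if not is_ip(a["host"]) and a["host"] not in BLOCKED_DOMAINS}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG, datetime(2024, 9, 17, 12, 0))
    for a in found:
        print(a["ts"], a["src"], "->", a["host"], "|", "; ".join(a["reasons"]))
    print("isolate:", sorted(hosts_to_isolate(found)))
    print("add to blocklist:", sorted(blocklist_additions(found)))
```

The domain-age rule is what would have caught the incident's same-day domain before it appeared on any blocklist; the two result helpers map directly onto the advisory's recommended actions (isolate affected systems, extend the block list).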
Conclusion
Phishing attacks continue to increase and are becoming ever more sophisticated. We therefore ask you to exercise increased caution and implement these preventive measures. Together, we can help reduce the attack surface for cybercriminals and ensure the security of your data. If you have any further questions or concerns, please do not hesitate to contact our team.