The phishing attack is heavily targeting organizations' financial departments, tricking victims into downloading trojans and malicious code meant for stealing credentials and causing other serious network threats.
According to the researchers at Barracuda Networks, the attacker focuses on tricking the victim into believing that the message is from someone they trust, or on an idea that might send them into panic mode, causing them to click on a malicious link that downloads different malware onto the system, which may lead users to lose money and data.
The phishing attack, which has caused havoc among millions, involves the attacker sending legitimate-looking invoices that may appear crucial, authentic and threatening to the reviewer, and that seem to come from someone they might trust, thus making them vulnerable enough to click on the malicious link provided in the email or text messages.
In one example of this attack, the attacker sends an email to the target asking about the payment status of an invoice. A legitimate-looking invoice number is written in the email, and the sender name is chosen so that the receiver trusts the source. Information about the receiver's close connections can be gathered very easily from public profiles such as LinkedIn or Facebook.
The message may look authentic at first glance, but an invitation to click on the link should be treated with suspicion. Once the recipient clicks on the link, it supposedly downloads the Word document containing the invoice, but it goes further by downloading trojans and other malicious code meant to steal data from the system.
The attackers are using different templates to lure potential victims. The second type of template tries to convince the recipient to check the address change of someone they trust through the malicious link.
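The two templates share three traits a mail filter can check: a trusted display name on an unfamiliar address, an invoice or address-change theme, and a link. The following is an added example, not code from the article or from Barracuda Networks; the contact directory, names, addresses and sample messages are constructed, and it handles single-part plain-text messages only.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of trusted contacts: display name -> real address.
KNOWN_CONTACTS = {"dana reyes": "dana.reyes@example.com"}

# Lure themes taken from the two templates described in the article.
LURES = {
    "invoice_payment_status": re.compile(
        r"(?=.*\binvoice\b)(?=.*\b(?:payment|status)\b)", re.I | re.S),
    "address_change": re.compile(
        r"\b(?:address change|change of address|new address)\b", re.I),
}
LINK_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def check_message(raw, contacts=KNOWN_CONTACTS):
    """Return the list of phishing indicators found in one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    findings = []
    # A known display name sent from an address that is not the contact's own.
    expected = contacts.get(name.strip().lower())
    if expected and addr.lower() != expected.lower():
        findings.append("display_name_impersonation")
    findings += [f"lure:{k}" for k, rx in LURES.items() if rx.search(text)]
    if LINK_RE.search(text):
        findings.append("contains_link")
    return findings

def is_suspicious(raw, contacts=KNOWN_CONTACTS):
    """Flag only when impersonation, a lure theme and a link all coincide."""
    f = check_message(raw, contacts)
    return ("display_name_impersonation" in f and "contains_link" in f
            and any(x.startswith("lure:") for x in f))

# Constructed sample messages (not real traffic).
SAMPLE_INVOICE = ("From: Dana Reyes <dana.reyes@example.net>\n"
    "Subject: Invoice INV-00000 payment status\n\n"
    "Can you confirm the payment status?\nhttp://files.example.net/INV-00000.doc\n")
SAMPLE_ADDRESS = ("From: Dana Reyes <d.reyes@example.org>\n"
    "Subject: We have moved\n\n"
    "Please review our address change: https://docs.example.org/update\n")
SAMPLE_LEGIT = ("From: Dana Reyes <dana.reyes@example.com>\n"
    "Subject: Invoice INV-00000 payment status\n\nPayment status is pending.\n")
```

Display names are not unique, so a match should route the message for review or add a warning banner rather than drop it outright.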
"Impersonation is a proven tactic that criminals are regularly using to attract victims into believing that they are acting on an important message when that couldn't be further from the truth," said Lior Gavish, VP at Barracuda Networks.
To protect against this kind of phishing attack, employee training can be very helpful.