A new spear phishing technique, being used in a hacking campaign called FreeMilk, takes advantage of a Microsoft Office vulnerability in order to hijack existing email conversations to spread malware to high-profile targets. This new phishing technique is particularly bothersome because it hits people where they least expect it. Imagine you’ve been having a conversation with a coworker about posting pictures from last week’s company outing. However, when you receive the email from your coworker that should include the link to the Dropbox account containing the images, you instead receive a link to a malware downloader. This new technique and exploit are being used in a wide-scope attack, targeting high-profile targets all over the world.
How It Works
The hacker is spear phishing a high-value target and has decided a direct attack is not the desired course of action. This is likely because the high-value target is well protected. Instead, the attacker uses a credential theft technique to steal the email account of a regular email contact, who may not be as well protected.
Once the hacker compromises an email conversation on a participant’s account, the hacker can pose as the original sender undetected. Next, the hacker will continue existing conversations with the intended target and embed links or attach files to trick the target into downloading malware. The hacker can also use the compromised account to target other individuals in the same business network with the goal of spreading malware.
Why It Works and Who Should Be Concerned
The strategy works on the premise that the high-value target would not expect a phishing scam to come through a conversation with a trusted colleague. Because of the sophistication and high level of customization necessary to pull off the proxy-attack technique, high-profile targets like C-level executives and government employees are the ones who need to be worried about these attacks, as opposed to the general public.
What It Means
The bad news is that compromised account spear phishing attacks mean that phishing scams don’t just come through unrecognized accounts or new conversations with hackers posing as legitimate interests, but from existing conversations with trusted individuals as well. The FreeMilk campaign showcases the need for software-based phishing interception; since IT security is a shared responsibility, the anti-malware, antivirus, browser, ISP, email client, and other involved programs need to be on the lookout for bad links. Additionally, people will need to examine URLs for legitimacy in all conversations.
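One way to automate the URL check described above, as an added example that is not part of the original article: it parses a message, treats replies in an existing thread like any other mail, and reports links whose visible text names one domain while the target is another, or whose host is not on a trusted list. The `TRUSTED` set, the function and class names, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"dropbox.com"}  # assumption: sharing domains this team really uses
# Constructed sample: a reply inside an existing thread, as in the scenario above.
SAMPLE = """\
Subject: Re: Outing photos
In-Reply-To: <constructed-1@example.com>
Content-Type: text/html; charset="utf-8"

<p>Pictures: <a href="http://files.example.net/a">https://www.dropbox.com/sh/a</a>,
the <a href="https://www.dropbox.com/sh/real">team folder</a>, <a href="http://example.org/notes">my notes</a>.</p>
"""

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "a" and href.lower().startswith(("http://", "https://")):
            self._href, self._text = href, []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def review_links(raw, trusted=TRUSTED):
    """Return (href, reason) for every link that deserves a second look."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    where = "thread reply" if msg["In-Reply-To"] or msg["References"] else "new message"
    findings = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        named = re.search(r"(?:www\.)?((?:[a-z0-9-]+\.)+[a-z]{2,})", text.lower())
        # "." + host ends with "." + domain only for the domain and its subdomains
        if named and not ("." + host).endswith("." + named[1]):
            findings.append((href, f"{where}: text shows {named[1]}, link goes to {host}"))
        elif not any(("." + host).endswith("." + d) for d in trusted):
            findings.append((href, f"{where}: {host} is not a trusted domain"))
    return findings
```

Calling `review_links(SAMPLE)` reports the disguised link and the unlisted host, and leaves the genuine Dropbox link alone.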
The attacks also reinforce the notion that software updates are essential. The specific exploit, which takes advantage of a Microsoft Office vulnerability, was patched back in April of 2017. This is another example of how hackers were able to take advantage of a closed security hole that was identified months ago, just because users put off updating. However, even with the patch, the indirect spear phishing technique can be used through other security holes.
The experts at MPA Networks are ready to help your San Francisco Bay Area business implement the email tools that will best help protect your business from email intrusions and keep your computers safe through implementing software updates as they come out. Contact us today.