HP Warns of Cat-phishing by Threat Actors Through Deceiving Links

Highlights:

• The report’s main finding was that attackers employed open redirection to trick people into clicking on malicious links.
• A different campaign that exploited Windows Background Intelligence Transfer Service and is referred to by HP as “Living-off-the-BITS” is also covered in the report.

In the recently released report, HP warns of cat-phishing by threat actors. They use this technique to mislead and trap victims by redirecting them to malicious pages and websites through links that appear convincingly genuine.

Based on the quarterly HP Wolf Security Threat Insights Report, it was discovered that attackers are using living-off-the-land tactics, late invoice lures, and open redirects as covert ways to get past defenses. The research delves further into elucidating the cybersecurity landscape, drawing on studies of actual hacks to enable firms to stay abreast of emerging threats.

The report’s main finding was that attackers employed open redirection to trick people into clicking on malicious links. Through open redirect vulnerabilities and other flaws in reputable websites, attackers can modify URLs and commit cat phishing. Users may be tricked into clicking on a link that seems to take them to a reliable website but, unbeknownst to them, will instead take them to a malicious website using the supposedly legitimate URL.

A different campaign that exploited Windows Background Intelligence Transfer Service and is referred to by HP as “Living-off-the-BITS” is also covered in the report. Programs and system administrators can download or upload files to online services and share data using the valid BITS method. The LotL approach uses BITS to download malicious files, which helps attackers stay undetected.

Another problem is fake invoices that encourage HTML smuggling attacks. HP’s researchers discovered threat actors concealing malware within HTML files that purported to be delivery invoices. Once the compromised invoices are seen in a web browser, they can be used to launch AsyncRAT, an open-source malware, and other hacking techniques.

Principal threat researcher at HP Wolf Security, Patrick Schläpfer, said, “Targeting companies with invoice lures is one of the oldest tricks in the book, but it can still be very effective and hence lucrative. Employees working in the finance departments are used to receiving invoices via email, so they are more likely to open them. If successful, attackers can quickly monetize their access by selling it to cybercriminal brokers or by deploying ransomware.”

According to additional report results, a minimum of 12% of email threats detected by HP Sure Click Enterprise were found to have circumvented one or more email gateway scanners. Email attachments ranked highest among threat vectors in the first quarter, with 53% of the total. Browser downloads came in second at 25%, and other infection vectors, including USB thumb drives and file shares, came in second at 22%.