The U.S. Supreme Court may be the highest authority in the United States, but it has now become the latest victim of brand impersonation. This time cyber criminals have taken the law by the horns and spoofed the U.S. Supreme Court.
The latest phishing attack pretends to deliver a summons, but actually ends up collecting the victims’ Microsoft Office 365 credentials. The highly sophisticated attack managed to bypass Microsoft Office 365 security controls and targeted several C-level executives.
The cyber criminals used fear as a tactic to lure targets into clicking the embedded link. The email informs the victim of a Supreme Court order to appear in court; to view the summons, the victim has to click the link. Armorblox exclusively shared with Threatpost, “Unlike spray-and-pray email fraud attempts, this email was expressly created and sent to trigger the required response.” According to Chetan Anand, Co-founder and architect with Armorblox, “From a social-engineering lens, the email was crafted to trigger urgency and fear.” Busy employees would therefore not take the time to scrutinise the email and would react immediately.
Armorblox researchers have given several reasons why this attack was successful enough to reach users’ inboxes:
- Only a few people received it, so it did not look like a bulk campaign
- It used CAPTCHA technology to appear authentic and to shield the phishing page from automated scanners
- The cyber criminals created a lookalike website to spoof the Microsoft 365 login page
- They impersonated the Supreme Court, which would catch anyone’s eye during a busy morning
Although this was a highly sophisticated attack, several red flags gave it away. For instance, the CAPTCHA page was served from domains that did not look legitimate, and it contained a grammatical error: “Kindly verify you human.”
As the number of attacks increases, the only way to stay safe is to join a security awareness training program. Security awareness training has long-term benefits, such as giving users regular updates on the latest scams and attacks.
About Siccura Cybershield
Siccura Cybershield is the most interactive cyber security awareness training program. With a philosophy as simple as Test. Aware. Engage, we’ll help you:
- Test your employees and IT defences by playing the role of an attacker.
- Make your employees aware of the types of attacks, such as phishing, vishing, ransomware and more.
- Engage your employees by sharpening their knowledge and teaching them how to combat threats.
Through the training program, we’ll help you turn your employees into a Human Cybershield ready to defend your business.