Reputation Jacking: A New Hacker Trick
Cyber criminals have yet another trick. Besides using phishing emails to steal money and data from businesses, hackers now employ a technique known as reputation-jacking: they use popular, legitimate cloud storage services, or get into trusted sites, to deploy malware. Phishing impersonates a trusted brand, while reputation jacking uses the actual trusted brand or site, which unknowingly hosts the malware and helps the attackers avoid detection. Threat actors place malicious content on reputable sites in order to gain access to users’ devices. Instead of attacking from outside, they wait for the victim to download software from a trusted source. And as quickly as these sites can neutralize uploaded malware, more arrives.
Threat actors routinely use Remote Access Trojans (RATs) in these attacks. RATs allow control of an infected machine; they are versatile and particularly dangerous. Through this backdoor, an attacker gains total access to the infected machine and connected systems. Beyond monitoring activities, attackers can change settings, copy files, and use the connection for even more criminal activity, among a host of other unfortunate scenarios.
Security researchers at Menlo Labs uncovered a scam that shows why this technique is gaining popularity among hackers. In this scam, cyber criminals sent customized phishing emails to employees at banks and financial services. The emails used a convincing pretence to get employees to download malicious files from the Google Cloud storage service.
Because the files were stored on Google Cloud, the employees likely had a false sense of security that files on a popular, legitimate cloud service were safe. Storing the files on Google Cloud also allowed the hackers to circumvent possible security measures at the companies. Had the hackers attached the malicious files to the emails, the files probably would have been caught by email security software, as they were Visual Basic Script (VBS) and Java Archive (JAR) files.
Downloading and opening malicious VBS and JAR files initiated a process designed to infect the employees’ computers with remote access trojans. Cyber criminals use these trojans to gain control of compromised machines so they can remotely run commands that will let them scout out companies’ networks. Hackers then use what they learn to determine the best tools and techniques to deploy and accomplish their goal of stealing money or data.
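The delivery described above moves the VBS or JAR file out of the attachment, where email security software would inspect it, and into a link. As an added example (not from the original article or from Menlo Labs), this Python mail-gateway check flags links that fetch those file types from cloud storage hosts; the host list, the function name and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import unquote, urlsplit

# Assumption: hosts treated as cloud file storage; extend for your environment.
CLOUD_STORAGE_HOSTS = {"storage.googleapis.com", "storage.cloud.google.com"}
# File types the article names as the payloads.
RISKY_EXTENSIONS = (".vbs", ".jar")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample message (not a real email).
SAMPLE = """\
From: billing@example.com
To: employee@example.org
Subject: Outstanding remittance
Content-Type: text/plain; charset="utf-8"

Please review the remittance advice:
https://storage.googleapis.com/example-bucket/remittance%2Evbs?download=1
Our terms are at https://www.example.com/terms.pdf.
A shared report: https://storage.googleapis.com/example-bucket/report.pdf
"""


def risky_cloud_links(raw_message: str) -> list[str]:
    """Return links that fetch a risky file type from a cloud storage host."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and binary attachments
        for match in URL_RE.findall(part.get_content()):
            url = match.rstrip(".,)")  # drop sentence punctuation
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            # Decode %-escapes so "%2Evbs" cannot hide the extension;
            # urlsplit already keeps the query string out of the path.
            path = unquote(parts.path).lower()
            on_storage = (host in CLOUD_STORAGE_HOSTS
                          or host.endswith(".storage.googleapis.com"))
            if on_storage and path.endswith(RISKY_EXTENSIONS) and url not in hits:
                hits.append(url)
    return hits


if __name__ == "__main__":
    for link in risky_cloud_links(SAMPLE):
        print("quarantine for review:", link)
```

A match is a reason to hold the message for review, not proof of malware; the storage host itself is legitimate, which is why the check keys on the file type behind the link.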
With reputation-jacking on the rise, it is important to discuss this when you are educating employees about phishing and business email compromise (BEC) scams. Be sure to stress that any time an email urges them to access a file, they should think twice about doing so. Refer to the old saying “When in doubt – don’t!” It is not worth the risk as the file may be malicious, even though it is located on a legitimate cloud storage service or reputable site.