Worm Phishing Campaign Success On The Rise

The majority of us have been through phishing training for our jobs, where the simplified best practices for all employees are laid out. These usually include reporting to IT when you receive email from a suspicious account, a message that contains a link with no explanation or a subject line that doesn’t make sense, or a request for content you’re not familiar with or aren’t normally asked for, among other questionable communication.

So what happens when a dangerous phishing email doesn’t include any of the characteristics you’re told to look out for? A recent phishing attack revealed just how sneaky and devastating an email attack can be when attackers use a new “worm” technique.

Living in plain sight

During a recent worm phishing attempt reported at an organization that remains anonymous, recipients opened the scam emails without hesitation because the sender addresses belonged to real employee accounts that had been compromised. The emails were sent as replies to email chains the malicious actors identified as recent, ones in which the recipients would be expecting a link in response. The emails from the compromised accounts weren’t out of context, didn’t ask for anything out of the ordinary, and were part of an existing conversation.

While attacks like this aren’t yet prevalent, because they require more effort on the part of the bad actor to gain access to someone’s account and read through their recent email conversations manually, emails that make sense in context to the receiver are far more effective than the usual phishing attempt. Infiltrating just one organization with worm emails gives malicious actors a path to the vendors and outside organizations in its network, so it’s hard to tell where the damage from any one email ends.

The wildfire spread

Because the emails were so believable, the share of recipients who clicked the malicious link was higher than in a normal phishing attack, and the number of compromised accounts grew exponentially almost immediately. As more employees fell for the scam, more accounts were accessed; in turn, more phishing emails were sent across the company and more personal passwords and protected information were compromised.

The malicious actors of course didn’t limit their targets to internal company communication; they sent the worm emails to chains that included business partners, third-party vendors, and other external contacts. That is how the company believes the first internal account was compromised: the first employee clicked the bad link when an outside vendor sent it to them.

Despite the initial panic at the volume of compromised accounts, the IT department was able to identify the URL pattern shared by all of the phishing links being sent, and succeeded in blocking further scam emails from entering their systems. If the malicious actors had spaced out their attacks rather than moving so eagerly, the damage to the organization could have been worse.
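The detection the IT department relied on, a burst of thread replies from many distinct internal accounts that all carry the same link pattern, can be automated over outbound mail metadata. The following is an added example written for this article, not code from the organization or from Bitsight; the mail records, domains and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample of outbound mail metadata (not real data): sender, timestamp,
# whether the message was a reply to an existing thread, and the first URL in the body.
SAMPLE_MAIL = [
    ("alice@example.test", "2024-03-01T09:00:00", True,  "https://docs-share.example.invalid/view/a1b2"),
    ("bob@example.test",   "2024-03-01T09:04:00", True,  "https://docs-share.example.invalid/view/c3d4"),
    ("carol@example.test", "2024-03-01T09:07:00", True,  "https://docs-share.example.invalid/view/e5f6"),
    ("dave@example.test",  "2024-03-01T09:09:00", True,  "https://docs-share.example.invalid/view/0a1b"),
    ("erin@example.test",  "2024-03-01T11:30:00", False, "https://intranet.example.test/policy"),
    ("frank@example.test", "2024-03-01T14:00:00", True,  "https://intranet.example.test/policy"),
]

def url_pattern(url):
    """Normalise a link to host + path with the per-recipient token stripped,
    so links that differ only in their last path segment share one pattern."""
    p = urlparse(url)
    path = re.sub(r"/[^/]+$", "/*", p.path) if p.path.count("/") > 1 else p.path
    return f"{p.netloc}{path}"

def find_worm_patterns(mail, window=timedelta(minutes=30), min_senders=3):
    """Return URL patterns sent as thread replies by at least min_senders distinct
    internal accounts within `window`; that burst is the worm's signature."""
    by_pattern = defaultdict(list)
    for sender, ts, is_reply, url in mail:
        if is_reply:
            by_pattern[url_pattern(url)].append((datetime.fromisoformat(ts), sender))
    flagged = {}
    for pattern, events in by_pattern.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            senders = {s for t, s in events[i:] if t - start <= window}
            if len(senders) >= min_senders:
                flagged[pattern] = sorted(senders)
                break
    return flagged

def block_rules(flagged):
    """Turn each flagged pattern into a simple deny-rule string for the mail gateway."""
    return [f"deny url matching {p}" for p in flagged]

if __name__ == "__main__":
    hits = find_worm_patterns(SAMPLE_MAIL)
    for pattern, senders in hits.items():
        print(pattern, "sent by", ", ".join(senders))
    print("\n".join(block_rules(hits)))
```

The flagged sender list doubles as the list of accounts to reset and enrol in MFA, since each one sent the link from inside the organization.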

Multi-factor authentication - not just a suggestion but a must 

As the compromised organization admits, the best way to prevent these detrimental phishing attacks from infiltrating both your personal data and your company network is to require multi-factor authentication for every employee who has access to work email or company devices, or who might connect to the company network.

In today’s cybersecurity environment of increasingly sophisticated attacks, organizations must require multi-factor authentication even if they haven’t paid much attention to cybersecurity in the past or think it would be hard to implement in their systems. For smaller businesses that are growing their networks, implementing a protection like this is an easy way to avoid attacks that would cost both money and reputation down the road.

Other protective measures your organization can take

Of course, multi-factor authentication won’t protect you from every threat your systems are exposed to. By using data-driven technology solutions, security leaders can manage risk across their threat landscape efficiently and effectively and head off the onslaught of new tricks from attackers.

Arm yourself with the data to take proactive steps when threats occur. You can prevent damaging cyber attacks on your systems by preparing how to act when threats arise. As the new worm phishing attacks on organizations show, malicious actors are always finding new ways into your systems. While we might not know where the next threat will come from, we can use technology and data-driven solutions to get the most out of our security investments and plan for different threats. Set up task forces and remediation plans now, and take the time to learn what your cybersecurity system includes so you can act efficiently when threats arise on your network.

Make sure your third-party risk management (TPRM) program is running efficiently. One of the most common ways malicious actors access your systems is through a vulnerable third-party access point. Even if you have spent resources protecting your internal cybersecurity posture, you are still exposed through your vendors’ open ports and access points, where infiltration can occur. With Bitsight’s Third-Party Risk Management platform, your security team can efficiently mitigate risk absorbed from your vendors’ networks.

By implementing an efficient TPRM program, you can reduce risk in your third-party landscape and help locate the vulnerable points in your vendors’ networks. Including cybersecurity management requirements in your vendor contracts is also a good protective measure.

Continuously monitor your threat landscape. It’s not enough anymore to audit your vendors’ cybersecurity practices once a year. What happens when threats arise between audits? Are your vendors giving you a full view into their cybersecurity practices with their assessment responses?

A continuous monitoring strategy gives security teams a constant view into their threat landscape. With Bitsight for Third-Party Risk Management, users are alerted when threats pop up on their network and are directed to the compromised location. Continuous monitoring technology runs year-round to give a complete look into an organization’s threat landscape, not just a snapshot in time when assessments occur.

Protect your network today

Are you aware of the vulnerable points in your network? Gain insight into where malicious actors could expose your data with Bitsight’s Attack Surface Analytics.