{"id":931,"date":"2024-11-21T14:15:00","date_gmt":"2024-11-21T14:15:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=931"},"modified":"2024-11-21T14:15:00","modified_gmt":"2024-11-21T14:15:00","slug":"job-termination-scam-warns-staff-of-phony-employment-tribunal-decision","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=931","title":{"rendered":"Job termination scam warns staff of phony Employment Tribunal decision"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Creators of <a href=\"https:\/\/www.csoonline.com\/article\/514515\/what-is-phishing-examples-types-and-techniques.html\">phishing<\/a> messages usually want to create anxiety in their targets so they\u2019ll unwittingly download malware. And nothing gets stomachs churning more than the possibility of losing your job.<\/p>\n<p>One of the latest examples of this was detected by Cloudflare, which issued a report Thursday on a recent job termination phishing scam that included some novel techniques.<\/p>\n<p>The <a href=\"https:\/\/www.cloudflare.com\/es-la\/threat-intelligence\/research\/report\/sacked-or-hacked-unmasking-employment-termination-scams\/\">report<\/a> is a reminder to CISOs that all employees have to be regularly warned not to click on links or download documents in messages that spark an emotional response \u2014 and to carefully check the email header to verify the sender is legitimate.<\/p>\n<p>Defenders may also want to expand the number of brands and organizations their reputation detection software should cover.<\/p>\n<p>\u201cFear of losing your job is an incredible social engineering tactic,\u201d said David Shipley of Canadian-based security awareness provider Beauceron Security.<\/p>\n<p>It\u2019s tied in persuasiveness with phishing campaigns promising 
a document listing what your fellow employees are being paid, he added. \u201cThat one is dynamite,\u201d because staff have what he called \u201can insatiable curiosity about what their colleagues are making.\u201d<\/p>\n<p>This particular high-volume campaign was aimed at people in the United Kingdom who are subject to that country\u2019s Employment Tribunals Service, which hears employment-related complaints. That would be a huge chunk of the working population.<\/p>\n<p>Targets received an email, supposedly from the \u201cEmployment Court,\u201d that bore a copy of the Tribunal\u2019s logo. The subject line read: \u201cAction Required: Tribunal Proceedings Against You,\u201d and the message started with \u201cImmediate action required.\u201d It listed what looked like official case information, including an alleged case number, and the so-called case topic was \u201cTermination Notice.\u201d<\/p>\n<p>The message added that failure to comply with the instructions to download and reply to a document could result in \u201cserious legal consequences.\u201d<\/p>\n<p>If a user clicked on the included link, it didn\u2019t directly download malware. That might be detected by defenses. So instead the link went to a fraudulent website that impersonated a Microsoft service. It said the user couldn\u2019t access the document on their current device, a trick to get them to download the file.<\/p>\n<p>Actually, there was no document that the victim could read. The downloaded file was a .rar archive that contained a malicious Visual Basic script. That script contained command obfuscation, which Cloudflare noted made the malicious payload less likely to be flagged by traditional scanning techniques. 
It led to further system compromise.<\/p>\n<h2 class=\"wp-block-heading\">Signs this was a scam<\/h2>\n<p>There were signs within the email that savvy employees could have picked up on.<\/p>\n<p>While the message was supposedly from \u201cEmployment Court,\u201d the actual sender was \u201cpostmaster[at]agra.wog.gr.\u201d<\/p>\n<p>And while the supposed case number included a string of numbers, it ended with \u201c%number%.\u201d An unsuspecting employee might think the email system had scrambled something, but that should be a warning sign.<\/p>\n<p>Fortunately, according to Cloudflare, this campaign was high-volume enough that it was detected by a number of cybersecurity honeypots and triggered automatic reputation-based email and IP blocking from many sources.<\/p>\n<p>What are broadly called \u201ctermination scams,\u201d meant to trick recipients into downloading malware, aren\u2019t new, and have a variety of themes that don\u2019t necessarily deal with employment. For example, the message might say a person\u2019s email account is about to be terminated unless they fill in a form. The goal in this case is to get the user\u2019s login credentials. 
<a href=\"https:\/\/www.technology.pitt.edu\/content\/phishing-alert-fraudulent-office-365-email-termination-scam\">In January, the University of Pittsburgh sent out a warning of a phishing scam like this<\/a> aimed at its students.<\/p>\n<h2 class=\"wp-block-heading\">Education is important<\/h2>\n<p>Workplace-related phishes, particularly if they are sent in an environment of widespread industry economic layoffs or layoffs due to a medical emergency like COVID-19 or the flu, carry an air of legitimacy, Shipley pointed out.<\/p>\n<p>\u201cThat\u2019s why it\u2019s so important we continue to educate people about this, because email filters fail,\u201d he said.<\/p>\n<p>With phishes often trying to prompt a \u201csense of dread\u201d and the feeling \u201cOh my goodness, I\u2019ve got to do something,\u201d awareness training should teach employees to recognize those emotions, Shipley said. That\u2019s the moment they should be taught to slow down, step away from their computer, and think before clicking.<\/p>\n<p>\u201cTeaching people emotional intelligence and mindfulness can reduce susceptibility by as much as 50%,\u201d Shipley said.<\/p>\n<p>It\u2019s also important that organizations encourage staff to report a suspicious\/unusual email to a superior, to IT, or through an internal warning mechanism, Shipley said, and to give a pat on the back, or more, to those who do. That shows other employees that reporting will be rewarded.<\/p>\n<p>This Employment Tribunal scam is an example of how threat actors take advantage of economic trends or the time of year, noted Blake Darch\u00e9, head of Cloudflare\u2019s Cloudforce One threat intelligence service. CISOs should now be on the alert for Black Friday\/Cyber Monday and Christmas phishing lures, he said.<\/p>\n<p>The lesson for CISOs from this report, he said, is the need to have multiple layers of defense on their infrastructure. 
\u201cYou need multiple layers of email security solutions, you should look at zero-trust types of architectures, so if a user\u2019s device is compromised, it won\u2019t take over your whole network. Take a look at remote browser isolation. Threat actors will continue to innovate to accomplish their mission.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Creators of phishing messages usually want to create anxiety in their targets so they\u2019ll unwittingly download malware. And nothing gets stomachs churning more than the possibility of losing your job. One of the latest examples of this was detected by Cloudflare, which issued a report Thursday on a recent job termination phishing scam that included [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":927,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-931","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/931"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=931"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/931\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/927"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=931"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityin
focus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=931"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=931"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}