Phishing scammers in the Middle East are getting sophisticated. Is anyone safe?
Threat actors are tricking victims into clicking on phishing bait to steal account and cloud app credentials, and with increasing success
We are just over a month into 2024, and phishing attacks in the Middle East continue to surge, causing serious concerns for anyone who uses email, text messaging, and other forms of communication.
Designed to fool a user into providing sensitive information, the goals of phishing attacks include financial fraud, credential harvesting, data exfiltration, surveillance, and damage to an organization’s reputation.
Over the past few years, these types of attacks have become increasingly sophisticated. They are harder to spot, even for the well-trained eye.
“The big shift in phishing is away from the ‘spray and pray’ approach to far more targeted and convincing attacks, often using AI tools to enhance believability, scale, and effectiveness,” says David Boast, General Manager – MENA, Endava. “An entire ecosystem has formed around this threat vector.”
“Poor grammar has been replaced by well-formed and targeted communications. Attacks are now being triangulated through multiple means to bring perceived validity to the attacks through multiple channels,” adds Boast.
In the lead-up to the World Cup in Qatar in 2022, many emails purported to come from the FIFA help desk or ticketing office, while some impersonated specific team managers and departments. Others claimed to be notifications about bans implemented by FIFA, or spoofed Snoonu, the official food delivery partner of the World Cup.
The UAE recorded a steep increase in the number of emails that contain phishing threats in the second quarter of 2023, according to Kaspersky, with the volume of such emails increasing by 77% quarter over quarter.
Last year, the Telecommunications and Digital Government Regulatory Authority warned consumers to be alert for unexpected text messages that appear to be from well-known courier companies, including Emirates Post, Aramex, and DHL Express, as they could be phishing scams.
Etisalat by e&, the UAE’s biggest telecoms operator, and Dubai Police issued similar warnings over fake rewards and bogus fine payments.
RISE IN PHISHING ATTACHMENTS
Netskope’s recent Cloud & Threat Report demonstrates that the rising prevalence of cloud application use in the workplace – up 35% yearly – has not gone unnoticed by attackers.
In fact, threat actors are tricking victims into clicking on phishing bait explicitly designed to steal software and cloud app credentials, and with increasing success.
“In 2023, organizations with 10,000 employees would have seen 348 of their employees click on a phishing link, on average. What’s more, there is a rise in the use of phishing attachments,” says Steve Foster, Head of Solutions Engineering, MEA at Netskope. “This is a particular worry for security teams because attachments are less likely to be detected and blocked by anti-phishing enterprise security barriers.”
In the first ten months of 2023, Kaspersky identified 30,803,840 phishing attacks targeting online shopping, payment systems, and banking institutions, with e-commerce platforms used as a lure in 43.5% of the attacks.
“Moreover, we have observed several trends where criminals exploit social engineering techniques, such as impersonating HR recruiters or delivery services to deceive individuals,” says Maher Yamout, Lead Security Researcher at Kaspersky.
There have also been instances of criminals adopting the identity of police officers, instilling fear in people to coerce them into revealing sensitive information.
“Another concerning trend involves criminals using AI and leveraging it for phishing attacks. This includes perfecting email drafts and creating hyper-realistic images or videos, like those seen in donation scams,” adds Yamout.
One of the iterations of phishing that people need to be aware of is spearphishing, a more targeted form of phishing that often uses topical lures.
Now, there are reports of burgeoning attacks taking advantage of the Israel-Gaza war. These emails, aimed at various industries and organizations, have links containing “Israel-Palestine,” along with an HTML attachment. The emails are disguised as a donation confirmation notice, either with or without an attachment.
Although the reasons for phishing attacks are speculative, localization of phishing attacks can be tied to geopolitical instability and the Israel-Gaza war, says Morey Haber, Chief Security Officer, BeyondTrust.
“Governments, financial systems, and news agencies can be undermined when critical services on the web are targeted. All residents in an affected region should be aware that military conflict in today’s modern world is more than just a ground war. Information services can be impacted in regional conflicts in a malicious hope that others can be drawn into a conflict.”
CAAS MARKETPLACE
Cybercriminals show little sign of slowing down, partly due to the rapidly growing Crimeware-as-a-Service (CaaS) market.
Rather than cyber criminals directly executing tasks, there is a rising reliance on outsourcing services from others. “This shift makes cybercrime more complex and challenging to combat. The increased knowledge-sharing among cybercriminals further complicates the landscape, fostering the development of more sophisticated and intricate attacks,” says Yamout.
For instance, cybercriminals can now buy phishing kits—which trick users into opening links or visiting harmful sites that then infect their computers—for as little as $40.
“Today, the payback from phishing is at an all-time high ($44.2 million in 2021 alone), and for those willing to take risks, the rewards can also be high,” says Boast. “AI, automation, and advanced hacking methods have made it possible to ‘productize’ the toolsets and capabilities needed for phishing, and consequently, these can now be bought as a service.”
ERODING TRUST
The impact of phishing in the Middle East is relatively straightforward, reflected in the constant warning texts and emails received from various entities such as banks, currency exchange companies, governmental authorities, and malls.
“Despite the continuous warnings, there is a noticeable demand for more specific and frequent alerts,” says Yamout.
Text phishing attacks from threat actors pretending to be large companies are rampant. Often, people are targeted under the guise of a reputable shipping company, stating that a shipment has been stopped due to an incorrect address or lack of appropriate KYC documentation.
“They urge people to click links to settle payments or update information, resulting in potentially large-scale financial loss and theft of sensitive information,” says Foster.
Phishing erodes trust in the marketplace when customers who have fallen victim to phishing scams often have no recourse from their banks or retailers. It creates a culture of inherent distrust and nervousness.
“This is a big concern, especially in the Middle East where transactions are often highly relationship-oriented,” says Boast. “Commerce needs to be built on a basis of trust and consumer protections. Otherwise, confidence wears thin, and business suffers as a consequence.”
CAN WE LIMIT THE DAMAGE?
Individuals can take steps to better defend themselves against phishing attacks. One must be vigilant when giving out personal information, whether to a person or on a website. If an email from a specific sender is unexpected, asks you to do something urgently, or asks for information or financial details not normally provided, take a step back and look closely at the sender.
While cashless transactions are becoming increasingly common, it’s prudent to be cautious. Fraudsters often use phone calls, SMS messages, or email to trick users into divulging their PINs or other personal information, which results in embezzlement of virtual money from the wallet.
“Do not conduct online payments unless you fully understand the source,” says Yamout. “Remember, criminals may urge you into what could be a potential criminal attack. When shopping online to avoid financial phishing, consider creating a card with a limited amount and use it exclusively for online payments.”
Users must thoroughly check website addresses when entering sensitive information, such as bank card details, and employ password managers to ensure unique, robust passwords for each account. Implementing two-factor authentication, preferably with hardware-based keys, adds an extra layer of protection.
It’s a good idea to stay up to date on the latest phishing techniques.
While threat actors have been using technological advancements, including AI, experts say businesses can use the same technology to fight these attacks.
For example, the latest deep-learning techniques can be harnessed to implicitly learn the patterns of phishing websites and then inform machine learning algorithms to detect and block those websites.
“We also strongly recommend looking for security solutions that offer multi-vector, cross-platform visibility, and controls to achieve the broadest coverage and increase the chances of catching and preventing data loss or remote access breaches,” says Foster.
Haber says three primary solutions can prevent, not just limit, the damage from phishing attacks.
Firstly, education and an understanding of how these attacks leverage our traits to be successful. Secondly, implementing a solution that checks the website before it is rendered to ensure it is legitimate and safe to use. “The good news is that most modern antivirus, EDR, and firewalls contain this functionality and just need to be turned on.”
Lastly, managing the privileges assigned to the end user using the concept of least privilege. “This minimizes the impact of malicious content that may be accidentally delivered to the end user.”
Another good practice is to use anti-phishing software and other cyber security tools to protect against potential attacks and keep personal and work data safe. This includes automated behavior analytics tools to detect and mitigate potential risk indicators.
“Luckily, when it comes to phishing, it’s not all bad news. We can all take steps to minimize the chance of falling victim. For businesses, ensure the right defenses are in place, they are multi-layered, and they provide effective prevention and detection capabilities so you can not only repel intruders but also detect them should they get in,” says Boast.