October 09, 2017
Phishing attacks just got worse. Hackers are now intercepting legitimate email conversations between individuals and hijacking them with highly customized phishing messages, designed to look as if the victim is still communicating with their original correspondent, in order to spread malware to corporate networks.
This method of phishing leads the target to believe that they are still in contact with the person they were originally messaging, while in reality they have fallen victim to a highly targeted cyber attack and may have infected their network by opening a malicious attachment. The campaign was discovered by researchers at Palo Alto Networks' Unit 42, who named it FreeMilk after words found in the malware's code.
“Our research showed that the spear phishing emails came from multiple compromised email accounts tied to a legitimate domain in North East Asia. We believe that the threat actor hijacked an existing, legitimate in-progress conversation and posed as the legitimate senders to send malicious spear phishing emails to the recipients,” said Juan Cortes in a blog post.
There have already been plenty of attacks based on this technique which have infiltrated several networks, including a Middle Eastern bank, European intellectual services firms, an international sporting organization and 'individuals with indirect ties to a country in North East Asia'.
The attack exploits CVE-2017-0199, a remote code execution vulnerability in the way Microsoft Office and WordPad parse specially crafted files, which Microsoft patched in April this year.