INKY, a provider of an email security platform, today revealed that since the start of 2022, it has detected 1,288 malicious emails sent via Telegraph. Telegraph is a free minimalist publishing tool that allows users to publish web pages instantly and anonymously without creating an account. These pages can be customized with embedded images and links.
Telegraph is a subsidiary of Telegram, a messaging service that enables messages to disappear after they’re read. As a result, the platform is often used by criminals to share encrypted messages.
Roger Kay, vice president of security strategy for INKY, said Telegraph is now being used to launch phishing attacks by, for example, creating a page that impersonates a Microsoft website that is used to harvest Microsoft credentials.
In another example, a page is used to send a message claiming to have stolen embarrassing personal information that would be deleted once a certain amount of cryptocurrency is deposited in an account.
Kay said these are only the latest examples of the growing sophistication of phishing attacks. As it becomes easier to identify and thwart routine phishing attacks, cybercriminals are engaging in deeper levels of research to create messages that appear legitimate. For example, they may have compromised an email system to identify relationships a potential victim has with other individuals that would enable them to insert themselves within a purchasing process, he noted.
INKY advised that, as part of any security awareness training, email recipients should always be told to be on guard for suspicious messages that ask them to log in with credentials to view a document. Another red flag is asking a recipient to use Microsoft credentials to view, for example, a DocuSign document.
A recipient should never reply or act on any email in which the sender threatens to release embarrassing or personal information unless they are paid in cryptocurrency, INKY advised.
Finally, whenever there is an unexpected email—from a known entity such as a bank, for example—the recipient should always confirm its legitimacy by contacting the institution directly via a different communication platform.
Many organizations will punish employees that fail to consistently recognize phishing attacks, especially when their stolen credentials are used to launch a more lethal ransomware attack. However, as phishing attacks increase in sophistication, even the most well-trained employee can be fooled. Organizations clearly need to augment training with security platforms that thwart phishing emails from ever arriving in the first place. The challenge is that as defenses against phishing emails become more accurate, cybercriminals are responding by spending more time researching potential victims.
It’s not likely that phishing attacks will ever be completely eliminated. However, it’s also far too easy to launch these attacks today. The fallout ranges from outright fraud to damages to brand reputation that, from a monetary perspective, can be hard to calculate. The real trouble, of course, is the cost of launching phishing attacks is dropping as cybercriminals reinvest some of their ill-gotten gains in even more advanced forms of automation.