Cybercriminals have always managed to stay ahead of the cyber security experts in terms of their ability to swiftly adapt to the everchanging technological dynamics. Phishing attacks are getting more sophisticated with time- thanks to the advent of artificial intelligence and its easy accessibility.

No matter how hard the cyber security experts try to curb cyber crimes, the threat actors still deceive the naive victims and compel them to reveal personal information and sensitive details. With every upgrade in technology, cybercriminals keep upskilling themselves and coming up with innovative phishing activities.

Threat actors are no longer restricted to just fraudulent emails. Nowadays, phishing actors leverage CAPTCHAs, QR codes, and steganography to exploit victims.

To safeguard one’s sensitive details and hard-earned money, it is important to understand how these phishing activities take place!

 

 

Suspicious Captchas!

CAPTCHAs (Completely Automated Public Turing Tests to Tell Computers and Humans Apart) are used by websites to prevent bot activities such as the creation of fake accounts, spam messaging/commenting, and so on. At times, it does get boring for website visitors to keep solving the CAPTCHAs in order to gain access to the website. 

However, CAPTCHAs do successfully evade bot activities. They also safeguard websites by preventing unauthorized access and brute force attacks. CAPTCHAs are effectively used to differentiate between automated inputs and authentic user inputs.

 

 

But it seems they have become the current favorite among threat actors!

Phishing actors are using CAPTCHAs to camouflage their illegitimate activities. CAPTCHAs are used to create a sense of security among the users. Also, these CAPTCHAs successfully create a sense of urgency whereby naive users enter personal details without giving too much thought to it. Threat actors use these CAPTCHAs to cleverly redirect the users to malicious sites.

 

Quishing

Quishing is the ultimate blend of phishing and QR codes. QR codes or Quick Response codes were initially used to track automotive parts. Later on, people started using them for different purposes, such as storing and sharing information, making contactless, swift payments, connecting any physical object to virtual content, and so on. If you are not living under a rock, then you must know that QR codes are basically black squares organized and arranged systematically inside a white square grid. They will also consist of encoded text, URLs, or any other form of data.

Threat actors use quishing techniques to attack users and carry out their malicious activities.

The age-old social engineering technique is now accompanied by QR codes. It convinces the users to scan codes by leveraging spam messages, emails, and physical placements.

QR codes are also being used by phishing actors to divert naive users to phishing websites. They entice the users to enter personal information, login credentials, etc. This, in turn, increases the risk of identity theft

Phishing actors dexterously design malicious websites and use them to mimic legitimate brand websites. This is more like an identity theft and convinces users to share their sensitive details by scanning the QR codes

 

 

QR code fraud activities are now widely used in deceitful activities such as payment fraud, brand or identity impersonation, or malicious downloads. It is important for the users to stay vigilant enough in order to avoid the risks related to quishing activities.

Conventional cybersecurity measures that specialize in identifying text-based phishing attempts fail to decode the quishing tactics.

 

Steganography

Steganography is the practice of concealing important data inside images, videos, and different forms of media. It is different from cryptography. 

Steganography is mainly used for covert communications where messages are hidden within different formats of data, such as audio files, images, texts, etc. This type of data transmission ensures suspicion-free communication.

Steganography is also used for protecting significant information and data by preventing unauthorized access to it.

Now, threat actors are using steganography to carry out fraudulent activities. For instance, they tweak the spacing or formatting of text messages to embed information through text steganography. Changing or adjusting the frequencies of audio or creating sound alterations to conceal any data is also a popular practice among phishing experts. Image-based steganography is also widely practiced by phishing actors to avoid any kind of tracing activity.

 

Image source

 

Phishing actors can conveniently embed malware by using image-based steganography. Malicious websites, too, leverage steganography to conceal potentially dangerous files, images, and URLs

 

Multi-Stage Phishing Approach Breaking Into Your PC and Bank! 

Below mentioned are some of the popular instances of multi-stage phishing activities:

Phishing actors deceitfully entice users to scan QR codes, which direct them to fake websites. These websites often mimic legitimate bank portals. Clicking on these malicious links successfully deploys bank trojans into the system of the users.

Another instance is that of credential harvesting, where threat actors use CAPTCHAs to gain the trust of users and cleverly persuade them to give away their credentials.

Malicious emails are sent out in which suspicious email attachments are camouflaged by using steganography. 

Cyber security is increasingly becoming a matter of concern, as the conventional approach seems inadequate to curb the state-of-the-art tactics of the threat actors. Multi-stage phishing attacks are gradually penetrating deep into the various spheres of society, whereby professionals and homemakers are falling prey to their deceits.

 

 

A multi-layered cyber security system is the need of the hour, whereby both traditional and modern phishing protection approaches are leveraged to protect users from malware and other cyber crimes. 

Next time you see a QR code, a suspicious email, or a CAPTCHA, be mindful enough to check whether it’s a genuine one. Phishing awareness training could be a crucial factor in enhancing your awareness. This strengthened awareness is a valuable tool, capable of protecting not only your finances but also ensuring peace of mind!