Phishing attacks in K-12 are getting more sophisticated and more frequent. The traditional strategies of user training and content filtering continue to be necessary, but they are also inadequate to stay on top of the arms race against bad actors who continually evolve their tactics to find weaknesses in K-12 environments. Identity Automation launched PhishID to augment traditional strategies with an approach that offers real-time intelligence to protect districts, improve threat visibility, and decrease the time it takes to respond to verified threats. In this report, you will learn about the types of novel attacks from which PhishID is designed to protect districts and how to improve your protection against them.
THE INCIDENT
Identity Automation recently faced a series of sophisticated phishing attacks targeting users across multiple districts. These attacks were particularly insidious as they bypassed traditional web filters by reaching users through their personal email accounts. This case study explores how PhishID, a phishing detection solution, played a crucial role in identifying and mitigating these threats, even when conventional security measures failed.
In late July, PhishID identified a recurring attack pattern involving phishing emails that mimicked legitimate services such as Google Docs and Amazon. These emails were designed to harvest users' Microsoft Outlook and Amazon credentials. Notably, these phishing attempts were not detected by conventional web filters since they were delivered to personal email accounts, outside the scope of the district's email monitoring systems.
Outlook Credential Harvesting Through Google Docs
On July 31, a district trustee clicked on the phishing attack below, which targeted their Microsoft Outlook credentials. The target unsuspectingly clicked on the link in Google Docs. The same attack pattern targeted district staff members on June 1st and June 12th across Texas and Georgia districts.
connectedservers[.]net/qd
Amazon Phishing Delivered Through Personal Email
On July 24 and 25, two Windows users fell victim to distinct Amazon phishing attacks. The URLs involved were:
- i0h97wi4pxih-b6prl6yz9ahw[.]line[.]pm/ap/continue?eventid=125ea3c97744d4a09bb3c53062b9e193
- servicecsamz979[.]duckdns[.]org/bbdff9f30dd14dd5a01dc27e8a1f1eae/f5f6c2643d9f7c64c693d1d2de1ef087.aspx
Google confirmed these URLs as unsafe after the incident, but at that time, all major vendors on VirusTotal, a well-known online service that analyzes files and URLs for viruses, worms, trojans, and other malicious content, deemed them clean.
Multiple Password Harvests
On July 10th, a staff member clicked a spearphish attempting to harvest password information for both their current and former school districts.
forms-us1-468217-3384-526190-2474[.]public[.]500apps[.]org/forms
THE ROLE OF PHISHID
PhishID detected these phishing attempts in real-time. This proactive detection was crucial for several reasons:
- Early Detection: PhishID's advanced algorithms identified the phishing characteristics of the URLs even when other security vendors did not flag them. This early detection allowed Identity Automation to take immediate action to mitigate the threat.
- Cross-District Similarities: PhishID's ability to recognize patterns across multiple districts helped understand that these were not isolated incidents but part of a coordinated attack campaign. The visual and procedural similarities in the phishing emails were flagged, providing valuable intelligence on the threat actor's methods.
- User Education and Response: With the timely alerts from PhishID, Identity Automation was able to inform affected users and educate them on recognizing similar phishing attempts in the future. This not only mitigated the immediate threat but also strengthened the overall security posture of the organization by raising awareness.
CONCLUSION
The incident highlights the importance of having a robust, proactive phishing detection system like PhishID. Traditional security measures, while necessary, are sometimes insufficient against sophisticated attacks that exploit personal email accounts and other external vectors. PhishID's ability to detect threats in real-time, even when they appear clean to other security tools, provides an essential layer of defense. This case underscores the value of advanced phishing detection solutions in safeguarding users and maintaining the integrity of organizational security.
To learn more about how PhishID can protect your district from novel phishing attacks, visit https://www.identityautomation.com/products/phishing-protection.
