Masquerading as a safe document format: But after so many warnings about this over time, why are people still so trusting of PDFs and Dropbox?

“Because, historically, they’ve actually been trained to be,” said Avakian. PDFs are routinely used in the business world and have been positioned as a safe, read-only document format for invoices, contracts, HR forms, and statements. This applies to Dropbox, too; it has become a mainstream business tool that employees have been encouraged to use, and has been positioned so that its services “are not some sketchy file-sharing site anymore.”

“When people see a PDF or a Dropbox logo, their guard naturally drops,” said Avakian. Familiarity and the need for speed prevent them from pausing and taking a closer look. Attackers know this, and “exploit it perfectly.”

On top of this, Avakian pointed out, cloud infrastructure has become a “shield” for attackers. Security awareness has conditioned users to be wary of shady domains, but not of reputable platforms. It’s a mental model that’s outdated, and “attackers are way ahead of it.”
‘Don’t click links’ is not enough: Hackers know that many employees tend to touch payment processes and documents, noted Lionel Menchaca, content marketing and technical writing specialist at Forcepoint, so they must be trained to verify that invoices, purchase orders (POs), and contracts are coming from confirmed vendors, affiliates, and agencies. “If they cannot verify, they should report suspicious emails to IT or security teams,” he said.

But the precautions don’t stop there, Shipley noted. Employees must develop good e-mail processing habits, such as taking frequent breaks; simulations can help, as they allow people to break out of routine. Many email clicks (he estimates about 40%) occur when people are on autopilot and aren’t processing at the deep thinking level; “they’re just acting on instinct.”

Avakian agreed that email security awareness training must evolve beyond “don’t click links.” Employers and leaders at all levels must understand that modern phishing is increasingly “multi-stage, cloud-hosted, brand-impersonating, and intentionally boring-looking.” PDFs are no longer “safe by default,” and cloud services are no longer “trusted by default.”

“This type of incident becomes a great example, and [an] opportunity to build more sophisticated phishing testing,” said Avakian. “The goal is not to embarrass users, but to build security minded habits as to how attacks unfold today.”

While the basics still matter, they need to be framed honestly, he said.
Hover over links, but understand that cloud-hosted URLs can still be malicious; check the sender’s “from” address and domain, but recognize that compromised or look-alike domains exist; be cautious of unexpected attachments, even PDFs, especially when they lead you somewhere else; and treat any login prompt as a moment to pause, “especially when they’re triggered indirectly,” Avakian advised.

“Security awareness has to grow up, just like the threats did,” he said.

Still, clicks will happen, and effective multi-layered controls limit the damage. Multi-factor authentication (MFA), conditional access, and anomaly detection are critical, and a zero-trust mindset embeds security into a culture where the “trust by default” mindset goes away, said Avakian.

“At the end of the day, PDFs and Dropbox aren’t the problem; unquestioned trust is,” he said.
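The sender and link checks listed above do not have to be left to a hurried reader; a mail gateway or a SOC triage script can apply the same ones mechanically and route the message for out-of-band verification. The script below is an added example, not code from the article or from anyone quoted in it. It runs four checks against a constructed sample invoice lure: sender domain against a vendor allow-list, a look-alike test on the sender domain, envelope sender versus header sender, and, for every link, whether the visible text names a different host than the href and whether the href lands on a mainstream file-sharing service. The vendor allow-list, the file-sharing host list and the look-alike heuristic are assumptions made for the demonstration, not anything the article prescribes.

```python
"""Mechanical triage of a PDF-plus-file-share invoice lure (added example, not the article's code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an "invoice" lure whose visible link text names the vendor,
# whose href points at a file-sharing host, and whose sender domain is a look-alike.
SAMPLE_EML = """\
From: "Acme Billing" <billing@acme-corp.com>
Return-Path: <bounce@mailer-9x.example>
Subject: Invoice INV-20417 ready for review
Content-Type: text/html; charset=utf-8

<p>Your invoice is attached as a PDF. View it here:
<a href="https://www.dropbox.com/s/abc123/Invoice_INV-20417.pdf?dl=0">acme.com/invoices/INV-20417.pdf</a></p>
"""

VENDOR_DOMAINS = {"acme.com"}  # assumed: domains of vendors confirmed out of band
FILE_SHARE_HOSTS = {"dropbox.com", "drive.google.com", "onedrive.live.com"}  # assumed list

_HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#:]|$)")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """'www.dropbox.com' -> 'dropbox'. Crude (no public-suffix list); an assumption for the demo."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_alike(host: str, vendor: str) -> bool:
    """Heuristic look-alike test: same label under another TLD, vendor label embedded
    in the candidate (acme-corp), or one edit away (acne). Assumed thresholds."""
    host, vendor = host.lower(), vendor.lower()
    if host == vendor:
        return False
    a, b = registrable_label(host), registrable_label(vendor)
    return a == b or b in a.replace("-", "") or _levenshtein(a, b) <= 1


def _host_in_text(text: str):
    m = _HOSTLIKE.match(text.strip().lower())
    return m.group(1) if m else None


def triage(raw_eml: str) -> dict:
    """Returns the sender, a list of (indicator, detail) findings and a verdict."""
    msg = message_from_string(raw_eml)
    findings = []

    _, sender = parseaddr(msg.get("From", ""))
    sender_host = sender.rpartition("@")[2].lower()
    if sender_host not in VENDOR_DOMAINS:
        findings.append(("sender-domain-unverified", sender_host))
        for vendor in VENDOR_DOMAINS:
            if looks_alike(sender_host, vendor):
                findings.append(("sender-domain-lookalike", f"{sender_host} ~ {vendor}"))

    _, bounce = parseaddr(msg.get("Return-Path", ""))
    bounce_host = bounce.rpartition("@")[2].lower()
    if bounce_host and bounce_host != sender_host:
        findings.append(("envelope-sender-mismatch", f"{bounce_host} != {sender_host}"))

    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        text_host = _host_in_text(text)
        if text_host and text_host != href_host and not href_host.endswith("." + text_host):
            findings.append(("link-text-mismatch", f"text {text_host} -> href {href_host}"))
        if any(href_host == h or href_host.endswith("." + h) for h in FILE_SHARE_HOSTS):
            findings.append(("file-share-hosted-link", href))

    verdict = "verify out-of-band before opening" if findings else "no indicators"
    return {"sender": sender, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_EML)["findings"]:
        print(f"{code}: {detail}")
```

None of the indicators is conclusive on its own: a genuine vendor may send from a marketing platform (envelope mismatch) or share a real PDF through Dropbox. The point of scoring them together is that the sample lure trips all of them at once, which is exactly the pattern a reader on autopilot would wave through.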
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4125990/new-phishing-attack-leverages-pdfs-and-dropbox.html

