Cybercriminals are getting creative to stay undetected by anti-phishing programs.
A new Microsoft Office phishing campaign was discovered by WMC Global Analysis researchers that a legitimate login page of a Microsoft Account, but uses color inversion to avoid matching patterns from image recognition software, according to Kim Komando.
It seems that while experts are continuously improving anti-phishing software at halting phishing sites before they could launch their tricks. Image recognition software is used by web crawlers to flag and block malicious sites. However, this new phishing campaign stays undetected by using these creative ways.
While seeing the login page on negatives makes it easy to spot the attack, these cybercriminals also use a CSS code to flip the page back to normal colors use to further trick their victims. Web designers use CSS code, a kind of style sheet, to change the appearance of a website.
Moreover, WMC Global Analysis also found these scammers are also updated with the changes on Microsoft Office's login background look that came with the recent updates.
Why is Microsoft Office 365 always targeted by phishing attacks?
Microsoft Office 365 has been targeted by phishing attacks in recent months. Despite numerous anti-phishing notices, some users continue to fall from these tricks.
Since one needs to login to Microsoft account to access Office, stealing the Microsoft account gives attackers to steal access the person's email, Office 365 account, cloud storage, and even lock him out of his computer.
Hackers can also use malicious documents to get into the computer. They can also remotely access the computer and plant more malware by exploiting security flaws in the application.
Meanwhile, cybercriminals can also crack into a Microsoft Account through fake websites, which look similar to authentic Microsoft websites. Since scammers are implementing new tactics to trick their victims, software companies need to further develop the anti-phishing software to prevent them.
How to protect a Microsoft Office account?
It is hard to decipher the real and fake login account. However, users can always use some actions to prevent getting scammed. Here are some tips and red flags to avoid falling on the bait:
- Use strong passwords and do not use a password similar to other accounts. Avoid including common words or personal information in the pasword.
- Always closely check the URLs and sender fields before opening an email, even if it says it is from Microsoft.
- Avoid opening email attachments, particularly Office documents. If the emails appear to be sent by familiar persons, confirm first if they actually sent it.
- Activate two-factor authentication for all accounts that supports it.
- Avoid clicking on links on emails and stick accessing familiar websites when browsing the web. Also, random websites should not require logging into the Microsoft Account.
While these cloned phishing sites look real, they tend to show up in places they have no business such as pop-up ads or email links. For those who have been victims of an Office phishing scam, visit Microsoft support to recover or reset their account.
This is owned by Tech Times
Written by CJ Robles