Cyber attacks continue to increase at a rapid rate. In 2016, there were 6,447 software security vulnerabilities found or reported to authorities. In 2017, that number rose to 14,714, more than double the previous year. Halfway through 2018, we are at 8,177 with no signs of slowing.
One of the biggest avenues of attacks is Adobe Flash Player, which has been a leading source of vulnerabilities for over 20 years.
Modern browsers have been phasing out Adobe Flash over the past 5 years. In December 2016, Google Chrome completely disabled Flash Player by default.
Mozilla Firefox started to block the most vulnerable parts of Flash Player by default in 2016 and 2017.
The latest Flash Player vulnerability, designated CVE-2018-5002 by Adobe, aims to circumvent those browser changes by hiding the attack in a Microsoft Excel file, which is then distributed by targeted emails disguised as legitimate bulletins from hiring websites.
To hide this from anti-virus software, the hackers went another step further by not including the malicious code directly in the Excel file. Instead, they just embed a small snippet that tells the file to load a Flash module from somewhere else on the Internet. Due to this, the file appears to be a normal Excel document with Flash controls to anti-virus applications.
CVE-2018-5002 is what’s known as a Zero Day vulnerability, which means it was used by attackers before it was discovered and patched.
This particular vulnerability appears to have been used in the Middle East already.
In one instance, businesses in Qatar received an email that mimicked “bayt.com,” a Middle Eastern job search website. The attackers sent the email from “dohabayt.com.”
With Doha being the capitol of Qatar, it was easy to assume that dohabayt was simply an extension of the main website.
However, a true branch of bayt.com, known as a subdomain, would be separated by a period like so: doha.bayt.com. Once the target was tricked into opening the email, they were directed to download and open the attached Microsoft Excel file named “Salaries.”
This was a normal-looking table of average Middle Eastern job salaries, but in the background, the attack was already going to work.
How To Avoid Being Infected
The fake email scenario described above is known as phishing. Phishing is the attempt to disguise something as legitimate to gain sensitive information or compromise their computer.
The word phishing is a homophone of fishing, coined for the similarity of using bait in an attempt to catch a victim.
The attack described above was a type of phishing known as spear phishing, where the attacker tailored their methods specifically to the intended victim.
They disguised the email as a local site used for job or employee hiring, and the file as a desirable database of salary information.
Phishing emails are most easily identified by checking the sender’s email address. Look at the unbroken text just before the “.com”.
If this is not a website known to you or if it contains gibberish such as a random string of numbers and letters, then the email is almost always fake.
While the attack above was sophisticated, most phishing emails simply try to trick the user by saying things like “Your emails have been blocked, click here to unblock them” or “Click here to view your recent order” when you did not actually order anything.
Always be vigilant. When in doubt, forward the email to your IT department or provider for them to check the email for viruses or other threats.