Phishing exploits that steal passwords from gullible workers have been in the news recently, but your accounts can still be compromised even if users never click on a fraudulent link. Case in point: a recently reported social engineering scam running out of Nigeria. In this attack, dubbed the “Phantom Menace,” the scammer sends an email and PDF attachment to an unsuspecting worker at an oil transportation firm. When the recipient opens the attachment, all they see is an empty document. But under the hood, they’ve inadvertently created a file that copies any usernames and passwords saved in the email client and local browser.
Once the file swipes the secret info, it sends it back to the scammer. He then uses the credentials to pose as a legit shipping firm and trick oil brokers into advancing him up to $100,000. This is a variation of the Nigerain 419 scam, which, in turn, is a variant of a 500-year old scam called the Spanish Prisoner.
In the world of InfoSec, we tend to worry about ingenious code that can bypass firewalls and certificate protocols. This scam shows us that less sophisticated schemes work just as well. No zero-day patch or fancy hardware can stop a criminal once he has usernames and passwords.
A Scam Without Malware or Accidental Sharing
To get those credentials, the scammer didn’t use traditional malware. Nobody’s device was damaged or disabled by software. Also, the workers didn’t mistakenly tell someone their login credentials. The scammer’s attachment simply grabbed passwords stored on employees’ local browsers. The convenience of autosave features built into local browsers and the widespread use of web email means that any device anywhere can lead to a breach.
Can You Defend Against Phantom Menace?
If your workers are running browsers on their local devices, you can’t stop a scheme like Phantom Menace. However, there is a way to avoid this threat: a browser in the cloud. Our cloud-based browser, Silo, handles the burden of login credentials for the user. With Silo, workers are no longer responsible for coming up with strong passwords or storing them on their local browser. Instead, Silo auto-fills complex credentials for the user, remotely.
If your company uses Silo, a worker who accidentally opens a Phantom Menace-style attachment wouldn’t create a security breach. The scammer’s folder can’t collect passwords from the local browser because they aren’t there. Moreover, if you really want to lock things down, Silo lets you pre-emptively restrict downloads altogether.
It’s an unavoidable fact that password-protected, web-based, business applications are here for long haul. So the question is: Will you let all those vital credentials float around on workers’ devices and local browsers? Or will you rein in those vulnerabilities and protect your network with a secure, easy-to-manage, cloud-based browser?