The legal sector has become a favored target of phishing campaigns. 80% of law firms reportedly received phishing emails in 2018. And in 2017, the success of these phishing campaigns was 300% higher than in 2016. This success rate could be attributed to the fact that not all phishing emails look suspicious, and law firm staff members might not be able to identify them.

IT security professionals in various industries are also not too confident about the ability of end-users to recognize phishing emails. A study by Osterman Research, for instance, found that only 18% of IT professionals believe that end-users are “extremely capable” of recognizing phishing and spear-phishing emails.

IT/Security Perception About the Ability of End Users to Recognize Phishing and Spearphishing Emails (Source: Osterman Research, Inc.)

So, how then can legal service firms mitigate the risk of phishing attacks and protect the confidential information held as part of the client-attorney privilege agreements put in place?

In this post, we examined some of the most common types of phishing attacks targeting law firms and how these can be detected early with the help of Domain Reputation API.

Phishing Attempts in the Legal Sector: Attack Entry Points

Two of the most common methods that threat actors use in phishing campaigns targeting legal service providers are impersonation and social engineering. These techniques are easily pulled off because most lawyers make their contact information, employment history, and other personal details publicly available online.

LinkedIn, for one, is a fountain of information for anyone who wants to impersonate a lawyer or a law firm staff member. The social media site also gives threat actors up-to-date career changes, so they know who recently joined or just left a firm.

New employees and associates are often vulnerable targets. In one case, a finance manager who had only been with a law firm for two months was tricked into transferring £60,000 to a phisher who impersonated a supplier.

Attackers are also known to pretend to be senior partners in casual emails to see if they can get enough responses to launch a full-blown phishing attack.

Our Investigative Tool: Domain Reputation API

Let us take a look at a URL we found on PhishTank that seems like it’s from a legitimate legal services firm:

https://pmlegalservices[.]net/pmlegalservices2018/u00m/checkpoint/mn/index[.]php?email=bronk@tokalaska[.]com?.

We ran the domain name on Domain Reputation API and found that it has a low reputation score of 76.3. The ideal score is 100, which means a site is safe to access.

Aside from the domain’s low reputation score, the tool also returned several warnings that include:

• Newly registered domain (NRD): The domain pmlegalservices[.]net was registered only nine days ago, so this should raise a red flag as NRDs are often tagged as malicious or suspicious.
• Secure Sockets Layer (SSL) certificate does not match: While this error may occur because of a misconfiguration, it could also mean that an attacker is acting as a man in the middle (MITM). When a victim clicks a link in a phishing email, a connection may essentially be hijacked, so any input gets sent to the hacker.
• HTTP Public Key Pinning (HPKP) headers not set: HPKP headers add an extra layer of security as they prevent website impersonation using malicious Transport Layer Security (TLS) certificates. When HPKP headers are not set, the domain’s reputation score is negatively affected.
• HTTP Strict Transport Security not set: This technology forces connections to use HTTPS so hackers cannot capture user traffic. By not setting this security feature on, a script that loads traffic over HTTP can go through.

* * *

Aside from training staff members to be vigilant of phishing emails, a possible action for legal services at this point is to integrate tools such as Domain Reputation API into existing systems and solutions. That way, these can be configured to stop connections to domains with low reputation scores as an additional layer of protection against phishing and other more sinister cyberattacks.