Posted February 4, 2019
Probably like you, LookingGlass Cyber Solutions, Inc.’s senior management was recently Phished.
The company’s robust Cyber Security Awareness Training ensured no one bit on this phish. But no one at LookingGlass wanted to pass up the opportunity to catch this Phish, particularly given a current cyber intelligence report stating “up to 93% of all breaches start with a Phish.”
Our approach. The method and tactics used to catch this Phish were both simple and sophisticated. First, we collected the information necessary to identify the deception actors, in case we assessed they might be located in a region with responsive law enforcement pursuing cybercrime investigations. To do this, we began with basic header analysis to see if the actors had forged additional headers to make the email appear to come from AOL, seemingly the attacker’s mail provider. However, our header analysis showed that they really were using AOL webmail, as the email address implied. In parallel with the header analysis, another analyst collected timing information for all the suspect emails that came in, and this gave us our first clue to the attacker’s level of sophistication.
The bait. We replied to the Phish’s message and began a dialogue to determine what the deception actors wanted. This Phish wanted his victim to send multiple gift card links. Now we knew what bait to use to catch our Phish.
The hook. The Team would send our Phish the desired gift card links; however, these links included a web beacon we inserted. As soon as our Phish clicked, we were able to log the Phisher’s every move and eventually tracked down his IP address.
The web beacon required infrastructure for hosting and logging. We then generated QR codes linked back to those same web beacons, so that if the deception actor accessed our link from their cell phone, that activity would appear in our logs. The Team also employed a social engineering tactic by using an HTTPS URL to make our web beacons look more legitimate. With the bait on the hook, we sent the deception actors a response from the internal victim’s email address to avoid existing spam prevention measures like SPF and DKIM that might otherwise cause our message to be flagged as spam.
The wait wasn’t long. The web beacon triggered, and a moment later it triggered again from a different IP address. An hour later, the beacon triggered two more times from two more IP addresses. We had our deception actors. A quick lookup of the IP addresses showed that the first, second and fourth were based in Nigeria, while the third came from a shared VPN exit point. We were also able to determine what devices they were using to access the links: an iPhone and an Apple desktop.
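As an added illustration (not LookingGlass’s own tooling), the Python below shows the two halves of the beacon technique described above: minting an unguessable per-reply token for the beacon URL, and parsing the beacon host’s access log to recover source IPs, device type from the User-Agent, and the timing between hits. The log format (Common Log Format with a User-Agent field), hostname, path and sample entries are all constructed assumptions.

```python
import re
import secrets
from datetime import datetime

# Constructed sample access log as the beacon host would write it (documentation IP ranges only).
SAMPLE_LOG = """\
203.0.113.10 - - [04/Feb/2019:14:02:11 +0000] "GET /gc/claim?t=a1b2c3 HTTP/1.1" 200 43 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15"
203.0.113.11 - - [04/Feb/2019:14:02:15 +0000] "GET /gc/claim?t=a1b2c3 HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15"
198.51.100.7 - - [04/Feb/2019:14:30:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "curl/7.64.0"
203.0.113.12 - - [04/Feb/2019:15:02:11 +0000] "GET /gc/claim?t=a1b2c3 HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def new_beacon_url(base="https://beacon.example.com/gc/claim"):  # hypothetical host/path
    """Return (url, token): one random token per reply so every hit can be tied to it."""
    token = secrets.token_hex(8)
    return f"{base}?t={token}", token

def classify_device(ua):
    return "iPhone" if "iPhone" in ua else "Apple desktop" if "Macintosh" in ua else "other"

def parse_beacon_hits(log_text, token, path="/gc/claim"):
    """Return the hits for one beacon token in time order, ignoring unrelated requests."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(path + "?"):
            continue
        query = m.group("path").split("?", 1)[1]
        if f"t={token}" not in query.split("&"):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits.append({"ts": ts, "ip": m.group("ip"), "device": classify_device(m.group("ua"))})
    hits.sort(key=lambda h: h["ts"])
    return hits

def summarize(hits):
    """Distinct source IPs, device types, and minutes between the first and last hit."""
    if not hits:
        return {"ips": [], "devices": [], "span_minutes": 0.0}
    ips = list(dict.fromkeys(h["ip"] for h in hits))
    devices = list(dict.fromkeys(h["device"] for h in hits))
    span = (hits[-1]["ts"] - hits[0]["ts"]).total_seconds() / 60
    return {"ips": ips, "devices": devices, "span_minutes": span}
```

The IPs returned by summarize() are what you would feed to a geolocation or VPN-exit lookup, as the post goes on to describe.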
What we learned. While this attack wasn’t the most sophisticated in terms of targeting, the complexity lay in the deception actors’ ability to evolve quickly and in the presence of an organizational structure. Getting a webmail client to sustain a send rate of three emails per minute is not an easy feat, implying that the person behind the attack is skilled, practiced, and disciplined.
Phishing continues to be a serious threat not only to internal staff but also to third party vendors and suppliers, bringing increased emphasis on third party vendor management in every security strategy. There is a continuum of risks to be addressed in any risk management plan, from brute force protection to phishing education; everyone’s cyber safety needs upgrading. There are many cyber safety wikis and blogs online, including our own recent Cybersecurity ABCs, to help you stay on top of this topic.
Gift card requests: The recent round has been impersonating a high-level company official, such as the CEO or CFO, who requests that employees purchase gift cards on their behalf.
This tactic usually centers on developing a romantic relationship with the target who is then exploited for financial gain.
Necurs botnet: Used to launch a campaign of targeted phishing emails aimed at breaching the cyber defenses of a number of banks.
Phishers continue to adapt and are now more targeted in their efforts, doing their homework and learning from their mistakes. In this case, our phisher impersonated an executive ranked high enough that the phisher hoped the request would not be questioned. The same group has been reported to be hitting many other companies and, after our QR code web beacon, has refined its message to include images of the gift cards it wants.
For more Phishing Trends and Threats, check out our Strategic Intelligence Subscription Service.