Spear Phishing using a Net

Net

Emails are one of the few technologies that almost everyone – young and old, technical and non-technical – is familiar with. There are even some employees whose entire job is to review and respond to routine invoices, fax messages, resumes and general queries that they receive in email. Even the most secure organizations, who isolate their more sensitive workstations from the Internet, are usually fairly lax about email. This is why emails have become the weapon of choice for hackers.

Here we have collected several real world examples of how all types of attacks utilize emails. Spreading ransomware and bankers, phishing, targeted campaigns and large ones – all rely on emails and social engineering to get the job done.

Who is the Real Target of the Phishing Messages?

Recently we identified many phishing emails that were crafted as legitimate messages such as “Blocked Transaction Report”, “Incoming Fax Message” and “Receipt for Payment”.  These messages’ intent is to entice recipients into opening attachments and downloading malicious software.

When these messages arrive to the “right” people within the organization – they will be opened and activated.

Imagine you’re working in Accounts Payable and you receive the following email:

phishing-messages01

Looks suspicious for Logan to be using Mike’s email account, but then again you probably receive similar legitimate emails that contain Google and Dropbox links from time to time. If you are used to opening linked attachments, why won’t you do it this time?

The following email is another example of using Dropbox to lure the recipients into clicking a link:

phishing-messages02

The above example is even harder to distinguish from a genuine message since it was sent using a hacked corporate account to all people in the contacts list for the hacked account.

In recent years, spammers have been pummeling mail servers with social engineering-themed messages, including malicious fax and voicemail notification emails. These emails contain information that is typically included in legitimate fax and voicemail messages, such as a caller ID or confirmation number.

phishing-messages03

Once the victim clicks the link in the mail, he downloads “Upatre” downloader which eventually loads the dangerous “Dyreza” banking Trojan.

Simple Tricks of the Trade

Building Spam Lists

Hackers don’t really have to tailor their phishing campaign for each target. There are several quick and dirty methods that accomplish the same goal. Hackers can use bots to scan and collect email addresses from public websites. We also noticed many of the phishing emails arrived to the general information groups such as “info@imperva.com”, “hr@imperva.com”, “careers@imperva.com”, “sales@ imperva.comand others. These emails usually appear on the Contact Us page of the company’s official site, as well as other notable and easily accessible locations.

We tend to think that corporate machines are infected through sophisticated Spear Phishing campaigns. The reality however is different: the sheer amount of messages indicates that the attackers simply send phishing emails to any organizational email address they put their hands on. It is more likely, that the attackers’ agenda is to reach as many employees as possible from various positions inside the organization.

As Chris Rohlf, lead of pentesting team at Yahoo and Leaf Security Research Founder, said in this recent article “Offense At Scale”: “We rely too much on the one in a million defense. In our business, one in a million is next Tuesday”.

The following spam email is an example of a message we received to the general information address:

phishing-messages04

Using hacked accounts for sending emails to the compromised contacts list further increases the chance of the target opening the message and downloading the malware.

Match Email to Target Audience

The next example is interesting since the malware embedded in the email is localized. It’s written in Portuguese and targeted at Brazilian users. In this case the cybercriminals were hoping to significantly increase infection rates by giving their emails a legitimate and seemingly relevant appearance. This was achieved by using language-specific email texts as in the following email:

phishing-messages05

“Electronic transfer available. Sorry for the delay but only now managed to make the transfer, follows in the attached message the transfer voucher. For any questions I am available”
Compress and Attach

We received the email below a couple of days ago. The attachment poses as a resume inside an archive file. Needless to say – the attachment includes a malware. This message is a part of new resume-themed malicious email campaign aimed at delivering version 3.0 of the infamous CryptoWall ransomware.

phishing-messages06

That downloads a zip file containing a malware with an adobe PDF icon, designed to trick users into double-clicking it.

p7

Once this ransomware gets in without knocking, it initiates a scan in the background in order to find the files with popular extensions on all computer and network drives. Everything that gets found is quickly encrypted in place (removing the original content). After encrypting the files it adds the “HELP_DECRYPT” files to the affected directory. Afterwards it opens the “HELP_DECRYPT” files to show the victim the dreaded ransom note:

phishing-messages07

Simple Spoofing

Another interesting phishing attack is based on email’s source address spoofing, to make the email look like it came from a trusted email address, as in this example:

simple-spoofing

While services exist that help in actually sending an email address with a spoofed source, the sample above uses an EXTREMELY SIMPLE technique to make it look like it was sent from one address while in reality it was sent from a different one.

The attacker inserted single-quote characters in the FROM field in the following way:

 John Johnson < John Johnson@xxxxx.com <mailto: John Johnson@xxxxx.com>> <attackeraddress@gmail.com <mailto: attackeraddress@gmail.com >>‘

The green quotes mark the beginning and end of the FROM field, and the red quotes are actual quotes in the string.

Also note that there is currently no payload within these emails such as attachments, links or embedded code. In this case, the attackers get information from their victim when they reply to the email.

Summary

What at first may seem as a targeted attack (Spear Phishing) against a specific organization is in fact a widespread spam campaign. These campaigns’ aim is to infect as many organizations as possible, meaning that every organization is at risk. Telling even these simple, generic, Phishing emails from genuine ones is extremely hard for the ordinary person.

The bottom line is that while employee education is a necessity, at the end of the day infection is inevitable. Links will be clicked, attachments will be downloaded, opened and executed, for the simple reason that employees do this as part of their job. Therefore, the focus of the organization should be on building a security suite that is fast in detecting a compromised machine or account through its attempt to abuse enterprise data and resources and then quickly and automatically close the loop by applying a quarantine to that compromised asset – by preventing further access to sensitive enterprise data.