Phishing, Scams, and What to Look out For

Most organizations are repeatedly targeted by e-mail and SMS fraud attempts. Let’s talk about how to interact with and report scams and phishing attempts.

Email

BEC, or business email compromise, is the most common way that organizations are compromised and lose data, information, and money. BEC is one of the most tried and tested methods that threat actors use, which means that there are copious amounts of information on the subject.

If you receive an unprompted email about something that should have come through your team’s internal communication platform, that’s an immediate red flag. While this could be a legitimate message, it’s worth noting that this is out of bounds for expected behavior in our organization. Verify that the email address is legitimate and proceed with caution, or ask that the conversation be moved to the proper communications platform.

Methods to identify a phishing email:

  • Emails requesting urgent action on a task.
      • E.g., “Are you busy? I need you to do this ASAP because I’m in a meeting. Thanks, Mr. Boss, CEO of Company Name”
  • Poor spelling or grammar anywhere in the message.
      • Not all hackers and scammers are bad at English. Attackers often use this as a method to isolate targets that are less mindful and make for an easier target.
  • Requests for sensitive information.
      • Most employers will never request sensitive information such as passwords, social security numbers, payment information, and the like through email.
  • Incorrect domain
      • Always take a moment to verify the domain a new email comes from. In Gmail you can see the sender’s email address next to their name.
      • To verify the authenticity, it’s a good idea to view an email in its original format by clicking the kebab icon (three vertical dots) in the far top right corner of the email, and then clicking “Show original”. This shows the raw email format, which is full of information that you can use to better understand where the email originated.
      • You can also click the downward arrow next to “to me” under the sender’s name. This shows the following useful information:
          • From:
          • Reply-to:
          • To:
          • Date:
          • Subject:
          • Mailed-by:
          • Signed-by:
          • Unsubscribe:
          • Security:
  • Links that don’t match the expected domain
      • Attackers will often send you links to spoofed login, download, and other pages. If there’s a link, always think before you click. Hover over the link to see the full URL before you decide to click.
  • Unsolicited attachments
      • These are likely malware. Avoid opening attachments in email, especially if you did not request the attachment.

Avoid clicking links in emails. It’s better to copy the link and paste it into a browser so you can see the full link before visiting it, or simply go to the website yourself without using the link.

Example: you receive an email saying that your password for Amazon needs to be updated, and there’s a link in the email to do so. Instead of clicking the link, go to your browser, type in the address yourself, and log in.

If you receive an email that you suspect to be a phishing attempt, report it to SecOps and we can assist you. Typically we will look the message over for investigative purposes and record any relevant information. After this, it’s safe to click the kebab icon and report it as phishing to Google.

Please, do not simply delete the email and not report it. Please make the Operations team aware of these attempts as it helps us to better understand these threats and create training for the future. Also, if you simply delete the email and fail to report it as phishing, Google doesn’t investigate the message and sender, which allows the sender to continue on from this address.

SMS Phishing

SMS Phishing, or SMishing, is very similar to email phishing, as are the methods for recognition. The messages typically contain a link to a fake login page which steals credentials if they're entered, or are attempts to scam people and organizations out of money. In our experience, the attackers want to scam the organization out of money by having the recipient go to a store, buy gift cards, and then send them the information so they can claim the money for themselves.

This can also be a method for authenticating who a phone number belongs to, which can be used for other attacks in the future. Should you reply and have a discussion with the sender, this can reveal that the number is valid and you are the intended target.

If you receive an unprompted text that should’ve been an inbound message (inbound meaning within whatever method or application your team communicates through), that’s an immediate red flag. This is out of bounds for the expected behavior. If you suspect that this is a legitimate text, ask that the conversation be moved to the proper communications platform. Example: “I’m happy to talk about this in our preferred communications platform”.

If you suspect that the text is fraudulent, screenshot the message and report it to your manager and/or security team. Most mobile OS platforms allow you to report and block the number. While attackers rotate the numbers they use often, it’s better than not reporting and blocking the number.

Below are some examples of recent texts we’ve received:

[Image: screenshots of the example texts, not reproduced here]


Phone

While not as common as email or text messaging, voice is still an attack vector for threat actors. Legitimate phone numbers can be spoofed when making calls, so use caution. Again, know how your company communicates important business information.

Be wary when receiving a call about work. Should you receive a call from someone seeming to be a co-worker or manager, and they’re requesting business or sensitive information, tell them you will call them right back, and terminate the call. While outgoing calls can be spoofed and routed from a threat actor through a legitimate number, if you hang up and call the number back, your call will route to the actual person / number. You can also write to the person in your company’s preferred communication platform and ask if they called you.

There are known vulnerabilities in the signaling systems that our phones use. History has shown that sharing sensitive business information over the phone is not a best practice.

Social Media

By now I’m sure we’re all aware of the dangers of social media. With sites like LinkedIn merging the business and social media realms, it’s important to be aware of the potential threats coming from there. The tactics used will be similar to email and text messaging, but can be a little more convincing.

One such tactic is done by threat actors posing as recruiters or hiring managers from companies (real or fake) who entice you with a job offer, and then request that you share some of your work with them to verify your qualifications. This may seem innocent enough, but there have been instances where employees have shared intellectual property with these attackers, and thus lost company information, and subsequently, their jobs. See this DarknetDiaries episode for this exact situation.

Other tactics include attackers posing as employees from the same company you work at, and trying to get you to discuss sensitive, work-related information over DM. This is a very dangerous practice and should be avoided, even if the person is actually an employee you know and their account is authentic. Again, only discuss business information in your company’s preferred communications platform.

Examples

Twilio Compromise – August, 2022

On August 4th of this year, Twilio, a key player in the SMS and Voice API space, was compromised by a SMishing campaign. In their incident report Twilio states that the attackers sent texts to employees while claiming to be from their IT department. These messages claimed that the user’s password had expired, or that there was a change to their schedule, and included a link to a malicious web page which stole the credentials they entered.

[Image from the original post, not reproduced here]


Unfortunately, an untold number of employees fell victim to this attack, which granted the attackers the credentials they sought to log into Twilio accounts and compromise customer data. While not much high-value information seems to have been stolen in this incident, it still greatly impacts public and client perception of the company, and can impact morale among employees. There are almost always unknown costs associated with a breach such as this.

Uber Compromise – Sept, 2022

On September 15th, word started to spread on Twitter that Uber was actively being hacked. It was reported that a hacker used a combination of a method called “MFA Fatigue” and classic social engineering to gain access to an Uber contractor’s account. The attacker somehow obtained the contractor’s username and password, but the account was protected by MFA. The attacker spammed the employee with dozens of MFA requests, likely hoping they would accidentally accept one of the requests. When they didn’t, the attacker found and messaged the employee on WhatsApp, claiming to be from the Uber IT team. They stated Uber was experiencing issues with the MFA system and if they wanted the requests to stop, they would have to accept one of the requests… and they did. This allowed the hacker to gain access to Uber’s VPN, scan their intranet, and find a PowerShell script with hardcoded credentials to their PAM solution, Thycotic. Now with admin access, the hacker accessed seemingly all of their services and tools, including Google Drive, AWS, GCP, Slack, SentinelOne, and even their bug bounty account on HackerOne, which holds an untold number of security vulnerabilities being triaged.
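The push-spam half of this attack leaves a recognizable trail in an identity provider’s logs: many prompts for one user in a short window, most of them denied or timed out, followed by an approval. The detector below is an added example written for this article; it is not Uber’s tooling or any vendor’s product, and the JSON-lines event format (field names `ts`, `user`, `event`, `result`, `src_ip`) is an assumed layout, not a real product’s schema. The log lines are constructed, with made-up timestamps, usernames and documentation-range IP addresses.

```python
"""Detect "MFA fatigue" patterns in push-authentication logs.

Added example, not from the original article and not any vendor's code.
Events are JSON lines with an assumed schema: ts, user, event, result,
src_ip. Two patterns are reported: more than THRESHOLD prompts for one user
inside a sliding WINDOW, and an approval that follows a run of denials or
timeouts. The sample log below is constructed for this example.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # prompts per user inside WINDOW that raise an alert
WINDOW = timedelta(minutes=10)  # sliding window for counting prompts
APPROVED_AFTER_REFUSALS = 3     # approval preceded by at least this many refusals

# Constructed sample log. Last line is deliberately malformed to show it is skipped.
SAMPLE_LOG = """\
{"ts": "2022-09-15T01:02:00Z", "user": "contractor.a", "event": "mfa.push", "result": "denied", "src_ip": "203.0.113.10"}
{"ts": "2022-09-15T01:02:40Z", "user": "contractor.a", "event": "mfa.push", "result": "timeout", "src_ip": "203.0.113.10"}
{"ts": "2022-09-15T01:03:15Z", "user": "contractor.a", "event": "mfa.push", "result": "denied", "src_ip": "203.0.113.10"}
{"ts": "2022-09-15T01:03:50Z", "user": "normal.b", "event": "mfa.push", "result": "approved", "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T01:04:20Z", "user": "contractor.a", "event": "mfa.push", "result": "denied", "src_ip": "203.0.113.10"}
{"ts": "2022-09-15T01:05:05Z", "user": "contractor.a", "event": "mfa.push", "result": "timeout", "src_ip": "203.0.113.10"}
{"ts": "2022-09-15T01:06:30Z", "user": "contractor.a", "event": "mfa.push", "result": "approved", "src_ip": "203.0.113.10"}
this line is not JSON and is skipped
"""


def parse_events(log_text):
    """Parse JSON lines into event dicts with timezone-aware timestamps, oldest first."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError):
            continue  # malformed line: skip rather than abort the whole run
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_mfa_fatigue(events):
    """Return alert dicts for prompt bursts and approve-after-refusal sequences."""
    recent = defaultdict(deque)   # user -> prompt timestamps inside WINDOW
    refusals = defaultdict(int)   # user -> consecutive denied/timeout prompts
    alerts = []
    for event in events:
        if event.get("event") != "mfa.push":
            continue
        user, ts, result = event["user"], event["ts"], event.get("result")
        window = recent[user]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if len(window) == THRESHOLD:  # fire once, when the threshold is first reached
            alerts.append({"user": user, "ts": ts, "type": "push_burst", "count": len(window)})
        if result in ("denied", "timeout"):
            refusals[user] += 1
        elif result == "approved":
            if refusals[user] >= APPROVED_AFTER_REFUSALS:
                alerts.append({"user": user, "ts": ts, "type": "approve_after_refusals",
                               "refusals": refusals[user], "src_ip": event.get("src_ip")})
            refusals[user] = 0
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_events(SAMPLE_LOG)):
        print(alert)
```

Against the sample, `contractor.a` produces a `push_burst` alert at the fifth prompt and an `approve_after_refusals` alert when the sixth prompt is accepted after five refusals, while `normal.b`’s single approval produces nothing. The second alert is the higher-value one for responders: an approval after a string of denials is exactly the moment the Uber attacker’s WhatsApp story succeeded, and it is a natural trigger for revoking the new session and calling the user back through the company’s own channel.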

[Image from the original post, not reproduced here]


Personal SMishing attempt – August 2022

Like most of us (have you checked haveibeenpwned lately?) my name, number, and email have been leaked in several data breaches. I somewhat regularly receive SMishing attempts. Sometimes they’re similar to the Twilio attacks where I’m prompted to reset an account’s password, but other times they’re a little more vague. Not all malicious texts attempt to steal your credentials. Sometimes the goal of the attack is simply to verify you as the person behind that number. If they can do that, they can use that information for an array of malicious purposes. Here is an example of what I assume to be an attempt at doing just that.

[Image: screenshot of the text exchange described below, not reproduced here]


I’ve encountered this tactic several times before. In this example they are looking for a friend named Carson, to which I replied, “Sorry, you’ve got the wrong number”. They then probe further by saying, “are you really not Carson?”, attach an image of “themselves” (which I was able to trace back to a person not named Amy), and hope that I reply with, “No, this is *my-name*. You’ve got the wrong number. Sorry!”

Most of us want to be kind and help someone who seems to be confused, which is noble, but we should be careful not to disclose more information than we need to.

Okay… now what?

  • Training. Practice makes progress, right? It’s hard to be good at something that you don’t practice or at least discuss. Running mock phishing campaigns is a great way to practice for the real deal. Whether done internally or through an external assessment, it’s one of the most effective ways to prevent losing information when these types of incidents inevitably occur in the future.
  • Documentation. It’s good to have clear documentation and an operating procedure in place for these circumstances. Employees should have an understanding of how the company handles password resets, communication from other employees, departments, managers, executives, etc. E.g., if a company only uses business email accounts to communicate, but their manager texts them from a random number and asks them to buy $500 worth of iTunes gift cards, the employee should realize something is amiss because the communication is out of bounds.
  • Internal Reporting & Tracking. With training, examples, reporting, and tracking procedures in place, we’re less likely to give the attackers what they want, and the security posture of the company will grow stronger. A reporting and tracking mechanism strengthens training materials with examples of what the organization has encountered in the past.
  • External Reporting. Don’t just ignore these types of attacks – report them. In the case of Twilio, they reported these numbers to the carriers to deactivate the numbers used by the attackers. Twilio also reached out to the hosting providers who hosted the fake login pages and those companies removed those sites. Will this stop them forever? Probably not, but it does take some wind from their sails and lets them know that you’re not just going to roll over. One way that you can report these numbers and sites is through the US-CERT’s Anti-Phishing Working Group. You can also report to the FTC or the FBI.


Final thoughts

While people such as KitBoga and Mark Rober have had viral success with trolling scammers, it’s not encouraged that you interact with people who attempt to phish or scam you or your employer. While tempting, toying with them may anger and entice them to try other things and target us further, and we don’t want that. As stated before, if you reply to their message, the attacker now knows that is an active number or account that has interacted with them, and that’s not ideal.

A lot of scams and attacks are successful only because people don’t want to be rude. Attackers will go to any lengths to compromise you. They do not play by the same rules and ethics that we do. Attackers will pose as someone in a wheelchair so that you hold the door open for them and allow them to gain physical entry into a place they do not belong. They will pose as an AT&T contractor and ask to see the networking closet. They will email you, call you, text you, DM you, and lie straight to your face with any story to get closer to what they want. They are ruthless and it’s up to us to be vigilant when it comes to protecting our organization.

Do not hesitate to authenticate someone. Who are they? Why are they there? Who are they there to see? What are they there to do? Verify these things. Ask for ID. Ask for paperwork. Ask the employee they’re there to see if they’re expecting them. Call the company they claim to be from and verify their authenticity.

You’re not rude for caring about the safety and security of your company, its information, and employees. If the person is legitimate, simply apologize for any inconvenience and let them know that we take security seriously.

Useful resources




Bryan Brinkman
