A phishing story
Jindrich Karasek
Cyber Threat & Defence Research, AI & Cognitive Security, DFIR, speaker, mentor, TI Associate, Views are my own.
Phishing is still a valid threat and remains the most prevalent way for an attacker to get into an enterprise environment.
Or is it only a risk for companies?
The story I am about to tell shows that personal privacy and personal secrets are also a great deal for hackers.
During the investigation of an incident, I found a phishing campaign targeting people in general and searching for their secrets.
The attackers also seemed to assign a score to each victim to decide whether the victim's account would be used for further spreading of the phishing campaign or for some other purpose.
These “score classes” were found:
- Cheater: someone cheating on a wife or husband, to be blackmailed.
- Nude pictures: usually young women who had nude pictures stored in their mailbox; for blackmail or for impersonation elsewhere on the internet.
- Administrator: a person whose mailbox holds credentials to an administrative account.
- Strong: a person who appeared to hold a strong position of any kind, either on social networks or in business; to be impersonated, blackmailed or attacked further in other ways.
- By mailbox content: if there were service messages from Facebook, LinkedIn, PayPal or e-shop accounts, the attackers attempted to log in to those services with the credentials stolen from the user. If they succeeded, the account was used to propagate the attack on that platform.
Regarding the latter, in most cases the attackers moved laterally from email to the victim's LinkedIn. Once they succeeded, they used the victim's LinkedIn to mine the contact list and spread the attack further.
This is how a successful phishing attack looks from the data point of view:
The connections show how the malicious email spread over the network of people linked to each other by email.
Opportunities the attackers were looking for:
1] Misuse of a private mail account for business-related communication:
The attackers identified a victim who was using her private email account for managing the company's operations.
They then sent a payment request to the finance department, posing as an "office supplies provider".
Due to lack of data it is not clear whether the attackers succeeded.
2] Credentials stored in the mailbox:
The attackers found credentials stored in a victim's mailbox and used them to log in to the corresponding accounts. This was a very common finding. According to the notes found in the data, the attackers hijacked the following types of accounts:
– Other email accounts used by the victim, PayPal, Facebook, LinkedIn [very often], file-sharing services, shopping accounts, server and web administration panels, shared document services.
3] Cheaters and family-life issues to be exploited:
Both men and women. If the attacker found a remark about such behaviour in the victim's correspondence, it was noted down, and in several cases they attempted to blackmail the victim.
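Item 2 above and the "By mailbox content" score class describe the same attacker workflow: read the mailbox, inventory which services it receives notifications from, and try the stolen password on each of them. As an added example (not code from the original article), the script below does that triage from the defender's side on an mbox export, so a responder knows which accounts to rotate first and which messages leak credentials. The sample mbox, the service-domain list and the credential patterns are constructed for this example and should be extended to your own environment.

```python
# Added example, not from the original article: triage an mbox export of a
# compromised mailbox the way the attackers in the story did, from the
# defender's side. All sample data below is constructed.
import mailbox
import re
import tempfile
from email.utils import parseaddr

# Sender domains whose service mail reveals an account the attacker will try
# with the stolen password (assumption: illustrative list, extend as needed).
SERVICE_DOMAINS = {"linkedin.com", "facebook.com", "paypal.com"}

# Lines that look like stored credentials (assumption: simple patterns).
CREDENTIAL_PATTERNS = [
    re.compile(r"\b(pass(word)?|pwd)\s*[:=]\s*\S+", re.I),
    re.compile(r"\b(user(name)?|login)\s*[:=]\s*\S+", re.I),
]

# Constructed mbox with a LinkedIn notification, a PayPal receipt and a
# self-sent "reminder" mail holding plaintext credentials.
SAMPLE_MBOX = """From alice@example.org Mon Dec  3 09:00:00 2018
From: LinkedIn <messages-noreply@linkedin.com>
To: alice@example.org
Subject: You have 3 new connection requests

Hi Alice, you have new invitations waiting.

From alice@example.org Mon Dec  3 09:05:00 2018
From: service@paypal.com
To: alice@example.org
Subject: Receipt for your payment

You sent a payment of 19.00 EUR.

From alice@example.org Mon Dec  3 09:10:00 2018
From: alice@example.org
To: alice@example.org
Subject: admin login

ssh root@10.0.0.5
password: Winter2018!
webmail user: alice pass: Summer17
"""


def write_sample_mbox():
    """Write the constructed sample to a temporary file and return its path."""
    f = tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False)
    f.write(SAMPLE_MBOX)
    f.close()
    return f.name


def _body_text(msg):
    """Return the decoded text of the first text/plain part (or the body)."""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                raw = part.get_payload(decode=True) or b""
                return raw.decode(part.get_content_charset() or "utf-8", "replace")
        return ""
    raw = msg.get_payload(decode=True) or b""
    return raw.decode(msg.get_content_charset() or "utf-8", "replace")


def triage_mailbox(path):
    """Inventory service senders and credential-looking lines in an mbox file."""
    services = set()
    credential_hits = []  # (subject, offending line)
    for msg in mailbox.mbox(path):
        _, addr = parseaddr(msg.get("From", ""))
        domain = addr.rpartition("@")[2].lower()
        if domain in SERVICE_DOMAINS:
            services.add(domain)
        for line in _body_text(msg).splitlines():
            if any(p.search(line) for p in CREDENTIAL_PATTERNS):
                credential_hits.append((msg.get("Subject", ""), line.strip()))
    return {"services_to_rotate": sorted(services),
            "credential_hits": credential_hits}


if __name__ == "__main__":
    result = triage_mailbox(write_sample_mbox())
    print("Accounts to rotate:", ", ".join(result["services_to_rotate"]))
    for subject, line in result["credential_hits"]:
        print(f"Credential leak in '{subject}': {line}")
```

On a real export, the "services to rotate" list is the same list the attacker builds from the mailbox, so every account on it should get a new, unique password regardless of whether a login attempt has been observed yet.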
How this attack could have been prevented:
Victims should be aware of phishing attacks in general and of their most common forms. This applies not only to the enterprise environment but also to private life.
Triggers that should raise attention:
- An unusual request to read a document.
- A certificate warning while browsing to the (malicious) website.
- A request to log in on a non-standard website.
- Nothing actually happens after the credentials are entered (the page just reloads or shows an error); by then the credentials have been captured and should be changed immediately.
- Some of the emails were actually caught by spam filters, but people clicked on them anyway.
- The antivirus or antispam product issued a warning about spam or a malicious PHP phishing page.
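The triggers above are things a person notices after the fact. Several of them can also be checked mechanically on the links in a message before anything is clicked. The following is an added example, not code from the original article: it parses the HTML body of a mail, compares the visible link text with the real target, and flags bare-IP hosts, login-looking pages served over plain http, and login-looking URLs that are not on the domains the recipient expects for that brand. The sample message, the keyword list and the expected-domain list are constructed for this example.

```python
# Added example, not from the original article: inspect the links in an HTML
# mail body before anyone clicks. Sample message and word lists are constructed.
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Words suggesting the link leads to a credential prompt (assumption: tune per environment).
LOGIN_WORDS = re.compile(r"login|signin|sign-in|verify|account|password", re.I)
# Visible link text that looks like a bare domain, e.g. "www.paypal.com".
DOMAIN_LIKE = re.compile(r"[\w-]+(\.[\w-]+)+")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def inspect_links(html, expected_domains):
    """Return [(href, [reasons])] for every link that matches a trigger."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = _host(href)
        reasons = []
        # Trigger: the text shows one site, the link goes somewhere else.
        if "://" in text:
            shown = _host(text)
        elif DOMAIN_LIKE.fullmatch(text):
            shown = text.lower()
        else:
            shown = ""
        if shown and not _under(host, shown):
            reasons.append(f"text shows {shown} but link goes to {host}")
        if _is_ip(host):
            reasons.append("link target is a bare IP address")
        looks_like_login = bool(LOGIN_WORDS.search(href))
        if looks_like_login and urlparse(href).scheme == "http":
            reasons.append("login-looking page over plain http")
        if looks_like_login and not any(_under(host, d) for d in expected_domains):
            reasons.append(f"login-looking URL on unexpected host {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed phishing body: a fake PayPal link to a TEST-NET address, a real
# help link, and a "shared document" link on an unrelated .example host.
SAMPLE_HTML = """<p>Your PayPal account is limited. Please confirm your details.</p>
<a href="http://203.0.113.7/paypal/login.php">https://www.paypal.com/signin</a>
<a href="https://www.paypal.com/help">Help Center</a>
<a href="https://secure-docs-share.example/verify">View shared document</a>
"""

if __name__ == "__main__":
    for href, reasons in inspect_links(SAMPLE_HTML, ["paypal.com"]):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The expected-domain list is the one piece of knowledge the checker cannot infer from the message: it encodes where a login for a given brand is legitimately expected, and a gateway would normally keep one such list per brand it sees impersonated.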
At this time of year the danger of phishing is heightened: attackers take advantage of people being stressed and doing online shopping from both business and private email accounts, so people are more likely to open a strange attachment or click a malicious link. It is also easier these days to impersonate a delivery company or a shopping mall and to spread attacks disguised as special promotions.
-------------------------------------------------------------------------------------------------------
Full article is here: A phishing story by 4n6strider.
More information:
To promote awareness about phishing, I would like to mention the CSR work done by Trend Micro:
"What’s Your Story?" is a video competition for youth, to engage them in the conversation about being online, and the challenges and benefits which we can all experience. Check out some amazing past winning videos from our US contest https://whatsyourstory.trendmicro.com/ .
Internet Safety For Kids and Families Program (ISKF):
The program aims to raise awareness and provide education to parents, teachers, and youth on Internet safety issues. It is designed to achieve this through partnerships, volunteerism, grants and donations. The ISKF program is delivered free into our local communities by our Trend Micro volunteers around the world promoting safety, responsibility and success online for everyone.
The program has already reached over 1,000,000 parents, educators and students across the globe. Trend Micro collaborates with academia, law enforcement, industry and government around the world, with a key focus at all times on youth and community empowerment online.
For more information, resources and articles check out our global blog site https://internetsafety.trendmicro.com/