The Anatomy of a Flawed Phishing Attack: When Phish Get Caught
by Rhiannon Hughes
Phishing attacks have become cyber criminals go-to method for breaching systems and stealing valuable information. Evolving from obvious email scams, phishing emails now appear to be much more convincing and are often composed to trick particular victims. This form of attack has rapidly increased in popularity amongst cyber criminals because it is relatively easy to carry out and cheap to administer. In fact, according to the Department for Digital, Culture, Media and Sport, 83% of businesses experienced a phishing attack in the past year. The overall aim of phishing attacks is to either fool victims into supplying sensitive information such as passwords or financial information or to trick users into clicking a malicious link that will install malware onto their systems.
Phishing attacks have such a high success rate because they play on emotions such as fear, panic and embarrassment and use language that creates a sense of urgency. Usually, phishing emails will specify that a task has to be completed within a certain time frame. For instance, an attacker may pretend to be a victim’s boss and request that certain information is sent to them by the end of the day. Victims will often panic and submit information or click on a malicious link within the timeframe to avoid embarrassment or financial loss. Attackers also tailor broader phishing attacks to events going on in the world. For example, in January there is usually a spike in phishing emails from “HMRC”, coinciding with the tax return deadline. Amazon and Royal Mail are similarly used in December to attack users who are online shopping in time for Christmas. Business-related applications such as Microsoft, Zoom and DocuSign are also regularly spoofed in phishing attacks. Since the beginning of the Covid-19 pandemic, there has been a sharp rise in emails, text messages and phone calls using NHS branding to harvest personal information from victims. These attacks have used fake messages from NHS Track and Trace, testing appointments, vaccination appointments and the Covid Pass app to trick victims. A Freedom of Information request submitted by the BBC revealed that 1,168 cases of vaccine-related phishing attacks were reported to the police between December 2020 and June 2021.
Recently Wolfberry received a common phishing email which we will break down below. This scam had the usual goal of credential theft, beginning with an email from a supposed customer. Beginning with ‘Dear Supplier’ the objective of the email was to trick a user into clicking onto an attachment that the author claimed to be contact information for the Accounts Payable team. In reality, the ‘document’ was a HTM attachment designed to bypass deceptive content filtering and would take the user to a spoofed Outlook page. We can infer that the overall aim of this scam is to collect Outlook credentials from users to access sensitive company data. This is a typical phishing technique, where malicious actors set up fake websites which contain forms intended to steal credentials, payment details or personal information. Out of interest, Wolfberry followed the scam to understand how the malicious actor had constructed it. Some mistakes had been made that Wolfberry was able to unpick. Due to the malicious actor’s carelessness or poor execution, Wolfberry was able to analyse the folder that stolen data was being stored in and access all the data that had been stolen from previous victims.
Above is in the initial email we received. To an aware user, the usual red flags are there. It’s from an individual whose name we are not familiar with, the language used is vague and impersonal, the attached ‘document’ is a HTM file rather than a word document or pdf, and the file name is gibberish. The author of the email makes a half-hearted attempt to create trust by suggesting that they have transferred Wolfberry money, in comparison to more obvious scams that request an ‘over-due payment’ or payment information. The email is partially successful in creating a sense of intrigue by only providing vague information about the payment, and then suggesting that the victims click onto the attachment to find further information. Although this is an obvious phishing email to the trained eye, it is understandable how an unaware user or busy member of staff who is preoccupied with other tasks may be tricked into opening the attachment.
Clicking on the ‘attached document’ takes the victim to a spoofed Outlook login portal. Essentially, a webpage had been squeezed into an HTM file. This had been designed to bypass deceptive content filtering. This is shown in the image above – which has been sanitised. As displayed above, the victim’s email has been pre-filled (phish@example.com). This is a manipulation technique. Pre-filling the email address will lead users to assume that they must have logged into this portal before and therefore it must be a trustworthy website. Once the user logs into the spoofed portal, the login credentials are sent to the malicious actor. The victim's account has been compromised. They are now able to access the victim's Outlook account and all the data that the account contains. This could be documents belonging to the victim's organisation, PII and sensitive data or contact details for other members of the organisation. If the victim reuses their password elsewhere for office-based applications, personal accounts or online banking, the malicious actor is now able to reuse the login credentials they have stolen to gain access.
Once the victim has handed their credentials to the malicious actor, they are sent a fake invoice. This is sent as a pdf and is hosted on a compromised domain. By sending the further details promised in the original email, the malicious actor manipulates the victim into believing that they have successfully logged into the real Outlook portal and that they have not been scammed in any way. As the victim is unaware their credentials have been stolen, they do not report the compromised account or change their login credentials. This means that other members of the organisation would not be warned of the attack and measures to control the breach would not be taken quickly enough.
Due to some mistakes that the malicious actor had made, Wolfberry was able to have a look around other files within the same folder. We identified a file containing sensitive data belonging to previous victims of the same attack. This has obviously been a successful phishing campaign for the malicious actor. The file contained users’ ID’s, passwords, domain names and IP address belonging to a long list of previous victims. The snippet of the file below shows that this attack had been globally successful, with stolen credentials from victims based in Ireland, Belgium, the United Kingdom, the United States and Canada.
User ID : [REDACTED]
Password : PerthAustralia0601
Domain : [REDACTED]
IP : 87.198.XXX.XXX
Country : Ireland
Date : 09-06-2021
-----------------++-----------------
-----------------++-----------------
User ID : [REDACTED]
Password : Maan1947@
Domain : [REDACTED]
IP : 217.136.XXX.XXX
Country : Belgium
Date : 09-06-2021
-----------------++-----------------
-----------------++-----------------
User ID : [REDACTED]
Password : kkk
Domain : [REDACTED]
IP : 185.244.XXX.XXX
Country : United Kingdom
Date : 09-06-2021
-----------------++-----------------
-----------------++-----------------
User ID : [REDACTED]
Password : Shamoo22
Domain : [REDACTED]
IP : 50.235.XXX.XXX
Country : United States
Date : 09-06-2021
-----------------++-----------------
-----------------++-----------------
User ID : [REDACTED]
Password : Siddjune21
Domain : [REDACTED]
IP : 209.225.XXX.XXX
Country : Canada
Date : 09-06-2021
-----------------++-----------------
-----------------++-----------------
User ID : [REDACTED]
Password : warrensinclair
Domain : [REDACTED]
IP : 184.70.XXX.XXX
Country : Canada
Date : 09-06-2021
-----------------++-----------------
-----------------++-----------------
User ID : [REDACTED]
Password : Bezhan1987$$
Domain : [REDACTED]
IP : 165.225.XXX.XXX
Country : United States
Date : 09-06-2021
-----------------++-----------------
-----------------++-----------------
User ID : [REDACTED]
Password : Staffing1962
Domain : [REDACTED]
IP : 96.27.XXX.XXX
Country : United States
Date : 09-06-2021
-----------------++-----------------
-----------------++-----------------
User ID : [REDACTED]
Password : staffing1962
Domain : [REDACTED]
IP : 96.27.XXX.XXX
Country : United States
Date : 09-06-2021
-----------------++-----------------
The breakdown of the phishing attack above showcases how easy it is for malicious actors to gather a large number of credentials which they can use to breach organisations and gain access to sensitive information. Although we spotted the email as soon as it arrived, the amount of credentials Wolfberry found in the file highlights how successful this attack had been elsewhere. It only takes one user to enter their credentials to compromise an entire network.
The best way to protect your organisation from phishing attacks is to increase user awareness and create a culture of cyber security throughout your workforce. Training users to spot the common red flags of a phishing attack and significantly decrease the chance of your network being breach. Phishing simulations are hugely beneficial as they not only teach your workforce how to spot a phishing email but also how to effectively report an attack. Simulations can also be used to train users on what to do in the unfortunate event that they do click a link so that the people in charge of cyber security in your organisation can manage the breach and mitigate the impact. Users should have clear instructions on who to report a potential attack or breach to, and contact details for that person should be distributed throughout your organisation.
Breaches and data leaks that result from falling for phishing attacks can be detrimental to businesses. The UK GDPR sets a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greatest – for infringements. Phishing attacks capitalise on manipulation and human error, meaning unaware users can be the biggest weakness in your cyber security strategy. Training your workforce could turn your weakness into a valuable added layer of protection.