Business Service Spoofing: The New Spear Phishing Technique of Choice

Business Service Spoofing: The New Spear Phishing Technique of Choice

Over the past two weeks, we have seen multiple variations on impersonated DocuSign phishing campaigns. While GreatHorn Inbound Email Security clients have been fully protected in both circumstances, DocuSign has confirmed that both incidents were the result of a data breach by criminal hackers, resulting in the loss of client email addresses and names.

Coming within weeks of both a sophisticated impersonation of Google Drive, a worldwide ransomware attack that took down the NHS, and an increasing focus on cybersecurity globally, this attack is an example of a new kind of threat: business service spoofing, or BSS.


Worldwide Ransomware Attack Brings Down NHS, Telefonica

A major ransomware attack hit the UK’s National Health Service, Spain’s Telefonica mobile telephone network, and various smaller companies across 74 countries on May 12, 2017. One of the largest global cyberattacks to date, it relied upon a modified version of a known ransomware kit (Wanna Decrypt0r, also known as WannaCry or WCRY), and at its peak, spread at an estimated rate of 5 million infected emails per hour.

As of this writing (May 13, 2017), the attack has been neutralized for some systems, by way of a DNS sinkhole. The initial malware contained code that caused the attack to terminate if a specific website was online (likely part of the development process for the file), and the destination has now been sinkholed and redirected to a site that causes the infection to shut down instead of spreading. However, systems running behind a proxy are still susceptible to attack.

Creating a local DNS entry that redirects (the check URL used by the worm that spreads the malware) to a local IP is a critical step, should the sinkhole fail.

Interestingly, the malware used was described in NSA documents that were stolen and leaked in April of 2017, by a group known as the Shadow Brokers.

Infected Windows machines around the world were being used to propagate the attack. The initial infection vector was via a Word file, which deployed the WCRY malware; once opened, the ransomware encrypts a Windows machine’s files, and then uses a remote vulnerability through Windows’ network file share protocol (SMB) to distribute itself to other Windows machines on the same network.

What was critically different here was that due to the nature of the exploit, if even one machine were infected, it would automatically spread to all other vulnerable machines on the same network. This self-propagation is why the attack was so widespread, and while the Windows exploit which this attack uses was patched on March 14, 2017 (full details are here), many networks and companies had not yet patched their systems to prevent exploit.

Once infected, these machines’ desktop wallpaper was changed, and the malware would then display a message requiring BitCoin payment within a certain timeframe or else the encrypted data would supposedly be deleted:

wanna decryptor

Along with the warning message above, users were also presented with a readme file, explaining what they need to do in order to regain access to their files (namely, transfer $300 USD via BitCoin to the attackers):

The encryption routine in the malware targets the following file types, and adding an extension (.WCRY) to the end of each file’s name:


Why This Attack Was So Dangerous:

The most significant threat here was from unpatched machines with a recent vulnerability. While a patch existed at the time of infection, it was not universally deployed. Coupled with the auto-propagating nature of the attack, a large number of machines were compromised rapidly.

The primary attack vector for this attack is believed to have been a non-targeted phishing campaign. Increasingly, phishing scams combine malware distribution with advanced deception tactics, designed to trick users with a variety of social engineering techniques, including:

  • Display Name Spoofs, which use a valid email address (such as a newly registered account with Gmail, Yahoo, Outlook, or similar service) in combination with the Display Name, or “friendly” first and last name that most email clients display, to deceive a user into believing that they have received a message from a known contact.
  • Identifying Display Name spoofs manually requires that every email for every user be analyzed at the mail header level. Automated analytics (including GreatHorn’s Inbound Email Security platform) will highly any email from a Display Name / From: combination that may be a deception attack.

  • Lookalike / Cousin Domain Attacks, where the attacker combines fully registered and validated domains that are visually similar to a company’s own domain with the actual attack payload, in this case, the malware.

    Again, manually reviewing all of the mail headers can be helpful here, although training users to do so with every single email they receive can be difficult at best. Automated analytics can identify look-alike domains and automatically alert users to fraud attempts.

Mitigation and Response

  • Implement infection prevention within email systems, focused on identifying infected files (especially Word documents) and unusual senders, spoofs, and impersonation attempts. Rapidly changing malware can often circumvent legacy email gateway defenses, especially if the attack does not directly attach the infected file within the email itself, but instead delivers it via URL or link. Post-delivery protection is essential for both detection and response while endpoint and anti-malware tools catch up, and being able to rapidly identify and remove infected messages even if they get past the perimeter is critical to protecting against threats.
  • Patch all potentially vulnerable machines for MS17-010 (“ETERNALBLUE” and “DOUBLEPULSAR”). 
  • Remove outdated Windows NT, Windows 2000, Windows XP, and Windows Server 2000-2003 machines from production.
  • Disable SMB shares (especially on machines that cannot be removed) with the following command:
Set-ItemProperty -Path “HKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters” SMB1 -Type DWORD -Value 0 -Force.
  • Filter SMB (TCP/445), NetBIOS (TCP/139), and RDP (TCP/3389) traffic at the firewall level, ensuring that infected machines cannot spread the malware if present within your network.

What To Expect Next

This is the second time a major attack has propagated over email within the past two weeks, and it’s highly likely that the criminals behind these attacks are in the process of improving the sophistication of both their primary attack tools (the malware and ransomware they use) as well as their techniques and tactics.

More generally, this attack demonstrates the importance of not relying on security awareness training alone; as the scope and efficacy of this incident reveal, training (traditionally a compliance effort) cannot adequately modify the behavior of every user at every company in the world — and given the rapid spread of an attack that spreads in the way that WCRY does, it only takes a single compromised account to bring down millions of machines and organizations in minutes.

The Google Docs Phishing Attack

Google Docs Is Fine, Right?

Earlier today, a major and sophisticated attack was levied against email users.

Unlike many commonplace phishing attempts, this attack cleverly used an imposter application to compromise mailboxes and accounts, by way of Google’s own OAuth framework. It was not an imposter email, user, domain, or the like — it was a real application that happened to be written in such a way as to look like a Google Docs application.

This is perhaps one of the most sophisticated phishing attacks we have seen to date.

Malicious cloud applications are almost impossible for an ordinary user to detect; by clicking on the “Allow” button, users are giving that application permission to operate on their behalf, both reading and sending mail from their inboxes. No credentials are stolen or exchanged; multi-factor authentication is of no help here.

There is a robust write-up on Reddit with additional technical details, as well.

How To Respond

First and foremost, the obvious: don’t click.

If you’re already running GreatHorn Inbound Email Security, you are also fully protected:

  1. GreatHorn automatically created a policy for every GreatHorn account today that detected and quarantined all instances of this attack from the time of detection onwards; no user action or administrative work was required here.
  2. Additionally, GreatHorn automatically detected and either quarantined or deleted every copy of the attack message, post delivery.

Unlike a traditional email gateway, GreatHorn’s cloud-native capabilities provide unique remediation capabilities, and can reduce incident response from hours to seconds — and as with the policy, this required no user action or administrative effort.

What’s Next?

One of our core beliefs is that advanced threats will not be limited to the phishing techniques seen today. Attackers are capable of building sophisticated, multi-step, and nearly impossible-to-spot threats that traditional email-only security tools and gateways cannot block.

Not only can we expect to see threats over email that defy legacy security tools, but we also expect to see an increasing number of attacks over secondary messaging platforms. Deploying this type of attack over a chat platform (like Slack) would be as effective as doing so over email — and no email-only security tool could detect or stop it.

GreatHorn is designed to uniquely provide detection capabilities for these additional platforms, with response capabilities tailored to deal with the threats of third party applications that leverage OAuth-based permission attacks.

As today’s attack demonstrates, protecting against social engineering and phishing attacks requires automated, comprehensive, and post-delivery response capabilities. Built on a foundation of over half a billion analyzed messages and leveraging the first and only cloud-native response platform, both Inbound Email Security and Messaging Security are available today, and both offer free 7-day trials.

GreatHorn automatically detects and removes phishing attacks from your inbox. 

Begin a trial or to request more information about Inbound Email Security for G Suite.

Why Spoofed Domain Attacks Are Killing Companies

Why Spoofed Domain Attacks Are Killing Companies

SS&C Technologies just had a very, very bad day.

According to a court filing dated September 16, 2016, a member of their staff “facilitated an amateurish fraudulent wire transfer request scheme and disbursed almost $6 million in cash” from one of their limited partner’s accounts.

In other words, they fell for a so-called business email compromise attack — and as of this morning they were suspending operations in light of the legal action and tremendous financial loss that followed.

It’s just another of what seems like an unstoppable chain of attacks, but we wanted to peel back the covers a bit and look at why these kinds of attacks keep happening…and what you can do to protect your company.

Just Another Email

According to CSO Online, “over twenty-one days, SS&C processed six fraudulent transactions, draining the Tillage fund of $5.9 million.” The deception relied on a single factor: a look-alike domain, sent from, instead of – notice the extra ‘l’?

The emails themselves were short, asked directly for a wire, and most importantly were received and acted upon in violation of the firm’s policies and controls:


Despite being clients of a well-known email security provider (Barracuda Networks, according to their MX records), this kind of attack reached the inboxes of staff, and from there it was a classic case of social engineering: urgency (“confirm…that the wire will go out today”) coupled with a hard-to-spot domain name spoof.

Not Uncommon, But Not Unstoppable

Analyzing a representative sample of the GreatHorn Data Cloud for threat metrics, the stats are sobering: In the past 6 months alone, we’ve seen a return to form on attempted domain spoofs, which dropped off earlier this year in favor of a more basic form of spoofed “return path” emails:


This is troubling, as look-alike / spoofed domains tend to be highly targeted attacks that zero in on user’s ability to differentiate mail from trusted vendors, business partners, or even their colleagues from very visually similar source addresses.

Considering that for every one of those spoofs, there was a potential multi-million dollar wire transfer fraud attack, it’s easy to understand why so many organizations are falling victim to these types of attacks.

What Can You Do?

Relying on old-school technology – designed to catch generic malware and spam – to protect against these kinds of attacks won’t work. Attackers know how to bypass email gateways, and even when strong security tools are in place, a significant number of attacks will find their way into user mailboxes.

Once there, even regular security training (SS&C’s internal policy was that wires required four authorized approvals!) isn’t sufficient. Human psychology is a classic security vulnerability, and users fall victim to these types of attacks because criminals know how to manipulate their targets into doing things they should not.

Stopping business email compromise is only possible when your security is embedded inside of the business email flow. GreatHorn can be connected to a Google Apps or Office 365 domain in just minutes, and provides automated, comprehensive protection from name spoofing, domain look-alike, wire transfer fraud, and other forms of highly targeted attacks.

New Solution Helps Enterprises Guard Against Chat-based Phishing

Betanews writes about the release of GreatHorn’s Messaging Security solution:

Slack is the largest enterprise chat platform in the world with more than 2.7 million daily active users who spend an average of 140 minutes per day using it. Not surprising then that alert attackers see it as an opportunity to expand their social engineering campaigns. The fact than many people use Slack without the IT team’s knowledge creates a further security issue.

Cloud security specialist GreatHorn is announcing its Collaboration and Chat Security product which provides security operations, analytics, and reporting for Slack deployments, as well as expanding security controls for cloud systems like Google Apps and Office 365.

“Employees from almost every large enterprise are using collaborative chat software and it’s vitally important that the same foundational controls that we see put in place to safeguard other cloud communications platforms be extended to this new ecosystem,” says GreatHorn CEO and co-founder Kevin O’Brien. Read the full story at Betanews >>