BEC attack identified; mimics Doodle poll to “reschedule” board meeting

On January 31st, GreatHorn’s threat response team identified a widespread business email compromise campaign targeting senior executives. The message poses as a Doodle poll needed to reschedule an upcoming board meeting, and its link leads directly to a well-constructed Office 365 credential theft site.

Purporting to be from the CEO of an organization, the phishing attack claims that a planned board meeting needs to be rescheduled and requests participation in a poll to identify a new date.

The attack appears to be hitting multiple senior executives (e.g. CEOs, CFOs, CTOs, SVPs) within an organization and has been observed across multiple industries and organization sizes. In every case the message is a direct spoof (i.e. the “from” email address is the same as the “to” email address), carries the display name “Meetings,” and has a subject line and body personalized to the targeted company.

Importantly, on a mobile device the native Outlook client replaces the display name with “Note to self,” because the sender and recipient addresses match and Outlook treats the message as self-sent. This further disguises the attack and makes a recipient even more likely to interact with it. While some of these messages were sent to Microsoft’s “Junk” folder, they remained accessible to end users, leaving them vulnerable to the attack. As of 3:20pm, the destination site remained up and was not flagged by browsers as a malicious site.

The attack was found (and eliminated) in 14% of GreatHorn’s customer base. In addition to blacklisting the domain, GreatHorn correctly identifies the destination as suspicious in its Link Protection module.

The GreatHorn security team is currently monitoring this attack and providing automated support to clients.

Currently, here is what we know about this attack:

  • The initial vector is a phishing email sent to senior executives with a display name of “Meetings” and the recipient’s own address as the from address.
  • The subject line is consistently New message: [Company Name] February in-person Board Mtg scheduling (2/24/19 update)
  • The email appears to be a Doodle poll but actually links to an Office 365 credential theft site, with a primary domain ending in web.core.windows.net (the Azure Storage static website hosting endpoint)
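The indicators listed above can be turned into a simple triage check. The following is an added example, not GreatHorn’s code: it parses a raw message with Python’s standard email module and reports which of the campaign’s traits are present (self-spoofed sender, “Meetings” display name, the board-meeting subject, and a link hosted under web.core.windows.net). The two sample messages, their addresses and the link host are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages modelled on the indicators in the advisory.
# Addresses, company name and link host are invented for this example.
SAMPLE_PHISH = """\
From: Meetings <ceo@example.com>
To: ceo@example.com
Subject: New message: Example Corp February in-person Board Mtg scheduling (2/24/19 update)
Content-Type: text/html

<html><body><p>Please vote on the new date:</p>
<a href="https://exampleboardpoll.z13.web.core.windows.net/doodle/index.html">Open poll</a>
</body></html>
"""

SAMPLE_BENIGN = """\
From: Jane Doe <jane@example.com>
To: ceo@example.com
Subject: Lunch on Thursday?
Content-Type: text/html

<html><body><a href="https://www.example.com/menu">Menu</a></body></html>
"""

# Static-site hosting suffix used by this campaign (assumption: extend as needed)
SUSPECT_LINK_SUFFIXES = (".web.core.windows.net",)
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)


def extract_links(msg):
    """Return every href target found in the text/html parts of a parsed message."""
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            links.extend(HREF_RE.findall(payload.decode("utf-8", "replace")))
    return links


def board_poll_indicators(raw_message):
    """Return the list of campaign indicators present in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    hits = []

    # Direct spoof: the From address is the recipient's own address.
    if from_addr and from_addr.lower() == to_addr.lower():
        hits.append("self_spoof")

    if display_name.strip().lower() == "meetings":
        hits.append("display_name_meetings")

    if re.search(r"board mtg scheduling", msg.get("Subject", ""), re.I):
        hits.append("subject_board_mtg")

    # Any link whose host sits under the static-site hosting suffix.
    for link in extract_links(msg):
        host = (urlparse(link).hostname or "").lower()
        if host.endswith(SUSPECT_LINK_SUFFIXES):
            hits.append("link_static_site_host")
            break
    return hits


if __name__ == "__main__":
    print(board_poll_indicators(SAMPLE_PHISH))
    print(board_poll_indicators(SAMPLE_BENIGN))
```

The self-spoof check is the one worth keeping beyond this campaign: a message whose From address equals the recipient's own address but arrives from outside the tenant should be rare in legitimate traffic, and it is exactly the pattern that produces Outlook's “Note to self” rendering.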

GreatHorn Security Response:

  • All attack emails within GreatHorn’s customer base have been removed from customer inboxes.
  • All customers of GreatHorn Email Security can rest assured that this destination has been added to GreatHorn’s blacklist, ensuring that all future emails linking to it will be blocked.

We are continuing to monitor for evidence of this campaign and will provide additional information and remediation support as our investigation continues.

If you have any questions or concerns, please feel free to contact the GreatHorn team at [email protected].

Malicious URLs: How Protected Are You?

Few angles make for a better email-borne attack than the impersonation of a trusted service. Organizations such as Microsoft, Google, Bank of America, Citigroup, DocuSign, Dropbox, FedEx, UPS, and countless others are brands recognized throughout the world that host or access trusted financial data, personally identifiable information, confidential data, and other exploitable content desired by criminals.

Better yet for attackers, these organizations frequently send a variety of notifications: updated terms of service, account changes and alerts, new documents being shared, etc. Recipients don’t just trust these brands, they’ve been conditioned to expect email notifications from these companies. As a result, they often interact with emails from trusted brands without giving as much thought to it as they might take with an email from a stranger. This provides a ripe environment for attackers to exploit.

These types of emails may be after any number of different pieces of information (names, addresses, social security numbers, account numbers, routing numbers), but what is commonplace at nearly every organization is the credential theft attempt delivered by way of a fake notification email like those described above. Attackers have realized the value of these credentials. With password reuse as rampant as it is, one password can be the key to everything from a corporate account to a personal email account to a bank account, and even without reuse, an email account is the most common means of resetting the passwords of every other account a person uses.

There are a number of ways to detect and prevent these types of attacks, but detection and prevention based specifically on analysis of URLs (and, to a lesser extent, attachments) has been viewed as a central component of email security technologies for some time now. This approach is not nearly as infallible as many would be led to believe. When the system gets it right, everyone sleeps soundly, but a number of these payloads still reach end users precisely because of the shortcomings of the specific analytical approach taken, and end users are then left to their own devices to figure out which URLs are safe and which are not.

Over time, attackers have become craftier and craftier in their approach to these emails meaning the payloads getting through are more and more pernicious. Regardless of who or what business service might be spoofed by an attacker, destination URLs are often “hidden” behind hyperlinked text (e.g. “Click here”), made to look like a common file share URL, or are even legitimate file sharing URLs. Because of this, they can be difficult to spot and identify as unsafe. Coupled with users’ inherent level of trust with these respected brands (or members of their organization) and the sense of urgency an attacker creates (Data will be deleted in the next 24 hours if you do not take action!), users often feel compelled to do exactly as the URL advises: they click.

Many existing email security solutions are heavily reliant on threat intelligence feeds to identify these URLs as malicious at the time of delivery. While undeniably useful, threat intelligence has its shortcomings. It goes without saying that someone needs to be the first (or possibly second, third, fourth, fifth…) victim before the URL can be classified as malicious and that intelligence can be disseminated. Other solutions stop short of analyzing the full URL and instead focus only on the root domain. The idea is that, given the vendor’s available dataset coupled with threat intelligence and other data feeds, malicious URLs are bound to be spotted simply because they are anomalous. This ignores the fact that web certificates expire, that attackers can hijack otherwise innocuous websites by other means, and that they can use URL shorteners, redirects, and a host of other tricks that obscure the true intent of the destination page.

GreatHorn recently identified a fairly compelling example of a business services impersonation email in one of our client environments that would have almost certainly bypassed many of these existing methods of detection. The message appeared to be from business service provider LogMeIn, which makes a suite of popular access and communications products, including GoToMeeting and LastPass among others. As anyone familiar with LogMeIn can see here – save for the font – the notification was exceptionally close in appearance to a real LogMeIn notification email. There was a link in the message purportedly leading the user to a LogMeIn account login page where “6 months of free subscription” awaited him.

In this instance, the attacker utilized a domain for the URL (logme-in.com) similar enough to LogMeIn’s actual domain (logmein.com) that it would likely pass as legitimate to an end user’s eye test. At the time of attack, the URL in this email was not showing up on dozens of threat intelligence feeds and the root domain of the URL redirected to a Google search page showing results for a LogMeIn-related search. With threat intelligence coming up blank, if a solution were to check the root domain, it would ultimately find a legitimate Google webpage.
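The lookalike domain in this example can be caught from the link itself, before any threat intelligence lookup or fetch of the root domain. The following is an added example, not GreatHorn’s Link Protection code: it extracts the registrable domain from a URL and compares it against a small list of protected brand domains, flagging hyphen-insertion variants and any domain within a short edit distance. The brand list, thresholds and sample URLs are assumptions for the example.

```python
from urllib.parse import urlparse

# Brand domains to protect (assumption: a real deployment would use a
# much larger list, ideally including the organisation's own domains).
BRAND_DOMAINS = {"logmein.com", "microsoft.com", "docusign.com", "dropbox.com"}


def registrable_domain(url):
    """Return the last two labels of the URL's host (e.g. 'logme-in.com').

    Note: this naive split mishandles multi-label suffixes such as co.uk;
    use a public-suffix list in production.
    """
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _strip_separators(domain):
    # logme-in.com and log_me_in.com both collapse to logmein.com
    return domain.replace("-", "").replace("_", "")


def lookalike_of(url, brands=BRAND_DOMAINS, max_distance=2):
    """Return the brand domain that `url` imitates, or None.

    An exact match with a brand domain is legitimate and returns None;
    a near miss (separator insertion or small edit distance) is flagged.
    """
    domain = registrable_domain(url)
    if domain in brands:
        return None
    for brand in brands:
        if _strip_separators(domain) == brand:
            return brand
        if levenshtein(domain, brand) <= max_distance:
            return brand
    return None


if __name__ == "__main__":
    for u in ("https://logme-in.com/account/login",
              "https://www.logmein.com/login",
              "https://www.google.com/search?q=logmein",
              "http://micros0ft.com/verify"):
        print(u, "->", lookalike_of(u))
```

Because the check operates on the hostname in the link, it is unaffected by where the root domain happens to redirect at scan time; the attacker's Google redirect in the example above would not help them here. Edit-distance thresholds need tuning against a brand list, since very short brand names produce false positives at a distance of 2.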

As is shown in this example, the term “detecting malicious URLs” can be misleading. This particular email, at least in regard to the URL, could easily have bypassed any number of security solutions if they used one of the above approaches. With attackers getting more savvy, it’s important for security teams to ensure that their link protection options are robust enough to protect them from attacks.

We recently announced GreatHorn Link Protection – a new turnkey module that’s available as a core component of our email security platform. In addition to all the proprietary threat detection techniques we use that would flag a message such as this as a concern, GreatHorn Link Protection provides multiple levels of protection regardless of the URL’s presence on our threat intelligence feeds.

Stay tuned for more blogs on GreatHorn Link Protection, but in the meantime, you can learn more about GreatHorn’s Malicious URL capabilities here. Also consider checking out our recent blog on the recent rise in business service impersonations to learn more about real-world credential theft attempts.

Anatomy of a Phishing Attack: Rising Tide of Service Impersonation Spoofs

As a member of GreatHorn’s Customer Success team, I have daily insight into threat patterns as they emerge across our customer base. While we always see a variety of threats (and some more than others), occasionally we see volumetric phishing patterns that result in temporary spikes in one particular type of threat.

Over the past several weeks, we’ve seen a huge spike in service impersonation attacks. In this blog, I’ll explain what these are, how they work, what to look for, and what you can do to prevent them.


Breaking: New phishing campaign targets Office 365 customers, masquerades as missed voicemail

This morning, on October 17th, GreatHorn’s threat response team identified an active, widespread phishing campaign using a range of impersonation techniques to deliver a “voicemail” alert to customers. The alert links to what appears to be a Verizon-branded PDF, hosted either in SharePoint or on free PDF hosting sites, which in turn contains links to credential theft sites. Currently, the attack appears to be primarily hitting Office 365 customers, targeting multiple users within an organization, and has been observed across multiple industries and organization sizes, using different combinations of sender and subject lines.

Although we currently have only identified it in O365 environments, there is nothing to prevent this scheme from propagating to G Suite and other environments.

The GreatHorn security team is currently monitoring this attack and providing automated support to clients.

Currently, here is what we know about this attack:

  • The initial vector is a phishing email from senders “[email protected]” and “[email protected]”. The email takes a number of different forms, including the example on the right, and includes a link to a PDF that is currently being hosted on multiple compromised SharePoint file hosting sites, as well as on free PDF hosting websites such as freepdfhosting.com.
  • The destination of the supposed voicemail link is a PDF, branded as a Verizon document, containing a second-step URL that leads to a credential theft site designed to look like an Office 365 login:

PDF with Verizon-branded message linked to credential theft website

Credential Theft: Fake Office 365 login page
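Because the credential theft link sits inside the PDF rather than in the email, link scanning has to reach into the document. The following is an added example, not GreatHorn’s code: it pulls /URI link targets out of raw PDF bytes with a regular expression and reports any that do not belong to the brand the document claims to be from. The minimal PDF, its link target and the brand list are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Minimal constructed PDF with one Link annotation. The URI is invented for
# this example and does not correspond to any real campaign infrastructure.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://voicemail-o365-login.example.net/verify?u=a) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Matches /URI (literal string), allowing backslash-escaped characters inside.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def _unescape(literal):
    # Undo the PDF literal-string escapes that matter for URLs.
    return (literal.replace(b"\\(", b"(")
                   .replace(b"\\)", b")")
                   .replace(b"\\\\", b"\\")).decode("latin-1")


def extract_pdf_uris(pdf_bytes):
    """Return every /URI target found in uncompressed PDF objects."""
    return [_unescape(m) for m in URI_RE.findall(pdf_bytes)]


def off_brand_links(uris, brand_domains):
    """Return links whose host is not the expected brand or a subdomain of it."""
    flagged = []
    for uri in uris:
        host = (urlparse(uri).hostname or "").lower()
        if not any(host == b or host.endswith("." + b) for b in brand_domains):
            flagged.append(uri)
    return flagged


if __name__ == "__main__":
    # The document is branded as Verizon, so anything not under verizon.com is suspect.
    links = extract_pdf_uris(SAMPLE_PDF)
    print(links)
    print(off_brand_links(links, {"verizon.com"}))
```

The regular expression only sees link annotations stored in plain text; when a PDF puts its annotations inside compressed object streams, decompress first (a dedicated PDF parser such as pypdf or Didier Stevens’ pdf-parser can do this) and then apply the same check to the decoded objects.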

Our specific recommendations:

We are continuing to monitor for evidence of this attack, and will provide additional information and remediation support as our investigation continues.

As of October 17 at 11:51am EDT, neither the documents, the URLs where they’re hosted, nor the credential theft links themselves are being flagged by threat intelligence blacklists. While threat intelligence is an important part of any email security strategy, it is often ineffective at protecting against zero-day threats and phishing attacks.

If you have any questions or concerns, please feel free to contact the GreatHorn team at [email protected].

LIVE WEBINAR   |   NOV 1   |   2 PM ET / 11 AM PT

The Evolution of Phishing & How We Fight Against It

Join our November 1st webinar at 2pm ET, where dmarcian CEO Tim Draegen, the primary author and advocate of the DMARC standard, and GreatHorn CEO Kevin O’Brien will discuss how phishing tactics have evolved over the years and how email security approaches have had to change to keep up.

Register now!

By the Numbers: Understanding the Phishing Threat

Infographic of 2018 email security benchmark

Today, after 4 decades in existence, and more than 25 years’ worth of consistent, daily use, email remains the most reliable, ubiquitous, and constant communication platform for both personal and professional interaction. As users, we may grumble about its ubiquity or its misuse, but we have an inherent trust in email bred from familiarity and functionality.

So it’s of little surprise that email has also become the single largest platform for Internet Crime, at least as reported by the FBI in its annual Internet Crime Report. Business email compromise alone represents 48% of the reported $1.4B financial losses from Internet crime in 2017. That’s 10x more than the reported losses from identity theft, and 3x more than the second most lucrative Internet crime technique (confidence fraud / romance).

Defined by the FBI as “sophisticated scams [that] are carried out by fraudsters compromising email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfer of funds,” business email compromise is just one of many email-based threats facing organizations today.

So why are such scams so successful? In June, GreatHorn conducted a survey of 300 business professionals – most of whom were involved in email security in some way – to understand the current state of email security. We benchmarked threat frequency, prevalence, types, defenses, and remediation requirements to see what kind of patterns we could find.

As you see in this infographic, we found a number of clues that pointed to the root cause behind the success of social engineering scams such as business email compromise and other spear phishing techniques.

For example, we learned that the “average” user either doesn’t recognize email threats for what they are or dismisses them under the rather innocuous heading of “spam.” We know this because two-thirds (66%) of average users could not recall seeing any of the following email threats in their inboxes:

  • Executive or internal impersonations
  • External impersonations (e.g. customers, vendors, partners)
  • Wire transfer requests
  • W2 requests
  • Payload / malware attacks
  • Business services spoofing (e.g. ADP, Docusign, UPS)
  • Credential theft

And yet when asked the same question (explicitly about what reaches inboxes, not a quarantine folder), 85% of respondents that had some involvement in email security indicated that one or more of those threats was hitting inboxes.

That discrepancy demonstrates a dangerous perception gap within organizations – the exact perception gap that criminals exploit. We’ve moved beyond the easy-to-spot Nigerian prince schemes of yesteryear. Sure, there are still mass phishing attacks that are easy-to-spot, but such attacks in some ways increase the danger precisely because they are so easy to see. The user quickly identifies them as a danger, dismisses them as obvious, and pats themselves on the back for being perceptive enough to see them.

That self-congratulatory complacency may lead to an inability to recognize the real threats – the highly targeted, sophisticated, and well-planned attacks that use social engineering and research to replicate, impersonate, and redirect “real” communication. Our research indicates that most existing email security solutions are failing to catch impersonations (nearly half of our respondents – 46% – report impersonations, including 64% of email security professionals). Such emails often come without obvious triggers such as an attachment or even a link – they use urgency (5pm on a Friday), conciseness (typically just a couple of sentences), seniority (often impersonating a superior), and fear to drive the desired outcome. That’s why it makes sense that impersonations are the email threat that email security pros worry about most.

More concerning, our study indicates that 1 in 5 organizations have to take some kind of significant remediation action (e.g. suspending compromised accounts, running PowerShell scripts, resetting compromised third-party accounts, etc.) on a weekly basis as a result of email threats that bypassed their security defenses. And on average, our panel deployed approximately three separate security tools to protect their environment from email threats.

Given the remediation requirements, it’s no wonder, then, that 56% reported major technical issues with their email security solution today, including:

  • “Doesn’t stop internal threats (e.g. if a user account is compromised)” – 35%
  • “Missing payload attacks” – 16%
  • “Missing payload-free attacks (e.g. impersonations, social engineering)” – 20%
  • “Weak or no remediation capabilities” – 19%
  • “Negative impact on business operations (e.g. too many false positives)” – 21%

We’ll dive more into the challenges with today’s common email security platforms and our results in upcoming blogs. In the meantime, however, we’d love to hear what you think. What do these numbers mean to you?

Want to download the full report? You can do so here.