Financial Phishing Scams – Driving Bitcoin Ransoms through Fear

December is an active month for cybercriminals: the surge in holiday shopping, end-of-year budgets and contracts, preparations for tax season, end-of-year surveys, and the generally frenetic pace create a ripe environment for phishing scams. It is typical at this time of year to see a rise in phishing attempts that rely on old standby techniques such as DHL or FedEx impersonations or fake invoices sent to accounting departments.

Last week, however, came with a twist – a number of high-profile ransom-driven phishing scams that prey on fear.

In a typical phishing scam, you can usually find three key characteristics: a trusted sender or brand, urgent language, and some kind of required response.

In these bitcoin-driven scams, attackers substitute fear for the trusted-sender component. Last week saw a dramatic rise in bomb threats demanding bitcoin payment (which so far appear to be hoaxes or scams rather than genuine threats), and since this past summer there has been a burst of sextortion scams.

Ultimately, the pattern is the same – threaten personal damage (physical or otherwise) unless the recipient transfers a certain amount of bitcoin to one of several circulating accounts. These scams often include some level of personalization to give the threat greater credibility.

In the business world, this same pattern can be found in other financially motivated phishing attacks: The target is sent a plain text, often personalized, email with no links or attachments that requests a wire transfer due to a late invoice payment, or W2 information for a former employee. Such requests are rarely legitimate but have enough details to encourage action.

From an email security perspective, such emails either completely bypass traditional email security tools, because they are “payload-free” with no attachments or associated links, or they are quarantined, which is problematic when they are legitimate. This binary approach to email security (every message is either good or bad) belies the reality of today’s threat landscape, which exploits the dangerous gray area of everyday communication. The challenge, of course, is that some proportion of legitimate email follows this same pattern, so the good/bad approach results in either exposure for the company or delayed business operations due to blocked or quarantined emails.

Security teams should use the current ransom scams as an impetus to reconsider how such emails should be handled not just from a technology perspective, but also from a business process and user education mindset. For example – what’s the process for authorizing wire transfers or transmitting confidential information? How should physical security threats be handled and to whom should they be reported? How is that information being communicated and reinforced to employees?

Once such decisions are made, technology can not only detect the threats but also be a powerful enabler and reinforcement for that process. For many of GreatHorn’s customers, for example, such emails come with a warning banner that reminds the recipient of the established business process and whether the email deserves extra scrutiny.
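As an added illustration of the banner-instead-of-quarantine approach described above (example code written for this page, not GreatHorn’s product or its detection logic), the following heuristic scorer looks only at payload-free mail, tags wire-transfer, W2 and ransom-style requests, and returns the process reminder a gateway could prepend to the message. The rules, weights, banner wording and sample messages are all constructed assumptions.

```python
import re

# Hypothetical process reminders; a real deployment would take these from the
# organisation's own wire, HR and incident-reporting policies.
BANNERS = {
    "wire_transfer": "Wire transfers need verbal confirmation with the requester on a known number.",
    "w2_request": "W2 and payroll data are released only through the HR process, never by reply.",
    "ransom": "Payment demand with a threat: do not reply or pay; report it to security now.",
}
# Keyword rules for the three payload-free patterns the post describes.
RULES = {
    "wire_transfer": re.compile(r"\b(wire|transfer|payment|invoice)\b", re.I),
    "w2_request": re.compile(r"\bW-?2s?\b", re.I),
    "ransom": re.compile(r"\b(bomb|detonat\w*|explosive|video of you|your webcam)\b", re.I),
}
URGENCY = re.compile(r"\b(urgent|today|asap|immediately|before 5\s?pm|right away)\b", re.I)
SECRECY = re.compile(r"\b(keep this (between us|confidential)|don't tell)\b", re.I)
# Legacy (1.../3...) and bech32 (bc1...) bitcoin address shapes.
BTC_ADDR = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,60})\b")

def assess(msg):
    """Return (category, score, banner) for a parsed message; payload-free mail only."""
    if msg["has_attachment"] or msg["has_link"]:
        return None, 0, None  # mail carrying a payload is left to the usual scanners
    text = f"{msg['subject']}\n{msg['body']}"
    score, category = 0, None
    for name, pattern in RULES.items():
        if pattern.search(text):
            score += 2
            category = category or name
    if BTC_ADDR.search(text):  # a payment address beside threat wording is the ransom pattern
        category, score = "ransom", score + 3
    score += bool(URGENCY.search(text)) + bool(SECRECY.search(text))
    if category is None or score < 3:
        return None, score, None  # below threshold: deliver untouched, no banner
    return category, score, BANNERS[category]

# Constructed sample messages, not real campaign data.
SAMPLES = [
    {"subject": "Urgent wire before 5pm", "has_attachment": False, "has_link": False,
     "body": "Are you at your desk? I need a wire sent to a new vendor today. Keep this between us."},
    {"subject": "W2 copies", "has_attachment": False, "has_link": False,
     "body": "Please send me the W2 forms for everyone who left in 2017 today."},
    {"subject": "There is a bomb in your building", "has_attachment": False, "has_link": False,
     "body": "Transfer 2 bitcoin to 1ConstructedBtcAddrForTestingXyz123 or it will be detonated."},
    {"subject": "Lunch Friday?", "has_attachment": False, "has_link": False,
     "body": "Want to grab lunch on Friday at noon?"},
]
```

Tuning the weights and threshold against the organisation’s own mail is the real work; the point is that a scored, banner-bearing delivery replaces the good/bad decision for this class of message.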

In 2019, we’ll be writing more about the Email Security Lifecycle – and GreatHorn’s unique ability to support all aspects of an organization’s comprehensive email security strategy. Stay tuned!

Anatomy of a Phishing Attack: Rising Tide of Service Impersonation Spoofs

As a member of GreatHorn’s Customer Success team, I have daily insight into threat patterns as they emerge across our customer base. While we always see a variety of threats (and some more than others), occasionally we see volumetric phishing patterns that result in temporary spikes in one particular type of threat.

Over the past several weeks, we’ve seen a huge spike in service impersonation attacks. In this blog, I’ll explain what these are, how they work, what to look for, and what you can do to prevent them.


Breaking: New phishing campaign targets Office 365 customers, masquerades as missed voicemail

This morning, on October 17th, GreatHorn’s threat response team identified an active, widespread phishing campaign using a range of impersonation techniques to deliver a “voicemail” alert to customers, linking to what appears to be a Verizon-branded PDF, hosted in either SharePoint or on free PDF hosting sites, containing links to credential theft attacks. Currently, the attack appears to be primarily hitting Office 365 customers, targeting multiple users within an organization, and has been found present across multiple industries and organization sizes, using different combinations of sender and subject lines.

Although we currently have only identified it in O365 environments, there is nothing to prevent this scheme from propagating to G Suite and other environments.

The GreatHorn security team is currently monitoring this attack and providing automated support to clients.

Currently, here is what we know about this attack:

  • The initial point of infection is a phishing email from the senders “[email protected]” and “[email protected]”. The email takes a number of different forms, including the example on the right, and includes a link to a PDF that is currently being hosted on multiple compromised SharePoint file hosting sites, as well as on free PDF hosting websites such as
  • The destination of the supposed voicemail link is a PDF, branded as a Verizon document, containing a second step URL that leads to a credential theft site designed to look like an Office 365 login:

PDF with Verizon-branded message linked to credential theft website

Credential Theft: Fake Office 365 login page

Our specific recommendations:

We are continuing to monitor for evidence of this attack, and will provide additional information and remediation support as our investigation continues.

As of October 17 at 11:51am EDT, neither the documents, the URLs where they’re hosted, nor the credential theft links themselves are being flagged by threat intelligence blacklists. While threat intelligence is an important part of any email security strategy, it is often ineffective at protecting against zero-day threats and phishing attacks.

If you have any questions or concerns, please feel free to contact the GreatHorn team at [email protected].

LIVE WEBINAR   |   NOV 1   |   2 PM ET / 11 AM PT

The Evolution of Phishing & How We Fight Against It

Join our November 1st webinar at 2pm ET, where dmarcian CEO Tim Draegen, the primary author and advocate of the DMARC standard, and GreatHorn CEO Kevin O’Brien will discuss how phishing tactics have evolved over the years and how email security approaches have had to change to keep up.

Register now!

By the Numbers: Understanding the Phishing Threat

[Infographic: 2018 email security benchmark]

Today, after 4 decades in existence, and more than 25 years’ worth of consistent, daily use, email remains the most reliable, ubiquitous, and constant communication platform for both personal and professional interaction. As users, we may grumble about its ubiquity or its misuse, but we have an inherent trust in email bred from familiarity and functionality.

So it’s of little surprise that email has also become the single largest platform for Internet crime, at least as reported by the FBI in its annual Internet Crime Report. Business email compromise alone represents 48% of the reported $1.4B financial losses from Internet crime in 2017. That’s 10x more than the reported losses from identity theft, and 3x more than the second most lucrative Internet crime technique (confidence fraud / romance).

Defined by the FBI as “sophisticated scams [that] are carried out by fraudsters compromising email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfer of funds,” business email compromise is just one of many email-based threats facing organizations today.

So why are such scams so successful? In June, GreatHorn conducted a survey of 300 business professionals, most of whom were involved in email security in some way, to understand the current state of email security. We benchmarked threat frequency, prevalence, types, defenses, and remediation requirements to see what kind of patterns we could find.

As you see in this infographic, we found a number of clues that pointed to the root cause behind the success of social engineering scams such as business email compromise and other spear phishing techniques.

For example, we learned that the “average” user either doesn’t recognize email threats for what they are or dismisses them under the rather innocuous heading of “spam.” We know this because two-thirds (66%) of average users could not recall seeing any of the following email threats in their inboxes:

  • Executive or internal impersonations
  • External impersonations (e.g. customers, vendors, partners)
  • Wire transfer requests
  • W2 requests
  • Payload / malware attacks
  • Business services spoofing (e.g. ADP, Docusign, UPS)
  • Credential theft

And yet when asked the same question (explicitly about what reaches inboxes, not a quarantine folder), 85% of respondents that had some involvement in email security indicated that one or more of those threats was hitting inboxes.

That discrepancy demonstrates a dangerous perception gap within organizations – the exact perception gap that criminals exploit. We’ve moved beyond the easy-to-spot Nigerian prince schemes of yesteryear. Sure, there are still mass phishing attacks that are easy to spot, but such attacks in some ways increase the danger precisely because they are so easy to see. The user quickly identifies them as a danger, dismisses them as obvious, and pats themselves on the back for being perceptive enough to see them.

That self-congratulatory complacency may lead to an inability to recognize the real threats – the highly targeted, sophisticated, and well-planned attacks that use social engineering and research to replicate, impersonate, and redirect “real” communication. Our research indicates that most existing email security solutions are failing to catch impersonations (nearly half of our respondents, 46%, report impersonations, including 64% of email security professionals). Such emails often come without obvious triggers such as an attachment or even a link – they use urgency (5pm on a Friday), conciseness (typically just a couple of sentences), seniority (often impersonating a superior), and fear to drive the desired outcome. That’s why it makes sense that impersonations are the email threat that email security pros worry most about.

More concerning, our study indicates that 1 in 5 organizations has to take some kind of significant remediation action (e.g. suspending compromised accounts, running PowerShell scripts, resetting compromised third-party accounts, etc.) on a weekly basis as a result of email threats that bypassed their security defenses. And on average, our panel deployed approximately three separate security tools to protect their environment from email threats.

Given the remediation requirements, it’s no wonder that 56% reported major technical issues with their email security solution today, including:

  • “Doesn’t stop internal threats (e.g. if a user account is compromised)” – 35%
  • “Missing payload attacks” – 16%
  • “Missing payload-free attacks (e.g. impersonations, social engineering)” – 20%
  • “Weak or no remediation capabilities” – 19%
  • “Negative impact on business operations (e.g. too many false positives)” – 21%

We’ll dive more into the challenges with today’s common email security platforms and our results in upcoming blogs. In the meantime, however, we’d love to hear what you think. What do these numbers mean to you?

Want to download the full report? You can do so here.

Email Security Benchmark: First Take

Today we released a benchmark report analyzing email security trends based on data from nearly 300 respondents. We wanted to understand what organizations were facing in terms of threat prevalence, frequency, and severity. We asked questions about the effectiveness of existing security solutions and the importance of email security within the wider landscape of security initiatives.

We had some hypotheses going into it of course, but ultimately, we wanted to learn and let the data speak for itself. That’s why in the report itself, we presented the factual data without much commentary to allow you to draw your own conclusions, but naturally we have our own theories as to what the data indicates.

Take, for example, the discrepancy in the frequency and types of threats that email security professionals report versus what laypeople report. It would be easy to assign that discrepancy to the tired trope about users being “the problem” – that they just aren’t smart enough or careful enough to notice the threats.

But in fact what’s far more likely is that for many users, all unwanted mail is characterized as “spam.” They see the threats, recognize them as attacks, and dismiss them immediately by simply deleting them. This behavior may feel like safe behavior to the user because they’ve recognized and neutralized a potential threat quickly, but in fact, by not reporting such threats, they’re perpetuating the problem. A recent Verizon report indicates that just 17% of all phishing attempts are reported, and – of greater concern – one in 25 recipients will interact with any given phishing attack.

Over the coming weeks, we’ll explore different aspects of our report. Tell us what you think the report indicates – and stay tuned for more analysis!