Financial Phishing Scams – Driving Bitcoin Ransoms through Fear

December is an active month for cybercriminals: the uptick in holiday shopping, end-of-year budgets and contracts, preparations for tax season, end-of-year surveys, and the generally frenetic pace create a ripe environment for phishing scams. It is not unusual at this time of year to see an increase in phishing attempts that rely on old standbys such as DHL or FedEx impersonations or fake invoices sent to accounting departments.

Last week, however, came with a twist – a number of high-profile ransom-driven phishing scams that prey on fear.

In a typical phishing scam, you can usually find three key characteristics: a trusted sender or brand, urgent language, and some kind of required response.

In these bitcoin-driven scams, attackers substitute fear for the trusted-sender component. Last week saw a dramatic rise in bomb threats demanding bitcoin payment (which so far appear to be hoaxes rather than genuine threats), and since this past summer there has been a burst of sextortion scams.

Ultimately, the pattern is the same – threaten personal damage (physical or otherwise) unless the recipient transfers a certain amount of bitcoin to one of several circulating accounts. These scams often include some level of personalization to give the threat greater credibility.

In the business world, the same pattern appears in other financially motivated phishing attacks: the target receives a plain-text, often personalized, email with no links or attachments that requests a wire transfer for a late invoice, or W-2 information for a former employee. Such requests are rarely legitimate but carry enough detail to encourage action.

From an email security perspective, such emails either bypass traditional email security tools entirely, because they are “payload-free” with no attachments or links, or they are quarantined, which is a problem when they turn out to be legitimate. This binary approach to email security (everything is either good or bad) ignores the reality of today’s threat landscape, which exploits the dangerous gray area of everyday communication. The challenge, of course, is that a share of legitimate email follows this same pattern, so a good/bad approach results in either exposure for the company or delayed business operations due to blocked or quarantined emails.

Security teams should use the current ransom scams as an impetus to reconsider how such emails should be handled not just from a technology perspective, but also from a business process and user education mindset. For example – what’s the process for authorizing wire transfers or transmitting confidential information? How should physical security threats be handled and to whom should they be reported? How is that information being communicated and reinforced to employees?

Once such decisions are made, technology can not only detect the threats but also be a powerful enabler and reinforcement for that process. For many of GreatHorn’s customers, for example, such emails come with a warning banner that reminds the recipient of the established business process and whether the email deserves extra scrutiny.
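As an added illustration of the three-way handling argued for above (example code, not GreatHorn’s own), the following Python triage routine delivers a payload-free payment or W-2 request with a process-reminder banner instead of blocking it, and escalates ransom language to security; the phrase lists, internal domain, verdict names and sample messages are assumptions constructed for the example.

```python
"""Three-way triage for payload-free financial requests (added example, not
GreatHorn's code). Instead of a binary good/bad verdict, a plain-text wire
transfer or W-2 request is delivered with a banner restating the company's
authorization process, and ransom language is escalated to security. Phrase
lists, the internal domain and the verdict names are assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"   # assumed recipient domain
REQUEST = re.compile(r"\b(wire transfer|wire \$?\d+|w-?2s?|tax forms?)\b", re.I)
URGENT = re.compile(r"\b(urgent|immediately|today|end of day)\b", re.I)
THREAT = re.compile(r"\b(bomb|detonate|bitcoin|btc)\b", re.I)
BANNER = ("[Security notice] This message requests a payment or confidential "
          "records. Confirm it by phone with a known contact before acting.")

def _body_and_payload(msg):
    """Return the plain-text body and whether a link or attachment is present."""
    parts = [p for p in msg.walk() if not p.is_multipart()]
    body = "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in parts if p.get_content_type() == "text/plain")
    attached = any(p.get_content_disposition() == "attachment" for p in parts)
    return body, attached or bool(re.search(r"https?://", body))

def triage(raw: str) -> dict:
    """Classify a raw RFC 822 message as deliver, banner or escalate, with reasons."""
    msg = message_from_string(raw)
    body, has_payload = _body_and_payload(msg)
    text = msg.get("Subject", "") + "\n" + body
    external = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower() != INTERNAL_DOMAIN
    if THREAT.search(text):   # ransom/extortion: hold and route to security
        return {"verdict": "escalate", "reasons": ["ransom or threat language"]}
    if REQUEST.search(text):  # the gray area: possibly legitimate, so warn rather than block
        checks = [("external sender", external), ("urgent language", URGENT.search(text)),
                  ("payload-free (no link or attachment)", not has_payload)]
        reasons = ["payment or PII request"] + [r for r, hit in checks if hit]
        return {"verdict": "banner", "reasons": reasons, "banner": BANNER}
    return {"verdict": "deliver", "reasons": []}

# Constructed samples in the patterns the post describes (not real messages).
WIRE_REQUEST = """From: "Pat Morgan, CFO" <pat.morgan.cfo@gmail.com>
Subject: Urgent: late invoice

Please wire transfer $48,200 to the vendor today. In meetings, email only."""
BOMB_HOAX = """From: anon@mail.invalid
Subject: your office

There is a bomb in your building. Pay 2 bitcoin by tonight and nothing happens."""
```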

In 2019, we’ll be writing more about the Email Security Lifecycle – and GreatHorn’s unique ability to support all aspects of an organization’s comprehensive email security strategy. Stay tuned!

Breaking: Petya Ransomware Attack Spreading Worldwide

This morning, a major ransomware attack similar to last month’s WannaCry attack began spreading worldwide. The GreatHorn security team is currently monitoring this attack and providing automated support to clients.

Currently, here is what we know about this attack:

  • The initial point of infection is a phishing email from the sender [email protected]. The email carries a Word attachment infected with a strain of the Petya malware known as Petrwrap; initial indicators of compromise suggest that the Word file is named “Order-20062017.doc” and exploits CVE-2017-0199. Once running, the ransomware uses the same remote SMB vulnerability (ETERNALBLUE) that WannaCry used to spread to other Windows machines on the same network.
  • The Word file itself connects to a variety of compromised endpoints (the most common appear to be and ) to download the Petya variant used in this attack, then launches the binary, encrypts the local hard drive, wipes the system log, and forces a reboot.
  • As of 12:30PM EST, no kill switch to this attack has been identified.

Our specific recommendations:

  • Install Microsoft’s patch for this vulnerability (MS17-010) if you have not done so already.
  • Block inbound connections on TCP Port 445
  • Block incoming email from [email protected]; GreatHorn Inbound Email Security clients are automatically being provided with policy-level support to move these messages to a “Danger-Phishing” folder.
  • Update all instances of Office on your local network, to minimize the risk of infection should the phishing email vector change

We are continuing to monitor for evidence of this malware, and will provide additional information and remediation support as our investigation continues.

If you have any questions or concerns, please feel free to contact the GreatHorn team at [email protected].

Worldwide Ransomware Attack Brings Down NHS, Telefonica

A major ransomware attack hit the UK’s National Health Service, Spain’s Telefonica mobile telephone network, and various smaller companies across 74 countries on May 12, 2017. One of the largest global cyberattacks to date, it relied upon a modified version of a known ransomware kit (Wanna Decrypt0r, also known as WannaCry or WCRY), and at its peak, spread at an estimated rate of 5 million infected emails per hour.

As of this writing (May 13, 2017), the attack has been neutralized for some systems, by way of a DNS sinkhole. The initial malware contained code that caused the attack to terminate if a specific website was online (likely part of the development process for the file), and the destination has now been sinkholed and redirected to a site that causes the infection to shut down instead of spreading. However, systems running behind a proxy are still susceptible to attack.

Creating a local DNS entry that redirects (the check URL used by the worm that spreads the malware) to a local IP is a critical step, should the sinkhole fail.

Interestingly, the exploit used by the malware was described in NSA documents that were stolen and leaked in April 2017 by a group known as the Shadow Brokers.

Infected Windows machines around the world were being used to propagate the attack. The initial infection vector was via a Word file, which deployed the WCRY malware; once opened, the ransomware encrypts a Windows machine’s files, and then uses a remote vulnerability through Windows’ network file share protocol (SMB) to distribute itself to other Windows machines on the same network.

What was critically different here was that, due to the nature of the exploit, if even one machine were infected it would automatically spread to all other vulnerable machines on the same network. This self-propagation is why the attack was so widespread, and although the Windows exploit this attack uses was patched on March 14, 2017 (full details are here), many networks and companies had not yet patched their systems to prevent exploitation.

Once infected, the machine’s desktop wallpaper was changed, and the malware displayed a message demanding Bitcoin payment within a certain timeframe, after which the encrypted data would supposedly be deleted:

[Screenshot: the Wanna Decrypt0r ransom message]

Along with the warning message above, users were also presented with a readme file explaining what they needed to do to regain access to their files (namely, transfer $300 USD in Bitcoin to the attackers).

The encryption routine in the malware targets the following file types, appending the extension .WCRY to the end of each encrypted file’s name:


Why This Attack Was So Dangerous:

The most significant threat here was from unpatched machines with a recent vulnerability. While a patch existed at the time of infection, it was not universally deployed. Coupled with the auto-propagating nature of the attack, a large number of machines were compromised rapidly.

The primary attack vector for this attack is believed to have been a non-targeted phishing campaign. Increasingly, phishing scams combine malware distribution with advanced deception tactics, designed to trick users with a variety of social engineering techniques, including:

  • Display Name Spoofs, which use a valid email address (such as a newly registered account with Gmail, Yahoo, Outlook, or a similar service) in combination with the Display Name, the “friendly” first and last name that most email clients show, to deceive a user into believing that the message came from a known contact.

    Identifying Display Name spoofs manually requires that every email for every user be analyzed at the mail header level. Automated analytics (including GreatHorn’s Inbound Email Security platform) will highlight any email whose Display Name / From: combination may be a deception attack.

  • Lookalike / Cousin Domain Attacks, where the attacker combines fully registered and validated domains that are visually similar to a company’s own domain with the actual attack payload, in this case the malware.

    Again, manually reviewing all of the mail headers can be helpful here, although training users to do so with every single email they receive is difficult at best. Automated analytics can identify look-alike domains and automatically alert users to fraud attempts.
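The two header-level checks described above, as an added Python example that is not GreatHorn’s product logic; the company domain, contact list, confusable table and sample From: headers are constructed assumptions.

```python
"""Header-level checks for the two deception tactics described above (added
example, not GreatHorn's product logic). Flags a Display Name that matches a
known contact while the From: address does not, and a From: domain that is a
visual or one-character lookalike of the organization's domain. The contact
list, domain, confusable table and sample headers are constructed here."""
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"          # assumed organization domain
KNOWN_CONTACTS = {                      # assumed address book: display name -> address
    "Alice Chen": "alice.chen@example.com",
    "Bob Ortiz": "bob@partner-example.net",
}
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]

def skeleton(domain: str) -> str:
    """Collapse common visual substitutions so 'exarnple.com' compares equal to 'example.com'."""
    s = domain.lower()
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 catches one dropped, added or substituted character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze_from(header: str) -> list:
    """Return findings for one From: header value; an empty list means nothing flagged."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    known = KNOWN_CONTACTS.get(name.strip())
    if known and known.lower() != addr.lower():
        findings.append(f"display name spoof: '{name}' is known as {known}, not {addr}")
    if domain != COMPANY_DOMAIN and (skeleton(domain) == skeleton(COMPANY_DOMAIN)
                                     or levenshtein(domain, COMPANY_DOMAIN) <= 1):
        findings.append(f"lookalike domain: {domain} resembles {COMPANY_DOMAIN}")
    return findings
# Constructed From: headers in the patterns described above (not real mail).
SAMPLES = {
    "legitimate": '"Alice Chen" <alice.chen@example.com>',
    "display_name_spoof": '"Alice Chen" <alice.chen.ceo@gmail.com>',
    "lookalike_domain": '"IT Support" <helpdesk@exarnple.com>',
}
```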

Mitigation and Response

  • Implement infection prevention within email systems, focused on identifying infected files (especially Word documents) and unusual senders, spoofs, and impersonation attempts. Rapidly changing malware can often circumvent legacy email gateway defenses, especially if the attack does not directly attach the infected file within the email itself, but instead delivers it via URL or link. Post-delivery protection is essential for both detection and response while endpoint and anti-malware tools catch up, and being able to rapidly identify and remove infected messages even if they get past the perimeter is critical to protecting against threats.
  • Patch all potentially vulnerable machines for MS17-010 (“ETERNALBLUE” and “DOUBLEPULSAR”).
  • Remove outdated Windows NT, Windows 2000, Windows XP, and Windows Server 2000-2003 machines from production.
  • Disable SMBv1 (especially on machines that cannot be removed from production) with the following PowerShell command, run from an elevated prompt; a restart is required for the change to take effect:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
  • Filter SMB (TCP/445), NetBIOS (TCP/139), and RDP (TCP/3389) traffic at the firewall level, ensuring that infected machines cannot spread the malware if present within your network.

What To Expect Next

This is the second time a major attack has propagated over email within the past two weeks, and it’s highly likely that the criminals behind these attacks are in the process of improving the sophistication of both their primary attack tools (the malware and ransomware they use) as well as their techniques and tactics.

More generally, this attack demonstrates the importance of not relying on security awareness training alone; as the scope and efficacy of this incident reveal, training (traditionally a compliance effort) cannot adequately modify the behavior of every user at every company in the world — and given the rapid spread of an attack that spreads in the way that WCRY does, it only takes a single compromised account to bring down millions of machines and organizations in minutes.