On January 31st, GreatHorn’s threat response team identified a widespread business email compromise campaign targeting senior executives with a message claiming to be a Doodle poll required to reschedule an upcoming board meeting. The attack links directly to a well-constructed Office 365 credential theft site.
Purporting to be from the CEO of an organization, the phishing attack claims that a planned board meeting needs to be rescheduled and requests participation in a poll to identify a new date.
The attack appears to be hitting multiple senior executives (e.g. CEOs, CFOs, CTOs, SVPs) within an organization and has been found across multiple industries and organization sizes. It always uses direct spoofing (i.e. the same “from” email address as the “to” email address) with a display name of “Meetings” and a subject line and content personalized to the targeted company.
Importantly, on a mobile device, the native Outlook client overwrites the display name to say “Note to self,” further disguising the attack and making it even more likely that a recipient will interact with it. While some of these messages were routed to Microsoft’s “Junk” folder, they remained accessible to end users, leaving them exposed to the attack. As of 3:20pm, the destination site was still up and had not been flagged by browsers as malicious.
The attack was found (and eliminated) in 14% of GreatHorn’s customer base. In addition to blacklisting the domain, GreatHorn correctly identifies the destination as suspicious in its Link Protection module.
The GreatHorn security team is currently monitoring this attack and providing automated support to clients.
Currently, here is what we know about this attack:
- The initial point of infection is via a phishing email sent to senior executives with a display name of “Meetings” and their own from address.
- The subject line is consistently “New message: [Company Name] February in-person Board Mtg scheduling (2/24/19 update)”.
- The email appears to be a Doodle poll but actually links to an Office 365 credential theft site, with a primary domain ending in web.core.windows.net.
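The direct-spoofing pattern listed above (From address identical to the To address, a generic display name, and the scheduling subject line) can be checked mechanically at the gateway. The following is an added example, not GreatHorn’s code; the messages, domains and the Return-Path heuristic are constructed for illustration.

```python
"""Added example (not GreatHorn's code): flag the direct-spoofing pattern described
above, where the From address equals the To address. Messages below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

SUSPECT_DISPLAY_NAMES = {"meetings"}                         # display name used by the campaign
SUBJECT_LURE = re.compile(r"board\s+mtg\s+scheduling", re.I)  # from the reported subject line

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def analyze_message(raw):
    """Return the indicators found in one RFC 5322 message and a verdict."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_addr, to_addr = from_addr.lower(), to_addr.lower()
    findings = []
    if from_addr and from_addr == to_addr:
        findings.append("direct_spoof")   # sender claims to be the recipient
        # A genuine note-to-self leaves through the recipient's own mail system, so its
        # bounce address shares the From domain; an external Return-Path is the strong signal.
        if return_path and _domain(return_path) != _domain(from_addr):
            findings.append("external_return_path")
    if from_name.strip().lower() in SUSPECT_DISPLAY_NAMES:
        findings.append("generic_display_name")
    if SUBJECT_LURE.search(msg.get("Subject", "")):
        findings.append("scheduling_lure_subject")
    if {"direct_spoof", "external_return_path"} <= set(findings):
        verdict = "block"
    elif "direct_spoof" in findings:
        verdict = "warn"       # surfaced to the user with a banner rather than silently dropped
    else:
        verdict = "allow"
    return {"findings": findings, "verdict": verdict}

# Constructed to resemble the reported campaign; company name and domains are placeholders.
CAMPAIGN_SAMPLE = """\
Return-Path: <bounce@mailer.attacker.example>
From: Meetings <cfo@example-corp.example>
To: cfo@example-corp.example
Subject: New message: Example Corp February in-person Board Mtg scheduling (2/24/19 update)

Please vote in the Doodle poll to reschedule the board meeting.
"""

SELF_NOTE = """\
Return-Path: <cfo@example-corp.example>
From: Jane Doe <cfo@example-corp.example>
To: cfo@example-corp.example
"""   # constructed legitimate note-to-self for comparison
```

A real note-to-self still trips the From == To check, which is why it only earns a warning banner here while the external bounce address escalates to a block.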
GreatHorn Security Response:
- All attack emails within GreatHorn’s customer base have been removed from customer inboxes.
- All customers of GreatHorn Email Security can rest assured that this destination has been added to GreatHorn’s blacklist, ensuring that all future emails will be blocked.
We are continuing to monitor for evidence of this malware and will provide additional information and remediation support as our investigation continues.
If you have any questions or concerns, please feel free to contact the GreatHorn team at [email protected].
Few angles make for a better email-borne attack than the impersonation of a trusted service. Organizations such as Microsoft, Google, Bank of America, Citigroup, DocuSign, Dropbox, FedEx, UPS, and countless others are brands recognized throughout the world that host or access trusted financial data, personally identifiable information, confidential data, and other exploitable content desired by criminals.
Better yet for attackers, these organizations frequently send a variety of notifications: updated terms of service, account changes and alerts, new documents being shared, etc. Recipients don’t just trust these brands; they’ve been conditioned to expect email notifications from these companies. As a result, they often interact with emails from trusted brands without giving them as much thought as they would an email from a stranger. This provides a ripe environment for attackers to exploit.
These emails attempt to obtain any number of different pieces of information (names, addresses, Social Security numbers, account numbers, routing numbers), but what is commonplace at nearly every organization is credential theft by way of a fake notification email like one of the aforementioned. Attackers have realized the value of these credentials: with password reuse as rampant as it is, one password can be the key to everything from a corporate account to a personal email account to a bank account, and even without widespread reuse of the password, the email account is the most common means of resetting passwords for every other account a person uses.
There are a number of ways to detect and prevent these attacks, but detection and prevention based on analysis of URLs (and, to a lesser extent, attachments) has been viewed as a central component of email security technologies for some time now. It is not nearly as infallible as many are led to believe. When the system gets it right, everyone sleeps soundly, but a number of these payloads still reach end users precisely because of the shortcomings of the particular analytical approach taken, and end users are then left to their own devices to figure out which URLs are safe and which are not.
Over time, attackers have become craftier and craftier in their approach to these emails, so the payloads that get through are increasingly pernicious. Regardless of who or what business service might be spoofed by an attacker, destination URLs are often “hidden” behind hyperlinked text (e.g. “Click here”), made to look like a common file share URL, or are even legitimate file sharing URLs. Because of this, they can be difficult to spot and identify as unsafe. Coupled with users’ inherent level of trust in these respected brands (or members of their organization) and the sense of urgency an attacker creates (Data will be deleted in the next 24 hours if you do not take action!), users often feel compelled to do exactly as the email advises: they click.
Many existing email security solutions are heavily reliant on threat intelligence feeds to identify these URLs as malicious at the time of delivery. While undeniably useful, threat intelligence has its shortcomings. It goes without saying that someone has to be the first (or possibly second, third, fourth, fifth…) victim before the URL can be classified as malicious and that intelligence can be disseminated. Other solutions stop short of analyzing the full URL and instead focus only on the root domain. The idea is that, given their available dataset coupled with their threat intelligence and other data feeds, malicious URLs are bound to be spotted based solely on being anomalous. This, of course, ignores the fact that web certificates expire, that attackers can hijack otherwise innocuous websites by other means, and that they can use URL shorteners, redirects, and a host of other techniques that ultimately obfuscate the true destination of the attacker’s URL.
GreatHorn recently identified a fairly compelling example of a business services impersonation email in one of our client environments that would have almost certainly bypassed many of these existing methods of detection. The message appeared to be from business service provider LogMeIn, which makes a suite of popular access and communications products, including GoToMeeting and LastPass among others. As anyone familiar with LogMeIn can see here – save for the font – the notification was exceptionally close in appearance to a real LogMeIn notification email. There was a link in the message purportedly leading the user to a LogMeIn account login page where “6 months of free subscription” awaited him.
In this instance, the attacker utilized a domain for the URL (logme-in.com) similar enough to LogMeIn’s actual domain (logmein.com) that it would likely pass as legitimate to an end user’s eye test. At the time of attack, the URL in this email was not showing up on dozens of threat intelligence feeds and the root domain of the URL redirected to a Google search page showing results for a LogMeIn-related search. With threat intelligence coming up blank, if a solution were to check the root domain, it would ultimately find a legitimate Google webpage.
As this example shows, the term “detecting malicious URLs” can be misleading. This particular email, at least in regard to the URL, could easily have bypassed any number of security solutions that rely on one of the above approaches. With attackers getting savvier, it’s important for security teams to ensure that their link protection options are robust enough to protect them from such attacks.
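The two weaknesses described above, root-domain-only checks and a lookalike domain (logme-in.com standing in for logmein.com) that no feed had yet listed, are what a link check has to cover without waiting for reputation data. The following is an added example, not GreatHorn’s or LogMeIn’s code; the protected-brand list, the hosting suffix list and the HTML body are constructed, and the web.core.windows.net suffix comes from the Doodle poll campaign described earlier on this page.

```python
"""Added example (not GreatHorn's code): judge each link in an HTML body by its full
URL and by lookalike distance to protected brands, not by root-domain reputation alone."""
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

PROTECTED_BRANDS = {"logmein.com", "microsoft.com", "doodle.com"}   # constructed list
SHARED_HOSTING_SUFFIXES = ("web.core.windows.net",)                # anyone can host a page here
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def _registrable(host):
    # Last two labels; a production check would consult the Public Suffix List.
    return ".".join(host.lower().strip(".").split(".")[-2:])

def _normalize(label):
    # Drop separators and digit-for-letter swaps so logme-in compares equal to logmein.
    return re.sub(r"[-_]", "", label.lower()).translate(str.maketrans("013", "ole"))

def assess_link(href, anchor_text=""):
    host = urlparse(href).hostname or ""
    reg = _registrable(host)
    if reg in PROTECTED_BRANDS:
        return {"url": href, "verdict": "allow", "reasons": []}
    reasons = []
    for brand in PROTECTED_BRANDS:
        b, r = brand.split(".")[0], reg.split(".")[0]
        if _normalize(r) == _normalize(b) or SequenceMatcher(None, r, b).ratio() >= 0.85:
            reasons.append(f"lookalike of {brand}")
    if host.endswith(SHARED_HOSTING_SUFFIXES):
        reasons.append("shared static hosting")
    shown = re.search(r"https?://([\w.-]+)", anchor_text)   # anchor text that displays a URL
    if shown and _registrable(shown.group(1)) != reg:
        reasons.append("anchor text shows a different domain")
    return {"url": href, "verdict": "suspicious" if reasons else "unknown", "reasons": reasons}

def assess_html(body):
    # A regex is enough for this constructed body; real mail needs an HTML parser.
    return [assess_link(h, re.sub(r"<[^>]+>", "", t)) for h, t in LINK_RE.findall(body)]

SAMPLE_HTML = """<p>Your 6 months of free subscription are ready.</p>
<a href="https://logme-in.com/account/login">Log in to LogMeIn</a>
<a href="https://poll123.z13.web.core.windows.net/vote.html">Click here</a>
<a href="https://www.logmein.com/">https://www.logmein.com/</a>"""   # constructed body
```

The root domain of logme-in.com is never looked up, so the redirect to a Google results page described above has no bearing on the verdict.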
We recently announced GreatHorn Link Protection – a new turnkey module that’s available as a core component of our email security platform. In addition to all the proprietary threat detection techniques we use that would flag a message such as this as a concern, GreatHorn Link Protection provides multiple levels of protection regardless of the URL’s presence on our threat intelligence feeds.
Stay tuned for more blogs on GreatHorn Link Protection, but in the meantime, you can learn more about GreatHorn’s Malicious URL capabilities here. Also consider checking out our recent blog on the recent rise in business service impersonations to learn more about real-world credential theft attempts.
December is an active month for cybercriminals: the uptick in holiday shopping, end-of-year budgets and contracts, preparations for tax season, end-of-year surveys, and the generally frenetic pace create a ripe environment for phishing scams. It’s not unusual at this time of year to see an uptick in phishing attempts that rely on old standby techniques such as DHL or FedEx impersonations or fake invoices sent to accounting departments.
Last week, however, came with a twist – a number of high-profile ransom-driven phishing scams that prey on fear.
In a typical phishing scam, you can usually find three key characteristics: a trusted sender or brand, urgent language, and some kind of required response.
In these bitcoin-driven scams, attackers substitute fear for the trusted sender component. Last week saw a dramatic rise in bomb threats requesting bitcoin payment (which so far appear to be hoaxes or scams rather than legitimate threats), while starting this past summer there has been a burst of sextortion scams.
Ultimately, the pattern is the same – threaten personal damage (physical or otherwise) unless the recipient transfers a certain amount of bitcoin to one of several circulating accounts. These scams often include some level of personalization to give the threat greater credibility.
In the business world, this same pattern can be found in other financially motivated phishing attacks: The target is sent a plain text, often personalized, email with no links or attachments that requests a wire transfer due to a late invoice payment, or W2 information for a former employee. Such requests are rarely legitimate but have enough details to encourage action.
From an email security perspective, such emails either completely bypass traditional email security tools, because they are “payload-free” with no attachments or associated links, or they are quarantined, which can be problematic if they are legitimate. This binary approach to email security (something is either good or bad) belies the reality of today’s threat landscape, which exploits the dangerous gray area of everyday communication. The challenge, of course, is that a percentage of legitimate email follows this same pattern, and this good/bad approach can result in either exposure for the company or delayed business operations due to blocked or quarantined emails.
Security teams should use the current ransom scams as an impetus to reconsider how such emails should be handled not just from a technology perspective, but also from a business process and user education mindset. For example – what’s the process for authorizing wire transfers or transmitting confidential information? How should physical security threats be handled and to whom should they be reported? How is that information being communicated and reinforced to employees?
Once such decisions are made, technology can not only detect the threats but also be a powerful enabler and reinforcement for that process. For many of GreatHorn’s customers, for example, such emails come with a warning banner that reminds the recipient of the established business process and whether the email deserves extra scrutiny.
In 2019, we’ll be writing more about the Email Security Lifecycle – and GreatHorn’s unique ability to support all aspects of an organization’s comprehensive email security strategy. Stay tuned!
Cybersecurity journalist Brian Krebs reported today that the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry forum for sharing data about critical cybersecurity threats facing the banking and finance industries, was the victim of a successful phishing attack.
An FS-ISAC employee “clicked on a phishing email compromising that employee’s login credentials.” Using the credentials, a threat actor created an email containing a PDF that linked to a credential harvesting site and sent it from the employee’s email account to select member affiliates and other employees.
While the incident was contained, it is a stark reminder that anyone – even cybersecurity professionals – can get phished. In an interview with Krebs, FS-ISAC executives noted that the attack that tricked the employee into giving away email credentials wasn’t particularly sophisticated.
Although the organization regularly delivers security awareness training to staff members, this incident underscores many of the core beliefs we have at GreatHorn.
- Security awareness training, while necessary, is not enough. It is unrealistic to rely on employees to correctly identify a phishing attempt 100% of the time. In fact, a report from Forrester noted that among all tracked breaches (in 2015), the statistical difference between organizations that received training and those that didn’t was only 4%.
- Automated security controls to protect against phishing, social engineering and other email-based threats should be a foundational layer of any security program.
- New approaches to email security in the cloud are essential. Legacy email security gateway tools by design are not capable of protecting against phishing and other advanced threats targeting your employees’ inboxes.
To learn more about GreatHorn’s modern, cloud-native approach to email security for Office 365 and Google G Suite, listen to our most recent webinar: 4 Reasons Why It’s Time to Rethink Email Security.
Highly targeted phishing attacks are among the most prevalent threats businesses face today. These attacks, which are increasing in frequency and sophistication, can result in stolen credentials, loss of intellectual property and, in many instances, entry into core backend systems that contain customer data or financial assets. According to the FBI, U.S. businesses alone suffer nearly $343,000 in damages every hour from phishing, and this number has been going up year over year for the last five years.
Why are these attacks so pervasive? In short, it’s because they work. Phishing attacks easily circumvent traditional email security systems to deceive their intended target.
Here is a step-by-step breakdown of how cyber attackers execute targeted phishing attacks and why they’re so successful.
Step 1: Identify a Target. The first thing attackers do when launching an attack is look at the target organization’s website. This allows them to understand the markets in which the organization plays, how it describes itself, and its branding (e.g., colors, logos), all valuable information that is readily available.
Step 2: Research the Victim. From here, the attacker will select an individual target, such as someone in charge of finances inside of the organization. This person could be someone that is listed in the ‘About Us’ section of the website. Attackers gather personal intel from public profiles on LinkedIn, Facebook, Twitter and other platforms to get a feel for the person’s interests and relationships. More importantly, they analyze a person’s tone, grammatical tendencies and common phrases to help make their attacks more authentic.
Furthermore, if that person has integrated some sort of trip software (e.g., TripIt) into LinkedIn, the attacker can even begin to understand where they might physically be. Criminals can then make reference to events happening in the person’s life to add another layer of authenticity.
Step 3: Craft the Attack. Once this information is gathered, the attacker will usually send an email to someone on the sales team to inquire about the services the company offers. Sales teams are typically quick to reply. In responding, they’ll hand over valuable information – things such as the format of the auto signature used in the organization, along with any logos, color schemes or website links that should be there. All of these elements are critical in crafting a believable phishing email. Once they have this information, it’s trivial for the attacker to then modify the signature of the sales executive to resemble that of the person they want to impersonate and reach out to their intended target.
Step 4: Strike at the Right Time. If the attacker sends the phishing email at the end of the day, or any time after normal working hours, it’s likely that the target will be viewing it on a mobile device rather than on a computer. The mobile interface will only show the picture and name of the impersonated person sending it – and not the actual email address, which is usually a Gmail address set up by the attacker. Since the email is coming from a consumer email service, it will pass the email authentication checks that many organizations rely on to block spam or direct brand impersonations. And so, a perfectly believable email is delivered to the target’s inbox.
With the combination of psychological pressure and a carefully crafted attack, the target will likely take action and perform whatever is being asked of them. This chain of events has led to many of the high-profile data breaches we’ve seen in recent years and will undoubtedly lead to many more in the future. It doesn’t need to be this way.
To find out more about the latest phishing and social engineering techniques — and how a new approach to email security can protect your organization — check out our most recent webinar, 4 Reasons Why It’s Time to Rethink Email Security.