A Note on Phishing Scams and Phishing Emails
26th Feb 2018
We recently received a phone call from a very 'panicked' customer of ours, who had been the target of a phishing attempt by way of a 'spoofed email'. The following is our breakdown of how this particular event unfolded, along with some advice to help you stay one step ahead of online fraudsters.
Now You’re Speaking Our Language
As is the case in most sub-sectors of technology and networking, understanding what on earth 'those in the know' are talking about can be the first – and biggest – challenge, so we thought it best to put a brief glossary at the top of the article.
- Advanced Persistent Threats (APTs) – covert, long-running intrusion campaigns, often undetected for months, aimed at specific people or organisations
- Phishing – attempts by a hacker or fraudster to use digital 'bait' (such as email content, links or attachments) to obtain sensitive information or to trigger an action such as a payment
- Patch – a software update applied to a machine (e.g. a laptop) that fixes bugs or security vulnerabilities
- Email Spoofing – forging the sender details shown in an email's 'header' (the name and address the recipient sees) so that they differ from the 'source' (the account and server that actually sent it)
- Compromised (machine) – a computer or account that has been accessed without authorisation
You’re Being Watched
It may sound a little excessive, but it is likely that your business and/or social media profile(s) have been scouted or monitored at some point or another. Understanding how a business operates and who the 'key' individuals or decision makers within an organisation are can be of great value to fraudsters, and the worst part is that we willingly 'give away' much of this data on a daily basis.
If a company director or owner of a business has – let's say – a Facebook profile, and said director is visibly associated with a business on websites such as Companies House or LinkedIn, there will be enough data online for a fraudster to begin building a profile with which to potentially phish information from an unsuspecting email recipient.
Now, let's say that our fictitious company director enjoys golf and fine wine – I'd hate to stray too far from established stereotypes – the fraudster can add ever more complex layers to their fake profile, even down to upcoming holidays, recent birthdays or significant life events.
Imagine receiving an email from your boss, whose daughter was getting married in Mexico (very sharable social media information), reading as follows:
The WiFi isn’t so great here at the hotel – Can someone send me *insert sensitive information* as soon as possible please?
You can see how, in the midst of a busy day, this sort of email could slip through the net and result in a successful phishing email campaign.
So, to the case of the distress call from one of our customers: a phishing email attempt with all of the 'classic' hallmarks, which could have succeeded but for one simple, yet significant, oversight by the fraudsters.
From the email that they received it was clear that our customer had been identified as a possible target, and the company's directors had been marked for 'spoofing' – but, before we get into the detail, it is important to explain the groundwork behind this particular phishing attempt.
Phishing Emails from the Source
It would be somewhat careless to deploy a phishing attempt – or any kind of cyber-hack for that matter – from your own machine for the obvious reasons of traceability.
The initial phase of the phishing process would have been for the fraudsters either to compromise a machine themselves or to purchase access to an already compromised machine on the dark web, which they could then use to pretend to be a director of our customer's company.
Well, after some fairly low-level investigation into our customer's situation, we found that this particular attack had originated in Scotland (they are based in the South of England). And, after digging a little further into the full headers of the spurious email, we managed to identify both the compromised machine from which the attack was sent and even its unsuspecting owner (I'm sure it will come as no surprise that, on contacting the 'host', they were completely unaware of – and somewhat perturbed to be involved in – such an activity).
Weak & Reused Passwords
So, what would have led to our Scottish friend becoming the conduit for this phishing attempt?
The most common vulnerability exploited by hackers is weak or reused passwords. In fact, this is so common it is scary – if you have any concerns about password strength, or about remembering longer and more complex passwords, we would highly recommend LastPass – check it out!
What is most likely is that the account owner had been reusing a password that had already been compromised elsewhere, and that this password was used to gain access to their machine – or, more specifically, their email account.
The fraudsters then used that person's email account to send a spoofed email to the ultimate target – our customer.
It read, simply:
would it be possible to make the following payment? *amount and bank details*
Here Comes the Kicker
These types of phishing email attempts are much like actual marine fishing, in that only a certain amount of skill and logic can be applied (such as bait, location etc.) and the rest is down to luck and playing the percentages. Whilst the email itself may not seem very sophisticated, it’s the timing and simplicity that can often catch unsuspecting staff members out – we’ve seen it happen!
What thwarted this phishing email attempt was that the spoofed email address was that of a former director of the company – which may have been the only reason it was highlighted as being suspect and was ultimately unsuccessful.
Had the spoofed email address been of one of the current directors, or even one of the senior management team, it is more than possible that it could have slipped under the radar and led to an erroneous payment being made.
All About the Timing
Successful phishing scams are all about catching the recipient at the wrong (or right) time.
The email was sent over a weekend, which is not insignificant. Fraudsters understand that outside of office hours people are less likely to check whether a relatively simple payment request has actually been authorised and, of course, are unable to confirm its validity verbally across the office.
A Close Call
In many ways, the fraudsters did everything right on this occasion, apart from selecting an ex-employee to spoof. The sender details displayed to the recipient followed the company's standard format; it was only the actual sending address buried in the email's full headers that, if seen, would have set the alarm bells ringing.
What About Our Unlucky ‘Host’
Of course, this story isn't just about our customer and some faceless fraudsters; there was a third party who has also been a victim of sorts.
On notifying the owner of the hacked email account, they took the issue to their Internet Service Provider (ISP). Email providers keep logs of the IP addresses from which an account has been accessed, and an IP address can usually be placed to an approximate location; in this case the trail led back to Canada. (One caveat: a login IP tells you where the connection came from, not necessarily where the attacker sat; it may itself be a proxy, a VPN endpoint or yet another compromised machine.)
How Can You Avoid Phishing Attempts?
Although there is no silver bullet to defend against these types of attacks (yet!), the best way to avoid a breach of your network is to ensure that everyone within your organisation understands their own security responsibilities.
A great place to start is by creating an internal cybersecurity policy document which staff members are trained to follow. It also means that staff members must be made aware of the pitfalls of reusing passwords, and perhaps even making the use of a password manager such as LastPass – as mentioned earlier – company policy.
Being realistic about how visible our social media activity is and, however unlikely it might seem, how it can be used to build a profile about you is also a great lesson to share internally.
At Ensign, we are big advocates of a layered approach to network security – good policy, understanding your network, trained and diligent staff members, up-to-date software on all machines, firewalls in play, and network monitoring in place can all combine to make your business a tougher target to hackers.
Teach a Man to Phish…
There are certainly some valuable lessons that we can all take from this ‘close call’.
What is most clear is that this threat is certainly not geographically specific – hackers are active globally and can access devices at any time, day or night, from anywhere in the world. This is a relatively new type of crime and one that we all need to remain vigilant about.
Hackers and fraudsters play on our most basic emotions, using money, sex, intrigue or even complacency to catch us out. Some recent phishing attempts that we have seen involve emails regarding ‘parcel deliveries’ - in the days of e-commerce this is a highly effective tactic. To add to the danger, even your SMS messages are not safe - we wrote a blog on Smishing (SMS Phishing) which you can read here.
Although it is not necessarily desirable to go through life with a high degree of suspicion, the main lesson here is diligence: checking and double checking links within emails before clicking them is ALWAYS a good idea, as is checking that the actual sender address behind the displayed name is the one it appears to be.
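The 'header' versus 'source' distinction in the glossary, the digging through the email's headers described under 'Phishing Emails from the Source' and 'A Close Call', and the advice above to check the real sender address all come down to the same handful of header checks. The following Python script is an added example written for this article, not code from the original post or from Ensign: the organisation domain examplecorp.co.uk, the staff directory and the two sample messages are constructed for illustration. It uses only the standard library and runs offline.

```python
# Header triage for a suspected spoofed email. Added example for this article,
# not code from the original post; the domain, staff list and messages are constructed.
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

ORG_DOMAIN = "examplecorp.co.uk"            # constructed: the targeted company's domain
CURRENT_STAFF = {                           # constructed: address -> display name of current staff
    "jane.smith@examplecorp.co.uk": "Jane Smith",
    "accounts@examplecorp.co.uk": "Accounts Team",
}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def domain_of(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def edit_distance(a, b):
    """Levenshtein distance; a small value between two domains suggests a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def origin_ip(raw):
    """IP of the earliest Received hop (hops are prepended, so it is the last one)."""
    # Only hops written by servers you trust are reliable; the sender's own can be forged.
    for hop in reversed(message_from_string(raw, policy=default).get_all("Received", [])):
        match = IP_RE.search(hop)
        if match:
            return match.group(1)
    return ""

def triage(raw):
    """Return plain-English warnings about sender-identity mismatches in a raw message."""
    msg = message_from_string(raw, policy=default)
    warnings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    return_addr = parseaddr(msg.get("Return-Path", ""))[1]
    # The article's case: our domain, correct format, but a mailbox nobody uses any more.
    if from_dom == ORG_DOMAIN and from_addr.lower() not in CURRENT_STAFF:
        warnings.append(f"From {from_addr} uses our domain but is not a current staff address")
    # Display-name spoofing: a colleague's name in front of an outside address.
    elif from_dom != ORG_DOMAIN and from_name in CURRENT_STAFF.values():
        warnings.append(f"display name '{from_name}' matches a colleague but the address is external ({from_addr})")
    if from_dom and from_dom != ORG_DOMAIN and edit_distance(from_dom, ORG_DOMAIN) <= 2:
        warnings.append(f"From domain {from_dom} is a look-alike of {ORG_DOMAIN}")
    # Where replies and bounces really go is the 'source'; the From line is only the 'header'.
    if reply_addr and domain_of(reply_addr) != from_dom:
        warnings.append(f"Reply-To {reply_addr} sends replies to a different domain than From")
    if return_addr and domain_of(return_addr) != from_dom:
        warnings.append(f"Return-Path {return_addr} (the sending account) differs from From")
    auth = msg.get("Authentication-Results", "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth or f"{check}=softfail" in auth:
            warnings.append(f"{check.upper()} failed for this message")
    return warnings

# Constructed sample: a payment request relayed through a stranger's compromised account.
SPOOFED = """\
Return-Path: <j.mcleod@mail.example.net>
Received: from mx.examplecorp.co.uk ([192.0.2.1]) by imap.examplecorp.co.uk; Sat, 24 Feb 2018 02:13:09 +0000
Received: from mail.example.net (mail.example.net [203.0.113.45])
 by mx.examplecorp.co.uk with ESMTPS; Sat, 24 Feb 2018 02:13:07 +0000
Authentication-Results: mx.examplecorp.co.uk; spf=fail smtp.mailfrom=mail.example.net; dmarc=fail header.from=examplecorp.co.uk
From: "Peter Former" <peter.former@examplecorp.co.uk>
Reply-To: <j.mcleod@mail.example.net>
To: accounts@examplecorp.co.uk
Subject: Payment

would it be possible to make the following payment?
"""

# Constructed sample: a genuine internal message, for comparison.
LEGIT = """\
Return-Path: <jane.smith@examplecorp.co.uk>
Received: from mail.examplecorp.co.uk ([192.0.2.10]) by mx.examplecorp.co.uk; Mon, 26 Feb 2018 09:02:11 +0000
Authentication-Results: mx.examplecorp.co.uk; spf=pass; dkim=pass; dmarc=pass
From: "Jane Smith" <jane.smith@examplecorp.co.uk>
To: accounts@examplecorp.co.uk
Subject: Invoice approved

Please pay invoice 1042 as agreed.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, "origin:", origin_ip(raw) or "unknown")
        for w in triage(raw) or ["no warnings"]:
            print("  -", w)
```

Two caveats a practitioner would add. Authentication-Results is only meaningful when your own mail gateway wrote it, since an attacker can insert a fake one upstream; and Received lines are only trustworthy down to the first hop your own servers recorded. The earliest hop that origin_ip returns is therefore a lead to follow up with the machine's owner and their provider, as the article describes, not proof of where the attacker was sitting.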
If you’d like to know more about phishing or business cybersecurity in general, contact our team!
For advice on designing or upgrading your business WiFi network and associated systems, to the deployment of security solutions like Next Generation Firewalls and Endpoint Network Security, please contact Ensign Communications for a chat with our technical team.