Angling Antics: The Latest & Greatest in Phishing Techniques

A Case Study in Encrypted Email Phishing

If you haven’t noticed by now, phishing is a big deal. Every other day, you get an email attempting some new way to get your password, download malware on your computer, or otherwise take your information. These emails may be sent by a basement-dwelling fan of the darker side of the web or by a group of thrifty cybercriminals just looking for the next payoff. They could come from a team of foreign hackers advanced enough to be given fancy names by the US government (such as OceanLotus, Dynamite Panda, and even Charming Kitten) or even from your IT team in an attempt to prepare you for the real threats. Either way, these emails often have some devilish tricks in their “nasty little pocketses” (which may do much worse than merely stealing your uncle’s ring). It is estimated that 91% of all successful cyber-attacks are with a phishing email.

Because phishing is a powerful tool in the cyber-attacker’s toolbox, it’s no wonder it is constantly evolving its attack vectors and methods. As email spam filters better detect dangerous emails, “Ye Olde Phishers” must get progressively more creative with creating their phishing packages. Some phishers send malicious messages to many users in a “spray and pray” tactical approach, while others do their research more carefully. The latter groups determine which individuals at a company would be most valuable to compromise, then figure out what sort of email would be most enticing or seem most “normal” to them, increasing the likelihood that the email will be successful.

One phishing technique has applications for evading spam filters and slipping through the “normal” filter. It’s also a technique in which we’ve seen a sizeable uptick recently. This masked method of email malevolence is the Encrypted Email Scam (EES, though it’s doubtful I’ll even use that acronym). These emails pretend to contain links to critical encrypted files that one must click to go access:

The first email was sent from a domain that was evidently set up just for sending spam emails, so it could, to some extent, be suspect just by the sender. The second email, however, is a little bit of a different issue. That email was sent from a legitimate email account at another company which had been compromised. This email then led to what is normally also a legitimate document sharing website called PandaDoc, which would prompt you to download a document:

The “message.html” document is an interesting choice from the bad actors who sent the email, because it demonstrates the focus of their phishing campaign. When opened, this .html document leads to an Adobe landing page that attempts to gather your credentials.

The first phishing email referenced above attempts a very similar thing, redirecting users to a URL containing their email that attempts to mimic the real WeTransfer page for accessing encrypted documents:

These emails attempt to evade spam firewalls in a couple of different ways. One, both emails come from real email servers: one from a compromised 365 email server and the other from an email server set up by bad actors to send emails. The domain used for the latter email server, newagesteelchem.com, is set up with simplistic SPF and DMARC Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication protocol designed to give domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. By implementing DMARC, domain owners can specify that their emails are protected by both SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) protocols, significantly reducing the risk of email fraud and phishing attacks. Key components and benefits of DMARC include: Authentication: DMARC builds on SPF and DKIM authentication mechanisms by ensuring that the sender's email domain aligns with the domain in the email's From header. This alignment helps verify the authenticity of the email sender. Policy Enforcement: Domain owners can set policies on how to handle unauthenticated emails. These policies can include monitoring only, quarantine (moving emails to spam), or rejecting unauthenticated emails outright. Reporting: DMARC provides domain owners with valuable feedback through aggregate and forensic reports. Aggregate reports show summary data on email authentication failures, while forensic reports provide detailed information on individual emails that fail DMARC checks, aiding in the identification and mitigation of potential phishing attempts. Visibility: By aggregating data from recipient email servers, DMARC offers domain owners insight into who is sending emails on behalf of their domain, enabling them to detect and take action against malicious activities. Improved Email Deliverability: Authenticating emails with DMARC can enhance overall email deliverability rates, as receiving servers are more likely to trust and accept emails from authenticated sources. Implementing DMARC is a critical step in securing email communications and protecting an organization's brand reputation. By combining DMARC with SPF and DKIM, domain owners can establish a robust defense against email-based threats, contributing to a safer and more trustworthy email ecosystem. records (two methods of email authentication that make emails appear more legitimate). Secondly, both emails use link formats that mimic those of legitimate services (PandaDoc and WeTransfer). The PandaDoc email goes a bit farther because it stores the real payload of its attack (the fake Adobe page) within the file sharing service. Not only that, but the content of the page in the message.html file is encrypted with Javascript, helping it evade any internal scanning performed by PandaDoc.

Now, the important part: how do we avoid being compromised by scams like these? There are several methods one can leverage to unmask the malicious marauding of electronic messaging skullduggery (I had fun writing that sentence; I hope you had fun reading it).
 

1. Firstly, think about whether you’ve ever received email from this sender before and whether you are expecting any encrypted files. If you’ve worked with the company that the email appears to be coming from, reach out to your contacts at that company and check to see if they meant to send encrypted files. Don’t do anything with unexpected, encrypted file requests until you’ve confirmed that they are legitimate.
2. Secondly, check the links in your emails. The Barracuda Spam filter will actually sanitize many of the links in an email before they reach your inbox, so you may not see the real link name if you use Barracuda’s services (the link may start with https://linkprotect.cuda...). However, in most cases, the website URL will be visible if you hover over the hyperlink. This will allow you to see if the URL looks like a bunch of nonsense, such as the one to the right (try going to https://ipfs.io and seeing if the website is legitimate; this will let you test the first part of the link to see if the domain is real)
3. Thirdly, check the sender of the email. For encrypted email scams, the perpetrators will often be sophisticated enough to make the sending address look more legitimate. However, there are some clues you can look out for. Take this email header for example. It shows as being from WeTransfer, but the domain name (newagesteelchem.com) seems to have nothing to do with transferring files. Also, if the email appears to be from someone you know, but the domain is unfamiliar, you can safely suspect a scam (e.g. From: Caleb Hill ).

In summary, cyber attackers are always updating their phishing schemes to involve the latest angling antics that may gain them some leverage over unwary victims. Fortunately, those of you who’ve read this article now know how to duck and dodge these scams, avoiding malicious links and devious HTML code. Stay light as a butterfly and you won’t get stung like a bee by encrypted email attacks (I can’t promise any heavyweight titles, though).