-
Home
-
Knowledge Base
-
Caleb Hill
- Angling Antics: The Latest & Greatest in Phishing Techniques
Knowledge Base
Angling Antics: The Latest & Greatest in Phishing Techniques
A Case Study in Encrypted Email Phishing
If you haven’t noticed by now, phishing is a big deal. Every other day, you get an email attempting some new way to get your password, download malware on your computer, or otherwise take your information. These emails may be sent by a basement-dwelling fan of the darker side of the web or by a group of thrifty cybercriminals just looking for the next payoff. They could come from a team of foreign hackers advanced enough to be given fancy names by the US government (such as OceanLotus, Dynamite Panda, and even Charming Kitten) or even from your IT team in an attempt to prepare you for the real threats. Either way, these emails often have some devilish tricks in their “nasty little pocketses” (which may do much worse than merely stealing your uncle’s ring). It is estimated that 91% of all successful cyber-attacks are with a phishing email.
Because phishing is a powerful tool in the cyber-attacker’s toolbox, it’s no wonder it is constantly evolving its attack vectors and methods. As email spam filters better detect dangerous emails, “Ye Olde Phishers” must get progressively more creative with creating their phishing packages. Some phishers send malicious messages to many users in a “spray and pray” tactical approach, while others do their research more carefully. The latter groups determine which individuals at a company would be most valuable to compromise, then figure out what sort of email would be most enticing or seem most “normal” to them, increasing the likelihood that the email will be successful.
One phishing technique has applications for evading spam filters and slipping through the “normal” filter. It’s also a technique in which we’ve seen a sizeable uptick recently. This masked method of email malevolence is the Encrypted Email Scam (EES, though it’s doubtful I’ll even use that acronym). These emails pretend to contain links to critical encrypted files that one must click to go access:
The first email was sent from a domain that was evidently set up just for sending spam emails, so it could, to some extent, be suspect just by the sender. The second email, however, is a little bit of a different issue. That email was sent from a legitimate email account at another company which had been compromised. This email then led to what is normally also a legitimate document sharing website called PandaDoc, which would prompt you to download a document:
The “message.html” document is an interesting choice from the bad actors who sent the email, because it demonstrates the focus of their phishing campaign. When opened, this .html document leads to an Adobe landing page that attempts to gather your credentials.
The first phishing email referenced above attempts a very similar thing, redirecting users to a URL containing their email that attempts to mimic the real WeTransfer page for accessing encrypted documents:
These emails attempt to evade spam firewalls in a couple of different ways. One, both emails come from real email servers: one from a compromised 365 email server and the other from an email server set up by bad actors to send emails. The domain used for the latter email server, newagesteelchem.com, is set up with simplistic SPF and DMARC records (two methods of email authentication that make emails appear more legitimate). Secondly, both emails use link formats that mimic those of legitimate services (PandaDoc and WeTransfer). The PandaDoc email goes a bit farther because it stores the real payload of its attack (the fake Adobe page) within the file sharing service. Not only that, but the content of the page in the message.html file is encrypted with Javascript, helping it evade any internal scanning performed by PandaDoc.
 |
Now, the important part: how do we avoid being compromised by scams like these? There are several methods one can leverage to unmask the malicious marauding of electronic messaging skullduggery (I had fun writing that sentence; I hope you had fun reading it).
- Firstly, think about whether you’ve ever received email from this sender before and whether you are expecting any encrypted files. If you’ve worked with the company that the email appears to be coming from, reach out to your contacts at that company and check to see if they meant to send encrypted files. Don’t do anything with unexpected, encrypted file requests until you’ve confirmed that they are legitimate.
- Secondly, check the links in your emails. The Barracuda Spam filter will actually sanitize many of the links in an email before they reach your inbox, so you may not see the real link name if you use Barracuda’s services (the link may start with https://linkprotect.cuda...). However, in most cases, the website URL will be visible if you hover over the hyperlink. This will allow you to see if the URL looks like a bunch of nonsense, such as the one to the right (try going to https://ipfs.io and seeing if the website is legitimate; this will let you test the first part of the link to see if the domain is real)
-
Thirdly, check the sender of the email. For encrypted email scams, the perpetrators will often be sophisticated enough to make the sending address look more legitimate. However, there are some clues you can look out for. Take this email header for example. It shows as being from WeTransfer, but the domain name (newagesteelchem.com) seems to have nothing to do with transferring files. Also, if the email appears to be from someone you know, but the domain is unfamiliar, you can safely suspect a scam (e.g. From: Caleb Hill <This email address is being protected from spambots. You need JavaScript enabled to view it.>).
In summary, cyber attackers are always updating their phishing schemes to involve the latest angling antics that may gain them some leverage over unwary victims. Fortunately, those of you who’ve read this article now know how to duck and dodge these scams, avoiding malicious links and devious HTML code. Stay light as a butterfly and you won’t get stung like a bee by encrypted email attacks (I can’t promise any heavyweight titles, though).
About the author
Contact Us
|
Contact Information: |
Hours of Operation: |
OUR FOCUS
Intrada Technologies is a full-service web development and network management company with a focus on creating ongoing, trusted partnerships with each of our clients.
We make sure our clients have what they require to run their businesses with maximum efficiency and reliability, as many of their needs are mission-critical.
Our unique, collaborative partnerships allow us to provide our clients with the assurance that we will be there when they need us.