An inside look at Dropbox phishing: Cryptowall, Bitcoins, and You (updated)

Post Updated on June 10

On Monday, I wrote about attackers using phishing attacks to deliver malware via links to Dropbox. Today, we received another wave of these emails with slightly different subject lines. Figures 1, 2, and 3 show the variants that were received by us in the latest campaign, and reported by our internal users. In this campaign, 10 of our users were targeted.

Phishing with a malicious .zip attachment

A few weeks ago, we received a round of phishing emails with malware that seemed a little more special than your run-of-the-mill ZeuS, so we decided to give it some analysis. The email was reported by a user at PhishMe. We really do drink our own kool-aid. Figure 1 shows a screenshot of the email that is being analyzed.

Figure 1

Figure 1 — Original Message

HTML Attachment Phishing: What You Need to Know

Are you aware of HTML attachment phishing? It is one of the latest trends with cybercriminals. Instead of emailing downloaders that contact C7C servers to download crypto malware, Troijans, or other nasties, HTML attachments are being sent. HTML attachment phishing is less well known, and as a result, many people are falling for phishing scams.

Even though this past weekend was a holiday weekend for many, there is a good chance that you still checked your email fairly often. If you are like me, you typically use your phone or another mobile device to check your email on the go. This past weekend, you were probably multitasking and may not have been on high-alert for a fraudulent message while you were checking email in between hiding and finding Easter eggs.

Hackers know these things.

So, they send crafty messages like this one (shown as opened in the Thunderbird email client):

If you open that message on your phone, the attachment would probably download with the message, and all you have to do is click to view it. This is a little different than your typical phishing message; a typical phishing message contains a button that has an embedded link that takes you to a lookalike of your bank’s or another online service provider’s real web site.

In today’s example, the phishing page has been stored as a file that looks like the following in a desktop browser:

It will also load up in your phone’s browser, but Safari (or another browser) on your phone may just show you a truncated version of the Internet address you are visiting. When it is a local file, you may just see a portion of the name of the file, Wells_Fargo-Personal-Business_Banking.htm as on my iPhone below:

So, what can Wells Fargo do about that? You may think there is no phishing content to be taken down or removed because it seems encapsulated in the email message. You may think that nobody is harmed if you don’t reply or fall for logging in this way. However, some folks WILL reply, and there is fraudulent content on the Internet that can be referred by Wells Fargo to their takedown provider.

In the source code of the HTML attachment are instructions for how to handle the credentials that the victim enters. Below is a snippet of the code from this phishing attack:

<form id=”frmSignon” action=”hxxp://” autocomplete=”off” method=”post” name=”signon”>

The highlighted portion is the path to a PHP script on a compromised server in Portugal that hosts a domain belonging to a Brazilian gospel video web site. Undoubtedly, if we could view the source code of that PHP script, we would see that is contains the email address of the criminal who is receiving the stolen Wells Fargo credentials. Wells Fargo wants to remove this fraudulent content before its customers can be victimized.

When we visit that page, we see that the PHP code redirects victims to what we call the “exit URL” which is a legitimate login page at Wells Fargo. The victim will then think that their login failed, and they will try to log in again. It is at that moment that Wells Fargo can recognize that customers who login there—having been referred from the URL—are customers who likely just gave up their authentication credentials and should have their accounts locked until the situation is rectified.

PhishMe provides the intelligence that enables Wells Fargo and other spoofed brands tackle this threat vector. Our PhishMe Intelligence system scans over two million spam messages daily to identify the messages that are delivering HTML attachments. Then we use our patented technology to automatically identify the file as a phishing attack and extract the relevant intelligence.

PhishMe digs deeper than other threat intelligence service providers to find the source of the attacks.  Learn more about how we can help you protect your brand here

Watering Holes vs. Spear Phishing

How Does A Watering Hole Attack Work?

Water holing attacks originate by compromising trusted websites and infecting the computers or other devices that visit that site. A successful watering hole attack casts a wide net and has the potential to compromise a large number of users across multiple organizations. This flood of information is a double-edged sword, as attackers have to parse through a large amount of data to find information of value. Additionally, these attacks often exploit zero-day vulnerabilities, so their increased popularity means attackers are burning through zero-days faster, and companies are responding faster as well, stopping attacks earlier in the kill-chain.

 These attacks are an effective tactic, that when executed properly, can deliver widespread damage on a large scale. Symantec released an excellent report describing the APT group “Hidden Lynx”, who the report describes as the inventors of the watering hole technique. The report details last year’s VOHO campaign, which targeted iOS developers, and impacted users at Facebook, Apple, and Twitter – showing the power of a water holing.

The Danger Of Indiscriminate Watering Hole Attacks

Instead of viewing indiscriminate watering-hole attacks as a replacement for spear phishing, they can be seen as an additional tool at adversaries’ disposal, which is what makes it so dangerous. Like all tools, spear phishing and watering hole attacks have specific strengths and weaknesses that suit them well for certain jobs while making them limited in other situations.

As described above, watering hole attacks gather huge amounts of data that attackers will have to sift through for useful information, thus slowing down their ability to take additional malicious action.

Spear phishing, on the other hand, offers attackers the ability to focus more on specific targets and information. A successful spear phishing attack provides immediate access to a target’s systems. Given the amount of readily available information on organizations and their employees on the Internet, attackers can easily identify targets and craft seemingly genuine emails that will provide gateways to specific systems and ultimately data. Spear phishing can exploit zero-days to drop malware on a host, but it doesn’t rely on vulnerabilities. Simple social engineering tactics have allowed groups such as the Syrian Electronic Army to carry out a multitude of high-profile attacks.

“Spear phishing offers attackers the ability to focus more on specific targets and information.”

Anecdotal evidence continues to highlight spear phishing as the source of most high-profile breaches. As previously mentioned, spear phishing is the attack method of choice for the Syrian Electronic Army. Brian Krebs also reported that the Target breach started with a spear phishing email that unloaded malware and stole login credentials from Target vendor Fazio Mechanical.

The fact that news reports around watering hole attacks are stating “watering-hole usage” rather than “company x compromised by watering hole attack” indicates that either companies aren’t discussing successful campaigns, or that the attackers are still refining their tactics. Even if they are successful, the attackers may be inundated with information and are still deciding whether they have found anything useful.

There’s no denying that watering-hole attacks are making an impact, but the idea that it is replacing spear phishing is erroneous. While Symantec’s 2014 Internet Security Threat Report notes a decrease in the overall volume of spear phishing emails, the number of campaigns increased by 91%. Adversaries aren’t turning away from spear phishing as an attack method; instead they are sharpening the focus of their attacks. Symantec attributes this to growing user awareness (we’d like to take some credit for that), but it is probably also due to the dynamics discussed above.

For casting a wider net intended to compromise a large number of users, watering-hole attacks are an effective tactic, but for a highly focused attack seeking specific information, a well-crafted spear phish is still an adversary’s best weapon.

Phishing for passwords with malware

Reports from the Target breach investigation continue to trickle in, with Brian Krebs now citing multiple sources close to the investigation that have traced the initial compromise to login credentials stolen through a phishing email.

Last week, we discussed how attackers can steal credentials without using malware through data-entry phishing. While this tactic is a common and highly effective technique, the latest report on Target alleges that Citadel, a password-stealing derivative of the ZeuS banking Trojan, was responsible for stealing login credentials from Target vendor Fazio Mechanical, which provided attackers with the foothold they needed in Target’s network.

The Resurgence of Data-Entry Phishing Attacks

‘Old School’ email social engineering or data-entry phishing is an attack method that has been on the rise in recent months, notably employed by the Syrian Electronic Army to hack seemingly every major media outlet in the Western hemisphere, and possibly responsible for other high-profile breaches.

A Target spokesperson confirmed last week that attackers initially gained access to the company systems through stolen credentials obtained through a vendor. While Target has not confirmed the exact method through which the credentials were stolen, one possible scenario is that attackers sent a spear-phishing email to the vendor, obtained valid login credentials for Target, and used those credentials to gain a foothold in Target’s network.

Punishing users is the wrong approach to improving security behavior

Punishing users for undesired security behavior? We believe that punishing users is a misguided idea that will alienate them and make it difficult to ever improve user security behavior. Every so often, someone in the industry brings up the idea of punishing users as a way of motivating/improving behavior. We hadn’t heard much on this topic since we wrote a post on it back in September; however, it has flared up again.

Popular holiday-themed phishing attacks

The holidays are a busy time for everyone… especially for hackers trying to phish your employees. Phishing is most effective when it exploits human emotions—fear, greed, anxiousness, curiosity, compassion, getting a good deal—and the holidays tend to bring these emotions out more than other times of the year. This gives adversaries a bevy of relevant topics to use to build phishing campaigns.

How can you ensure your employees are prepared for the onslaught of phishing attacks this holiday season? We’ve mentioned before that training your employees needs to be continuous, and if you have provided immersive security awareness training throughout the year, your employees will be more resilient to phishing attacks at all times. We’ve also noted the need to keep that continuous training fresh, and providing holiday themed training is a great way to provide training that is engaging and timely.