By Aaron Riley and Darrel Rendell
With Hurricane Florence battering parts of the East Coast, here’s a reminder that phishing campaigns sometimes pretend to promote natural-disaster relief efforts in hopes of compromising their target. Cofense Intelligence™ has analyzed many such campaigns, which are designed to entice the end user into giving up credentials or infecting an endpoint.
Besides implying some means of helping others during tragic events, these emails hide behind the names of legitimate charities supporting the victims. This makes it harder for the end user to decide whether the email is legitimate. If an end user falls for such an email at work, your network could be at risk.
The most recent natural-disaster campaign we analyzed focused on the hurricanes around the state of Hawaii. Figure 1 depicts the email.
Figure 1 shows the email body described above.
This email is unusual in its narrative: it implies that the hurricanes have already hit Hawaii and that the sender has completed a study of their effects. It otherwise follows the typical pattern of a link leading to a “secure document” page, as seen in Figure 2.
Figure 2 shows the landing page of the link within the email body.
This landing page purports to hold a .pdf of the study behind its link. Clicking that link takes the user to a credential-stealing sign-in page for a product called Smartsheet, shown in Figure 3.
Figure 3 shows the credential-stealing page linked from the previous site.
This site also offers the user the option to log in with Gmail or Office 365 credentials. As demonstrated here, only two clicks separate the start of the attack from credential theft. Machines have limited ability to stop this, so your business needs educated end users.
Cofense™ Tips on Weathering the Storm
Tip 1 (see Figure 1): The lack of substance in the email body, as well as the broken English, should be a red flag to the end user. The email signature of ‘Hawaii’ likewise signals a scam. If your users need help spotting such clues, Cofense PhishMe™ can help build phishing resiliency through simulations and education.
Tip 2 (see Figure 2): This one is a little more advanced, since the entire page is a hotlink to the login page. An end user can hover anywhere on the page and the URL will display in the bottom left of the browser window. This means the end user does not need to click the button; clicking anywhere on the site leads to the illegitimate login page.
Tip 3 (see Figure 3): Several markers point to the illegitimacy of this login page. The URL of the second landing page, the one hosting the credential-stealing login, does not match the credentials being requested. The end user can also see within the URL that smartsheet[.]com is actually a folder path within another website’s domain.
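As an added example that is not part of the Cofense post, here is a small Python check in the spirit of Tip 3 and the link analysis in Tip 4: it parses a URL, approximates the registrable domain, and flags cases where a protected brand’s domain appears as a folder in the path or as a subdomain of an unrelated site. The brand list, the defang handling and the sample URLs are constructed for illustration; a production filter would use the Public Suffix List rather than the two-label approximation used here.

```python
from urllib.parse import urlparse

# Brands whose login pages this check watches for (constructed list for the example).
PROTECTED_BRANDS = ("smartsheet.com", "google.com", "office365.com")


def refang(url: str) -> str:
    """Undo the common '[.]' defanging used in threat reports so the URL parses."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels (e.g. 'example.com').
    This is a simplification; the Public Suffix List handles cases like 'co.uk'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_impersonation(url: str) -> list[str]:
    """Return the reasons a URL looks like it impersonates a protected brand.
    An empty list means no impersonation marker was found."""
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)
    path = parsed.path.lower()
    subdomain_labels = host.split(".")[:-2]  # labels left of the registrable domain
    reasons = []
    for brand in PROTECTED_BRANDS:
        if reg == brand:
            continue  # genuinely hosted on the brand's own registrable domain
        brand_name = brand.split(".")[0]
        # Tip 3 case: the brand's full domain shows up as a folder under another site.
        if brand in path:
            reasons.append(f"{brand} appears in the path of {reg}")
        # Related trick: the brand name is a subdomain of an unrelated registrable domain.
        if brand_name in subdomain_labels:
            reasons.append(f"{brand_name} used as a subdomain of {reg}")
    return reasons


def triage(urls: list[str]) -> dict[str, list[str]]:
    """Run the check over a batch of links extracted from an email and keep only hits."""
    return {u: r for u in urls if (r := brand_impersonation(u))}


if __name__ == "__main__":
    # Constructed sample links, not the real campaign URLs.
    sample = ["hxxp://example-docs[.]net/smartsheet.com/login/",
              "https://app.smartsheet.com/b/login",
              "https://smartsheet.secure-files.example/signin"]
    for link, why in triage(sample).items():
        print(link, "->", "; ".join(why))
```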
Tip 4: A security stack that performs deep inspection of emails before they reach end users greatly improves your ability to avoid a phishing incident. The email security stack should include link analysis, attachment sandboxing, and the ability to respond automatically to threats already in users’ inboxes.
Tip 5: Always letting the end-user base know about upcoming holidays, events, or natural disasters on the horizon prepares them for phishing emails scoped to those events and helps their diligence in handling email around those times.
Combining the right education and technology will protect your organization when hackers try to turn a natural disaster into a security disaster. To learn more about the emotional levers phishing attackers use, view the Cofense Phishing Resiliency and Defense Report.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.