With December upon us and 2014 almost in the books, it’s a perfect time to take a look back at the year that was, from a phishing standpoint of course. If you’ve been following this blog, you know that we are constantly analyzing phishing emails received and reported to us by PhishMe employees. What was the most interesting phishing trend we observed in 2014? While attackers are loading up their phishing emails with new malware all the time, the majority of their phishing emails use stale, recycled content.
Given this trend, a list of the best phishing emails of 2014 may not sound like a riveting exercise, but just because they reused content doesn’t mean we didn’t receive a number of interesting phishing attacks:
10. Fax notice phishing
Fax machines may seem like something you only see on VH1’s “I Love the 90s” but fax notices are a popular theme for phishing emails. Many of the attacks discussed in this post used fax-themed phishing emails, and we recently received fax-themed attacks that sent updated versions of Dyre and an attack that featured Upatre malware, discussed in this whitepaper. In the case of the Upatre Trojan downloader, the phishing content was the same as any generic eFax phish, but the technical methods behind the malware were cutting-edge.
9. .NET Keylogger
This attack started with a standard banking-themed phish with a .zip attachment. The malware turned out to be a .NET keylogger that had the capability to scrape passwords stored in web browsers and other forms of media. Pretty deadly.
8. Message from attorney
Earlier this spring we received a phishing email purporting to be from a neighbor who was sending a .zip file containing sensitive information from the recipient’s attorney. Why would your neighbor email you a .zip file from an attorney? It’s a valid question, and an important one to ask, because the .zip file contained a malicious executable.
7. Ransomware phishing
Back in May, we received a round of phishing that used fake MAILER-DAEMON email delivery failure notices to trick recipients into running an executable that installed a variant of Cryptolocker. A few weeks later, we received a fax-themed phish that led recipients to Cryptowall. Upon examining the bitcoin wallets of the attackers, we found they had collected over $130k in ransom payments.
6. ADP themed email with PDF exploit
Payroll-themed phishing emails are extremely common, since they let the attacker project a sense of authority and stir up emotions such as urgency, fear, and greed. What was unique about this ADP phish? It contained a PDF exploit that injected shellcode into Reader. To complicate analysis, the attackers used several layers of zlib compression and difficult-to-track variable names.
5. IRS data-entry phish
Death, taxes, and phishing emails that spoof the IRS. Spoofing our nation’s tax collection agency is a tried and true tactic, and this phishing email from August played on the recipient’s excitement to receive a tax refund by linking to a page for the recipient to specify payment information for refund, provided he/she enters login credentials. After performing OSINT analysis on the phishing page, we found the same text had been used way back in 2006.
4. Slava Ukraini phish
Back in July, a new strain of Dyre appeared, packed as a zip file containing a screensaver file. The malware was interesting, but the phishing email? It was a simple fax notice, sent to one of our senior executives here at PhishMe.
3. Compromised .edu domain serving ZeuS
Near the end of October, we received a pretty ordinary phishing email with a .zip attachment supposedly containing information about a payment. The attachment contained a form of Zeus. Why does it make the list? The attackers sent the email from a compromised .edu domain. The trusted nature of an educational institution’s domain, and the generous amount of bandwidth those domains usually have, provide attackers with an appealing platform for delivering malware.
2. Dropbox phishing
The rise of third-party cloud services like Dropbox has provided attackers with an interesting new method to deliver nasty stuff through your network. In a round of emails last June that served as the precursor to Dyre, we received phishing emails that linked to a supposed invoice on Dropbox. The Dropbox link itself was legitimate, only it led to a .zip file containing a .scr, not an invoice. Dropbox has been quick to shut down this type of abuse, but it’s proven to be a great method for attackers to get past spam filters. Dropbox use is so pervasive that most organizations won’t block its links. A few weeks later we would see Dropbox links abused in targeted attacks against the Taiwanese government.
1. Dyre malware email
The most notorious phishing email of 2014 seemed innocent enough at first glance. We actually received two emails containing the then-unknown malware, both of them pointing to links on a third-party file sharing service, Cubby. The content of the emails themselves was bland: one simply directed the recipient to a link to an invoice, while the other was a bit more extensive, directing the recipient to a link to learn more about a failed tax payment. Both of these led to the now notorious Dyre malware, a remote access Trojan (RAT) that has targeted banking information and customer data. Dyre’s impact has been widespread enough to catch the attention of US-CERT.
If we learned only one thing about phishing in 2014, it should be that phishing attackers repeat themselves. This can prove useful to help us defend against phishing in the future. While the security industry has traditionally focused on bad IP addresses and malware when it comes to phishing, we ought to be focused on tactics, techniques, and protocol. Focusing on email content, headers, and URLs to recognize patterns and take preventive action will add another layer of phishing defense.
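As an added example (not code from the original post or from PhishMe), here is one way to act on that last suggestion: a small Python triage script that scores reported emails on the recurring patterns this list describes, such as fax, invoice, payment and tax-refund lures, .zip attachments that wrap an executable or .scr, file-sharing links that point at an archive, and financial lures sent from a .edu domain. The sample messages, sender addresses, host list and score weights are all constructed for illustration and are not drawn from the campaigns above.

```python
"""Heuristic triage of reported phishing emails (added example).
Scores the recurring patterns from the 2014 list rather than any IP or hash."""
import io
import re
import zipfile
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr

# Lure keywords and weights are constructed for this example.
LURE_WORDS = {"fax": 2, "invoice": 2, "payment": 2, "payroll": 2,
              "tax refund": 3, "delivery failure": 2, "attorney": 2}
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
SHARE_HOSTS = ("dropbox.com", "cubby.com")  # file-sharing hosts named in the post
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def lure_theme(text):
    """Return (lure words found, combined weight) for subject plus body text."""
    found = [w for w in LURE_WORDS if w in text.lower()]
    return found, sum(LURE_WORDS[w] for w in found)


def executables_in_zip(blob):
    """Names of executable members inside a zip attachment; [] if not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []


def suspicious_links(text):
    """File-sharing links whose path ends in an archive or executable extension."""
    hits = []
    for url in URL_RE.findall(text):
        host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()
        path = url.split("?")[0].lower()  # drop query string before checking extension
        if host.endswith(SHARE_HOSTS) and path.endswith((".zip",) + EXEC_EXT):
            hits.append(url)
    return hits


def triage(raw):
    """Score one RFC 822 message; returns {'score': int, 'findings': [str]}."""
    msg = message_from_string(raw)
    findings, score, body = [], 0, ""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            payload = part.get_payload(decode=True) or b""
            if filename.lower().endswith(".zip"):
                execs = executables_in_zip(payload)
                if execs:
                    findings.append(f"zip {filename} wraps executable(s): {execs}")
                    score += 5
            elif filename.lower().endswith(EXEC_EXT):
                findings.append(f"bare executable attachment {filename}")
                score += 5
        elif part.get_content_type() == "text/plain":
            body += (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    themes, theme_score = lure_theme(msg.get("Subject", "") + "\n" + body)
    if themes:
        findings.append(f"lure theme(s): {themes}")
        score += theme_score
    for url in suspicious_links(body):
        findings.append(f"file-sharing link to archive/executable: {url}")
        score += 4
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain.endswith(".edu") and themes:  # financial lure from an academic domain
        findings.append(f"lure sent from academic domain {domain}")
        score += 2
    return {"score": score, "findings": findings}


def _zip_with(member):
    """Build an in-memory zip holding one harmless placeholder file (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder, not an executable")
    return buf.getvalue()


def sample_zip_phish():
    """Constructed message: payment lure from a .edu sender with a .zip wrapping a .scr."""
    msg = MIMEMultipart()
    msg["From"] = "accounts@example.edu"
    msg["Subject"] = "Payment notification"
    msg.attach(MIMEText("Please see attached payment details.", "plain"))
    att = MIMEApplication(_zip_with("payment_details.scr"), "zip")
    att.add_header("Content-Disposition", "attachment", filename="payment.zip")
    msg.attach(att)
    return msg.as_string()


SAMPLE_DROPBOX = """From: billing@example.com
Subject: Invoice attached
Content-Type: text/plain

Your invoice is available at https://www.dropbox.com/s/abc123/invoice.zip?dl=1
"""
SAMPLE_BENIGN = """From: alice@example.com
Subject: Lunch tomorrow?
Content-Type: text/plain

Want to grab lunch at noon?
"""

if __name__ == "__main__":
    for name, raw in [("zip", sample_zip_phish()), ("dropbox", SAMPLE_DROPBOX),
                      ("benign", SAMPLE_BENIGN)]:
        print(name, triage(raw))
```

The point of the design is that every signal is something a defender can see in the message itself: the subject and body wording, the attachment's real contents rather than its name, the host and path of each link, and the sender domain. None of it depends on a malware hash or IP that the attacker will rotate, so the same rules keep catching the recycled lures this list is about; the weights are a starting point to tune against your own reported-email stream.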