Cybriant CTO: Analysis of a Phishing Email

I recently received an interesting phishing email that I shared with the rest of our company as part of our Internal Security Awareness program.  You might guess that as CTO of a security company I often receive phishing emails (and you’d be right), but this one caught my eye.  This phishing email was interesting for a few reasons:

  1. It made it past Microsoft’s ATP (Advanced Threat Protection) anti-phishing service in Office 365.
  2. It had a valid SPF record (no DKIM or DMARC).
  3. The phishing link had a clever URL encode redirect.

So, let’s take a look at the email:

There were several factors that tipped me off that things were amiss: 

  • I have never seen a similar voicemail email.
  • We don’t do business with any company named Alarmtech (looking at the email address).
  • We definitely DON’T do any business with any company named Alarmtech that has a Polish TLD (the “.pl” of “alarmtech.pl” domain in the email address).
  • The “local Wireless User” phone number was also odd.

So, I decided to take a look at the message’s full headers.

I was quite surprised to see that the email had a valid SPF record, and while it was unfortunate to see that DKIM was not set up, it is fairly common for less sophisticated admins to omit this type of email authentication. This also explains part of why Office365 gave a phishing email a pass instead of convicting the email.

And, a quick check with MXToolbox confirmed that the SPF record was indeed valid.

Ok, at this point I was even more curious.  So, I copied the link for the “Play Record” button and utilized www.o365atp.com to de-obfuscate the link.  Bingo!  We’ve got something interesting!

Now, we have the de-obfuscated link (Office365 ATP uses a technology called Safe Links as an extra layer of protection).

__SNIP__

https://www.google.com.mx/url?q=ht%74p%73%3A%2F%2F6%34%65%35%33r%77%37.%62l%6fb.co%72%65.%77in%64%6f%77s.n%65%74%2F5%65%353%72%77%376%2F%69%6edex.%68t%6d%6c%26%236%33%3B%70z%6fne%26%23%36%31%3BY%575%6b%63mV%33Lmhh%62Wl%73d%479uQHB%79%61W1%31%63%33Nlcn%5a%70%592VzL%6dN%76%62Q%26%2361%3B%26%23%361&sa=D&sntz=1&usg=AFQjCNEZAsy-4nufrSB7lCmGPtn98lLW9Q

__SNIP__


Notice that the URL begins with http://www.google.com.mx/url?q= . This is a clever way to have Google (in this case Google's Mexico site, as the domain has a top-level domain, or TLD, of ".mx") redirect the visitor to the actual malicious website address, which is:

__SNIP__

ht%74p%73%3A%2F%2F6%34%65%35%33r%77%37.%62l%6fb.co%72%65.%77in%64%6f%77s.n%65%74%2F5%65%353%72%77%376%2F%69%6edex.%68t%6d%6c%26%236%33%3B%70z%6fne%26%23%36%31%3BY%575%6b%63mV%33Lmhh%62Wl%73d%479uQHB%79%61W1%31%63%33Nlcn%5a%70%592VzL%6dN%76%62Q%26%2361%3B%26%23%361&sa=D&sntz=1&usg=AFQjCNEZAsy-4nufrSB7lCmGPtn98lLW9Q

__SNIP__

Yes, that is a valid FQDN and URL. And this is the other part of the reason why I believe this phishing email made it past Office365's ATP service: it uses a method called URL encoding (also known as percent encoding), in which a character is replaced by a "%" followed by its hexadecimal code. URL encoding is what allows, for example, a space in a file name to be carried inside a link. The following two bullet point links would point to the exact same URL (Note: I used a random domain name):


The "%20" is the URL-encoded value for a space (" "). There are some genuine uses for URL encoding, and it is especially helpful when creating scripts or working with APIs. For example, when dealing with APIs in our SOC (Security Operations Center), this is often how we get around restrictions such as the use of an "@" in a username: instead of user@cybriant.com it would be user%40cybriant.com.

So, let’s de-obfuscate the link using https://urldecoder.org:

__SNIP__

https://64e53rw7.blob.core.windows.net/5e53rw76/index.html?pzone=YW5kcmV3LmhhbWlsdG9uQHByaW11c3NlcnZpY2VzLmNvbQ=&#61&sa=D&sntz=1&usg=AFQjCNEZAsy-4nufrSB7lCmGPtn98lLW9Q

__SNIP__

There we have the REAL link. Next, we'll explode this link in Joe Sandbox to see its behavior. Click on the following link to see the full Joe Sandbox analysis, and see what our SOC would discover if they were performing this for a customer. I'll give you a hint: it turns out it's malicious:

https://www.joesandbox.com/index.php/analysis/166555/0/executive

Note:

When I first exploded the URL decoded link Joe Sandbox didn’t find anything interesting.  And so, the second time I utilized the link that was a google.com.mx referrer link.  When using the referring link Joe Sandbox determined that the final destination URL was indeed malicious.  In short, the bad actor built a check into their website to ensure that the full link was being used (confirmed by seeing Google.com.mx referring the user to the phishing website).  Pretty spiffy thinking on their part! 
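To make the layering concrete, here is an added Python example (mine, not code from the original post or from Cybriant) that peels the same layers in order: the google.com.mx /url?q= redirect, one or more rounds of percent-decoding, the HTML numeric entities (&#63; and &#61;) that hid the "?" and "=", and finally the base64 pzone parameter. The sample link is constructed to mirror the structure of the link above; the pzone value (base64 of a placeholder address) and the usg parameter are placeholders, not the values from the real email.

```python
import base64
import html
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample mirroring the link in the post: a google.com.mx /url?q=
# redirect wrapping a percent-encoded blob.core.windows.net URL whose "?" and
# "=" are HTML numeric entities. The pzone value is a placeholder
# (base64 of "user@example.com"); usg is a placeholder too.
SAMPLE = (
    "https://www.google.com.mx/url?q="
    "ht%74p%73%3A%2F%2F6%34%65%35%33r%77%37.%62l%6fb.co%72%65.%77in%64%6f%77s.n%65%74"
    "%2F5%65%353%72%77%376%2F%69%6edex.%68t%6d%6c"
    "%26%236%33%3B%70z%6fne%26%23%36%31%3B"  # &#63;pzone&#61;  ->  ?pzone=
    "dXNlckBleGFtcGxlLmNvbQ"                 # placeholder base64 payload
    "%26%2361%3B%26%23%361"                  # &#61;&#61  ->  == (base64 padding)
    "&sa=D&sntz=1&usg=PLACEHOLDER"
)

# Hosts whose /url?q= endpoint bounces the visitor to whatever q says.
REDIRECTORS = {"www.google.com", "www.google.com.mx"}


def unwrap(url, max_rounds=5):
    """Peel the redirect and encoding layers; return what each layer hid."""
    outer = urlsplit(url)
    layers = {"redirector": outer.hostname}
    if outer.hostname in REDIRECTORS and outer.path == "/url":
        # parse_qs already applies one round of percent-decoding to q
        inner, rounds = parse_qs(outer.query).get("q", [""])[0], 1
    else:
        inner, rounds = url, 0
    # Keep decoding until the string stops changing: catches double encoding.
    while rounds < max_rounds and unquote(inner) != inner:
        inner, rounds = unquote(inner), rounds + 1
    inner = html.unescape(inner)  # &#63; -> "?", &#61; -> "=" (";" optional)
    target = urlsplit(inner)
    layers.update(percent_rounds=rounds, target=inner,
                  host=target.hostname, path=target.path)
    pz = parse_qs(target.query).get("pzone", [""])[0]
    try:
        pz += "=" * (-len(pz) % 4)  # tolerate stripped base64 padding
        layers["pzone"] = base64.b64decode(pz, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        layers["pzone"] = None  # present but not valid base64/UTF-8
    return layers


if __name__ == "__main__":
    for k, v in unwrap(SAMPLE).items():
        print(f"{k:>14}: {v}")
```

Run against a real suspect link, the "host" field is the one to compare against the sender's story, and a "redirector" that is a well-known domain is the tell that the visible link was only a bounce.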

Andrew Hamilton

CTO

Andrew Hamilton is a member of the executive management team of Cybriant, a leader in the cybersecurity services industry. As CTO he is responsible for the technical vision and the delivery of services at Cybriant. Since its founding in 2015, Andrew has led the selection, evaluation, and adoption of all security technology and tools utilized by Cybriant in the delivery of its managed security services.

Learn more about Cybriant’s Continuous Threat Detection & Remediation Services: http://cybriant.com/pretect

Biggest Bank Fraud Cases in History

Take a look at some of the most serious cases of bank fraud in recent history. Hackers, insider threats, and more are at the root cause of these. Are you doing everything you can to prevent fraud in your organization? 

The team at Fortunly recently created an infographic with information on the biggest bank fraud cases in history.

Common Security Threats

These cases are filled with so much drama that books have been written about them and Hollywood movies have been created using these storylines.

When you look at the facts, there are certain underlying similarities that you can prevent in your organization. Prevent bank fraud by being aware of these potential threats:

Insider Threats

Some of the cases of bank fraud include hacks and cover-ups by former employees. But you are always at risk of insider threats when it comes to your security. It's important to make sure your employees are aware of security threats, including suspicious emails, and you also have to protect your employees by using technology or services like Managed Detection & Response that can prevent malware from executing.

Phishing Emails

Hackers are getting smarter, and cyberattacks are becoming more and more prevalent in 2019.

Why? Because cybercrime is big business. In 2018 alone, cybercriminals received $1.5 Trillion in revenue. 

According to a new study, the majority (70%) of US workers don't grasp web security and privacy and fail when it comes to security and privacy best practices. This is further proof that employees represent the biggest threat to their company or organization's cybersecurity, and the email phishing statistics below bear this out.

While this is alarming, it’s important to understand that organizations are not spending enough on technology or services to prevent cybersecurity issues from happening. While budgets are rising slowly, employees still need to be aware that they are the biggest threat to their organization. Read more phishing email stats here. 

New attack vectors and vulnerabilities are discovered every day. Your organization likely has firewalls, IDS/IPS, and AV solutions installed that look for malicious activity at various points within the IT infrastructure, from the perimeter to endpoints. However, many of these solutions are not equipped to detect zero-day attacks and advanced persistent threats. Consider using a service like our Managed Detection & Remediation.

Hackers

When your goal is to protect your organization's data, you need to have a baseline framework that will guide all future decision-making. Once you have a framework in place, a Compromise Assessment is helpful in discovering the potential gaps in your security strategy.

The Financial Industry’s Biggest Threat

Biggest Ever Cases of Bank Fraud

Top-Clicked Phishing Email Subject Lines of Q4 2018

Wondering what the top phishing email subject lines from Q4 of 2018 were? KnowBe4 reports on this every quarter. Take a look at the infographic; you may be surprised to see what hackers are using!

Here at Cybriant, we are no longer surprised to see the phishing email subject lines that our users click on. Even the best, most highly trained employees can be tricked. It seems you have to be suspicious of each and every email that comes into your inbox.

Through our PREtect ADVANCED service, we have the ability to stop any malicious activity before it can execute. 

PREtect ADVANCED is the second level of our tiered cybersecurity service, adding next-generation endpoint technology which utilizes AI and machine learning to insulate endpoint devices from malicious code while capturing and analyzing forensic data which Cybriant’s Security Engineers can then utilize to further isolate and remedy the threat.

PREtect ADVANCED features Endpoint Protection Including:

  • True Zero-Day Protection
  • AI-Driven Malware Prevention
  • Script Management
  • Device Usage Policy Enforcement
  • Memory Exploitation Detection and Prevention
  • Application Control for Fixed-Function Devices

Top Phishing Email Subject Lines

Even with this amazing service, you should always train your employees to know what to look for. According to the infographic below, the top general phishing email subject lines are: 

  1. Password Check Required Immediately
  2. Your Order with Amazon/Your Amazon Order Receipt
  3. Announcement: Change in Holiday Schedule
  4. Happy Holidays! Have a Drink On Us.
  5. Have a Drink on Us
  6. De-Activation of [[EMAIL]] in Process
  7. Wire Department
  8. Revised Vacation & Sick Time Policy
  9. Last Reminder: Please respond immediately
  10. UPS Label Delivery: 1ZBE312TNY00005011

From KnowBe4, the top security awareness training company:

KnowBe4 reports every quarter on the top-clicked phishing emails. Here we have the results for Q4 2018. We track three different categories: general email subjects, those related to social media and ‘in the wild’ attacks. The results come from a combination of the simulated phishing email subject lines used by our customers as well as from the millions of users that click our no-charge Phish Alert Button to report suspicious emails to their IT Incident Response team.

Trends That Persisted Throughout 2018

In reviewing the Q4 2018 most clicked subject lines, trends were easily identified; five subject line categories appeared quarter-over-quarter throughout 2018, including:

  • Deliveries
  • Passwords
  • Company Policies
  • Vacation
  • IT Department (in-the-wild)

Additionally, three “in-the-wild subject lines” were clicked three out of four quarters and included Amazon, Wells Fargo and Microsoft as keywords.

The Subject Lines Tell Us Users Are Concerned About Security

“Clicking an email is as much about human psychology as it is about accomplishing a task,” said Perry Carpenter, chief evangelist and strategy officer at KnowBe4. “The fact that we saw ‘password’ subject lines clicked four out of four quarters shows us that users are concerned about security.

Likewise, users clicked on messages about company policies and deliveries each quarter showing a general curiosity about issues that matter to them. Knowing this information gives corporate IT departments tangible data to share with their users and to help them understand how to think before they click.”

Here is the full InfoGraphic of top subjects in all categories for the last quarter, the top 10 most-clicked general email subjects in Q4 2018, and most common ‘in the wild’ attacks during that period.

Read the full report here. 


FBI Warning: Hackers don’t stop for the Holidays

The FBI has released a warning about a fraudulent email scam, just in time for the holidays. According to the release, “The emails claim to be from one of three shipping businesses and claim that a package intended for the email recipient cannot be delivered. The messages include a link that recipients are encouraged to open in order to get an invoice to pick up the package, however, the link connects to a site containing malware that can infect computers and steal the user’s account credentials, log into the accounts to obtain credit card information, additional personal information, and learn about a user’s shipping history for future cyber attacks.

The messages may consist of subject lines such as: "Your Order is Ready for Shipment," "We Could Not Deliver Your Package" or "Please Confirm Delivery." The shipping companies say they do not send unsolicited emails to customers requesting information regarding packages, invoices, account numbers, passwords or personal information, and if you receive such a notice, don't respond. You should delete the email immediately or forward it to the company's listed contact email address. If your interaction with the website resulted in a financial loss you should contact your bank immediately."

I clicked! Now what?

We get it! Hackers are so good at creating emails that look very real, plus the timeliness of their messages – around the holidays –  could not be better. Many of us are waiting for packages to ship, wondering where the packages are, and hoping that they don’t get lost. If you click, you’ll probably know immediately that you messed up. The easiest way to check before you click is to hover over the link and see if the URL is one that you would trust. And then, just go to that URL and search for what you need – avoid clicking altogether.

If you do click, close the browser and use Task Manager to end the browser process. Shut down your system and reboot; this reduces the risk of the browser reloading that malicious page once you have restarted. Immediately report to your IT team, and they may recommend that you clear your cache and scan your hard drive to check for malware.

Consider reporting the malicious email you received to the FBI through their Internet Crime Complaint Center (IC3). Start here: https://www.ic3.gov/default.aspx. The US is constantly being targeted by nation-state hackers and the FBI needs our help as consumers to help them learn more about these hackers and how they can protect us.

Our partner KnowBe4 has a free tool that allows your IT department (or Cybriant if you want us to manage it) to send you fake emails like the ones the FBI mentions just to see how many users at your company would click on those emails. It’s not a malicious email, so the only outcome will be that users that click on the fake emails may have to go through a little bit more security awareness training. After all, employees are the last line of defense if an email has gotten through all your organization’s firewalls, etc. Check out their free phishing security test here: https://info.knowbe4.com/phishing-security-test-partner?utm_medium=partnerurl&utm_source=Cybriant

Avoid it altogether

At Cybriant, we discuss the idea of having a layered approach to security when it comes to the overall cyber risk defense of our clients. Hackers will try to get into your organization from every angle possible, so you have to be prepared, and think like a hacker. Many of the breaches you read about are the result of a small thing, like a forgotten patch, that the hackers realized before the organization’s security team. That ‘small thing’ has resulted in millions of dollars of loss for many organizations. Here’s what we recommend:

  • Real-time Vulnerability Management
  • Responsive Patch Management
  • Endpoint Detection and Response
  • 24×7 SIEM with Security Monitoring


Partner for Sending Data Breach Notifications

Notifying customers of a data breach is an essential step to protecting their safety and security. It gives customers the opportunity to take the necessary steps to protect their accounts.

This includes changing passwords, monitoring account activity, or even utilizing password manager accounts for extra protection. In addition to improving customer security, data breach notifications provide an important reminder to companies about the risks associated with storing sensitive information online.

Letting customers know that you are paying attention and taking action can help maintain trust and prevent any potential losses due to malicious activity. Contact Cybriant if you need a trusted partner for data breach monitoring.