High Profile Phishing Attacks in the News and How Automation Can Help
In the past two weeks, several high profile phishing attacks have highlighted how even the most security-conscious and sophisticated organizations on the planet can be susceptible to phishing. In this post, we’ll look at three types of phishing attacks and will show how security automation can help the process of investigating and remediating once an attack has been identified.
Facebook and Google Conned Out of $100m in Phishing Scheme
In an April 28th article in the Guardian, Samuel Gibbs reports that “Not even two of the biggest US technology firms are safe from fraud, as the social network and the search company named as victims of sophisticated attack.”
In this attack the perpetrator, a Lithuanian man named Evaldas Rimasauskas, conducted the phishing campaign as follows, per the Guardian:
According to the criminal complaint, Rimasauskas posed as a computer hardware manufacturer by creating his own company, registered in Latvia, with the same name as a legitimate one in Asia.
For roughly two years, Rimasauskas “and others known and unknown” pretended to be employees or agents of the Asian company, according to the charges. They then sent phishing emails to representatives of the major tech firms, which regularly “conducted multimillion dollar transactions” with the manufacturer. The American firms followed the email instructions and wired tens of millions of dollars to bank accounts in Lithuania, Latvia, Cyprus, Slovakia, Hungary and Hong Kong.
This is a highly sophisticated, targeted attack that leverages social engineering more than technology. By targeting companies doing multi-million dollar transactions regularly and impersonating a legitimate supplier, the attacker was able to redirect over $100 million.
Since nothing malicious was dropped on the recipients’ machines, the only way for a detection system to flag the emails as suspicious would be to compare the sending domains against the trusted supplier domains and to look at domain authority. For instance, if Facebook’s accounts payable (AP) department frequently dealt with supplier1.tw and began seeing invoices from supplier1.lv, their detection systems could flag the sending domain as suspicious. An investigation of the domain name could then reveal that the knock-off domain was created only recently, a sign of fraud.
With a detection system in place that is capable of scanning emails for content, context, and domain authority, the system could send an alert to a security automation product to find out:
- Which email accounts received messages from the fraudulent domain
- What machines correspond to those email accounts
- Whether any attachments were downloaded or links were clicked
Given this information, security staff would be able to identify the population of employees who might be induced to wire funds, before any transfer happens.
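The triage described above, written out as an added example (this is not code from the original post or from any product it mentions). It answers the three questions in the list for every sender domain that imitates a trusted supplier, and adds the domain-age check from the AP example. Every input is constructed for the demonstration: the trusted supplier list, the registration dates (a real system would query registration data), the mail-gateway records, the mailbox-to-workstation map and the proxy click events. The lookalike test goes slightly beyond the post's supplier1.tw / supplier1.lv case by also catching a one-character difference in the base label.

```python
"""Lookalike-supplier-domain triage: an added example, not code from the original post.

Everything below is constructed for the demonstration: the trusted supplier list,
the domain creation dates (stand-in for a WHOIS/RDAP lookup), the mail-gateway
records, the mailbox-to-workstation map and the proxy click events.
"""
from datetime import date
from typing import Dict, Optional, Set
from urllib.parse import urlparse

# Supplier domains the accounts-payable team normally corresponds with (constructed).
TRUSTED_DOMAINS: Set[str] = {"supplier1.tw", "bigvendor.com"}

# Assumed registration dates for sender domains (constructed stand-in for a WHOIS/RDAP lookup).
DOMAIN_CREATED: Dict[str, date] = {
    "supplier1.tw": date(2009, 3, 12),
    "supplier1.lv": date(2017, 4, 2),
    "bigvendor.com": date(2004, 7, 1),
}

# Constructed mail-gateway records: (message id, sender address, recipient address).
MAIL_LOG = [
    ("m1", "billing@supplier1.tw", "ap.clerk@example.com"),
    ("m2", "billing@supplier1.lv", "ap.clerk@example.com"),
    ("m3", "billing@supplier1.lv", "ap.manager@example.com"),
    ("m4", "news@bigvendor.com", "ap.manager@example.com"),
]

# Constructed mailbox-to-workstation map and web-proxy click records (host, url).
MAILBOX_HOST = {"ap.clerk@example.com": "WS-0142", "ap.manager@example.com": "WS-0077"}
CLICK_EVENTS = [("WS-0142", "http://supplier1.lv/invoice-0417.pdf")]

NEW_DOMAIN_DAYS = 90  # registrations younger than this are treated as a fraud signal


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, so that single-character swaps such as 'supp1ier1' are caught."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def base_label(domain: str) -> str:
    """Label left of the TLD ('supplier1' for 'supplier1.tw'); simplified, no public-suffix list."""
    return domain.lower().rsplit(".", 1)[0]


def lookalike_of(sender_domain: str, trusted: Set[str]) -> Optional[str]:
    """Return the trusted domain that sender_domain imitates (same or near-identical base
    label under a different TLD), or None when the sender is trusted or unrelated."""
    sender_domain = sender_domain.lower()
    if sender_domain in trusted:
        return None
    for t in trusted:
        if edit_distance(base_label(sender_domain), base_label(t)) <= 1:
            return t
    return None


def triage(mail_log, trusted, created, mailbox_host, clicks, today: date) -> Dict[str, dict]:
    """For every lookalike sender domain: which mailboxes received mail from it, which
    workstations those map to, and whether any of those workstations fetched a link
    pointing at the domain. Also records how old the registration is."""
    findings: Dict[str, dict] = {}
    for _msg_id, sender, recipient in mail_log:
        sdom = sender.rsplit("@", 1)[1].lower()
        mimicked = lookalike_of(sdom, trusted)
        if mimicked is None:
            continue
        age = (today - created[sdom]).days if sdom in created else None
        f = findings.setdefault(sdom, {
            "mimics": mimicked,
            "age_days": age,
            "recently_registered": age is not None and age < NEW_DOMAIN_DAYS,
            "recipients": set(),
            "hosts": set(),
            "clicked": [],
        })
        f["recipients"].add(recipient)
        if recipient in mailbox_host:
            f["hosts"].add(mailbox_host[recipient])
    for sdom, f in findings.items():
        f["clicked"] = [(h, u) for h, u in clicks
                        if h in f["hosts"] and urlparse(u).hostname == sdom]
    return findings


if __name__ == "__main__":
    for dom, f in triage(MAIL_LOG, TRUSTED_DOMAINS, DOMAIN_CREATED,
                         MAILBOX_HOST, CLICK_EVENTS, date(2017, 5, 4)).items():
        print(dom, "mimics", f["mimics"], "| registered", f["age_days"], "days ago |",
              "recipients:", sorted(f["recipients"]), "| clicked:", f["clicked"])
```

The output of `triage` is the population the post talks about: the mailboxes and workstations that saw the lookalike domain, with the one host that actually fetched a link from it singled out for a closer look. The base-label comparison is deliberately simple; a production version would use a public-suffix list and tune the edit-distance threshold so that legitimately numbered suppliers (supplier1, supplier2) do not flag each other.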
Google Docs Users Hit with Sophisticated Phishing Attack
Yesterday afternoon, I received a phishing email that looked fairly run-of-the-mill.
As this doesn’t look like the email you receive when you’ve been shared on a Google Doc, it was pretty obvious that this was phishy. However, looking at the URL, you see:
Which looks legit, but then:
With that, we can see that it’s a legitimate OAuth authorization flow using Google Apps credentials. It mimics the familiar flow you go through when you’re signed out of your Google Apps account and need to log in, but by granting permission to this application masquerading as Google Docs, you are granting it permission to “view and manage your e-mail” and “view and manage the files in your Google Drive.” In short, if you click the link and agree to grant permissions, you are handing the attacker control of your email and of your files in Google Drive. Once permission is granted, the attack spreads by sending the same phishing email from the compromised account.
On the surface, this attack looks like a self-replicating email takeover scheme. Once granted access, the attacker:
- Has full access to all of your emails, letting them send additional messages to everyone in your contacts.
- Can send emails with links to command-and-control (C2) addresses and attachments carrying malware payloads
- Can initiate password resets and then delete the corresponding emails so you will never know
- Can access any other application linked to your address that does not have two-factor authentication enabled
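What a mail security tool can do with the link behind such a “share” button is inspect the authorization request itself before anyone clicks “Allow”. The following is an added example, not code from the original post or from Google: it pulls the client ID, redirect host and requested scopes out of an OAuth authorization URL and explains the grant in reviewer terms. The sample URL, its client_id, the redirect host and the approved-client list are constructed placeholders; the authorization endpoint and the scope strings are Google’s public identifiers, used here only so the scope descriptions are accurate.

```python
"""OAuth consent-link inspection: an added example, not code from the original post.

Given the link behind a button such as "Open in Docs", report what a user who
clicks "Allow" would actually grant. The client_id, redirect host and approved
list are constructed placeholders; the scope strings and the authorization
endpoint are Google's public ones.
"""
from typing import Any, Dict, List
from urllib.parse import parse_qs, urlparse

# Scopes that hand over a whole mailbox or file store (Google's public scope identifiers).
BROAD_SCOPES = {
    "https://mail.google.com/": "full read, send and delete access to Gmail",
    "https://www.googleapis.com/auth/drive": "full access to every file in Google Drive",
    "https://www.googleapis.com/auth/contacts": "read and write access to contacts",
}

# Vendor brand words a third-party app's redirect host should not carry (constructed list),
# and the suffixes under which those words are legitimate.
BRAND_WORDS = ("google", "gmail", "gdrive")
FIRST_PARTY_SUFFIXES = (".google.com", ".googleusercontent.com")

# client_ids the organization has reviewed and allowed (constructed placeholder value).
APPROVED_CLIENT_IDS = {"000000000000-approved.apps.googleusercontent.com"}

# Constructed example of the kind of consent URL such an email links to.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=999999999999-placeholder.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fgoogledocs.placeholder-example.net%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
)


def parse_consent_request(url: str) -> Dict[str, Any]:
    """Pull the fields that decide what is being granted out of an authorization URL."""
    u = urlparse(url)
    q = parse_qs(u.query)  # '+' and %20 inside the scope parameter both decode to spaces
    redirect = q.get("redirect_uri", [""])[0]
    return {
        "endpoint": f"{u.scheme}://{u.netloc}{u.path}",
        "client_id": q.get("client_id", [""])[0],
        "redirect_host": urlparse(redirect).hostname or "",
        "scopes": q.get("scope", [""])[0].split(),
    }


def assess(req: Dict[str, Any], approved: set) -> Dict[str, Any]:
    """Explain, in reviewer terms, why this consent request is or is not risky."""
    reasons: List[str] = []
    unapproved = req["client_id"] not in approved
    if unapproved:
        reasons.append(f"client_id {req['client_id']} is not on the approved-app list")
    broad = False
    for scope in req["scopes"]:
        if scope in BROAD_SCOPES:
            broad = True
            reasons.append(f"requests {scope}: {BROAD_SCOPES[scope]}")
    host = req["redirect_host"]
    if host and not host.endswith(FIRST_PARTY_SUFFIXES) and any(w in host for w in BRAND_WORDS):
        reasons.append(f"redirect host {host} carries a vendor brand name but is not a vendor domain")
    risk = "high" if (broad and unapproved) else ("medium" if reasons else "low")
    return {"risk": risk, "reasons": reasons}


if __name__ == "__main__":
    verdict = assess(parse_consent_request(SAMPLE_URL), APPROVED_CLIENT_IDS)
    print("risk:", verdict["risk"])
    for reason in verdict["reasons"]:
        print(" -", reason)
```

The display name the user sees on the consent screen (“Google Docs” in this case) is not in the URL, so the check leans on what is: an unreviewed client, mailbox- and drive-wide scopes, and a redirect host that borrows a brand name without belonging to the brand. Any one of those is worth a closer look; all three together is the pattern described above.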
Luckily, a reddit user spotted the attack early, and a Googler saw the post and was able to shut down the attack in a few hours, removing the fake “Google Docs” app, and revoking any permissions granted. The attack seems to have been limited to self-replication, and was shut down before the attacker could use their privileged access to spread anything malicious.
From the @GoogleDocs Twitter Account:
(1 of 3) Official Google Statement on Phishing Email: We have taken action to protect users against an email impersonating Google Docs…
— Google Docs (@googledocs) May 3, 2017
(2 of 3) & have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team…
— Google Docs (@googledocs) May 3, 2017
(3 of 3) is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.
— Google Docs (@googledocs) May 3, 2017
What’s surprising is that Gmail’s built-in AV capabilities missed the redirect and allowed the obfuscated URL to land in the inbox. What’s more surprising is that Google lets third-party app developers create an app named “Google Docs”.
As stated earlier, this attack seemed to have too short of a shelf life to spread any malware or even send links to compromised URLs. However, in the case where an organization’s detection systems spotted the phony URL, they could send an alert to an automation tool to investigate any machine that clicked on the link in order to be sure nothing was downloaded or executed.
Update: As of this morning, a university student claims that the attack was a test and not a phishing attempt. Via NakedSecurity.
The Exceptions That Prove the Rule: More Common Attacks
While it’s interesting to look at the most sophisticated attempts that target specific companies and gain full access to Google Apps credentials, these are edge cases. If your organization isn’t using Google Docs or dealing with multinational suppliers, the above two cases wouldn’t apply. However, looking at the statistics around phishing attacks shows that most phishing attempts are a numbers game. More smash and grab, less Mission:Impossible.
- 97% of phishing emails use a form of ransomware. The share of phishing emails containing a form of ransomware grew to 97.25% during Q3 2016, up from 92% in Q1 2016. Source: PhishMe 2016 Q3 Malware Review
- 78% of people claim to be aware of the risks of unknown links in emails. And yet they click anyway. 78 percent of participants stated in a questionnaire that they were aware of the risks of unknown links. In the first group tested with a mock phishing email, 20% of people said they clicked the link in the email but 45% actually clicked. In the second group tested, 16% of people said they clicked the link in the email but 25% actually clicked. Source: Barkly.
- 95% of phishing attacks that led to a breach were followed by some sort of software installation. Cybercriminals rarely fit the Hollywood profile. They’re opportunistic, using scattergun techniques like phishing to trawl for weak points that they can use as a foothold to launch their attack. And their intent is rarely world domination; it’s normally just money.
In fact, in the vast majority of phishing attacks, email is used as an entry point to get a user to execute malware, either from an attachment or by clicking a link and installing malware from a remote site.
Here, security automation can be a massive advantage. Whenever attackers are using automation, the best response is automation. Let’s take a look at how automation can help investigate and remediate the most common and prevalent phishing attacks: