[BreachExchange] Plenty of Phish in the Cc

Destry Winant destry at riskbasedsecurity.com
Tue Dec 3 10:12:30 EST 2019


We recently released our latest Data Breach QuickView Report for Q3
2019, and there are a few things that stand out.

There were 5,183 breaches reported in the first nine months of 2019
exposing 7.9 billion records.
Compared to Q3 2018, the total number of breaches was up 33.3% and the
total number of records exposed more than doubled, up 112%.
In Q3 alone, six breaches exposed 100M or more records, accounting for
3.1 billion records exposed between July 1st and September 30th.

Over the past years, the number of records being exposed on the web
has reached astronomical amounts, and in many cases a single event can
be the source of millions of records exposed. The breach landscape has
changed radically over the past years, but some trends remain
unchanged since we began this report in 2011. Malicious actors are
still seeking opportunities to make a fast buck, and hacking is still
the top breach type with the majority of attacks coming from outside
the organization.

As we look over 2019, we have continuously found evidence that
organizations, in a way, help hackers out. It is commonplace to read
about how organizations have misconfigured databases and services,
leaving millions of sensitive records out in the open, or that
employees continue to fall for phishing campaigns that provide
malicious actors with a toehold into their systems. Human nature,
coupled with weak controls, has contributed heavily to the number and
severity of breaches that were reported in our QuickView report.

I am a Nigerian Prince

Nowadays, many organizations require their workforce to take some form
of educational session about computer security, no doubt causing many
eyes to roll. When you have the boilerplate phishing script in mind,
it seems incredible that people ever fall for it, so it’s not
surprising that being told “don’t click this” sometimes falls on deaf
ears. Everyone seems to have a Nigerian prince in their network with
millions of dollars to hand out, if they can just help with a few
small transaction fees.

However, 7.9 billion records have been exposed in the first nine
months of 2019 and we are on track to reach as high as 8.5 billion
records for the year. Approximately 80% of breaches reported this year
have confirmed data exposure with additional research supporting that
attackers prefer email addresses and passwords to aid them in their
attempts. Why is this? Because it is much easier to find an opening
with keys in hand rather than trying to forcibly break in.

Who falls for these things? You have to be naive, right? The
stereotypical phishing campaign is laughable at best. Yet these mails
keep coming in because enough people click to make it profitable.

Everyone is at Risk, Even Risk Based Security

Every organization is bound to get a malicious email, us included.
Within the last few months we have been sent dozens of emails that
have attempted to impersonate our CEO, Barry Kouns. Since we are a
security company, our researchers wanted to determine if we were being
targeted or whether this was just a spray-and-pray attempt at random
companies to see who would fall for it.

It didn’t take our team of researchers much analysis, or any
consultation with upper management, to conclude that this email is
indeed fake. Joking aside, the prose of the email, as well as its
grammar, is a dead giveaway of this message’s malicious intent.
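The giveaways in a CEO-impersonation mail (a familiar display name on a foreign address, replies steered to a different mailbox, gift-card wording) can be checked mechanically before anyone has to rely on their eye for grammar. The following triage script is an added example, not code from Risk Based Security or from the original post; the organisation domain, the lure wording list and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"          # assumed: the organisation's own mail domain
EXECUTIVE_NAMES = {"barry kouns"}   # display names attackers like to borrow
LURE_PATTERNS = [                   # assumed wording typical of gift-card scams
    r"gift\s*cards?",
    r"\bare you available\b",
    r"\bsend me the codes?\b",
]


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _normalise_name(name):
    """Strip punctuation and case so 'Barry  Kouns.' matches the watch-list."""
    return re.sub(r"\s+", " ", re.sub(r"[^a-z ]", "", name.lower())).strip()


def _plain_text(msg):
    """Concatenate the text/plain bodies, decoding with each part's charset."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyse(raw):
    """Return a list of human-readable findings; an empty list means no signal."""
    msg = message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    # Signal 1: an executive's name on an address outside our own domain.
    if _normalise_name(from_name) in EXECUTIVE_NAMES and from_domain != ORG_DOMAIN:
        findings.append(f"display name '{from_name}' is an executive but sender domain is {from_domain}")

    # Signal 2: replies are routed to a different domain than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to} routes replies away from sender domain {from_domain}")

    # Signal 3: gift-card / urgency wording in the body.
    text = _plain_text(msg).lower()
    lures = [p for p in LURE_PATTERNS if re.search(p, text)]
    if lures:
        findings.append("lure wording matched: " + ", ".join(lures))
    return findings


# Constructed sample messages (reserved example domains, not real mailboxes).
SUSPECT = """\
From: Barry Kouns <barry.kouns.ceo@example.net>
Reply-To: ceo.office@example.org
To: staff@example.com
Subject: Quick task

Are you available? I need you to pick up some gift cards for a client today.
"""

LEGIT = """\
From: Barry Kouns <barry@example.com>
To: staff@example.com
Subject: Q3 report

The Q3 QuickView report is out, please review the summary.
"""

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(label, analyse(sample) or "no findings")
```

Treat the output as triage signals rather than verdicts: ticketing systems and newsletters legitimately set a foreign Reply-To, so the value is in the combination of findings on one message, not any single one.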

Fight Fire with Fire: Operation Phish in the Cc

In order to get more information, one of our researchers created a
fake account and reached out to the scammer. He provided them a phone
number and went along with the scheme. Within a few minutes, via SMS,
the scammer was asking for the employee to purchase Wal-Mart gift
cards and send the gift card codes back to them.

Our researcher told the scammer(s) that he had unfortunately run out
of data on his phone plan and that he would need to email the pictures,
to which they agreed. Our researcher then created a PDF canary token
and sent it via email to the other email address ‘Barry’ provided, in
order to determine the approximate location of the scammer. Once he
sent the loaded PDF our researcher got an alert that they had opened
the file.

Following this alert, our researcher reached out to the scammer(s) for comment:

"Do you think we are that dumb?

A Risk Based Security researcher"

Their spokesperson did not respond unfortunately.

Keep in mind, that is just a DNS server, not the actual IP of the
scammer. Risk Based Security is an ethical company so the PDF was
blank. However, like most email links, it could have contained
anything (including malicious code). The point is that they fell
victim to the same attack they tried on us. If we really wanted to, in
our researcher’s words, we “could have owned them.”
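The canary token used above, and the caveat that a DNS-triggered alert only shows a resolver's address, both come down to the same mechanism: a unique beacon per recipient and a listener that turns the callback into an alert. The sketch below is an added example and not Risk Based Security's tooling or any commercial canary service; the beacon hostname, the token registry and the WSGI endpoint are assumptions, and the PDF itself is left out because only the URL it would carry matters here.

```python
import datetime
import secrets
from wsgiref.simple_server import make_server

BEACON_HOST = "canary.example.invalid"   # assumed: a domain you control


class CanaryRegistry:
    """Issues per-recipient tokens and records who triggered which one."""

    def __init__(self):
        self._tokens = {}    # token -> label of whoever received the document
        self.alerts = []     # alerts in the order they arrived

    def issue(self, label):
        """Mint an unguessable token tied to one recipient or one document."""
        token = secrets.token_urlsafe(16)
        self._tokens[token] = label
        return token

    def beacon_url(self, token):
        """The URL to embed in the document (e.g. as a remote image or link)."""
        return f"http://{BEACON_HOST}/t/{token}"

    def record_hit(self, token, remote_addr, channel="http", user_agent=""):
        """Return an alert dict, or None for tokens we never issued."""
        label = self._tokens.get(token)
        if label is None:
            return None   # scanner noise or a typo, not one of ours
        alert = {
            "label": label,
            "channel": channel,
            "observed_addr": remote_addr,
            "user_agent": user_agent,
            "when": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            # A DNS-triggered token reports the recursive resolver that looked
            # the name up, not the machine that opened the file.
            "addr_is_resolver": channel == "dns",
        }
        self.alerts.append(alert)
        return alert


REGISTRY = CanaryRegistry()


def app(environ, start_response):
    """Minimal WSGI endpoint: GET /t/<token> records a hit, everything else is ignored."""
    path = environ.get("PATH_INFO", "")
    if path.startswith("/t/"):
        # REMOTE_ADDR is what the socket saw; only trust X-Forwarded-For
        # if this sits behind a proxy you operate yourself.
        REGISTRY.record_hit(
            path[len("/t/"):],
            environ.get("REMOTE_ADDR", "unknown"),
            channel="http",
            user_agent=environ.get("HTTP_USER_AGENT", ""),
        )
    # Answer identically for live and dead tokens so a probe learns nothing.
    start_response("204 No Content", [("Content-Length", "0")])
    return [b""]


if __name__ == "__main__":
    tok = REGISTRY.issue("reply-address-from-the-scam-mail")
    print("embed this URL in the document:", REGISTRY.beacon_url(tok))
    with make_server("127.0.0.1", 8080, app) as httpd:
        httpd.serve_forever()
```

One token per recipient is what makes the alert attributable; reusing a token across documents tells you something was opened but not by whom. The `addr_is_resolver` flag is the code form of the post's caveat: an HTTP callback gives you the opener's egress address, a DNS lookup gives you their resolver.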

What Happens if They Aren’t Gullible?

Despite the former example, not every phishing attempt is unpolished
and we have seen our share of attempts that are seemingly passable to
an untrained eye, with some being very convincing.

Since the release of our Mid-Year QuickView report we have seen a
massive uptick in ‘fake’ websites claiming to provide a copy of our
own report and they are specifically designed to bypass Google search

In this example, the website seems legit on a first pass but then
suddenly redirects to a page with a fake window notifying that an
Adobe Flash Player update needs to be downloaded. Even though this
attempt is noticeable, to someone stressed out and on-the-go, this may
seem real. But if you inspect certain elements on the page such as the
URL and a small grammatical mistake in the pop-up, you can see that
the update window on the page is a fake.

A second attempt (and site) was much more convincing. The website
affiliated with this scheme comes from a plausibly named “security”
domain name, so on inspection, you think to yourself, “this could be a
real site”.

In addition to the domain name, this window replicates the elements of
a Mac OS update almost perfectly; the update button even properly
changes color on mouse-over. However, the minimize button does not
respond which gives this attempt away. With only very subtle clues, it
is no surprise that these types of attack enjoy success.

Attackers Shouldn’t Be the Only Ones Adapting

Attackers are constantly adapting their phishing attempts and
organizations need to be prepared. One mistake could be the catalyst
that exposes thousands, or millions, of records into the hands of
malicious actors, and it is the duty of organizations to do their best
in protecting sensitive data.

It might seem mundane at times, but make sure to check every detail of
an email or web-page you visit on a work system. Sometimes even
legitimate sources seem suspect, but it is better to be safe than
sorry. Let’s do our part in ensuring that malicious actors cannot get
a toehold into systems through carelessness.
