Dissecting a successful phishing attack

After several years of successful defense against constant phishing attacks, a company I represent finally fell victim. An email link was clicked, credentials were stolen, an account was compromised, and money we were originally owed fell into the wrong hands. Too often I’ve read all about this type of scam, thinking of ways we can avoid problems, but after it happened I was truly struck by the competency of the attacker(s) and their ability to think and act quickly. One moment of weakness and a click on the part of one employee set the whole fiasco in motion.

The company was an indirect victim here; one of our accounts was used as a ‘vehicle’ for the scam. The actual victim was a company that we do business with. The attacker, after stealing the credentials of our employee, used them to log in to the cloud email account and began reading the emails. (We use a cloud-based system for email access; let’s just say you’ve heard of them and probably use them too.) The attacker found a financial exchange about to take place and inserted themselves into the email conversation, impersonating our end-user. Email rules were set up to redirect any messages from the victim to an unseen folder instead of the inbox, so our employee saw no communication at all from the victim. Any messages sent by the attacker, and any other email trail, were quickly deleted by the attacker so we would not become suspicious. So, in reality, our employee kept using email without a clue that someone else was logged in to the account.

The attacker then emailed the victim (within a few hours of the initial phish) with a story that our wire address had changed because of some ‘suspicious activity’ or ‘bad checks’ on our bank account, and quickly gave them a new bank routing number and other pertinent info. There was a ‘slight’ change in the look of the email signature (Red Flag #1), but other than that it looked legit. The new bank was in a Middle Eastern country (Red Flag #2) where we do not do business (Red Flag #3).

The victim had trouble with the new banking info and could not use it. The attacker kept pushing and pushing (Red Flag #4) to have them try again. Finally the victim replied via email (again intercepted by the bad guy). They were getting suspicious at this point, and the whole thing looked like it was going to come crashing down. They asked if there was someone else in the finance department they could talk to about this bad banking information. (Nice work! Ask to talk to someone else at the company!)

With me so far? This is where it gets interesting.

The attacker had another tool in their arsenal aside from being shameless, deceitful and good at social engineering: a look-alike domain. A look-alike domain is an internet domain that looks very similar to another domain. For example, moor.com looks a lot like rnoor.com, but notice the ‘m’ is replaced by an ‘r’ and an ‘n’. In this case the attacker registered the look-alike domain around the same time they started phishing, probably fully aware it could come in handy to impersonate another employee in our company.

Another fake email was sent from this look-alike domain, spoofing an employee associated with our finance department, giving full validation to the lies, and offering a different bank and routing number, this time at a domestic bank. Replies to the new spoofed address went to the look-alike domain (Red Flag #5: check your reply-to addresses!), keeping everyone right where they wanted them, clueless. This time the bank info was good, and money was wired.
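Both of the last two red flags can be checked mechanically at the mail gateway or in a mailbox audit. The following is an added example, not code from the original post: it parses a constructed message, extracts the From and Reply-To domains, and flags a Reply-To that differs from From or that collapses to one of your own domains once visually confusable letter pairs (such as ‘rn’ for ‘m’) are normalized. The trusted-domain set and the confusable table are assumptions chosen for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Letter sequences that render almost identically in common fonts (assumed table).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def canonical(domain: str) -> str:
    """Collapse confusable sequences so a look-alike compares equal to the real domain.
    This is lossy on purpose: both sides are canonicalized before comparison."""
    d = domain.lower().strip()
    for seq, repl in CONFUSABLES:
        d = d.replace(seq, repl)
    return d


def domain_of(header_value: str) -> str:
    """Return the domain part of an address header value, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str, trusted_domains: set) -> list:
    """Return human-readable findings for one raw RFC 5322 message (empty = clean)."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    trusted_canon = {canonical(t): t for t in trusted_domains}
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        if not dom or dom in trusted_domains:
            continue  # absent, or genuinely one of ours
        if canonical(dom) in trusted_canon:
            findings.append(f"{label} domain {dom} looks like trusted {trusted_canon[canonical(dom)]}")
    if from_dom and reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return findings


# Constructed sample: From shows the real domain, Reply-To points at the look-alike.
SAMPLE = """From: Finance <finance@moor.com>
Reply-To: Finance <finance@rnoor.com>
Subject: Updated wire instructions

Please use the new routing number below.
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE, {"moor.com"}):
        print("FLAG:", finding)
```

Run against a mailbox export, the same check also catches look-alikes in the From header of the second fake email the post describes.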

Nearly a week had gone by when our employee was in his email and noticed a draft message go to his outbox, then disappear. He became suspicious and called the help desk, who contacted the security guy, who had him change passwords immediately. That kicked out the bad guy, but was just the start of the incident response, cleanup, and post-mortem. I immediately suspected a phishing attack because credentials are so easily stolen that way.

Getting the money back after the wire was improbable, as too much time had gone by before the victim became aware of the scam. Authorities were contacted (IC3 and FBI). My association with InfraGard (www.infragard.org) was truly helpful in this situation, as it gives you instant recognition from the FBI and direct access to a Special Agent who works these types of cases. The report I sent will be compared with others, and maybe some of that information will help catch this thief.

Looking back, there were many ways this could have been prevented. Doing all of your business through email, especially financial business, is dangerous. Always use the phone to verify financial info, never email. Have a verification process and a safe procedure for sending money via wire; this will help protect against phishing. Watch for pushy and/or emotional emails demanding you hurry, try again, or anything else to drive your emotions up, because that is where your logic goes down. Again, I know the technology is almost 150 years old, but it still works! Pick up the phone and call!
