Today a small business owner became the victim of a phishing attack and almost lost access to their email account including:
- Bank emails
- Personal communications
- Professional communications
Because email is a critical step in changing a user’s password, if the owner had not acted quickly enough they may also have lost control of their bank accounts, credit card accounts, social media accounts, online shopping and brand reputation. Thankfully, although this story involved a great deal of stress, worry and anxiety, it appears to have a happy ending so far.
How Did the Attack Happen?
Deception: The Initial Attack Vector
An email from one of the business owner’s larger customers was the initial attack vector. That customer’s computers were hacked and their email system compromised. The hacked computer then sent out emails to all the customer’s contacts including the victim. Consequently, the victim received a “purchase order” email from the hacked computer:
Nothing about the message was flagged by any email, spam, or antivirus software or filter. Why not? In its individual parts, the email seems completely benign:
- The message came from a legitimate address and the receiver had a long-term relationship with the sender.
- Fax.com is a legitimate fax-email gateway website.
- The “Click to Review Fax Document” is a link to a Canva document but there’s nothing suspicious about sending someone a Canva link.
In hindsight, there are some things that are a bit odd:
- The “Purchase Order”, which implies that new products are to be ordered from the message recipient, has a subject line referring to a shipping order, which suggests instead that products are being sent to the message recipient.
- The From: address field is the same as the To: address field.
- Canva is a SaaS site that allows users to make slide decks and presentations much like Microsoft PowerPoint. It is unusual that a link to download a fax document actually points to a Canva document, but few of us hover over a link to see where it goes before clicking on it.
In summary, none of these oddities is glaring enough to evoke strong concerns that the message might be a fake, and it is human nature to suspend such scepticism when we believe we are dealing with someone we know.
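The hindsight checks above (From: identical to To:, and a link whose real destination is not where its text suggests) can be automated so the machine does the “hovering”. This is an added example, not code from the original post: it uses only Python’s standard library on a constructed message modelled on the one described; the addresses, link targets and the allowlist of expected hosts are placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the "purchase order" email described above;
# the addresses and link targets are placeholders, not the real ones.
SAMPLE_EMAIL = """\
From: "Big Customer Inc" <orders@customer.example>
To: "Big Customer Inc" <orders@customer.example>
Subject: Shipping Order #1234 - Purchase Order attached
Content-Type: text/html; charset=utf-8

<html><body><p>Please see the purchase order below (sent via <a href="https://fax.com">Fax.com</a>).</p>
<a href="https://www.canva.com/design/PLACEHOLDER/view">Click to Review Fax Document</a></body></html>
"""
# Hosts a link from this sender would normally point at (assumed allowlist).
EXPECTED_HOSTS = {"fax.com", "www.fax.com", "customer.example"}

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every anchor: what hovering would show."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def triage(raw, expected_hosts=EXPECTED_HOSTS):
    """Run the hindsight checks from the text and return a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0].addr_spec.lower()
    recipient = msg["To"].addresses[0].addr_spec.lower()
    if sender == recipient:  # From: identical to To: is a red flag
        findings.append(f"From and To are the same address ({sender})")
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for text, href in collector.links:  # where does each link really go?
        host = (urlparse(href).hostname or "").lower()
        if host not in expected_hosts:
            findings.append(f"link '{text}' leads to unexpected host {host}")
    return findings
```

Running `triage(SAMPLE_EMAIL)` flags both oddities; the Fax.com link passes because its host is on the allowlist.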
The Lure: Innocent Steps
The “Click to Review Fax Document” link took the recipient to a perfectly natural looking screen for downloading fax documents…
Except it wasn’t. It was a slide in Canva doctored to look like a fax download website. The “–>CLICK HERE TO PREVIEW FULL PDF” button points to an off-site web address with the strange URL https://qss.vfdfvwdwdwfvfd.repl.co. At the time of this writing, this URL is not listed on any domain blacklist site and would not be flagged by a DNS Firewall.
The Trap: Inviting the Victim to Commit
This qss.vfdfvwdwdwfvfd.repl.co site invited the user to enter their email credentials to access the files they thought contained the purchase order (which, unfortunately, they did):
Again, it is a credible-looking web page (ignoring the Â character in the copyright line). Enter your email credentials and they are sent to yet another domain: kaos.dyndns.dk.
This is where things can get interesting:
- Microsoft Edge and Apple Safari (which is the browser used by the victim) provided no warning and let the user click through and give up their email password.
- In subsequent tests using Chrome or Firefox, Google Safe Browsing warned that the destination domain of this screen, kaos.dyndns.dk, is a known malware site and prevented the credentials from being shared.
- Further testing revealed that even when using Edge or Safari, if the victim had subscribed to a DNS Firewall, the attack would have failed. The victim did not subscribe to a DNS Firewall.
- Norton 360 did not warn me at any step in this process that I was at risk. The victim, who used a free version of Malwarebytes, was also not provided with any warning by their software.
Lessons to Learn
In this time of COVID, it is easy to get complacent about computers and email. The number of attacks is up because malefactors know this and work to exploit our weaknesses. There are a number of reminders here from which we can all benefit:
- Phishing attacks can happen to any of us, and probably will in time.
- Never use the same password for more than one site. For example, if you use the same password for your email as you do for your bank, you’re asking for a world of hurt. It’s much better if, when one account is compromised, you only need to change one password.
- If you are ever attacked (or even think you might be), change all your email passwords first, then all your banking and financial site passwords, and then all the rest.
- Use multiple layers of protection:
  - A DNS firewall could have stopped this attack no matter which browser the victim used. It is a cost-effective option to protect an entire office location or home.
  - While antivirus software was not effective in this case, be sure you have a good, robust, paid antivirus package on your computers. I know that some will say that free is good enough, but I would argue that free offerings are not updated and do not adapt quickly enough. Keep your operating system patched to the current level as well.
  - Have a documented and understood plan for how to respond to an attack when an employee clicks on the trap and shares their identity or email credentials with a hacker. In these cases, response time is critical if you want to minimize the damage.
- Be preventative, not reactive. There are plenty of technologies that can prevent or mitigate these attacks, but they only work if put in place before an attack. They include:
  - Making sure your email domain has SPF and DMARC records installed.
  - Considering the use of a DNS Firewall.
  - Backing up your documents and email so you can recover older versions if your system is ever hacked.
  - Using a password safe to manage your passwords safely and securely while making sure that they are hard to guess.
  - Training software for staff, which is available to help employees identify phishing attacks and understand how to prevent them.
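“Installed” is not enough for SPF and DMARC; a record with `?all` or `p=none` exists but protects nobody. Here is an added example (not from the original post) that checks SPF and DMARC TXT record strings for the weak settings a domain owner should avoid; the domain smallbiz.example and the sample records are constructed.

```python
# Constructed example records for the hypothetical domain smallbiz.example;
# the weak variants show the settings this check is meant to catch.
SPF_WEAK = "v=spf1 include:_spf.google.com ?all"
SPF_GOOD = "v=spf1 include:_spf.google.com -all"
DMARC_WEAK = "v=DMARC1; p=none"
DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc@smallbiz.example; pct=100"

def check_spf(record):
    """Return a list of weaknesses in an SPF TXT record (empty if it looks sound)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    problems, qualifier = [], None
    for term in terms[1:]:
        if term.lstrip("+-~?").lower() == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is pass
    if qualifier is None:
        problems.append("no 'all' term: unlisted senders are not rejected")
    elif qualifier == "+":
        problems.append("'+all' authorises every sender on the internet")
    elif qualifier == "?":
        problems.append("'?all' is neutral, so forged mail is not penalised")
    return problems

def check_dmarc(record):
    """Return a list of weaknesses in a DMARC TXT record (empty if it looks sound)."""
    tags = {}
    for part in record.split(";"):  # DMARC is a semicolon-separated tag=value list
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record: must start with v=DMARC1"]
    problems = []
    disposition = tags.get("p", "").lower()
    if disposition not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= policy tag")
    elif disposition == "none":
        problems.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        problems.append("no rua= address, so aggregate reports are never received")
    return problems
```

Both functions return an empty list for the GOOD records and name each weakness in the WEAK ones.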