Not all security breaches can be blamed on hackers trawling the Internet day and night for flaws. Sometimes it’s the funny cat video, the Ukrainian bride waiting for you, or the mystery package delivery you missed.
In terms of basic content, today’s phishing attacks are as simple as they were 5 years ago; the only difference is that spammers no longer use plain-text emails but have switched to HTML so their messages look more enticing and realistic to the victim. Let’s dive a little deeper…
A common method of phishing is hiding the intended URL with hyperlinks, or using commonly known shortening services such as https://tinyurl.com/ or https://bitly.com/. The example below is one we recently received from “Vodafone”:
The email is baiting the victim into clicking on a shortened URL. It is exceptionally unlikely that a company would send out shortened URLs, so just ignore these emails! However, for those who want to probe a little deeper, it is possible to quickly check the links without subjecting yourself to compromise by using a URL expander such as http://longurl.org or http://knowurl.com. The URL expands to a much more recognizable link, indicating that an executable file awaits the user’s download – http ://188.8.131.52/wp-content/themes/f679RqP75G.exe
In the case of a spoofed hyperlink, users should always hover over the link with their mouse to identify the final destination. Take for example this Google Drive phishing link:
It is clear from hovering over the link that the intended address is not what is displayed to the user.
On mobile devices such as iOS or Android, simply pressing and holding down on the URL will bring up a submenu – also indicating what the real URL is:
This quickly identifies the link as a phishing attack since the actual intended address is http ://184.108.40.206:8080/ae38x2aejm
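The three checks described above (a shortening service, a raw IP address as the real destination, and display text that does not match the href) can be automated over an HTML email body. The script below is an added example, not part of the original post; the sample message, the 203.0.113.10 documentation address and the shortener list are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample e-mail body (not from the original post); 203.0.113.10 is a documentation address.
SAMPLE_HTML = """
<p>Your bill is ready: <a href="https://tinyurl.com/abc123">View bill</a></p>
<p>Shared file: <a href="http://203.0.113.10:8080/ae38x2aejm">https://drive.google.com/file/d/1x2y3z</a></p>
<p>Support: <a href="https://www.example.com/support">www.example.com/support</a></p>
"""
SHORTENERS = {"tinyurl.com", "bit.ly", "bitly.com"}  # extend with other services you see
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

class LinkExtractor(HTMLParser):  # collects (href, visible text) for every <a> tag
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):  # lower-cased host of a URL; a bare 'www.x.com/y' string is accepted too
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def check_link(href, text):  # reasons a link looks suspicious (empty list if none)
    reasons, host = [], host_of(href)
    if host in SHORTENERS:
        reasons.append("shortened URL")
    if IPV4.match(host):
        reasons.append("raw IP address as host")
    if href.lower().split("?")[0].endswith(".exe"):
        reasons.append("links to an executable")
    # Spoofed hyperlink: visible text looks like a URL but its host differs from the real one
    if "." in text and " " not in text and host_of(text) != host:
        reasons.append(f"shown as {host_of(text)} but really goes to {host}")
    return reasons

def scan_email(html):  # map each href in the message to its list of warnings
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}
```

Run `scan_email(SAMPLE_HTML)` to see the tinyurl link and the spoofed Google Drive link flagged while the honest support link returns no warnings.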
Let’s take a look at the tinyURL hiding the potentially malicious executable file: http ://220.127.116.11/wp-content/themes/f679RqP75G.exe
It is always good practice to scan a file before doing anything with it. Virustotal.com identified the file as a Trojan variant with a detection rate of 22/40, but how dangerous is this?
Upon execution, the file removed itself immediately but started a background process called ‘unyen.exe’. Looking at the strings in its memory, it is obvious that further calls to external resources are made, some of them to legitimate websites which seem to have been compromised!
A constant I/O stream with bursts of network activity gives a pretty good indication that the software is slowly gathering user data and occasionally sending it back, encrypted, to the C&C server. The following diagram shows a quick overview of the infiltration, exploitation, and exfiltration process this specific variant has adopted:
Not all attacks are designed to harvest user data or disrupt day-to-day business. Sometimes they’re just for personal gain such as bragging rights, or for financial gain if an attacker can get hold of an internal document or a list of emails they can sell on. And sometimes your machine becomes a sleeping zombie in a gargantuan botnet, waiting for instructions to join its zombie brothers in DDoS attacks.
The most common causes are staff who haven’t been trained properly, don’t care enough, or simply become trigger-happy link-clicking maniacs because they’re too busy.
Security teams should make sure they give time and appropriate support to staff, and have standardised processes in place to react quickly and effectively when a phishing attack is successful or staff have concerns.
A dodgy link need not be the end of the world, whether or not it was clicked. Keep your staff trained and engaged… and stay vigilant!
Alexis Vanden Eijnde