In Chapter One we mentioned that the most common phishing attacks are mass emails sent to as many recipients as possible in hopes that even a few high-value targets will be compromised.
That’s what happened when Huckleberry "Huck" Phinn, a senior employee at the St. Petersburg Wildlife Foundation, received an email from SFaxRemittanceInformationTransmittalCenter. (The email content is real; names and numbers have been changed. (Figure 1)
At first, Huck doesn’t see anything suspicious about this email.
- The email contains text from a disclaimer from a real law firm in Illinois, and links to a “Risk Management Bulletin.” (Figure 2)
Huck glances at the topic and the linked article. It looks legitimate and contains actual content. Including links to a legitimate website is a common tactic that malicious attackers use to avoid detection by email security and filtering solutions. Here’s what Huck saw when he clicked on the link (Figure 3).
However, the email doesn’t end with the article. The email tells Huck that he has received a “fax” from this SRFax service and includes links to “PREVIEW OR PRINT PAYMENT” and to ”View email in browser.” (Figure 4)
These links redirect Huck to a OneNote page that includes a blurry picture of a document with a Bank of America logo which was also included in the original email Huck received. The caption of this image says to "Click below image to view fax document anytime." This OneNote page contained much of the same information included in the phishing email, and it also contained the warning to "Use receiving email to access documents to prevent error." (Figure 5)
Huck missed a few red flags but he caught on in time. He doesn’t fall for it, and neither should you.
- The email says it’s from a fax remittance service, but includes a disclaimer from and links to a law firm in Illinois.
- The area code of the fax number is in North Dakota, not Illinois.
- The phone number works but is not a fax number.
- The small, blurry embedded .png image of a document with a Bank of America logo followed by a link to “Click below image to view fax document anytime” enticing the user to click for a higher-resolution image. Highly suspicious.
- If clicked, the links redirect to a OneNote page on a compromised Sharepoint site belonging to yet another unrelated company. Using redirects is another tactic used by malicious actors to obscure the actual link and to avoid detection by email security platforms.
- The OneNote page contains a warning to "Use receiving email to access documents to prevent error". This warning was likely used by the attacker(s) to help ensure that they would compromise Huck's business email credentials as opposed to his personal email credentials.
If Huck had fallen for the phishing attack his next click would have taken him to a fake Microsoft Office 365 login page. It looks convincing, including a default Microsoft background image, and it doesn’t contain any typos or grammatical errors that often accompany phishing attacks. After entering an email address and password, the login would have failed, but whether correct or not, whatever information entered by Huck on the fake login page would have been harvested by the attacker(s). (Figure 6)
Red Flag Challenge:
Did you catch the big red flag on the phony login page (Figure 6)?
Click here to reveal the answer.
...to be continued.
Ingalls helps businesses large and small manage security risks and defend against cyberattacks. If you’d like to learn more please contact us here. One of our cybersecurity experts will be more than happy to assist you and answer any questions you may have.
Our “How to Spot a Phish” checklist can help you identify phishing emails and provides advice on what to do with them.
About the Author
Cyrus Robinson, CISSP, MCSE, MCITP, CEH, CHFI, Sec+
Mr. Robinson is a skilled Information Security professional with experience working with diversified technologies and environments. Mr. Robinson’s professional IT career began as an electronic forensics engineer as an active duty Airman with primary responsibilities with testing and evaluating digital forensic software, policies, and procedures. In this capacity, he worked alongside federal investigators and various DoD, CIA, FBI, NSA, and NIST employees. Following his active duty role with the USAF, Mr. Robinson went on to work in change management and system administration as a DoD Contractor. Mr. Robinson also has extensive experience in the roles of Information Security Officer and IT Director for a large medical group which contribute to his knowledge with security risk assessments, HIPAA compliance, and drafting and implementing corporate IT security and business continuity policies. Mr. Robinson holds various industry standard certifications and a Masters of Science in Information Security and Assurance.