The Phishing Adventures of Huck Phinn, Dangling Bait in Open Waters

Chapter 2

In Chapter One we mentioned that the most common phishing attacks are mass emails sent to as many recipients as possible in hopes that even a few high-value targets will be compromised.

That’s what happened when Huckleberry "Huck" Phinn, a senior employee at the St. Petersburg Wildlife Foundation, received an email from SFaxRemittanceInformationTransmittalCenter. (The email content is real; names and numbers have been changed.) (Figure 1)

Figure 1 - Email From SFaxRemittanceInformationTransmittalCenter

At first, Huck doesn’t see anything suspicious about this email.

  • The email contains the text of a disclaimer from a real law firm in Illinois, and links to a “Risk Management Bulletin.” (Figure 2)

Figure 2 - Disclaimer from a real law firm in Illinois, and links to a “Risk Management Bulletin”.

Huck glances at the topic and the linked article. It looks legitimate and contains actual content. Including links to a legitimate website is a common tactic that malicious attackers use to avoid detection by email security and filtering solutions. Here’s what Huck saw when he clicked on the link (Figure 3).

Figure 3 - What Huck saw when he clicked on the link

However, the email doesn’t end with the article. The email tells Huck that he has received a “fax” from this SRFax service and includes links to “PREVIEW OR PRINT PAYMENT” and to ”View email in browser.” (Figure 4)

Figure 4 - Links to “PREVIEW OR PRINT PAYMENT” and to ”View email in browser”

These links redirect Huck to a OneNote page that includes a blurry picture of a document with a Bank of America logo which was also included in the original email Huck received. The caption of this image says to "Click below image to view fax document anytime." This OneNote page contained much of the same information included in the phishing email, and it also contained the warning to "Use receiving email to access documents to prevent error." (Figure 5)

Figure 5 - OneNote page that includes a blurry picture of a document with a Bank of America logo

Huck missed a few red flags but he caught on in time. He doesn’t fall for it, and neither should you.

Here are all the red flags so far in this one real phishing email:

  • The email says it’s from a fax remittance service, but includes a disclaimer from and links to a law firm in Illinois.
  • The area code of the fax number is in North Dakota, not Illinois.
  • The phone number works but is not a fax number.
  • The small, blurry embedded .png image of a document with a Bank of America logo is followed by a caption, “Click below image to view fax document anytime,” enticing the user to click for a higher-resolution copy. Highly suspicious.
  • If clicked, the links redirect to a OneNote page on a compromised SharePoint site belonging to yet another unrelated company. Using redirects is another tactic malicious actors use to obscure the actual destination and to avoid detection by email security platforms.
  • The OneNote page contains a warning to "Use receiving email to access documents to prevent error". The attacker(s) likely added this to make sure they would capture Huck's business email credentials rather than his personal ones.
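
As an added example (this is not code from the article or from Ingalls), the script below applies the red flags above to a constructed copy of the message. It parses the From header and the HTML body, then flags links whose domain does not match the sender's, links parked on another organisation's SharePoint/OneNote tenant, redirect wrappers that carry the real destination inside a query string, and the two lure phrases. The hostnames fax-remit.example, lawfirm.example, othercompany.sharepoint.com and redirect.example are placeholders, not the real ones from the phish; a clean control message from the law firm itself is included to show that the checks stay quiet on legitimate mail.

```python
"""Red-flag triage for a suspicious email, modelled on the list above.

Added example for this article; it is not the article's own code.
SAMPLE_EML and CLEAN_EML are constructed messages whose sender,
law-firm and SharePoint hostnames are made-up placeholders.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlparse

# Constructed stand-in for the "fax remittance" phish (all names fictitious).
SAMPLE_EML = """\
From: SFax Remittance Transmittal Center <notice@fax-remit.example>
To: huck.phinn@stpwf.example
Subject: New fax received - payment remittance
Content-Type: text/html; charset=utf-8

<html><body>
<p>Risk Management Bulletin: <a href="https://lawfirm.example/bulletin">Read the bulletin</a></p>
<p><img src="cid:fax.png" alt="Bank of America document"></p>
<p>Click below image to view fax document anytime.</p>
<p><a href="https://othercompany.sharepoint.com/sites/x/onenote/fax">PREVIEW OR PRINT PAYMENT</a></p>
<p><a href="https://redirect.example/r?u=https://othercompany.sharepoint.com/sites/x">View email in browser</a></p>
<p>Use receiving email to access documents to prevent error.</p>
</body></html>
"""

# Constructed control: a firm linking only to its own site should raise nothing.
CLEAN_EML = """\
From: Newsletter <news@lawfirm.example>
To: huck.phinn@stpwf.example
Subject: Risk Management Bulletin
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://lawfirm.example/bulletin">Read the bulletin</a></p></body></html>
"""

# Platforms where an attacker can park a lure page on someone else's tenant;
# a link there from a non-Microsoft sender deserves a second look.
SHARED_HOSTING = ("sharepoint.com", "onenote.com", "1drv.ms", "onedrive.live.com")
MICROSOFT_SENDERS = ("microsoft.com", "microsoftonline.com")

# Wording lifted from the phish described above, lower-cased for matching.
LURE_PHRASES = (
    "click below image to view fax document",
    "use receiving email to access documents",
)


class _LinkCollector(HTMLParser):
    """Collect href targets and visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.text_parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_data(self, data):
        self.text_parts.append(data)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for .com/.example; production
    code should consult the public-suffix list so co.uk etc. are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(raw_eml):
    """Return a list of red-flag strings found in one RFC 5322 message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    _, sender_addr = parseaddr(msg["From"] or "")
    sender_domain = registrable_domain(sender_addr.rpartition("@")[2]) if "@" in sender_addr else ""

    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinkCollector()
    parser.feed(body.get_content() if body else "")
    visible_text = " ".join(parser.text_parts).lower()

    flags = []
    for href in parser.hrefs:
        parts = urlparse(href)
        host = parts.hostname or ""          # empty for mailto:/cid: links
        dom = registrable_domain(host)
        if dom and dom != sender_domain:
            flags.append(f"unrelated-domain: {host}")
        if any(host == h or host.endswith("." + h) for h in SHARED_HOSTING) \
                and sender_domain not in MICROSOFT_SENDERS:
            flags.append(f"third-party-tenant-hosting: {host}")
        # Redirect wrapper: the real destination rides inside the query string.
        for _, value in parse_qsl(parts.query):
            if value.startswith(("http://", "https://")):
                flags.append(f"redirect-wrapper: {host} -> {urlparse(value).hostname}")
    for phrase in LURE_PHRASES:
        if phrase in visible_text:
            flags.append(f"lure-phrase: {phrase!r}")
    return flags


if __name__ == "__main__":
    for flag in triage(SAMPLE_EML):
        print(flag)
    print("clean message:", triage(CLEAN_EML))
```

The area-code and "is it really a fax number" checks from the list, and actually following the redirect to see where it lands, need telco data or network access and are deliberately left out; this script is the offline, header-and-link half of the triage.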
If Huck had fallen for the phishing attack, his next click would have taken him to a fake Microsoft Office 365 login page. It looks convincing: it uses a default Microsoft background image and contains none of the typos or grammatical errors that often accompany phishing attacks. After Huck entered an email address and password, the login would have failed, but whether the credentials were correct or not, whatever he typed into the fake login page would have been harvested by the attacker(s). (Figure 6)

Figure 6 - Fake Microsoft Office 365 login page

Red Flag Challenge:
Did you catch the big red flag on the phony login page (Figure 6)?


...to be continued.


Our “How to Spot a Phish” checklist can help you identify phishing emails and provides advice on what to do with them.


About the Author
Cyrus Robinson, CISSP, MCSE, MCITP, CEH, CHFI, Sec+
Mr. Robinson is a skilled Information Security professional with experience working with diversified technologies and environments. Mr. Robinson’s professional IT career began as an electronic forensics engineer as an active duty Airman, with primary responsibility for testing and evaluating digital forensic software, policies, and procedures. In this capacity, he worked alongside federal investigators and various DoD, CIA, FBI, NSA, and NIST employees. Following his active duty role with the USAF, Mr. Robinson went on to work in change management and system administration as a DoD contractor. Mr. Robinson also has extensive experience in the roles of Information Security Officer and IT Director for a large medical group, which contributes to his knowledge of security risk assessments, HIPAA compliance, and drafting and implementing corporate IT security and business continuity policies. Mr. Robinson holds various industry standard certifications and a Master of Science in Information Security and Assurance.