The Phishing Adventures of Huck Phinn, Deep Water Spear Phishing

Chapter 3

In the previous chapter, Huck Phinn, who works for an environmental group, narrowly escaped a phishing email trap by recognizing red flags. But he still remained a target of other “phishers” trying to lure him.

One day, a message to Huck’s business email address, huckleberry.phinn@spwf.org, popped up. It looked legit because Huck's office does use Microsoft Office 365 for their email. (Figure 1)

Figure 1 - Fake Microsoft Office 365 email

Uh oh! Huck took the bait and clicked “Read Now.” Unfortunately, that’s all it took for the bad actors to take their next steps in a sophisticated spear phishing attack targeting Huck’s organization:

• “Read Now” opened a nexxt.com job posting page, that led to a redirect to an abod3.azureedge.net URL. abod3.azureedge.net, Microsoft Content Distribution Network (CDN) domain. (Figure 1)
  
  
• That page then redirected to yet another domain that generated a customized fake Microsoft Office 365 login page, with Huck’s real email address already filled in! (Figure 2)

Figure 2 - Fake Microsoft Office 365 login page.

• The complex deception kept pulling Huck in deeper. For example, the default Microsoft background was replaced with the real background and logo of the St. Petersburg Wildlife Foundation's website. (Figure 3)

Figure 3 - Fake Microsoft Office 365 login page with the real background
and logo of the St. Petersburg Wildlife Foundation's website.

At this point, Huck recalled the recent phishing email that he received (covered in Chapter 2), and deciding not to take a risk by going any further with this one, forwarded the email to the Ingalls Phishing Email Helpdesk to have their expert SOC analysts review it first. The Ingalls Phishing Email Helpdesk Analysts investigated the email and sent Huck a response to let him know that it was malicious and recommended immediately deleting the email (Figure 4).

Figure 4 -Ingalls Phishing Email Helpdesk email response

Ingalls’ investigation revealed this was more than a standard phishing attack. This was a deliberate spear phishing attack using tricky tactics like obscuring the known phishing domain with a redirect from a legitimate site, such as the job posting site (nexxt.com) to avoid detection by email security and filtering solutions.

Open source threat intelligence revealed a number of other potential victims were targeted with similar attacks, and one of the domains used in this attack was included on a pastebin dump of known phishing domains.

This time, Huck realized something was wrong just in time. If he had continued on the fake login page, he would have encountered a prompt to enter his password. Flags that would have helped him identify the malicious content included additional spelling and grammatical errors.

• The login prompt stated, "Because you're accessing sensitive in fo, you ne-ed to verify your password" (Figure 5).
• In the event that Huck couldn't recall his password, the malicious login prompt even included a helpful button labeled "Forget Password", although the fake button was just for appearance and didn't actually do anything.

Figure 5 - Fake Login with misspelled words and "Forget Password" link

After entering a password, whether correct or not, Huck would encounter an error stating "Your email or password is inorrect." Whatever password information entered by Huck on the fake login page would have been captured by the attackers (Figure 6).

Figure 6 - Error stating "Your email or password is inorrect."

All of this could have been avoided if Huck had noticed these telltale signs the email was malicious: 

• The email claims to come from "phinn Office Helpdesk", but the actual email address that sent the email was a bellnet.ca address that Huck was unfamiliar with and was definitely not part of the spwf.org domain. 
• Huck doesn’t have a technical role at St. Petersburg Wildlife Foundation, so why would he receive an unusual alert about email sync issues?
• Little typos and grammatical errors 
1. "phinn Office Helpdesk" rather than "Phinn Office Helpdesk" 
2. "phinn Microsoft 365 Sync has failed" rather than "Phinn Microsoft Office 365 Sync has failed"
3. A missing period at the end of "Y‏‎‍‌o‏‎‍‌u h‏‎‍‌a‏‎‍‌v‏‎‍‌e 5 i‏‎‍‌m‏‎‍‌p‏‎‍‌o‏‎‍‌r‏‎‍‌t‏‎‍‌a‏‎‍‌n‏‎‍‌t m‏‎‍‌e‏‎‍‌s‏‎‍‌s‏‎‍‌a‏‎‍‌g‏‎‍‌e‏‎‍‌s t‏‎‍‌h‏‎‍‌a‏‎‍‌t h‏‎‍‌a‏‎‍‌v‏‎‍‌e n‏‎‍‌o‏‎‍‌t r‎‍‌e‎‍‌a‎‍‌c‏‎‍‌h‏‎‍‌e‏‎‍‌d y‏‎‍‌o‏‎‍‌u"
4. The “time” of the email alert was “5/28/20209:21:13” rather than  “5/28/2020 9:21:13”
5. "T‏‎‍‌h‏‎‍‌e a‏‎‍‌l‏‎‍‌e‏‎‍‌r‏‎‍‌t i‏‎‍‌s t‏‎‍‌r‏‎‍‌i‏‎‍‌g‏‎‍‌g‏‎‍‌e‏‎‍‌r‏‎‍‌e‏‎‍‌d w‏‎‍‌h‏‎‍‌e‏‎‍‌n u‏‎‍‌s‏‎‍‌e‏‎‍‌r h‏‎‍‌a‏‎‍‌v‏‎‍‌e e‏‎‍‌r‏‎‍‌r‏‎‍‌o‏‎‍‌r i‏‎‍‌n m‏‎‍‌a‏‎‍‌i‏‎‍‌l s‏‎‍‌y‏‎‍‌n‏‎‍‌c‏‎‍‌" rather than "The alert is triggered when the user has an error in mail sync."

Figure 7 - Little typos and grammatical errors

Security Awareness is increasingly important as part of a culture of security for every organization. It can no longer be considered strictly your IT department’s responsibility to keep the organization safe. No amount of sophisticated technical controls can fully account for every opportunity a bad actor has to take advantage of the most basic human instincts - to respond when prompted.

Does your organization have an effective solution for reporting and evaluating suspicious emails? Do your employees know where to go for help and what to do if they spot a phish? Ingalls Managed Detection and Response Services include a Phishing Email Help Desk to make it easy for your employees to report emails they are unsure of and lighten the burden on your IT team of analyzing and responding to phishing attacks. Contact us today for a free consultation and get peace of mind for your cybersecurity.

Catch Huck’s ongoing phishing adventures in the next chapter in the series, coming soon…

About Ingalls

Ingalls helps businesses large and small manage security risks and defend against cyberattacks. If you’d like to learn more please contact us here. One of our cybersecurity experts will be more than happy to assist you and answer any questions you may have.