Ntiva Live: Cybersecurity for the Rest of Us

It's Phishing Season - Don't Take the Bait!

Episode Overview: It's Phishing Season - Don't Take the Bait!

In today's episode, Frank and Jabran walk through what spear phishing is, why it's so popular today, and show you some real-world examples of classic attempts to steal your personal information!


Spear Phishing: Episode Transcript

Today, joining me is Jabran from my security team. He is a cyber engineer working at Ntiva. We're going to have a little chat and maybe show you some examples of what's been seen in the wild lately. We can go ahead and kill this part now. Obviously, as always, if you have any questions, feel free to drop them into the Q&A.

What we're going to do today is just really talk about some of the phishing attempts that are going on right now. We'll talk a little bit about some email security and some of the things to maybe draw attention to why these were obvious.

I'm going to start out though by saying that it is Labor Day Weekend. If the track record holds true, Memorial Day and 4th of July were both really big spear phishing email attack weekends. Kaseya, and that whole ransomware thing, came out over the 4th of July. There was a lot of other stuff that happened around the Memorial Day weekend. So be on your guard. Be suspicious.

Yesterday, the FBI issued one of their joint cybersecurity advisories, saying that they have no specific threat. However, they're expecting an increased uptake in the total amount of attacks, the ransomware attacks, the targeted attacks, all that kind of stuff. So just be ready for it. Be on your guard. Be suspicious. That's really the most I can offer up for just about everybody in the way things are going these days.

Jabran, thanks for taking the time away from your lunch as well. Although Jabran is actually in the Midwest. And so, it's not exactly his lunch unless he's having brunch. But thanks for taking the time out of your schedule too, to be here. Chime in on anything as I bring some stuff up.

So, I am going to share some, it's a Word document. And I'll apologize, if I need to zoom in or do anything with it, drop it in the chat or the Q&A. But I do want to show some examples, because these are things that are actually happening right now and have been around. So there aren't too many new things going on. We tend to see some of the same things get rehashed a little bit.

Jabran, do you want to talk about that BuzzFeed one you were mentioning while I go ahead and get this Word document going?


Spear Phishing: Real-World Examples

Jabran:

Yeah. So I came across an article that said someone actually got offered a job at BuzzFeed. Someone that, well, supposedly, they thought it was a legitimate offer. They reached out to this person, and this person said there was no communication via a video interview or a phone call. It was just straight through email.

They said, "Hey, we really liked your resume. Would you mind sending us some more information over?" And they were discussing some things back and forth. And the so-called representative, fake representative at BuzzFeed said, "Hey, we like you. We want to give you a job offer on the spot." So I think that's the first red flag. No company is going to give you an offer right off the spot through email, without giving you a phone call or a video interview, any of those.

So they gave him that offer. And the person hesitated to give that information out because what they requested after was like, "Hey, send us your social security, your home address, your personal information." And like I said, there was no phone call or formal interview process. No one reached out to them, like a real human being.

The funny thing is, they were actually referring him to the IT and HR departments through LinkedIn. So they're doing their due diligence, and going through learning about these different departments and representatives at BuzzFeed, and then saying, this is our IT director or a person in IT that's going to reach out to you for further information. We just need your social security number, your home address, your bank account information.

First of all, the reason you could tell that they're not a real representative from BuzzFeed, they're reaching out from a Gmail account. So anytime you want to make sure any email that goes for a phishing campaign, always check the domain of the sender.

They're not going to be sending you job offers or anything like that from Gmail or personal accounts. It's always going to be from the legitimate domain name. Like ours is Ntiva, so you'll see like, jabran.shakil or shakilj@ntiva.com. So in this case, the person wasn't giving a real BuzzFeed domain name. It was just like xyz@gmail.com. So I found that to be a bit funny. And that person did a good job by not responding with any of the information.


Spear Phishing's Newest Target: The Job Market

Frank:

Yeah. And if you've been following anything, there is a ton of activity in the job market these days. People are all over the place. There's a lot of pent-up COVID demand, really. And actually, I was going to show some of the latest of the COVID emails, but they've been overtaken.

There's still a lot of that out there. Hopefully you can see this now. I am going to zoom this guy in a little bit. I got this just like a week ago. And this has been a common type of scam. This one is pretty good looking though. It's not terrible. It doesn't have some of the boxes underneath. But it comes from UPS Quantum View.

It's got a nice UPS logo. They obviously did a nice job of copying that over. It's not terrible. It just says, we tried to deliver a package. If you want alternative information on it, click here. Has my email. Thanks for shipping with us. Really, made it through the spam filters. This did not get caught by spam filters either.

So it's coming from a legitimate domain, although it's obviously not UPS. So it made it through the SPF filters. It made it through the DKIM. It did all those kinds of things, if you follow on that side. And yet, this is clearly a false one.

For a long time, it was a DHL. And then it was a brief period of time where there was a FedEx scam. But this UPS one has been ongoing for a while. We've seen a bunch of this out in our client base. People have been reporting it and stuff. So I want to bring this one definitely to everybody's attention. Be aware of it. Jabran, you see anything else on this little guy that you want to bring up?

Jabran:

Yeah. Where it says UPS Quantum View. The email address right after, it's packagetrackingportal.com. It doesn't come from UPS.com. So there's one.

Frank:

Oh, and I can't highlight anything right now. I don't have that turned on.

Jabran:

Oh yeah, the spelling is off too.

Frank:

We got shipping spelled wrong. This one's pretty well done. It's not terribly subtle. It's not terribly obvious or anything like that. Like I said, reasonably well done. But use some common sense here too.

Like, when I order UPS, I order from my personal email account, I'm never going to get it at my Ntiva account. And for all of these shipping scams that are out there, there's the Amazon package one that's out there right now.

Some are more obvious than others. But the bottom line is, you have to first ask yourself, why am I getting this on my work email? The other part is, if you do get this on your personal email, use some thought process. Oh, geez. I didn't think I ordered anything from UPS. If you haven't ordered in the last day or two, you probably aren't getting a package.

Jabran:

Even if it's that, you can always hover over the link as well. And it'll show you with a popup where it's going to redirect to. So even if it does look legitimate, let's say it was spoofing the UPS domain name.

You go over it and it says, parcelshipping.com or .net. You could see that and be like, okay, that's a red flag. It's not taking me to the correct domain or company.

Frank:

Yeah. These are just all images. So I didn't bring any of that over. I'm going to show these next two, just because this was Memorial Day weekend stuff. If you missed it, US Agency for International Development, they were absolutely hacked. They had a compromised account. And I never did find out if it was really at USAID or if it was at ConstantContact.

But they were using ConstantContact to send out newsletters. And it was a newsletter account that basically is the one that got hacked. Now, this one didn't go completely mainstream. It was more targeted. It went to a bunch of NGOs. It went to companies and organizations that had military and government affiliations. Also went to some nonprofits. So it was a little bit less than your typical total volume.

But this is again, just to draw attention, this is from the Agency for International Development. You would not expect them to be sending you Donald Trump documents. And under any circumstances, whether you agree, don't agree, nothing associated with it.

There is no reason in the world that they were going to publish these kinds of documents. But this was an emotional thing, right? This was purely a case of whether you like Donald Trump or you despise Donald Trump. You were probably going to go Trump documents, oh, I'm going to go click on that.

And what made this particularly bad, and why I want to bring it up. This had no ability by technology to be caught. Absolutely zero. It was from a valid account. It came through a valid sender, which was ConstantContact, which when you did the reverse lookups and did all those kinds of things, the Agency for International Development was using it.

It was in all the systems and perfectly allowable. There was no malware other than the visit our website and the normal Facebook, Twitter links down here. This is it. These were the only links. The visit our website link was legitimate. In the email below it, it did have the unsubscribe and those kinds of things. Those were all legitimate links because they came from ConstantContact.

The problem came in if you said view documents. Now the view documents link itself did not cause any alerts either. So if you ran it through a sandbox and checked it, it would show up as okay, that went to wherever it went to. I don't even remember where it was.

The problem is that the file that got downloaded was an ISO image. And for those of you that don't know, basically when you click on it, that's the equivalent of you could mount it as a drive. It's the same thing, and it'll bypass your security software. You would mount the drive image. And at that point, when you tried to click anything within the image, it was going to execute malware.

And it was actually going to do, I think this one included Cobalt Strike as part of the malware. So, this was a real serious one, but there was absolutely no way that technology was going to stop it.

At the same time it came out, they used the same set of accounts and everything else. Came out about, and I think this even came through the same email portal. Looks real official. Got lots of logos and stuff on it. And it included a download link, which I guess didn't show up on the screen capture that I did here. But looks real official. Again, it was aimed at specific targets, so it didn't go out just plain across to everybody. This was a popular one for CEO fraud and other high-level executives.


Classic Spear Phishing Examples From Our Own Clients

Now this one, this is going around right now. It came out to one of our clients, August 11th. This is not even believable, but it's in the wild again. And I'm going to scroll, and I don't expect anybody to actually take any time to read it. But the bottom line is, this is your classic dig for sensitive information or sensitive data.

We have $2.8 million and it's here for the taking. And we'll put 12,000 a day on your ATM card, or you can have a certified cashier's check, and it's got all kinds of different things. Even goes as far as saying, don't fall for this kind of stuff, don't send money to anyone. But go ahead and send money to us. And here's our contact information.

And you'll notice that Rachel, she might be a very fine specific individual, but she's got a ProtonMail account, and she's working for the International Monetary Fund.

I'll just move this thing around a little bit. You can peruse it. It's bad English. For those of you that have been around IT as long as I have, this is the Nigerian prince scam all over again. And by the way, the Nigerian prince scam comes out every few months too, probably because somebody falls for it.

But you know, no matter how you slice this one, this is so blatantly obvious in my opinion, that it almost embarrasses me that I'm going to bring it up. I don't know. What do you think of Abdul? Abdul? What do you think, Jabran?

Jabran:

I mean, right there, the first thing, the from subject, it says test@test.com. See, and probably bad grammar as well. And just a sense of urgency. Like, hey, all these funds we have for you. Go ahead, and we'll deposit that into your account.

I found that the first thing that stood out was just that domain name, the test@test.com. And then isn't that the same person that's asking with the Proton email to send the funds over, and they have two separate emails in there?

Frank:

No, it's all one, believe it or not.

Jabran:

Oh, really.

Frank:

Yeah. So, it's kind of silly. It included the second set of information as well. I mean, it wasn't even good.

Jabran:

It was just a bunch of text, to be honest.

Frank:

We have a question. We received phishing emails from TechCrunch through a third party, bulk mail sender. TechCrunch.com has an SPF record, and shows the third party sender can send email as them. The attacker was able to compromise another account at the bulk mailer and send legitimate, SPF-record-verified email.

So, that's exactly what happened with the ConstantContact and USAID problem. It was a perfectly valid thing. The technology wouldn't have blocked it. The SPF, again, for those that aren't aware, is Sender Policy Framework. It's one of the ways that you can basically try to authenticate and authorize who can be your sender.

There's a bunch of things out there, DKIM and DMARC. Configuring those is tricky. Making it work correctly is not always the easiest thing. It still surprises me that we come across times where there is no SPF record.

Almost everybody has an SPF record. DKIM and DMARC are not as widely used. And the folks at SendGrid will probably hate me for saying this. SendGrid is one of the bulk mailers. And it's a legitimate service, don't get me wrong. You can subscribe to it.

But unfortunately, SendGrid has become a target of opportunity for the spammers. And a lot of spammy mail will be used through SendGrid. They'll use them as the third party essentially, like ConstantContact or something. The reason for that is because they offer a free account that lets you do a lot of things like that.

The downside is that if you're a real business using SendGrid, you run a good chance that your mail is going to be blocked at the recipient's side because so many recipients now just absolutely block SendGrid from coming in. The alternative to that is, if you use SendGrid, you need to have one of their non-free plans.

I don't know what their tiering structure or anything looks like. But the SendGrid free plan doesn't allow you to basically pick an IP address. When you get into, it might be the second level paid plan, but you can have a single IP address dedicated to your sender, and then your recipients can whitelist against that IP address. But nobody wants to whitelist against SendGrid because then you open yourselves up for getting a lot of spam coming in.

It's really similar to, Jabran, I think this came up on one of those compromises we were looking at. Jabran's been with us for just over three weeks. And I promised I wouldn't throw too much stuff at him until he'd been here at least a little while. I think my promise lasted three days.

But we were doing forensics, and I think it was namecheap.com. It was a fake domain. namecheap.com is notorious with the folks that are creating fake domains. If your domain has a W in it, I create an equivalent domain, but replace it with two V's. I replace lowercase I's with J's. I add lowercase I's, J's, those kinds of things, because they're hard to see. A lowercase L and I, right, that's hard. 1's versus L's. I mean, all those things go into fake domains.

And if your domain name, by the way, is very long, subtle spelling errors, adding an extra letter or deleting one where you have duplicate letters. It's really, really bad. Really easy for people to spoof your domain that way. And somebody also pointed out that the UPS scam didn't address it to your name, just customer. That's also true.

Usually, you will see some level of personalization. These general phishing though don't always, they don't always go to the trouble to even personalize them to include your email. The UPS one, at least, included the personal email as we got down towards the bottom of it.

And the next one, I want to show you. There are various versions of this. But the eFax one has been really prevalent in the last, I've seen a ton of them in the last 30 days. But it's been around for probably longer.

Sometimes you will see this as a generic, you have received a fax, and it doesn't go to this quite level of sophistication. The alternative way that this one comes in is as a, you have a new voicemail. So with everybody working remote, and your office voicemail system grabs it as an MP3 file, emails it to you. Basically, they're trying to piggyback off of all of that.

This one is out now. Forgery. But again, if you look at it, it's not going to come directly from eFax. I don't think eFaxzero.com is one of their domains. It looks reasonably like it's an eFax document. When they do send you one, you see, this is their logo. When you click on the button, however, it takes you to what is a very well done credential compromise page. And there's a ton of this going on.

Dropbox has been a big target of it. There's fake Microsoft log-in pages. But this one, somebody went to a lot of trouble. It is copied. It's really professionally done. It's going to basically ask you to log in to get your eFax. And it came from this email. So you click here. Boom, takes you to the compromised credential page. And now it's going to ask you for username and password. I don't know what to say about that.

At that point, you're giving away the keys to the farm. You got anything you want to add about that, Jabran?


Fake Websites Are a Popular Way to Steal Your Login Information

Jabran:

I remember testing one of these phishing emails before. And there's one that I received a long time ago. It was a Walmart one. And I remember, I was like, well, let's just see what happens. And you go in, it's a fake Walmart. Set up completely, just like you said, like this eFax website, a hundred percent. It looks legitimate, everything.

As soon as you go to input your credentials, so I just put in some fake stuff, and nothing happens. You hit submit, it just refreshes the page. And the attacker, he knew actually that, oh, I have someone. So what he did was he sent me that same email a bunch of times after, like five or six times, trying to get me to really input my credentials.

So they know. They keep track of that stuff to see who's clicked on it, and they try to get you again by sending that stuff again and again, in hopes of you actually entering in your credentials. So yeah, they'll create stuff just like this in hopes that you input your real information in there.

And that's how you can say bye to all your personal information, confidential information, credit card information. That's how it ends up on the dark web.

Frank:

Yeah. And so, we don't need to look at those things anymore. Not that you want to look at us any more than you want to look at an eFax page. The other thing that'll happen on these credential compromise pages. And I've seen this with both Dropbox log-ins and Microsoft log-ins.

So the Microsoft log-in one is really dangerous because so many companies use that as, using Azure AD that gives you credentials to other things. But it will take you to a fake page. That page will grab your credentials. And then it's going to come back and say it was a bad log-in, and give you another chance.

Now that's not really that much of an indicator, because if you're like me, I mistype my password a lot, especially right after I've changed my passwords.

So what will happen when you do that is you go, oh, well I must have just typed my password wrong. And you put it in again. But the redirect, the second time, is to the legitimate login page. So you will log into your Dropbox page, or you will log into your O365 account.

You just won't see the information that you were expecting, because it was like, hey, go here. And there's a document for you to pick up or something like that. So they redirect you to the correct page because at that point, then that gives you less of an indication that maybe you've been phished. So be very conscious of that.

If you get an email with a link, and it's at all plausible, maybe you're even expecting something like that. Avoid clicking on the link, go to the webpage and log in yourself. Jabran, you want to just go through some just general good hygiene, what to look for on these phishing emails. And then I'll wrap it up, the last couple of minutes, with what we can do going forward.

Jabran:

Yeah, sure. So always my tips are look and see the domain name, obviously. And sometimes, like you said, one of the attendees said sometimes they can be spoofed and whatnot. So just continue to look through for spelling mistakes, grammar mistakes. And if you get an opportunity for a link, if there's a link in there, hover over it, don't click on it.

If it doesn't seem like it's suspicious at first, and then you're like, oh, it's checking out, just hover over the link. It'll show you the redirect page of the correct domain name and whatnot. So if it's something that says UPS.com, but when you go over the redirect link, it'll be, like I said, parcelshipping.com. That's an indicator.

And then always, you want to make sure that you're expecting something from someone. So, if you receive like a phishing email for an invoice and you weren't expecting that, that should be your first red flag. And if, like I said, it looks legitimate and whatnot. You'd rather play it safe than sorry.

Then just go ahead and give that person who might be compromised and sent that fake phishing targeted email with the invoice, give them a call just to verify and say, "Hey, did you mean to send this invoice over?" Because this is the way, usually, what I say is, I'm pretty sure your organization wouldn't mind you losing out on maybe a five, $10,000 deal, as opposed to getting ransomware.

And then the whole organization loses millions of dollars when they have to pay for that stuff, or figure out ways of figuring out a data breach.

So always be safe. Rather safe than sorry. And call people in case you weren't expecting something or just to make sure it's not something malicious. So that's usually my advice.

Frank:

So, what companies should be doing, if you're a decision maker at your organization, is phishing prevention training. It doesn't prevent phishing. But what it does do is it makes people more aware of these things Jabran was just talking about.

It gives you an opportunity to say, people get more of an awareness by looking at it. I know this goes against a lot of people's better nature. I'm an engineer. So it comes easy for me. But be suspicious of everybody, no matter what you see, look at it, and be kind of jaded. And sorry, but that's the way things are these days. Do that on your home account as well. If you get any kind of email that's trying to say your password has expired, you have to click here. Your Amazon account has been suspended.

I got one the other day, Customs and Border Patrol has seized my social security number. It came on my home account. I mean, that's about as ludicrous a thing as possible. But call this number. You're starting to see these combination scams. It's email, it's phishing, it's SMS, text messages are coming in. You're getting phone calls. They're interrelated. I mean, all this stuff is all together.

And in the final 30 seconds, I'm going to mention that everything we talked about on how to detect the phish is much harder to do on your phone or tablet. On a computer, you hover over; on these other devices, it's much easier to even accidentally tap. So be careful.

While your iPhone and your Android device are less likely to be infected with malware, it is possible. I personally use antivirus software on all of my mobile devices at home. I know a lot of people go, ah, you don't have to do that. I do, just so that I don't inadvertently click.

So I want to thank everybody. We're right at our 30 minutes. If you have any suggestions for future topics, any questions come up, you can always email me directly, frank@ntiva.com is one of my several email accounts. But that one I will look at as a direct result of these things.

Jabran, thanks for joining me today. Be safe this weekend. It's a long weekend. Hopefully it will be nice, we can all dry out. And watch out for the COVID scams because as the booster shots start coming out, I think you're going to start seeing a ton of those emails, and not all of them will be legitimate. So have a great Labor Day weekend. And thanks everybody.
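The lookalike-domain tricks Frank describes (two V's for a W, J for I, L and 1 for I, an added or dropped duplicate letter) and the hover-over-the-link check Jabran recommends, turned into a small message-triage script. It is an added example, not code from Ntiva or the livestream; the trusted-domain list, the UPS-style sample message and the two-label registrable-domain rule are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this recipient legitimately gets mail from (constructed sample list).
TRUSTED_DOMAINS = {"ntiva.com", "ups.com", "efax.com"}

def registrable(host):
    # Assumption: last two labels are the registrable domain (no public-suffix list).
    return ".".join(host.lower().strip(".").split(".")[-2:])

def normalize_label(label):
    """Fold the hard-to-see substitutions the speakers list onto one spelling."""
    s = label.lower().replace("vv", "w")              # two v's standing in for a w
    s = "".join("i" if c in "jl1" else c for c in s)  # i, j, l and 1 look alike
    out = []
    for c in s:                      # collapse doubled letters so an added or dropped
        if not out or out[-1] != c:  # duplicate ("shiping") still matches
            out.append(c)
    return "".join(out)

def lookalike(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    dom = registrable(domain)
    if dom in TRUSTED_DOMAINS:
        return None
    norm = normalize_label(dom.rpartition(".")[0])
    for trusted in sorted(TRUSTED_DOMAINS):
        tnorm = normalize_label(trusted.rpartition(".")[0])
        # exact fold ("ntjva" -> "ntiva") or brand embedded in a longer name ("efaxzero")
        if norm == tnorm or (len(tnorm) >= 4 and tnorm in norm):
            return trusted
    return None

class _Links(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def mismatched_links(html):
    """(text, real domain) for links whose text names a domain the href does not go to."""
    parser = _Links()
    parser.feed(html)
    hits = []
    for text, href in parser.links:
        target = registrable(urlparse(href).hostname or "")
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", shown) and registrable(shown) != target:
            hits.append((text, target))
    return hits

def triage(from_header, html):
    """Plain-language findings for one message; an empty list means nothing obvious."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    sender = m.group(1).lower() if m else ""
    findings = []
    imitated = lookalike(sender)
    if imitated:
        findings.append(f"sender domain {sender} looks like {imitated}")
    for text, target in mismatched_links(html):
        findings.append(f"link shown as '{text}' really goes to {target}")
    return findings

# Constructed sample modelled on the UPS Quantum View message discussed above.
SAMPLE_FROM = "UPS Quantum View <notify@packagetrackingportal.com>"
SAMPLE_HTML = """<p>We tried to deliver a package. Thanks for shiping with us.</p>
<a href="http://packagetrackingportal.com/t/abc123">www.ups.com/track</a>
<a href="https://www.ups.com/help">Help</a>"""
```

Running `triage(SAMPLE_FROM, SAMPLE_HTML)` reports the tracking link that displays a UPS address but actually resolves to packagetrackingportal.com; a sender such as shakilj@ntjva.com is reported as a lookalike of ntiva.com.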

About the Ntiva Cybersecurity for the Rest of Us Livestream

Ntiva’s Frank Smith hosts the Cybersecurity for the Rest of Us livestream every other Thursday from 12:00 to 12:30pm ET. These live events, presented by the Ntiva team of cybersecurity experts, are sharply focused, easily digestible, and cover topics surrounding cyber security in today's modern workplace. We take questions from the audience and share what's working for us and others in the industry.
