Tessian Threat Intel focussed on crypto and payment fraud campaigns for the month of May, particularly PayPal related scams which have become increasingly sophisticated over the last several months. Most recently we have identified scams relating to fraudulent email invoices requesting payment via PayPal, with some of these scams requesting payment in Bitcoin.    Keep reading for recommendations for staying safe, and sign-up for our Threat Intel update to get this monthly update straight to your inbox. 

Social engineering remains a persistent global threat that continues to evolve to evade law enforcement and cybersecurity detection and prevention efforts.   Email-delivered crypto Business Email Compromise (BEC) campaigns are increasing in volume and sophistication.   Threat actors are targeting payment providers such as PayPal and fraudulently creating email invoices to perpetrate payment fraud.   Bitcoin is the preferred payment method due to its ability to transverse geographic borders.   In their latest annual IC3 report, the FBI notes over $43 billion has been lost globally due to BEC compromises in the past 5 years. The true figure is likely significantly higher due to unreported incidents.   The FBI notes phishing is increasing and remains the most reported cyber crime incident.   To stay safe: Never click on links from suspicious emails and be on the lookout for increasingly sophisticated BEC attempts to perpetrate invoice payment/wire fraud.

Tessian Threat Intel have noted an uptick in BEC efforts, with invoice/payment fraud the primary objective of threat actors.   We have been tracking payment provider related fraud since January 2022.   Also noteworthy is the increasing sophistication of campaigns targeting victims using a range of themes including the COVID-19 pandemic and, more recently, the conflict in Ukraine.    Over the past 30 days we are still seeing an average of 45 new Ukraine themed domains registered every day. (See April’s round up on Ukraine).   Key themes of the attacks still include crypto donation scams as well as ecommerce spam, romance scams, and loans for refugees.    The donation scams are increasing in volume and expanding in variety with themes for humanitarian aid and support for children or refugees.   As the digital payment market grows, so too will the range of attacks.   Bitcoin remains the preferred medium of payment for the BEC campaigns we have been tracking.   FBI notes a 65% increase in BEC fraud related losses globally in the period 2019 to December 2021.

Be suspicious of any invoice related request, even from a trusted party.   Always verify the authenticity of the invoice by contacting the party via an independent method, for example via telephone – and never use a telephone number provided in the suspicious email.   Report suspicious emails to your security administrator.   Use an advanced email protection solution that relies on behavioral intelligence modeling vs. a static, rule based approach to threat detection.   Report all BEC related losses to your relevant law enforcement agency – only by having an accurate picture on the extent of the crime threat, can we as a community harness the required resources to effectively deal with this challenge.

To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

Tessian Threat Intel introduces our key threat intelligence themes and topics we have been tracking for the month of April 2022.  The key theme this month focussed on Ukraine-related cyber threat campaigns. We expect nation-state related attacks to escalate in the wake of the Russia invasion. Recommendations for staying include following best practice as outlined by CISA  and NIST. Be sure to sign-up for our Threat Intel update to get this monthly update straight to your inbox.

Phishing campaigns escalated in the wake of the Ukraine invasion Ukrainian themed QR code crypto currency donation fraud featured prominently in phishing campaigns in the wake of the invasion Ramp-up of cyber retaliation by Russia against western countries and targets is expected in the coming weeks The Ukraine invasion is among the first inter- nation-state conventional conflicts to feature a cyber-war (hybrid war) component In order to disrupt nation-state campaigns in Ukraine, public-private partnerships as demonstrated by Microsoft will be key in addressing this threat vector The cyber insurance industry, already in choppy waters before the Ukraine invasion, is set for further turmoil concerning coverage limitations and premiums LinkedIn is now the most popular brand for impersonation in phishing attacks

Tessian Threat Intel have noted a significant escalation of phishing threats in the wake of the Ukraine invasion We take the view along with our colleagues that Russian affiliated APT groups are expected to escalate their attacks on countries allied with Ukraine, with the US, the UK, and the EU key targets in this regard Nation-state cyber attacks are expected to feature more prominently in conventional nation-state conflict based on recent outcomes from the Ukraine invasion  Cyber insurance premiums have doubled over the past 12 months, while coverage has dramatically been reduced A number of leading cyber insurance providers have recently amended their policy coverage to reflect this changing geopolitical risk landscape to specifically exclude acts of war

Threat actors take advantage of key events including conflict and natural disaster events as we witnessed during the recent pandemic Having dedicated executive support and resourcing for cybersecurity programs in the enterprise as outlined by CISA  is essential Defense in depth is key to reducing the likelihood of a successful breach Leveraging Threat Intel insights from your peers and from the cybersecurity vendor community is an important component to keeping aware of the rapidly evolving threatscape Cyber insurance is quickly becoming unaffordable to most small and medium sized companies. This may result in tough trade-offs for firms. Bottom line: Making strategic investments in cybersecurity programs is more important than ever.

To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video, download our platform architecture whitepaper, or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

Key Takeaways   We’ve seen an upward trend in the number of suspicious emails being flagged related to Ukraine.  Spam campaigns started to appear only one day after the initial invasion by Russia.   The number of new domains containing “Ukraine” registered in 2022 is up 210% from 2021.   An average of 315 new Ukraine themed domains have been observed per day since the 24th February.  77% of these domains appear to be suspicious based on early indicators.

Overview   The conflict taking place in Ukraine has quickly become a common theme for threat actors and scammers alike. Tessian has observed an upward trend in Ukraine themed emails flagged by our platform, including a number of threat campaigns that are exploiting the conflict as a theme for new scams, malspam, and phishing.   In line with this, open source intelligence shows a significant increase in the number of Ukraine themed domains being registered, which can be used for malicious purposes.   The scams observed typically request donations in the form of crypto-currency under the pretense of supporting the Ukrainian humanitarian effort in the wake of the Russian invasion. The spam is similar to common campaigns previously observed, pushing links to suspicious e-commerce sites selling Ukrainian themed items.

Trend analysis Domain registrations   There has been a significant upward trend in the number of new domains being registered that contain “Ukraine”. The number of these domains being registered is up more than 210% in 2022, compared to 2021.   Researching domain registrations , we can see the upward trend progressing over the past two months. 

Since early March there has been an average of 340 new domains registered each day, either containing “Ukraine” or closely resembling the word.  Our platform observed an upward initial trend in Ukraine themed emails, which peaked early March. This included the spam campaigns and donation scams.

Threat campaign explainer  Donation Scams   Donations from around the world have been made in support of Ukraine in the wake of the Russian invasion. Unfortunately, leveraging humanitarian efforts such as the one currently underway in Ukraine to perpetrate phishing-related fraud has become a common modus operandi for threat actors and fraudsters. This explains why phishing remains among the top reported cybersecurity incidents according to the FBI’s latest Internet Crime Report, with over 323k reported incidents for 2021.   The donation scams vary in sophistication from basic emails containing a short message with a plea for help, to fake websites set up to impersonate certain charitable organizations like the British Red Cross.    One of these scam emails claims to be supporting the humanitarian aid effort in Ukraine and is requesting  Bitcoin cryptocurrency donations. Legitimate website  text and logos from the likes of UNICEF, Actalliance and the Australian Council for International Affairs (ACFID) are being fraudulently leveraged to enhance the authenticity of the phishing emails.   The threat campaign detailed below purporting to be a legitimate humanitarian aid effort for Ukraine from the ACFID, requests Bitcoin donations and allows victims to make the donation via direct Bitcoin address or via a malicious QR code.

Phishing email purporting to be from the ACFID  

Scanning the QR code with the iOS camera app will prompt you to open a locally installed payment app that supports Bitcoin. In this case, Cash App.   According to Blockchain Explorer, the last transaction to take place with the address in this email was on 2022-02-14 with only 6 transactions in total.    Another donation scam was sent from a newly registered domain redcrossukraine[.]org impersonating the Red Cross in Ukraine. The email contained a link to a professional looking website containing details of the Ukraine conflict as well as instructions on how to donate cryptocurrency in aid of Ukraine.

The site was based on a bootstrap template by BootstrapMade which gave it the look and feel of a legitimate website. Towards the bottom were references to addresses for 3 different crypto wallets you could send payments to as a ‘donation’. One for Bitcoin, one for Ethereum, and one for Tether cryptocurrency.

Ukraine themed spam   Spammers have also quickly reacted to the invasion of Ukraine by adjusting the themes of their campaigns.    One notable spam campaign, only a day after the initial invasion, began blasting out spam with links to suspicious e-commerce sites pushing the sale of t-shirts and other items to show support for Ukraine.   The emails sent out in the campaign have subjects like “I Stand With Ukraine Shirts” and contain images of t-shirts with slogans in support of Ukraine. The emails also contain links pointing to sites like mimoprint[.]info or mabil-store[.]com where you can browse and purchase some of the products referenced in the email.   Links resolving to recently created sites like mimoprint[.]info or mabil-store[.]com were sent out in emails with subjects like  “I Stand With Ukraine Shirts”. Searching this site online reveals some reviews claiming that they are a scam and if a purchase is made then no product is received. Other reviews claim they steal designs from users on other sites.    Recommended action  Some charities do and are accepting cryptocurrency donations. But be cautious of any emails purporting to aid or receive donations in an effort to support the humanitarian effort in Ukraine. If cryptocurrency is requested from an unsolicited email then the likelihood is that it is a scam.   Before interacting with any Ukrainian themed email received, check the source and email header to confirm the organization it originated from is legitimate.   If you want to make a donation in support of Ukraine, then the best way is to go directly to your preferred charitable organization. CNET has published a list of reputable charities you can donate in aid of Ukraine. 

Credential harvesting via phishing remains a significant threat to organizations. In early February 2022, we detected a credential harvesting campaign leveraging a fake Microsoft Outlook login page. Although Secure Email Gateways (SEGS) have URL rewriting protection capability, these types of phishing efforts typically go undetected through the usage of obfuscation techniques such as using superscript tags hiding the malicious code.

Summary of the attack   An email impersonating Microsoft was sent using Amazon Simple Email Service targeting multiple individuals at a specific organization. The email informed recipients their password was due to expire and they needed to follow a link to reset it.   The link in the email followed multiple redirects before landing on a credential phishing site impersonating the Microsoft Outlook login page. Analysis of this attack reveals it to be related to known phishing as a service (PhaaS) site where anyone can purchase tools and services for phishing.   Email Content   Below is a screenshot of the malicious email with a malicious link to reset the password. Note the usage of language (albeit with typos) expressing urgency around changing the end user’s password.

The threat actor sent the target recipients a request to change their Microsoft password that included a malicious link that would redirect to a credential harvesting website. Tailored to specific targets, the emails also appeared to be sent from an AWS Apps server using the Amazon Simple Email Service and passed security checks including SPF, DKIM and DMARC, meaning it is unlikely to be flagged as malicious.    Given the email appears to have been sent via Amazon SES, there is a chance the attacker may have compromised an AWS account. Alternatively they could have registered an account for the sole purpose of sending these emails and passing security checks since Amazon will be seen as a reputable sender.

Email body   When viewed from a mailreader these emails are fairly easy for the trained eye to spot. The main indicators being the grammatical errors that are common amongst phishing emails, as well as the suspicious link clickable from the button.   But underneath the message displayed was further evidence of the attacker going to great lengths through common phishing obfuscation techniques to make these emails difficult to detect.   The email body was base64 encoded which is not that uncommon for emails but still a technique attackers use to obfuscate the content of an email. Decoding this revealed the HTML used to construct the email. When focusing on the email body we find the attacker has added a series of HTML elements distributed randomly between the letters in the message.

Specifically the attacker has used superscript HTML tags to obfuscate the email body against common email security tools like SEGs.   <sup style=”display: none;”>YYCZPYYCZP</sup>   The attacker has added “display: none;” styling to each tag meaning the content of the element won’t appear in the displayed email. This means the recipient will only see the intended message displayed to them in a mail reader while making it difficult for legacy email security tools to pick up on any of the keywords that would indicate this as a phishing email.

By removing the superscript tags from the code we can more clearly see the message left behind that was displayed to the recipient.   Phishing URL   The email contained a phishing URL with the recipient address auto-populated at the end. The URL was added to a button labeled “Keep My Password”. Phishing link embedded in HTML email body        

The phishing link also contained a second URL nested in the query component of the first. The attacker is abusing an open redirect function in a well-known affiliate marketing network called Awin to redirect victims to the malicious site.   Phishing link from email:  hxxps://awin1.com/awclick.php?mid=2584&amp;id=201309&amp;p=hxxps%3a%2f%2fpcbmwc[.]org/fr#<recipient>@<domain>[.]com Which redirects to: hxxps://pcbmwc[.]org/fr#<recipient>@<domain>[.]com   The redirects are incorporated to bypass initial URL security checks common in legacy email security tools. Most security tools scanning URLs are likely to focus on the domain from the initial URL ‘awin1[.]com’ and recognise it as safe.   The domain in the nested URL ‘pcbmwc[.]org’ appears to belong to a buddhist monastery based in Patiya, Bangladesh. The site appears to be fairly basic and low budget, it is likely the attacker compromised this site and is using it to host part of their malicious infrastructure – an increasingly common tactic for phishing attacks.   The initial URL leads you to an apparently blank page. The source code reveals there is a script checking to make sure there is still an email address present at the end of the URL after the ‘#’. This is intended to be the target’s email address.  

If there isn’t an email address appended to the end of the URL then nothing will happen and you will stay on the blank page. If there is an email address included at the end, then the script redirects the target to the final landing page for the phishing site with that email address still included in the URL.   Link to the final phishing site:   hxxps://fra1.digitaloceanspaces[.]com/loskmwaksilopa/%23%25%5EE%26UY%23%26W%26%28%40.html#<recipient>@<domain>[.]com

Phishing Site Clicking the link from the original email will lead to the page below with the target’s email captured in the URL. The site is designed to resemble the Microsoft Outlook login page where you are prompted to enter your password. Looking at the source code for this site, it appears to be based on a previously seen template also used for Microsoft credential harvesting but with a few alterations.

To look as legitimate as possible, the site borrows graphics and styling directly from Microsoft owned CDNs. Entering a password into the box provided and clicking ‘Sign in’ would result in the email address from the URL and the password being captured and submitted through an AJAX post request to a php file hosted on a separate server.   PHP file:   hxxps://moliere[.]ma/aX3.php   The domain in the link to the PHP script appears to belong to a consulting firm based in Casablanca. If legitimate, then it too has likely been compromised by the attacker to host malicious infrastructure.   This script will most likely be what the attacker uses to harvest the credentials. It will either send the credentials to the attacker directly or store them in a location accessible by the attacker.    The source code of the site includes some jQuery scripts to perform a number of actions with the aim of making the site look and feel legitimate. This includes sections to provide feedback to the victim such as error messages and progress bars. One section checks to make sure the password entered isn’t blank and is more than one character long. Another section displays a fake progress bar after clicking sign in to give the illusion of a genuine login taking place.    If the credentials are submitted successfully then the victim is redirected to a genuine Microsoft login page and presented with the login screen again. The victim will assume that they entered their credentials incorrectly the first time and just carry on.   Another observation from the source code is that whoever wrote or borrowed the code has replaced most of the variable names and tag IDs with strings of seemingly random characters.    At closer inspection these random strings appear to be composed of various keyboard walk patterns. A keyboard walk is when you type a series of characters in the order they appear on the keyboard, for example ‘qwerty’ or ‘asdfg’. Often done by dragging a finger across the keyboard.   This has been done deliberately to make the code more difficult to read and follow without clearly labeled variables.

Phishing as a Service (PhaaS) The primary features and indicators from this phishing attack point to it being related to the BulletProofLink (aka BulletProftLink) phishing as a service site, which was detected and analyzed by Microsoft in late 2021.   This site offers phishing kits for sale to anyone and also offers infrastructure to host and run  malicious campaigns from. Phish kits or services will typically be available for sale for around $200.

Although there were some differences for the specific campaign analyzed here, the attack chain observed is virtually identical to that mapped out by Microsoft.  

This credential harvesting attempt is a good example of what is becoming a particularly common modus operandi to compromise an organization’s credentials and information system. The unfortunate reality is that such attempts have a high success rate of bypassing legacy and native email security controls. Threat actors are able to achieve this success through the use of obfuscation techniques that are tried and tested repeatedly against static, rule-based email security controls, until the desired outcome is achieved.   

With continuously advancing sophistication of phishing attacks, it becomes a matter of when, and not if, an organization’s legacy email security controls will be circumvented.  Behavioral cybersecurity solutions like Tessian are increasingly seen as a gamechanger and a necessity to ward off advanced social engineering-based attacks. Tessian detects and prevents phishing attacks as the one discussed on a daily basis for our clients. It does this by scanning not only the URL links, but all of the fields contained in an email and contrasts this against a historical mapping of the email ecosystem to determine using machine learning, whether the email is malicious or safe. End-users then receive in-the-moment security warnings prompting them towards safer action.

Appendix: Indicators Email Body (decoded) <sup style=”display: none;”>YYCZPYYCZP</sup>   URLs hxxps://awin1.com/awclick.php?mid=2584&amp;id=201309&amp;p=hxxps%3a%2f%2fpcbmwc[.]org/fr# hxxps://pcbmwc[.]org/fr# hxxps://fra1.digitaloceanspaces[.]com/loskmwaksilopa/%23%25%5EE%26UY%23%26W%26%28%40.html# hxxps://moliere[.]ma/aX3.php   Appendix: MITRE ATT&CK Framework The tactics and techniques used by the threat actor can be inferred based on analysis of the email and the phishing site that was active at the time of receipt.   TA0043: Reconnaissance  T1589: Gather Victim Identity Information T1589.002: Email Addresses T15905: Active Scanning   The attacker will have gathered email addresses to target either from data breaches dumped on the Internet or by scanning the target organizations’ public facing website for addresses, which will have most likely been found on their people page.   TA0042: Resource Development T1584: Compromise infrastructure T1584.004: Server T1588: Obtain Capabilities T1608: Stage Capabilities T1608.005: Link Target   The attacker will either have developed or obtained the scripts and pages used to construct their malicious email through a phishing as a service site. It also appears they may have compromised vulnerable web-servers to host some of their malicious infrastructure used for harvesting credentials including the redirection page, the malicious login page and the PHP script to collect the credentials. This could also have been provided as part of a PhaaS package.   TA0001: Initial Access T1566: Phishing T1566.002: Spear Phishing Link   The attacker sent emails impersonating Microsoft containing a phishing link aimed at harvesting credentials. These emails were sent from an AWS Apps server via Amazon SES. Meaning the attacker may have compromised an existing AWS account or set one up for this campaign.   TA0005: Defense Evasion   A number of techniques were employed to evade detection. The first is the use of Amazon SES to make emails appear reputable and pass security checks. The attacker also obfuscated the message in the email by placing hidden HTML elements at random intervals, making it difficult for security tools to pick up on keywords.   An open redirect was also used in the phishing URL to send the recipient to the malicious site via a trusted one first. Security tools and the recipient will often see the domain for the trusted site and assume the URL is safe.

In late January 2022 a specialist law firm was the target of a spear phishing campaign flagged by Tessian Defender where the threat actor attempted to impersonate the Chairman of the firm. Leveraging common social engineering tactics, the threat actor then targeted the firm’s junior employees. This is known as CEO Fraud.

Impersonation attacks are becoming a mainstay for threat actors. Based on our investigation  into the 2021 spear phishing landscape, we determined that 60% of the malicious emails seen in Tessian’s network relied on generic impersonation techniques, including freemail impersonation and Display Name Impersonation. An additional 30% relied on more advanced impersonation techniques, including direct impersonation like domain spoofing, direct spoofing and account takeover (ATO).

The Attack   The attacker leveraged the name of the chairman and used a freemail domain. Display name and domain name impersonation spoofs accounted for 4.9% of all malicious email detected and prevented by Tessian in 2021.

Email Content: Sender Address: <Name of Chairman>.<Website Domain>@gmail[.]com Display Name <Name of Chairman> Subject:  <Name of Chairman> Body: Asking if recipients have time available Expressing a sense of urgency Links & Attachments None   The threat actor registered an email address using Gmail and chose a username that contained the name of the law firm’s chairman, together with the domain used for it’s website. They also changed the display name associated with the account to match the name of the chairman as it appeared on the firm’s website.   After that, the attacker drafted an email with a generic message containing a call to action, asking the recipient “are you available?”. It was sent to +200 individuals at the firm.   The email did not contain links or attachments when it was sent, just the message added by the threat actor. This indicates intent to engage in social engineering via correspondence with recipients.

This style of phishing usually leads to the threat actor trying to convince the recipient to send money or share information that could be leveraged for a more advanced phishing attack. This low-cost-of-effort phishing attempt explains why social engineering now accounts for 70-90% of all successful breaches.   In other cases it can involve sending a few messages back and forth to establish a baseline of trust, before sending a malicious attachment or URL in subsequent emails. Having established trust, the recipient is more likely to click without feeling much concern or suspicion. This also explains why advanced social engineering threats bypass detection by legacy Secure Email Gateways (SEGs), either due to the sophisticated degree of subterfuge in name and domain name spoofing, or because the malicious payload is not present in the initial email.

The Approach   The majority of phishing attacks using this approach will typically come from addresses registered by a threat actor, for example, looking something like “partner1234@gmail[.]com” or “manager5678@hotmail[.]com”.    Attackers use freemail accounts because of their utility in carrying out attacks and zero cost. Freemail accounts that deliver malicious payloads via a proxy server are also notoriously difficult to trace for attribution. Accounts like this will continue to be used to target multiple organizations.   In the case of this attack the address was created as “<Name of Chairman>.<Website Domain>@gmail[.]com”, this indicates deliberate intent to target this firm specifically.    The fact that the threat actor sent the email to +200 junior members of the firm indicates a higher level of planning and reconnaissance than most of these types of attacks typically have.    Our research confirms that law firms are targeted 31% of the time for impersonation style phishing attacks.  And firms tend to post details of most employees on their websites including names, email addresses and positions held. Many are also active on networking platforms like LinkedIn. This makes reconnaissance very easy for threat actors.

In the case of this impersonation campaign, the threat actor will have found the firm’s people page, searched for a senior individual to impersonate, then filtered down to the more junior individuals to target.    The C-Suite was impersonated in this attack to amplify the call to action in the messaging and to increase the sense of urgency felt by the targets. Likewise, junior employees were targeted in this attack because they were possibly seen as being more likely to comply with instructions received from senior management.    Another hypothesis could be that the threat actor was seeking to gain more information to wage a secondary spear phishing attack, targeting more strategic positions in the firm such as the finance department.

Real-time, comprehensive email protection Tessian was able to detect the phishing techniques deployed by the threat actor for this campaign. Tessian recognized the law firm’s domain in the local part of the email address and the name of the chairman in the display name. It also detected suspicious keywords indicative of an urgent call to action, which included “are you available?” and “quick”.    Tessian also detected that the address used by the attacker had not been observed in historical emails sent to anyone at the law firm.   Many of the recipients at the law firm responded to the in-the-moment security warning message from Tessian and confirmed that the email was actually malicious.   All it takes is one click.    This example underscores the relentless pursuit of threat actors, attempting to gain access to an organization’s crown jewels. As attacks become more advanced, it requires a defense-in-depth approach to email security. Leveraging email security solutions that have behavioral detection and in-the-moment security awareness training capabilities is now table stakes to securing your email ecosystem.

Appendix: MITRE ATT&CK Framework The tactics and techniques used by the threat actor can be inferred up to the point the email was received.   TA0043: Reconnaissance – https://attack.mitre.org/tactics/TA0043/ Gather Victim Org Information – https://attack.mitre.org/techniques/T1591/ Identify Roles – https://attack.mitre.org/techniques/T1591/004/   T1589: Gather VIctim Identity Information – https://attack.mitre.org/techniques/T1589 T1589.002: Email Addresses – https://attack.mitre.org/techniques/T1589/002 T1589.003: Employee Names – https://attack.mitre.org/techniques/T1589/003   The threat actor carried out reconnaissance activities against the target’s website. Here they identified the key individuals to impersonate and target. Using the people directory available on the website they were able to identify the chairman of the law firm to impersonate via email and get a list of names and email addresses for associates at the firm to target.    TA0042: Resource Development – https://attack.mitre.org/tactics/TA0042 T1585: Establish Accounts – https://attack.mitre.org/techniques/T1585/ T1585.002: Email Accounts – https://attack.mitre.org/techniques/T1585/002/   After identifying a high ranking member of the firm, the threat actor registered an email account with Gmail. They created an account with a username containing the name of the chairman of the firm as well as the domain used for the firm’s website. They also changed the display name associated with the account to that of the chairman.   TA0001: Initial Access – https://attack.mitre.org/tactics/TA0001 T1566: Phishing – https://attack.mitre.org/techniques/T1566/   With a free email address registered, a senior staff member to impersonate and a list of victims to target, the threat actor sent an email to more than 200 associates at the firm. The email contained a message explaining they were the chairman of the firm and wanted to know if they were available to help them quickly.    TA0005: Defense Evasion – https://attack.mitre.org/tactics/TA0005/   The threat actor avoided detection through conventional means by registering a new email address and not including a malicious link or attachment in their initial email. SEGs typically rely on known IOCs to be able to detect malicious activity. Since there was no attachment or URL in this case, there was nothing to scan or lookup the reputation for.   MITRE D3FEND Framework Most of the techniques used by the threat actor were reconnaissance-based and occured at the pre-compromise phase outside of the scope of typical defenses and controls meaning they could not be easily mitigated without advanced email protection.   Detect – https://d3fend.mitre.org/tactic/d3f:Detect D3-SRA: Sender Reputation Analysis – https://d3fend.mitre.org/technique/d3f:SenderReputationAnalysis   Sender reputation analysis can be used to detect unwanted or malicious emails by analyzing information about the sender. This can include information over time such as the number of emails received, number of recipients, number of emails replied to etc.   The problem with this attack is the email address used by the threat actor will likely have been recently registered using a reputable freemail service and would have been unseen to the law firm before. This means there is limited information available to determine the sender reputation. Detection can be done based on the email address having not been seen before; however with legacy email security controls this type of detection can generate high levels of alerts and false positives.  

This week, Tessian’s threat intelligence researchers detected a relatively sophisticated phishing attempt impersonating PayPal, the global payment services provider. The threat actor sent an email requesting action from the victim, prompting them to click on the login button, leading to a malicious website. The email that was received  

Social engineering-based cyber attacks like this, usually leveraging a form of phishing via email, have become a common phenomenon both at work and in our personal lives. Threat actors are able to perpetrate these attacks through a range of techniques,  leveraging information gathered by random coincidence or through open source intelligence (OSINT) tactics.    In fact 70-90% of all successful breaches are attributed to social engineering, with 96% of all phishing attacks delivered via email. This is why advanced phishing attacks are seen as a growing cybersecurity challenge.

All it takes is one click   Phishing attempts are used for a range of cybercriminal objectives, for example delivering malware including ransomware onto unsuspecting victims’ computers. Often phishing campaigns are also waged for the harvesting of credentials to execute an account takeover (ATO) attack.    They’re difficult to spot, too. Phishing attempts can appear to be very legitimate, even to the trained eye.

The phishing attempt targeted PayPal customers, and used common phishing tactics, including leveraging corporate logos hosted via a third-party service provider, and creating a sense of urgency by stating that “Your PayPal Account Has Been Temporarily Restricted”.    But, when you actually click “Login to PayPal” as instructed, you’re directed to   hxxps://me2[.]do/xZD4rPKB Which redirects to hxxps://docs[.]05fmxoujyghzb[.]club/tmp/index/wildtt.php?97giuywdae   Despite the unusual URL, the landing page looks legitimate, and will prompt users to enter their login details. This information is then captured by cybercriminals in a scheme known as credential harvesting.    Just as every effort was taken to make the webpage look legitimate, every effort was also taken to mimic the authenticity of a legitimate PayPal customer email, including:

Email images  The email source points to linkpicture[.]com domain, a used free image hosting service. The primary reason for using a free service like this? It enables the threat actor to avoid any tie-backs to personal infrastructure, which enables a relatively high degree of anonymity and separation for carrying out the attack.

Quoted printable encoding   The threat actor also used quoted printable encoding inside key email fields and sections of the HTML body of the email – a common tactic for obfuscating spam filters. Web browsers automatically decode this encoded text to readable text displayed to the end user.  Sender

Display Name Decoded When adding the display name the attacker attempted to double encode part of it but this didn’t work which is why the first string does not fully decode. Body – Email Headline

Email Headline Decoded

Enhancing “authenticity”   Impersonating well-known and trusted brands like PayPal is a common modus operandi for phishing attacks. According to Tessian research and the analysis of 2 million malicious emails, Microsoft, Amazon, and Zoom all ranked among the top most impersonated brands. Likewise, the financial services sector tends to be heavily targeted in phishing attacks.    The threat actor also used what appears to be legitimate footer links from PayPal to enhance the appearance of authenticity of the phishing email – another common tactic observed in phishing attempts. The links included however are empty and have no URL  included.

Additional observations of interest, and avenues for further research   The HTML body contains the name of a UK based retailer “Sainsbury’s” indicating the reuse of this template for likely earlier phishing attempts, targeting a different retailer’s customers. The threat actor has, in this instance, forgotten to update the information. There might be utility in purchasing similar phishing templates off the dark web to identify phishing attack trends and indicators.   It also pays dividends for organizations to stay aware of how email security threats are evolving, with threat actors continuously adapting social engineering methods to bypass legacy, rule-based email security controls. Educating employees about threats and how to spot them is important, too. What to do if an email if you think an email is suspicious   Now that we’ve examined this particular example, we need to address what you should do if you suspect you’re being targeted by a phishing attack.   If anything seems unusual, do not follow or click links or download attachments.  If the email appears to be from a government organization or another trusted institution, visit their website via Google or your preferred search engine, find a support number, and ask them to confirm whether the communication is valid. If the email appears to come from someone you know and trust, like a colleague, reach out to the individual directly by phone, Slack, or a separate email thread. Rest assured, it’s better to confirm and proceed confidently than the alternative.  Contact your line manager and/or IT team immediately and report the email.  

Overview Time period: March 2020 – May 28, 2021 Number of emails sent: >405,000 Subject lines used: 5,881 Mailboxes targeted: 2,099 Sender domains used: 821 Tessian’s Research & Intelligence team have identified a pattern of suspicious email activity across the Tessian platform, originating from a US-based online “leader in legal education”. The first email campaigns were detected in early 2020. In every campaign, the organization appears to be promoting discounts on educational courses or new curriculum. New domains – our team has observed 2-3 new domains appearing per week – were used to evade spam filters and SEGs. Who was targeted? Over 10% of our customer base received one of the campaigns from this legal education firm. 65% of the targeted customers are in the Legal sector; 25% are in Financial Services. Almost all targeted customers are US-based. Nearly every customer has a legacy Secure Email Gateway (SEG) and Tessian Defender as part of their inbound email tech stack. These emails bypassed the SEGs, but were flagged as potentially malicious by Tessian Defender.

One single law firm received an astounding 280,000 emails from this organization in a little over a year. Other Tessian customers received several hundred to thousands in the same time frame. Normally high-volume campaigns like this are not very targeted or customized to the recipient. In this case, the sender has taken a scatter-shot approach with the hope that a fraction of the recipients engage. Even if these emails are not malicious, they are certainly a nuisance – especially for busy attorneys.   What was the angle? Nearly 6,000 subject lines were used in these email campaigns. Notable themes and keywords include: Coronavirus / COVID-19 Cryptocurrency, Blockchain, Bitcoin and Smart Contracts AirBnB & Short-Term Rental Law Marijuana, Hemp and Cannabis Law  Judgments & Asset Protection Uber, Lyft & Ridesharing law Discounts Last/final day to register It appears that they are attempting to capitalize on new or trending legal topics, which could be particularly relevant to law firms and financial services institutions.

Suspicious, not necessarily malicious  While this legal education provider may be a legitimate organization, their website is insecure (no SSL certification, no padlock icon), and more importantly, the way they are building and distributing these email campaigns is suspicious; their tactics mimic those deployed by cybercriminals to evade defenses. For example, the emails are often sent from a recently registered domain by a sender the recipient will probably not have seen before. These are two key indicators that trigger Tessian Defender. In a little over a year, the legal education provider registered over 800 domains; sent emails from over 825 email addresses; and used about 20 different display names. This sort of behavior indicates that they were deliberately crafting emails to bypass rule-based filtering. [Read more about display name and domain manipulation.] Why? Once a domain has developed a reputation for spam, then it can be added to a spamming blacklist, which will be a significant factor considered by spam filters.  Registering a new domain with a fresh or unknown reputation is the easiest way to get around this. This is not dissimilar to how hackers create phishing attacks.  The emails often also contained a sense of urgency to bait the recipient into buying or signing up to something while a certain discount is still available. Urgency (i.e. “Last day to register”) is another technique regularly employed in phishing emails. Most of the URLs in the emails pointed to a legitimate website called Constant Contact (an email marketing tool). What can you do about it? General guidance  Limit how far you share your email address across the internet. Keep it private unless it is essential to share it. Do not click on any links in spam emails as they could be malicious. Mark it as spam or move it to your spam/junk email folder to help train the spam recognition algorithm. After marking it as spam, delete the email from your spam/junk folder. If you’re a Tessian customer Review attacks in the Tessian portal and add senders to a denylist to be blocked before reaching inboxes in the future.  Review attacks in the Tessian portal and remove emails from employee inboxes.  Use the Human Layer Risk Hub to understand which employees are most at risk of phishing; then notify them individually or create customized warnings to educate them about the risk. The primary way for avoiding spam is to limit how much you share your email address across the internet. Be cautious of who and what services you sign up to with your email address – whether it’s your personal or business email address. Some services may willingly sell your information to spammers or marketers. The key difference between marketing emails and spam is that marketing emails should only be sent to emails that have consented to receive them. To comply with regulations like GDPR and CCPA, marketing emails must also provide an easy way to opt out of future emails, for example, by including an unsubscribe link or button in the email. Last but not least, if you’re a lawyer, always make sure the provider and courses of legal training are accredited. 

Overview Industry: Legal Size: 5,000 employees Platform: O365 In May 2021 Tessian Defender flagged a series of emails sent to a global law firm. The emails were attempting to impersonate a senior partner at the firm and targeted a list of other partners. Reconnaissance  The firm being targeted by the attacker operates globally, but the senior partner they were impersonating was based in Australia. All employees targeted in the attack – including their contact details – are featured on the firm’s website. Eleven partners were targeted by the attacker. All of them were also based in Australia, indicating the attacker spent time considering who to target based on what they were able to learn from reconnaissance activities against the individual they wanted to impersonate. It is likely they chose targets they assumed would be in regular contact with the senior partner at the firm. The attacker had registered an email address with Gmail containing the word “partner” at the beginning followed by a series of numbers. They also changed the display name associated with the address to match the name of a senior partner at the firm they were targeting. Attack Deployed In the email sent, the attacker asked questions about the targeted recipient’s availability, implying that part of the intention was to establish a dialog for social engineering. From the email headers, it also appears that the email was sent from a mobile device.  There were no links or attachments included in any of the emails. It is likely the attacker was hoping to receive a response from any of the 11 targeted partners, with the intention of building a rapport and then socially engineering them into carrying out actions on the attacker’s behalf; for example, giving up sensitive information or unwittingly compromising the firm’s network infrastructure by further directing them to a malicious link or attachment.  Threat Detected and Prevented At the time the emails were sent, Tessian Defender was being trialed at the firm across a subset of users. Two of the users who received the email had Defender installed. For both users, Defender flagged the email as a possible impersonation of someone else at the firm based on the display name, and warned them there was something suspicious about it.

Both users who received the notification from Defender marked the email as malicious, which subsequently alerted the security team.

This attack was not particularly sophisticated but could have easily gone unnoticed by busy employees – especially if viewed on a mobile phone, where sender addresses are often not visible. More importantly, this rudimentary attack was not detected by the firm’s Secure Email Gateway.  Tessian Threat Intelligence in the portal drew the security team’s attention to the suspicious indicators: “first time sender” – the recipients had never been emailed by this sender before Keywords like “are you available” were highlighted; which coming from a first time sender signals risk After the security team investigated the threat, they notified the other targeted users in the firm and the incident was resolved without any damage being done. 

The National Cyber Security Centre (NCSC) recently revealed that it removed more online scams in 2020 than in 2016-2019 combined, due to a surge in malicious activity related to the Covid-19 pandemic.  In a report published by the NCSC’s Active Cyber Defence program, it’s revealed that more than 120 phishing campaigns in which the NHS was impersonated were detected in 2020 – up from 36 in 2019. The lure commonly used in these scams? The vaccine roll-out. How have cybercriminals taken advantage of the Covid-19 vaccine? Tessian researchers have been monitoring phishing campaigns related to the vaccination roll-out since the start of 2021, and their findings clearly demonstrate how quickly cybercriminals will jump on milestone moments to craft convincing scams.  In fact, in the week commencing January 4th 2021, Tessian data shows that the number of scam emails related to the vaccine was 188% higher than the weekly average of such scams detected in 2021. It was during this week that the UK began distributing the AstraZeneca/Oxford vaccine. Our researchers also saw significant spikes in suspicious emails related to the vaccine during the: Week commencing 25th January, when the Biden administration promised to have enough coronavirus vaccine for the entire US population by the end of summer. During this week, the number of suspicious emails relating to vaccines increased by 585% compared to the previous week.  Week commencing February 8th, when U.S. government officials announced that around 1 in 10 Americans had received the first dose of the two-part Covid-19 vaccine. The number of suspicious emails was 148% higher than the weekly average of vaccine related scams detected by Tessian in 2021.  Week commencing February 15th, when G7 countries pledged $4 billion to global Covid-19 vaccine initiatives. Suspicious emails related to the vaccine were 133% higher than the weekly average.  Week commencing March 1st, when President Biden announced that vaccines will be available for every US adult by May. The number of suspicious emails related to vaccines during this week were up by 161% compared to the previous week.  Now that the vaccine roll-out is well and truly underway, with many people having received both doses of the jab, Tessian researchers reported a significant drop in the number of scams. This a clear indication that hackers were responding to hot topics in the news to apply a sense of urgency and timeliness to their malicious campaigns.

Why are these phishing attacks so effective?  After a year of stress and uncertainty, people were desperately waiting for the vaccine roll-out. People urgently wanted to find out things such as when they will get the vaccine, where they can receive the jab, and many more wanted to research and understand potential side effects.  In response, cybercriminals capitalized on people’s desire for more information. They created fake websites, in which people were lured to via phishing scams, and tricked their targets into sharing personal or financial data in exchange for the information they were looking for. Tying their campaigns to timely moments in the news added another layer of urgency.  In fact, additional Tessian research revealed that a significant of website domains related to the Covid-19 vaccine were registered in the early days of the roll-out, with over 2,600 new website domains being created between 5 December 2020 and 10 January 2021. Many of these domains impersonated legitimate healthcare websites, touted misinformation around injection side effects, and falsely claimed to offer guidance around timing and logistics of distribution. The reason why these phishing scams are so effective is because hackers use techniques to prey on people’s vulnerabilities during times of crisis. In a report we published with Jeff Hancock, Professor of Communication at Stanford University and expert in trust and deception, he said, “when people are stressed and distracted, they tend to make mistakes or decisions they later regret.”  What does a vaccine scam look like?  Oftentimes, cybercriminals impersonated trusted healthcare organizations or government agencies to trick their victims into thinking they’d received an email from a legitimate source, as shown in the example below. 

In other examples detected by Tessian, bad actors would impersonate Human Resource departments, urging staff to click on links or download malicious attachments that supposedly contained information about the vaccine roll-out and/or infected employees. Below is an example received by a global financial services enterprise, and detected by Tessian Defender. In this case: The attacker registered a domain to impersonate an outsourced Human Resources function in a phishing email.  The phishing email used Covid-19 as the theme and used fear and urgency tactics to announce an “Covid-19 Emergency”, seemingly providing a list of known infected persons.  The aim of this was to encourage those who received the email to click a link to a PDF which claimed to contain information about the emergency and a list of infected individuals.  The attacker used the name of the financial services organization in the name of the file which was linked to in the URL. This implies that this attack was highly targeted; the recipient would assume that the link was legitimate.  It’s likely that the PDF linked to in the URL would have contained malicious macros designed to infect the target’s device. 

How to spot a Covid-19 scam Always be wary of emails purporting to come from healthcare organizations asking you to click on links to ‘find out more’. Always check the sender name and address, particularly if you have received an email on your phone in order to verify the sender’s identity. It’s also important to question any websites that request personal data. Domains that spoof government healthcare websites, like the Centers for Disease Control and Prevention (CDC) are especially dangerous, as cyber criminals could potentially steal extremely sensitive information such as Social Security numbers and health information like insurance or medical history details.  At a time when phishing scams are only growing in frequency and sophistication, always think twice before entering your personal information online and remember, if it doesn’t look right, it probably isn’t. Remember, you can always verify any question by contacting the sender directly, via another means of communication, to check it’s the real thing. 

Overview Industry: Construction Size: 500 employees Platform: O365 In March 2021 Tessian Defender flagged an email received by one of our customers from one of their trusted vendors. The vendor had suffered from an account takeover when an attacker used compromised credentials to login to the mailbox of one of their employees and send out malicious emails.  Targets Identified With access to the vendor mailbox, the attacker was able to identify all organizations or individuals they had regular correspondence with. The attacker identified a list of 6 high-ranking employees – including the CEO and their PA –  who were part of an organization the employee had regular correspondence with. This organization – a construction firm – happened to be a Tessian customer running Defender across their mailboxes. Attack Deployed The attacker sent an email to their targeted list of recipients from the compromised account. This email contained a message outlining a request for proposal for a piece of work. The email also contained embedded links to a file sharing location hosted by box.com, which the recipients were encouraged to click on to see full details of the request.

Threat Detected In addition to Tessian Defender, the targeted firm has in place another major phishing detection and response platform, as part of their email security stack. The account takeover attack was only flagged by Defender. Defender flagged this email as a possible account takeover attack by identifying 2 significant abnormalities. While the email did come from a trusted sender, what appeared to be out of place was that the email had been sent from a client IP address located in Miami, Florida, which is not a location the sender was known to have previously operated from. (The vendor is based outside the US.) Additionally the file sharing site – box.com – was not a tool the sender was known to use.

The recipients of this email saw the warnings generated by Defender and, fortunately, marked them as malicious, which alerted their security team. The security team was then able to act on the attack. They contacted the real owner of the sending email address by phone to verify the legitimacy of the email and inform them their account may have been compromised. Minimizing fallout This attack could have been much worse had it not been for Defender flagging the malicious email, which could have otherwise gone unnoticed as it was sent from a trusted email address. The warning message displayed to the recipients successfully nudged them into treating the email with caution and raising it to the security team.  Most significant is that the security team on the recipient side went the extra mile to notify the owner of the compromised account. This enabled the security team on the sender’s side to quickly take the following remediation actions: Identify and notify any other organizations that were targeted by the attacker Secure the compromised mailbox and reset the credentials As a result, the attacker was prevented from sending malicious emails to any other target organizations. 

The global COVID-19 pandemic has wreaked havoc on job markets. In the US, the unemployment rate stands at 6.2 percent and in the UK, it’s estimated that around 2.2 million people, or 6.5% of all workers, could be unemployed at the end of the year.  Cybercriminals are taking note.  When Tessian researchers analyzed suspicious emails relating to ‘unemployment’ and terms associated with unemployment that were flagged by our inbound solution Tessian Defender, they saw a notable spike in suspicious emails related to unemployment and COVID-19 in the week of 24th February – the week in which President Biden announced the third round of stimulus checks, which would send billions of dollars to people without jobs. Our researchers also noted a spike in suspicious activity during the week of 8th March which is when COVID-19 the stimulus checks started being received. They found that: In the week of 24th February, the number of suspicious unemployment and COVID-19 related emails was 40% higher than the weekly average of such emails detected since the start of 2021. The number of unemployment themed emails alone was 16% higher than the weekly average. In the week of 24th February, the number of unemployment and COVID-19 related emails was 50% higher than previous week.  In the week of 8th March, the number of suspicious unemployment and COVID-19 related emails was 51% higher than weekly average recorded since the start of 2021. The number of unemployment and COVID-19 related emails detected during this week was 69% higher than the previous week.  Over the last 12 months, cybercriminals have capitalized on the fear, uncertainty and doubt created by the global pandemic to make their scams as believable and convincing as possible. At the start of 2021, for example, Tessian reported a surge in newly registered domains related to the vaccine roll-out and confirmed that a number of these websites were malicious and designed to harvest people’s financial information and account credentials. Now, cybercriminals are launching scams to prey on people who are vulnerable, out of work and urgently looking for relief. They are well aware that these individuals may be applying a little less scrutiny to the messages they receive – especially if the emails appear to have come from a legitimate and trusted sender. How do unemployment scams work?  Here’s how a typical unemployment related scam works: A fake job posting is listed on legitimate job sites. Often, scammers will target small businesses to spoof or impersonate as it is less likely for these companies to monitor their job listings.  An applicant will respond to that ad and will be sent a generic email asking them to perform a task for the interview process. These phishing emails could contain malicious attachments that applicants are asked to download or links to fake websites that ask applicants to input sensitive or personal information. This information could, then, be used to commit identity fraud.  Scammers will also ask applicants to click on a link that refers them to a fake credit check website. Here, they will ask the applicant to share financial information or wire money. Cybercriminals can also identify targets via social media sites like LinkedIn. A recent report from Tessian found that 93% of people share job updates online, and while it’s common for people to let their networks know that they’ve been laid off and are looking for jobs, they are also unknowingly giving cybercriminals the information they need to craft convincing social engineering attacks that are designed to steal personal information.  The FBI has released warnings of unemployment scams, disclosing that many U.S. citizens have been victimized by bad actors “impersonating the victims and using the victims’ stolen identities to submit fraudulent unemployment insurance claims online.” In fact, figures from a watchdog for the U.S. Department of Labor reveal that Americans have lost a shocking $63 billion of unemployment funds during the pandemic to improper payments and fraud, while the Illinois Department of Employment Security reports having stopped around 1.1 million claims involving identity theft in the past year. In many cases, victims don’t even realize they’ve been targeted until they later try to file for unemployment insurance benefits, receive a notification from the state unemployment insurance agency or even get notified by their employer that a claim has been filed while the victim is still employed.

What can you do to avoid falling victim to the scams? It’s always worth remembering that an official government agency or state workforce agency (SWA) will not contact you out of the blue, asking you to apply for UI benefits via an email or a text. So if you do receive a message like this, then do not click on the links or comply with the actions. We also recommend that you: Inspect emails carefully. Look for the .gov URL in the sender’s email address and check that the sender’s email domain matches the sender’s name. Don’t click on anything unless it’s from a legitimate source. Verify the legitimacy of the sender by calling the organization or agency directly. Adopt two-factor authentication and try to not use the same password across different sites. Password generators like 1Password create unique passwords and protect them with encryption software. Monitor your bank accounts on a regular basis to check for any fraudulent activity.

You might assume that to carry out a phishing campaign you’d need to be fairly tech savvy or have committed a lot of time to learning how to become a “hacker”. But this is not necessarily the case.  Part of the continued increase in both the volume and sophistication of phishing attacks is due to the availability of free to use open source social engineering tools. These tools are primarily intended for use by security professionals but are not exclusively available to them. With a little bit of Googling, these tools can be easily found and be put to use by anyone—not just experienced cybercriminals. Of course, it is easier if an individual already has a fairly technical background, but this is not a requirement.  This blog is for educational purposes only, intended to help security professionals protect themselves against these email threats by better understanding how they are created. Creating a phishing campaign All anyone needs to be able to create their own phishing campaign is: An anonymous or disposable email address A target The ability to follow instructions One tool available that is commonly used by malicious and ethical hackers alike is the Social Engineering Toolkit, or SET for short. This is part of the default toolset that comes preinstalled on Kali, a Linux distribution built specifically for penetration testing and information security purposes. SET provides an intuitive command line interface, which provides step-by-step guidance for creating a social engineering scenario. This includes steps for phishing. With this tool a cybercriminal can easily create a phishing campaign on a mass scale against a list of email addresses they’ve sourced. Or they can create a more personalized and targeted spear phishing campaign. Depending on the type of attack a cybercriminal wants to perform, it can even include instructions on how to automatically clone a website login page to harvest credentials, or create a malicious file to infect targeted user machines.

SET is an extremely powerful tool in crafting social engineering attacks. It does require a cybercriminal to have a reasonable level of technical understanding though and, as stated at the start of this blog, not all cybercriminals need a deep technical background to create a phishing attack. Worryingly, there are a number of free open source tools that provide wannabe attackers with simple guides to building and deploying phishing campaigns.  Gophish is an example of another free and open source tool which provides a platform for crafting and deploying phishing campaigns, but with the added benefit of a friendly-looking graphic user interface. These tools tend to be used by security professionals for the purpose of testing and educating, but are available to anyone, which unfortunately includes people with bad intentions or motivations. That means bad actors could leverage them to potentially compromise an individual or organization. Tools like these require only a small amount of research in order to find, and there is no shortage of tutorials available explaining how to operate them. They often have the functionality to clone existing web pages and create fake or look-alike landing pages, to help campaigns appear more convincing. Additionally some even provide reporting functionality that allows you to visualize the “performance” of a campaign. For example, an attacker can view metrics on how many people were reached, how many clicked on a link, and how many credentials were captured or machines infected etc.

An even more basic method of phishing is display name impersonation, which does not require any special tools. All an attacker has to do is register a new email address and simply change the display name on the account to appear as someone else. This can be effective against recipients viewing emails on mobile devices, which typically only show the display name of a sender.  Phishing for Hire A cybercriminal doesn’t have to carry out an attack on their own. Hacking for hire is available across some of the less reputable parts of the internet, like the dark web—the part of the internet only accessible by means of special software that will allow someone to remain anonymous and untraceable while browsing. This is an online area where illegal or blackmarket activity regularly takes place. All you need to hire a hacker for a phishing campaign is: Ability to view the dark web via an anonymous browser Some cryptocurrency Accessing and browsing the dark web is also not as difficult as many might think. The Tor Project offers the most commonly used browser that will allow individuals to browse the internet anonymously and access the dark web From this browser, you can start searching using the default search engine provided to look for pages that will offer links to dark web marketplaces. Some of these links are even referenced by articles or research pieces that are indexed by major search engines making them easier to find. With enough browsing you will find more and more “hidden wiki” pages that will provide many more links that help navigate the dark web. There is a reasonable element of risk that comes with browsing the dark web. Plenty of scams and fake services exist, which even an experienced cybercriminal could fall victim to. But, if careful and persistent enough, it isn’t too difficult for an individual to find someone who could build and deploy a phishing campaign for them. These will be pages maintained by cybercriminals, outlining their services for hire, the specific techniques they offer, and their pricing structure. There are even reviews of hacking-for-hire services available, so that users can find the ones that will be the most reliable!

The cost of hiring a hacker? It can vary depending on who is hired and the specific service required, but services that might need social engineering could start from as little as $200 – $300 in cryptocurrency.  An example of a phishing attack detected by Tessian Phishing attacks can take many forms. Here is one example of a phishing email that was flagged by Tessian Defender:

In this example, an attacker is attempting to convince the recipient that they are a new HR Manager from an outsourced firm (a third-party vendor).  The key indicators that identify this as a phishing email are: It contains hyperlinked text concealing a link to a malicious website. Upon hovering, the suspicious URL is revealed. The sender plays on human kindness by pretending to be a new starter looking for help. A sense of urgency is used to encourage the recipient to act fast or something bad might happen. There are some minor grammatical errors, which are common amongst phishing emails. The email domain is not often seen across networks defended by Tessian. This is an additional flag made possible from insight generated by the Tessian Defender platform. This type of phishing email could have been easily constructed, distributed and tracked by a cybercriminal using an open source social engineering tool. Tessian Defender was able to identify the anomalous signals in this email and nudge the recipient into exercising caution. Looking for more examples of phishing attacks flagged by Tessian Defender? Check out this article. Conclusions The main conclusion to be drawn here is that it really isn’t very difficult for anyone to launch a phishing attack as long as they have the time and the will to do so. Some methods may require a little more technical ability or effort to research than others, and some may be riskier. But the availability of advanced and intuitive social engineering tools make phishing very accessible and simple to do.  This is likely to be a factor in why the volumes of phishing attacks are so high and why there are new campaigns appearing all the time. It’s the newer and more targeted spear phishing campaigns that present the greatest threat to individuals and organizations as they are more difficult to spot. The newer a phishing campaign is, the less likely it is to be flagged by conventional spam filters or rule-based detection platforms. If the campaign is highly targeted, then it will likely have been tailored to have the best chance of bypassing legacy controls and deceiving the target. The social engineering tools described in this post make it much easier for someone to customize and tailor a phishing campaign against a specific target demographic. What can you do to protect yourself? Most spam filters or rule-based email protection platforms are capable of detecting and mitigating the majority of known or recurring phishing campaigns. But this only applies to known campaigns and the detection platforms are only as good as their latest release, which is why it is important to keep your software up to date. One way to reduce your risk of compromise if you do ever fall for a phishing attack aimed at credential harvesting, is to make sure all your major online accounts have two-factor or multi-factor authentication enabled. This makes it more difficult for an attacker as they would also need the authentication token required to login with your credentials. It is also best practice to avoid using the same password repeatedly across different accounts. A common technique used by attackers with a list of stolen account credentials is to attempt to login with them across multiple online services on the off chance any of the same email address and password combinations may have been used. This technique is referred to as credential stuffing. Organizations can also make sure it is difficult for cybercriminals to spoof their domains by publishing and maintaining their DMARC authentication protocol records. They can also go a step further by adding canarytokens to their webpages so it’s easier to spot when cybercriminals are cloning their website for use in phishing campaigns. But, even DMARC isn’t enough to stop targeted impersonation attacks. Learn why.

Targeted spear phishing can be much harder to detect with automated tools. This is why it is important to be vigilant if you receive a suspicious looking email appearing to originate from someone you trust. If the content of the email or the behavior surrounding it feels abnormal in any way, then this can be a strong indicator that something is not right. You can find some specific examples of red flags to look out for in this article: What Does a Spear Phishing Email Look Like? Tessian Defender aims to identify this sort of anomalous behavior to help keep you protected from attackers who may try to socially engineer you into letting your guard down so they may achieve their malicious goals. You might have assumed that phishing requires a lot of skill and technical knowledge, but you’d be mistaken. Anyone can be phished by anyone.