Phishing with the Wolves. Yes, the Wolves.

Written by Harry Papadopoulos on 27/10/2017

Are you a lucky winner?

Are you one of the hundreds of thousands that just received an email saying you’re eligible for a tax rebate? Or maybe you’re one of those unlucky people that were in a car accident (although you don’t own a car or have driven one for years). If anything along these lines is true, I regret to inform you that an aspiring big shot hacker has targeted you via a phishing campaign (though chances are it is just a script kiddie). Unfortunately, it is very common to receive many spam e-mails throughout the day and other than ignoring them (and reporting), there is not much that can be done. What can be done, though, is proper handling for those that manage to find their way to your inbox instead of your spam folder. Proper handling here can make a very large difference.


The small phish eats the big

It is a common practice to open all emails found in our inbox. Although most of the time these will be fine and will not pose any significant issues, sometimes they will contain a link or an attachment that turns out to be the hook on someone's phishing rod. Simply put, a phishing attempt is when an attacker (we will call him Bubba Gump) throws something our way hoping that we bite the bait. The bait in large phishing campaigns is usually something very generic in the form of an advertisement that looks appealing and attracts our interest. In that case, Bubba Gump has found our email address somewhere online and added us to a big list of targets. There is also a more subtle approach for targeting individuals, which is more careful and usually has better results. This method is called spear phishing, as it is more targeted, going for quality over quantity. The main difference from general phishing campaigns is that in spear phishing, Bubba Gump needs to do a bit of research about the target and tailor the message and any attachments to something that the mark would be prone to click on. Although spear phishing sounds like a lot of hassle for Bubba Gump, given that all kinds of information about ourselves is available at any given time on social media, it is fairly easy for anyone to become a target. There are various sub-categories under this umbrella, the most common being whaling. Similarly to spear phishing, this is also a targeted attack, where the target(s) are big financial whales. The target can be a single person or a whole business, and the pay-off (if successful) can be big enough to justify the effort.


Phish me once... well, it's actually Game Over after that

Have you ever visited a news site and seen an article about a business being hacked? No? You, sir, are a liar. For almost a year now, news about a hacked business has made the headlines on a weekly basis. Sometimes, in the same week, there are reports about multiple businesses paying hackers to decrypt their files. A big portion of these attacks was successful not because the systems were not secure enough, or because there were 0-day exploits, but because someone clicked that link and/or attachment that Bubba Gump sent to them. That single click could have given access to the attackers by installing a malicious file on the user's system, or by prompting the user to input their credentials on a website which, although it looks legitimate, is actually controlled by Bubba Gump. It could also download an innocent-looking attachment that starts encrypting your files, making them unreadable unless you pay the specified amount (it varies, but usually works out to hundreds of £££) in untraceable internet currency (bitcoin). Something that goes unnoticed more easily is a combination of a phishing and a scamming attack. In that case, Bubba Gump will attempt to fool us while at the same time there is a more personal interaction via either phone or e-mail. To get a better understanding, think of the following scenario.


Take it to the lake

You are moving house and decide that your old furniture is not worth the trouble of moving across the county; it is better to sell it and buy new. Once you place the ad online, the attackers will approach you trying to “buy” your furniture. After the initial emails/texts/calls and the usual questions about whether the product is still available, whether you can ship it, and whether you can give a discount, Bubba Gump will agree to your terms (it makes you feel better). The next step is for you to agree to a non-direct payment method – usually PayPal. After you have happily agreed to receive the payment via a third-party service, it is time for you to receive the confirmation e-mail that the money is in and waiting! Adding the cherry on the cake, most attackers choose to add some extra ££ on top of the original price as a thank you for agreeing to ship the product to them (it also makes you feel better). The email, which contains the “verification of payment”, also has a link that will redirect you to the third-party payment service, so you can input your credentials and check with your own eyes that the payment went through. All done! Happy days, right? Errrr, wrong. Happy days, yes, but for Bubba Gump, not for you. The email wasn’t actually from the payment service; it was a very well-crafted copy of a real one, sent by Bubba Gump.

"But it says that the email was sent from payments@service.com!"
Correct. It was sent from that address, but the correct email address would have been: payment@service.com. Note the difference.

"Ok, why did it send me to the correct location when I clicked the link?"
Oh, did it now? You were sent to www.paymentservlce.com, not www.paymentservice.com.

"But... but... I have an expensive antivirus installed!"
Yep, and the fish have the whole lake to swim in, yet they bite the worm on the hook by choice.


Worm or Eel?

In a simple attempt to sell an item, we lost not only the item (assuming we also sent the furniture), but we also gave Bubba Gump access to our account. This explains the monumental difference between simply receiving a phishing email in your inbox and clicking on it. How you handle the phishing email can determine your fate. A well-crafted phishing email will look like it was sent from a legitimate source, with the only difference being very small details in the sender address and possibly the links within it. When an email from an unknown source is seen, it is really important to check that all information regarding the sender corresponds to the correct person. The same principle goes for emails received from known sources that are not expected (e.g. your mobile phone bill received again, 2 days after the first one, or halfway through the month rather than at the end).
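The two tells in the story above (the sender address `payments@service.com` standing in for `payment@service.com`, and a link whose visible text reads `www.paymentservice.com` while it actually points at `www.paymentservlce.com`) are exactly the kind of "very small details" that a short automated check can catch before a human ever has to squint at them. The following is an added example, not code from the original post or from Bulletproof: it compares a sender address and every link in an email body against a small allowlist of trusted addresses and hosts, flagging near-misses by edit distance and by folding common look-alike characters (0/o, 1/l/i, rn/m, vv/w). The allowlist, the sample email and the thresholds are all constructed assumptions for the demonstration.

```python
"""Flag sender addresses and link hosts that are near-misses of trusted ones.

Added example (not from the original post). The allowlist below is a
constructed assumption; a real deployment would load it from configuration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of senders and hosts we expect to hear from.
TRUSTED_SENDERS = {"payment@service.com"}
TRUSTED_HOSTS = {"service.com", "www.paymentservice.com"}

# Characters commonly swapped for look-alikes in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "l": "i", "|": "i", "5": "s", "3": "e"})


def normalise(s: str) -> str:
    """Fold look-alike characters so 'paymentserv1ce' and 'paymentservice' compare equal."""
    return s.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character typosquats like 'servlce'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _near(candidate: str, trusted: str) -> bool:
    return normalise(candidate) == normalise(trusted) or edit_distance(candidate, trusted) <= 1


def classify_host(host: str, trusted=TRUSTED_HOSTS) -> str:
    """Return 'trusted', 'lookalike of <host>' or 'unknown'."""
    host = host.lower()
    if host in trusted:
        return "trusted"
    for t in trusted:
        if _near(host, t):
            return f"lookalike of {t}"
    return "unknown"


def classify_sender(addr: str, trusted=TRUSTED_SENDERS) -> str:
    """Check both halves of an address: 'payments@' on the right domain is still a near-miss."""
    addr = addr.lower()
    if addr in trusted:
        return "trusted"
    local, _, domain = addr.rpartition("@")
    for t in trusted:
        tlocal, _, tdomain = t.rpartition("@")
        if (domain == tdomain and _near(local, tlocal)) or (local == tlocal and _near(domain, tdomain)):
            return f"lookalike of {t}"
    return "unknown"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_email(sender: str, html_body: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    verdict = classify_sender(sender)
    if verdict != "trusted":
        findings.append(f"sender {sender}: {verdict}")
    parser = LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        verdict = classify_host(host)
        if verdict != "trusted":
            findings.append(f"link {href}: {verdict}")
        # If the visible text looks like a URL/host, it must match where the link really goes.
        m = re.fullmatch(r"(?:https?://)?([\w.-]+\.[a-z]{2,})/?", text.lower())
        if m and m.group(1) != host:
            findings.append(f"link text shows {m.group(1)} but points to {host}")
    return findings


# Constructed sample reproducing the two tells from the story.
SAMPLE_SENDER = "payments@service.com"
SAMPLE_BODY = """<p>Your payment of £120 is waiting.</p>
<a href="http://www.paymentservlce.com/login">www.paymentservice.com</a>
<a href="https://www.paymentservice.com/help">Help centre</a>"""

if __name__ == "__main__":
    for finding in audit_email(SAMPLE_SENDER, SAMPLE_BODY):
        print(finding)
```

The check is deliberately conservative: a host is only called a lookalike when it is one edit away from, or folds to the same string as, something you already trust, so unrelated senders come back as "unknown" rather than as false alarms. Run against the constructed sample, it reports the misspelt sender, the `servlce` host, and the mismatch between the link's visible text and its real destination.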


Angler vs Wolf... and how to avoid them

To wrap everything up, it is safe to say that Bubba Gump will attempt to exploit us at some point in our online presence. On the bright side, it is usually easy to identify these kinds of attempts because of the not-so-subtle approach, which resembles a wolf in a lake. It is noisy, slow, and gives away the intent to harm you. On the other hand, we have the approach of an angler (those not-so-pretty deep-sea creatures with the light bulb on their head). These kinds of attacks are crafted closer to your liking and standards and are usually executed when you are more prone to bite. Paraphrasing the example above, you were looking for the sunlight, and the angler gave it to you (kind of). The best way to avoid falling victim to a phishing attack is to always pay attention to where you put your mouse cursor and what you click. No matter how legitimate it looks, spend that extra second to actually read and verify the email address, link and/or attachment before you take action. In case you do fall for one and actually give away any details (credentials, credit card details etc.), get in touch with the provider to block anything that has been compromised.