[Heads Up] This Ingenious Worm Phishing Campaign Is A Game-Changer In Password Theft And Account Takeovers

A few days ago in a Medium blog post, Craig Hays, a cybersecurity architect and bug bounty hunter, described a new type of phishing attempt that turned out to be "the greatest password theft he had ever seen." He said: "I got hit by a devastating worm that spread through phishing. This is how it worked and what I learned from it."

Charlie Osborne at ZDNet summarized Hays' story: "Originally, the security expert simply deemed the notification "another day, another attack." The team locked the impacted account down and began to investigate the incident in order to find the root cause and any potential damage.

Within minutes, several more alerts pinged their inbox. This, in itself, isn't unusual. As Hays noted, "emails that made it through the filtering rules tended to hit a number of people at the same time."

However, after the sixth report, the responders noticed this was potentially something more substantial -- and by the time they had conducted an initial damage assessment and two accounts had been recovered, they faced a "huge wave of account takeovers."

"We could see that all of the accounts were being accessed from strange locations all over the globe and sending out a large number of emails," Hays said. "For so many accounts to be hit at once, it was either a really, really effective phishing attack, or someone had been biding their time after stealing credentials over a long period."

The phishing emails were being sent as replies to genuine emails

The problem was, the initial credential theft vector wasn't obvious and no victim had received an email from a new contact on the day -- the latter being how phishing messages are generally sent, often appearing from a spoofed or seemingly-legitimate source. Eventually, the team turned to sign-in timestamps to connect the account takeovers with emailed communication -- and this revealed the attack vector.

"The phishing emails were being sent as replies to genuine emails," the researcher explained. "Emails exchanged between our people and our suppliers, our customers, and even internally between colleagues."

This is how it worked: once one email account was compromised, the credentials for the account were sent to a remote bot. The bot would then sign into the account and analyze emails sent within the past several days.

"For each unique email chain it found, it replied to the most recent email with a link to a phishing page to capture credentials," Hays said. "The wording was generic enough to fit almost any scenario and the link to a 'document' didn't feel out of place."

Sent as a reply-all, using a legitimate email account, and given the conversation history, trying to distinguish the bot from the genuine account owner was difficult.

Phenomenal number of accounts compromised in a few hours

The technique, resulting in worm-like mass takeovers, left Hays "in awe" of the "phenomenal number of accounts [that] were compromised within a few hours." Unfortunately, as the bot grew in size and took over account after account, this allowed it to propagate beyond the impacted company itself -- the phishing emails were also sent to other people outside of the organization.

The phishing attack was out of control by this point and the only way the team was able to clamp down on it was by finding a pattern in the URL of the phishing pages that could be used to add a quarantine rule.
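The two signals the story describes (one account replying to many distinct existing threads with a link in a short window, and a recurring pattern in the phishing URLs that can drive a quarantine rule) can both be checked from an outbound-mail log. The following is an added example written for this post, not code from Hays, ZDNet or any mail product; it assumes a simplified log of outbound messages (sender, thread id, timestamp, body) and uses a constructed URL pattern and constructed sample messages.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Matches http(s) URLs in a message body; good enough for log-derived text.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass
class OutboundMail:
    """One outbound message from the mail log (hypothetical schema)."""
    msg_id: str
    sender: str
    thread_id: str   # id of the existing conversation this message replies to
    sent_at: datetime
    body: str


def extract_urls(body: str) -> list[str]:
    return URL_RE.findall(body)


def find_mass_repliers(mails, window=timedelta(minutes=10), min_threads=5):
    """Flag senders that replied to >= min_threads distinct threads with a link
    inside any `window`-long period. Returns {sender: set_of_thread_ids}."""
    by_sender = defaultdict(list)
    for m in mails:
        if extract_urls(m.body):          # only link-bearing replies matter here
            by_sender[m.sender].append(m)

    flagged = {}
    for sender, items in by_sender.items():
        items.sort(key=lambda m: m.sent_at)
        start = 0
        for end in range(len(items)):     # sliding window over sorted replies
            while items[end].sent_at - items[start].sent_at > window:
                start += 1
            threads = {m.thread_id for m in items[start:end + 1]}
            if len(threads) >= min_threads:
                flagged[sender] = threads
                break
    return flagged


def quarantine_by_url_pattern(mails, pattern: str) -> list[str]:
    """Return msg_ids whose body links match the quarantine pattern, in log order."""
    rx = re.compile(pattern)
    return [m.msg_id for m in mails
            if any(rx.search(u) for u in extract_urls(m.body))]


def build_sample_log() -> list[OutboundMail]:
    """Constructed sample: a compromised account replies to six threads in six
    minutes with the same lure; a colleague sends ordinary mail."""
    base = datetime(2020, 9, 1, 9, 0)
    lure = "Hi, please review the document: https://docs-share.example/view/7f3a"
    log = [OutboundMail("a0", "alice@corp.example", "T0", base - timedelta(hours=1),
                        "Agenda is on https://intranet.example/wiki/agenda")]
    for i in range(1, 7):
        log.append(OutboundMail(f"a{i}", "alice@corp.example", f"T{i}",
                                base + timedelta(minutes=i - 1), lure))
    log.append(OutboundMail("b1", "bob@corp.example", "T7", base + timedelta(minutes=1),
                            "Draft at https://intranet.example/wiki/draft"))
    log.append(OutboundMail("b2", "bob@corp.example", "T8", base + timedelta(minutes=2),
                            "Thanks, will do."))
    return log


def run_sample():
    log = build_sample_log()
    flagged = find_mass_repliers(log)
    # Constructed quarantine pattern, standing in for the real pattern the
    # responders found in the phishing URLs.
    quarantined = quarantine_by_url_pattern(log, r"docs-share\.example/view/")
    return flagged, quarantined


if __name__ == "__main__":
    flagged, quarantined = run_sample()
    print("mass-reply senders:", flagged)
    print("quarantined message ids:", quarantined)
```

The first check is behavioural and catches the worm even before a URL pattern is known: a human rarely answers five or more separate conversations with a link inside ten minutes. The second is the quarantine rule the responders ended up with, applied retroactively to the log so already-sent copies can be pulled back.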

While Hays calls the campaign "ingenious" and "the most favorite attack I've seen in person," he also notes that the bot was "too effective" and its eagerness to propagate set up red flags and alerts too quickly to reach its full potential. Multi-factor authentication was quickly implemented for email accounts that had not enabled the additional security measure.

"The goal for this attacker was probably to harvest credentials to sell on the dark web. They achieved their goal of harvesting a lot of credentials, but they were too noisy about how they went about it and immediately raised alarms, losing any value they had gained," Hays commented.

You really need to train your users to not click on phishy links inside existing email threads. Story at ZDnet:

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:
