In this series, our security experts will give a behind the scenes look at phishing emails that were reported to PhishER, KnowBe4's Security Orchestration, Automation and Response (SOAR) platform. We will go in-depth to show you real-world attacks and how you can forensically examine phishing emails quickly.
Each Phishing Catch of the Day will focus on a single phish attempt and describe:
- What context or pretexting exists between employee, hacker and email.
- What red flags one can look for before falling victim.
- What attack vector is being utilized and for what purpose.
- What steps to take to inoculate users from similar attacks.
The Initial Phish Breakdown
Figure 1: PhishER Screenshot of Reported Phishing Email
Early in the morning on Feb 11th, a Knowbe4 employee received an email that claims their inbox will be deactivated if they do not confirm their email address. The sender of this phish is hoping to generate an emotional reaction, causing a user to react without thinking.
Phishing Warning Signs and Red Flags
The best approach to consistently identify phishing is to simply ask oneself “Is this phishing?” whenever viewing an email or electronic message. The brain will naturally jump into a detective mindset and become resilient to emotional reaction.
Scroll up to the first screenshot, put on your detective cap, and try to find as many red flags as you can before continuing!
Figure 2: Red flags found in the phishing email
Let’s gather more information from the headers of the email. Clicking on the Headers tab in PhishER will give you all headers pulled from the reported message in an easy-to-read format and highlights ip addresses and authentication information for you. Take a look at the Arc-Authentication-Results to figure out the original, non-spoofable, sender location.
Figure 3: Arc-Authentication-Results from the Headers tab in PhishER
It appears that the email is coming from an Amazon SES server and the originating ip is 23.251.242.1. You may be able to reach out to Amazon and report abuse if necessary, especially if this is an ongoing problem from this specific address.
Phishing Attack Vector and Road to Compromise
Opening up the link found in the email, we see the landing page below.
Figure 4: Phishing email landing page
Notice the “NOPE” at the top and the fill-in for “nope@nope .com”. This is pulled from the ‘#’ anchor passed in to the page from the email URL. The page then uses javascript to style the form and add any icon found in Google images for the user’s email domain. This is to provide some familiarity to a victim and to imitate a generic login page that an individual might trust.
Figure 5: Anchor passed in from the URL in the email body
Upon entering their credentials, the page will run a js script to verify that the password and email fields are not empty and send the form contents to a remote server in Indonesia (which may explain why the email had been sent outside US business hours).
Figure 6: JS code to POST user entered credentials to a remote server
Figure 7: WHOIS of the domain found in the POST request
Conclusions and Recommendations
The attack described above is a perfect example of credential phishing. This is a tactic where a hacker will route you to a landing page that imitates a popular or important browser application in hopes that, when you enter your username and password, they can pocket the credentials to use at a later date.
This attack can be particularly harmful to your organization because your end users are usually unaware that they have compromised their account! A malicious actor can utilize this access for weeks without detection because any activity looks to come from a legitimate account.
If you're a KnowBe4 customer, you can find this phishing template under the IT Category on the KMSAT platform labeled, "IT: IT Support Email Shutdown (Link) (Spoofs Domain)".
It's important to ensure your users are staying alert of the latest attacks. Frequent phishing security tests and new-school security awareness training can help your users actively apply training techniques in their day-to-day job functions.
