Anatomy of a phishing campaign.
TDL are not unlike any other organisation in that we are not immune to phishing attacks and common scenarios where our internal staff are targeted in an attempt to have a fraudulent invoice paid. In order to learn from the experience and increase awareness this is how a recent event went down in our business.
- Internal staff member received an email from a 'trusted source'. It was someone they regularly correspond with and, based on their training, they concluded the email was legit as the sender details were valid and the topic was relevant.
- The email contained a pdf attachment with a name relevant to the sender and the topic. It was only once this attachment was opened and it contained rubbish information that the recipient suspected something was awry. At this point the malware had already compromised the machine and this staff members' credentials were compromised. What happens next is interesting….
- The perpetrator went straight for the Exchange account and scanned for any email conversations pertaining to paying of invoices. An RSS feed was set up for all correspondence with the parties involved in this conversation and emails were sent to our staff member and the other party around changing of banking details and how this account needs to be paid immediately.
The use of an RSS feed to track and intercept conversations is something we've encountered several times now and checking your RSS feed folder in Exchange for conversations seems to be one way of determining if an accounts' credentials have been compromised.
- Our manual processes stepped in at this point as the whole payment conversation seemed too weird and did not align with our normal payment processes. It was at this point where the escalation occurred. The compromise was identified, the accounts and endpoint device cleaned and a post-incident review was initiated to determine what we could better.
Key learnings from this event.
- The initial email was very well formed and targeted. This was not the archetypal 'Nigerian prince' type email and there was no reason not to suspect that the sender was fraudulent.
- The email in question made it through our filtering engines. The web link also in the email was blocked by Cisco Umbrella as it was detected as a fraudulent site.
- Never take the position of 'it was the users fault for clicking on the link', belittle that person or assume you yourself are above this. They are called targeted attacks for a reason. According to this research, https://blog.barkly.com/phishing-statistics-2016, 1 in 3 companies have had executives fall victim to CEO fraud email. If you want to point and laugh at your C-level, go ahead….
- If there is suspicion of a compromised account in Office 365, there are good resources from Microsoft on the topic:
How to check if your account has been compromised.
How to fix a compromised account.
https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/