Gone Phishing

Anatomy of a Phish

Phishing. We hear about it all the time, with warnings abounding from IT and security experts. We know we will be targeted by it. We know that possibly we, or a colleague, may get caught. With the sheer amount of phishing attempts out there, and the high quality compared to days of yore, it can only be a matter of time. What does that mean for us though?

I have investigated a number of cases over the years which started out with a successful phishing attempt and can share a general overview of what some of those cases looked like. All names have been changed, to protect the guilty.

The view from the dark side

First off let’s see what a phishing attempt looks like from the criminal side of the event. How easily can Billy Blagger get started on a phishing enterprise? It turns out that it isn’t very difficult to do, which goes some way to explaining the volume we see nowadays.

Let’s say Billy wants to target ACME Legal Associates Inc, because Billy suspects they may have some action he can get in on. Billy does a little online digging and identifies a couple of employees at ACME that he can target. He gets their email addresses from their website and maybe digs up enough information to figure out which cloud services they use. Maybe ACME list their partners and happy customers on the site too. It’s all useful to Billy.

Let’s say Billy has identified Rodney A. Paralegal as a potential mark at ACME. Rodney seems to be involved in conveyancing, so his email account is one that Billy would love to gain access to. Billy does a lookup on Rodney’s email account and can see that it’s hosted by Microsoft 365. How hard is that to find out? Not hard at all. He goes to a site like https://dnschecker.org/mx-lookup.php and does an MX Lookup for ACME’s domain. Easy peasy. The only tool Billy needs to get this far is a web browser.

Now Billy needs to craft an email containing a form that will fool Rodney into entering his login details for his Microsoft 365 account, ideally without Rodney realising that he has given away the Keys to the Kingdom. When I say craft, I mean he just needs to alter a few details in a template. Billy doesn’t believe in hard work. There are templates available to impersonate a 365 login, and Billy just needs to change a few details in the template, and host it somewhere temporarily while it captures and stores any information Rodney enters into the form. He can beg, borrow, steal or buy templates to impersonate pretty much any online service. If he’s a little bit more technical he can clone a genuine login screen using the Social-Engineer Toolkit (SET), which is included in the pen tester and hacker’s favourite Linux distribution, Kali Linux. Kali is free, and Billy doesn’t even need to install it. He can run it as a virtual machine in VirtualBox or VMware. Alternatively he can download and install SET on his own computer.

All Billy needs to do is point SET at the login he wants to clone and it will make a fairly convincing copy for him. He can then make a few edits to his new copy so that when data is entered into the fake form by Rodney it will be recorded where he wants it to be. SET is menu driven, and fairly foolproof. Billy can’t really go wrong with it, and all he needs to do now is get his fake login to Rodney, which only involves sending him an email.

The view from the victim side

Rodney gets an email which looks business related. He opens it and there’s a link to a document which looks to be from a client. He clicks the link and one of those silly 365 login screens pops up again. He’s always having to log in to that. It’s why he has the password on a Post-It stuck to his screen. He enters his email and password, and they get recorded by Billy’s online database. Rodney doesn’t see what’s going on when he interacts with the form, but it could be storing information in a cloud bucket, free hosting, or hidden deep in someone’s compromised website.

Anyway, Rodney enters the information and his login is now compromised. If Billy is a bit sophisticated, his fake form will redirect Rodney to the real 365 page so that Rodney’s suspicions won’t be aroused and the login will appear to have worked. Or, if the real page asks him to log in again, Rodney might think that he entered the password incorrectly the first time. Either way, Billy now has access to Rodney’s email account, and Rodney probably has no idea. The email turned out to be nothing interesting, but that’s hardly unusual.

What happens now?

Now that Billy has access to Rodney’s email account he will probably do a couple of things. Firstly he will read Rodney’s emails. He will want to know what opportunities are in there. He will search for anything to do with financial transactions. He will set up a rule that blind copies all Rodney’s emails to an account on a free service where he can read them at his leisure, or maybe a rule which copies just those emails which contain interesting terms like “bank”, “BIC”, or “IBAN”.

From reading Rodney’s emails, he sees that a house purchase is at an advanced stage. John Smith is purchasing a holiday home and has been dealing with Rodney. Rodney is going to handle the purchase and make sure that all the legalities are looked after. This is Billy’s opportunity. He sends an email to John, from Rodney’s account, letting him know the BIC and IBAN of the bank account he needs to lodge the money into. Billy deletes the mail from Rodney’s sent items, and sets a rule so that any reply from John will be marked as read on arrival, and possibly placed into a folder where it’s unlikely that Rodney will see it.

Billy now interacts with John on Rodney’s behalf, and if all goes well for him John will send the money to Billy’s bank account. There’s no reason it shouldn’t go well as he has access to all Rodney’s emails so mimicking his language and tone is simples. Billy then deletes or hides the emails, takes the money, and exits stage left.
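The mailbox rules described above (forwarding to an outside account, filtering on financial terms, marking replies as read and filing them away) are the artefacts an investigator goes looking for first. As an added example that is not part of this article, here is a small Python script that scores constructed rule records for exactly those patterns; the record field names and the ACME domain are assumptions, not the real Microsoft 365 rule schema.

```python
# Added example (not from the article): heuristics for the inbox rules described
# above. The rule records are constructed to mirror the shape of Microsoft 365
# inbox rules; the field names are assumptions, not the real Graph/PowerShell schema.

INTERNAL_DOMAIN = "acme-legal.example"  # assumed placeholder domain for ACME
FINANCIAL_TERMS = {"bank", "bic", "iban", "transfer", "invoice"}

# Constructed sample rules: the first two follow the pattern in the article.
RULES = [
    {"name": "Sync", "owner": "rodney@acme-legal.example", "conditions": {},
     "actions": {"forward_to": ["bb1988@freemail.example"]}},
    {"name": ".", "owner": "rodney@acme-legal.example",
     "conditions": {"body_contains": ["bank", "IBAN"]},
     "actions": {"mark_read": True, "move_to": "RSS Feeds"}},
    {"name": "Newsletters", "owner": "rodney@acme-legal.example",
     "conditions": {"from": ["news@vendor.example"]},
     "actions": {"move_to": "Newsletters"}},
]

def external_forward(rule):
    """Addresses the rule forwards or BCCs to outside the organisation."""
    acts = rule["actions"]
    targets = acts.get("forward_to", []) + acts.get("bcc_to", [])
    return [t for t in targets if t.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]

def financial_filter(rule):
    """Financial keywords the rule matches on, lower-cased and sorted."""
    cond = rule["conditions"]
    terms = cond.get("subject_contains", []) + cond.get("body_contains", [])
    return sorted({t.lower() for t in terms} & FINANCIAL_TERMS)

def assess_rule(rule):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings, acts = [], rule["actions"]
    if ext := external_forward(rule):
        findings.append("forwards to external address: " + ", ".join(ext))
    if fin := financial_filter(rule):
        findings.append("filters on financial terms: " + ", ".join(fin))
    if acts.get("mark_read") or acts.get("delete"):
        findings.append("marks as read or deletes on arrival")
    if acts.get("move_to") and (fin or acts.get("mark_read")):
        findings.append("files matching mail away in: " + acts["move_to"])
    if not rule["name"].strip(" ."):
        findings.append("blank or placeholder rule name")
    return findings

def suspicious_rules(rules):
    """Map rule name -> findings for every rule with at least one finding."""
    return {r["name"]: f for r in rules if (f := assess_rule(r))}
```

Calling `suspicious_rules(RULES)` flags the "Sync" and "." rules and leaves the genuine newsletter rule alone; the same checks can be run over rules exported from a real tenant once the field names are mapped.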

This, ladies and gentlemen, is how you steal a 6 or 7 figure sum nowadays without having to wear a mask – or even get out of your pyjamas.

The upshot for the victim

ACME will of course find out that there is a problem when Rodney asks John to transfer the monies for his house purchase and John asks them why they are looking for it again. He will say that he followed their instructions, and they will say that they issued no such instructions. The ensuing investigation will confirm that the instructions were sent from an ACME account, resulting in huge embarrassment and costs to both business and client. The vast majority of the hit will likely go to ACME, and it’s a high price to pay for an email.

And then there’s that call they will have to make to the Data Protection people… and the calls to all the clients who had dealings with Rodney’s email account.

Colm Gallagher is the head of CommSec’s forensics business practice.