Earlier this week, we wrote an article on the threats of spear phishing. We thought we could drive the lesson home with a story about a spear phishing attack that happened recently.
A very sophisticated spear phishing campaign has exploited a major energy company. The scam used a clever ruse to get around the organization’s Microsoft email security software. It relied on a complicated phishing attack that was sent from Google Drive. According to Aaron Riley, a researcher from cybersecurity firm Cofense, the scammers impersonated as the CEO of the organization. The scammers sent an email via Google Drive and said they were sharing “sharing an important message” with the employees. Nobody wanted to disbelieve the CEO of the company.
The email was not sent directly by a hacker. The originator of the email was actually Google Drive. It was received by subordinates, but it triggered a major “warning”: the email address did not conform to the company’s internal naming convention for emails. But most employees wouldn’t take the time to verify the threat and clicked the link anyways, Riley told us. This proves that the desire to avoid investing a few seconds to versify something can be a tragic mistake.
The link was incorporated in email content. It linked to a legitimate Google Drive filled with numerous documents that employees could download. Also, Microsoft’s email spam detection tool does not determine the destination that the user is going to be taken after clicking on the link on the Google Drive. Even though the Google Drive link may not look malicious, the final destination that the user will be referred to could contain malicious malware or be part of a devious social engineering scheme by hackers. As a result, the user could be lulled into a false sense of security.
Let’s review the email received by employees:
Dear colleague, I want to share a few thoughts and deliver a quick review regarding topic X. These thoughts will be explained in detail. All employees are obligated to read, know and interpret it, as well as share their opinions. I appreciate your constant help in improving our organization. CLICK HERE TO SEE THE UPDATE. Note: the message is of great import and all workers should view the link.
Riley explained that scanning past the first link wouldn’t solve the problem. The email inspection application still would not be able to evaluate links that were present on the following pages unless the user was trying to download them.
The phishing attack was not detectable, because there was not an immediately visible threat.
Once a user accessed a document on Google Drive, nothing immediately happened that was malicious. The targets were given an explanation of a public business decision by the “CEO” and then asked to view a related document via another link.
Any employees that decided to click the link embedded in the Google Drive document were sent to a fake login page that had recently been registered at the domain. Once the victims provided their credentials, they were shared with the scammers.
The real lesson here is that employees could have been taught to look for suspicious emails and could have prevented the attack. In addition to the fact that the CEO’s email address was incorrect, the information about the “business decision” was over a year out of date. Additionally, two sentences in the document contained very poor English: “I appreciate your constant help in improving our organization” and “the email is of great import and all employees should access the link”, which are informal. This is already a warning sign that should not have been missed.
Riley noted that exactly the same sentences were witnessed in a similar scam that had targeted major universities, indicating that the hacker has a known MO, which will make it easier to detect future phishing. By recognizing sentences that have already been used, a future attack could be recognized. It is important, then, to pay special attention to the content of an email you receive.