With December upon us and 2014 almost in the books, it's a perfect time to take a look back at the year that was, from a phishing standpoint of course. If you've been following this blog, you know that we are constantly analyzing phishing emails received and reported to us by PhishMe employees. What was the most interesting phishing trend we observed in 2014? While attackers are loading up their phishing emails with new malware all the time, the majority of their phishing emails use stale, recycled content.
Given this trend, a list of the best phishing emails of 2014 may not sound like a compelling exercise, but just because they reused content doesn't mean we didn't see a number of interesting phishing attacks:
10. Fax notification phishing
Fax machines may seem like something you only see on VH1's "I Love the 90s," but fax notices are a popular theme for phishing emails. Many of the attacks discussed in this post used fax-themed phishing emails, and we recently received fax-themed attacks that sent modified versions of Dyre and an attack that featured Upatre malware, discussed in this whitepaper. In the case of the Upatre Trojan downloader, the phishing content was the same as any generic eFax phish, but the technical methods behind the malware were cutting-edge.
9. .NET Keylogger
This attack started with a generic banking-themed phish with a .zip attachment. The malware turned out to be a .NET keylogger that had the capability to scrape passwords stored in web browsers and other forms of media. Pretty deadly.
8. Message from attorney
Earlier this spring we received a phishing email purporting to be from a friend who was sending a .zip file containing sensitive information from the recipient's attorney. Why would your friend email you a .zip file from an attorney? It's a valid question, and an important one to ask, because the .zip file contained a malicious executable.
7. Ransomware phishing
Back in May, we received a round of phishing that used fake MAILER-DAEMON email delivery failure notices to trick recipients into running an executable that installed a variant of Cryptolocker. A few weeks later, we received a fax-themed phish that led recipients to Cryptowall. Upon examining the bitcoin wallets of the attackers, we found they had collected over $130k in ransom payments.
6. ADP themed email with PDF exploit
Because they allow the attacker to project a sense of authority and stir up emotions such as urgency, fear, and greed, payroll-themed phishing emails are extremely common. What was different about this ADP phish? It contained a PDF exploit that injected shellcode into Reader. To complicate analysis, the attackers used several layers of zlib compression and difficult-to-track variable names.
5. IRS data-entry phish
Death, taxes, and phishing emails that spoof the IRS. Spoofing our nation's tax collection agency is a tried and true tactic, and this phishing email from August played on the recipient's desire to receive a tax refund by linking to a page where the recipient could specify payment information for the refund, provided he/she entered login credentials. After performing OSINT analysis on the phishing page, we found the same text had been used way back in 2006.
4. Slava Ukraini phish
Back in July, a new strain of Dyre appeared, packaged as a zip file containing a screensaver file. The malware was interesting, but the phishing email? It was a simple fax notice, sent to one of our senior executives here at PhishMe.
3. Compromised .edu domain serving ZeuS
Near the end of October, we received a pretty ordinary phishing email with a .zip attachment supposedly containing information about a payment. The attachment contained a form of Zeus. Why does it make the list? The attackers sent the email from a compromised .edu domain. The trusted nature of an educational institution's domain, and the good amount of bandwidth those domains usually have, provide attackers with an attractive platform for delivering malware.
2. Dropbox phishing
The rise of 3rd-party cloud services like Dropbox has provided attackers with an interesting new method to deliver malicious content through your network. In a round of emails last June that served as the precursor to Dyre, we received phishing emails that linked to a supposed invoice on Dropbox. The Dropbox link itself was legitimate, only it led to a .zip file containing a .scr, not an invoice. Dropbox has been quick to shut down this type of abuse, but it has proven to be a good method for attackers to get past spam filters. Dropbox use is so common that most organizations won't block its links. A few weeks later we would see Dropbox links abused in targeted attacks against the Taiwanese government.
1. Dyre malware email
The most notorious phishing email of 2014 seemed innocent enough upon first glance. We actually received two emails containing the then unknown malware, with both of them pointing to links from a third-party file sharing service, Cubby. The content of the emails itself was bland: one simply directed the recipient to a link to an invoice, while the other was a bit more extensive, directing the recipient to a link to learn more about a failed tax payment. Both of these led to the now notorious Dyre malware, a remote access Trojan (RAT) that has targeted banking information and customer data. Dyre's impact has been widespread enough to catch the attention of the US-CERT.
If we learned only one thing about phishing in 2014, it should be that phishing attackers repeat themselves. This can prove useful in helping us defend against phishing in the future. While the security industry has traditionally focused on bad IP addresses and malware when it comes to phishing, we ought to be focused on tactics, techniques, and procedures. Focusing on email content, headers, and URLs to recognize patterns and take preventive action will add another layer of phishing defense.
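To make that closing point concrete, here is an added illustration (not PhishMe's code) of what pattern-based triage on content, headers and URLs can look like: a small scorer that parses raw messages with Python's standard `email` module and flags the recurring lures this list describes, namely fax, invoice, payroll and tax-refund themes, fake MAILER-DAEMON bounces carrying an executable, archive or screensaver attachments, and file-sharing links that resolve to an archive rather than a document. The keyword lists, weights, host names (the Cubby host name is assumed) and the four sample messages are all constructed for the example.

```python
"""Heuristic phishing triage over raw RFC 822 messages (added example, not vendor code)."""
import re
from email import message_from_string
from email.message import Message

# Lure themes the post calls out; constructed keyword patterns, not a threat feed.
THEMES = {
    "fax": re.compile(r"\b(e?fax|fax (notice|message))\b", re.I),
    "invoice": re.compile(r"\binvoice\b", re.I),
    "payroll": re.compile(r"\b(adp|payroll)\b", re.I),
    "tax": re.compile(r"\b(irs|tax (refund|payment))\b", re.I),
    "bounce": re.compile(r"mailer-daemon|delivery (failure|failed)", re.I),
}
RISKY_EXT = (".zip", ".scr", ".exe")           # archive/executable delivery the post describes
SHARE_HOSTS = ("dropbox.com", "cubby.com")     # file-sharing hosts abused; cubby host assumed
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def _text_parts(msg: Message) -> str:
    """Concatenate the decoded text/* bodies, skipping attachments."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def attachment_names(msg: Message) -> list:
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def indicators(raw: str) -> dict:
    """Extract the content/header/URL patterns from one raw message."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    text = subject + "\n" + _text_parts(msg)
    found = {"themes": sorted(t for t, rx in THEMES.items() if rx.search(text))}
    found["risky_attachments"] = [n for n in attachment_names(msg) if n.lower().endswith(RISKY_EXT)]
    found["share_links_to_archive"] = [
        u for u in URL_RE.findall(text)
        if any(h in u.lower() for h in SHARE_HOSTS)
        and u.lower().rstrip("/").split("?")[0].endswith(RISKY_EXT)
    ]
    # A "bounce" that carries an executable is the Cryptolocker lure from the post.
    sender = msg.get("From", "")
    found["bounce_with_attachment"] = bool(
        THEMES["bounce"].search(sender + " " + subject) and found["risky_attachments"])
    return found


def score(raw: str):
    """Return (score, indicators); weights are illustrative, tune to your own mail."""
    ind = indicators(raw)
    s = len(ind["themes"]) + 3 * len(ind["risky_attachments"]) \
        + 3 * len(ind["share_links_to_archive"]) + (2 if ind["bounce_with_attachment"] else 0)
    return s, ind


# Constructed sample messages (no leading blank line, or headers would be lost).
FAX_ZIP = """\
From: "eFax" <fax@example.net>
Subject: You have a new fax message
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your fax is attached. Open the archive to view it.
--b1
Content-Type: application/zip; name="fax_00123.zip"
Content-Disposition: attachment; filename="fax_00123.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""
DROPBOX_INVOICE = """\
From: "Accounts" <ap@example.org>
Subject: Invoice
Content-Type: text/plain; charset="utf-8"

Please review the invoice: https://www.dropbox.com/s/abc123/invoice_8831.zip?dl=1
"""
BOUNCE = """\
From: MAILER-DAEMON@example.com
Subject: Delivery failure notice
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Your message could not be delivered. See the attached report.
--b2
Content-Type: application/octet-stream; name="report.exe"
Content-Disposition: attachment; filename="report.exe"
Content-Transfer-Encoding: base64

TVo=
--b2--
"""
BENIGN = """\
From: colleague@example.com
Subject: Lunch tomorrow?
Content-Type: text/plain

Want to grab lunch at noon? Menu: https://www.example.com/menu.pdf
"""

if __name__ == "__main__":
    for name, raw in [("fax", FAX_ZIP), ("dropbox", DROPBOX_INVOICE), ("bounce", BOUNCE), ("benign", BENIGN)]:
        print(name, *score(raw))
```

The point of the scorer is not the weights but where it looks: none of the signals depend on a sender IP or a malware hash, so a recycled lure scores the same on its tenth reuse as on its first. Anything above zero is a candidate for analyst review or for feeding a report button, rather than an automatic block.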