Cyber criminals keep creatively upping their game, and this new phishing attack is proof of that. A new worm-like phishing attack has found a way to hop between victims in a way that has rarely been seen before. One cybersecurity researcher called the method of operation of this phishing attack ‘ingenious’. The attack specializes in credential theft and account takeover, but its mechanics differ considerably from the usual phishing attempts. Craig Hays, a cybersecurity architect and bug bounty hunter, has shared his thoughts on this cyber-attack.
“The Greatest Password Theft Attempt,” says Hays
Organizations are becoming wary of cyber scams, and more and more of them are hiring or contracting cyber security teams to ward off potential attacks. The organization in this particular case also had a computer security incident response team (CSIRT) that immediately warned Hays when a phishing attempt was detected. The CSIRT isolated and locked the account of the employee whose machine had fallen prey to the phishing attempt.
Just as they began digging into this machine for the root of the attack, several more warnings popped up on other machines. This was expected, as phishing campaigns typically target multiple email addresses at once. The response team carried on as usual, not giving the attack any special treatment. But by the time all the alerts had been identified and accounted for, the true scale of the issue came to light.
When the security team completed a top-level damage assessment and recovered two of the many threatened systems, they found that it was a mass account takeover attempt. Several organizational accounts were being accessed from different geographical locations and were sending out large numbers of emails. Hays acknowledged that a bulk phishing attempt does not usually have such a high success rate. He guessed that it was either a very effective phishing campaign, or that someone had been stealing credentials for a long time and was simply waiting for the right moment to use them.
The intriguing thing about the attack
Typically, when a phishing attack has some success, the reason is that an employee interacted with a malicious email. However, the phishing alert raised by the CSIRT could not be traced to a particular phishing email or spam attempt. The team then tried to match the timestamp of the takeover to the email communication that had taken place at that moment. Doing this, they were eventually able to uncover the attack vector.
“The phishing emails were being sent as replies to genuine emails,” noted Hays. “Emails exchanged between our people and our suppliers, our customers, and even internally between colleagues.”
How was the credentials theft carried out?
This was an attack that jumped from machine to machine. All it took to get the ball rolling was a single account. Once one account was breached, the credentials for that email account were fed to a remote bot. The bot ran a script that used the credentials to scan through the recent email communication to and from that account.
For each recent thread it found, the bot sent a phishing email as a reply to the latest message in that thread. The email contained a malicious payload (a link to a spoofed page) that acted when an employee engaged with it. The ‘From’ address of the phishing email was spoofed, and the email was constructed to pass a basic inspection.
In a matter of hours, after injecting the phishing emails into valid, genuine email threads, the phishing attempt had gathered the credentials of several employees. Hays marvels at the chain reaction of this attack. It is almost like a worm, which spreads rapidly from machine to machine. Ultimately, that was its own undoing: it was so effective and rapid that red flags were raised quickly and the attack was singled out.
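The two signals the response team ended up relying on, accounts being accessed from several geographical locations at once and a sudden flood of outgoing replies from each compromised mailbox, can be turned into simple detection rules. The script below is an added example, not code from Logix Infosecurity or from Craig Hays, and the log format and sample lines in it are constructed for the illustration; real mail gateways and identity providers each have their own formats, so the parser is the part you would adapt.

```python
"""Added example: detection heuristics for the reply-chain account takeover
pattern described above. The log format and every sample line here are
constructed for this example (an assumption); they are not from the article,
from Craig Hays, or from any real mail gateway."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): "<iso-timestamp> <account> <event> <country> <detail>"
# event is "login" (detail = source IP) or "send" (detail = subject line).
SAMPLE_LOG = """\
2020-09-01T09:00:00 alice@corp.example login GB 203.0.113.5
2020-09-01T09:01:00 alice@corp.example send GB Re: Q3 invoice
2020-09-01T09:02:30 alice@corp.example login BR 198.51.100.7
2020-09-01T09:03:00 alice@corp.example send BR Re: Q3 invoice
2020-09-01T09:03:05 alice@corp.example send BR Re: shipment delay
2020-09-01T09:03:10 alice@corp.example send BR Re: contract renewal
2020-09-01T09:03:15 alice@corp.example send BR Re: onboarding docs
2020-09-01T09:03:20 alice@corp.example send BR Re: meeting notes
2020-09-01T09:03:25 alice@corp.example send BR Re: PO 4471
2020-09-01T09:05:00 bob@corp.example login GB 203.0.113.9
2020-09-01T09:06:00 bob@corp.example send GB Re: lunch?
2020-09-01T09:40:00 bob@corp.example send GB Re: Q3 invoice
"""


def parse_log(text):
    """Parse the constructed log lines into (timestamp, account, event, country, detail)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, event, country, detail = line.split(" ", 4)
        events.append((datetime.fromisoformat(ts), account, event, country, detail))
    return sorted(events)


def multi_country_logins(events, window=timedelta(minutes=30)):
    """Accounts whose logins come from more than one country inside one window.
    Returns {account: sorted list of countries seen}."""
    logins = defaultdict(list)
    for ts, account, event, country, _ in events:
        if event == "login":
            logins[account].append((ts, country))
    flagged = {}
    for account, entries in logins.items():
        for ts, _ in entries:
            countries = {c for t, c in entries if ts <= t <= ts + window}
            if len(countries) > 1:
                flagged[account] = sorted(countries)
                break
    return flagged


def reply_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Accounts that send at least `threshold` reply ("Re:") messages within one window.
    A bot answering every recent thread produces exactly this burst.
    Returns {account: largest number of replies seen in any window}."""
    replies = defaultdict(list)
    for ts, account, event, _, subject in events:
        if event == "send" and subject.lower().startswith("re:"):
            replies[account].append(ts)
    flagged = {}
    for account, times in replies.items():
        best = 0
        for i, start in enumerate(times):
            best = max(best, sum(1 for t in times[i:] if t <= start + window))
        if best >= threshold:
            flagged[account] = best
    return flagged


def suspicious_accounts(text):
    """Combine both heuristics; an account that trips both is the strongest signal."""
    events = parse_log(text)
    geo = multi_country_logins(events)
    bursts = reply_bursts(events)
    report = {}
    for account in set(geo) | set(bursts):
        report[account] = {
            "countries": geo.get(account, []),
            "reply_burst": bursts.get(account, 0),
            "score": int(account in geo) + int(account in bursts),
        }
    return report


if __name__ == "__main__":
    for account, info in sorted(suspicious_accounts(SAMPLE_LOG).items()):
        print(account, info)
```

On the constructed sample, only alice is flagged: a second login country within minutes of the first, and seven replies inside a five-minute window, while bob's two replies forty minutes apart stay under the threshold. The thresholds are deliberately tunable; a help desk mailbox legitimately answers many threads per hour, so the geography signal is what separates a busy user from a hijacked account.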
As a precaution, MFA was set up for all the accounts of that organization.
Read our blog on Multi-Factor Authentication to know how it protects against phishing.
Logix Infosecurity is a leading organization with over 20 years of experience dealing with email threats of all kinds. Take a look at our email security solutions and see if we fit your needs!