Published on May 22nd, 2019

Going stealth: Bad guys embrace the power of branding


By Stu Sjouwerman

Since the very dawn of organized phishing attacks, the bad
guys have recognized the power of exploiting trusted brands and online
services. Our original experience with phishing was defined by spoofed emails
purporting to hail from popular banks. Their objective was simple: trick users
into coughing up their online banking credentials with convincingly branded
emails and fake login pages.

It’s a technique that has kept on giving, long after the bad
guys scaled their ambitions beyond merely draining the bank accounts of
individual marks. Perhaps the most infamous phishing email of all time — the John Podesta phish that
was exploited by the Russians in the 2016 U.S. presidential election — spoofed
a common Google security notification email that has likely been seen by
millions of users. By trading on the good names of established companies and
leveraging users’ trust in their offerings, the bad guys can effectively hide
malicious content in plain sight.

In the vast majority of cases, the bad guys leverage the
power of brands by simply spoofing the emails and web pages of trusted brands
and online services. They may do it more or less well. And the resulting emails
and web pages range from utterly convincing to barely believable.

When Faking It is No Longer Making It

At the end of the day, though, those spoofed emails and web
pages are still fake. More and more the bad guys are discovering that clever
fakes aren’t cutting it anymore. Not only are users getting more savvy,
anti-virus and Exchange security services have become more sophisticated and
capable in their ability to identify spoofs.

Phishing campaigns that rely on spoofed emails and web pages
can fail for a number of reasons:

  • headers reveal the true origin of malicious
    emails
  • email subjects and body content are fatally
    flawed in terms of format and textual content
  • embedded links tip off users and security
    software to the true destination of apparently innocuous URLs
  • hosted content (and the host itself) offers
    tell-tale clues that everything is not as it seems

Here is a fairly typical spoofed Dropbox phishing email,
which is littered with clues that should tip off attentive users that this is
not a real Dropbox email:

The problems begin with the From: line, which uses an aol.com email address instead of the
standard no-reply.dropbox.com. The problems continue with the awkward attempt
to shoehorn the “via Dropbox” (with the parentheses misplaced) into
the Subject: line instead of the From: line. The formatting and
arrangement of items in the body contain still more clues, including the
inexplicable use of Adobe PDF icons and file names.

Even users who don’t bother to hover their mouse over the
link should recognize that something is amiss once their browsers open to this
landing page:

From the URL — which points to a free web host instead of
Dropbox itself — to the offer of multiple login options, users who are paying
attention should have ample opportunity to sidestep this ham-handed attempt to
trick them into coughing up their credentials. Smartly written security
software, which can dig into this phish email’s headers, would be in the same
position as the proverbial mosquito in a nudist colony: one hardly knows where
it would begin.

These problems are baked into the process of spoofing
trusted online brands and services. The bad guys can do little about the
headers and delivery of spoofed phishing emails — those are largely determined
by the choices bad actors are forced to make when figuring out how and where to
host and maintain their malicious content. Moreover, while some criminal groups
may have a talented and disciplined pool of developers to work with, others are
forced to rely on whatever local talent they can get.

What most often gives away spoofed phishes to users is the
link. The most reliable, objective strategy that users can employ to spot
potentially malicious emails is the link check. Email headers may be a
confusing chore to wade through. Links don’t lie — at least to those who
bother to check.
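The two clues described above, the From: line whose domain does not belong to the brand it names and the link check, as detection logic run over a constructed sample message (an added example, not code from the article or from KnowBe4; the brand allowlist, the `.invalid` hostname and both sample emails are constructed for illustration):

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist for illustration: brand -> domains it legitimately uses.
BRAND_DOMAINS = {"dropbox": {"dropbox.com"}, "dhl": {"dhl.com"}}

def registrable(host):
    """Naive eTLD+1 (last two labels); use the Public Suffix List in production."""
    return ".".join(host.lower().split(".")[-2:])

def brand_in(text):
    """First known brand named in text, or None."""
    return next((b for b in BRAND_DOMAINS if b in text.lower()), None)

class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__(); self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a": self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None: self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip())); self._href = None

def analyze(raw_message):
    """Return a list of findings; empty when brand, sender and links agree."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg["From"] or "")
    sender = registrable(addr.rpartition("@")[2])
    brand = brand_in(f"{name} {msg['Subject'] or ''}")   # brand the email claims
    findings = []
    if brand and sender not in BRAND_DOMAINS[brand]:
        findings.append(f"From: names {brand} but is sent from {sender}")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = _Anchors(); parser.feed(body)
    for href, text in parser.links:
        expected = brand_in(text) or brand              # brand the reader will assume
        host = registrable(urlparse(href).hostname or "")
        if expected and host not in BRAND_DOMAINS[expected]:
            findings.append(f"link '{text}' implies {expected} but goes to {host}")
    return findings
# Constructed sample messages: a Dropbox-themed phish and a benign notification.
PHISH = ('From: "Dropbox" <files.team@aol.com>\nSubject: 6 pending documents (via Dropbox)\n'
         'Content-Type: text/html\n\n<p>You have 6 pending documents.</p>'
         '<a href="http://free-host.invalid/dbx/index.html">View on Dropbox</a>')
LEGIT = ('From: "Dropbox" <no-reply@dropbox.com>\nSubject: A file was shared with you\n'
         'Content-Type: text/html\n\n<a href="https://www.dropbox.com/s/example">Open</a>')
```

`analyze(PHISH)` reports both the aol.com sender and the free-host link; `analyze(LEGIT)` returns nothing, which is the behaviour a mail-gateway rule built on these two checks should have before anything else is layered on top.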

And the bad guys know this. Thus, in many cases it’s not
enough to simply spoof legitimate brands and online services in order to
leverage the trust users have placed in them. To create truly convincing fakes
of trusted online brands and services, it’s imperative to actually exploit the
functionality of those services and brands so that malicious emails can land in
users’ inboxes like so many Trojan horses.

The Gold Standard for True Fakes

Bad guys looking to disguise bad links are increasingly
exploiting the very features of web sites and services associated with trusted
brands, not just spoofing them. That means turning to sites that allow user-hosted
content or offer other useful features, even things as simple as URL
redirection.

The best “true fakes,” however, do more than
simply fuss over the link. The real goal when constructing phishing campaigns
that leverage trusted sites and services is complete brand continuity
throughout every aspect of the campaign. Complete brand continuity brings with
it the power to confer near full stealth on malicious emails and hosted content
— a cloak of protection that fools both end users and the layers of
security software that protect them.

To achieve full or nearly complete stealth, campaigns must
ensure that

  • the link is trusted
  • branding is consistent between embedded links
    and the rest of the email body
  • embedded links are appropriate, matching the
    email’s purpose as well as its form
  • malicious emails are delivered through a
    recognized and trusted brand or service
  • malicious content (including malware, if
    possible) is hosted partially or entirely on a trusted, branded service
  • hosted content itself preserves brand continuity

Complete brand continuity offers a number of other potential
advantages for malware campaigns beyond full stealth, though:

  • malicious content enjoys free hosting
  • malicious emails land in user inboxes via free
    email delivery
  • malicious files can sit behind a login-protected
    wall of obscurity

In short, the gold standard for bad guys looking to move
beyond spoofed fakes is complete alignment between the social engineering
schemes used to hook unwitting users on the one hand and the exploited site or
service on the other.

Realizing such an alignment is easier said than done. In
what follows we’ll take a look at the efforts of bad guys to achieve full
stealth — and the numerous ways they can fail along the way. And we shall do
so with the help of customers who have shared with us real phishing emails
reported to them by employees using the Phish Alert Button (PAB).

Brand Mishaps

Bad guys looking to host malicious content on trusted sites
and services have a number of options. Dropbox, for example, is becoming an
increasingly popular choice. But while many users will be familiar and
comfortable with emailed links pointing to Dropbox, unless placed in the right
context a Dropbox link will usually not be enough to pull off a convincingly
“true fake.”

Consider this DHL-themed phish, which uses a professionally
designed, spoofed email to hook users:

As with the previous Dropbox email we looked at, minor
formatting discrepancies plague this attempt to spoof DHL. The biggest problem,
though, is the use of Dropbox to host the initial malicious content that users
will be hitting, for a Dropbox link in a DHL email sticks out like a sore
thumb.

The bad guys attempt to recover brand continuity in the
document hosted on Dropbox

but it falls flat once users click this second link and
find themselves yet again at the same free web host as the previous email:

where we once again see that strange use of Adobe PDF logos
amidst branding elements that oddly neglect to include DHL’s trademark yellow.

Casual Stealth

Sometimes malicious actors hoping to lull users into a false
sense of security opt to sidestep the branding issues altogether in the initial
phishing email:

SurveyGizmo, along with similar DIY survey sites, is another
increasingly popular option for bad guys looking to draw users onto a
recognized, trusted site where the bad guys can host malicious content.

The ruse falls apart on the landing page at SurveyGizmo,
though, where we encounter the introduction of not one but two new brands
(Office and OneDrive) along with sloppy use of hyphenation and capitalization:

Some malicious groups have yet to learn what we shall dub
the “Goldilocks principle” of branding in phishing emails: not too
much, not too little. To be truly convincing, the branding has to be just
right.

Functional Stealth

Bad guys willing to apply a bit of discipline and hire the
right talent to craft their phishing campaigns can achieve impressive, though
still imperfect results.

Although there are still formatting issues in this spoofed
Dropbox phish, the brand consistency from the initial email through to the
landing page is several cuts above either of the previous Dropbox phishes we
looked at. Not only does this phish spoof the From: line and hew true to the minimalist arrangement of elements
of real Dropbox emails, it takes care to set up user expectations with respect
to the file name they will be asked to download (6 pending documents).

And the landing page is, as it should be, on Dropbox, though
some architect seems to have taken offense that the bad guys — perhaps in a
fit of overconfidence — have attempted to push a ragingly malicious,
full-blown executable on unsuspecting users.

That is one potential downside to using Dropbox for
malicious files — users can blow the game in the Comments section.

Another group of bad guys achieved similar results with this
OneDrive-themed phish, which leads off with another professionally crafted, yet
still fake, email:

While the link takes users to SharePoint, one suspects most
users won’t be too bothered by that discrepancy given that both are Microsoft
services often used in conjunction by many organizations.

Brand consistency is maintained, for the most part, all the
way through to the slickly designed final landing page, which attempts to
distract users from the wildly inappropriate URL with still more prominent and
visually polished OneDrive branding elements.

Inexplicably, though, the page offers the familiar, tell-tale
assortment of login options — a feature almost completely unique to bad-guy
web sites.

Near Stealth

To go full stealth requires that malicious actors exercise
discipline in accepting and working creatively within the limits of the trusted
service they are exploiting.

To execute this phish, the bad guys elect not only to host
some of their malicious content on Dropbox, but to exploit the messaging
capabilities of that service by delivering the social engineering hook through
an actual Dropbox email:

On the landing page we see that bad-guy love for Adobe PDF
logos seems irrepressible, though the Comments section to the right gives
plenty of evidence that more than a few users remain entirely undisturbed,
happily offering up their email addresses along with entreaties to the bad guys
to email the malicious file directly to them.

As is so often the case, the problem is that users must be
taken outside of Dropbox in order to be presented with the endgame: a credentials
phish. As we have seen in previous cases, brand consistency can take a hit, as
it does with this spoofed Microsoft login page hosted on a rogue .TK domain.

Will users pause to wonder why they were taken to a
Dropbox-hosted PDF file only to be shuffled off to a Microsoft login page?

The malicious actors behind this WeTransfer-based phish
encounter a similar difficulty. Starting off with a real WeTransfer email

that takes users to a PDF file hosted on WeTransfer

the bad guys smartly elect to bridge the transition to an
outside site with WeTransfer branding in the PDF to preserve the ruse:

Despite the lame attempt to shovel a faux WeTransfer URL
into the address bar, this final stop along the way to a credentials phish may
be a bridge too far for some users for many of the same reasons we’ve explored
in previous examples.

Still, the bad guys behind this phish did manage to keep the
ball in the air through several hops.

Full Stealth: The El Dorado of Brand-Based Phishing

If you’ve made it this far you have undoubtedly noted that
many of our example phishes for this piece involve file sharing sites of one
sort or another (Dropbox, OneDrive, SharePoint, WeTransfer). That’s no
accident. At present file transfer sites offer a number of tools helpful to bad
guys trying to confer stealth status on their phishing campaigns.

In addition to offering trusted brand names and services
familiar to millions of corporate email users, they provide cheap or even free
file hosting as well as email delivery and, in some cases, login protection to
keep pesky link scanners at bay.

What malicious actors really need, though, is a complete
phishing platform that would ideally let them execute malicious content in
addition to hosting and promoting. Good analytics would, of course, be a
welcome bonus. For now, though, file sharing sites will do.

As the big players on the internet build out their platforms
(Google, Facebook, Microsoft, Apple, etc.) to offer users a more complete range
of services, many of them involving content uploaded and published by users and
organizations, malicious actors will be looking to convert those increasingly
powerful service offerings into true phishing platforms.

If you’re currently working in the IT trenches, you have
more than enough to worry about as it is, even with the limitations of the
current range of online services, many of them implicitly trusted by users
throughout your organization from the lowliest receptionist or intern to
C-suite executives who still haven’t figured out that real bad guys are
actually targeting them through brands they know and love.

As we saw in all the examples discussed above, the bad guys
still manage to leave plenty of telltale clues of their malicious intent even
when cleverly exploiting remarkably functional file sharing services. But your
users have to be trained to look for those clues. Without the right training,
they remain your biggest vulnerability (and the bad guys’ greatest opportunity).

With the bad guys turning to increasingly powerful online
tools to cloak their malicious emails behind the trusted veneer of familiar
online services, it is imperative to step your employees through New-school
Security Awareness Training and follow up with regular simulated phishing
campaigns to test their mettle against simulated phishes modeled on actual
malicious emails in use today by the bad guys. Short of that, you could very
well find your users hanging out in the Comments section for a malicious
Dropbox file blithely inviting hardened criminals to send them more malware.
