Brad Curtis | June 26, 2012
It sounds like a broken record; time and time again you have to read about phishing attempts, blah, blah, blah. You may even by now be a self-proclaimed expert at spotting these emails because you’ve seen them in your home email, work email, and your designated junk mail accounts. The fact is though, that until recently, these emails were incredibly easy to spot because they were so poorly written or obviously incorrect. Now, we are starting to see well-written, well thought-out attempts. They are still not quite there, but it won’t be long before these emails will no longer be easily identified.
At work the other day, an employee who receives FedEx® shipping notifications maybe once or twice a year had one pop into her inbox. She’s had it driven into her head via security awareness training to be critical of emails she is not expecting or familiar with. We have sent around countless Security Tips covering all the types (and examples) of phishing attempts. Since she only sees FedEx notifications occasionally, she didn’t think much of it until she decided to take a closer look. She hovered over the first link and it pointed to FedEx.com. It looked good. She opened a browser, manually went to FedEx.com, and typed in the tracking number provided. Incredibly, it was actually associated with a real shipment that had been delivered. Usually when you type in the tracking numbers from these phishing emails, they are not even valid (e.g., the wrong number of characters, invalid characters, letters instead of numbers, etc.), but this one worked. She immediately noticed it was a shipment to Toronto, Canada, which didn’t seem to make much sense. After checking our FedEx log she quickly confirmed what she had suspected: we hadn’t shipped anything to Toronto. Her curiosity turned to the next link, which claimed to be the invoice for the shipment, but when she hovered over it, it actually pointed to a .zip file hosted on a children’s website. She immediately reported the email to our security team and deleted it from both her inbox and her deleted items folder.
Further research showed the zip file contained a PIF file which, once extracted, contained two data files and a text file, all of which were encrypted. We made a second attempt to re-download the file to have a second copy for additional testing, but the hijacked website had already removed the file. This is great because the hosting provider was obviously paying attention to its traffic, or was notified there was a problem, and acted quickly to remediate the issue.
The following is an example of the FedEx email.
There are many indicators that give this away, but if you do not carefully read the email you may miss them:
- Misplacement of the colon (:) in the subject line
- The official FedEx subject line is “FedEx Shipment 000000000000 Delivered”, with the 0’s being the tracking number
- FedEx does not address e-mails as “dear client”
- The use of “tracking#” is spelled out in official FedEx notifications
- The tracking number itself looks like a USPO tracking number with the spaces (even though it worked)
- There’s no formatting or spaces. FedEx notifications are laid out neatly with a lot more information in a table format
- FedEx does not tell you to download your invoice
- FedEx does not use a copyright date in their notices
- The no-reply line is a nice touch, but FedEx has an entire paragraph about this in their notification
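The indicators above can be turned into an automated triage check. This is an added example, not code from the original post; the message below is a constructed sample modelled on the listed indicators, and the `LinkExtractor` class and `score_notification` function are my own names. It scores the subject line and body wording, then automates the “hover over the link” step by flagging any link whose host is outside the expected domain or whose path ends in an archive or executable extension.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the indicators listed above; not the real email.
SAMPLE_SUBJECT = "FedEx: Shipment 1234 5678 9012 Delivered"
SAMPLE_BODY = """<p>Dear client,</p>
<p>Your package, tracking# 1234 5678 9012, has been delivered.</p>
<p><a href="http://www.fedex.com/Tracking?tracknumbers=123456789012">www.fedex.com</a></p>
<p><a href="http://kids-crafts.example/files/FedEx_Invoice.zip">Download your invoice</a></p>
<p>Copyright 2012 FedEx. This is a no-reply address.</p>"""
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".pif", ".exe", ".scr")
class LinkExtractor(HTMLParser):
    # Collects (href, visible text) pairs so the "hover over the link" check can be automated.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def score_notification(subject, html_body, expected_domain="fedex.com"):
    """Return the indicators that fired for a FedEx-style notification (empty list = none)."""
    hits = []
    if not re.fullmatch(r"FedEx Shipment \d{12} Delivered", subject):
        hits.append("subject is not of the form 'FedEx Shipment <12 digits> Delivered'")
    for pattern, label in ((r"dear client", "generic 'dear client' greeting"),
                           (r"tracking#", "'tracking#' abbreviation"),
                           (r"\d{4} \d{4} \d{4}", "tracking number written with spaces"),
                           (r"download your invoice", "asks you to download an invoice"),
                           (r"copyright\s+\d{4}", "copyright date in the notice")):
        if re.search(pattern, html_body, re.I):
            hits.append(label)
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if not (host == expected_domain or host.endswith("." + expected_domain)):
            hits.append(f"link '{text}' leaves {expected_domain}: {host}")
        if url.path.lower().endswith(ARCHIVE_EXTS):
            hits.append(f"link '{text}' fetches an archive or executable: {url.path.rsplit('/', 1)[-1]}")
    return hits
```

Run against the sample, the first link passes (it really does point at fedex.com, exactly as in the email described above) while the second fires on both the foreign host and the .zip download, which is the link a hurried user would click.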
So while I identified many issues with this email, if a user is in a hurry and does not typically see these notifications, they could easily click the second bad link without thinking twice about it. These attempts are getting better, especially when they first direct the user to an official site.
It won’t be long before you won’t be able to tell the difference between a phishing attempt and an official email. Systems and/or security departments should keep informing coworkers of these types of emails. The more users see real examples and are informed, the less they will be apt to click “that” link. It takes much less time to research these emails and put together a simple Security Tip notification than it does to clean an infected machine, or worse, a piece of production equipment.
The goal of this malicious attack, as well as other similar attacks, is to entice the victim into opening the zip file, which silently and automatically installs malware on the victim’s computer.
Within the malware, a host (URL/domain) list is included as part of the malicious file’s payload. The malware uses this list to contact a Command and Control (C&C) server or malware distribution point while the victim is connected to the Internet. Once again, this happens behind the scenes and doesn’t typically affect the normal operation of the victim’s system, so it is unlikely the victim is aware of these events.
A key point to make here is the victim does NOT need to have a browser open; if connected to the Internet (e.g., always-on connection), the malware does its thing without further interaction from the victim.
Once a connection is established with an attacker-controlled C&C or malware distribution point, the malware starts sending the information it has gathered in stealth mode (e.g., personal info, user names and passwords for websites, form data, etc.) to the attacker-controlled system. These communications often occur over encrypted data streams implemented as part of the communication framework deployed by the attacker.
Often the attacker-controlled server provides a fresh list of domains, IP addresses and URLs for the malware to use in future communications (yes, malware authors are smart…they believe in redundant controls as well).
Some classifications of these types of malware are referred to as Advanced Persistent Threats (APTs). APTs are notorious for installing additional malware on a compromised system as new hosts are contacted. APTs can also lie dormant or be instructed to “sleep” for periods of time, making them incredibly difficult to detect and eradicate. Victims who have been infected for some time may have several pieces of malware on their systems. Anti-virus may catch some instances of malware from time to time, giving victims a false sense of security, as other infections may not (and likely won’t) be detected at the same time.
If all else fails, look into a robust log monitoring program that includes end-point devices as a second line of defense.