Phishing hits a new level of quality

Security June 26, 2015 Matthias Maier

Hello community,

In recent weeks I’ve noticed that the quality of phishing e-mails I’m receiving (even to my personal account) have reached a new quality. They are getting better and better every day and even the latest spam filters let them through.

Why are they better?

Let’s look at one currently being sent out to many e-mail addresses that appears to be from DHL about tracking orders on the way to your house. For the German speaking market the quality is very good. Previously, end users have easily detected this kind of phishing attack as they contained spelling errors or bad translations form Google translate. Today they no longer include spelling errors and even the graphics and the branding of the e-mail look genuine.

Take a look on your own and see what you think!

Which one is the phishing e-mail?

Which one do you think is original and which one fake? The sender address in both e-mails is not DHL.

I can tell you – the left one with the OXID7 logo is a valid DHL e-mail – I ordered some doorstops from Amazon (I’ve just moved house).

The hyperlink in the DHL phishing email is the malicious content linking to a *.org page to start delivering malware for download.

What can you do?

We will see more and more of these advanced and targeted attacks in the future and you can’t prevent them completely. Even if you can prevent 95% with up to date technology, letting 5% through is still a threat.

So it’s more and more important that organizations have visibility and the ability to create awareness once they identify that a phishing attack has succeeded.

In this example an organization needs to have the capability to ask the following questions:

Which of my users has received a DHL delivery e-mail in the past?
When did the DHL campaign start?
Did someone click on the link within the DHL E-Mail? Or are my users well trained enough to not click on such a link e.g. hovering the mouse over the link first to validate the url is dhl.de?
Did my proxy block the file download or not if someone clicked the link?
Did the AV scanner from the endpoint block the malware if it was bypassed by the proxy and executed by the user?
Was there any unknown IP connection or change on the endpoint configuration after the download of the malware?
If the phishing website simulated a valid webpage (amazon, outlook web access etc.) – did the user try to logon/submit their credentials?
Can I identify a pattern to find out more users that have got similar attacks – for example using simple statistic: rarely accessed domains, first accessed domains for a user etc.

If organizations have the capability to get quickly answers to their questions they lower their risk and can respond with the right actions to prevent further damage.

Thanks for reading!

Matthias

Splunk Insights: Investigating the 3CXDesktopApp Supply Chain Compromise

In this Splunk blog post, we aim to equip defenders with the necessary tools and strategies to actively hunt down and counteract this campaign. Additionally, we will offer some resilient analytic ideas that can serve as a foundation for future threat detection and response efforts.