(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Last week I ran across a very successful phishing campaign; what's odd is that in most ways it was nothing special. The attacker was using this more like a worm, where stolen credentials would be used within the hour to start sending out a mass amount of more phishes. I've decided to call this Dynamite Phishing because there is nothing quiet about this at all. It seems about 40% of the credentials were used for more mailings, and the other accounts' credentials had not been used.

The initial phishes came in from a K12 domain, from several affected individuals. The email subject was "You have an Incoming Document Share With You Via Google Docs". The contents of the email were base64 encoded; while that appears to be a common Content-Transfer-Encoding, it's not something I typically run into, especially when looking at phishes.

Here is what the document rendered as.

[image: the rendered document]

The link in the document went to hxxp://bit.ly/2kZJbW3, which redirected to hxxp://jamesrichardsquest.co.nf/lib


The landing page was set up as a generic Outlook Web Access 2013 login page.


Some of the headers had the client listed below. eM Client appears to be a pretty popular email client, but its User-Agent string may be something you can block on, depending on your environment.

user-agent: eM_Client/7.0.27943.0

While most organizations have good protections for email coming from external entities into their email environment, many don't apply the same protections intra-domain. The volume of email sent from the phished accounts to other internal accounts is what made this so successful.


Lessons Learned:

  • Two-factor authentication for email services.
  • Don't trust internal-to-internal email.
  • Rate limit or block emails with more than X recipients, inbound and outbound.
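As an added example (not part of this diary), here is a small Python triage script that applies the last two lessons and the header observation above to raw messages: it flags the eM_Client User-Agent string, messages over a recipient threshold, and a burst of internal-to-internal mail from one account within an hour. The thresholds, the school.example domain, the message dates and the sample messages themselves are all constructed assumptions.

```python
import email
from email.utils import getaddresses, parsedate_to_datetime
from collections import defaultdict

# Assumed policy values; the diary gives no thresholds, so tune them per environment.
BLOCKED_USER_AGENT_PREFIXES = ("eM_Client/",)  # client string seen in the diary's headers
MAX_RECIPIENTS = 25                            # the "X recipients" limit
BURST_COUNT = 3                                # messages from one internal sender ...
BURST_WINDOW_SECONDS = 3600                    # ... within the hour the diary mentions

def triage_messages(raw_messages, internal_domain):
    """Return {Message-ID: [reasons]} for messages (in send order) that fit the pattern."""
    findings, sent_times = {}, defaultdict(list)
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        sender = getaddresses([msg.get("From", "")])[0][1].lower()
        reasons = []
        if msg.get("User-Agent", "").startswith(BLOCKED_USER_AGENT_PREFIXES):
            reasons.append("blocked_user_agent")
        rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
        if len(rcpts) > MAX_RECIPIENTS:
            reasons.append("too_many_recipients")
        if sender.endswith("@" + internal_domain):  # internal-to-internal traffic
            now = parsedate_to_datetime(msg["Date"]).timestamp()
            sent_times[sender].append(now)
            recent = [t for t in sent_times[sender] if now - t <= BURST_WINDOW_SECONDS]
            if len(recent) >= BURST_COUNT:
                reasons.append("sender_burst")
        if reasons:
            findings[msg["Message-ID"]] = reasons
    return findings

def make_message(sender, recipients, user_agent, date, message_id):
    """Build a constructed raw message (sample data, not taken from the diary)."""
    return (f"From: {sender}\r\nTo: {', '.join(recipients)}\r\nUser-Agent: {user_agent}\r\n"
            f"Date: {date}\r\nMessage-ID: {message_id}\r\n"
            "Subject: You have an Incoming Document Share With You Via Google Docs\r\n\r\n-\r\n")

INTERNAL = "school.example"  # placeholder for the affected K12 domain
SAMPLE_MESSAGES = [  # one phished account mailing three times in 20 minutes, then a benign user
    make_message(f"phished@{INTERNAL}", [f"u{i}@{INTERNAL}" for i in range(30)],
                 "eM_Client/7.0.27943.0", "Mon, 13 Mar 2017 10:00:00 +0000", "<m1@x>"),
    make_message(f"phished@{INTERNAL}", [f"u{i}@{INTERNAL}" for i in range(5)],
                 "eM_Client/7.0.27943.0", "Mon, 13 Mar 2017 10:10:00 +0000", "<m2@x>"),
    make_message(f"phished@{INTERNAL}", [f"u{i}@{INTERNAL}" for i in range(5)],
                 "eM_Client/7.0.27943.0", "Mon, 13 Mar 2017 10:20:00 +0000", "<m3@x>"),
    make_message(f"alice@{INTERNAL}", [f"bob@{INTERNAL}"], "Thunderbird/45.0",
                 "Mon, 13 Mar 2017 10:25:00 +0000", "<m4@x>"),
]
```

Feed it messages in the order they were sent; the burst check only looks back over each sender's earlier timestamps.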




--

Tom Webb

@twsecblog
