{"id":28035,"date":"2024-09-19T22:23:19","date_gmt":"2024-09-19T16:53:19","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/mass-phishing-with-spear-tricks\/28035\/"},"modified":"2024-09-19T22:23:23","modified_gmt":"2024-09-19T16:53:23","slug":"mass-phishing-with-spear-tricks","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/mass-phishing-with-spear-tricks\/28035\/","title":{"rendered":"Overcooking the phish"},"content":{"rendered":"<p>The trend of using <a href=\"https:\/\/securelist.com\/spear-phishing-meets-mass\/113125\/\" target=\"_blank\" rel=\"noopener\">spearphishing<\/a> techniques in mass emails continues to gain momentum. We recently came across a sample email in which attackers used a whole box of relatively sophisticated spearphishing tricks. Now, one might think that use of such tactics for a \u201cmere\u201d mass phishing attack would be somewhat OTT in terms of effort on the attackers\u2019 side; not so, as it transpired in this case: the attackers gave it a shot anyway (though detailed analysis reveals the attack was doomed from the start). In any case, it presented us with an excellent opportunity to take a dive into the techniques employed by phishers.<\/p>\n<h2>Email mimicking update of corporate guidelines<\/h2>\n<p>\nAlmost everything about the email is spot on. It\u2019s addressed to a specific individual within a specific organization, and uses ghost spoofing for the sender\u2019s name \u2014 that is, the \u201cFrom\u201d field displays a forgery of the legitimate address of the target company (which, of course, has no relation to the <a href=\"https:\/\/www.kaspersky.com\/blog\/from-reply-to-check\/51859\/\" target=\"_blank\" rel=\"noopener nofollow\">address in the \u201cReply To\u201d field<\/a>).<\/p>\n<p>The email is sent through the infrastructure of a reputable marketing company, raising no red flags with email filters. 
What\u2019s more, the name of this company and the top-level domain hosting its website are deliberately chosen to lull the recipient\u2019s vigilance \u2014 the website\u2019s based in Indonesia, and the victim may well perceive the \u201c.id\u201d domain as an abbreviation for \u201cidentifier\u201d rather than a country code. Alongside the spoofed address in the \u201cFrom\u201d field, it looks convincing enough:<\/p>\n<div id=\"attachment_52192\" style=\"width: 1608px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2024\/09\/19222212\/mass-phishing-with-spear-tricks-letter.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-52192\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2024\/09\/19222212\/mass-phishing-with-spear-tricks-letter.jpg\" alt=\"Email mimicking update of corporate guidelines\" width=\"1598\" height=\"662\" class=\"size-full wp-image-52192\"><\/a><p id=\"caption-attachment-52192\" class=\"wp-caption-text\">Email mimicking update of corporate guidelines.<\/p><\/div>\n<p>But that\u2019s not all. In the email body there\u2019s practically zero text \u2014 only a copyright line and an unsubscribe link (both of which, as it happens, are inserted by the mail engine of the legitimate company used to send the message). Everything else, including the recipient\u2019s name, is an image. This is to prevent anti-phishing mechanisms from applying text-based filtering rules.<\/p>\n<p>An attached PDF file is used instead of a direct phishing link for the same reason. Websites can easily be blacklisted and blocked at the mail-server level. A PDF file, on the other hand, appears as a completely legitimate attachment.<\/p>\n<h2>PDF attachment<\/h2>\n<p>\nIn actual fact, attackers have long been concealing links in PDF files. Thus, in theory, security software should be able to analyze a PDF \u2014 including any text and links within. 
But the creators of this phishing campaign were wise to that as well. Their PDF technically has no text or links in it whatsoever. Instead, it presents another image featuring a QR code and embedded accompanying text.<\/p>\n<div id=\"attachment_52193\" style=\"width: 1605px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2024\/09\/19222243\/mass-phishing-with-spear-tricks-pdf-2.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-52193\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2024\/09\/19222243\/mass-phishing-with-spear-tricks-pdf-2.jpg\" alt=\"Contents of the attached PDF file: the QR code contains a malicious link\" width=\"1595\" height=\"843\" class=\"size-full wp-image-52193\"><\/a><p id=\"caption-attachment-52193\" class=\"wp-caption-text\">Contents of the attached PDF file: the QR code contains a malicious link.<\/p><\/div>\n<p>In addition, the PDF mimics the interface of DocuSign, a well-known service used for electronic document management. DocuSign does indeed allow you to send documents for signing, and to track their status. But, of course, it has nothing to do with PDF files housing a QR code.<\/p>\n<p>At this point, it becomes painfully obvious that the attackers overcooked the attack. The victim receives what seems to be confidential corporate guidelines by email, but to read them they need to scan a QR code with a mobile phone\u2026 \u2014 not exactly realistic. Most employees won\u2019t bother \u2014 especially if they use their own (non-corporate) phone.\n<\/p>\n<h2>Epic fail: the phishing website<\/h2>\n<p>\nSo what happens if the victim does pull out their phone and scan the code? Well, for starters, they\u2019ll be greeted by Cloudflare\u2019s verification system and asked to prove they\u2019re human. 
Cloudflare is a legitimate service to guard against DDoS attacks, and cybercriminals like to put their phishing pages behind it to add plausibility.<\/p>\n<p>But after that it\u2019s a disaster. The website plays an animation of an envelope opening, then crashes with an error message.<\/p>\n<div id=\"attachment_52194\" style=\"width: 1214px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2024\/09\/19222310\/mass-phishing-with-spear-tricks-web.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-52194\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2024\/09\/19222310\/mass-phishing-with-spear-tricks-web.jpg\" alt=\"Phishing site that appears to have an overdue bill\" width=\"1204\" height=\"1294\" class=\"size-full wp-image-52194\"><\/a><p id=\"caption-attachment-52194\" class=\"wp-caption-text\">Phishing site that appears to have an overdue bill.<\/p><\/div>\n<p>It appears the attackers forgot to renew their subscription to the hosting services. 
Maybe the site had some more kooky tricks in store for the victim, but by the time the phishing emails were being pumped out, it was already defunct.<\/p>\n<h2>How to stay safe<\/h2>\n<p>\nTo protect company employees from phishing:\n<\/p>\n<ul>\n<li>Secure corporate email <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-server?icid=in_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksms___\" target=\"_blank\" rel=\"noopener nofollow\">at the mail-gateway level<\/a>.<\/li>\n<li>Use <a href=\"https:\/\/www.kaspersky.co.in\/small-to-medium-business-security?icid=in_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">local security solutions<\/a> with anti-phishing technologies on all work devices (including mobile ones).<\/li>\n<li>Inform employees of the latest phishing tricks (for example, by pointing them toward our posts regarding <a href=\"https:\/\/www.kaspersky.com\/blog\/tag\/signs-of-phishing\/\" target=\"_blank\" rel=\"noopener nofollow\">signs of phishing<\/a>).<\/li>\n<li>Hold regular <a href=\"https:\/\/k-asap.com\/en\/?icid=in_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">cybersecurity awareness training for staff<\/a>.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>This phishing campaign incorporates ghost spoofing, embedded text in images, a PDF file, a QR code, DocuSign imitation, and Cloudflare verification \u2014 yet it still completely misses the mark. 
<\/p>\n","protected":false},"author":2598,"featured_media":28037,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2036,2609],"tags":[19,76,3280],"class_list":{"0":"post-28035","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-email","10":"tag-phishing","11":"tag-signs-of-phishing"},"hreflang":[{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/mass-phishing-with-spear-tricks\/28035\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/mass-phishing-with-spear-tricks\/23303\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/mass-phishing-with-spear-tricks\/28192\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/mass-phishing-with-spear-tricks\/38259\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/mass-phishing-with-spear-tricks\/52191\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/mass-phishing-with-spear-tricks\/37221\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/mass-phishing-with-spear-tricks\/28301\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/mass-phishing-with-spear-tricks\/34123\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/mass-phishing-with-spear-tricks\/33778\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.in\/blog\/tag\/signs-of-phishing\/","name":"signs of 
phishing"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/28035","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/comments?post=28035"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/28035\/revisions"}],"predecessor-version":[{"id":28036,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/28035\/revisions\/28036"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media\/28037"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media?parent=28035"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/categories?post=28035"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/tags?post=28035"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}