Not unlike any other threat analyst, Marc Laliberte sees his email inbox fill up minute by minute, some of it having made its way past the spam filter. The WatchGuard employee decided to finally act upon a certain phishing attempt in hopes of teaching the bad guys a lesson.
Spear phishing is a type of phishing attack in which the perpetrator customizes their attack to a particular individual or group of individuals. The attacker gathers information on the victim and then tailors the attack to be more likely to fool the target. The would-be attack arrived as an email to a WatchGuard finance employee, appearing to come from that employee’s manager and requesting an urgent wire transfer.
Thanks to proper security awareness training, the finance employee recognized that the email’s blatant disregard for the official chain of command and finance protocols was suspicious and alerted the proper personnel.
In most cases, companies don’t have the time or resources to follow the bread crumbs back to the perpetrator. But in this case Laliberte set out to learn as much as he could by playing along with the attacker. He responded to the first email and the attacker replied, asking “the finance employee” to contact them via text to a phone number the attacker claimed was the manager’s personal line.
The email’s source address was a seemingly random seven-digit number at gmail.com. The attacker didn’t try to spoof the message to make it appear to come from a WatchGuard account. Instead, the attacker relied on the message’s “From:” header to fool the target. Most mail clients use the “From:” header to display who a message came from, and often the client only shows a sender’s first and last name. In this phishing email, the “From:” header showed the WatchGuard manager’s first and last name, which might convince uninformed employees that the message really did come from that manager.
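The display-name trick described above is easy to check for on the receiving side: parse the "From:" header into its display name and address, then ask whether a display name that matches a known employee is paired with an address outside the company's domains. The following is an added example, not code from the article or from WatchGuard; the directory entries, the example.com domain and the gmail.com address are constructed placeholders.

```python
from email.utils import parseaddr

# Constructed sample directory of employees: normalized display name -> corporate address.
# These names and the example.com domain are hypothetical placeholders.
DIRECTORY = {
    "jane manager": "jane.manager@example.com",
}
INTERNAL_DOMAINS = {"example.com"}


def _normalize_name(name: str) -> str:
    """Collapse whitespace and case so 'Jane  Manager' and 'jane manager' compare equal."""
    return " ".join(name.split()).lower()


def check_from_header(from_header: str) -> dict:
    """Describe the relationship between a From: header's display name and its address.

    Returns a dict with the parsed parts plus two flags:
      external              - the address domain is not one of ours
      impersonates_employee - the display name matches a directory entry whose
                              real address differs from the one in the header
    """
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    known_addr = DIRECTORY.get(_normalize_name(display))
    return {
        "display_name": display,
        "address": addr,
        "domain": domain,
        "external": domain not in INTERNAL_DOMAINS,
        "impersonates_employee": known_addr is not None and known_addr.lower() != addr.lower(),
    }


if __name__ == "__main__":
    # Constructed header in the shape the article describes: an employee's name as the
    # display name, a random numeric mailbox at a webmail provider as the address.
    suspicious = '"Jane Manager" <4829103@gmail.com>'
    legitimate = '"Jane Manager" <jane.manager@example.com>'
    for header in (suspicious, legitimate):
        print(header, "->", check_from_header(header))
```

A mail gateway rule built on this check should treat `impersonates_employee` as a strong signal and `external` alone as a weak one, since plenty of legitimate mail arrives from outside domains with names that happen to collide with employees.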
Laliberte did some digging and found that the phone number provided by the attacker was registered as a landline through Level 3 Communications with an area code matching Jacksonville, Fla. He suspected that the attacker probably was never physically located in Jacksonville, instead, he likely used a forwarding service to send and receive text messages through this number. Attackers commonly leverage the global nature of internet and telephony services to hide the true location of their attacks.
Laliberte texted the attacker using a disposable phone number. A day later, the attacker replied and quickly got to the point, requesting an urgent fund transfer as payment for a shipment of WatchGuard Fireboxes arriving the following week. He kept the attacker on the hook by alluding that a money transfer was possible and asked for further details.
The attacker asked for a wire transfer of $20,000 to a man he claimed was in New York. Some quick research revealed that there were no fraud references related to the provided name. The attacker also sent account and routing numbers for the wire transfer itself. While providing bank account details adds legitimacy to transactions, it also increases the authorities’ ability to track payments in fraud investigations, making it risky for attackers to do. It appeared that the account details provided likely belonged to a compromised account that the attacker could quickly transfer money out of.
At this point, Laliberte had gathered all of the information the attacker would voluntarily share, but still had no clear picture of where he was located. However, the attacker did expect a wire transfer confirmation message. He hid the IP address of a honeypot server behind a URL shortener (the server’s access log entry is shown below) and sent the shortened link to the attacker disguised as a confirmation link.
184.108.40.206 - - [22/Apr/2016:22:25:06 +0000] "GET /verify HTTP/1.1" 404 194 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1"
When the attacker visited the link, it redirected him to the honeypot server, where Laliberte logged his source IP and browser User-Agent data. The attacker’s source IP was registered to Airtel Networks Limited, a mobile telco out of Nigeria. The User-Agent data told Laliberte that the attacker had connected to the honeypot using an iPhone running iOS 9.3.1. This confirmed the hypothesis that the attacker was using a forwarding service to receive text messages through the Jacksonville phone number.
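The honeypot log entry above is in the standard "combined" access log format, so the source IP and User-Agent the article draws its conclusions from can be pulled out mechanically. The following is an added example, not code from the article or from WatchGuard: it parses combined-format lines, keeps only hits on the bait path, and extracts the iOS version from the User-Agent. The log line from the article is used as the sample input; the second, benign line is constructed for contrast, and the `/verify` path is taken from the article's log entry.

```python
import re
from typing import Iterable, List, Optional

# Apache/nginx "combined" log format. Pattern written for this example; it is not
# taken from the article or from any specific server's configuration.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# iOS reports its version as "iPhone OS 9_3_1" inside the User-Agent string.
UA_IOS_RE = re.compile(r"iPhone OS (\d+)_(\d+)(?:_(\d+))?")

# Sample input: the first line is the honeypot entry printed in the article,
# the second is a constructed unrelated request used for contrast.
SAMPLE_LINES = [
    '184.108.40.206 - - [22/Apr/2016:22:25:06 +0000] "GET /verify HTTP/1.1" 404 194 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 '
    '(KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1"',
    '192.0.2.10 - - [22/Apr/2016:22:30:00 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" '
    '"Mozilla/5.0 (compatible; constructed-crawler/1.0)"',
]


def parse_hit(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None if it does not match the format."""
    match = LOG_RE.match(line)
    if not match:
        return None
    hit = match.groupdict()
    ua = hit["ua"]
    ios = UA_IOS_RE.search(ua)
    # Join only the version components that were present (9_3 vs 9_3_1).
    hit["ios_version"] = ".".join(p for p in ios.groups() if p) if ios else None
    hit["device"] = "iPhone" if "iPhone" in ua else "unknown"
    return hit


def honeypot_hits(lines: Iterable[str], bait_path: str = "/verify") -> List[dict]:
    """Return parsed hits on the bait path only, ignoring noise and unparseable lines."""
    parsed = (parse_hit(line) for line in lines)
    return [hit for hit in parsed if hit is not None and hit["path"] == bait_path]


if __name__ == "__main__":
    for hit in honeypot_hits(SAMPLE_LINES):
        print(hit["ts"], hit["ip"], hit["device"], hit["ios_version"])
```

Anything this function extracts is attacker-controlled input (the User-Agent in particular is trivially changeable), so the IP and device fields should be treated as leads to corroborate, as the article does by checking the IP's registration, rather than as proof on their own.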
Though the attacker was in Nigeria, he used a bank account (TD Bank) that required a permanent US address, meaning the account was either compromised or the attacker had an accomplice in the US (often called a mule) who could retrieve any transferred money. Laliberte contacted TD Bank to allow them to begin an investigation on attempted fraud by someone with access to the provided account.
This spear phishing attempt makes it clear just how big a problem these attacks are today. No spear phishing protection is perfect. Even with technological solutions like DMARC or S/MIME, phishing messages will still slip through and reach employees, Laliberte said. It is critical that IT professionals train their users on how to spot and report attempted phishing attacks. With the growth of spear phishing, organizations need to update their training programs to help employees learn how to spot these more convincing, targeted email scams.
This story, “How this analyst targeted a phisher” was originally published by CSO.