Cybersecurity Experts Have Faced a "Game-Changing" Phishing Scheme

A recent cyberattack was dubbed "game-changing", wording you do not see every day. What made this particular phishing attack so notable?

The attack was detailed and analyzed by security researcher Craig Hays in a Medium article. It started with the kind of phishing alert that security teams receive from customers every day. Within minutes of the first report, however, while the initial investigation was still under way, more alarms went off as a growing number of email accounts in the same organization showed up as compromised.

The hijacked accounts were sending out unusually large volumes of outgoing mail, which is what tripped the alerting. They were being accessed from unusual locations all over the world and were sending far more email than normal. What puzzled the security team was that there was no clear initial attack vector: none of the usual warning signs of a successful phishing attempt were present, no incoming mail from unknown addresses, nothing.

The Danger of Familiarity

It turned out that the phishing emails did not originate from suspicious or unknown addresses at all. They were sent as replies to genuine, legitimate email threads, so the malicious phishing links arrived inside mail that appeared to come from known, trusted correspondents.

The mechanism behind the attack involved a sophisticated bot. Once a user in the targeted organization had their credentials stolen, the bot received the login details, signed in to the compromised account and sifted through the mail that had arrived over the past few days. Every unique email thread it found received a reply containing links to the phishing portal set up by the criminals. Notably, the wording was generic enough that a request to open the attached fake document never looked strange or out of place in the context of the conversation.

This means that the phishing message sent by the bot carried the compromised user's real address, the thread's original subject line and the full history of past communication, making it far more believable on the surface than any phishing attempt sent from an unknown address, which immediately raises suspicion even among inexperienced users.

A Worm-Like Phishing Malware

The bot behaved like a worm, propagating across the company's email network by scanning inboxes and sending its convincing phishing bait, and this mode of propagation made the threat particularly difficult to contain. Eventually a pattern was found in the malicious URLs, and adding that pattern to an automatic filter was what finally curbed the spread of the worm-like phishing bot.

Another important point the report highlights is that the bot was a bit too eager for its own good. Had it not generated such unusually large volumes of outgoing mail and tripped the alarms, it could have gone unnoticed for much longer and caused far more damage.
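The signals that gave the bot away (outbound volume far above an account's norm, logins from several countries in a short span, and bursts of replies to many distinct threads that all carry the same lure URL pattern) can be turned into simple detection rules. The following is an added example written for this article, not code from the original page or from Craig Hays' write-up. The accounts, timestamps and domains are constructed, and the lure URL regex is a placeholder assumption, not the real pattern found in the incident.

```python
"""Heuristics for spotting a reply-chain phishing worm in mail telemetry.

Added example; accounts, events and the lure URL pattern are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str                   # "login" or "outbound"
    country: Optional[str]      # set for logins
    in_reply_to: Optional[str]  # thread id when the message is a reply
    url: Optional[str]          # first URL in the body, if any


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed telemetry. alice is normal, bob is compromised, carol is a busy sender.
EVENTS = [
    Event(_t("2020-09-28T08:00:00"), "alice@corp.example", "login", "GB", None, None),
    Event(_t("2020-09-28T09:10:00"), "alice@corp.example", "outbound", None, "thr-a1", None),
    Event(_t("2020-09-28T11:30:00"), "alice@corp.example", "outbound", None, "thr-a2",
          "https://intranet.corp.example/wiki"),
    Event(_t("2020-09-28T15:05:00"), "alice@corp.example", "outbound", None, "thr-a3", None),
    Event(_t("2020-09-28T08:00:00"), "bob@corp.example", "login", "GB", None, None),
    Event(_t("2020-09-28T08:40:00"), "bob@corp.example", "login", "BR", None, None),
]
# The worm replies to every recent thread in bob's inbox with the same lure.
EVENTS += [Event(_t("2020-09-28T08:45:00") + timedelta(seconds=50 * i), "bob@corp.example",
                 "outbound", None, f"thr-b{i}", f"https://docs-share.example/view?id={i:08x}")
           for i in range(12)]
# carol sends a lot, but as new threads and without the lure URL.
EVENTS += [Event(_t("2020-09-28T10:00:00") + timedelta(minutes=4 * i), "carol@corp.example",
                 "outbound", None, None, None) for i in range(12)]

# Constructed per-account baseline of outbound messages per hour.
BASELINE_PER_HOUR = {"alice@corp.example": 1.0, "bob@corp.example": 1.0, "carol@corp.example": 8.0}
# Placeholder for the URL pattern a team would extract from the observed lures.
LURE_URL = re.compile(r"https://docs-share\.example/view\?id=[0-9a-f]{8}")


def _by_account(events, kind):
    buckets = defaultdict(list)
    for e in events:
        if e.kind == kind:
            buckets[e.account].append(e)
    for lst in buckets.values():
        lst.sort(key=lambda e: e.ts)
    return buckets


def volume_spike(events, window=timedelta(hours=1), factor=5.0, floor=10):
    """Accounts whose outbound count in any sliding window exceeds max(floor, factor*baseline)."""
    flagged = set()
    for acct, lst in _by_account(events, "outbound").items():
        limit = max(floor, factor * BASELINE_PER_HOUR.get(acct, 1.0) * (window / timedelta(hours=1)))
        j = 0
        for i in range(len(lst)):
            while j < len(lst) and lst[j].ts - lst[i].ts <= window:
                j += 1
            if j - i >= limit:
                flagged.add(acct)
                break
    return flagged


def multi_country_logins(events, window=timedelta(hours=1)):
    """Accounts with logins from two different countries inside one window."""
    flagged = set()
    for acct, lst in _by_account(events, "login").items():
        for i in range(len(lst)):
            for e in lst[i + 1:]:
                if e.ts - lst[i].ts > window:
                    break
                if e.country != lst[i].country:
                    flagged.add(acct)
    return flagged


def reply_fanout(events, window=timedelta(minutes=30), min_threads=5, pattern=LURE_URL):
    """Accounts replying to many distinct threads in one window, each reply carrying a lure URL."""
    flagged = set()
    for acct, lst in _by_account(events, "outbound").items():
        lures = [e for e in lst if e.in_reply_to and e.url and pattern.search(e.url)]
        for i in range(len(lures)):
            threads = {e.in_reply_to for e in lures[i:] if e.ts - lures[i].ts <= window}
            if len(threads) >= min_threads:
                flagged.add(acct)
                break
    return flagged


def suspected_compromise(events, min_rules=2):
    """Accounts hit by at least min_rules of the three heuristics."""
    hits = defaultdict(int)
    for rule in (volume_spike, multi_country_logins, reply_fanout):
        for acct in rule(events):
            hits[acct] += 1
    return {a for a, n in hits.items() if n >= min_rules}


if __name__ == "__main__":
    for rule in (volume_spike, multi_country_logins, reply_fanout, suspected_compromise):
        print(f"{rule.__name__:22s}", sorted(rule(EVENTS)))
```

With this input only bob trips all three rules; carol's twelve messages stay under her per-account baseline, which is why the volume rule is scaled to the account rather than a flat threshold. The reply fan-out rule is the one that matches the article's eventual fix: once the lure URL pattern was known, filtering on it is what stopped the spread, and counting distinct threads rather than raw messages keeps a legitimate bulk reply from looking like a worm.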

The final vital takeaway from this incident is that multi-factor authentication should be used wherever it is available, and made available as soon as possible wherever it is not yet an option. The bot depended on being able to sign in with nothing more than the stolen username and password; a second factor would have stopped it at the login step, before it ever read an inbox.

October 2, 2020
