Adam Vincent, CEO, ThreatConnect
We’ve all heard the phishing attack stories that start with someone receiving an email that requests an urgent invoice review or password change and ends with a data breach where personal information is compromised, and money is lost. Although many of us may roll our eyes at the possibility of falling for such an obvious scam, we must acknowledge that if those tricks didn’t work, malicious actors wouldn’t keep trying.
Sometimes, previously established filters and phishing mailboxes aren’t enough. Vulnerabilities can still exist. At times, the content of an email can be troublesome. If a message asking for a money-wire transfer comes through looking urgent and legitimate enough, an unsuspecting employee might just take a requested action out of fear of repercussion. If an attachment looks innocent or a link seems harmless, it’s inevitable that someone might succumb. PhishMe reports that over 90 percent of data breaches can be traced back to phishing emails.
Phishing is often the initial step of a larger attack. Advanced persistent threat (APT) activity often leverages phishing emails as an initial intrusion method. Phishing provides actors with the ability to target specific individuals or organisations unlike other methods such as strategic web compromises. Even as organisations put their defences up against these attackers, the tactics continue to advance.
Another common tactic is to spoof URLs so that they appear similar to those of a legitimate organisation. This makes a link look trustworthy at first glance. For example, a full URL might be http://threatconnect.com.badguys[.]com, but unless the recipient looked closely and noticed that the registered domain was actually badguys[.]com, they might be fooled. Another domain spoofing technique involves registering domains with missing characters or subtle spelling errors, such as www.threatcomect[.]com, which replaces two “n” characters with one “m” character. At a glance, the domain looks like it might be the legitimate ThreatConnect website, but upon closer examination it is clear that the characters aren’t quite right. This is a technique commonly used by many APTs, including Fancy Bear, Deep Panda, and APT10.
Our ThreatConnect Research Team identified that Fancy Bear was most likely the threat actor responsible for the World Anti-Doping Agency (WADA) phishing incident, which used this spoofing technique as well. Fancy Bear used domains such as wada-arna[.]org that were slightly misspelled in comparison to WADA’s legitimate wada-ama[.]org. The phishing emails linking to these domains were likely used in an attempt to harvest recipients’ credentials. By leveraging ThreatConnect and DomainTools, our team was able to identify an additional domain registered by the same individuals — tas-cass[.]org — that spoofs a domain for the Court of Arbitration for Sport, an organisation that works closely with WADA. Taking a deeper look into spoofing and being on the lookout for domains spoofing your organisation can help your team prevent and mitigate similar incidents in the future.
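The two spoofing patterns described above (a real domain name buried in someone else’s subdomain, and a typosquat that drops or swaps a character) can be flagged mechanically before a recipient has to eyeball them. The following Python script is an added illustration, not code from ThreatConnect or from the article: it pulls URLs out of an email body, works out each link’s registered domain, and classifies it against a list of domains you want to protect. The `PROTECTED_DOMAINS` list, the sample email body, and the edit-distance threshold of 2 are all constructed assumptions; the “last two labels” rule in `registered_domain()` is a deliberate simplification and a production deployment should consult the Public Suffix List instead.

```python
"""Flag look-alike domains in email links (added example, not the article's code).

Detects the two patterns the article describes:
  * subdomain spoof: threatconnect.com.badguys[.]com  (real name as a prefix label)
  * typosquat:       threatcomect[.]com, wada-arna[.]org (small edit distance)
"""
from __future__ import annotations
import re
from urllib.parse import urlparse

# Hypothetical allow-list of domains you want to protect (assumption).
PROTECTED_DOMAINS = ["threatconnect.com", "wada-ama.org"]

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo common defanging ([.] and hxxp) so indicators parse as real URLs."""
    text = text.replace("[.]", ".")
    return re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)


def extract_urls(text: str) -> list[str]:
    """Return every http(s) URL in the text, trailing punctuation stripped."""
    return [m.group(0).rstrip(".,;)") for m in URL_RE.finditer(refang(text))]


def hostname(url: str) -> str:
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def registered_domain(host: str) -> str:
    """Naive rule: the last two DNS labels. Assumption for the example only;
    real code should use the Public Suffix List (e.g. example.co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, protected=PROTECTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'legitimate', 'subdomain-spoof', 'typosquat' or 'other'."""
    reg = registered_domain(host)
    if reg in protected:
        return "legitimate"
    for p in protected:
        # The protected name appears as a label sequence inside another domain.
        if host.startswith(p + ".") or ("." + p + ".") in host:
            return "subdomain-spoof"
    for p in protected:
        reg_sld, p_sld = reg.split(".")[0], p.split(".")[0]
        if reg_sld != p_sld and levenshtein(reg_sld, p_sld) <= max_distance:
            return "typosquat"
    return "other"


def scan_email(text: str, protected=PROTECTED_DOMAINS) -> list[tuple[str, str, str]]:
    """(url, hostname, verdict) for every link in the email body."""
    return [(u, hostname(u), classify_host(hostname(u), protected)) for u in extract_urls(text)]


# Constructed sample email body (not a real message) mixing spoofed and genuine links.
SAMPLE_EMAIL = """Subject: URGENT invoice review
Please confirm the wire today: http://threatconnect.com.badguys[.]com/invoice
Your password expires, reset here: hxxps://www.threatcomect[.]com/login
Reference material: https://www.threatconnect.com/resources
Unrelated link: https://example.com/
"""

if __name__ == "__main__":
    for url, host, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:16} {host:32} {url}")
```

The verdict order matters: a link is only a “typosquat” if it is neither your own domain nor your name smuggled into a subdomain, and the edit-distance check compares second-level labels only, so `badguys.com` is not mistaken for a typo of `threatconnect.com`. Any link scored `subdomain-spoof` or `typosquat` is a candidate for quarantine and for enrichment against your threat intelligence platform.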
When it comes to phishing, early detection and speedy incident response are imperative to prevent data breaches. Early detection also makes it possible to establish filters so the offending email can’t reach its intended recipients, and phishing mailboxes that ingest the email into ThreatConnect for knowledge management, investigation, and research. By proactively establishing these security measures, security teams can deter or monitor some of the threats that use these techniques.
However, email filters and phishing mailboxes aren’t foolproof, and if malicious emails get through those defences, recipients may have their guard down. Attackers are experts at creating phishing pages. In researching Fancy Bear activity targeting the DNC and the citizen journalism organisation Bellingcat, ThreatConnect researchers identified the use of Google-spoofing phishing emails and credential harvesting pages. Incidents where the malicious actor attempts to harvest target credentials emphasise the importance of multi-factor authentication (MFA). In the worst-case scenario, where a credential harvesting campaign successfully compromises an individual’s credentials, MFA limits the malicious actor’s ability to log in to the given account.
It isn’t just large organisations that attackers go after. Small and medium-sized companies aren’t safe just because they have a smaller revenue stream. Since phishing attacks are relatively easy to launch, it’s recommended that even the smallest teams be on the lookout for suspicious emails. When it comes to prevention and mitigation, one of the strongest defences any organisation can enable is automation. Establish a system that can evaluate and flag potential threats as they come in, and your security team will have the time to craft an effective response to the most pertinent threats.
Phishing attacks could be considered a “classic” example of cybercrime as we approach an era where we’re inundated with online danger. Although there is no one-size-fits-all solution to preventing and mitigating phishing, security teams can save themselves time and stress by leveraging threat intelligence and establishing stronger filters. Teach your team to check URLs by hovering over them before clicking, and to always check with management before opening suspicious attachments. Spending that extra minute looking over any email you’re just not sure about, and training employees to know what to look for when scrutinising messages, could save your company a lot of time, energy, and money.