Alert: Error Messages, Double Click and RSS App Help Trick Security Solutions
In the past couple of weeks, BitDam ATP detected some interesting phishing attempts that combine several tactics to make them harder for security solutions to detect and block, and to defeat phishing awareness training. As you can imagine, it works: the leading email security vendors fail to detect these attacks.
An example from the wild
Here is an example of a specific attack that I found particularly interesting:
The original email contains a calendar invitation which looks completely legitimate. The sender nickname (display name) was set to whatever the threat actor wanted, as can be seen from the EML headers:
This means that the attackers had full control over the email server. Digging in a bit more, it seems like they created the designated email domain, wildwestdomains.com, for this purpose:
In fact, the domain was created only 3 days before the attack was sent out, as you can see in the following image.
Clicking the email attachment (in this particular attack it was a calendar invitation), the user gets a fake error message.
Clicking “Retry”, the user is transferred to a website that is local on the filesystem or in an iframe, as you can see in the domain blob on this screenshot:
The local website shows another error message and requests a password. Once the password is entered it is sent to an RSS application and stored there.
From this point, the attackers hold the user's credentials, and you can be assured they will take full advantage of that.
Now, what did we have here?
So why is it so interesting? None of the elements used in this attack is new by itself, nor very sophisticated. However, using all of them in one properly orchestrated attack makes it almost undetectable by email security solutions. Here are the highlights of the tactics used in this attack:
- Brand new email domain – solutions that base their detection on statistical models and reputation tend to trust new email domains as they don’t have any bad reputation yet. Attackers know that and use new email domains to reduce suspicion.
- Fake error message – Clicking the link in the message leads to a fake webpage that looks like a Microsoft error message. Security solutions are trained to suspect webpages that ask for credentials when looking for phishing threats. Pages that look like error messages are likely to pass below their radar because they don’t look like a phishing attempt.
- Requiring a second click – The webpage that asks users for their password is hidden behind another link. The user reaches it only after clicking the error message on the first webpage, which makes it more difficult for email security solutions to detect that this is a phishing scam (it needs to follow two clicks instead of just one).
- Local webpage – The attackers use a local webpage which, again, looks less suspicious from an email security solution's perspective. Another obstacle to detecting it as a phishing attack.
- Using RSS – For collecting the passwords, the attackers use an RSS application which makes it look even more legit, helping to bypass email defenses.
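The first three tactics above (brand-new sender domain, a spoofed display name, and a calendar invitation that carries the link the user must click) all leave traces in the message itself that a mail gateway can score before any URL is followed. The following triage script is an added example written for this post; it is not BitDam's code and not part of the attack it describes. It parses a constructed .eml sample, checks the sender domain's age against a constructed registration-date table (in production this would come from a WHOIS/RDAP lookup, which is assumed here), flags a display name that embeds a different email address than the real sender, and extracts the URLs embedded in any text/calendar attachment so they can be sent for deeper analysis. All domains, dates, and thresholds are constructed for the example.

```python
"""Mail-header and calendar-attachment triage for the tactics described above.
Added example: not BitDam's code. Domains, dates and thresholds are constructed."""
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed registration dates standing in for a WHOIS/RDAP lookup (assumption).
DOMAIN_CREATED = {
    "newly-registered.example": datetime(2019, 10, 1, tzinfo=timezone.utc),
    "established-corp.example": datetime(2005, 3, 12, tzinfo=timezone.utc),
}
NEW_DOMAIN_DAYS = 30  # registrations younger than this get a finding (tunable)
URL_RE = re.compile(r"\b(?:https?|file)://[^\s\"'<>]+", re.IGNORECASE)
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")

# Constructed sample message: spoofed display name, young sender domain,
# and an .ics invitation whose description points at a local HTML page.
SAMPLE_EML = """\
From: "it-support@established-corp.example" <invite@newly-registered.example>
To: victim@established-corp.example
Date: Fri, 04 Oct 2019 09:15:00 +0000
Subject: Updated: Quarterly review
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invitation.
--b1
Content-Type: text/calendar; name="invite.ics"
Content-Disposition: attachment; filename="invite.ics"

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Quarterly review
DESCRIPTION:Open the agenda: file:///C:/Users/Public/agenda.html
URL:https://newly-registered.example/retry
END:VEVENT
END:VCALENDAR
--b1--
"""


def sender_parts(msg):
    """Return (display_name, address, domain) from the From header."""
    name, addr = parseaddr(msg.get("From", ""))
    return name, addr, addr.rpartition("@")[2].lower()


def domain_age_days(domain, received_at, lookup=DOMAIN_CREATED):
    """Days between registration and the message date; None if the domain is unknown."""
    created = lookup.get(domain)
    return None if created is None else (received_at - created).days


def calendar_urls(msg):
    """URLs embedded in text/calendar parts (the invitation the user will click)."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            urls.extend(URL_RE.findall(body))
    return urls


def triage(raw_eml, lookup=DOMAIN_CREATED):
    """Return a list of (tag, detail) findings for one raw message."""
    msg = message_from_string(raw_eml)
    findings = []
    name, addr, domain = sender_parts(msg)
    received_at = parsedate_to_datetime(msg["Date"])

    age = domain_age_days(domain, received_at, lookup)
    if age is not None and age < NEW_DOMAIN_DAYS:
        findings.append(("new-sender-domain", f"{domain} registered {age} days before message"))

    # Display name that carries an address from a different domain than the real sender.
    shown = ADDR_RE.search(name)
    if shown and shown.group().rpartition("@")[2].lower() != domain:
        findings.append(("display-name-spoof", f"shows {shown.group()}, actually {addr}"))

    urls = calendar_urls(msg)
    if urls:
        findings.append(("calendar-links", f"{len(urls)} URL(s) in invitation"))
    findings.extend(("local-page-link", u) for u in urls if u.lower().startswith("file://"))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_EML):
        print(f"{tag}: {detail}")
```

Each finding is a weak signal on its own, which is exactly the point of the post: a gateway that only scores the final credential page never sees it because of the extra click, so the message-level signals have to be combined. Note that iCalendar folds long lines at 75 octets, so a real parser should unfold lines (join a line that starts with a space or tab to the previous one) before running the URL regex; the constructed sample keeps each URL on one line.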
Based on BitDam’s observations within its customer base worldwide, many security solutions failed to detect this specific attack as well as similar phishing threats that use a combination of these techniques. These attacks remained undetected by other security products for many hours, while BitDam blocked it at first encounter.
Curious whether this threat and newer attacks bypass your email security? You're welcome to register for BitDam Lucky Meter, the next-generation Breach and Attack Simulation which sends you the freshest attacks from the wild, or to access our malware feed.