Case Study: Upgrade Hoax

Feb 11, 2020 | Case Study

One of our users caught a plaintext phishing attempt, i.e. not a sophisticated HTML message complete with ripped-off logos. This is a quick analysis of that attempt, which is interesting for a couple of reasons.

  • The target company is a 10+ person local retailer using outsourced IT. Only two people actually use the company email, demonstrating the reach of phishing and that no one is too small for attackers’ attention.
  • The threat squeaked through an email filter. The nature of phishing is that even a minimal-effort attempt is tough to detect programmatically.
  • A severity level, a threat of withheld email, and a confidentiality statement create a sense of legitimacy and urgency. It takes all of two minutes to add these to an attack, yet they are quite effective.

This attempt hit the owner/operator of a local retailer. He recognized it as a phishing attempt because of the Enveloperty add-on and alerted us. We investigated the email in a Tails VM for safety and followed the phishing link, which had been redacted in the original email by policy. The link placeholder was quite enticing: it said “release messages”, with no mention of a payment or anything else, a very low-friction ask. The link led to a crude credential harvester. A suggestion of where they could take themselves was used as the password to see what the harvester would do. All it did was report invalid credentials; it didn’t redirect to a valid site or anything else, showing a distinct lack of effort. There are a number of cues in the Enveloperty add-on alerting the user to such threats.

  • The from address was not trusted for the destination dynamic address/persona combination, alerting the user that this isn’t even remotely coming from where it should.
  • The attacker used an address they owned. If they had attempted to spoof a more plausible from address, which is common, DMARC would’ve failed and the user would’ve been notified via a huge red square.
  • There is a specific address that this kind of message, such as an upgrade notice, should’ve come from, tagged with specific permissions. To avoid triggering an alert, the attacker would’ve needed to spoof that specific address.
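As an added illustration (not Enveloperty’s code, whose internals this post does not describe), here is a hypothetical per-persona sender trust check in Python that models the three cues above: the receiving MTA’s DMARC verdict, a trust table keyed by the persona address the message arrived at, and per-sender permissions for message kinds such as upgrade notices. The trust table, addresses and sample message are constructed for the example.

```python
# Added illustration, not Enveloperty's code: trust table, headers and message are constructed.
from email import message_from_string
from email.utils import parseaddr
import re

# Each persona (a dynamic address the user hands out) lists the senders allowed to
# reach it and the kinds of message each sender is permitted to send.
TRUST = {"billing-persona@example.com": {
    "notices@mailhost.example": {"upgrade", "quota"},
    "invoices@vendor.example": {"invoice"}}}
CATEGORY_HINTS = {"upgrade": ("upgrade", "release messages"), "quota": ("quota",), "invoice": ("invoice",)}

def classify(subject, body):
    """Crude keyword classifier: what kind of message does this claim to be?"""
    text = (subject + " " + body).lower()
    for category, hints in CATEGORY_HINTS.items():
        if any(h in text for h in hints):
            return category
    return "other"

def dmarc_result(msg):
    """Read the receiving MTA's dmarc= verdict from Authentication-Results."""
    m = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"

def evaluate(raw):
    """Return the alerts the add-on would raise for one message (empty list = quiet)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    persona = parseaddr(msg.get("To", ""))[1].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    category = classify(msg.get("Subject", ""), body)
    alerts = []
    if dmarc_result(msg) == "fail":
        alerts.append("DMARC_FAIL")  # spoofed From domain: the big red square
    allowed = TRUST.get(persona, {})
    if sender not in allowed:
        alerts.append("UNTRUSTED_SENDER")  # this persona was never given to that sender
    elif category not in allowed[sender]:
        alerts.append("SENDER_LACKS_PERMISSION")  # right sender, wrong kind of message
    return alerts

# Constructed sample modelled on the post: attacker-owned domain, so DMARC passes,
# but the address is not trusted for the persona it reached.
PHISH = """From: "Mail Admin" <admin@attacker-owned.example>
To: billing-persona@example.com
Subject: [HIGH] Mailbox upgrade required
Authentication-Results: mx.example.com; dmarc=pass header.from=attacker-owned.example

Your mailbox upgrade is pending. Click here to release messages.
"""
```

Running `evaluate(PHISH)` yields only `UNTRUSTED_SENDER`, which is exactly the cue that fired here: the attacker’s own domain passes DMARC, so the per-persona trust table is what catches it.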

To us, this is a great example of why Enveloperty wants to partner with AI & training solutions. The nature of phishing and the simplicity of this threat make programmatic detection difficult. But if malware or tracking had been sent along with the message, AI would’ve made mincemeat of it. Together, each solution’s weaknesses would be covered by the others’ strengths, making for better numbers, in turn driving increased sales and, most importantly, reducing victims and damages.

Training is the reason a user is on the lookout for phishing and knows how to handle it. A standardized training regime would greatly aid the infosec foundation of users. This would make Enveloperty more effective, as it aids the inherent intuition of users. Greater effectiveness of Enveloperty would in turn add to the value of training, as it would be easier to execute in the wild, making training more impactful. The greater impact of training addresses the abstract-value complaint some have with training, driving the bottom line for training organizations.
