Use Case: L33tB0y

by | Feb 19, 2020 | Case Study | 0 comments

***Redacted Snarky Comments***

Quick Takeaways

Anywhooo, quick take aways are, there were no real technical giveaways to mark this message as phishing, such as the presence of malware. Meaning detection is really about semantic cognition, asking yourself does this make sense? I’m sure most would say, “look at the spelling and grammar mistakes, obviously a hacker.” The length of the message does suggest that, but how often do you get imperfect English from your coworkers in email? In our opinion that’s hardly a concrete way to determine phishing.

Long story, this phishing attempt was caught by one of our users and passed on to us. SPF was valid, since the sender took the time to set it up, but DKIM was not present at all. This caused a red flag to be thrown in the user interface alerting the user to be suspicious. Also the user in question doesn’t have any cameras on their computer… so you know there’s that. This is a plain and simple con man attempt. The only thing this attacker has, is the social fabric that people believe what they read and a cheap email headers trick.

If It Were Better

But for the sake of argument lets pretend that this attempt was a bit more ummmm polished, what then could’ve happened? After all, the attempt could’ve used more work, but the attacker used some good elements. The third image in the gallery starting with Dear John, is all of two minutes of off the cuff edits I made to make the attempt better. If your living depended on duping people, a better translator and maybe even some social media stalking would go a long way. Long story short, this attempt could’ve easily been much harder to detect. As you read, keep in mind that this is a con. The attacker wins when the victim believes so strongly that they comply. So this is all about gaining, keeping and then leveraging trust that what the attacker says is true.

  • The first good element is that he immediately tries to grab your attention. Pretty much anyone would continue to read after a line like that. It would’ve been better if he was able to obtain the users name and use it, but whatever.
  • Using a notorious name builds credebility as it’s something one can look up and see results. Unless you over sell it. I can’t resist a inside joke, but assume TaterSalad is someone with a law enforcement history of screen captures and keylogging. The real Bogachev is absolutely not wasting the time on our user, so it hurts the confidence level. Same goes for claiming you’re the best hacker, we don’t believe a restaurant is the best, we aren’t believing you
  • Any good anti phishing tool will check for DKIM i.e. verification that this email actually did come from where it says it did. This person didn’t set up DKIM so it failed and triggered an alert in our system…whoops by the bad guy, but otherwise a clever header trick to make the user think he was actually in their email. Since the from field did show up as the address in question….kinda
  • The concept of using a compromised account to inject malware is a soundish tactic. But going the porn route is so cliche and assuming the user has a camera is just plain risky. I felt going for a more abstract claim and letting the victim figure assume the worst was better. It may be porn, it could be something racist or in some other ways shameful, let the victim decide
  • Since he didn’t actually compromise anything, antivirus wouldn’t report anything…because nothing happened. Leaning into that by claiming you’re too good to be caught was a real good idea. I went into it more by trying to gain more credibility claiming a history of success
  • I like the concept of saying this is just business, as many people can relate to brutality for money. I took it a step further by offering a carrot/stick situation and imploring for mercy. Most Americans are willing to assume that life in whatever third world country they think phishing comes from is hard. People want to help, so by construing that you’re just helping me feed my family, or I can beat you down, encourages a payment
  • Scammers actually have a good history of restoring ransomware files and the like as it is conducive to payment. So a cursory lookup would suggest the scammer would keep up their end of the bargain
  • Adding an element of urgency is a good way to put pressure on the victim, encouraging the easy way out, payment. Again I claimed that this victim is just one in a long line. I suggest that one person was arrested because of the leak. For those few that do have searches or the like that would warrant that worry, it’s a compelling line
  • When people think of and deal with hackers, all of the stereotypes come flooding to them. The type on a screen to communicate is a real classic from much tv and movies. If believed adds a serious spook factor

Because this attack was a pure confidence play, Enveloperty was able to help the user recognize it as such very quickly. However, the attack could have easily contained malware, in which case an AI solution would have been very effective. Enveloperty empowers the fundamental intellect and awareness a user possesses. Therefore, training is an excellent investment for employees, on which Enveloperty then executes upon. All of these styles of solutions have their own strengths and weaknesses, none offer complete protection on their own. Each solution is better when used together with the others. We’d love to collaborate with other other anti phishing tools if you have an introduction

Share This