If the fish don’t bite

Just when you thought the infamous “Nigerian Prince” was a ubiquitously understood joke, it seems the security industry still has a long way to go when it comes to phishing. Over the years we’ve watched as attackers have grown craftier in their methods, targeting specific users and carefully designing legitimate-looking emails that are challenging to immediately identify as malicious. Surely some attack groups employ professional designers and marketers, but a new phishing scam is proving that unrefined attempts still exist.

Got a bobber floatin’ in the water with a minnow dancin’ on a hook

Last month a follower of the SANS Internet Storm Center reported to the group that s/he had received “an interesting phishing attempt.” Researcher John Bambenek published information on the InfoSec Handlers Diary Blog about the bizarre new campaign. According to the post, the user received an email with the subject line “Assessment document” from a company professing to be “VetMeds.” Interestingly, the content of the email is a single “locked” PDF and a clickable link.

Source: SANS ISC

Once the user clicks the link, s/he is directed to chai[.]myjino[.]ru, suspicious enough in its own right. At this point, if the user is on a computer configured to invoke Adobe Reader as the default PDF viewer, a warning appears, asking the user, “Do you trust myjino.ru?”  

Source: SANS ISC

If the victim clicks “Allow” he or she is then asked to enter user credentials to access the PDF. Apparently any credentials will do, according to the blog post, but it’s more likely that an average user will enter a valid ID and try the first valid password that pops into his/her head, thus allowing the attacker to harvest credentials which can be used in a secondary attack.

You’re singin’ to the radio

From an attacker’s point of view, once the victim’s credentials are received, attack over. Success. What struck Bambenek as odd, though, was the immediate redirect to a Russian website for a SWIFT transaction. He wrote, “What I found interesting was [that] the lure was a VetMeds assessment but the underlying document at the Russian website is for a SWIFT transaction, so some mixes messages there.

Mixed messages, indeed, and all of this seems fishy (if not phishy) to a security pro. However the fact that some malicious hacker is using really rudimentary and obvious tactics suggests that end users still fall for really rudimentary and obvious tactics.

It is unknown how successful this phishing campaign has been, and the security community is unlikely to ever know if the attackers gained one new set of credentials or thousands. Its mere presence, though, suggests that we have a lot more work to do on the security awareness front. Because phishing is so successful, security teams must be hypervigilant about educating end users. Many organizations have been at it for years, however, and the hope was that by this stage of general cybersecurity awareness the type of attack described on the SANS website would be too ridiculous to exist. At least come at us with some sort of sophisticated and targeted phish. Right?

Bare feet in the brook

While the general public is getting slowly better at protecting their individual accounts, the real solution lies in the technical capabilities of the security team. Systems have to be configured to block or quarantine emails with potentially malicious attachments or links. Spam folders don’t suffice. Web traffic should be inspected, analyzed in real time, and set up to alert on and/or block suspicious activity. Make sure your organization isn’t only monitoring what’s coming into the network, but also uses data leak prevention and scanning tools to inspect what’s leaving the network. Implement two-factor authentication so that any credentials adversaries manage to extract can’t be used effectively. Patch like crazy. Consider rolling out a password manager for employees (N.B. This won’t prevent users from using regular passwords for personal accounts, but if they are familiar and comfortable with a password manager inside the enterprise, they are more likely to adopt one for personal use, thereby lessening the chance that they’ll do something risky from their work computer).

Last but not least, keep educating and testing employees. When a phishing scam like the one described above is found in the wild, security practitioners across the globe might be tempted to groan and wring their hands in defeat. This isn’t a zero-sum game, though, and remember that this phish was discovered by a user, not a researcher. There’s hope. Keep on going.