The editorial team at CSO recently had an unexpected lesson in phishing attacks on a Friday. Fortunately, our user awareness training paid off, and we were spared the pain of dealing with a malware outbreak. Since there is a lesson in sharing it, here is an after-action report on the entire incident, including how our awareness training worked.
Part I: The Email
Fridays at the office are often somewhat slow. At CSO, most of the team spends Friday working on pre-planned news and research, or in briefings with vendors. Last week, though, Friday was different, because a phishing email hit the inboxes of the CSO editorial team.
The CSO editorial staff (including Joan Goodchild, Grant Hatchimonji, and myself) received what appeared, at first glance anyway, to be a poorly written news pitch about a secure email product.
"Protecting the privacy and security of client, company, and employee information is one of our highest priorities. That is why Fiserv has introduced the Fiserv Secure E-mail Message Center - a protected e-mail environment designed to keep sensitive and confidential information safe. In this new environment, Fiserv will be able to send e-mail messages that you retrieve on a secured encrypted file," the phishing email stated.
It's important to note that such a pitch isn't abnormal. We get news pitches hourly, from contacts we know and from some we don't. A fair number of them contain obvious grammatical errors and mistakes, so the usual phishing training doesn't kick in on these; we're used to them, and we usually just delete them.
However, this email stood out for a few reasons. For one, the tone was overly formal, and a pitch addressed to "Dear Business Associate:" is going to be either deleted or treated with skepticism. Another questionable aspect of the email was the list of addressees.
The TO: field included the CSO editorial team and two other employees. One had an IDG email address and the other a CXO address, which in itself isn't all that common. Of those two, one had left the company in July, and the other never existed. The email was also addressed to three other CXO addresses that don't exist either.
Reading further, it was clear that this wasn't a pitch at all. It was a phishing email. Despite our sometimes overly heavy filtering, this message somehow got past both the company's email gateway and Postini, our anti-spam service.
The message had a ZIP file as an attachment. That was one more red flag on top of the ones already raised by the bogus addresses and the unknown sender. In our minds, the email was suspicious almost immediately.
The icing on the cake, however, was that the email specifically asked that the attachment be opened, and that the included password be used to decrypt its contents. A password-protected archive also keeps the mail gateway from inspecting the payload, which is precisely why the lure supplies the password in the message body. Clearly this was some sort of phishing attempt.
Up to this point, all of our awareness training came into play, and this message simply didn't feel right:
- The message was addressed to the entire CSO editorial team.
- It was also addressed to three list-like email addresses that simply didn't exist, as well as two bogus employee addresses.
- The wording was overly formal, and while it starts like a pitch, it completely changed direction halfway through.
- The email contained an unsolicited attachment, which we were instructed to open by someone unknown to us.
The only thing left to do was to alert IT that a malicious email had made it past the filters, and then delete the message itself.
What this incident shows is that anyone, anywhere, can be a phishing target. It's easy to fall for one if you're in a hurry, and most of the time an email isn't given a second thought when its subject is familiar. The most reliable defense is for organizations to offer training that helps employees identify and avoid phishing attacks.
The CSO team has had such training, but we also have the benefit of working in an industry where such knowledge is rather common. However, the thought process we used to identify this scam isn't out of reach for anyone else; it was just a matter of slowing down, reading and analyzing the entire message, and thinking critically.
Part II: The Prevented Attack
After the incident was reported, we decided there was a lesson to be shared, so we sent the email off to some experts to examine. As it turns out, our assumption was correct: the attachment was malware.
The phishing email claims to come from Fiserv.com. Fiserv, however, is a financial services company in Wisconsin, and it has nothing to do with any secure email product. Unfortunately, its brand is being hijacked by this scam to lend it legitimacy with anyone who Googles the company's name. Moreover, the link in the phishing email that points to Fiserv.com is broken, and according to archive searches the page never existed on the firm's domain.
As it turns out, while the variant CSO received is new, the secure email angle of the scam has existed for nearly a year. After some digging around on the topic, we found more than a dozen banks and credit unions warning customers about this exact scam. In each case, the phishing email contained a password-protected attachment that had to be opened in order to retrieve an "important" message.
When the email's headers were examined, we learned why it had bypassed the spam filters: the FROM: address was spoofed and claimed to be from aexp.com (American Express), which is a whitelisted domain for many employees who have a corporate expense card. Whitelisting a domain on the strength of the From: header alone is exactly what this spoof exploits; that header is attacker-controlled unless the gateway also verifies that the message passed SPF, DKIM or DMARC for the domain it claims.
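To show what that header check looks like in practice, here is an added example (not part of the original article, and not code from CSO or any of the vendors named in it). It parses a constructed set of headers: only the spoofed aexp.com From: domain comes from the story; the envelope sender, relay host, recipient and authentication verdicts are invented for illustration and use reserved example domains. It contrasts a gateway that trusts the From: domain alone with one that only honours the allowlist when DMARC passed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

# Constructed sample headers (NOT the real message CSO received). The spoofed
# From: domain aexp.com is the only detail taken from the article; everything
# else is invented, using .invalid and example.org so it resolves nowhere.
SAMPLE_HEADERS = """\
Return-Path: <bounce-1887@mail.example-sender.invalid>
Received: from mail.example-sender.invalid (mail.example-sender.invalid [203.0.113.7]) by mx.example.org with ESMTP id abc123 for <editor@example.org>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail.example-sender.invalid; dkim=none; dmarc=fail header.from=aexp.com
From: "Fiserv Secure E-mail Message Center" <secure-message@aexp.com>
To: editor@example.org
Subject: Fiserv Secure E-mail Message Center

"""

# Assumption: an allowlist of the kind the article describes, keyed on the
# sender's domain, with aexp.com trusted because staff hold corporate cards.
ALLOWLIST = {"aexp.com"}

# Pulls "spf=fail", "dkim=none", "dmarc=fail" out of Authentication-Results.
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of an RFC 5322 address header, or '' if none."""
    _, address = parseaddr(header_value or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyse(raw_headers: str) -> Dict[str, object]:
    """Compare the visible From: domain with the envelope sender and the
    gateway's authentication verdicts, and report both allowlist decisions."""
    msg = message_from_string(raw_headers)
    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    auth = dict(AUTH_RESULT.findall(msg.get("Authentication-Results", "")))
    findings: List[str] = []

    if from_domain in ALLOWLIST:
        findings.append(f"From: domain {from_domain} is on the allowlist")
    if envelope_domain and envelope_domain != from_domain:
        # Not proof of spoofing on its own (bulk mailers do this legitimately),
        # but combined with failed authentication it is a strong signal.
        findings.append(f"envelope sender {envelope_domain} does not match From: {from_domain}")
    for mech in ("spf", "dkim", "dmarc"):
        verdict = auth.get(mech, "missing")
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")

    # Weak gateway logic: the From: header alone decides. This is what the spoof beats.
    naive_allow = from_domain in ALLOWLIST
    # Hardened logic: the allowlist only applies if the claimed domain authenticated.
    authenticated_allow = from_domain in ALLOWLIST and auth.get("dmarc") == "pass"

    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "auth": auth,
        "findings": findings,
        "naive_allowlist_passes": naive_allow,
        "authenticated_allowlist_passes": authenticated_allow,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_HEADERS)
    for line in report["findings"]:
        print("-", line)
    print("naive allowlist would deliver:", report["naive_allowlist_passes"])
    print("authenticated allowlist would deliver:", report["authenticated_allowlist_passes"])
```

Run against the sample, the naive check waves the message through because "aexp.com" appears in From:, while the authenticated check refuses it because DMARC failed for that domain. The envelope mismatch is reported as a finding rather than a verdict on its own, since legitimate bulk senders often use a different bounce domain.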
Analysis of the attachment itself, provided to CSO by Andrew Hay, the Director of Applied Security Research at CloudPassage, and by Simon Crosby, CTO of Bromium, and Rahul Kashyap, Bromium's chief security architect, confirmed its true purpose.
For starters, the attachment is an executable file that uses the PDF icon in a weak attempt to hide. If executed, the initial file acts as a dropper and downloads additional malware. Once that is done, it deletes itself, leaving only the dropped files behind.
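An icon is a presentation detail that the file's content does not have to honour, so the check a practitioner wants is on the bytes, not the look. The following added example (again, not code from the article or from the analysts it quotes) reads only the first few bytes of each member of a ZIP attachment, without extracting anything to disk, and flags members whose content is a Windows executable or whose name and content disagree. The archive it inspects is constructed in the script; the member names are hypothetical, and it is unencrypted only because Python's zipfile module cannot write encrypted archives. The triage function still accepts the password a lure like this one would have supplied.

```python
import io
import zipfile
from typing import Dict, List, Optional

# Leading bytes that identify the file types this triage cares about.
MAGIC = (
    (b"MZ", "pe"),           # Windows executable: what the lure actually carried
    (b"%PDF", "pdf"),        # PDF: what the icon and name pretended it was
    (b"PK\x03\x04", "zip"),  # nested archive
)
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_SUFFIXES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def identify(head: bytes) -> str:
    """Classify a file by its leading bytes; 'unknown' if none of MAGIC matches."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect_member(name: str, head: bytes) -> Dict[str, object]:
    """Judge one archive member from its name and first bytes."""
    lower = name.lower()
    suffixes = ["." + part for part in lower.split(".")[1:]]
    final = suffixes[-1] if suffixes else ""
    kind = identify(head)
    reasons: List[str] = []

    if kind == "pe":
        reasons.append("content starts with MZ: Windows executable")
    if final in EXECUTABLE_SUFFIXES and any(s in DOCUMENT_SUFFIXES for s in suffixes[:-1]):
        reasons.append("double extension disguises an executable as a document")
    if final == ".pdf" and kind != "pdf":
        reasons.append("named .pdf but content is not a PDF")

    return {"name": name, "kind": kind, "suspicious": bool(reasons), "reasons": reasons}


def triage_zip(data: bytes, password: Optional[bytes] = None) -> List[Dict[str, object]]:
    """Inspect every file in a ZIP held in memory. Only the first 8 bytes of
    each member are read; nothing is written to disk and nothing is executed."""
    results: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # pwd is ignored by zipfile for unencrypted members, so the same call
            # works for the password-protected archives these lures ship.
            with zf.open(info, pwd=password) as fh:
                head = fh.read(8)
            results.append(inspect_member(info.filename, head))
    return results


def build_sample_zip() -> bytes:
    """Constructed stand-in for the lure's attachment (hypothetical names).
    Contains a fake executable hiding behind a .pdf.exe double extension and
    a harmless real PDF stub for contrast."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Secure_Message.pdf.exe", b"MZ" + b"\x90" * 62)  # PE magic, padding
        zf.writestr("Secure_Message.pdf", b"%PDF-1.4\n%harmless stub\n")
    return buf.getvalue()


if __name__ == "__main__":
    for result in triage_zip(build_sample_zip(), password=b"password-from-the-email"):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{result['name']}: {result['kind']} [{flag}] {'; '.join(result['reasons'])}")
```

The executable is caught twice over: once because its content starts with the PE magic, and once because ".pdf.exe" is a double extension that Windows Explorer, with known extensions hidden, would display as "Secure_Message.pdf". Reading only the header bytes also limits exposure to oversized or malformed members.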
Further examination shows that the downloaded files check for an Internet connection (by connecting to Google), and if one is present, the malware attempts connections to several other IP addresses. At the time this story was written, many of those command and control servers were still functional.
Furthermore, the malware alters the system's startup configuration to ensure that it runs each time the machine is rebooted, in addition to corrupting the user's roaming profile (should one exist).
Examination of one of the dropped files also made the attackers' plan clear: they were serving a variant of the Zeus Trojan in their email to us.
At first, the assumption was that this was a targeted attack on CSO. But given that the same campaign has existed for some time, that notion was dropped.
Still, the financial motive behind the attack is clear. The attackers packaged a working copy of Zeus for delivery, one that can open backdoors into the system, copy documents, and record keystrokes, especially those of financial value. The rest of the harvested information will be packaged and sold.
For us, there is no question. Additional training on spotting scam emails enabled us to look past our professional blinders and question an email that by all accounts came off as a poor news pitch. Without it, the situation could have been much, much worse.