On Tuesday evening, Salted Hash received a pitch from a PR agency we've worked with in the past. Such things are normal in the day-to-day life of a journalist. But the problem is, this email wasn't a pitch, it was a Phishing attack with at least three victims - including the PR agency that sent it and the two journalists who forwarded the original message.
Here's a postmortem of the incident.
There was nothing strange about the email at first glance, not really. It came from a known contact at a PR agency that I've worked with in the past for Salted Hash. However, the email was missing a subject line. Thinking this was one of those fantastic email blasts gone wrong, I opened the message. As it turns out, this was an email blast gone wrong, but not in the comedic sense.
The message's body didn't look like normal communications from the agency or the representative (strike 1), it contained a generic request written in broken English (strike 2), and the link itself pointed to a domain maintained by the Special Anti Crime Bureau – not really strike 3, but questionable enough that I started digging around.
Turns out, the domain is legitimate, but the link in the email isn't – it's a Dropbox Phishing page harvesting email credentials from Gmail, AOL, Yahoo, Hotmail, or personal POP accounts.
Here's the thing. I'm an odd duck, so I don't expect other journalists to go hunting for malware and Phishing kits.
If you're a journalist or work for a PR agency and you suspect an email is a Phishing attack, don't go hunting. Instead, report it to IT and delete the message, it's easier and less risky. If you're freelance or have no access to IT, just delete the message and forget about it.
At the same time, in the world of PR and journalism, opening email attachments and following links are part of the job. What happened on Tuesday is a perfect example of the risks associated with this type of setting, because a trusted source was compromised and used as leverage in an attack.
Trust your gut: if it looks shady or feels shady, treat it as such. In the long run, this will always be your best bet. Awareness training helps, but it isn't going to solve the problem. That's where the gut feeling comes into play.
One of the first things I did was contact the PR agency to warn them they've been compromised. They were already aware of the issue, because the contact realized they had fallen victim to a Phishing attack and immediately alerted IT.
The contact got the same email from two other journalists, who had obviously fallen prey to the same scam.
Eventually, curiosity got the better of them. They followed the link in the Phishing email and entered their credentials when prompted. The scammers then used those credentials to blast the same Phishing lure to everyone in the contact's address book. This is how the email made it to the Salted Hash inbox.
The PR agency uses all the proper security settings when it comes to email, so the Phishing blast cleared any anti-Spam filter it encountered. The message claimed to contain a report from the Special Anti Crime Bureau. Despite the questionable name, it's easy to see why a journalist, or a PR agent, would be curious, especially if they work on security related topics.
The Phishing Kit:
As this write-up was being posted, not too long after being reported, Google's Safe Browsing was flagging the domain as a Phishing attack. Salted Hash contacted the server administrator to alert them as well.
An examination of the Phishing kit revealed a collection of some basic scripts, and a massive blacklist.
The main page of the Phishing kit is designed to look like Dropbox, except that it looks nothing like the actual page. There was another Dropbox Phishing page running on the same server, and it too looks nothing like the real thing. Both pages are from the same kit, and while it's simple in design, clearly it works.
The blacklist filters IP assignments from Netcraft, Kaspersky, OpenDNS, PhishTank, Bitdefender, Fortinet, Google, Tor, Amazon, Rackspace, OVH, McAfee, Hostway, Noisebridge, Chaos Computer Club, Microsoft, Alien Vault, Avira, Comodo, AVG, ESET, Panda, Doctor Web, Symantec, Sophos, MIT, Trustwave, and more. The OVH block is interesting, because the server is using IP addresses owned by OVH.
Anyone on the listed IP blocks will be given a generic error message displayed as a 404. A full copy of the Phishing kit's blacklist is available on Pastebin.
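The blacklist matters to anyone triaging a reported URL: an analyst whose egress IP sits in one of those blocks gets the decoy 404 and may wrongly clear the site. The following Python is an added example (not the kit's code and not part of the original post) that loads a blocklist in the kit's spirit and reports whether a given source address would be cloaked. The labels and ranges are constructed from RFC 5737 documentation space, not the kit's real entries.

```python
import ipaddress
from typing import Optional

# Constructed sample in the spirit of the kit's blacklist: one entry per line,
# either a CIDR block or a bare address, with optional "# label:" lines naming
# the blocked party. Ranges are RFC 5737 documentation space, NOT real vendor
# assignments.
SAMPLE_BLOCKLIST = """\
# label: scanner-vendor-a
192.0.2.0/24
# label: hosting-provider-b
198.51.100.0/25
# label: crawler-host
203.0.113.7      # single host entry
bogus-line-that-should-be-ignored
"""

def load_blocklist(text: str) -> list:
    """Parse the blocklist into (label, network) pairs, skipping junk lines."""
    entries, label = [], "unlabelled"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# label:"):
            label = line.split(":", 1)[1].strip()
            continue
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        try:
            # strict=False tolerates host bits set inside a prefix
            entries.append((label, ipaddress.ip_network(line, strict=False)))
        except ValueError:
            continue                            # malformed entry, ignore it
    return entries

def cloaked_by(ip: str, entries) -> Optional[str]:
    """Return the label of the block that hides the page from ip, else None."""
    addr = ipaddress.ip_address(ip)
    for label, net in entries:
        if addr in net:
            return label
    return None

if __name__ == "__main__":
    bl = load_blocklist(SAMPLE_BLOCKLIST)
    for probe in ("192.0.2.44", "198.51.100.200", "203.0.113.7", "203.0.113.8"):
        print(probe, "->", cloaked_by(probe, bl) or "would see the real Phishing page")
```

If your own analysis address comes back cloaked, re-check the URL from a vantage point outside the listed blocks before reporting it as clean.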
Harvested credentials are emailed to the kit's controller, and there are logs kept of each visit recording the IP and browser information. According to the email script that records the victim's credentials, the kit's controller reminds himself (yes, it is a he running this campaign) that "success is loading... because I deserve it!"
As mentioned, the website owner has been notified, and the Phishing pages reported.
The lesson here is that reporters and PR people need to slow down, and use basic awareness training along with a good dose of caution when going about our work.
The only reason I wasn't fooled by this attack was because I knew the sender, and what the general tone and flow of their emails look like.
When a basic assessment fails, I'm an instant skeptic, which in this case pushed me to verify the email and then investigate the URL. But not everyone has that level of insight, or the knowledge to carry it out, so continual training and assessment are a must.
Public relations and journalism are hard businesses to be in, and when it comes to email-based threats, those of us in this profession have a higher risk factor than most, similar to those who work in HR and procurement. All day long we see emails from strangers with links to follow and attachments to open.
Sadly, an anti-Virus engine or email filter that stops everything doesn't exist, so it's up to us to do some diligence in order to protect ourselves.