Once a target, always a target: A second look at awareness training in action

The one constant about user awareness training is that the awareness part is supposed to stick with you. Learning how to spot one type of phishing email is only good for that particular email, thus the concept of awareness is learning to trust your gut when something looks suspicious.

On Tuesday, the CSO editorial team was once again reminded of why awareness training works. Last month, we explored a Phishing campaign aimed at the CSO editorial team, but our most recent encounter targeted IDG as a whole. Today, we’re going to examine this latest attempt, as there are some valuable lessons to be learned.

Phishing is a psychological attack. The criminals behind such initiatives want you, the victim, to do something. This ‘something’ can be a number of things, but common requests include following links or opening attachments, because the action is simple, takes little time, and it’s something everyone online does daily.

The trick though, is actually getting you to do the ‘something’ without asking too many questions. This is achieved by focusing on the psychological aspect of the attack. Those behind a phishing campaign will use fear, emotional pulls (e.g., asking for assistance or help), or a pretext of authority (which in itself can be a type of fear, if the pretext is law enforcement of management) to coerce the victim to do their bidding.

The phishing campaign used as an example for this article, circulated on the IDG Corporate network on October 8, 2013. Not everyone got it (including myself), but many people working with CSO and IDG as a whole did. The exact count isn’t important, but suffice to say, the issue was large enough for IT to send a company wide warning about the emails.

The tone of the message leveraged fear, and did so by presenting the pretext of someone in authority. In our case, the email’s message carried the air of coming from Human Resources -- and it’s never wise to cross them or refuse a request.

Unlike the other phishing campaign, which focused on CSO alone under the guise of a news release, this one cast a wide net, but it was flagged almost immediately by many of the employees who received it, for several reasons.

[Social engineering and phishing attacks are getting smarter, but are employers?]

SUBJECT: Annual Form – Authorization to Use Privately Owned Vehicle on State Business

The subject of the email references a form of some kind, which authorizes the addressee to use their personal vehicle while on state business. While most of us here at IDG are sure that such a form may exist, and perhaps is required in some cases, we don’t work for the state.

This is a red flag in and of itself, but in addition to not working for the state, it’s common knowledge from employee training that the company allows us to use our own vehicles while traveling for business. But still, like most large companies, we’re encouraged to use air travel and rental agencies when we have to travel for a story.

[3 steps to identify a potential phishing email]

FROM: Joan Leblanc (Joan [at] idgenterprise.com)

If the subject line wasn’t enough to prove that the email was suspicious, or at least completely unrelated to our jobs, the email address of the person who sent it raised a second red flag.

While idgenterprise.com is a legitimate address, after all it is our corporate domain; the email address itself wasn’t formatted properly. Our email addresses, as shown on our author profile pages, use something completely different. Like the previous phishing attack, a quick search of the company directory confirmed that Joan Leblanc isn’t a real employee.

TO:

The last time CSO had to deal with a malicious email, it was addressed to fake employees, and the editorial team. In addition, the message was also addressed to two aliases that simply didn’t exist. This time however, the aliases were valid, increasing the number of people who received the message.

Some common email aliases, such as support or sales, are fine for organizations of any size. However, aliases that are easily guessed that include a large number of employees should be considered during the risk assessment process for implementing email security.

“All of us do a little risk calculation whenever something comes into our inboxes…and it’s a subconscious thing,” explained Trevor Hawthorn, the CTO of ThreatSim, a company that focuses on spear phishing and awareness training.

“When something comes into something like an alias, I would speculate that most of the users &mdash when something comes into that email address, the little voice in their head probably said, ‘this is probably okay, because it’s only internal people that ever send to this list’,” he added.

In this example, the attackers managed to guess the name of an email address used by a business unit within IDG. However, it is still entirely possible that those targeted by this latest scam had their addresses harvested, as many of them are publically available. Still, the lesson here is that just because an email is addressed to a known internal alias, doesn’t instantly grant it immunity.

[A firsthand look at why user awareness training works]

BODY:

While the other red flags are more than enough to discount this message as a scam, the body is still worth examining. The tone presented by the message is one of fear, as it says that unless the form is completed and submitted, then reimbursement could be delayed. In essence, “…do as we say, or you won’t be paid.”

Again, “Joan Leblanc” is supposed to be someone with authority. Thus, the tone of this email and the subject line are the psychological aspect to the campaign.

All employees need to have on file this form STD 261 (attached). The original is retained by supervisor and copy goes to Accounting. Accounting need this form to approve mileage reimbursement.

The form can be used for multiple years, however it needs to re-signed annually by employee and supervisor. Please confirm all employees that may travel using their private car on state business (including training) has a current STD 261 on file. Not having a current copy of this form on file in Accounting may delay a travel reimbursement claim.

ATTACHMENT:

Again, our awareness training drills the point that you never open random email attachments or follow random links into our heads. The attachment for this email was rather simple: Form.idgenterprise.com.zip

Like the previously covered phishing scam, this too contained a Zeus Trojan variant. Although, the uptick in detection was faster this time around, with 24 of 48 AV engines on VirusTotal detecting the malware for what it is, as of early Wednesday morning.

[Social engineering study finds Americans willingly open malicious emails]

TECHNICAL:

This email likely originated from the same group of bots that sent the last one. As covered in the slideshow that examined the previous campaign’s headers, this message also came from a Comcast user, but the headers show sources in Indiana and Florida. However, there were other ISPs included, which were scattered throughout the globe.

This scam spoofed the idgenterprise.com domain, but it also used aexp.com again as the Return-Path as well as the Received header. As mentioned previously, AEXP.com is American Express, and this domain has been spoofed by criminals many times in the last year, including several noted Phishing attacks. The domain itself is usually whitelisted by network defenses, due to the use of corporate credit cards.

For additional technical details, including a list of domains and IPs to block, as well as files dropped, the Malwr report has them.