From points A to Z: Examining random Phishing email

When you work for a corporation, seeing email form IT is routine. Sometimes, those emails are urgent, and rightfully so, but this sense of urgency is what criminals look to exploit.

On Wednesday afternoon, one such email, with an overly urgent subject line, arrived in my inbox. I wasn’t the only one; others at CSO got them too. In fact, I’m betting a good deal of people at IDG Enterprise got this email.

The subject line, “Warning!!! Account owner” portrays a level of urgency that demands the message be opened. Inside, the potential victim will see the following:

Information Technology Services (ITS) are currently upgrading e-mail accounts. This will provide you the ability to store a greatly increased amount of e-mail correspondence in your e-mail account.

Your account has been identified as one of the accounts which are to be upgraded. Please click the link below and follow the instruction

Click here

The new minimum quota level for e-mail accounts will be set to 1000MB.

Regards,      

IT Help Desk Team

The email itself is a form generated email. It’s a cookie-cutter scam that has been used since 2010, and often delivered by compromised webservers, email accounts (as the message can simply be cut and pasted), and bots. The original script for this scam has origins on IRC, but today it’s mostly found in modular Phishing kits that are sold and traded online.

In fact, the basic wording of the email can be altered for any number of scams. In my case, it’s asking for email account data, but it’s also been used to scam PayPal accounts. The email I’m examining today has been flagged by the University of Virginia, the University of Alaska, the University of Hawaii, the University of Michigan, just to name a few.

When the message arrived, the overly urgent subject line immediately told me something was off. While the IT team that supports me and my co-workers will send status emails and urgent notifications, this isn’t their style or tone.

But, it’s my nature to be curious, so I opened the message in plain text.

The body of the message, as previously shown, stands out in plain text. The URL where I am supposed to “verify” my account isn’t a corporate domain. Not even close. So that was all the proof I needed to know this message was a fake. For the curious, following the link takes you to the form seen below.

Knowing the email was fake wasn’t enough for me however, I wanted to know where it came from and how it got past the spam filters used by my company. As it turned out, the email’s headers gave me all the information I needed.

One of the header lines told me the message originated from Google’s servers, and passed through our spam filters with a high legitimacy score. After all, it’s Google, so trust is implied by default in the anti-Spam software. Sad, but true.

Knowing it came from Google doesn’t help, so I looked at the other parts of the message’s headers. I noticed that the received-by markers were signed with DKIM, meaning the domain sending the email is likely legit, thus suggesting that the from address wasn’t forged or otherwise spoofed.

Google does this for all of their messages, but more to the point, they do this for Google Apps accounts.

The Phishing email was delivered to me from an address that belongs to a teacher working for the Spring Independent School District (ISD) in Texas. The district serves more than 36,000 kids from pre-K through grade 12, on 38 campuses. One of the key resources made available for students and staff is the ability to access Google Apps for Education, anywhere at anytime.

Armed with this knowledge, it’s clear that the teacher’s Google Apps account was somehow compromised and used to spread the Phishing attack further. That’s one of the big risks with compromised email, once your account has been hijacked, the attackers will turn to your contact list in an effort to add to their victim lists, and use it to blast messages to hundreds of people in short order.

Calls to the Spring ISD confirmed this.

Speaking with one of their Technology Department specialists, the Hash was told that before the campaign was halted, some 8,000 messages were sent out. The account that delivered my email was but one of about five that were compromised.

The incident started on Friday, and the team at Spring ISD worked over the weekend in order to keep control over the situation. As of Wednesday afternoon, they were confident that things were returning back to normal. They were still dealing with accounts when the Hash spoke to them by phone, but I was one of the final recipients of the Phishing blast. As part of their recovery process, they are resetting access to the accounts that were or may have been compromised.

Unfortunately, Spring ISD was not the original victim in this campaign. Their users were compromised due to a Phishing attack against another school district. It isn’t clear if the victims in either case were students, teachers, or both, as privacy policy prevents that level of discussion.

However, the point is that scams like this rely on propagation. That’s exactly how it was able to spread from school district to school district, and on to the outside world.

The lesson to learn is the same one for all email-based threats. Don’t follow links if something seems suspicious. However, in this case the emails would have came from a trusted contact first. I’m a third-tier potential victim, the bulk of the propagation happened within the hijacked account’s address book, and the victim’s close circle of contacts.

In cases such as this, be aware of tone, and question requests that are overly urgent. Instead of following links, reach out and contact the person (or in this case the IT department) directly for confirmation. It’s perfectly acceptable to adapt a policy of trust, but verify – especially when it comes to dealing with Phishing attacks.