2021 Mid-Year Phishing Report

Authored by Joel Garcia, Cyber Security Operator III at Security On-Demand

As the world re-opens and employees make the transition back to some normalcy, scammers remain hard at work to score payoffs and gain unauthorized access. Looking back, the FBI’s 2020 Internet Crime Report ranks email fraud as the most financially damaging attack, totaling over 2 billion dollars.

Worst yet, email threats have evolved to evade traditional filtering technologies. Knowledgeable and vigilant end-users remain the best defense. In that spirit, let us look at what has worked for threat actors in the first six months of the year in this 2021 Phishing Report that cover the first half of the year.

Top Threats Q1 & Q2

Business Email Compromise (BEC)

BEC Financial Fraud

Business Email Compromise (BEC) is a class of email fraud, typically for financial gain. In a BEC attack, scammers impersonate (or hack) a trusted entity’s email. Threat actors then attempt to convince a separate employee to transfer funds or disclose documents.

Payment of an invoice, requests for sensitive information, and gift card codes for employees are typical payoff scenarios. Threat actors typically impersonate executives, business partners, or employees, scammers use the six Principles of Social Engineering to make their request – Reciprocity, Commitment and Consistency, Social Proof, Authority, Liking, and Scarcity.

 

BEC is a form of a social engineering attack via email, there is no malware or link for gateway filters to catch. Instead, BEC exploits the lack of widespread use of Domain-based Message Authentication, Reporting and Conformance (DMARC).

DMARC extends existing protocols Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to protect organizations from lookalike (spoofed) domains.

0365 Account Phishing

Leveraged heavily in 2020, Proofpoint reports that users are about 7x more likely to click on Malicious SharePoint/OneNote/OneDrive links.

A link in an email, often tailored with an urgent matter, leads victims to seemingly familiar websites. Documents shared via cloud/fax, competition payouts, and missed deliveries are common lures to used acquire credentials.

More blatant than BEC or credential harvesters, Consent Phishing outright asks to abuse account privileges. In consent phishing, hackers register malicious applications with an OAuth provider.

These malicious apps ask for excessive permissions as shown to the right, like contact list visibility, access to cloud storage, and sending email as the user.

All that remains is to get an authorization link in front of a user. This attack vector relies on those targeted to blindly grant rights to what they believe are trustworthy programs.

Krebs on Security calls these apps “the Ultimate Insiders”, dodging 2FA and persisting after password resets.

Multi-stage Malware Delivery

Attempting to evade email filtering, malware developers use lightweight modules to stage additional payloads. The modules, known as downloaders, droppers, and loaders, are found in malicious attachments or hosted in cloud environments.

A favorite of the Dridex banking trojan, Excel documents are increasingly used as first-stage delivery due to Microsoft’s 4.0 Excel Macro (XLM) and Visual Basic for Applications (VBA) functionality.

Also starting with a malicious Excel document, Uncategorized Group 2529 (UNC2529, FireEye) uses a three-step delivery technique. First, an Excel (or JavaScript) downloader, dubbed DOUBLEDRAG, executes and downloads a dropper. The 2nd payload, DOUBLEDROP, assembles a backdoor; DOUBLEBACK, the third stage of the attack.

Nobelium (APT29/Cozy Bear), the group behind the SolarWinds hack, is using a four-stage payload distribution technique. A complex infection chain uses EnvyScout, BoomBox, NativeZone, and VaporRage to compromise systems, as shown below.

                                                       Envy Scout                Boom Box            NativeZone         VaporRange

Conclusion

Now the threats – Increase your knowledge regularly on different phishing techniques and current attack campaigns.

Recognize the threats – Be skeptical of the emails in your inbox. Use precaution when communicating about money or sensitive information. Know your company’s email policy and protocols, so you are using the proper channels for sharing sensitive information.

Know the threats, recognize the threats. Keep yourself and your organization secure.

Additional Resources

FBI, 2020 Internet Crime Report https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf

Proofpoint, https://www.proofpoint.com/us/corporate-blog/post/three-common-business-email-compromise-tactics-and-how-fight-back

Proofpoint, https://www.proofpoint.com/us/blog/user-protection/why-onedrive-and-sharepoint-attacks-are-successful-and-how-fight-back

KrebsonSecuirty, https://krebsonsecurity.com/2021/05/malicious-office-365-apps-are-the-ultimate-insiders/

The Hacker News, Excel Abuse https://thehackernews.com/2021/04/cybercriminals-widely-abusing-excel-40.html

FireEye, UNC2529 https://www.fireeye.com/blog/threat-research/2021/05/unc2529-triple-double-trifectaphishing-campaign.html

MicroSoft, Nobelium Attack https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset

SOD Phishing Trip Full Report