Not All Phishing is Sophisticated, but that Doesn’t Mean it Doesn’t Work

Today, a very unsophisticated phishing campaign targeted our company. In fact, there is nothing terribly exceptional about it, aside from the fact that about 25% of our employees received their own version of it and as I did a little research online, I saw many others received a similar email also. Despite the low sophistication and the fact no harm was done, this does afford me the opportunity to remind everyone that not all phishing needs to be sophisticated for it to work. We must continue to train, educate and raise awareness of how critical it is to not succumb to such easily identifiable phishing emails.

Here is one of the phishing emails that we received (numbers are indicators of phishing that I will explain below):

Before we dive in to the seven phishing indicators herein, note how short and simple this is.  There is nothing terribly sophisticated about it.  Yet such simplicity can be effective when it targets a person who is very busy, especially when it appears to come from someone in authority. Note also that it does not have an attachment nor a link, so how does the hacker expect to gain any benefit from it?  Well, we’ll address that as we go through the email.

1. In this case, the email appeared to be from our CEO, Peter Bybee. This is a strategy that hackers use to put weight behind the email and hopefully instill an inherent sense of fear, anxiety, or whatever it is inside of us that causes us to not want to question or upset the boss. This also tells us that these emails were targeted toward our organization. The hacker at the least needed to get the name of the CEO before sending them out.
2. This may be different per org, but employees – especially the CEO – may have a picture tied to their profile and it would show up here. If that is normal, then not having the picture populate may be an indicator of phishing.
3. The actual email address that it was sent from is NOT Peter’s email address. In fact, in this case, the hackers didn’t even try to fake it. It’s just blatantly wrong.  However, when viewing the email in the Outlook client, you often don’t see the email address of the sender. Just the name.  This is what the hacker was betting on.
4. This is probably the most interesting. As we noted above, there is no attachment or link as we often see in phishing. Just a single line with an obscure request.  Why would they do this?  Well, it is an attempt to bypass email security software that may quarantine or isolate emails with attachments or links. By sending just this obscure request, the hacker is hoping to get someone to reply to the email for more instructions.  Once that back and forth communication occurs it may free them to send an attachment or a link – which may not get blocked due to it being expected – or simply send over instructions on what to do on the errand that is beneficial in some way to the hacker.
5. Note the poor grammar. I know that when people are sending mobile emails, mis-types may occur, but in reality, it is difficult in the middle of a sentence to mess up a capitalization and add in a “?” from a mobile phone.  It is highly unlikely that a CEO would have made those particular mistakes.
6. The sender is trying to instill a sense of urgency with the targeted victim. They use the words “quick” and “now”. They are hoping that you will not think too hard about it and just act.
7. This is a smaller indicator and is dependent on the personality of the sender. The sender used the full name of the CEO. In most cases it is likely that the CEO would send it more informally considering the rest of the email is very informal. Our CEO would have just signed it as “Peter”. Of course, it is possible that Peter could have an auto signature on his mobile app that automatically adds his name to the end of the email, but most likely that would include a full signature block with title and contact information.

So just in this short email alone there are seven pretty good indicators that this is a phishing email and should be ignored or sent on to the security team for action. In the event though that you aren’t sure if it is legit or not, simply ask (not via email reply, mind you) the CEO directly if he/she sent it or reach out to your security team for verification. My personal favorite rule when I’m not sure is to trust my gut – i.e. “if it smells phishy, it probably is phishy”.

According to the 2017 Ponemon – Verizon DBIR report, up to 66% of all data breaches occur via phishing. Think about the impact our security teams could make if we could even just drop that number from 66% to 33%?  It would be huge.  Making that leap should not be terribly difficult. In fact, I argue that through a regular training and awareness regiment, that number is attainable.  So feel free to take this blog post and pass it around in your organization as a training tool on how to identify a phishing email and better protect yourself from such attacks.

Deeper Analysis for the Security Professional

Beyond looking in the body of the email to identify phishing emails, analyzing the email header can be quite useful to confirm the phishing attempt. This can give you more evidence or simply help to develop a little threat intelligence that you can feed back into your email security tool or into your SOC.

The header in this particular email reveals some interesting things:

Received: from NEW-02-2.privateemail[.]com (new-02-2.privateemail[.]com [198.54.122[.]46])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ************** ESMTP Server) with ESMTPS id AB4D64C005C
for <**********@securityondemand.com>; ****** Apr 2019 18:28:42 +0000 (UTC)
Received: from MTA-06-1.privateemail[.]com (unknown [10.20.147[.]16])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by NEW-02.privateemail[.]com (Postfix) with ESMTPS id 1ECD960759
for <*********@securityondemand.com>; ***** Apr 2019 18:28:42 +0000 (UTC)
Received: from MTA-06.privateemail[.]com (localhost [127.0.0.1])
by MTA-06.privateemail[.]com (Postfix) with ESMTP id 0A81260039
for <***********@securityondemand.com>; ****** Apr 2019 14:28:42 -0400 (EDT)
Received: from APP-01 (unknown [10.20.147[.]151])
by MTA-06.privateemail[.]com (Postfix) with ESMTPA id E7F7960045
for <**********@securityondemand.com>; ******* Apr 2019 18:28:41 +0000 (UTC)

This gives us some solid intelligence and reveals part of the path the email took from the original sender to the targeted victim. Apparently the email started presumably on device or in application APP-01 on 10.20.147.151.  Because this IP address is not publicly routable, it’s not a very good indicator for alerting or blocking. However it is useful if you are an intelligence analyst trying to build a profile of the actors and gather as much info as possible. From here it went through what appears to be various web-based email servers on privateemail[.]com until it reaches the public facing side of the servers at NEW-02-2.privateemail[.]com on IP address 198.54.122[.]46.  Each of these various server URL’s and the IP address are worthwhile indicators to put into your security systems for monitoring or blocking. A quick google search of these indicators reveal that they are known to be malicious. For example, the Anti-Hacker Alliance has a page dedicated to this IP address.

Further in the header, the following information is also provided:

X-Mailer: Open-Xchange Mailer v7.8.4-Rev55
X-Originating-Client: open-xchange-appsuite

Each of these fields provide intelligence on the threat actor. The X-Mailer provides information on the email server they are using and the X-Originating-Client provides information on the overall client applications being used. It turns out, the entries in each of these fields are also somewhat commonly seen in phishing emails. Both make solid threat indicators that can be used to flag future phishing emails and block them. It is unlikely there will be many legitimate emails you will receive using these applications.

Finally, the last indicator is the email address used to send the email in the first place. This is pulled from both the body of the email and the header: mantle@bacwan[.]live.  If you are worried about blocking possible legitimate emails, you could simply block this singular email address. However, it is probably not a bad idea to simply block any email coming from “bacwan[.]live”.

Indicator List (for blocking and identification)

• *.privateemail[.]com
• 198.54.122[.]46
• *.privateemail[.]com
• *.bacwan[.]live
• Open-Xchange Mailer v7.8.4-Rev55
• open-xchange-appsuite

About Security On-Demand

Security On-Demand (SOD) provides full-spectrum threat management and advanced cyber threat detection services for hundreds of businesses and government agencies globally. SOD’s patented, behavioral-analytics ThreatWatch technology enables the detection of advanced threats to protect brand value and reduce the risk and mitigate the impact of a data breach. SOD is headquartered in San Diego, CA with international R&D offices and a Security Operation Center in Warsaw, Poland.