phishing awareness

Phishing Email to Company Devastating Ransomware in 5 Hours

October 25, 2020 By Craig Hays 2 Comments

Reading Time: 6 minutes

How hackers manually escalated from a malicious email to a devastating, company-wide ransomware takeover in under 5 hours.

Photo by Pixabay from Pexels

(This article aims to contextualise an excellent incident report by Thedfirreport.com. I’ve used my own experience to fill in the gaps to demonstrate how these attacks affect real people in real companies.)

The Attack Started Like Many Others

A phishing email landed in the victim’s inbox at around 5 pm UTC and was promptly opened and read. There was nothing particularly suspicious about it. It was a well-written email with a reasonable call to action. There were no urgent demands. It wasn’t claiming to be from the company CEO. It looked identical to many other emails received that same day.

The company email servers scanned it and allowed it straight through to the victim’s inbox. It was sent through a legitimate and well-known email delivery service with a good reputation. There were no attachments to be scanned for malware. All it contained was a politely written request and a link to a web page.

The web page didn’t ask them to log in. It wasn’t trying to steal their password by masquerading as a trusted login page. All the victim saw was a message saying: ‘Oops! The document preview isn’t available. Click here to download’, or words to that effect. This is the sort of error message that we’ve all seen many times over the years. Most of us wouldn’t think twice about clicking that link, myself included.

Malware In Disguise

The browser downloaded a file named something like PreviewReport.DOC.exe. A warning message came up at the bottom of their browser asking if the user wanted to keep or discard the file as it could be harmful.

Regrettably, our unfortunate user downloads all sorts of documents all day every day and many of them give the exact same warning. They’ve learned that this warning message is just a regular part of online life. One more thing they must click on in order to get work done. Out of habit, they clicked on ‘keep’, then opened the file.

The executable was signed with a trusted certificate from a well-known vendor. It was malicious, and yet it was signed. The thing is, anyone can buy legitimate and trusted software signing certificates on the internet these days if you know where to look. The user’s PC had AppLocker configured to block unsigned executables but it made no difference. The trusted, signed malware executed without a problem.

Their local antivirus software had the latest virus signatures downloaded and available. As the malware was unique to this victim, the signature didn’t match anything on record. Nothing was blocked.

As far as the user was concerned, the file did nothing. Perhaps it was corrupted. Never mind…

Sadly, it wasn’t corrupted. It sent a message out to a command and control server on the internet to say, ‘Hello, I’m here, and I’m waiting’, then opened a backdoor into the heart of the company network. It checked in using standard, encrypted HTTPS traffic, and notified the ransomware gang that it was active and waiting for instructions. From the outside, it looked exactly the same as the device’s owner viewing any other secure web page on the internet.


Phishing with Worms – The Greatest Password Theft I’ve Ever Seen

September 29, 2020 By Craig Hays 4 Comments

Reading Time: 6 minutes

I got hit by a devastating worm that spread through phishing. This is how it worked and what I learned from it.

Photo by Miguel Á. Padriñán from Pexels

A long time ago in a world without Multi-Factor Authentication…

The first report came in shortly after 10 am. A user had fallen victim to a phishing attack. Their account was spamming out an unusual amount of email, triggering an alert. Another day, another attack.

The response team hit the big red ‘account breached’ button, locking the compromised account down, then we started to investigate. We were looking for the root cause of the compromise and any damage that had been caused. Applications used, data downloaded, emails sent, etc.

The second report came in at 10:10 am. This wasn’t uncommon. Emails that made it through the filtering rules tended to hit a number of people at the same time. If you land enough phishing emails of reasonable quality it’s almost inevitable that one or two people will fall for them.

The third report came in at 10:14. As did the fourth, the fifth, and the sixth. Now, this was unusual.


3 Tips To Run The Best Phishing Tests In The World

July 3, 2020 By Craig Hays Leave a Comment

Reading Time: 3 minutes

If you want to run the best phishing simulation tests possible that actually make your people more risk-aware, do these three things.

Photo by Jonathan delange on Unsplash

1. Make Phishing Tests Real

Make your phishing tests as real as possible. As the military maxim goes, ‘train as you fight, fight as you train’. While training for the D-Day landings, soldiers were instructed to make pretend gunshot sounds instead of pulling the trigger to conserve ammo (blanks still need casings) for the real event. When the real event came, soldiers would occasionally revert back to their training and shout ‘Bang, Bang!’ instead of pulling the trigger.

Don’t send those awful phishing emails that so many vendors push on you. Forget the Microsift and Goggle emails and logos. Don’t be afraid to use all of the official logos, style guides, and trademarks. Criminals don’t care about trademark infringement. When organised crime comes after your colleagues it will be branded like the real thing.

The best phishing tests either use real emails from real companies with the original links replaced by phishing links, or use real, high-quality phishing emails sent by actual criminals and run the same scenarios that criminals are running for real.


Why More Than Half of Email Phishing Leaks Happen on Mobile Devices

June 22, 2020 By Craig Hays Leave a Comment

Reading Time: 5 minutes

Over 60 percent of people who are phished by email are phished on mobile devices. This is why it happens and what you can do about it.

Photo by Rasheed Kemy on Unsplash

Why Mobile Devices are More Prone to Phishing

I’ve sent a lot of phishing emails. All with good intentions I must add. While reviewing the results, one of the most surprising things that I discovered was that the majority of people who fall for phishing tests (and therefore real phishing attacks) are using mobile devices. In my experience, 60% of those who are successfully deceived are victims of mobile phishing.

These are my conclusions as to why this is true and recommendations on what we can do to help people stay safe online.


How to Run a Phishing Simulation Test

January 29, 2020 By Craig Hays Leave a Comment

Reading Time: 12 minutes

Running a successful phishing simulation campaign is difficult. This is how to test your employees to better prepare them for real attacks.

Fishing Fleet image by Bernard Benedict Hemy

Following on from my last article on how to write phishing emails that work, this article outlines how to run a successful phishing simulation campaign. We do this to measure how employees respond to attacks from criminals, how effective our training is, and where we need to do more to help our employees stay safe online.

· © Craig Hays, 2006–2023 ·