phishing emails

Phishing Email to Company Devastating Ransomware in 5 Hours

October 25, 2020 By Craig Hays 2 Comments

Reading Time: 6 minutes

How hackers manually escalated from a malicious email to a devastating, company-wide ransomware takeover in under 5 hours.

It started with a phish ransomware in 5 hours — Photo by Pixabay from Pexels

(This article aims to contextualise an excellent incident report by Thedfirreport.com. I’ve used my own experience to fill in the gaps to demonstrate how these attacks affect real people in real companies.)

The Attack Started Like Many Others

A phishing email landed in the victims inbox at around 5 pm UTC and was promptly opened and read. There was nothing particularly suspicious about it. It was a well-written email with a reasonable call to action. There were no urgent demands. It wasn’t claiming to be from the company CEO. It looked identical to many of other emails received that same day.

The company email servers scanned it and allowed it straight through to the victim’s inbox. It was sent through a legitimate and well-known email delivery service with a good reputation. There were no attachments to be scanned for malware. All it contained was a politely written request and a link to a web page.

The web page didn’t ask them to log in. It wasn’t trying to steal their password by masquerading as a trusted login page. All the victim saw was a message saying: ‘Oops! The document preview isn’t available. Click here to download’, or words to that effect. This is the sort of error message that we’ve all seen many times over the years. Most of us wouldn’t think twice about clicking that link, myself included.

Malware In Disguise

The browser downloaded a file named something like PreviewReport.DOC.exe. A warning message came up at the bottom of their browser asking if the user wanted to keep or discard the file as it could be harmful.

Regrettably, our unfortunate user downloads all sorts of documents all day every day and many of them give the exact same warning. They’ve learned that this warning message is just a regular part of online life. One more thing they must click on in order to get work done. Out of habit, they clicked on ‘keep’, then opened the file.

The executable was signed with a trusted certificate from a well-known vendor. It was malicious, and yet it was signed. The thing is, anyone can buy legitimate and trusted software signing certificates on the internet these days if you know where to look. The user’s PC had AppLocker configured to block unsigned executables but it made no difference. The trusted, signed malware executed without a problem.

Their local antivirus software had the latest virus signatures downloaded and available. As the malware was unique to this victim, the signature didn’t match anything on record. Nothing was blocked.

As far as the user was concerned, the file did nothing. Perhaps it was corrupted. Nevermind…

Sadly, it wasn’t corrupted. It sent a message out to a command and control server on the internet to say, ‘Hello, I’m here, And I’m waiting’, then opened a backdoor into the heart of the company network. It checked-in using standard, encrypted, HTTPS traffic, and notified the ransomware gang that it was active and waiting for instructions. From the outside, it looked exactly the same as the device’s owner viewing any other secure web page on the internet.

[Read more…]

How to Run a Phishing Simulation Test

January 29, 2020 By Craig Hays Leave a Comment

Reading Time: 12 minutes

Running a successful phishing simulation campaign is difficult. This is how to test your employees to better prepare them for real attacks.

Following on from my last article on how to write phishing emails that work, this article outlines how to run a successful phishing simulation campaign. We do this to measure how employees respond to attacks from criminals, how effective our training is, and where we need to do more to help our employees stay safe online.

[Read more…]

9 Things I’ve Learned Writing Phishing Emails

December 6, 2019 By Craig Hays

Reading Time: 7 minutes

For the past six months, I’ve been writing and sending phishing emails to thousands of innocent people and analysing the results. This is what I’ve learned.

(Disclaimer: This is for educational and authorised testing purposes only. Please don’t break the law, it isn’t nice.)

Writing phishing emails — Photo by Matthew McBrayer on Unsplash

My victims have no idea who I am, why I would want to steal their login credentials, or what I could do with them. They are trusting, hardworking people who just want to do a good job and go home to take care of their families.

Fortunately, I’m not a criminal. The emails I send are authorised phishing simulation tests. They’re designed to test our employees and their responses to various scenarios presented to them in email form.

Phishing Simulation and Awareness Training

With phishing simulation, we can measure how susceptible people are to real attacks, provide just-in-time training to those who take the bait, and measure the effectiveness of our overall training strategy. No amount of phishing awareness training is ever going to be 100% effective but if we can raise the level of caution even slightly we’re in a better place than before. No matter what we do, people will always be phished. Even me, even you.

At work, we employ people based on their ability to provide products and services to our customers, not their ability to distinguish real emails from malicious ones. Phishing simulation is a useful tool but to protect our people we need many others in our toolboxes. Things like Multi-Factor Authentication (MFA), email filtering, and a secure web gateway (filtering proxy) to name a few. Awareness training needs to be part of our defence-in-depth approach.

What I Learned Writing Phishing Emails

Writing phishing emails is a copywriting task, not a creative writing task. Creative writing is an art. Copywriting is a science. Writing phishing emails is more like writing sales and advertising material than anything typically associated with cybersecurity. The same things that convince us to buy products and services, book a holiday abroad, or subscribe to an email mailing list are the same things that make us click links in phishing emails and give away our login credentials.

Copywriting is the science of influencing people to take defined actions with the written word. Copywriters are effective through their ability to empathise with the reader and play upon their emotions. They use psychological tools such as the power of perceived authority, our natural bias towards loss aversion, a false sense of urgency through an imminent deadline, and many others. Ultimately, writing effective phishing emails is no different from convincing someone to upgrade their smartphone or buy a new car.

With that said, this is what I’ve learned so far:

[Read more…]