The basic premise of a phishing email is to entice you to click through to a website which then asks you for some sign in details for a service so that the perpetrator (note – NOT the ‘hacker’; hacking is something completely different) can steal your credentials.
We can’t say what a phishing email looks like per se, but we can spot the signs. (For more details see our earlier post How to Spot a Fake Email). What they all generally do have in common is a call to action of some kind that often involves either:
- Scaring you into thinking you have to do something immediately to avoid a fine, pay an invoice for services, or avoid some other penalty
- Enticing you with a new business opportunity (or, perhaps, a new love interest…) but absent any real detail of what the opportunity is
Common to all is some sort of urgency – click now or you’ll be fined or miss the opportunity. They rely heavily on either FUD – fear, uncertainty, doubt – where they relate to avoiding a fine, or curiosity where they relate to opportunities.
In this post we’ll focus on a real example of a business opportunity. All the key details have been redacted, as the message was from a real email account from a real company that had itself been compromised and used to send the email.
The opportunity was innocuous enough, but true to form, contained no actual detail about the proposal being offered, just a link to click through to find out more.
Luckily the client was immediately suspicious and sent it through to us. Now, the worst thing I could have done to check would have been to click and check for her! We suspected phishing, but there could also have been malicious software behind the link. Windows Sandbox is a brilliant Windows 10 feature that boots a simple virtual machine, isolated from the rest of your computer, that you can use to check things like this safely.
The link opens a site called Tresorit. This is a legitimate site for end-to-end encrypted file storage, used in this case for nefarious purposes. The document appears to be an Adobe PDF which we can either View or Download.
All looks OK so far, doesn’t it? Now, though, things start to get weird. Clicking on ‘View’ we get through to another page, this time for Microsoft OneDrive, another file sharing service. Why would a file be stored in one place, but when you click to get it, you’re taken somewhere else? Now, again, I can either Review or Download.
If we look closely at this screenshot, the URL points to a PDF, yet what is displayed looks like a web page. Now things start to make sense. The Tresorit site was hosting a PDF, which has opened in a new browser tab, the default behaviour when using Microsoft Edge. But the PDF is made up to look like a OneDrive download page, which of course is odd for a PDF, but easy to dismiss when opened in a browser.
This is all fairly typical – if we had downloaded the PDF, it might have been easier to spot right away. The PDF would have still looked like this web page, which would have been strange. But, as we said earlier, these scams rely on a lack of attention to specific details. Just enough people they are targeting won’t notice or question these oddities (remember, these emails are usually sent in their hundreds or thousands, and only need a few people to fall for the ploy).
In our Sandbox environment, we’re safe (for now) and exploring further, so let’s continue. We click through and get to yet another new page.
Now this one is really interesting! I was fully expecting a typical fake Office 365 sign in page, but not this time. Now I have options, to either sign in with Outlook, Office 365, or something else. But wait, it’s asking me to sign into Adobe Document Cloud. Weren’t we just going to go to OneDrive?
So we have options. This is clever (if you ignore the obvious illogicality of how we got here) and suggests that the scammer is not only asking for an email address and password, but also which service it’s for. Each option has its own little splash window you can enter the credentials into. And a nice touch – they’ll never share your email with anyone else! Now I’m reassured!
What happens next?
Needless to say, this is where I stopped, because I know what’s going to happen next – nothing. At least not immediately. I won’t get a file to download and I won’t get any new business from this wonderful opportunity. What I will get is my email address and password nicked, which the perpetrator will use to try to sign into my account and have a good poke around all of my emails and files. If I’m really lucky, they’ll sell it on to lots of other people too.
Chances are I won’t even notice anything at first; I’ll think it was odd and probably forget about it. But in a few days, I’ll stop receiving any emails. At first it will seem like a quiet morning, then someone will say ‘did you get my message’ and I’ll say no. Why?
The following is not always exactly what happens but it’s usually some variation on this theme. They’ll watch my emails for a bit (perhaps by setting up forwarding to somewhere else, so they can read them at their leisure without having to keep accessing my account, potentially raising suspicion), then at a juicy moment, perhaps at the start of a conversation about a payment transfer, they’ll inject a new reply into the chain asking to change the payment details to a new bank account. They may even set up a new email address on a new domain that’s almost the same so they can continue completely outside of my account. They’ll set up a mail rule that moves emails in the chain to another folder so I won’t see them and be alerted before the scam is complete.
Even if they don’t get as far as getting any cash, what always happens is that when they are done with me, they’ll set up a rule to divert all inbound emails to another folder, then use my account to send out hundreds or thousands of the same message I fell for, to all my contacts and more, and start over.
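As an added example (not part of the original post), here is an Exchange Online PowerShell sweep for the kind of mailbox manipulation described above: forwarding set on the mailbox itself, inbox rules that forward or redirect to an external domain, and rules that hide mail by deleting it or moving it to an unexpected folder. It assumes the ExchangeOnlineManagement module and an Exchange admin account; the domain name is a placeholder.

```powershell
# Added example, not from the original post. Hunts for the mailbox changes the
# text describes: forwarding, rules that send mail outside the organisation,
# and rules that hide messages by deleting them or moving them to odd folders.
# Assumes the ExchangeOnlineManagement module and an Exchange admin account.
Connect-ExchangeOnline

$internalDomain = 'example.com'   # placeholder: replace with your own domain

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Forwarding configured on the mailbox itself, outside of any inbox rule
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName
            Rule    = '(mailbox-level forwarding)'
            Reason  = "ForwardingSmtpAddress=$($mbx.ForwardingSmtpAddress); ForwardingAddress=$($mbx.ForwardingAddress)"
        }
    }
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        if (-not $rule.Enabled) { continue }
        $reasons = @()
        # Recipients come back as strings such as "Name [SMTP:user@domain]"
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($target in $targets | Where-Object { $_ }) {
            if ("$target" -match 'SMTP:[^@\]]+@([^\]]+)\]' -and $Matches[1] -ne $internalDomain) {
                $reasons += "forwards to external domain $($Matches[1])"
            }
        }
        if ($rule.DeleteMessage) { $reasons += 'deletes incoming messages' }
        if ($rule.MoveToFolder -and "$($rule.MoveToFolder)" -match 'RSS|Archive|Deleted|Junk|Conversation') {
            $reasons += "moves mail to $($rule.MoveToFolder)"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Reason  = ($reasons -join '; ')
            }
        }
    }
}

$findings | Format-Table Mailbox, Rule, Reason -AutoSize
```

Any hit is worth a conversation with the mailbox owner; rules that move mail to the RSS or Deleted Items folders and forwarding to a personal webmail domain are the classic signs that an account has already been used as described above.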
How can we stop this?
Luckily, there are lots of precautions that we can all take, not least of all having two-factor authentication (2FA) on your accounts (see Why Use Multi-Factor Authentication). Office 365 has some other tools to help prevent and mitigate phishing too, but nothing is 100% perfect. Even with 2FA, these scams also rely on the fact that people have a tendency to re-use passwords, so while they might not get into your email account, they may try the same credentials on other sites.
The best precaution we can all take is to be wise to the fact that these scams are real, that they really do work, and to learn how to spot the tell-tale signs. Spend some time examining the emails you receive, especially if you don’t know the sender, and even if you do, whenever the message seems suspicious. In particular, avoid taking action on your mobile phone, as the signs of phishing are usually much harder to spot there.
Would your CEO usually ask you to spend money on Amazon vouchers via email, just before heading into a long meeting? Is that invoice from one of your actual suppliers? Better to wait and check out the facts before diving in. You’ll be grateful in the end, and as the old adage goes, better safe than sorry.