Phishing for dummies

Yesterday we published our annual report, which includes my favourite topic – how the threat landscape’s going to change in 2009. One of the things we expect to see is an increase in the number of phishing attacks and scams on the Internet:

“Secondly, the technical sophistication needed to develop and spread new malicious programs will force many cyber criminals to search for simpler and cheaper ways of making a profit. Phishing may be one of the more attractive solutions.”

And, whether by coincidence or design, yesterday I got an email which is just what I’m talking about above – a scam that’s easy and cheap to implement.

Subject: please see the attachment
Sender (fake): Internal Revenue Service [nonereply@irs.gov]
Message: Please see the attachment make sure you fill all the columns and send fax to: +1-646-308-1145.

This type of phishing has been around for a while, but it’s the first time I’ve received a message like this – maybe I’ve just been lucky, because I know my address is all over spammer databases 🙂

This is so-called offline phishing: the bad guys don’t even go to the trouble of making a fake site, they just ask you to fax through all your details. Using a fax number gives the whole thing an additional aura of credibility. Most people have heard of phishing sites, but a lot of them won’t have heard of phishing by fax, and the combination of a government department and a fax number fits perfectly with the perception that public institutions are more than a bit behind the times.

So what threat do these messages pose, apart from the obvious scam factor? Files attached to messages can easily carry malicious programs, and the sample I got had two Word documents attached. Nothing makes this type of file inherently less dangerous than an executable: if you’ve been following the news, you’ll know about the unpatched vulnerability in Adobe PDF Reader that’s being exploited using OLE files, and that’s just one example of the threat that MS Office files from untrusted sources can pose.
Because we’re experts, though, we know how to open files like this safely. So we did, to take a look at what the authors of the email wanted from us.

This is what’s in the file called Form W-4100B2 A1.doc.

(screenshot of the form not reproduced)

And this is what’s in the file called Form W-4100B2A2.doc.

(screenshot of the form not reproduced)

It’s pretty clear that the information you’re asked to give is exactly the type of information that always features in media reports about data leaks, and exactly the type of information the bad guys can use to do a thousand and one bad things, all in your name.

Let’s dig a bit deeper and take a closer look at these documents, or rather at their properties.

The second file claims to be FORM W-4100B2. A quick Google gives results for a similar mass mailing back in November 2008. There’s an example here, and you can see that since November the only thing that’s been changed is the fax number.

However, the document properties show it was originally called FORM W-8BEN (NRA Recertification). Another quick Google shows results for scams which used this document running from the beginning of 2007 up until autumn 2008.

It’s no surprise that this form is almost identical to a genuine IRS document which has the same name. The only difference is that the legitimate form clearly states “Do not send Form W-8BEN to this office. Instead, give it to your withholding agent” rather than asking for information to be faxed back.

So the file properties still show the old name, even though the file is currently circulating under a different one. This makes it look almost certain that the same person (or group of people) is behind all the attacks: they just recycle the original file with slight modifications. We even know that this was last done on 22nd November 2008.
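The properties read out of the attachment above (the title it was originally saved under and the last-save timestamp) live in the SummaryInformation stream of a .doc file, an OLE property set whose layout is documented in MS-OLEPS. What follows is an added example, not code from the original post or from Kaspersky: a minimal standard-library Python parser for that stream, plus the check the post performs by hand (does the embedded title match the name the file circulates under?), run over a stream built inline so it works offline. The FMTID, property IDs and value encodings follow MS-OLEPS; the sample title and last-save date are taken from the post, while the author name and the times of day are made up for the sample. For a real attachment you would pull the stream out of the container with the olefile library (`OleFileIO(path).openstream("\x05SummaryInformation").read()`) and feed those bytes to the same parser.

```python
import struct
from datetime import datetime, timedelta, timezone

# SummaryInformation property IDs (MS-OLEPS PIDSI_* values) we care about.
PIDSI = {0x02: "title", 0x03: "subject", 0x04: "author",
         0x08: "last_author", 0x0C: "created", 0x0D: "last_saved"}
# FMTID {F29F85E0-4FF9-1068-AB91-08002B27B3D9} as stored on disk (mixed-endian GUID).
FMTID_SUMMARY = bytes.fromhex("E0859FF2F94F6810AB9108002B27B3D9")
VT_I2, VT_LPSTR, VT_FILETIME = 0x0002, 0x001E, 0x0040
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def _typed_value(value):
    """Encode one TypedPropertyValue: 2-byte type, 2 bytes padding, then the value."""
    if isinstance(value, int):                      # VT_I2, e.g. the code page
        return struct.pack("<HHhH", VT_I2, 0, value, 0)
    if isinstance(value, datetime):                 # VT_FILETIME: 100 ns ticks since 1601
        ticks = (value - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
        return struct.pack("<HHQ", VT_FILETIME, 0, ticks)
    raw = value.encode("cp1252") + b"\x00"          # VT_LPSTR: Size counts the NUL, not padding
    return struct.pack("<HHI", VT_LPSTR, 0, len(raw)) + raw + b"\x00" * (-len(raw) % 4)


def build_summary_information(props, codepage=1252):
    """Build a SummaryInformation stream from {pid: value}; used here only to make sample data."""
    entries = [(0x01, codepage)] + list(props.items())   # PID 1 (code page) comes first
    values = [_typed_value(v) for _, v in entries]
    offsets, pos = [], 8 + 8 * len(entries)              # Size + NumProperties + id/offset table
    for v in values:
        offsets.append(pos)
        pos += len(v)
    prop_set = struct.pack("<II", pos, len(entries))
    prop_set += b"".join(struct.pack("<II", pid, off) for (pid, _), off in zip(entries, offsets))
    prop_set += b"".join(values)
    # Stream header: ByteOrder, Version, SystemIdentifier, CLSID, NumPropertySets, FMTID, Offset.
    header = struct.pack("<HHI", 0xFFFE, 0, 0x00020006) + b"\x00" * 16
    header += struct.pack("<I", 1) + FMTID_SUMMARY + struct.pack("<I", 48)
    return header + prop_set


def parse_summary_information(stream):
    """Decode title/author/dates from the raw bytes of a \\x05SummaryInformation stream."""
    if struct.unpack_from("<H", stream, 0)[0] != 0xFFFE:
        raise ValueError("not an OLE property set stream")
    if stream[28:44] != FMTID_SUMMARY:
        raise ValueError("first property set is not SummaryInformation")
    base = struct.unpack_from("<I", stream, 44)[0]          # start of the PropertySet
    count = struct.unpack_from("<I", stream, base + 4)[0]
    table = [struct.unpack_from("<II", stream, base + 8 + 8 * i) for i in range(count)]
    codec, result = "cp1252", {}
    for pid, off in table:                                  # offsets are relative to the set
        pos = base + off
        vtype = struct.unpack_from("<H", stream, pos)[0]
        pos += 4                                            # skip type and padding
        if vtype == VT_I2:
            value = struct.unpack_from("<h", stream, pos)[0]
        elif vtype == VT_LPSTR:
            size = struct.unpack_from("<I", stream, pos)[0]
            value = stream[pos + 4:pos + 4 + size].rstrip(b"\x00").decode(codec, "replace")
        elif vtype == VT_FILETIME:
            ticks = struct.unpack_from("<Q", stream, pos)[0]
            value = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
        else:
            continue                                        # other VT_* types: not needed here
        if pid == 0x01:
            codec = "utf-16-le" if value == 1200 else "cp%d" % value
        elif pid in PIDSI:
            result[PIDSI[pid]] = value
    return result


def recycled_template_indicators(stream, filename):
    """The check from the post: does the embedded title match the name the file circulates under?"""
    meta = parse_summary_information(stream)

    def norm(s):
        return "".join(s.split()).upper()

    title = meta.get("title", "")
    stem = filename.rsplit(".", 1)[0]
    return {
        "title": title,
        "title_matches_filename": bool(title) and norm(title) == norm(stem),
        "last_saved": meta["last_saved"].date().isoformat() if "last_saved" in meta else None,
    }


# Constructed sample: title and last-save date follow the post; author and times of day are made up.
SAMPLE_STREAM = build_summary_information({
    0x02: "FORM W-8BEN (NRA Recertification)",
    0x04: "Owner",
    0x0C: datetime(2007, 1, 15, 9, 30, tzinfo=timezone.utc),
    0x0D: datetime(2008, 11, 22, 14, 5, tzinfo=timezone.utc),
})

if __name__ == "__main__":
    # Real file: stream = olefile.OleFileIO(path).openstream("\x05SummaryInformation").read()
    print(parse_summary_information(SAMPLE_STREAM))
    print(recycled_template_indicators(SAMPLE_STREAM, "Form W-4100B2A2.doc"))
```

A title that does not match the file name, combined with a last-save date that predates the mailing, is exactly the recycled-template signal described above; the same stream also carries the author and last-author names, which are worth pivoting on across samples. Note that the parser trusts the offsets in the stream, so run it on an untrusted attachment only inside whatever sandbox you already use for opening the document itself.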

I find this pretty depressing. Someone’s been sending out these messages for at least the last two years, just tweaking the attack sometimes by changing the fax number and the name of the documents. And it looks as though they’re not having any problems at all.

See for yourself. Take a look at the number – +1-646-308-1145. It’s only linked to the current attack. Take a look at the complaints from victims. Take a look at the IRS site which has info about attacks like this. And what action is being taken? As far as I can see, none.

I don’t know the details of US law regarding anonymity for the owners of phone numbers. It just strikes me as pretty strange that for a long time now, the guys behind these attacks have been exchanging their old numbers for new ones without anyone trying to track them down and arrest them.

Take care of yourself, and take care of your personal details. “Phishing for dummies” is going to happen more and more often in 2009. It’s easy. It’s cheap. And at the moment, there doesn’t seem to be much danger of getting caught.
