Ride the Lightning

Be Wary of E-mails from Friends, Colleagues – and Your Attorney

October 25, 2016

Naked Security reported on a phishing e-mails in a story you should really read. The tale involves a man whose solicitor's e-mail account had been hacked. He then received an e-mail from the solicitor's real (not spoofed) e-mail address, including his normal e-mail signature. As the recipient was in the middle of moving to a new home and expected paperwork from his solicitor, the e-mail and attachment appeared normal at first.

But as he moved his cursor to open the attachment, he noticed the attachment was called Drafted Contract003.pdf.htm – a clever use of the double extension .pdf.htm which was an attempt to trick him into thinking that this was a PDF document instead of the HTM (web page) file that it actually was.

On opening the file, instead of a PDF viewer launching, his browser opened with a popup alert: After closing the alert, he was taken to a very realistic looking Google login page. But the address bar revealed that the address wasn't Google or even a website URL, but code included in HTM file, which he could see when he opened the HTM in text editor. If you looked at the source code of this page in a browser, you could see that any user who enters their username and password would have those details submitted to the hacker and not Google.

At this point, he contacted his solicitor and alerted him to the fact that his e-mail account had been compromised and it was sending phishing e-mails. The solicitor changed his password and contacted his clients to advise them to be on the lookout for suspicious e-mails.

It is worth reading the story simply to see all the graphics that accompany the narrative above.

This wasn't the end of the attack. The next day, he received another e-mail purportedly from the same solicitor, with the same signature, but this one came from a random Gmail address. This time it had a real PDF file attached called Financial Statements001.pdf. On opening this file, a blurry picture appeared with a link at the top.

The blurring was deliberate by the cybercriminal, leaving only the Barclays bank logo and an 'Approved' stamp legible. The idea is to trick you into thinking you had been approved for some kind of contract or loan and that if you click the link at the top you would be able to view the details.

In reality, clicking the link took you to a web page hosted on the same domain as the previous phishing e-mail, which again requires you to 'log in' on a fake Google page. Looking at the Whois ownership information for that domain, he saw that it had been registered one week earlier using presumably fake or stolen personal details of a woman called Fiona in Lagos, Nigeria.

He surmised at this point that the hacker had not only gotten into his solicitor's e-mail account but also stolen all the contact details in his address book. This allowed the attacker to continue targeting him and other customers using the same details but from different e-mail addresses.

He contacted his solicitor again to try and understand if he knew how his account had been hacked and what else had happened. It came as no surprise that he had recently received a similar e-mail that had tricked him into entering Google login credentials. So he was phished, which led to the account compromise.

Now he wanted to understand the purpose behind the actions of the crook: was he just after usernames and passwords to sell on the Dark Web? The answer was derived from the filters on the solicitor's e-mail account.

He had twenty new e-mail filters named A, B, C… all the way through to T. Most of these had a similar theme: any e-mail containing a keyword in the subject or message, such as Bank, Statement, or Sort Code would be moved into a Recently Deleted folder.

For hackers working against the clock, aware that the victim could change their password at any moment, this would make it very quick for them to get hold of the most valuable e-mails and save them for further investigation later.

The last few filters targeted e-mails that contained references to Contract003.pdf.htm. These would be automatically dumped into the Spam folder. This meant that anyone who tried to warn the solicitor that he had been hacked by sending him an e-mail would fail – they would have vanished into his Spam folder and never been seen, giving the hacker more time to keep the scam going.

To protect yourself from e-mails sent under false pretenses by crooks, the author offers the following advice:

• Look out for e-mails that come from different addresses to what you'd expect.
• Be careful of documents that ask you to enable macros or editing before you can see the contents.
• Tell Windows Explorer to show file extensions to protect you against misleading filenames.
• Watch out for double file extensions (e.g. .pdf.htm) or extensions you aren't familiar with (e.g. .js, .wsf, .lnk).
• Hover your mouse cursor over links to see if they go where they say they are going.

If in doubt, call or speak in person to your friend, colleague or attorney and ask them if they sent the e-mail.

To protect yourself from having your e-mail taken over by crooks to attack your friends and customers, pick strong passwords and use two-factor authentication whenever you can.

Stop and think before you click – good advice indeed.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
http://www.linkedin.com/in/sharondnelson