Wednesday, June 7, 2023

Phishing with Worms — The Greatest Password Theft I’ve Ever Seen

I got hit by a devastating worm that spread through phishing. This is how it worked and what I learned from it.

A long time ago in a world without Multi-Factor Authentication…

The first report came in shortly after 10 am. A user had fallen victim to a phishing attack. Their account was spamming out an unusual amount of email, triggering an alert. Another day, another attack.

The response team hit the big red ‘account breached’ button, locking the compromised account down, then we started to investigate. We were looking for the root cause of the compromise and any damage that had been caused. Applications used, data downloaded, emails sent, etc.

The second report came in at 10:10 am. This wasn’t uncommon. Emails that made it through the filtering rules tended to hit a number of people at the same time. If you land enough phishing emails of reasonable quality it’s almost inevitable that one or two people will fall for them.

The third report came in at 10:14. As did the fourth, the fifth, and the sixth. Now, this was unusual.

How to Hide Phishing Emails in Plain Sight

For so many accounts to be hit at once, it was either a really, really effective phishing attack, or someone had been biding their time after stealing credentials over a long period. I hoped so badly that it was an awesome phishing attack.

The problem was, we couldn’t see an obvious source for the initial credential theft. Nobody had received any emails from new contacts that day. There were no emails that looked anything like a phishing email leading up to the event. We were confused… So how was it happening?

RE: Contract for Review

A typical phishing email comes from an email address you’ve never seen before. Granted, it might be similar to a real address you’d expect to see such as rnicrosoft.com instead of microsoft.com, but it’s rare for an address you trust to send you anything suspicious. When someone you know does send you something suspicious it’s usually rather obvious. When it happens we contact them directly to let them know there’s a problem. ‘Looks like you’ve been hacked, mate.’ We don’t fall for the scam.

In this attack, however, all of the phishing links were sent as replies to emails in the compromised account’s mailbox. This gave every email an inherited sense of trust. ‘You asked for this thing, here it is: link to phishing page’. When I realised what was happening, I was in awe. Whether done by deliberate design or not, the outcome was incredible. The conversion rates on these emails would make even the greatest of email marketers envious!

How this Wormable Phishing Attack Worked

The original subject was retained to keep the message in the established context. The email was sent as Reply All to ensure nobody dropped off the chain. With the established subject line and previous conversation history, it was almost impossible to distinguish the bot from the real account holder. Genuine email addresses, real subject line, familiar content… with so many trust indicators in place, I think even the most vigilant of us would have fallen for this trick. I know I would.

So What Makes This So Powerful?

The theft of credentials which weren’t protected by Multi-Factor Authentication allowed the bot to propagate to other users through every compromised account. The more accounts it gained access to, the faster it sent emails, compromised new accounts, and grew in size. And the growth wasn’t just limited to within our company. No company works in a silo. We sent it to all sorts of people, just as it was originally sent to us. What a mess.

This exponential growth meant that a phenomenal number of accounts were compromised within a few hours. We could delete unread emails received internally, but we couldn’t stop it coming from others outside our control. Because the attack required manual interaction to leak a password and start running again, every time we thought we’d stamped it out it came back after a random delay.

Bypassing our Human Defences

This time, however, when the patient zero email came in, our user did the right thing and called the sender who immediately said: “why yes! I did send you an email with that subject! Of course, it’s safe, please go ahead and open it without delay!”, or words to that effect. They had indeed sent other emails in the thread… but not that specific one.

How We Stopped It

We got lucky.

Then we promptly rolled out Multi-Factor Authentication to anyone who didn’t have it.

What I Learned


The Bot was Too Effective

In this attack, the credentials were used instantly and a flood of emails left each mailbox which set off a ton of alerts and red flags. The execution of the attack was ingenious, using existing email threads to leverage established trust — I love it! But it was too eager to execute the next stage and sent too many emails within a short space of time. Had it waited and paced out the delivery of emails over hours or even days, the spread could have gone undetected for much longer.

This is the sort of thing that keeps me up at night. The advanced, persistent threat. Lingering undetected under the surface, waiting to pop up and cause problems.

Had this bot been a little less eager to close the deal it could have done a lot more damage with those stolen accounts. Instead, it triggered alarms, gave itself away and was shut down.
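One way to turn the volume signal described above into a detection, as an added example that is not from the original post or craighays.com: it parses constructed outbound-mail log lines (the log format, thresholds and window sizes are assumptions), flags any account that sends a burst of reply-all messages inside a rolling window, and escalates when several accounts are flagged close together, which is the fingerprint of a worm spreading rather than a single compromised mailbox.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed outbound-mail log (not from the post): "<ISO time> <sender> <kind>"
SAMPLE_LOG = """\
2023-06-07T10:01:00 alice@example.com reply-all
2023-06-07T10:01:05 alice@example.com reply-all
2023-06-07T10:01:09 alice@example.com reply-all
2023-06-07T10:01:20 alice@example.com reply-all
2023-06-07T10:03:00 bob@example.com new
2023-06-07T10:10:00 carol@example.com reply-all
2023-06-07T10:10:30 carol@example.com reply-all
2023-06-07T10:10:40 carol@example.com reply-all
2023-06-07T10:11:00 carol@example.com reply-all
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, sender, kind = line.split()
        events.append((datetime.fromisoformat(ts), sender, kind))
    return events

def burst_senders(events, threshold=4, window=timedelta(minutes=5)):
    """Return {sender: time_first_flagged} for accounts that send >= threshold
    reply-all messages inside any rolling window (assumed cutoffs, tune to baseline)."""
    recent = defaultdict(deque)   # per-sender timestamps still inside the window
    flagged = {}
    for ts, sender, kind in sorted(events):
        if kind != "reply-all":   # the worm replied into existing threads
            continue
        q = recent[sender]
        q.append(ts)
        while q and ts - q[0] > window:   # drop sends older than the window
            q.popleft()
        if len(q) >= threshold and sender not in flagged:
            flagged[sender] = ts
    return flagged

def campaign_alert(flagged, min_accounts=2, window=timedelta(minutes=15)):
    """True when several flagged accounts fall inside one window: one burst is a
    single compromised mailbox, many in quick succession is the worm spreading."""
    times = sorted(flagged.values())
    for i in range(len(times)):
        j = i
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        if j - i >= min_accounts:
            return True
    return False
```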

You Can’t Do Without Multi-Factor Authentication (MFA)

There are many excuses for not having it, but they’re irrelevant. Just look what happened to me. Now with ransomware on the scene, it’s even more devastating to get caught in an attack like this.

Enable MFA and enforce it as soon as possible if you haven’t done it already. Add it to your personal accounts and your work accounts. Add it everywhere.



People Inherently Trust Their Colleagues and Partners

When criminals gain access to an email account they gain access to all of the trust that comes with it. It is common for people to ask: “But I don’t have access to anything, why would a hacker want my account?”

While you might not have access to any sensitive information, to finance and payment systems, or to bank accounts, you are implicitly trusted by people who do. Adding your identity to a social engineering attack over an internal email makes any malicious requests a lot more believable. Even if they achieve nothing else, they might still be able to change your bank details and pocket your cash at the next payday.

A Great Idea with Poor Execution is Worthless, Even to Hackers

Had they spent more time considering the execution of the second phase of the attack, what to do once an account has been stolen, they could have made a lot of money. Instead, I suspect they made nothing. At least at my expense.

• Craig Hays is an aspiring writer, Cybersecurity Architect, Bug Bounty Hunter, Musician, Movie Producer and Failed Skydiver. This piece originally appeared at craighays.com

