I got hit by a devastating worm that spread through phishing. This is how it worked and what I learned from it.
A long time ago in a world without Multi-Factor Authentication…
The first report came in shortly after 10 am. A user had fallen victim to a phishing attack. Their account was spamming out an unusual amount of email, triggering an alert. Another day, another attack.
The response team hit the big red ‘account breached’ button, locking the compromised account down, then we started to investigate. We were looking for the root cause of the compromise and any damage that had been caused. Applications used, data downloaded, emails sent, etc.
The second report came in at 10:10am. This wasn’t uncommon. Emails that made it through the filtering rules tended to hit a number of people at the same time. If you land enough phishing emails of reasonable quality it’s almost inevitable that one or two people will fall for them.
The third report came in at 10:14. As did the forth, the fifth, and the sixth. Now, this was unusual.
How to Hide Phishing Emails in Plain Sight
By the time we had recovered the first two accounts and done an initial damage assessment, we were facing a huge wave of account takeovers. We could see that all of the accounts were being accessed from strange locations all over the globe and sending out a large number of emails.
For so many accounts to be hit at once, it was either a really, really effective phishing attack, or someone had been biding their time after stealing credentials over a long period. I hoped so badly that it was an awesome phishing attack.
The problem was, we couldn’t see an obvious source for the initial credential theft. Nobody had received any emails from new contacts that day. There were no emails that looked anything like a phishing email leading up to the event. We were confused… So how was it happening?
RE: Contract for Review
As we dug deeper and compared sign-in timestamps with email timestamps, it became clear what was happening. The phishing emails were being sent as replies to genuine emails. Emails exchanged between our people and our suppliers, our customers, and even internally between colleagues.
A typical phishing email comes from an email address you’ve never seen before. Granted, it might be similar to a real address you’d expect to see such as rnicrosoft.com instead of microsoft.com, but it’s rare for an address you trust to send you anything suspicious. When someone you know does send you something suspicious it’s usually rather obvious. When it happens we contact them directly to let them know there’s a problem. ‘Looks like you’ve been hacked, mate.’ We don’t fall for the scam.
In this attack, however, all of the phishing links were sent as replies to emails in the compromised account’s mailbox. This gave every email an inherited sense of trust. ‘You asked for this thing, here it is: link to phishing page’. When I realised what was happening, I was in awe. Whether done by deliberate design or not, the outcome was incredible. The conversion rates one these emails would make even the greatest of email marketers envious!
How this Wormable Phishing Attack Worked
As soon as an email account was compromised, a bot running on a remote server received the credentials, signed in to the account, and started looking through emails received in the last few days. For each unique email chain it found, it replied to the most recent email with a link to a phishing page to capture credentials. The wording was generic enough to fit almost any scenario and the link to a ‘document’ didn’t feel out of place.
The original subject was retained to keep the message in the established context. The email was sent as Reply All to ensure nobody dropped off the chain. With the established subject line and previous conversation history, it was almost impossible to distinguish the bot from the real account holder. Genuine email addresses, real subject line, familiar content…. with so many trust indicators in place, I think even the most vigilant of us would have fallen for this trick. I know I would.
So What Makes This So Powerful?
A vulnerability is said to be wormable if it can be used to successfully propagate malware to other hosts without any human interaction. In this case, I’m willing to overlook the ‘lack of human interaction’ part of the definition given that a user sign-in was required but also inevitable. The malware never actually left the origin server, it just needed additional accounts to increase the speed of its spread. Call it cloud-hosted malware if you like. Malware as a Service (MaaS).
The theft of credentials which weren’t protected by Multi-Factor Authentication allowed the bot to propagate to other users through every compromised account. The more accounts it gained access to, the faster it sent emails, compromised new accounts, and grew in size. And the growth wasn’t just limited to within our company. No companies work in a silo. We sent it to all sorts of people, just as it was originally sent to us. What a mess.
This exponential growth meant that a phenomenal number of accounts were compromised within a few hours. We could delete unread emails received internally, but we couldn’t stop it coming from others outside our control. Because the attack required manual interaction to leak a password and start running again, every time we thought we’d stamped it out it came back after a random delay.
Bypassing our Human Defences
One of the messages we all push in our cybersecurity awareness training is “if in doubt, call and find out.” This can be really effective as the most common answer is “um… no, I never sent you that?”
This time, however, when the patient zero email came in, our user did the right thing and called the sender who immediately said: “why yes! I did send you an email with that subject! Of course, it’s safe, please go ahead and open it without delay!”, or words to that effect. They had indeed sent other emails in the thread… but not that specific one.
How We Stopped It
Eventually, we identified a pattern in the URL of the phishing pages being linked to which we could use to block them. Adding a rule to quarantine any emails matching the pattern gave us the break we needed. Had we not spotted this, who knows how long the attack would have lasted.
We got lucky.
Then we promptly rolled out Multi-Factor Authentication to anyone who didn’t have it.
What I Learned
To this day, this is still my most favourite attack I’ve seen in person (just don’t tell the others that I have favourites). I learned a lot from this attack. Let me share some of my lessons with you.
The Bot was Too Effective
Like many viruses in history, those that are too effective eventually burn themselves out. All of the hosts die before they can pass on the virus to another victim.
In this attack, the credentials were used instantly and a flood of emails left each mailbox which set off a ton of alerts and red flags. The execution of the attack was ingenious, using existing email threads to leverage established trust — I love it! But it was too eager to execute the next stage and sent too many emails within a short space of time. Had it waited and paced out the delivery of emails over hours or even days, the spread could have gone undetected for much longer.
This is the sort of thing that keeps me up at night. The advanced, persistent threat. Lingering undetected under the surface, waiting to pop up and cause problems.
Had this bot been a little less eager to close the deal it could have done a lot more damage with those stolen accounts. Instead, it triggered alarms, gave itself away and was shut down.
You Can’t Do Without Multi-Factor Authentication (MFA)
It’s 2020. Everyone needs Multi-Factor Authentication. Had MFA been in place for all users, this would never have happened.
There are many excuses for not having it, but they’re irrelevant. Just look what happened to me. Now with ransomware on the scene, it’s even more devastating to get caught in an attack like this.
Enable MFA and enforce it as soon as possible if you haven’t done it already. Add it to your personal accounts and your work accounts. Add it everywhere.
People Inherently Trust Their Colleagues and Partners
Everyone who fell for this attack did so because the link was sent by someone they trusted. They have to trust them, otherwise, nothing would get done.
When criminals gain access to an email account they gain access to all of the trust that comes with it. It is common for people to ask: “But I don’t have access to anything, why would a hacker want my account?”
While you might not have access to any sensitive information, to finance and payment systems, or to bank accounts, you are implicitly trusted by people who do. Adding your identity to a social engineering attack over an internal email makes any malicious requests a lot more believable. Even if they achieve nothing else, they might still be able to change your bank details and pocket your cash at the next payday.
A Great Idea with Poor Execution is Worthless, Even to Hackers
The goal for this attacker was probably to harvest credentials to sell on the dark web. They achieved their goal of harvesting a lot of credentials, but they were too noisy about how they went about it and immediately raised alarms, losing any value they had gained.
Had they spent more time considering the execution of the second phase of the attack, what to do once an account has been stolen, they could have made a lot of money. Instead, I suspect they made nothing. At least at my expense.
• Craig Hays is an aspiring writer, Cybersecurity Architect, Bug Bounty Hunter, Musician, Movie Producer and Failed Skydiver. This piece originally appeared at craighays.com