Phishing is a problem that affects everyone, from the untrained to the highly skilled. It’s a problem that happens everywhere, from the office to the home. It comes through email, text, phone calls, etc.
The location or means of delivery doesn’t matter—these criminals are going to target you where you are. If the location is one that you’re less likely to suspect, that’s all the better for them. The longer they can mask the scam—revealing only minor oddities that can easily be dismissed—the better chance of success in compromising your credentials.
This came to mind when a phishing email recently managed to evade my spam filters. The subject matter just happened to align with something I’d been working on that day, and I saw the email on my phone when I was out in public. Let’s talk about how this played out.
Our story begins
Lately I’ve been using a lot of Amazon services. I work with AWS inside and outside of work, and like a lot of folks, I’m a Prime member with a handful of subscriptions for various household goods.
An email popped up on the lock screen of my phone the other day. It happened to be a day when I had been looking at my AWS Billing configuration, but by this point I was outside the house dealing with something unrelated.
Most phishing emails are easy enough to spot, with strange grammar, clearly fake email addresses, and far too desperate requests for action. But occasionally they require a second glance, as was the case here. Opening the email and having a cursory look got me thinking something might have gone wrong in my AWS account. Determining if that was the case isn’t always easy on a mobile device, so I decided to review the email on my laptop when I got home.
The email appeared to come from the Amazon billing department. When I was able to sit down and have a closer look, I realized that it was talking about Prime membership and not AWS. As anyone who manages AWS accounts will understand, this alleviated my largest concerns.
The email claims that my Prime membership had been suspended because my credit card was no longer valid. The email offers instructions on how to update these details to avoid interruption.
Just to be sure, I went directly to Amazon’s website, rather than clicking on any email links, to double check. In less than a minute I knew there were no billing issues in my accounts.
This was clearly a phishing attempt, but one which the bad actors took a little more care to make look legitimate.
So, what happens if I click the link?
Go on, click it
This is the point where, if you’re inclined to follow along, we do not recommend clicking phishing links outside of a sandboxed environment. We’re doing so using Cisco Secure Malware Analytics, which can safely analyze suspicious links for malicious activity within its virtual environment.
The phishing link takes us to a site that provides a very similar login experience to a real Amazon page. After entering account credentials—email, phone number, password—the site presents a page that claims that there have been changes to the account that require further verification. The site asks you to validate billing and credit card details, alongside less commonly requested details such as your mother’s maiden name and social security number.
If you provide the information that is requested, you will eventually arrive at a page that says that your account has been recovered and asks you to log in again. It then redirects to the official Amazon landing page.
Behind the curtain
On the surface this may seem fairly ordinary, even for a phishing attempt. However, there’s more going on behind the scenes.
When the link is clicked the browser is sent through a series of redirects before arriving at the fake login page. For the most part, the domains it hops across are innocuous, except the last one hit before the landing page.
Cisco Umbrella flags this domain as a medium risk, while Talos has identified the URL as having a malicious disposition.
In this case the flagged site doesn’t appear to do anything other than redirect the browser to the “login” page of the phishing site. However, immediately after loading this page, it contacts two more domains flagged by Umbrella.
These sites are both classified as a medium risk and reside on the same IP address.
Towards the end of the process of entering data, there are two more domains that are contacted that are classified as a medium risk by Umbrella.
Finally, a domain is contacted that appears to download a Google Chrome extension. It’s hard to say what this extension is intended for, as Chrome blocks the execution of it by default.
All told, a variety of personal and credential data that the phishing site asks you to input is likely stored by the bad actors for further attacks. And the sheer number of suspicious sites contacted behind the scenes is more than enough to arouse suspicion.
A foreshadowing of events
While this phishing attempt avoided many of the telltale signs, there are still a few indicators that can help identify such phishing campaigns.
For starters, while the initial email address looks like a valid email from Amazon, if you look carefully at the letters in “amazon.com” you’ll see there are small accent marks on or between some of the letters. These oddities could easily be dismissed as flecks of dust on a phone, especially after pulling it from your pocket or bag.
These are actually non-standard characters hidden between each letter of the domain. Depending on the email client, these characters may not fully render, as is the case above. However, the characters can appear when using a different device and/or email client.
When opening the email on my laptop, it also became clear that this isn’t the sending email address, but rather the name assigned to it. The actual email address contains random characters and is not from Amazon.
Another indication that the email was a phishing attempt was the use of an email address for the recipient’s name. This is a common tactic used in phishing attempts. So much so that Secure Malware Analytics has a Behavioral Indicator dedicated to it.
Gathering molehills into a mountain
Overall, this phishing attempt did well to cover its tracks, since it lacked several telltale signs that often give them away. In many ways the experience was in line with what you might expect when needing to reset or confirm your credentials.
Even the indicators uncovered during analysis could individually be dismissed as anomalies often present in daily network traffic. There were domains classified as a medium risk (but not high), a suspicious Chrome extension that doesn’t appear to load, as well as a handful of other medium risk warnings in the resulting Malware Analytics report.
Defend from multiple angles
Any of these things could be dismissed individually but combine them and a potentially malicious attack appears.
Cisco Secure Malware Analytics is a great tool for putting the pieces together. But to go a step further and prevent attacks like these requires a suite of applications that work together to identify the disparate parts of the attack.
Phishing Defense in Cisco Secure Email can identify identity deception–based attacks such as this by leveraging local identity and relationship modeling, alongside behavioral analytics to spot them.
Cisco Umbrella can provide security at the DNS layer, blocking requests to malicious sites before a connection is even established and stopping attacks before they reach your network or endpoints.
And in the event that credentials are stolen in a phishing attack, you can ensure that they are rendered inert with a multi-factor authentication (MFA) solution such as Cisco Duo. Duo enables organizations to verify users’ identities before ever granting access.
So, while phishing attacks such as this one can affect anyone, it doesn’t mean that they will wreak havoc. The good news is that there are plenty of ways to identify the red flags, bring them together from different sources, and prevent attacks.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels