This worm phishing campaign is a game-changer in password theft, account takeovers
A phishing attack taking place against an organization has revealed a crafty method to bounce between victims in a way deemed “ingenious” by a researcher.
On September 29, cybersecurity architect and bug bounty hunter Craig Hays outlined a recent phishing attempt which went far beyond the usual spray-and-pray tactics and basic attempts to compromise a network, to become “the greatest password theft he had ever seen.”
In a Medium blog post, Hays detailed how a response team received an alert from their organization at 10 am, when a user fell prey to a phishing attack.
Originally, the security expert simply deemed the notification “another day, another attack.” The team locked the impacted account down and began to investigate the incident in order to find the root cause and any potential damage.
Within minutes, several more alerts pinged their inbox. This, in itself, isn’t unusual. As Hayes noted, “emails that made it through the filtering rules tended to hit a number of people at the same time.”
However, after the sixth report, the responders noticed this was potentially something more substantial — and by the time they had conducted an initial damage assessment and two accounts had been recovered, they faced a “huge wave of account takeovers.”
“We could see that all of the accounts were being accessed from strange locations all over the globe and sending out a large number of emails,” Hays said. “For so many accounts to be hit at once, it was either a really, really effective phishing attack, or someone had been biding their time after stealing credentials over a long period.”
The problem was, the initial credential theft vector wasn’t obvious and no victim had received an email from a new contact on the day — the latter of which being how phishing messages are generally sent, often appearing from a spoofed or seemingly-legitimate source.
Eventually, the team turned to sign-in timestamps to connect the account takeovers with emailed communication — and this revealed the attack vector.
“The phishing emails were being sent as replies to genuine emails,” the researcher explained. “Emails exchanged between our people and our suppliers, our customers, and even internally between colleagues.”
This is how it worked: once one email account was compromised, the credentials for the account were sent to a remote bot. The bot would then sign into the account and analyze emails sent within the past several days.
“For each unique email chain it found, it replied to the most recent email with a link to a phishing page to capture credentials,” Hays said. “The wording was generic enough to fit almost any scenario and the link to a ‘document’ didn’t feel out of place.”
Sent as a reply-all, using a legitimate email account, and given the conversation history, trying to distinguish the bot from the genuine account owner was difficult.
The technique, resulting in worm-like mass takeovers, left Hays “in awe” of the “phenomenal number of accounts [that] were compromised within a few hours.”
Unfortunately, as the bot grew in size and took over account after account, this allowed it to propagate beyond the impacted company itself — the phishing emails were also sent to other people outside of the organization.
The phishing attack was out of control by this point and the only way the team was able to clamp down on it was by finding a pattern in the URL of the phishing pages that could be used to add a quarantine rule.
While Hays calls the campaign “ingenious” and “the most favorite attack I’ve seen in person,” he also notes that the bot was “too effective” and its eagerness to propagate set up red flags and alerts too quickly to reach its full potential.
Multi-factor authentication was quickly implemented for email accounts that had not enabled the additional security measure.
“The goal for this attacker was probably to harvest credentials to sell on the dark web. They achieved their goal of harvesting a lot of credentials, but they were too noisy about how they went about it and immediately raised alarms, losing any value they had gained,” Hays commented.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0