Tracking down the phisher
Several weeks ago, a key member of the WatchGuard Technologies finance team was targeted by a spear phishing attempt. Spear phishing is a type of phishing attack in which the perpetrator customizes their attack to a particular individual or group of individuals. The attacker gathers information on the victim and then tailors the attack to be more likely to fool the target. The would-be attack arrived as an email appearing to come from the finance employee’s manager, requesting an urgent wire transfer.
Thanks to proper training, the finance employee recognized that the email’s blatant disregard for the official chain of command and finance protocols was suspicious and alerted the proper personnel. Marc Laliberte, a threat analyst at WatchGuard, walks us through the ordeal.
A potential victim tries to turn the tables on a spear phisher
Time to fight back
Rather than simply disregarding the attack, WatchGuard set out to learn as much as they could by playing along with the attacker. Laliberte responded to the first email and the attacker replied, asking “the finance employee” to contact them via text to a phone number the attacker claimed was the manager’s personal line.
This email’s source address was a seemingly random seven-digit number at gmail.com. The attacker didn’t try to spoof the message to make it appear to come from a WatchGuard account. Instead, the attacker relied on the display name in the message’s “From:” header to fool the target. Most mail clients display the sender from the “From:” header, and many show only the display name (typically a first and last name) rather than the underlying address. In this phishing email, the “From:” display name was the WatchGuard manager’s first and last name, which might convince uninformed employees that the message really did come from that manager.
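The display-name trick above is easy to check for mechanically once you split the “From:” header into its two parts. The following is an added example, not WatchGuard’s tooling: it assumes a hypothetical organisation domain and a small in-house directory of employee names (both constructed here), parses a raw message with the standard library, and flags a message whose display name matches a known employee while the address lives at an outside domain. It also flags a Reply-To that differs from the From address, a related tell the article does not mention.

```python
"""Flag display-name spoofing in an incoming e-mail's From: header.

Added example (not WatchGuard's code). The domain, the directory and the
two sample messages below are all constructed for illustration.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAIN = "watchguard.com"  # assumption: the organisation's own domain
# Assumption: a directory keyed by normalised display name -> real address.
DIRECTORY = {"jane manager": "jane.manager@watchguard.com"}


def normalise(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  Manager' matches too."""
    return " ".join(name.lower().split())


def check_from_header(from_value: str) -> dict:
    """Split a From: value into display name and addr-spec and decide whether
    the display name impersonates an internal employee while the address
    itself is external."""
    display, address = parseaddr(from_value)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    internal = domain == INTERNAL_DOMAIN
    known = DIRECTORY.get(normalise(display))
    spoofed = bool(known) and not internal
    return {
        "display_name": display,
        "address": address,
        "domain": domain,
        "impersonates": known if spoofed else None,
        "suspicious": spoofed,
    }


def check_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message, run the From: check, and also note a
    Reply-To that points somewhere other than the From address."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    result = check_from_header(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    mismatch = bool(reply_to) and reply_to.lower() != result["address"].lower()
    result["reply_to_mismatch"] = mismatch
    result["suspicious"] = result["suspicious"] or mismatch
    return result


# Constructed sample: the shape of message the finance employee received.
PHISH = b"""From: Jane Manager <1234567@gmail.com>
To: finance@watchguard.com
Subject: Urgent wire transfer

Are you at your desk? I need a wire sent out today.
"""

# Constructed sample: a genuine internal message for comparison.
LEGIT = b"""From: Jane Manager <jane.manager@watchguard.com>
To: finance@watchguard.com
Subject: Q3 numbers

Can you send me the Q3 numbers?
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        r = check_message(raw)
        print(label, "SUSPICIOUS" if r["suspicious"] else "ok", r)
```

A mail gateway that already has a directory can run this as an inbound rule; the point is that the verdict comes from comparing the display name against the addr-spec domain, which is exactly the comparison a mail client hides from the user.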
Laliberte found that the phone number provided by the attacker was registered as a landline through Level 3 Communications with an area code matching Jacksonville, Fla. He suspected that the attacker was never physically located in Jacksonville and instead used a forwarding service to send and receive text messages through that number. Attackers commonly leverage the global nature of internet and telephony services to hide the true location of their attacks.
Laliberte assumed the identity of the target employee and texted the attacker using a disposable phone number. A day later, the attacker replied and quickly got to the point, requesting an urgent fund transfer as payment for a shipment of WatchGuard Fireboxes arriving the following week. He kept the attacker on the hook by alluding that a money transfer was possible and asked for further details.
Pay up?
The attacker asked for a wire transfer of $20,000 to a man he claimed was in New York. Some quick research revealed no fraud references related to the provided name. The attacker also sent account and routing numbers for the wire transfer itself. While providing bank account details adds legitimacy to a transaction, it also increases the authorities’ ability to track payments in fraud investigations, making it risky for attackers. The account details provided likely belonged to a compromised account that the attacker could quickly transfer money out of.
Expecting payment
At this point, Laliberte had gathered all of the information the attacker would voluntarily share, but still had no clear picture of where he was located. However, the attacker did expect a wire transfer confirmation message. Laliberte masked the IP address of a honeypot server behind a URL shortener and sent the shortened link to the attacker disguised as a confirmation link.
I got you ... maybe
When the attacker visited the link, it redirected him to the honeypot server, where Laliberte logged his source IP and browser User-Agent data. The attacker’s source IP was registered to Airtel Networks Limited, a mobile telco in Nigeria. The User-Agent data told Laliberte that the attacker was connected to the honeypot using an iPhone running iOS 9.3.1. This supported the hypothesis that the attacker was using a forwarding service to receive text messages through the Jacksonville phone number. Though the attacker connected from Nigeria, he used a bank account (TD Bank) that required a permanent US address, meaning the account was either compromised or the attacker had an accomplice in the US (often called a mule) who could retrieve any transferred money. Laliberte contacted TD Bank so it could begin an investigation into attempted fraud by someone with access to the provided account.
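The honeypot described in the two sections above needs very little: a web server that records the TCP peer address and the request headers of anyone who opens the link, returns a bland “confirmation received” page, and lets you mine the User-Agent for device and OS version afterwards. The block below is an added example written for this page, not the server WatchGuard used. It assumes the server sits directly on the internet (so the TCP peer address is the real source, which is why it deliberately ignores a visitor-supplied X-Forwarded-For header), that the URL shortener is what hides the server’s IP from the attacker, and that a local append-only file is an acceptable log; the sample User-Agent and IP in the usage are constructed.

```python
"""Minimal 'wire confirmation' honeypot.

Added example, not WatchGuard's honeypot. Every GET is logged as one JSON
line with the source IP, the User-Agent and whatever device/OS version can
be pulled from it. Run stand-alone to serve on port 8080 (assumed).
"""
import json
import re
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

LOG_PATH = "honeypot.log"  # assumption: local append-only JSON-lines log

# Matches the iOS Safari pattern "(iPhone; CPU iPhone OS 9_3_1 like Mac OS X)".
IOS_RE = re.compile(r"\((iPhone|iPad|iPod)[^)]*?OS (\d+(?:_\d+)*)")


def parse_user_agent(ua: str) -> dict:
    """Extract device and OS version from a User-Agent string; unknown -> None."""
    m = IOS_RE.search(ua)
    if m:
        return {"device": m.group(1), "os": "iOS",
                "version": m.group(2).replace("_", ".")}
    return {"device": None, "os": None, "version": None}


def build_record(peer_ip: str, path: str, headers: dict) -> dict:
    """Build one log record per hit. The attacker controls every request
    header (including X-Forwarded-For) but not the TCP peer address, so the
    peer address is the only source-IP field we record."""
    ua = headers.get("User-Agent", "")
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "src_ip": peer_ip,
        "path": path,
        "user_agent": ua,
        "parsed": parse_user_agent(ua),
        "referer": headers.get("Referer", ""),        # shortener shows up here
        "accept_language": headers.get("Accept-Language", ""),
    }


class Honeypot(BaseHTTPRequestHandler):
    def do_GET(self):
        record = build_record(self.client_address[0], self.path, dict(self.headers))
        with open(LOG_PATH, "a") as fh:
            fh.write(json.dumps(record) + "\n")
        # Serve something plausible so the visitor has no reason to suspect.
        body = b"<html><body><h2>Transfer confirmation received</h2></body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep stderr quiet; the JSON log is the record of interest


# Constructed sample hit, the shape of what the article's visit would log.
SAMPLE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_1 like Mac OS X) "
             "AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 "
             "Mobile/13E238 Safari/601.1")
SAMPLE_IP = "203.0.113.7"  # RFC 5737 documentation address, not a real host

if __name__ == "__main__":
    print(build_record(SAMPLE_IP, "/confirm", {"User-Agent": SAMPLE_UA}))
    HTTPServer(("0.0.0.0", 8080), Honeypot).serve_forever()
```

Once a hit lands, the `src_ip` goes to a WHOIS/ASN lookup (which is how the Airtel registration above was found) and `parsed` gives the device and OS version without a third-party User-Agent database.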
Use your training
This spear phishing attempt makes it clear just how big of a problem these attacks are today. No spear phishing protection is perfect. Even with technological solutions like DMARC or S/MIME, phishing messages will still slip through and reach employees. In this case DMARC would not have helped at all: the message came from a genuine gmail.com mailbox and only the display name was forged, which DMARC does not check. It is critical that IT professionals train their users on how to spot and report attempted phishing attacks. With the growth of spear phishing, organizations need to update their training programs to help employees learn how to spot these more convincing, targeted email scams.