Each Blox Tale will take a look at a targeted email attack, outline why it made its way into an inbox, and highlight how Armorblox was able to detect the attack. In this blog, we’ll focus on a credential phishing attempt that impersonated Bank of America with an email that asked readers to update their email addresses lest they get recycled. Clicking the link led readers to the credential phishing page that resembled the Bank of America home page.
A few days ago, we saw a credential phishing attempt to land in a customer inbox. This email claimed to come from Bank of America and asked readers to update their email address. Clicking the link took the targets to the credential phishing page resembling the Bank of America home page, designed to make targets part with their account credentials. The attack flow also included a page that asked readers for their ‘security challenge questions’, both to increase legitimacy as well as get further identifying information from targets.
A snapshot of the email is given below:
Why The Attack Got Through
This email got past existing email security controls because it didn’t follow the tenets of more traditional phishing attacks.
1. Not a mass email
This was not a bulk email and only a few people in the target organization received it. This ensured that the email wasn’t caught in the bulk email filters provided by native MIcrosoft email security or the Secure Email Gateway (SEG).
2. Got past authentication checks
Although the sender name - Bank of America - was impersonated, the email was sent from a personal Yahoo account via SendGrid. This resulted in the email successfully passing all authentication checks such as SPF, DKIM, and DMARC.
3. Zero-day link and lookalike website
The attacker created a new domain for the link in this email attack, so it got past any filters that were created to block known bad links. The final credential phishing page was painstakingly made to resemble the Bank of America login page. A screenshot is presented below:
The superficial legitimacy of this page would pass most eye tests from busy readers that want to get on with their other work duties after ‘updating their email address’ as soon as possible. Upon closer inspection, it’s evident that the domain is not owned and hosted by Bank of America. The domain - nulledco[.]store - was created on June 1. The screenshot below shows the certificate’s common name for the webpage, which is nulledco[.]store and not Bank of America.
Fig: The certificate’s common name makes it evident that this is a new domain created for the attack.</Center>
4. Security challenge questions increase legitimacy
After readers filled in their account credentials, they were led to a page asking them three ‘security challenge’ questions. This tactic greatly increases the legitimacy of the attack in the eyes of the readers, because Bank of America also asks for security questions upon login by default. If a reader follows through the entire attack chain, adversaries would gain access to not only their account credentials but also the answers to their security questions.
5. Socially engineered
Unlike spray-and-pray email fraud attempts, this email was expressly created and sent to trigger the required response. The sender name impersonated Bank of America, making the email likely to get past eye tests when people glanced through it amidst hundreds of other emails in their overflowing mailboxes. The email language and topic was intended to induce urgency in the reader owing to its financial nature. Asking readers to update the email account for their bank lest it get recycled is a powerful motivator for anyone to click on the URL and follow through.
How Armorblox Detected The Attack
Armorblox was able to detect the email attack based on the following insights:
1. Language, intent, and tone
Armorblox language models have been trained on tons of data and further customized to suit every customer environment. These models analyzed the email body and detected many financial topics within the text. Armorblox also detected that there was an unusual request made in the email (which is a common trait in business email compromise attacks).
2. Brand impersonation
Armorblox brand impersonation detectors flagged that the sender name was ‘Bank of America’ but the parent domain name of the sender was Yahoo.
3. Low communication history
Armorblox detected that the sender email in question had a low communication history with the victim’s email account. While not a violation in itself, this insight is critical when compared with other unusual signals and can catch highly targeted attacks.
4. Low domain frequency
Armorblox ML models have three tiers - a global model, an organization-specific model, and a mailbox-specific model. While the mailbox-specific model was able to detect low communication history between the sender and the receiver, the organization-specific model also detected that the attacker’s domain had not communicated with the target company as a whole.
Based on the insights above, along with many other detection signals, Armorblox flagged the email as a credential phishing threat. The email was automatically quarantined based on predetermined remediation actions for the credential phishing detection category.
Stay tuned for more Blox Tales! If you’re interested to learn about Armorblox, you can schedule a demo with one of our email security experts.