Each Blox Tale will take a look at a targeted email attack, outline why it made its way past legacy security defenses, and provide guidance and recommendations for organizations looking to stop such attacks. In this blog, we’ll focus on a credential phishing attempt where attackers sent an email resembling a secure message from Verizon Support. Clicking the email link took targets to a Verizon lookalike site with a phishing flow that aimed to steal user IDs, Verizon passwords, phone numbers, and email account passwords.
A summary of the attack flow is given below:
Fig: Summary of the Verizon credential phishing attack
A few days ago, we saw a credential phishing attempt land in multiple customer inboxes. This email claimed to come from Verizon Support, telling readers to view an “urgent” secure message on their Verizon account. The email was titled “Your attention is urgently required”, furthering the sense of fear and underlining the paucity of time at the targets’ disposal. When targets clicked the link, they were led (through a redirection) to a Verizon lookalike website with a phishing flow that asked them to part with their email address, Verizon account password, email account password, and phone number.
A screenshot of the email is given below:
Fig: Email where attackers impersonate Verizon and share a link to view a secure message. Some Armorblox detection highlights are included in the screenshot.
Why The Attack Got Through
This email got past existing email security controls because it didn’t follow the tenets of more traditional phishing attacks.
1. All pages hosted on unrelated parent domain
The phishing page in this attack flow had ‘blacksuncoven[.]com’ as its parent domain, which redirected from another URL that had ‘dimecovert[.]com’ as its parent domain. This domain - blacksuncoven[.]com - hosts an unrelated website devoted to a Wiccan coven.
Fig: The parent domain of the phishing page is an unrelated website.
The domain was first created in 2019 and updated a few weeks before this attack was launched. WhoIs details for the domain are given below:
Fig: WhoIs record details for the parent domain of the Verizon lookalike site.
By hosting phishing pages on unrelated parent domains after redirections, attackers are able to evade security controls based on URL/link protection and get past filters that block known bad domains. Assuming the website being discussed here is legitimate, the attackers likely exploited vulnerabilities in the web server or the Content Management System (CMS) to host phishing pages on the legitimate parent domain without the website admins knowing about it.
2. Lookalike website with full phishing flow
Once targets click on the link in the email, they land (via a redirection) on the main phishing site resembling the Verizon login page. Upon closer inspection, it’s evident that the parent domain is not ‘verizon[.]com’ and that the browser has warned targets that this is a dangerous page. But the attackers are banking on people falling prey to the superficial similarity of the phishing site to Verizon’s website.
Fig: Phishing site resembling the Verizon login page
Once targets fill in their login details (user ID and password), the phishing flow continues with another screen asking targets to enter their email address and email password. This way, attackers try to steal as much information as possible from targets who have bought into the faux legitimacy of the communication. When we entered ‘1234’ as our username on the previous screen, this screen included a welcome message with our entered name.
Fig: Phishing flow asking targets to fill in their email account details
By hosting phishing pages on legitimate parent domains, attackers are able to evade security controls based on URL/link protection and get past filters that block known bad domains. Attackers likely exploited vulnerabilities in the web server or the Content Management System (CMS) to host these pages on legitimate parent domains without the website admins knowing about it.
3. Socially engineered
Unlike spray-and-pray email fraud attempts, this email was expressly created and sent to trigger the required response. The sender name was “Verizon Support” and the email was titled “Your attention is urgently required”, furthering the sense of fear and underlining the paucity of time at the targets’ disposal. The email language and topic were intended to induce urgency owing to the message’s confidential nature (a secure message from Verizon). The call to action - LOGIN HERE - is simple and effective.
Fig: Email header showing the email title and sender domain
Guidance and Recommendations
Here are some points of guidance for organizations looking to protect themselves against targeted email attacks like this one:
1. Watch over your web servers
To prevent cybercriminals hosting phishing pages on legitimate domains, website admins should patch any vulnerabilities on their web server and make sure to update their CMS to the latest version. If possible, organizations should move to more secure CMS solutions.
2. Try reading every email rationally
Whenever possible, engage with emails related to money and data in a rational and methodical manner. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. why is this Verizon email being sent to my work address from a sender email address with a different domain?).
3. Augment native email threat detection with additional controls
To augment existing email security capabilities (e.g. Exchange Online Protection for Office 365 or the Advanced Protection Program for G Suite), organizations should invest in technologies that take a materially different approach to threat detection. Rather than searching through static lists and blocking known bad domains, these technologies should learn from custom organizational data and be able to stop socially engineered threats that contain zero-day payloads (or lack payloads altogether).
How Armorblox Detected The Attack
Armorblox was able to detect the email attack based on the following insights:
1. Language, intent, and tone
Armorblox language models have been trained on tons of data and further customized to suit every customer environment. These models analyzed the email body and detected that there was an unusual request made in the email (which is a common trait in business email compromise attacks). Armorblox language models also detected a sense of urgency used in the email, which is uncommon for support emails from wireless providers.
2. Low communication history
Armorblox detected that the sender email in question had a low communication history with the target’s email account. While not a violation in itself, this insight is critical when compared with other unusual signals and can catch highly targeted attacks.
3. Low domain frequency
Armorblox ML models have three tiers - a global model, an organization-specific model, and a mailbox-specific model. While the mailbox-specific model was able to detect low communication history between the sender and the receiver, the organization-specific model also detected that the attacker’s domain had not communicated with the target company as a whole.
4. Suspicious phishing URL
Armorblox detected the presence of a suspicious URL in the email, based on factors including but not limited to threat intel sources, suspicious redirections, language used associated with the link, and so on.
Based on the insights above, along with many other detection signals, Armorblox flagged the email as a credential phishing threat. The email was automatically quarantined based on predetermined remediation actions for the credential phishing detection category.
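To make the combination of signals concrete, below is an added illustrative scorer (not Armorblox’s models or code) that checks the same things the eye test in the guidance and the detection insights above describe: a display name claiming a brand on a non-brand sender domain, urgency language in the subject, zero communication history at mailbox and organization level, and a login link pointing away from the claimed brand’s domain. The brand list, sample emails, domains and history counts are constructed placeholders.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand keyword -> the brand's legitimate domain (assumed, illustrative list).
BRANDS = {"verizon": "verizon.com"}
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|attention required|suspended)\b", re.I)

def _belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)

def claimed_brand(display_name):
    """Return the brand a display name such as 'Verizon Support' claims, if any."""
    return next((b for b in BRANDS if b in display_name.lower()), None)

def score_email(msg, mailbox_history, org_history):
    """Combine simple signals into (score, reasons).

    msg: {"from": header, "subject": str, "links": [(anchor_text, url), ...]}
    mailbox_history / org_history: {sender_domain: prior message count} for the
    recipient's mailbox and for the whole organization (constructed inputs).
    """
    name, addr = parseaddr(msg["from"])
    dom = addr.rsplit("@", 1)[-1].lower()
    brand = claimed_brand(name)
    reasons = []
    if brand and not _belongs_to(dom, BRANDS[brand]):
        reasons.append("display name claims %s but sender domain is %s" % (brand, dom))
    if URGENCY.search(msg["subject"]):
        reasons.append("urgency language in subject")
    if mailbox_history.get(dom, 0) == 0:
        reasons.append("no prior communication with this mailbox")
    if org_history.get(dom, 0) == 0:
        reasons.append("sender domain never seen by the organization")
    for text, url in msg["links"]:
        host = urlparse(url).netloc.lower()
        if brand and not _belongs_to(host, BRANDS[brand]):
            reasons.append("'%s' link points to %s, not %s" % (text, host, BRANDS[brand]))
    return len(reasons), reasons

# Constructed sample resembling the email described above (placeholder domain).
PHISH = {
    "from": '"Verizon Support" <support@lookalike.example>',
    "subject": "Your attention is urgently required",
    "links": [("LOGIN HERE", "https://lookalike.example/secure-message")],
}
# Constructed benign control sent from the brand's own domain.
BENIGN = {
    "from": '"Verizon Support" <support@verizon.com>',
    "subject": "Your monthly statement is ready",
    "links": [("View statement", "https://www.verizon.com/my/statement")],
}

if __name__ == "__main__":
    print(score_email(PHISH, {}, {}))
    print(score_email(BENIGN, {"verizon.com": 12}, {"verizon.com": 400}))
```

A single reason (for example, a first-time sender) is weak on its own; it is the stacking of independent signals on one message that separates the sample above from the benign control.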
If you found this attack overview interesting, you might also like to read our earlier Blox Tale focusing on an Amazon credential phishing attempt.