
Threat Research | 8 min read

Your Perfect Email Attack: GoDaddy Credential Phishing Attack


Lauryn Cash

This blog examines a credential phishing attack that spoofs an account-suspended email notification from GoDaddy, the world’s largest, trusted domain registrar and hosting platform. Clicking the link in the email leads to an attempt to exfiltrate the victim's sensitive PII.


In today’s Blox Tale, we will look into a credential phishing attack that took advantage of a legitimate company’s brand reputation to target unsuspecting victims at a financial institution. Attackers exploited the trust victims have in the GoDaddy brand in an attempt to steal confidential information. This targeted email attack bypassed native Microsoft email security controls.

The email attack spoofed GoDaddy, the world’s largest, trusted domain registrar and hosting platform. It looked like a legitimate notification email from GoDaddy, informing recipients of a suspended account and asking for verification in order to continue receiving email communication. Upon clicking the button within the email body, victims were taken to a fake GoDaddy-branded login landing page that prompted them to sign in before proceeding.


Mailboxes: ~1,500

Target: This email attack targeted an American multinational financial institution

Email security bypassed: Microsoft Office 365

Techniques used: social engineering, brand impersonation, spoofed landing page

The Email

The subject of this socially engineered email read, “Immediate Required Action :Email # 300098744332118654333”, evoking a sense of urgency in recipients before they even opened the email. Once opened, the email looked like a legitimate notification email from GoDaddy. The attackers further impersonated the GoDaddy brand by including both a customer number and a customer offer within the email body.


Fig 1: Credential email attack impersonating the GoDaddy brand

At a quick glance, the email looks to be sent from GoDaddy, with the email sender name reading Godaddy. Recipients who did not pay close attention to the sender address could have easily fallen victim to this email attack and done what the attackers wanted: engage with the call to action within the email and click the Enable Here button.

The Phishing Page

After clicking the Enable Here button within the malicious email body, victims were taken to a spoofed landing page that mimicked a legitimate GoDaddy login interface. To persuade victims that they had landed on a trustworthy, legitimate page, the spoofed page included the GoDaddy logo in the upper left-hand corner and a copyright watermark at the bottom with a hyperlink to the GoDaddy privacy policy. The attackers took care to include additional elements to ensure victims complied with the request to log in: a mention of a 24/7 contact line for questions, a graphic to represent company branding, a way for visitors to request a new password, and even the victim’s email address, auto-populated with the address the email attack was sent to (this has been removed from the image below for privacy).


Fig 2: Fake landing page with the goal to exfiltrate victims’ login credentials

The form on this fake landing page prompted victims to enter their email login credentials: email address and password. The attacker’s goal was to exfiltrate sensitive user credentials from the recipients of this credential phishing email attack. Victims who completed this step in the attack flow would have voluntarily given attackers sensitive PII, putting themselves as well as the company at risk.

Attack Flow

This email attack impersonated a well-known brand with the intention of creating a sense of trust in the victim. Attackers included legitimate logos and company branding across the malicious email and fake landing page in order to exfiltrate the victims’ sensitive PII. The socially engineered email was carefully constructed so that the victim's curiosity and trust were leveraged, with the goal of exfiltrating sensitive data.

Fig 3: GoDaddy credential phishing scam - threat propagation.

The Power of Armorblox

The email attack bypassed native Microsoft email security controls. Microsoft assigned a Spam Confidence Level (SCL) of ‘-1’ to the emails, meaning the emails skipped spam filtering because Microsoft determined they were from a safe sender, to a safe recipient, or were from an email source server on the IP Allow List.
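The two signals described above (a brand name in the sender display name that does not match the sender domain, and an SCL of -1) can be checked together when reviewing delivered mail. The following is an added example, not Armorblox's detection logic or code from the original post; the BRAND_DOMAINS list, the function names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand keyword -> sender domains the defender accepts for it.
BRAND_DOMAINS = {"godaddy": {"godaddy.com"}}

# Constructed sample headers (not taken from the campaign).
SPOOFED = (
    "From: Godaddy <notice@mailer.example.net>\n"
    "Subject: Immediate Required Action\n"
    "X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;\n"
    " SCL:-1;SFV:SKN;\n"
    "\n"
    "Your account has been suspended.\n"
)
GENUINE = (
    "From: GoDaddy <notifications@godaddy.com>\n"
    "X-Forefront-Antispam-Report: CIP:198.51.100.7;CTRY:US;LANG:en;SCL:1;\n"
    "\n"
    "Your renewal receipt.\n"
)

def parse_antispam_report(value):
    """Split the 'KEY:value;' pairs of X-Forefront-Antispam-Report."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition(":")
        if sep:
            fields[key.upper()] = val.strip()
    return fields

def brand_mismatch(display_name, domain):
    """True when the display name uses a brand but the domain is not the brand's."""
    name = re.sub(r"[^a-z0-9]", "", display_name.lower())
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name:
            return not any(domain == d or domain.endswith("." + d) for d in domains)
    return False

def triage(raw_message):
    msg = message_from_string(raw_message)
    report = parse_antispam_report(msg.get("X-Forefront-Antispam-Report", ""))
    scl = int(report["SCL"]) if re.fullmatch(r"-?\d+", report.get("SCL", "")) else None
    display, address = parseaddr(msg.get("From", ""))
    mismatch = brand_mismatch(display, address.rpartition("@")[2].lower())
    # SCL -1 means spam filtering was skipped, so the sender check is the only gate.
    return {"scl": scl, "skipped_filtering": scl == -1,
            "brand_mismatch": mismatch, "review": scl == -1 and mismatch}
```

Messages where review is true skipped spam filtering while carrying a brand display name from a non-brand domain, so they are candidates for manual review and for a look at which allow-list entry or rule produced the SCL of -1.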

Attackers used a valid domain to send this malicious email, with the goal of exfiltrating sensitive PII. The sender domain received a reputation score of trustworthy and a global threat history of zero security events. Microsoft allowed this email to be delivered to approximately 1,500 user mailboxes. Fortunately, these end users are protected by Armorblox, which accurately detected this malicious email attack that contained a bad URL. Armorblox uses Natural Language Understanding (NLU) to understand the content and context of email communications to provide organizations and end users better protection from these types of targeted, socially engineered email attacks.

Recap of Techniques Used

This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.

Social engineering: The email title, design, and content aimed to induce a sense of trust and urgency in the victims. Trust was induced by impersonating a well-known brand (GoDaddy) and a sense of urgency through the language used within both the email and the fake landing page. The context of this attack also leverages the curiosity effect, which is a cognitive bias that refers to our innate desire to resolve uncertainty and know more about something.

Brand impersonation: The email has HTML styling and disclaimers similar to GoDaddy branding. The information included within the body of the email attack is similar to legitimate notification email communications, and the logos used within both the email and landing page are the same, in order to trick the victim and instill trust.

Guidance and Recommendations

1. Augment native email security with additional controls

The email highlighted in this blog got past native email security. For better protection and coverage against email attacks (whether they’re spear phishing, business email compromise, or credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2021, and should be a good starting point for your evaluation; Armorblox also highlights this in the 2022 Email Security Threat Report.

2. Watch out for social engineering cues

Since we get so many emails from service providers, our brains have been trained to quickly execute their requested actions. It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, the language within the email, and any logical inconsistencies within the email.

3. Follow multi-factor authentication and password management best practices

If you haven’t already, implement these hygiene best practices to minimize the impact of credentials being exfiltrated:

  1. Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
  2. Don’t use the same password on multiple sites/accounts.
  3. Use password management software like LastPass or 1Password to store your account passwords.
