Security as Social Engineering: Phishing Campaigns Spoofing Locked Account Workflows

Written by Abhishek Iyer

Each Blox Tale takes a look at targeted email scams, outlines why they made their way into an inbox, and provides tips and recommendations to protect against such attacks. In this blog, we’ll focus on three email attacks impersonating Facebook, Microsoft, and Apple respectively. All three aimed to extract victims’ account credentials by spoofing the automated emails these services send when an account has been locked or a subscription is close to expiry. The phishing pages were stood up on services like Omnisend and DDNS[.]net so that the links looked legitimate both to security technologies and to users.

Let’s go through the attacks in greater detail:

1. Facebook Phishing Attack

Org mailboxes: ~10,000

Email security bypassed: Cisco ESA, Office 365 (the email was assigned a Spam Confidence Level of -1)

Attacker techniques used: Social engineering, brand impersonation, replicating existing email workflows, lookalike sender domain, sender name spoofing

A summary of the attack is presented below:


Fig: Summary of the Facebook phishing scam showing the attack flow

The Email

Recently, the Armorblox threat research team observed an email impersonating Facebook attempting to reach one of our customer environments. The email was titled ‘Reminder: Account Verification’ with the sender name ‘Facebook’ and the sender address ‘noreply@cc[.]mail-facebook[.]com’ (a lookalike domain, not facebook[.]com). The email informed victims that their account usage had been restricted due to security concerns, and invited them to verify their account activity to restore full access to their Facebook account.

A snapshot of the email is given below. You will notice the Spam Confidence Level (SCL) of ‘-1’ assigned to this email in the top right corner of the screenshot. An SCL of -1 means Exchange Online Protection skipped spam filtering for the message altogether, which typically happens when an allow entry, safe-sender setting or mail flow rule applies to the sender, so the email was never scored by Microsoft’s spam filters:

Fig: Email impersonating Facebook informing victims that their account access had been restricted due to security concerns

The Landing Page

Clicking the email link takes victims to a phishing page resembling the Facebook login portal. The page attempts to extract victims’ mobile number/email address and Facebook account password.


Fig: Landing page resembling the Facebook login portal

The parent domain of the page is ‘sliderdoyle[.]com’, which should tell circumspect users that this isn’t a legitimate site. However, the surface-level resemblance of the page to Facebook’s real login portal combined with the urgency generated by the context of the email (restricted account access) means that many users will rush through this page and fill in their account details without looking at the URL.

2. Microsoft Phishing Attack

Org mailboxes: ~10,000

Email security bypassed: Cisco ESA, Office 365 (the email was assigned a Spam Confidence Level of -1)

Attacker techniques used: Social engineering, brand impersonation, replicating existing email workflows, sender name and sender address spoofing, different reply-to and from addresses

A summary of the attack is presented below:


Fig: Summary of the Microsoft phishing scam showing the attack flow

The Email

Recently, the Armorblox threat research team observed an email impersonating Microsoft attempting to reach one of our customer environments. The email was titled ‘Your subscription has expired’ with the sender name ‘Microsoft’ and the sender address ‘no-reply@microsoft[.]com’, i.e. a directly spoofed From address carrying Microsoft’s own domain; only the message’s authentication results (SPF, DKIM, DMARC) would distinguish it from genuine Microsoft mail. Notably, the ‘reply-to’ address was different from the ‘from’ address, a common technique used by scammers so that replies go to an inbox they control.

The email informed victims that their active subscriptions were soon expiring, and invited them to log in to the admin center to renew their subscriptions.

A snapshot of the email is given below. You will notice the Spam Confidence Level (SCL) of ‘-1’ assigned to this email on the top right corner of the screenshot, highlighting that the email skipped Microsoft’s spam filters:

Fig: Email impersonating Microsoft informing victims that a few of their account subscriptions were close to expiry

The Landing Page

Clicking the email link takes victims to a phishing page resembling the Microsoft login portal. The page attempts to extract victims’ Microsoft account credentials.


Fig: Phishing page resembling the Microsoft login portal

The page is hosted at ‘support-outlooks[.]ddns[.]net’. The registrable parent domain here is ddns[.]net, a free dynamic DNS service, so the ‘support-outlooks’ label was chosen by whoever registered the hostname, not by Microsoft. The spelling mistake in the URL (outlooks instead of outlook) coupled with the long URL length should signal to circumspect users that the URL isn’t legitimate. However, the surface-level resemblance of the page to Microsoft’s real login portal combined with the urgency generated by the context of the email (an expiring subscription) means that many users will rush through this page and fill in their account details without looking at the URL.

3. Apple Phishing Attack

Org mailboxes: ~8,000

Email security bypassed: Symantec ATP, Office 365 (the email was assigned a Spam Confidence Level of 5 and diverted to users’ junk folders)

Attacker techniques used: Social engineering, brand impersonation, replicating existing email workflows, sender name spoofing, leveraging free services to stand up the phishing site

A summary of the attack is presented below:


Fig: Summary of the Apple phishing scam showing the attack flow

The Email

Recently, the Armorblox threat research team observed an email impersonating Apple attempting to reach one of our customer environments. The email was titled ‘Re: Your Apple ID has been locked on March 11, 2021 PST’ followed by a reference number. The sender name was ‘Appie ID’ (a lowercase ‘i’ standing in for the ‘l’ of ‘Apple’), a common technique of misspelling words to get past exact-match controls such as keyword filters and blocklists while still passing victims’ eye tests.

The email informed victims that their Apple ID had been locked for security reasons, and invited them to verify their account within 12 hours or risk having their Apple ID suspended.

A snapshot of the email is given below. This email had a Spam Confidence Level (SCL) of 5, highlighting that Microsoft identified the email as spam and diverted it to victims’ junk folders: 


Fig: Email impersonating Apple informing victims that their Apple ID had been locked

The Landing Page

This attack was put together in a more amateurish manner than the previous two attacks covered in this research note; as a result, the phishing page has already been identified and taken down. The phishing page resembled the Apple login portal and attempted to extract victims’ Apple ID and password.

Clicking the link in the email now throws up the following page:

Fig: The page now shown at the Apple phishing link; the phishing page had been set up using Omnisend, an email marketing platform used to send campaigns and build landing pages/forms

The phishing page was set up using Omnisend, an ecommerce email marketing and SMS platform used to create email campaigns, forms, and landing pages. Attackers likely used the free trial of Omnisend to both set up the phishing page and send these emails. This aligns with trends observed by Armorblox where attackers exploit freely available online services to increase the success rate and simplify the setup of their email attacks.

Summary of techniques used

These email attacks employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting end users.

Using security themes: Two of the email attacks used the guise of locked accounts and security concerns to extract account credentials. As employees want to be good corporate citizens, they will tend to take quicker action on communication that claims to be security-related. The irony has all the subtlety of a sledgehammer here.

Replicating existing workflows: The context for all three email attacks replicates workflows that already exist in our daily work lives (locked accounts, expiring subscriptions). When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action.

Attempting MFA bypass: As more organizations have adopted multi-factor authentication (MFA) for work accounts, attackers continue to try creative workarounds. The Facebook phishing attack goes after victims’ Facebook credentials on the assumption that people are less likely to have MFA enabled on Facebook than on work accounts. Since ‘Log in with Facebook’ is an SSO option for so many other services, a Facebook password represents a rainbow with a full pot of potential gold for attackers. The Apple phishing attack tries a similar tactic, aiming to extract victims’ Apple IDs and passwords, which likewise unlock a whole ecosystem of services.

Social engineering: The email titles, language, and context all aimed to induce a sense of foreboding and urgency in victims, nudging them to take quick action and click before they think. 

Brand impersonation: The sender names, email content and designs, and phishing page designs impersonated well known and trusted brands like Facebook, Microsoft, and Apple. 

Exploiting free online services: The Apple phishing attack exploits the free trial of Omnisend to send the email and stand up the phishing page. The Microsoft phishing attack hosts its final landing page under DDNS[.]net, a free dynamic DNS service. Freely available online services lower the bar for cybercriminals to launch successful phishing attacks: they cost nothing, need no domain registration, and carry the reputation of a legitimate platform. Check out our recent threat research on a phishing attack hosted on Google Firebase if you’re interested in learning more.

Email header spoofing and other classic techniques: The email titles, sender names, and sender domains were spoofed to lend a faux air of legitimacy to these emails, either making it seem like they came from trusted brands or making it seem like the victims were part of an ongoing conversation (by including ‘Re:’ in the email title). The Microsoft phishing attack also had different ‘reply-to’ and ‘from’ addresses, a common adversarial technique employed in email attacks. 

Guidance and Recommendations

Here are some points of guidance for individuals or organizations looking to protect themselves against targeted email attacks:

1. Augment native email security with additional controls

Two emails highlighted in this blog got past Microsoft’s Exchange Online Protection (EOP) with an assigned Spam Confidence Level (SCL) of -1. An SCL of -1 means EOP skipped spam filtering for the message rather than scoring it and getting it wrong, so the first thing to check in your own tenant is why: allow entries, safe-sender lists and mail flow rules that bypass filtering for a sender or domain are a common cause and are worth auditing. Beyond that, for better protection coverage against email attacks (whether they’re phishing, business email compromise, or 0-day credential phishing attacks like these), organizations should invest in technologies that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2020, and should be a good starting point for your evaluation.

2. Watch out for social engineering cues

Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions. It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. Why is the email sender name ‘Appie ID’ instead of ‘Apple ID’, why is Facebook sending this email to my work account, etc.).
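The header-level eye test above, and the spoofing techniques listed in the summary (lookalike display names such as ‘Appie ID’, a Reply-To that differs from From, a ‘Re:’ subject with no thread behind it, and the SCL that Exchange Online Protection stamps on a message), as an added Python example that is not from the original post or from Armorblox. The brand/domain table and the three sample header sets are constructed; the Reply-To address, the Authentication-Results line and the Apple sender address in them are assumptions, not observed values.

```python
"""Header triage for the spoofing patterns in the three emails (added example)."""
import difflib
import email
from email.utils import parseaddr

# Brand names as written in display names, with the domains entitled to use them.
# Constructed for illustration; a real deployment keeps a fuller, curated list.
BRANDS = {
    "facebook": ("facebook.com", "facebookmail.com"),
    "microsoft": ("microsoft.com", "microsoftonline.com", "office.com"),
    "apple": ("apple.com", "icloud.com"),
}

# Constructed sample headers modelled on the post's three emails. The Reply-To
# address, Authentication-Results line and the Apple sender address are assumed.
FACEBOOK_SAMPLE = """\
From: Facebook <noreply@cc.mail-facebook.com>
Subject: Reminder: Account Verification
X-MS-Exchange-Organization-SCL: -1
"""
MICROSOFT_SAMPLE = """\
From: Microsoft <no-reply@microsoft.com>
Reply-To: renewals@example.net
Subject: Your subscription has expired
Authentication-Results: spf=fail smtp.mailfrom=example.net; dkim=none; dmarc=fail header.from=microsoft.com
X-Forefront-Antispam-Report: CIP:203.0.113.5;LANG:en;SCL:-1;SFV:SKN;
"""
APPLE_SAMPLE = """\
From: Appie ID <support@example.org>
Subject: Re: Your Apple ID has been locked on March 11, 2021 PST
X-MS-Exchange-Organization-SCL: 5
"""


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _owned_by(domain, brand):
    return any(domain == d or domain.endswith("." + d) for d in BRANDS[brand])


def brand_in_display_name(name):
    """(brand, word) when a display-name word is a brand or a near-miss of one.
    'appie' scores exactly 0.8 against 'apple', so the threshold catches it."""
    for word in name.lower().split():
        for brand in BRANDS:
            if word == brand or difflib.SequenceMatcher(None, word, brand).ratio() >= 0.8:
                return brand, word
    return None, None


def scl_of(msg):
    """EOP Spam Confidence Level, or None. -1 means filtering was skipped (safe
    sender, IP allow list or mail flow rule); 5 and above means spam. Reads the
    dedicated header first, then the SCL: field of X-Forefront-Antispam-Report."""
    raw = msg.get("X-MS-Exchange-Organization-SCL")
    if raw is None:
        for field in msg.get("X-Forefront-Antispam-Report", "").split(";"):
            if field.strip().upper().startswith("SCL:"):
                raw = field.split(":", 1)[1]
    try:
        return int(raw.strip())
    except (AttributeError, ValueError):
        return None


def triage(raw_message):
    """List the header findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    findings = []
    brand, word = brand_in_display_name(name)
    if brand and not _owned_by(from_dom, brand):
        how = "names" if word == brand else f"near-miss '{word}' for"
        findings.append(f"display name {how} {brand} but From domain is {from_dom}")
    elif brand and "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        # A From header that really says microsoft.com proves nothing on its own.
        findings.append(f"From domain {from_dom} is not backed by a DMARC pass")
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if msg.get("Subject", "").lower().startswith("re:") and not (
            msg.get("In-Reply-To") or msg.get("References")):
        findings.append("subject claims a reply but there is no In-Reply-To/References")
    scl = scl_of(msg)
    if scl == -1:
        findings.append("SCL -1: EOP skipped filtering, check allow lists and mail flow rules")
    elif scl is not None and scl >= 5:
        findings.append(f"SCL {scl}: EOP classified the message as spam")
    return findings


if __name__ == "__main__":
    for label, sample in (("Facebook", FACEBOOK_SAMPLE), ("Microsoft", MICROSOFT_SAMPLE),
                          ("Apple", APPLE_SAMPLE)):
        print(label, triage(sample))
```

Run it directly to print the findings for the three samples. The DMARC check is the important one for the Microsoft case: a From header that genuinely reads microsoft[.]com passes every display-name and lookalike test, so only the Authentication-Results the receiving server recorded can tell it apart from real Microsoft mail. The SCL check is the one to wire into your own review of allow lists: an SCL of -1 with SFV:SKN in the anti-spam report says a rule, not the filter, let the message through.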

3. Follow 2FA and password management best practices

Since workplace accounts are so closely interlinked, giving up the credentials to one of them can prove very dangerous: cybercriminals can reuse the password on other services and send emails in your name to trick your customers, partners, acquaintances, and family members.

If you haven’t already, implement these hygiene best practices:

  • Deploy multi-factor authentication (MFA) on all possible business and personal accounts (although it’s not a panacea for all your email phishing woes, as covered earlier in this blog).
  • Don’t reuse the same password across multiple sites/accounts.
  • Use a password manager to generate and store your account passwords.
  • Avoid passwords that tie into your publicly available information (date of birth, anniversary date etc.) or that follow generic patterns such as ‘password123’ or ‘YourName123’.
