Last Updated: 2020-01-24 06:27:58 UTC
by Xavier Mertens (Version: 1)
... because it works!
Probably, some phishing emails get delivered into your mailbox every day and you ask yourself: "Why do they continue to spam us with so many emails? We are aware of phishing and it will not affect my organization!"
First of all, email remains a very popular way to get in contact with the victim. Then, sending massive phishing campaigns does not cost a lot of money: you can rent a bot to send millions of emails for a few bucks. Hosting the phishing kit is also very easy, as there are tons of compromised websites that deliver malicious content. But phishing campaigns are only really valuable from an attacker's perspective when some conditions are met:
- The mail is properly crafted and looks like an official one (same layout, signature, no typos, correct sentences, same "style")
- The mail attracts the victim's attention (based on an event, a colleague, some "juicy" topic)
- The mail makes the victim confident (it pretends to use the tools and services used at work)
- The victim is not attentive to the content of the mail or the link (lack of concentration)
Here is a real story. Yesterday my wife explained that she fell into the trap! She was on the phone with a customer and, while waiting for some feedback, she received an email from a colleague (a legit email, she said: all details looked ok, signature, name, etc.). That's condition #1 from the list above. Her colleague pretended to share a file about a project via OneNote (conditions #2 and #3). She knows the sender, she works on projects with him, and the organization has the full Microsoft product stack. So, while waiting on the phone, she clicked on the link, got the classic login page and provided her credentials... (condition #4). She said, "I know that they take security seriously, so it looked normal to authenticate one more time".
She did not see that the URL was, of course, not the right one (she was speaking with the customer at the same time). When her credentials were rejected several times, she realized that it was a phishing attempt and changed her credentials immediately. In the meantime, the helpdesk sent an email to all employees to report the ongoing phishing attack! She was probably "patient zero".
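The failure in this story is a link that looked right but pointed somewhere else. The following is an added example (it is not part of the diary, nor a tool the author used) of the kind of automated check a mail gateway or help desk script can run on an HTML body: it extracts anchors, compares the visible link text with the real `href`, and classifies the destination against an allow-list of legitimate sign-in hosts. The allow-list, the brand words, the simplified regex-based link extraction and the sample email are all constructed assumptions for the example; a production version should use a real HTML parser and the Public Suffix List.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list for this example: hosts that may legitimately
# serve a Microsoft 365 sign-in page. Adapt it to your own tenant.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Brand words whose presence in a non-allow-listed host suggests a lookalike.
BRAND_WORDS = ("microsoft", "office", "onenote", "sharepoint")

# Simplified anchor extraction; good enough for the constructed sample below.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>',
                     re.IGNORECASE | re.DOTALL)


def registered_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Sufficient for the .com hosts used here; a production check should
    consult the Public Suffix List (co.uk and similar break this rule).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_login_link(url: str) -> str:
    """Classify a sign-in URL as 'trusted', 'lookalike' or 'untrusted'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https" or not host:
        return "untrusted"
    # Userinfo before '@' makes a URL display a trusted name while pointing
    # elsewhere, e.g. https://login.microsoftonline.com@evil.example/
    if parsed.username is not None:
        return "lookalike"
    if host in TRUSTED_LOGIN_HOSTS:
        return "trusted"
    # Brand name present in the host, but the registrable domain is not ours:
    # e.g. login.microsoftonline.com.example.net
    trusted_domains = {registered_domain(h) for h in TRUSTED_LOGIN_HOSTS}
    if registered_domain(host) not in trusted_domains and any(
        word in host for word in BRAND_WORDS
    ):
        return "lookalike"
    return "untrusted"


def scan_html_links(html: str) -> list:
    """Return (href, verdict, text_mismatch) for every anchor in an HTML body.

    text_mismatch is True when the visible link text is itself a URL whose
    host differs from the href host: the classic "looks right, goes wrong".
    """
    findings = []
    for href, text in LINK_RE.findall(html):
        visible = re.sub(r"<[^>]+>", "", text).strip()
        text_host = urlparse(visible).hostname if visible.lower().startswith("http") else None
        href_host = urlparse(href).hostname
        mismatch = text_host is not None and text_host.lower() != (href_host or "").lower()
        findings.append((href, classify_login_link(href), mismatch))
    return findings


# Constructed sample mail body, modelled on the scenario in the diary.
SAMPLE_EMAIL = """
<p>Hi, I shared the project notes with you in OneNote.</p>
<a href="https://login.microsoftonline.com.example.net/common/login">
  https://login.microsoftonline.com/common/login</a>
<p>Regards</p>
<a href="https://login.microsoftonline.com/common/oauth2/authorize">Open in browser</a>
"""

if __name__ == "__main__":
    for href, verdict, mismatch in scan_html_links(SAMPLE_EMAIL):
        print(f"{verdict:10} text_mismatch={mismatch!s:5} {href}")
```

On the constructed sample the first anchor is reported as a lookalike with a text/href mismatch, while the second is trusted. A verdict of "lookalike" or a mismatch is a good trigger for quarantining the message or, at least, for the kind of all-staff warning the help desk sent in this story.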
Conclusion: awareness is key. You might feel confident at detecting phishing attempts, but just one second of distraction and it's game over!
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant