Common Patterns Used in Phishing Campaigns Files

Common Patterns Used in Phishing Campaigns Files
Phishing campaigns remain a common way to infect computers. Every day, I'm receiving plenty of malicious documents pretending to be sent from banks, suppliers, major Internet actors, etc. All those emails and their payloads are indexed and this morning I decided to have a quick look at them just by the name of the malicious files. Basically, there are two approaches used by attackers: They randomize the file names by adding a trailing random string (ex: aaf_438445.pdf) or the complete filename. They make the filename “juicy” to entice the user to open it by using common words. This is the second approach that looks interesting. I extracted all the IOC of type ‘filename’ from my MISP[1]. The raw export contained 4692 filenames (4247 unique). I also exported all payloads from my archive (574.879 unique files). I extracted interesting strings based on: words common brands abbreviations Warning: This list is provided "as is" and is not intended to be used to quality files as malicious or not (it will generate too many false positives). abuse account acompte advice agreement airline alert archive bill bitcoin booking brochure budget caller cancellation card caution certificate changes christmas client company complaint confirmation contact contract controls copy credit cv date debit debt decrypter delivery details dll diplomatic directory document download draft-msg dropbox dscf ebay ecard egift efax email energy engineer employee eps epson eula extract express exported facebook facture fax file finance financial flash flight free gdpr gift-card google-drive googleupdate help history hp holidays-gift-card hotel human-resource img important inf information install Instruction invite invoice insurance javaupdate label lettre letter license log login-required logmanager mail malware message microsoft-hotfix microsoft-upgrade money msg myresume mote officeupdate order overdue package parcel password payslip photo pic pid picture pdf po proposal purchase poster powerpoint privacy private project quotation quote ransom readme receipt remittance report resume restore sale salary safe scan screenshot security secure selfie service settings setup sheet shipping skype specialoffer ssh ssl staff statement statistics strike support swift tax task tracking trade trademark transaction transfer travel unpaid untitled upcoming update urgent us user vcd video visa voice vpn vmware webmail wifi windows youtube [1] https://www.misp-project.org/ Xavier Mertens (@xme) ISC Handler - Freelance Security Consultant PGP Key I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS Amsterdam August 2020 Part 2	Xme 537 Posts ISC Handler Mar 2nd 2018
Subscribe	Mar 2nd 2018 2 years ago
yes. i have personally received phishing mails using the term gdpr. i understand a lot of businesses now are changing their policies because of GDPR and thus mailing their existing customers. while i did get a lot of legit notifications emails from legit providers i'm using the services of like twitter, ivacy vpn, hotjar and others, i did get fake mails that required me to enter details so they could be phished.	Anonymous
Quote	May 8th 2018 2 years ago