SANS ISC: Internet Storm Center
Why Does Phishing Remain So Popular?

Published: 2020-01-24
Last Updated: 2020-01-24 06:27:58 UTC
by Xavier Mertens (Version: 1)

... because it works!

Some phishing emails probably land in your mailbox every day, and you ask yourself: "Why do they continue to spam us with so many emails? We are aware of phishing and it will not affect my organization!"

First of all, email remains a very popular way to get in contact with the victim. Second, sending massive phishing campaigns does not cost a lot of money: you can rent a botnet to send millions of emails for a few bucks. Hosting the phishing kit is also very easy; there are tons of compromised websites that deliver malicious content. But phishing campaigns are only really valuable from an attacker's perspective when some conditions are met:

  1. The mail is properly crafted and looks like an official one (same layout, signature, no typos, correct sentences, same "style")
  2. The mail attracts the victim's attention (based on an event, a colleague, some "juicy" topic)
  3. The mail makes the victim confident (it pretends to use the tools and services used at work)
  4. The victim is not attentive to the content of the mail or the link (lack of concentration)

Here is a real story. Yesterday my wife explained that she fell into the trap! She was on the phone with a customer and, while waiting for some feedback, she received an email from a colleague (a legitimate-looking email, she said: all details looked fine, signature, name, etc.). That's condition #1 from the list above. Her colleague pretended to share a file about a project via OneNote (conditions #2 and #3). She knows the sender, she works on projects with him, and the organization uses the full Microsoft product stack. So, while waiting on the phone, she clicked on the link, got the classic login page and provided her credentials... (condition #4). She said, "I know that they take security seriously, so it looked normal to authenticate one more time."

She did not notice that the URL was, of course, not the right one (she was speaking with the customer at the same time). When her credentials were rejected several times, she realized that it was a phishing attempt and changed her password immediately. In the meantime, the helpdesk sent an email to all employees to report the ongoing phishing attack! She was probably "patient zero".
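The failure point in this story was the URL that nobody looked at. As an added illustration (not part of the original diary, and not an ISC tool), the following Python script shows the check a mail gateway or a user-side plugin can perform before anyone clicks: extract the links in an email body, skip those that point at the organization's real sign-in hosts, and flag the rest when the visible anchor text names a different host than the real target, when the target host merely contains a trusted host name, or when a brand word appears in a host that is not trusted. The allowlist, the brand tokens and the sample message are constructed for the example; a real allowlist comes from the tenant's own configuration.

```python
"""Flag links in an email body whose destination does not match a trusted sign-in host.

Added example: a defender-side check, not code from the ISC diary. The
allowlist, brand tokens and the sample message below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this hypothetical organisation really authenticates against (constructed).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Brand words that should only ever appear in hosts we trust (constructed list).
BRAND_TOKENS = ("microsoft", "onenote", "office", "sharepoint")


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return parser.links


def host_of(url_or_text):
    """Return the lower-cased host named by a URL, or by bare text that looks like a host."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        # Plain words such as "Sign in" are not hosts; "www.example.com/x" is.
        if not re.fullmatch(r"[\w.-]+\.[A-Za-z]{2,}(/.*)?", candidate):
            return ""
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def suspicious_links(html, trusted_hosts=TRUSTED_LOGIN_HOSTS):
    """Return one finding per link that should stop a reader (or a gateway) before clicking.

    Reason codes:
      display_target_mismatch  - the visible text names a host other than the real target
      lookalike_host           - the target host contains a trusted host name but is not one
      brand_in_untrusted_host  - a brand word appears in a host we do not trust
    """
    findings = []
    for href, text in extract_links(html):
        target = host_of(href)
        if target in trusted_hosts:
            continue  # a real sign-in host: nothing to flag
        reasons = []
        shown = host_of(text)
        if shown and shown != target:
            reasons.append("display_target_mismatch")
        if any(trusted in target for trusted in trusted_hosts):
            reasons.append("lookalike_host")
        elif any(token in target for token in BRAND_TOKENS):
            reasons.append("brand_in_untrusted_host")
        if reasons:
            findings.append({"href": href, "host": target, "reasons": reasons})
    return findings


# Constructed sample message modelled on the OneNote share described in the diary.
SAMPLE_EMAIL = """
<p>Hi, I shared the project notes with you via OneNote.</p>
<p><a href="https://login.microsoftonline.com.files-share.example/auth">https://login.microsoftonline.com</a></p>
<p><a href="https://login.microsoftonline.com/">Sign in</a> with your work account.</p>
<p><a href="https://intranet.example.org/wiki">Team wiki</a></p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(f"{finding['host']}: {', '.join(finding['reasons'])}")
```

Only the first link in the sample is flagged: its visible text shows the real Microsoft sign-in host while the href points at a host that just begins with that name. Ordinary internal links such as the intranet wiki produce no finding, which keeps the check usable as a warning banner rather than a blocker.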

Conclusion: awareness is key. You might feel confident about detecting phishing attempts, but one second of distraction and it's game over!

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Keywords: Phishing
