Phishing Email Alerts
Catch of the Day: Morse Code Attack
Chef’s Special: IONOS Phish
Examples of clever phish that made it past my spam filters and into my Inbox, or from clients, or reliable sources on the Internet.
I would be delighted to accept suspicious phishing examples from you. Please forward your email to email@example.com.
My intention is to provide a warning, examples of current phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your own inbox. If the pictures are too small or extend off the page, double-clicking on them will open them up in a photo viewer app.
IONOS Credential Stealer
Here’s another example of a credential stealing phish and web page combination. From the examples I’ve gathered, credential stealing does appear to be the leading purpose of most phishing emails. Credential stealing leads directly to account hijacking, and the most targeted account is your email account. With access to your email account an attacker can generate password reset requests on your other accounts, and access your social networks, e-commerce, and even work accounts.
The Update Now link resolves to https://onezoo.com.au/oneapp/iro/ which redirected to https://azoiuekl-7fb609.ingress-daribow.easywp.com/neu/ionos/login.php?5a75a999867bb6039468980021ad69d3797af9bd. Virustotal reported this as a phishing link.
The first attempt to connect to the landing page was blocked by Malwarebytes, so I closed MB and tried again. The error page and the landing page follow.
Another IONOS Phish
Below is the email, and the button links to this address: https://tributoildivo.com/HOS7firstname.lastname@example.org. Virustotal did not flag this link,
The landing page.
Yes – you read that right: Cybercriminals have found a way to use 1830’s technology to trick 2020s security solutions into not identifying phishing attachments as malicious.
Like you, when I first read about this I shook my head and through “no way – how would that even work?!?”” But according to a post on reddit, the bad guys realized they could digitally encode their malicious java script in Morse Code, effectively bypassing any email scanners.
The phishing attack starts out like any other, using some basic social engineering around paying an invoice and hosting an attachment made to look like an invoice with the filename ‘[company_name]_invoice_[number]._xlsx.hTML.’
The result of all this is a pretty creative rendering of a fake Excel document and an Office 365 logon screen, stating the user’s session had timed out.
Creative? Yes. Unique? No – bad guys can derive even their own simple character replacement encoding (e.g., ‘A’ would be replaced with ‘D’, ‘B’ with ‘E’, etc.) and one can achieve the same result.
The real stopping point here is the bogus email theming and horrible attachment name. Users that get stepped through security awareness training are able to quickly see this for what it is and stop the attack before it goes any further than making it past your filters.
Blog post with example screen shot:
Australian medicinal cannabis company Cann Group has lost $3.6 million in a business email compromise (BEC) attack, Stockhead reports. The company had thought it was paying an unnamed “overseas contractor,” but the payments were actually going to “an unknown third party.” The attack was discovered overnight on February 4th, and the fraudulent payments were related to the construction of the company’s 34,000 sq/m growing facility in Mildura, Victoria.
Cann Group said it’s “working with its bank to determine if any of the payments can be halted and if any of the funds involved are recoverable.” The company added that “[t]he matter has been reported to police in Victoria, Australia, the Netherlands and Hong Kong, as well as the Office of Drug Control.” The company’s stock price fell 6% upon the news.
Blog with links: