Instead, they found a webpage redirection script, hosted on a benign website - one that was unlikely to raise suspicion - and linked to that, using the redirection script to navigate the employee’s browser to the malicious website. This attack mechanism struck our analysts as unusually complex – the phone call urging the target to click the email the specially crafted email with no text in the body the attacker-registered website with a customized “delivery” themed domain name used to host a file to download – but the complexity seemed to have purpose.įor one thing, the fact there was no PDF attachment gives the attacker an advantage, since many email systems treat messages carrying such attachments with (appropriate) suspicion when they originate from unusual sources and would either delay the delivery of, or automatically filter, emails with PDF or other office-format attachments.įor another, the attackers also didn’t link directly to the website they controlled hosting malicious code. …isn’t an attachment at all, as the tooltip shows. Instead, when the employee clicked where they thought an attachment appeared in the email (or if they clicked anywhere else), they triggered Outlook to visit a website. The employee saw what looked like an Outlook message with a PDF attachment, but it was actually a graphic embedded in the message body, designed to look just like an Outlook message with an email attachment: Both the “attachment” and the accompanying email message were just static images embedded in the message body. There was no PDF attachment to the message, even though it appeared there was. The curious email message triggered the attack chain that followed, but not in the way you might guess. The source code of the email references “content with picture links” There are German-language comments embedded in the HTML (“Inhalt mit Bild links,” which translates either to “content with picture links” or “content with picture left”) that made up the email message body, which was sent to someone who used Outlook as their mail client. Both are considered “official” Swiss languages. The email also indicates the “shipment” is something that weighs about what a letter would weigh, and that it has “elevated (government agency)” priority.ĭespite the fact that the email message was written in the French language, technical clues left behind indicate the attackers knew the Swiss target might be a German speaker. It goes on to say that, for reasons of security, delivery isn’t possible unless the target provides the correct code to the shipper, and that the target can only get the code from the attached PDF. The message body says that “your documents had been sent by a delivery service that hasn’t had contact with” the destination. From the phone to the payload, this attack relies on multiple layers of social engineering Phishing message embeds graphical elements The email message shown below (written in French) said that a PDF file attached to the message contained the code the delivery driver was waiting to hear before they could bring the package to the employee’s location. While the caller was still on the phone with the employee, the employee received an email message, purportedly from the caller’s shipping company. In order to redeliver the package, he continued, the employee would have to read aloud a code the shipping company would email. The caller, whose voice sounded like a middle-aged man, told the employee that he was a delivery driver with an urgent package destined for one of the company locations, but that nobody was there to receive the package, and he asked for a new delivery address at the employee’s office location. The alert employee sensed something was wrong, and disconnected the infected computer from the network, but not before the malicious payload was already at work. Sophos Incident Response analysts found that the attackers may have targeted the call recipient personally, and crafted an elaborate social engineering attack chain that resulted in the attackers taking control of the target’s computer, briefly, before the target literally pulled the (ethernet) plug on the compromised computer. The caller prompted an employee of a Switzerland-based organization to initiate a complex attack chain that compromised the employee’s computer. In the course of performing a postmortem investigation of an infected computer, Sophos X-Ops discovered that the attack began with an innocent-sounding phone call.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |