Bargain Bait: How Cheap Phishing Scams Deceive Many and Tips to Stay Safe

Hello, folks! Today, I'm going to delve into the latest "I know your password" type of phishing scam circulating on the internet. We'll explore some of its key characteristics and I'll share handy tips to ensure you don't fall prey to this devious ploy.

This article is especially for you, the end-user. I'll apply the same approach I use when working with organizations to help you understand how we, as security professionals, tackle such attacks when we stumble upon them in a mailbox.

So, without further ado, let's get straight into it.

The attack

Below is a snapshot of the attack in its original form. My email provider, with a strong focus on security and privacy, had already flagged it as suspicious.

[Screenshot] The sender address implies a valid domain, but it appears that this particular address has been compromised.

Upon receiving such an email, my immediate response is to further analyze it and validate if it's indeed a phishing attempt. Even though this email is an outright threat, I'll take the same approach to demonstrate my process in cases where the content is a "potential" phishing attempt.

I typically divide my analysis into three steps:

  1. Check for signs of phishing content such as threats, urgent requests, grammar mistakes, etc.
  2. Review the sender's address: If the local part is an unrecognizable, hash-like string of random characters, then the best action is to ignore the email, delete it, and blacklist the address. A real email address simply won't look like that. On the contrary, if it seems valid, we proceed to the next step.
  3. Review the domain status: In this step, we validate the domain's reputation. This allows us to identify if that specific domain has been hijacked for spamming (and phishing) and whether it has been blacklisted by other domains or cybersecurity portals/organizations.

While each step could be elaborated further, we won't focus on those details in this article.
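The three steps above can be turned into a small triage script. The one below is an added example written for this article, not the author's own tooling: it parses a constructed sextortion-style message, looks for threatening or urgent phrases (step 1), checks whether the sender's local part looks like a random hash (step 2), and looks the sender's domain up in a constructed local reputation list that stands in for a web service such as Talos (step 3). The phrase list, the entropy threshold, the sample message and the domain list are all assumptions made for the example.

```python
import email
import math
import re
from email import policy

# Constructed sample message modelled on the "I know your password" template
# discussed in the article; sender, domain and wording are all made up.
SAMPLE_EMAIL = """\
From: Accounts <quickbooks@example-finance.test>
To: victim@example.org
Subject: I know your password!

I know your password! I have recorded you through your webcam and I have
all of your contacts. You have 48 hours to pay 400 USD in Bitcoin to the
address below or I will send the proof above to everyone you know.
"""

# Step 1: phrases typical of threatening or urgent phishing content (assumed list).
THREAT_PHRASES = [
    "i know your password", "webcam", "your contacts", "hours to pay",
    "bitcoin", "send the proof", "everyone you know",
]

# Step 3: constructed stand-in for a reputation service such as Talos.
KNOWN_BAD_DOMAINS = {"spam-relay.test": "Poor", "example-finance.test": "Neutral"}


def content_indicators(text: str) -> list[str]:
    """Step 1: return the threatening/urgent phrases found in the text."""
    lowered = text.lower()
    return [p for p in THREAT_PHRASES if p in lowered]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking strings score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_like_hash(local_part: str) -> bool:
    """Step 2: flag a sender local part that looks like a random token."""
    if re.fullmatch(r"[0-9a-f]{16,}", local_part):  # long hex string
        return True
    # Long, mixes letters and digits, and has high per-character entropy
    # (threshold of 3.3 bits chosen for this example).
    return (len(local_part) >= 12
            and re.search(r"\d", local_part) is not None
            and re.search(r"[a-z]", local_part) is not None
            and shannon_entropy(local_part) > 3.3)


def domain_reputation(domain: str) -> str:
    """Step 3: look the sender's domain up in the (constructed) reputation list."""
    return KNOWN_BAD_DOMAINS.get(domain.lower(), "Unknown")


def triage(raw: str) -> dict:
    """Run the three checks on one raw RFC 822 message and give a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = str(msg["From"])
    addr_match = re.search(r"<([^>]+)>", sender)
    address = addr_match.group(1) if addr_match else sender.strip()
    local_part, _, domain = address.partition("@")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    result = {
        "sender": address,
        "content_hits": content_indicators(str(msg["Subject"]) + " " + body),
        "hash_like_sender": looks_like_hash(local_part),
        "domain_reputation": domain_reputation(domain),
    }
    if result["hash_like_sender"] or result["domain_reputation"] == "Poor":
        result["verdict"] = "phishing: delete and block sender"
    elif len(result["content_hits"]) >= 3:
        result["verdict"] = "phishing: report to provider and to the domain owner"
    else:
        result["verdict"] = "review manually"
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

For the sample message the sender looks legitimate and the domain has no bad reputation yet, so the verdict is driven by the content alone, which mirrors the compromised-account case the article goes on to describe.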

Point 1: Content Analysis

The email kicks off with the chilling phrase "I know your password!", hence my naming of this article as "Bargain bait". This isn't the first time I've encountered such an email - they used to be even more aggressive.

There was a particular phishing email I once found, where that exact phrase was followed by a password I'd used in the past. That was the only time a phishing attempt almost got me.

But how did I manage to dodge it? I searched for "I know your password attack" and discovered that there had been a series of breaches back in 2017. Major online service providers had their user databases leaked and distributed, providing attackers access to a vast list of users with their emails and passwords in plain text.

Moreover, what truly saved me is adhering to one of the most crucial password rules (which you should follow too):

Regularly change your passwords! In other words, don't use the same password for an extended period. And, please, DON'T use the same password for different services and accounts.

The attack I described was well-planned, utilized a real password I had previously used, and was specifically aimed at me (spear phishing). In contrast, the current attack we're reviewing haphazardly threatens with insufficient evidence, assumes I own a webcam (I don't), and claims to have access to my contacts but provides no evidence - not even a single sample!

Lastly, they vaguely state they "have the proof above." Which proof, pal? The previous attacker at least put in the effort to match the correct plaintext password to the right account. The current attacker simply copied and pasted the same content and blasted it to as many email accounts as possible, a classic phishing campaign.

However, I've seen much more sophisticated and believable phishing campaigns.

Point 2: Domain Review

First, I looked up the domain for any potential blacklists or reports. The tool I used is Talosintelligence.com, a useful service provided by Cisco that allows you to verify the reputation and status of IPs, domains, and addresses if you receive a suspicious email.

You can do it too by simply entering the domain name or IP address into the text box, then clicking on the magnifying glass icon.

In this step, we'll review the address.

Here's what I found:


[Screenshot] Nothing out of place so far.

As you can see, nothing seems amiss with the address so far. Keep in mind that an attacker can compromise an account or the entire domain depending on their skill level in escalating privileges.

What does this tell us? So far, it suggests that this account has been recently compromised. Once this phishing attempt lands in an organization's email account and gets reported, it will slowly start to be blacklisted and flagged by other organizations and services, like Talos.

Point 3: Website Evaluation

Let's now explore their website:

[Screenshot] Oh, look! It's a finance-related site. It's no surprise that one of their accounts was targeted.

If you look closely, you'll spot the subdomain whose email address was used for this phishing campaign. Check the 4th button from left to right, at the top banner: Quickbooks. Let's investigate that too.

[Screenshot] Nothing unusual here either.

Well, this site offers accounting software. So we can conclude that someone mistakenly provided the attacker with access to the Quickbooks account, or it could potentially be an inside job.

If we're considering an inside job, it implies that a person with legitimate access to this account decided to use it for phishing. This is unlikely unless this individual wishes to lose their job. Typically, inside jobs involve silently stealing a company's data. Using one of the organization's email accounts for phishing would jeopardize the entire operation.

What's next?

A responsible course of action (and a good deed) would be to inform the site owners about the ongoing issue within their organization so they can take appropriate measures. Sometimes I don't even receive a response from them, but at least I rest easy knowing I did my part. They might take action to prevent their site from being blacklisted or flagged.

Conclusion

In an effort to understand the reach and impact of these phishing scams, I frequently analyze Bitcoin (BTC) addresses, which are often used by attackers for receiving ransom payments. These addresses can be checked through a tool known as a blockchain explorer, which provides the transaction history and balance of any Bitcoin address. I'm not as experienced in this analysis as experts like the folks at glassnode.com, a leading provider of blockchain analytics. But in this case, I noticed something startling.

The BTC address associated with this phishing attack showed over seven transactions, each averaging around 400 USD. This indicates that at least seven people fell for this scam and made payments to the attacker. This highlights the severity and effectiveness of such attacks, emphasizing the importance of understanding and recognizing phishing scams.
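Two parts of that check can be scripted before you open a blockchain explorer: pulling the address out of the email and confirming it is a well-formed legacy Bitcoin address (Base58Check: the last four bytes are the first four bytes of SHA256(SHA256(version || hash160))), and then summarising the explorer's transaction list as a payment count and average value. The code below is an added example, not the author's own, and it does not contact any explorer. The address in the sample text is the publicly known Bitcoin genesis-block address, used here only because its checksum is known to be valid; the second, corrupted copy shows a typo being rejected. The transaction records and the USD/BTC rate are constructed for the example.

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (P2PKH/P2SH) addresses: Base58 strings starting with 1 or 3.
BTC_ADDRESS_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

# Constructed sample body. The first address is the public genesis-block
# address (valid checksum); the second is the same string with its last
# character changed, so its checksum fails.
SAMPLE_TEXT = """\
Send 400 USD worth of Bitcoin to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
within 48 hours. Backup address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb
"""

# Constructed explorer-style records: seven incoming payments, one sweep out.
SAMPLE_TXS = [
    {"direction": "in", "value_btc": 0.0130},
    {"direction": "in", "value_btc": 0.0135},
    {"direction": "in", "value_btc": 0.0140},
    {"direction": "in", "value_btc": 0.0128},
    {"direction": "in", "value_btc": 0.0132},
    {"direction": "in", "value_btc": 0.0138},
    {"direction": "in", "value_btc": 0.0131},
    {"direction": "out", "value_btc": 0.0900},
]
ASSUMED_BTC_USD_RATE = 30000.0  # example rate, not a market quote


def b58decode(s: str) -> bytes:
    """Decode a Base58 string; each leading '1' stands for one zero byte."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_legacy_address(addr: str) -> bool:
    """Base58Check: 25 bytes, and the trailing 4 bytes match the double-SHA256 of the rest."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_addresses(text: str) -> list[str]:
    """Candidate addresses from an email body, keeping only those that validate."""
    return [a for a in BTC_ADDRESS_RE.findall(text) if is_valid_legacy_address(a)]


def summarize_payments(txs: list[dict], btc_usd_rate: float) -> dict:
    """Count incoming payments and their average USD value from explorer-style records."""
    received = [t["value_btc"] for t in txs if t["direction"] == "in"]
    total_btc = sum(received)
    average_usd = total_btc * btc_usd_rate / len(received) if received else 0.0
    return {
        "payments": len(received),
        "total_btc": round(total_btc, 8),
        "average_usd": round(average_usd, 2),
    }


if __name__ == "__main__":
    for addr in extract_addresses(SAMPLE_TEXT):
        print("valid address found:", addr)
    print(summarize_payments(SAMPLE_TXS, ASSUMED_BTC_USD_RATE))
```

Only incoming transactions count as victim payments; the outgoing sweep is ignored, which is why the constructed data yields seven payments averaging roughly 400 USD at the assumed rate.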

The email threatens to expose content that would shame the target of the phishing attack. This is a critical factor: Phishing capitalizes on psychology and emotional responses. Don't let fear, anxiety, or any other negative emotion cloud your judgment.

To conclude, the best practices for avoiding phishing boil down to taking a moment to think and assess. Don't rush into paying the attacker. ALWAYS take your time to evaluate and consider the email's content. When in doubt, Google is your best friend.

And if you prefer professional assistance, you know where to find me. I'm always eager to help 😉

Stay safe!
