By Stu Sjouwerman

Since the very dawn of organized phishing attacks, the bad guys have recognized the power of exploiting trusted brands and online services. Our original experience with phishing was defined by spoofed emails purporting to hail from popular banks. Their objective was simple: trick users into coughing up their online banking credentials with convincingly branded emails and fake login pages.

It’s a technique that has kept on giving, long after the bad guys scaled their ambitions beyond merely draining the bank accounts of individual marks. Perhaps the most infamous phishing email of all time — the John Podesta phish that was exploited by the Russians in the 2016 U.S. presidential election — spoofed a common Google security notification email that has likely been seen by millions of users. By trading on the good names of established companies and leveraging users’ trust in their offerings, the bad guys can effectively hide malicious content in plain sight.

In the vast majority of cases, the bad guys leverage the power of brands by simply spoofing the emails and web pages of trusted brands and online services. They may do it more or less well. And the resulting emails and web pages range from utterly convincing to barely believable.

When Faking It is No Longer Making It

At the end of the day, though, those spoofed emails and web pages are still fake. More and more the bad guys are discovering that clever fakes aren’t cutting it anymore. Not only are users getting more savvy, anti-virus and Exchange security services have become more sophisticated and capable in their ability to identify spoofs.

Phishing campaigns that rely on spoofed emails and web pages can fail for a number of reasons:

  • headers reveal the true origin of malicious emails
  • email subjects and body content are fatally flawed in terms of format and textual content
  • embedded links tip off users and security software to the true destination of apparently innocuous URLs
  • hosted content (and the host itself) offer tell-tale clues that everything is not as it seems

Here is a fairly typical spoofed Dropbox phishing email, which is littered with clues that should tip off attentive users that this is not a real Dropbox email:

The problems begin with the From: line, which uses an aol.com email address instead of the standard no-reply.dropbox.com. The problems continue with the awkward attempt to shoehorn the “via Dropbox” (with the parentheses misplaced) into the Subject: line instead of the From: line. The formatting and arrangement of items in the body contain still more clues, including the inexplicable use of Adobe PDF icons and file names.

Even users who don’t bother to hover their mouse over the link should recognize that something is amiss once their browsers open to this landing page:

From the URL — which points to a free web host instead of Dropbox itself — to the offer of multiple login options, users who are paying attention should have ample opportunity to sidestep this ham-handed attempt to trick them into coughing up their credentials. Smartly written security software, which can dig into this phish email’s headers, would be in the same position as the proverbial mosquito in a nudist colony: one hardly knows where it would begin.

These problems are baked into the process of spoofing trusted online brands and services. The bad guys can do little about the headers and delivery of spoofed phishing emails — those are largely determined by the choices bad actors are forced to make when figuring out how and where to host and maintain their malicious content. Moreover, while some criminal groups may have a talented and disciplined pool of developers to work with, others are forced to rely on whatever local talent they can get.

What most often gives away spoofed phishes to users is the link. The most reliable, objective strategy that users can employ to spot potentially malicious emails is the link check. Email headers may be a confusing chore to wade through. Links don’t lie — at least to those who bother to check.

And the bad guys know this. Thus, in many cases it’s not enough to simply spoof legitimate brands and online services in order to leverage the trust users have placed in them. To create truly convincing fakes of trusted online brands and services, it’s imperative to actually exploit the functionality of those services and brands so that malicious emails can land in users’ inboxes like so many Trojan horses.

The Gold Standard for True Fakes

Bad guys looking to disguise bad links are increasingly exploiting the very features of web sites and services associated with trusted brands, not just spoofing them. That means turning to sites that allow user-hosted content or offer other useful features — even things as simply as URL redirection.

The best “true fakes,” however, do more than simply fuss over the link. The real goal when constructing phishing campaigns that leverage trusted sites and services is complete brand continuity throughout every aspect of the campaign. Complete brand continuity brings with it the power to confer near full stealth on malicious emails and hosted content — a cloak of protection that fool both end users as well as the layers of security software that protects them.

To achieve full or nearly complete stealth campaigns must ensure that…

  • the link is trusted
  • branding is consistent between embedded links and the rest of the email body
  • embedded links are appropriate, matching the email’s purpose as well as its form
  • malicious emails are delivered through a recognized and trusted brand or service
  • malicious content (including malware, if possible) is hosted partially or entirely on a trusted, branded service
  • hosted content itself preserves brand continuity

Complete brand continuity offers a number of other potential advantages for malware campaigns beyond full stealth, though:

  • malicious content enjoys free hosting
  • malicious emails land in user inboxes via free email delivery
  • malicious files can sit behind a login-protected wall of obscurity

In short, the gold standard for bad guys looking to move beyond spoofed fakes is complete alignment between the social engineering schemes used to hook unwitting users on the one hand and the exploited site or service on the other.

Realizing such an alignment is easier said than done. In what follows we’ll take a look at the efforts of bad guys to achieve full stealth — and the numerous ways they can fail along the way. And we shall do so with the help of customers who have shared with us real phishing emails reported to them by employees using the Phish Alert Button (PAB).

Brand Mishaps

Bad guys looking to host malicious content on trusted sites and services have a number of options. Dropbox, for example, is becoming an increasingly popular choice. But while many users will be familiar and comfortable with emailed links pointing to Dropbox, unless placed in the right context a Dropbox link will usually not be enough to pull off a convincingly “true fake.”

Consider this DHL-themed phish, which uses a professionally designed, spoofed email to hook users:

As with the previous Dropbox email we looked at, minor formatting discrepancies plague this attempt to spoof DHL. The biggest problem, though, is the use of Dropbox to host the initial malicious content that users will be hitting, for a Dropbox link in a DHL email sticks out like a sore thumb.

The bad guys attempt to recover brand continuity in the document hosted on Dropbox…

…but it falls flat once users click this second link and find themselves yet again at the same free web host as the previous email:

…where we once again that strange use of Adobe PDF logos amidst branding elements that oddly neglect to include DHL’s trademark yellow.

Casual Stealth

Sometimes malicious actors hoping to lull users into false sense of security opt to sidestep the branding issues altogether in the initial phishing email:

SurveyGizmo, along with similar DIY survey sites, is another increasingly popular option for bad guys looking to draw users onto a recognized, trusted site where the bad guys can host malicious content.

The ruse falls apart on the landing page at SurveyGizmo, though, where we encounter the introduction of not one but two new brands (Office and OneDrive) along with sloppy use hyphenation and capitalization:

Some malicious groups have yet to learn what we shall dub the “Goldilocks principle” of branding in phishing emails: not too much, not too little. To be truly convincing, the branding has to be just right.

Functional Stealth

Bad guys willing to apply a bit of discipline and hire the right talent to craft their phishing campaigns can achieve impressive, though still imperfect results.

Although there are still formatting issues in this spoofed Dropbox phish, the brand consistency from the initial email through to the landing page is several cuts above either of the previous Dropbox phishes we looked at. Not only does this phish spoof the From: line and hue true to the minimalist arrangement of elements of real Dropbox emails, it takes care to set up user expectations with respect to the file name they will be asked to download (6 pending documents).

And the landing page is, as it should be, on Dropbox, though some architect seems to have taken offense that the bad guys — perhaps in a fit of overconfidence — have attempted to push a ragingly malicious, full-blown executable on unsuspecting users.

That is one potential downside to using Dropbox for malicious files — users can blow the game in the Comments section.

Another group of bad guys achieved similar results with this OneDrive-themed phish, which leads off with another professionally crafted, yet still fake, email:

While the link takes users to SharePoint, one suspects most users won’t be too bothered by that discrepancy given that both are Microsoft services often used in conjunction by many organizations.

Brand consistency is maintained, for the most part, all the way through to the slickly designed final landing page, which attempts to distract users from the wildly inappropriate URL with still more prominent and visually polished OneDrive branding elements.

Inexplicably, though, the page offers the familiar, tell-tale assortment of login options — a feature almost completely unique to bad-guy web sites.

Near Stealth

To go full stealth requires that malicious actors exercise discipline in accepting and working creatively within the limits of the trusted service they are exploiting.

To execute this phish, the bad guys elect not only to host some of their malicious content on Dropbox, but to exploit the messaging capabilities of that service by delivering the social engineering hook through an actual Dropbox email:

On the landing page we see that bad-guy love for Adobe PDF logos seems irrepressible, though the Comments section to the right gives plenty of evidence that more than a few users remain entirely undisturbed, happily offering up their email addresses along with entreaties to the bad guys to email malicious file directly to them.

As is so often the case, the problem is that users must be taken outside of Dropbox in order to present with the endgame: a credentials phish. As we have seen in previous cases, brand consistency can take a hit, as it does with this spoofed Microsoft login page hosted on a rogue .TK domain.

Will users pause to wonder why they were taken to a Dropbox-hosted PDF file only to be shuffled off to a Microsoft login page?

The malicious actors behind this WeTransfer-based phish encounter a similar difficulty. Starting off with a real WeTransfer email…

…that takes users to a PDF file downloaded hosted on WeTransfer…

…the bad guys smartly elect to bridge to transition to an outside site with WeTransfer branding in the PDF to preserve the ruse:

Despite the lame attempt to shovel a faux WeTransfer URL into the address bar, this final stop along the way to a credentials phish may be a bridge too far for some users for many of the same reasons we’ve explored in previous examples.

Still, the bad guys behind this phish did manage to keep the ball in the air through several hops.

Full Stealth: The El Dorado of Brand-Based Phishing

If you’ve made it this far you have undoubtedly noted that many of our example phishes for this piece involve file sharing sites of one sort or another (Dropbox, OneDrive, SharePoint, WeTransfer). That’s no accident. At present file transfer sites offer a number of tools helpful to bad guys trying to confer stealth status on their phishing campaigns.

In addition to offering trusted brand names and services familiar to millions of corporate email users, the provide cheap or even free file hosting as well as email delivery and, in some cases, login protection to keep pesky link scanners at bay.

What malicious actors really need, though, is a complete phishing platform that would ideally let them execute malicious content in addition to hosting and promoting. Good analytics would, of course, be a welcome bonus. For now, though, file sharing sites will do.

As the big players on the internet build out their platforms (Google, Facebook, Microsoft, Apple, etc.) to offer users a more complete range of services, many of them involving content uploaded and published by users and organizations, malicious actors will be looking to convert those increasingly powerful service offerings into true phishing platforms.

If you’re currently working in the IT trenches, you have more than enough to worry about as it is, even with the limitations of the current range of online services, many of them implicitly trusted by users throughout your organization from the lowliest receptionist or intern to C-suite executives who still haven’t figured out that real bad guys are actually targeting them through brands they know and love.

As we saw in all the examples discussed above, the bad guys still manage to leave plenty of telltale clues of their malicious intent even when cleverly exploiting remarkably functional file sharing services. But your users have to be trained to look for those clues. Without the right training, they remain your biggest vulnerability (and the bad guys’ greatest opportunity).

With the bad guys turning to increasingly powerful online tools to cloak their malicious emails behind the trusted veneer of familiar online services, it is imperative to step your employees through New-school Security Awareness Training and follow up with regular simulated phishing campaigns to test their mettle against simulated phishes modeled on actual malicious emails in use today by the bad guys. Short of that, you could very well find your users hanging out in the Comments section for a malicious Dropbox file blithely inviting hardened criminals to send them more malware.