The Devil Hiding in the Details: Context-Rich Phishing Schemes

If you've been following trends in phishing attacks over the past five to ten years, you may have noticed something interesting about the nature of innovation among malicious actors, aka the "bad guys." Most of the innovation seems to occur in the malicious payloads delivered by phishing emails as opposed to the social engineering schemes used to trick unwitting users into clicking through to those payloads.

While the bad guys constantly and consistently develop the ransomware, backdoor trojans, and trojan downloaders that malicious emails drop on users' desktops, they seem less keen on developing new social engineering hooks, preferring to recycle and tweak a well-known menu of schemes that have proven track records of enticing untutored users into taking potentially dangerous actions. Even the intermediary documents often used by malicious actors (Office files, web pages, and PDF documents) have undergone a steady regimen of innovation, as the bad guys endeavor to find new and clever means to obfuscate the malicious links, scripts, and other malcode shoehorned into those delivery vehicles. Not so with social engineering schemes.

Same Old Same Old

The initial look or "public face" of phishing -- which is to say, the phishing emails themselves -- remains little changed. Thus, the flood of familiar looking malicious emails such as this one...

If the bad guys are still using such social engineering schemes day in and day out in their phishing campaigns, it is because they work. Or, at least, they have been working.

A recently released "State of Phishing" report by Wombat caught our eye when it documented a curious and encouraging trend in click behavior among end users:

"Average click rates fell across all four categories (corporate, commercial, cloud and consumer emails) this year in comparison to 2016. The researchers particularly saw a significant improvement in click rates on cloud-based templates (business-related emails include messages about downloading documents from cloud storage services, or going to an online sharing service to create or edit a document)." https://www.helpnetsecurity.com/2018/02/23/phishing-messages/

In other words, all those fake Docusign emails may not be as effective as they once were. Whether that change in user behavior comes as a result of "market saturation" (how many fake Docusign phishes do users have to see before the proverbial light bulb blinks on?), increased adoption of security awareness training in corporate workplaces, high profile media reporting of phishing campaigns, or some combination of all three we do not know.

Slow Adaptation

Whatever the cause, it appears to us that the bad guys have taken note and have begun adapting. Over the past six to nine months we have noticed a slow and steady shift in the kinds of social engineering schemes used by the bad guys. Consider the following email, provided by a customer using the Phish Alert Button (PAB):

At first glance, this email appears to be just another variant of one of the more popular social engineering schemes: the secure document delivery/signing/download phish. But it is more than that. Whereas the fake Docusign phish shown earlier clearly attempts to leverage users' familiarity with the Docusign brand and can be used against a wide variety of employees and industries, the "Final CD" email just above is more narrowly targeted, relying less on the user's trust in a brand than the user's familiarity with certain documents and processes surrounding real estate and property transactions.

While the bad guys are still using the familiar menu of phishing schemes, including spoofed Docusign emails, we have observed a noticeable increase in the use of more targeted, industry specific schemes, the majority of which dangle what appear to be standard documents that are routinely produced during the sale of houses, buildings, land, and other forms of real estate.

The Real Estate Angle

As noted, these real estate themed phishes are, in many respects, simply variations on a well-known social engineering scheme. But such real estate themed phishes offer some marked advantages over the generic document signing/delivery/download phishes of yore.

For starters, these more targeted phishes provide the bad guys with the ability to seed their malicious emails with more convincing details which, in turn, lend those emails the air of authentic context -- the appearance of an ongoing legal and financial process involving multiple individuals and organizations. This rich context stands in marked contrast to your typical fake Docusign phish, which typically lands in users' inboxes as a "bolt from the blue" that may arouse distrust and suspicion.

Moreover, while the real estate themed phishes are, in some sense, more targeted, the nature of the documents they push means that these phishing schemes can be used against a number of different types of employees and industries including:

- bank employees

- real estate agents

- insurance agents

- property buyers

- regulatory officials

Banking, real estate, insurance, and governmental entities are all lucrative targets for malicious actors seeking to get their hands on documents, data, and even financial accounts that can be exploited for fraud.

Still further, real estate transactions typically involve a plethora of different types of documents, again allowing the bad guys to present a constantly changing face to potential victims (in contrast with the standard fake Docusign phishes, which all look the same). Consider the various documents we have seen dangled in front of users:

- Closing Disclosures

- HUD-1 Statements

- Title Commitments

- Title Policies

- Deeds, Liens, and Plats

- Escrow Letters

- Bundled Document Packages

- Unspecified Messages & Documents

Most of the examples shown above are rich in contextual detail, referencing...

- specifically named companies and firms

- specifically named individuals

- street addresses for property locations

- other related documents and processes

Given the nature of this contextual detail, we strongly suspect that most, if not all, of these example emails are based on real emails harvested from compromised accounts of people working in the banking, insurance, or real estate industries. And even though potential victims may not recognize the names of the companies, individuals, and properties referenced in these emails, the fact that they are referenced will probably be enough to convince all too many users to click through in order to take a closer look at what initially appears to be a real document.

Most of these real estate themed phishes lead to credentials phishes that are often highly polished, professionally crafted, and suitably authoritative. One of the more common phishes we've seen over the past few months, for example, offers an official looking PDF attachment...

...that in turn leads to a spoofed Microsoft login page:
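The lure features described above (real estate document names in the subject or body, a PDF attachment, and a Reply-To that points somewhere other than the sender's domain) can be scored as a first-pass triage for reported messages. This is an added example, not code from the original post or from the Phish Alert Button; the sample message is constructed and every domain, name, and address in it is a placeholder.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Document types the article lists as real-estate themed lures.
REAL_ESTATE_TERMS = (
    "closing disclosure", "hud-1", "title commitment", "title policy",
    "deed", "lien", "plat", "escrow", "final cd",
)

def sender_domain(msg, header: str) -> str:
    """Domain part of an address header, '' if the header is absent."""
    _, addr = parseaddr(msg.get(header, ""))
    return addr.rpartition("@")[2].lower()

def triage(raw: bytes) -> dict:
    """Score a raw RFC 822 message on the lure features the article describes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (body.get_content() if body else "").lower()
    hits = sorted({t for t in REAL_ESTATE_TERMS if t in subject or t in text})
    pdfs = [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(".pdf")]
    # A Reply-To on a different domain than From diverts replies to an
    # attacker-controlled mailbox; an absent Reply-To is not a mismatch.
    reply_mismatch = sender_domain(msg, "Reply-To") not in ("", sender_domain(msg, "From"))
    score = len(hits) + 2 * bool(pdfs) + 2 * reply_mismatch
    return {"terms": hits, "pdf_attachments": pdfs,
            "reply_to_mismatch": reply_mismatch, "score": score}

def build_sample() -> bytes:
    """Constructed lure in the style the article describes (placeholder data only)."""
    m = EmailMessage()
    m["From"] = "Jane Closer <jane@example-title.test>"
    m["Reply-To"] = "docs@example-mailbox.test"
    m["Subject"] = "Final CD - 123 Example St closing"
    m.set_content("Attached is the Closing Disclosure for 123 Example St. "
                  "Please review and sign.")
    m.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                     subtype="pdf", filename="Closing_Disclosure.pdf")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

The score is only a ranking aid for analysts reviewing PAB submissions; a high score means "look at this first", not "confirmed phish".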

When the Same Old Same Old Won't Cut It

Although the bad guys do seem to have invested more resources into innovating around the payloads delivered by phishing campaigns as opposed to the phishing schemes used to sell those payloads to unsuspecting users, they have proven capable of adapting in the face of declining click rates. The real estate themed phishes we have documented here are illustrative of that fact.

When the bad guys are adapting and innovating, your users need to be learning and adapting as well. It's not enough that your users have a general concept of "phishing" and are somewhat familiar with what phishing emails may look like. It's not enough that they know enough to look for bad spelling, grammar, punctuation, and usage. And the gut instincts of untrained, lay users won't be enough to protect your organization when the bad guys are harvesting real, context-rich, process-specific emails out of real inboxes and playing them back against unwitting targets working in those same industries.

What your users need is New-school Security Awareness Training, which provides them specific, tested strategies for recognizing potentially malicious emails and provides you the ability to track and measure their progress.