When Phishing Schemes Go South: Too Many Moving Pieces
When Phishing Schemes Go South: Too Many Moving Pieces

It's not easy being a bad guy. Even in an age where a bad guy wanna-be can turn to a bustling black market of tools and services to facilitate criminal activities ranging from banker trojans and ransomware to bot-nets, would be malicious actors still face plenty of challenges. And, yes, those challenges do extend beyond how to count all the money pouring in and figuring out how what to do with it all.

When planning a phishing campaign, for example, the bad guys face a host of conflicting requirements. On the one hand, the social engineering scheme that lies at the heart of any good phishing campaign must be simple, straightforward, and convincing. It must also usher potential marks (most of whom will not be very computer savvy) into a series of actions they can execute with a minimum of effort. Hand in hand with this requirement is the need to keep the online infrastructure used to support the campaign simple and robust, as that infrastructure will be subjected to scrutiny and direct assault by the good guys almost as soon as the campaign's malicious emails begin hitting users' inboxes.

On the other hand, though, the bad guys need to take care when assembling what we shall call the phishing email's moving pieces -- the links, landing pages, and attachments that actually empower clueless office employees to compromise their own employers' workstations and networks. These components must not only be designed to be enticing, convincing, and useable by victims, they must also be built to resist easy analysis and targeting by security companies and their researchers in order to give the campaign as much time as possible to draw in as many victims as possible before anti-virus applications and other security programs and services begin blocking the campaign's emails.

It is this tension between simplicity on the one hand and robust survivability on the other that drives much of the innovation we see in the ever-changing landscape of phishing campaigns. Malicious actors are constantly developing new ways to exploit various aspects of Windows and the common collection of applications in use within most office environments.

Occasionally the bad guys are lucky enough to discover a new zero-day exploit to incorporate into their phishing campaigns. More often, though, they simply develop new ways to assemble existing techniques and tools and deliver them to victims. Put another way, they figure out a new way to bake the cake. New recipes that look good on paper, though, don't always produce equally good results in practice.

In what follows we take a look at one particular phishing email reported to us by a customer through the Phish Alert Button (PAB) -- a phish that succeeded at one level but failed at yet another.

An Unremarkable First Look...

The email reported to us by a customer was, at a glance, utterly unremarkable.

Phishing emails in which the bad guys pose as potential customers interested in making purchases are all too common. Malicious PDF attachments are even more common, as are phishing emails loaded with bad grammar as well as punctuation and spelling errors.

Users who open the attached PDF file are presented with a prompt to download what is purported to be a "Secured PDF Online Document."

In our experience, the vast majority of PDFs with embedded links used in these kinds of phishing attacks whisk users to slickly constructed sites designed to spoof the login pages for popular online services and entice gullible employees into coughing up their email credentials.

As phishes go, these PDF-based credentials phishes succeed in minimizing the number of actions that potential victims must step through before the bad guys get the data they are after: a click on the attachment, a click on the embedded link, and then the familiar routine of inputting a username and password. The entire process can be accomplished in a matter of seconds and nothing that is asked of the user is too unusual or befuddling. Moreover, users are prompted at every step along the way. Embedding the link with the PDF does add an extra step, but embedding the URL in the PDF does make the job of analyzing and identifying more difficult.

But this particular phish was not your run-of-the-mill credentials phish.

...Then Down the Rabbit Hole

The embedded link in the PDF file consisted of a TinyURL-shortened URL. Again, this isn't entirely uncommon, as malicious actors increasingly turn to simple tricks like URL shorteners and PDF-embedded links to add a basic layer of obfuscation to elements (a URL in this case) that might be leveraged by security applications to identify and block the phishing campaign's emails.

In this case, however, that shortened URL kicked off the download of a .ZIP file. Windows has long had the ability to automatically unpack .ZIP files and present them to users as just another variety of folder. The problem here is that users were not prompted on how to handle that .ZIP file or the .HTA file (New_Order098766544321.pdf.hta, sporting a fake .PDF extension) lurking inside.

Most regular users will not have encountered .HTA files, which are one of the more exotic attachment types the bad guys have added to their arsenal of tricks over the past few years. .HTA files are HTML application files, which use a mix of plain text HTML and scripts to execute through Internet Explorer.

The script in this particular .HTA file used yet another link-shortened URL (ow.ly) to kick off the download of a 2.5 mb PE file, UPLOAD.EXE, which turned out to be a trojan dropper.

To their credit, the bad guys designed the script that downloaded that PE file to execute it as well, sparing users from having to double-click the file themselves. Already left to their own devices with the zipped .HTA file, few users would likely have recognized that they needed to open yet another file to see this process through to its conclusion. And even those that did would likely be wondering why the apparently routine task of viewing a simple purchase order suddenly became an exercise akin to dealing with nested Russian Easter eggs.

Too Many Moving Pieces

As phishing schemes go, this was a rather involved one. All told it consisted of:

- an email to present the social engineering hook

- an attached PDF file

- a link-shortened URL embedded in the PDF

- a .ZIP file downloaded by the embedded link

- an .HTA file archived in the .ZIP file

- another link-shortened URL in the .HTA file

- a PE file (UPLOAD.EXE) that in turn dropped malicious code on the target box

Put simply, this phish has a lot of moving pieces, including the use of two different link shorteners, leaving this particular scheme exposed to two online services that are becoming increasingly aggressive in taking down malicious links.

Consider also what is required of users who, we should remember, are initially expecting to simply open an overlooked purchase order:

- open the email

- open the PDF attachment

- click the embedded link in the attachment

- open the downloaded .ZIP file

- open the .HTA file

With each additional step in this process the bad guys risk losing a certain percentage of users growing increasingly weary or suspicious as the expected purchase order fails to materialize.

It's fairly clear what was driving the design of unusually involved phishing scheme: the desire to push truly malicious links and files as far away from the initial email and attachment as possible, making the task of analyzing, identifying, and targeting this phish more difficult.

To be sure, the bad guys did enjoy some amount of success on this front. When we received this phish from our customer not a single antivirus on VirusTotal detected the PDF with the embedded link that kicks this whole process off. One antivirus engine detected the .HTA file. Two engines detected the PE file. Thus, it is not surprising at all that this nasty little phish sailed through the company's multiple layers of security and landed in someone's inbox.

In making this phishing scheme more difficult to analyze and detect, however, the bad guys failed to balance the desire to obfuscate against the need to keep the user process simple and straightforward and to minimize the number of moving pieces. Although we have no hard numbers on what percentage of users who encountered this phish actually managed to step through the entire process required to get malware executing on their boxes, we have to believe the actual percentage was very low.

Every Organization Has One...

In reviewing the overly elaborate design of this phishing scheme, we might be tempted to breathe a little easier knowing that the bad guys also have their own fair share of misfired phishing campaigns. But that would be too easy. And dangerous. If you think about the employees in your organization, you can undoubtedly call to mind that one special employee -- the one just curious enough, clueless enough, and persistent enough to see this phish all the way to its ugly conclusion. Every organization has one. And you know that all the bad guys need to get in is one.

Although this particular phish used an overly involved process to resist identification and detection by automated security products and services, that involved design also made it ripe for identification by properly trained human employees who could not fail to see one red flag after another at every step along the way. New School Security Awareness Training is designed to give your users the upper hand should they encounter cleverly designed phishing schemes lurking in their inboxes. When all else fails, your users are your last line of defense -- provided you give them the tools to protect themselves and your organization's network.