Anatomy of a brilliant Phishing attack
There has been an increase in the number of e-mails and text messages that are landing in my spam folders recently. I am not sure why the upturn is happening, but some of the e-mails are getting very convincing.
It was not long ago that I would get badly spelled, poorly constructed e-mails that were easy to spot:
Subject: Yuor Natwast account has ten tnarsactions pending.
Now, not only do I not have a Natwest account, but the typos in the subject line made it super obvious.
Yesterday I got an e-mail.
Subject: Lloyds Bank Fraud Alert.
Which looked legit to me at first glance.
Sender: FraudAlert@lloyds.co.uk
Not bad – but a quick check (by hovering over the sender's name) showed that the domain was not Lloyds. That was only the sender name; the actual account sending the e-mail was something like
Fraud.Alert@lloyds.bank.user332798712379821.net
Additionally, it was sent to an e-mail address that I do not use for banking. The e-mail address was one of those that was part of a previous attack on TalkTalk, where many thousands of e-mail addresses and hashed passwords were obtained, along with partial credit card details.
The body of the e-mail looked perfect; it looked just like a Lloyds e-mail.
It was addressed to me too, although it used my first and last names, not Mr. M R, so that gave things away slightly. But it was subtle: it had my name on it, which upgrades this from a phishing attack to a spear-phishing attack.
What was even more interesting was that the ‘click to sign in’ link looked like it would take me to https://signin.lIoydsfraudaIerts.com.user332798712379821.net/(my email address) – again, hover over the link and you see the full thing.
Which again, at a glance, looked super legitimate; the extra junk in the domain would probably only be visible when viewed in most browsers. It was very impressive.
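Both checks above, the real address hiding behind a display name and the real host hiding behind a link (with its capital I standing in for a lowercase l), can be automated. The script below is an added example written for this page, not the author's code or any bank's own tooling. The sample From: header and link are constructed to mirror the ones described, and TRUSTED_DOMAINS, BRAND_WORDS and the short public-suffix set are placeholder assumptions to be replaced with real data.

```python
import re

# Constructed sample input, modelled on the e-mail described in the post
# (no real bank domains are asserted here; see TRUSTED_DOMAINS below).
SAMPLE_FROM = "FraudAlert@lloyds.co.uk <Fraud.Alert@lloyds.bank.user332798712379821.net>"
SAMPLE_LINK = "https://signin.lIoydsfraudaIerts.com.user332798712379821.net/me@example.com"

# ASSUMED allow-list: the registrable domains the brand genuinely uses.
# Placeholders for this example; populate from the bank's published guidance.
TRUSTED_DOMAINS = {"lloyds.co.uk", "lloydsbank.com"}
BRAND_WORDS = {"lloyds"}

# Public suffixes under which the registrable domain is three labels long.
# A production tool should use the Public Suffix List; this keeps the example offline.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}

# Characters substituted for look-alike letters inside a host name
# (capital I for lowercase l is exactly the trick in the link above).
LOOKALIKES = {"I": "l", "1": "l", "|": "l", "0": "o", "5": "s", "3": "e"}


def registrable_domain(host):
    """Approximate the registrable (apex) domain: the part the sender actually owns."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(text):
    """Fold look-alike characters to the letters a human reads them as."""
    return "".join(LOOKALIKES.get(c, c.lower()) for c in text)


def lookalike_substitutions(host):
    """(original, read-as) pairs in any label that spells a brand word only after folding."""
    subs = []
    for label in host.split("."):
        if any(b in normalise(label) for b in BRAND_WORDS):
            subs += [(c, LOOKALIKES[c]) for c in label if c in LOOKALIKES]
    return subs


def host_of(url):
    """Host part of a URL, ignoring userinfo (https://bank.example@evil.net/) and port."""
    m = re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]+)", url)
    if not m:
        return None
    netloc = m.group(1).rsplit("@", 1)[-1]
    return netloc.split(":")[0]


def check_host(host):
    """Classify a host by who owns it, not by what its left-hand labels say."""
    reg = registrable_domain(host)
    trusted = reg in TRUSTED_DOMAINS
    impersonates = sorted(b for b in BRAND_WORDS if b in normalise(host))
    if trusted:
        verdict = "ok"
    elif impersonates:
        verdict = "brand lookalike"
    else:
        verdict = "untrusted"
    return {
        "host": host,
        "registrable_domain": reg,
        "trusted": trusted,
        "impersonates": impersonates,
        "lookalike_substitutions": lookalike_substitutions(host),
        "verdict": verdict,
    }


def analyse_from(header):
    """Check a From: header; the real address is the angle-bracket part, not the display name."""
    m = re.match(r"^\s*(?P<name>.*?)\s*<(?P<addr>[^<>]+)>\s*$", header)
    name, addr = (m.group("name"), m.group("addr")) if m else ("", header.strip())
    name = name.strip(' "')
    result = check_host(addr.rsplit("@", 1)[-1])
    result["display_name"] = name
    # A display name that itself looks like an address at another domain is a classic tell.
    name_domain = name.rsplit("@", 1)[-1] if "@" in name else None
    result["display_name_domain_mismatch"] = (
        name_domain is not None
        and registrable_domain(name_domain) != result["registrable_domain"]
    )
    return result


def analyse_link(url):
    """Check where a link really goes, as hovering over it would show."""
    host = host_of(url)
    if host is None:
        return {"host": None, "verdict": "unparseable"}
    return check_host(host)


if __name__ == "__main__":
    for label, r in (("From", analyse_from(SAMPLE_FROM)), ("Link", analyse_link(SAMPLE_LINK))):
        print(label, r["registrable_domain"], r["verdict"], r["lookalike_substitutions"])
```

The point the script makes is that everything to the left of the registrable domain is free for the attacker to invent: signin.lIoydsfraudaIerts.com is just a subdomain under user332798712379821.net, and the script reports that same owned domain for both the sender address and the link, with the two capital-I substitutions listed separately.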
Out of interest, I fired up a VM and visited the site.
HTTPS was valid – Chrome reported the site as secure – someone had bought a certificate for this.
The sign-in page was very nicely done; this was very impressive. Most of the links took me back to the same page though…
Then the actual login piece was very clever indeed.
- It wanted my username: I entered zzzzhhhhhzzzz, which is not my username.
- It wanted my password: I entered password1 – again, not my password.
- It wanted characters 3, 4 and 6 of my secret code: I entered a, a, a, which are not mine.
- It told me that my secret information was incorrect, and asked for 1, 2 and 5: I entered a, a, a.
- It told me that it needed to send me a secret key and suggested I enter my phone number.
I bailed at this point. I deleted the VM, just in case, and sat and thought about this.
After this, I got an e-mail that contained a PDF that was a fake ‘Lloyds Satisfaction Survey’ – which, had I opened it on a Windows machine, would have installed a worm…
This was super good: it was a spear-phishing attempt. It was tailored to me. I should be honoured.
But look at what it could have collected.
- My Bank Login
- My Password
- Six of the characters in my secret data
- My phone number
Holy shit – that is brilliant.
It looked very official, it took me to a secure site, and it was set up to trap useful information that would give people access to my bank account. The satisfaction survey PDF was a lovely touch too.
This is one of the best attempts I have ever seen, I am sure that the average person would have given away some or all of their information.
Let’s recap.
My e-mail address was harvested along with partial credit card details in the TalkTalk breach. This gave an attacker my first and last names, a valid e-mail address and potentially the bank I used, based on the partial credit card data.
Knowing that I bank at Lloyds (great customer service BTW) and armed with decent spelling and grammar, customised e-mails were easy to generate, as were custom landing pages to harvest the information.
The PDF satisfaction survey was brilliant; the worm, had I been on Windows, looked like it would have run riot all over my network unless I was absolutely up to date on my updates and virus protection and using an admin (not user) account.
Very, very nicely done.