Posted on Leave a comment

Here’s what a targeted Russian spear phishing attack looks like

image thumb 3 1

Spear phishing: An email or electronic communications scam targeted towards a specific individual, organization, or business.  Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer – Kaspersky Lab

Russian hackers are basking in a lot of cred from their recent hacks against US government institutions.  In most cases, their most successful attempts where made via spear phishing attacks.  Here’s what a Russian targeted spear phishing email attack looks like:

image

The email looks like any other notification from a vendor you do business with (1and1 in this case).  A click on the link in the email takes you to this screen – a very well-done, but fake 1and1 Control Panel login page.

image

So how do we know this was a spear phishing attack?  Better still, how do I know it was a targeted attack?

Determining if you’re targeted is a bit difficult – along the lines of mind-reading, I guess.  Still, it looks much like a targeted attack.  First, the email and linked website are very familiar to me (and they would not be familiar to most people).  1and1 is a Internet hosting provider, known to many website operators.  An email such as this is not out of the ordinary for a website owner but would probably confuse anyone else.  Thus, it looks like the attack specifically targets website owners like me.

Information in the email seems legit too – a brief explanation of the event that cause the purported account lockout (the browser string listed was made to look like a Gecko/Firefox browser).  And of course, a motivated hacker will cover all bases – including making sure the account referenced in the email is indeed locked.  Hackers know all they have to do is miss the password a few times and the target’s account will lock itself.  Lock the account then send an email to have it unlocked.  Seems fairly targeted to me.

So what did the hackers do wrong?

Thus far, everything with this attack looks spot on legit.  Email seems okay and the website I was directed to looks like the 1and1 Control Panel login I’m familiar with.  So how do we know it’s a phishing attack?

Firstly, the date shown in the email is not in US formatted date and there’s a grammar error in the email (see if you can find it).  1and1 will format date/times in their emails according to the customer’s geo-location – and it’s highly unlikely they’d make a simple grammar mistake.

Secondly, the email composition is unusual.  If the HTML source behind the email is examined you will find a standard Sony password retrieval email.  Yes, “Sony” – not 1and1. Why?  This lets the email slip right through email filters and into your inbox undetected.  You see, the visible 1and1 email content is really one large graphic file which provides nothing for the scanners to alert on.  For someone moving through email quickly and not paying attention, you’d never notice the email content was a single graphic instead of inline HTML.  However, if you hover around the email you will find that more than just the “Verify in  your service area” text is linked – the entire email window is linked!  You can click anywhere on the email and you will be directed to what appears to be a 1and1 Control Panel login page.  This has the added advantage of making it easy to accidentally click through the email.

Thirdly, and this is a big one – the email “from” (sender) address was wrong.  It appeared to come from Sony.  This may seem like a dumb mistake on the hacker’s end but the Sony domain in the “from” address matches the content in the email.  Remember, the real content, the HTML that is NOT visible in the email client, is straight from a Sony password retrieval email.  Although hidden from visual examination, a email filter application will appreciate that the “content” of the email (the hidden HTML) matches the from email address.  Thus the email slips through the filters.  Pretty clever trick.

image

Finally, the target link in the email is a dead giveaway that something is amiss – bear-buddies.org.  Bear buddies, Fancy Bear – get it?

JavaScript is used to mask the link address in the email client and “View Source” is hidden through use of the giant graphic and silly Outlook tomfoolery, but a quick “view in browser” makes the source easily available.  The source reveals a large graphic hotlinked to bear-buddies.org with some purposely-hidden HTML to confuse the email security scanners.

As for the target domain, bear-buddies.org is registered to “Bear Buddies” out of Wisconsin – a legit business but their working domain is bearbuddies.com – not bear-buddies.org.  A whois lookup of the fake domain produces results that look remarkably similar to the real bearbuddies.com.

Also, the link target (bear-buddies.org) never truly renders in the browser because you are immediately redirected to laconlykos.com – this is where the fake login screen is served from.  Indeed laconlykos.com is hosted on 1and1 servers – a whois would lead some to believe the login page is indeed a 1and1 login screen.  What’s really on laconlykos.com?  A hacked BuddyPress/Wordpress installation. Doh!

Fill out the username/password (enter a snide message), click the login button (give it a second while the Russians snag your username/password and persist it to disk), and you’ll be redirected to a legit 1and1 login page informing you that the username/password you entered were incorrect.

But wait, why are Russians suspected?

Finally, why do I think the phishing attempt was initiated by Russians?  Because the IP address has been used in the past to host Russian content and malware nodes.

A for effort, B- for execution

It wasn’t a terrible attempt – I’ve seen worse.  The grammar mistake sunk them.  But hey, we can’t expect Russkies to be great hackers *and* masters of the English language.  I’d give them a “A” for effort but only a “B-“ for execution.

Leave a Reply

Your email address will not be published. Required fields are marked *