Spammers dive into design for better phish

The newest phishing email to hit my Outlook inbox had a visual message: Spammers have learned that design sells.

Most phish are really like fish – they smell, and not just after three days. There usually is something that screams “FAKE” and practically pushes you to trash it.

The obvious forgery of most phish also makes it hard to sympathize with phishing victims. After all, if they had kept their eyes open for those really blatant visual issues, they would never have fallen into the trap of the latest malware that did so many nasty things to them.

Take, for example, Hillary Clinton campaign chairman John Podesta. He (and a couple of others) clicked on phishing emails sent by some alleged Russian hackers. That wasn’t so smart: It led to the Hillary campaign’s emails being hacked wide open, a gush of negative publicity, and we know who lost that election.

Phish swim in schools

The Podesta phishing attack was reportedly from a Russian hacking group tied to the Russian government, but I haven’t figured out just whom to blame for my morning spam.

The most likely source of my spam was an organized crime syndicate (89%) according to the Verizon 2016 Data Breach Investigations Report. The chance of a state-affiliated actor is just 9%, especially for an unimportant person like myself. I can’t claim to have been seduced by a super-sexy phishing attempt.

But there is some close similarity in the visual wrapper of both phish. The Hillary campaign emails appeared to come from Google’s Gmail service and requested a password reset. The one that came to my inbox purported to come from something similar – Microsoft’s Outlook.

Let’s talk about design

What I noticed about my spam note was its imitation of the Microsoft design language. The authors worked hard to copy many of the visual elements that a real message might contain.

There ends the list of positive points. While I could go into a much longer list of stylistic and grammar errors in my little phish, I will not. After all, why do a free in-depth quality analysis for the bad guys?

Greater minds have been fooled

Give Mr. Podesta some credit. He didn’t pick impulsively. A campaign staffer – maybe a tech-savvy Millennial – said that email was probably legit. However, the staffer also recommended that he go through the official procedures to update his password, a sound bit of advice that was not followed. Others were not so careful, with at least one impulsively responding at 4 a.m. and clicking on the bogus “change password” button.

According to SecureWorks, a cybersecurity firm involved in this situation, the Hillary campaign phishing emails were sent to 108 email addresses and resulted in about 20 clicks – a success rate of about one in five.

Yes, phishing attempts usually run on impulse. According to the Verizon report, the median time for the first target in a phishing campaign to open that email is just 1 minute and 40 seconds after receiving it. And, the median time for the bad guys to get their first click on the malicious attachment is 3 minutes and 45 seconds. And yes, most people have phish for a morning snack as they clean out their email box before lunch.

Verizon calculates that on average, about 30% of phishing messages are opened by the target with about 12% of recipients going on to click the malicious attachments and enabling the attack to succeed.

Going beyond the style

Just to confirm that this was indeed a phishing email, the email was forwarded to the Avira Virus Lab for their analysis. Their verdict:

“This is a clear Phishing case. The mail has the typical scary message to make the user click on the link, then it redirects them to the web.”

Malware analyst Oscar Anduiza explains his next steps:

1. The phishing website is almost identical to the official login page for a Microsoft account. But, by checking the browser URL, you can see that it has nothing to do with Microsoft. I put a totally fake mail and password there and this was accepted.
2. Then the site asked me to add a phone number and another mail “for verification” – which I did.
3. I was redirected to the official Microsoft page.
4. But, after adding in the new email details from Step 2, this data was not accepted and you can see that the account does not exist.

“Phished users can logically think that the login process failed somewhere. But this interaction was completely successful for the bad guys. They have your Microsoft email account, the password, your phone, and even another email address.” — Oscar Anduiza, Malware Analyst at Avira.
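The analyst’s first check above – look at the browser URL, not the page design – can be made mechanical. The following is an added example, not Avira’s code or tooling; the allow list of sign-in domains, the brand words, and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: registrable domains a genuine Microsoft account
# sign-in would use. Not an exhaustive or authoritative list.
LEGIT_LOGIN_DOMAINS = {"microsoft.com", "live.com", "microsoftonline.com", "office.com", "outlook.com"}
# Brand words a lookalike page tends to put in a subdomain or path.
BRAND_WORDS = ("microsoft", "outlook", "office", "live")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for .com-style names; a
    production check would use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_login_url(url: str) -> dict:
    """Flag the ways a phishing link can look like a Microsoft sign-in page
    while pointing elsewhere. Returns host, registrable domain, and reasons."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # https://login.live.com@evil.example/ : the "login.live.com" part is
        # userinfo, the real host is what follows the @.
        reasons.append("userinfo before host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label")  # homoglyph domains show up as xn--
    dom = registrable_domain(host)
    if dom not in LEGIT_LOGIN_DOMAINS:
        brand_in = any(word in url.lower() for word in BRAND_WORDS)
        reasons.append("brand name outside registrable domain" if brand_in else "unknown domain")
    return {"host": host, "registrable": dom, "legit": not reasons, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links: two genuine-style, two in the style of the phish above.
    samples = [
        "https://login.live.com/login.srf",
        "https://login.microsoftonline.com/common/oauth2",
        "http://microsoft-account-verify.example/login",
        "https://login.live.com@evil.example/",
    ]
    for link in samples:
        print(link, "->", check_login_url(link))
```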

The Golden Rule is clear: Think before clicking – always. Because phish are getting more design conscious. And, you probably won’t be able to pin your faulty decision on an Evil Hacker State.