Does 2-Factor Authentication Keep You Safe?

Not always. The Victor crew found an article/video that demonstrates how you have to be very careful even if you have 2-factor authentication in place. The trouble can occur when a user clicks a link sent in a phishing attack. The email may look legitimate, but it may have the real site name misspelled.

The most important takeaway is to stop and think before clicking a link, even if you think it comes from a legitimate source. If you receive a message from a major site, most likely you can just go to that site, log in, and see any notifications someone may have sent rather than relying on the emails that are generated.

You can see how 2-factor authentication is bypassed in this demonstration by Kevin Mitnick from KnowBe4.com.

Windows Defender Browser Protection

There is an extension for the Chrome browser called Windows Defender Browser Protection. It extends your Defender protection to include your browser. It will keep you from accidentally clicking through to a phishing site. You can also turn the protection on or off. If you click a link in an email, it will help by reporting to you that the website is unsafe.

After you install it on your browser, you will see a small Defender icon at the top of your browser. You can click it and then you will see the dropdown (shown below). You can turn it on or off temporarily.

Windows Defender Chrome Addon

Get the extension for Chrome here.

Learn more about how it works from Microsoft.

Whaling Attacks

We recently came across the term “whaling” so of course, we needed to know more about it. Here is what the Victor crew found out. It is a form of phishing aimed at high-profile business executives, managers, CEOs, etc. The attackers are going after the “big fish.” The emails sent to them are more official looking and target a particular person. A regular phishing attack usually goes out to a lot of people, trying to lure anyone. Whaling is also considered a form of “spear phishing,” which is an attempt to target an individual person or company.

As with phishing, whaling is used to get a person to reveal sensitive information, such as login credentials, to an account. They do this by trying to scare the individual into giving this information up.

Whaling goes so far as to make a web page or email that looks like the legitimate one. You may even be enticed into downloading a program in order to view a page or to get your information. It may come in the form of a false subpoena, message from the FBI, or some kind of legal complaint against you.

Be aware of what you are clicking. If you can, hover over the link and see where it is taking you. Try putting the URL in an analyzer, such as VirusTotal or TrendMicro, to see if it is safe. If in doubt, don’t click or download anything you are unsure of.

New type of phishing attacks affecting browsers

The Victor crew came across an urgent matter. If your browser is Chrome or Firefox, be aware of a new phishing attack. An attacker can send you an email with a link to a malicious website. The site may either infect your computer or trick you into entering your credentials by making you think you are on the correct site.

The people from Wordfence, a security plugin for WordPress, found this last Friday, April 14, 2017. They set up a demo site to show what is happening. It is well worth checking their article to see if you are affected and what to do. They have set up a demo using a medical site, epic.com, so you can test your browser and browser settings. You can visit their demo site here in Chrome or Firefox. To compare the demo site with the real site it imitates, you can visit the real site here.

This does not affect Windows or Safari browsers. Currently there is a fix for Firefox browsers. Here is what you do:

Open your Firefox browser
Type about:config in the address bar
Search for ‘puny’ (without quotes)
You should see network.IDN_show_punycode set to ‘false’
Double-click it to change it to ‘true’

Chrome currently does not have a fix for it.
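To show what the network.IDN_show_punycode setting exposes, here is an added example (not from Wordfence or the original post) that converts a link's host name to its punycode "xn--" form and reports labels containing non-Latin letters. The sample URLs and the function names are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed samples: Cyrillic letters that render like Latin "epic" / "example".
LOOKALIKE = "https://\u0435\u0440\u0456\u0441.com/login"
MIXED = "https://ex\u0430mple.com/"

def label_scripts(label):
    """Approximate the scripts used in a label from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def inspect_host(url):
    """Report the punycode form of a URL's host and any non-Latin labels."""
    host = urlsplit(url).hostname or ""
    # ASCII form: what the address bar shows once punycode display is enabled.
    ascii_host = host.encode("idna").decode("ascii")
    # Unicode form: what the address bar shows when it renders the IDN.
    unicode_host = ascii_host.encode("ascii").decode("idna")
    findings = []
    for label in unicode_host.split("."):
        scripts = label_scripts(label)
        if scripts - {"LATIN"}:
            kind = "mixed-script" if len(scripts) > 1 else "non-Latin"
            findings.append((label, kind, sorted(scripts)))
    return {"ascii": ascii_host, "unicode": unicode_host,
            "findings": findings, "flagged": bool(findings)}

if __name__ == "__main__":
    for url in (LOOKALIKE, MIXED, "https://epic.com/"):
        print(inspect_host(url))
```

A flagged host is not automatically malicious, since legitimate internationalized domains exist; the point is that the "xn--" form makes a look-alike visibly different from the name you expected.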

Gmail Alert

If you use Gmail, like many others, the Victor crew wants you to be aware of a new phishing attack going around. This one is even fooling tech-savvy and security-conscious people. The attackers are trying to steal usernames and passwords for Gmail.

It starts as an email that appears to come from someone you know and may even have an image of an attachment you might think is from the sender. If you click on it expecting a preview, like Gmail normally gives, a new tab will open instead and ask you to sign in to your Gmail account again. Make sure you look at the address bar and see only https://accounts.google.com… If you see “data:text/html,” before it (data:text/html,https://accounts.google.com/ServiceLogin?service=mail), DO NOT ENTER YOUR LOGIN!

If you think you may have already fallen for this attack, change your Google password.

https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/
http://www.pcmag.com/news/351113/dont-fall-for-this-sophisticated-gmail-phishing-scam
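The address-bar check described in the Gmail alert above, written out as an added example (not code from the original post or from Google). The function name is hypothetical, and the sample addresses other than the data: URI quoted in the post are constructed.

```python
from urllib.parse import urlsplit

EXPECTED_HOST = "accounts.google.com"  # the host the post tells you to look for

def check_signin_address(address_bar):
    """Return (ok, reason) for the text shown in the browser's address bar."""
    parts = urlsplit(address_bar.strip())
    scheme = parts.scheme.lower()
    if scheme == "data":
        # The page is embedded in the address itself; nothing came from Google,
        # even if "https://accounts.google.com" appears later in the string.
        return False, "data: URI, not a page loaded from Google"
    if scheme != "https":
        return False, "scheme is %r, expected https" % (scheme or "missing")
    host = (parts.hostname or "").rstrip(".")
    if host != EXPECTED_HOST:
        # Covers look-alike hosts that merely contain the expected name.
        return False, "host is %r, expected %r" % (host, EXPECTED_HOST)
    return True, "https on " + EXPECTED_HOST

# Address quoted in the post, followed by constructed samples.
SAMPLES = [
    "data:text/html,https://accounts.google.com/ServiceLogin?service=mail",
    "https://accounts.google.com/ServiceLogin?service=mail",
    "http://accounts.google.com/ServiceLogin?service=mail",
    "https://accounts.google.com.signin.example.net/ServiceLogin",
    "https://accounts.google.com@login.example.net/ServiceLogin",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_signin_address(sample)
        print("OK  " if ok else "STOP", reason, "<-", sample)
```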

Phishing for your credentials

Google and the University of California, San Diego conducted a study to analyze the effectiveness of email scams. The study ran from 2011 to 2014. They explored how criminals acquire credentials of their victims, how criminals monetized the account credentials and how Google gave control back to the victim.

They found accounts were hijacked most often through phishing. Most of the hijacking attempts came from China, Ivory Coast, Malaysia, Nigeria, and South Africa, based on the geolocation of their IP addresses. Criminals attempted to access 20% of the accounts within half an hour. Victims’ accounts were found to be restored through SMS 81% of the time. A secondary email address helped 75% of the time. Without these to rely on, victims need to rely on secret questions, and that causes the success rate to fall to 14%.

The ways criminals manually hijack an account consist of phishing the user’s credentials, installing malware on the machine to steal the credentials, or trying to guess their password. The study was limited to phishing emails sent to victims, and specifically to 100 emails selected at random from 5000 emails reported by users. They also used phishing pages that were detected by SafeBrowsing. They found that once the criminals are in the account, the contacts are also targeted.

Of the hundred phishing emails studied in January 2014, 62 of them contained URLs that pointed to pages designed to impersonate a well-known site to trick users into putting in their credentials. The other 38 emails asked users to reply to the email with their credentials. Because the links in the emails go to the page from the email itself, the researchers found there wasn’t a referring website when they were tracking visits, which confirmed when the links were clicked on.

One surprise is that the most common email addresses being phished had the .edu top-level domain. The study reported that it was possibly due to schools having less robust spam filters and more social networks being used by the students.

The study estimated that 13.7% of visitors complete the web forms used in phishing, higher than they thought it would be. In order to get some data, they submitted 200 fake credentials into a random sample of phishing pages that asked for Google credentials. They recorded the times so they could follow the response times. They found 20% of the fake accounts were accessed within half an hour and 50% within 7 hours. Once logged in, they spent an average of 3 minutes to assess the value of the account before exploiting it. The criminals would look through email history for the victim’s banking information or what they flagged as important.

The hijackers would spend some time going through emails and contacts to see how they could monetize the account. They found some of the scams to consist of a story to pull at people’s heartstrings in order to try to make some money.

What you can do:
Use 2-factor login. Check your account often. Have a backup email address or SMS number available for account recovery.

Jody Victor