What was the most interesting phishing trend we observed in 2014? While attackers are loading up their phishing emails with new malware all the time, the majority of their phishing emails use stale, recycled content.
Given this trend, a list of the best phishing emails of 2014 may not sound like a riveting exercise, but just because they reused content doesn’t mean we didn’t receive a number of interesting phishing attacks.
10 – Fax notice phishing
Fax machines may seem like something you only see on VH1’s “I Love the 90s” but fax notices are a popular theme for phishing emails. Many of the attacks discussed on this page used fax-themed phishing emails, and we recently received fax-themed attacks that sent updated versions of Dyre and an attack that featured Upatre malware. In the case of the Upatre Trojan downloader, the phishing content was the same as any generic eFax phish, but the technical methods behind the malware were cutting-edge.
9 – .NET Keylogger
This attack started with a standard banking-themed phish with a .zip attachment. The malware turned out to be a .NET keylogger that could also scrape passwords stored in web browsers and other applications. Pretty deadly.
8 – Message from attorney
Spring 2014 saw a number of phishing emails purporting to be from a neighbor who was sending a .zip file containing sensitive information from the recipient’s attorney. Why would your neighbor email you a .zip file from an attorney? It’s a valid question, and an important one to ask, because the .zip file contained a malicious executable.
7 – Ransomware phishing
Back in May 2014, a round of phishing occurred that used fake MAILER-DAEMON email delivery failure notices to trick recipients into running an executable that installed a variant of Cryptolocker. A few weeks later, a fax-themed phish led recipients to Cryptowall. Examining the attackers’ bitcoin wallets showed they had collected over $130k in ransom payments.
6 – ADP themed email with PDF exploit
Payroll-themed phishing emails are extremely common because they let the attacker project a sense of authority and stir up emotions such as urgency, fear, and greed. What was unique about this ADP phish? It contained a PDF exploit that injected shellcode into Reader. To complicate analysis, the attackers used several layers of zlib compression and obfuscated, difficult-to-track variable names.
5 – IRS data-entry phish
Death, taxes, and phishing emails that spoof the IRS. Spoofing our nation’s tax collection agency is a tried and true tactic, and this phishing email from August 2014 played on the recipient’s excitement about receiving a tax refund by linking to a page where the recipient could enter payment information for the refund, provided he/she first entered login credentials. After performing OSINT analysis on the phishing page, we found the same text had been used way back in 2006.
4 – Slava Ukraini phish
Back in July 2014, a new strain of Dyre appeared, packed as a .zip file containing a screensaver (.scr) file, which Windows runs as an ordinary executable. The malware was interesting, but the phishing email? It was a simple fax notice.
3 – Compromised .edu domain serving ZeuS
Near the end of October 2014, a pretty ordinary phishing email did the rounds, with a .zip attachment supposedly containing information about a payment. The attachment contained a variant of ZeuS. Why does it make the list? The attackers sent the email from a compromised .edu domain. The trusted reputation of an educational institution’s domain, and the generous bandwidth those domains usually have, give attackers an appealing platform for delivering malware.
2 – Dropbox phishing
The rise of third-party cloud services like Dropbox has provided attackers with an interesting new method to deliver nasty stuff through your network. A round of emails in June 2014 that served as the precursor to Dyre linked to a supposed invoice on Dropbox. The Dropbox link itself was legitimate, only it led to a .zip file containing a .scr, not an invoice. Dropbox has been quick to shut down this type of abuse, but it has proven to be a great method for attackers to get past spam filters. Dropbox use is so pervasive that most organizations won’t block its links. A few weeks later we would see Dropbox links abused in targeted attacks against the Taiwanese government.
1 – Dyre malware email
The most notorious phishing email of 2014 seemed innocent enough at first glance. The content of the emails themselves was bland: one simply directed the recipient to a link to an invoice, while the other was a bit more extensive, directing the recipient to a link to learn more about a failed tax payment. Both of these led to the now notorious Dyre malware, a remote access Trojan (RAT) that has targeted banking information and customer data. Dyre’s impact has been widespread enough to catch the attention of US-CERT.
If we learned only one thing about phishing in 2014, it should be that phishing attackers repeat themselves. This can prove useful to help us defend against phishing in the future. While the security industry has traditionally focused on bad IP addresses and malware when it comes to phishing, we ought to be focused on tactics, techniques, and procedures (TTPs). Focusing on email content, headers, and URLs to recognize patterns and take preventive action will add another layer of phishing defense.
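To make that concrete, here is an added example (not code from the original post) of content-, header- and URL-based triage in Python. It turns the recycled patterns described above into checks: a recurring lure theme in the subject, a Return-Path that does not match the From domain, a cloud-storage link whose target is an archive or executable, and a .zip attachment that wraps a .scr or .exe. The three sample messages, the keyword and host lists, and all domain names are constructed for illustration and are assumptions, not indicators from the post.

```python
"""Pattern-based phishing triage over raw RFC 822 messages.

Added example, not from the original post. Sample messages, keyword lists
and domains below are constructed for illustration (assumptions).
"""
import email
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Recycled lure themes the post describes (assumed keyword list).
THEME_KEYWORDS = ("fax", "invoice", "payment", "payroll", "irs", "refund",
                  "mailer-daemon", "delivery")
# Extensions Windows will execute even when the name looks harmless.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
# Cloud-storage hosts most organizations will not block (assumed list).
CLOUD_HOSTS = ("dropbox.com", "dropboxusercontent.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def archive_contains_executable(blob: bytes) -> list[str]:
    """Names of executable members inside a zip blob; [] if not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
    except zipfile.BadZipFile:
        return []


def triage(raw: bytes) -> list[str]:
    """Return indicator tags for one raw message (empty list = nothing seen)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    tags = []
    # Content: does the subject carry one of the recycled lure themes?
    subject = str(msg["Subject"] or "").lower()
    for kw in THEME_KEYWORDS:
        if re.search(rf"\b{re.escape(kw)}\b", subject):
            tags.append(f"theme:{kw}")
            break
    # Headers: bounce address domain should match the visible sender domain.
    from_domain = email.utils.parseaddr(msg["From"] or "")[1].lower().rpartition("@")[2]
    return_path = email.utils.parseaddr(msg["Return-Path"] or "")[1].lower()
    if return_path and return_path.rpartition("@")[2] != from_domain:
        tags.append("header:return-path-mismatch")
    # URLs: a trusted cloud host is fine, a link to an archive/executable is not.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if any(host == h or host.endswith("." + h) for h in CLOUD_HOSTS):
            if parsed.path.lower().endswith((".zip",) + EXECUTABLE_EXTS):
                tags.append(f"url:cloud-archive:{host}")
    # Attachments: look inside zips instead of trusting the outer name.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".zip"):
            for member in archive_contains_executable(payload):
                tags.append(f"attach:zip-exe:{member}")
        elif name.endswith(EXECUTABLE_EXTS):
            tags.append(f"attach:exe:{name}")
    return tags


def build_zip(member_name: str) -> bytes:
    """Constructed zip holding a fake PE stub under the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ" + b"\x00" * 16)
    return buf.getvalue()


def build_message(sender, subject, body, zip_name=None, return_path=None) -> bytes:
    """Constructed sample message; all addresses are illustrative."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    if return_path:
        msg["Return-Path"] = return_path
    msg.set_content(body)
    if zip_name:
        msg.add_attachment(build_zip(zip_name.replace(".zip", ".scr")),
                           maintype="application", subtype="zip", filename=zip_name)
    return bytes(msg)


def run_samples() -> dict[str, list[str]]:
    """Triage four constructed messages modelled on the themes in the post."""
    return {
        "fax": triage(build_message("eFax <noreply@efax-notice.example>",
                                    "You have a new fax", "Open the attached document.",
                                    zip_name="fax_0001.zip",
                                    return_path="<bounce@mailer.example.net>")),
        "dropbox": triage(build_message("ap@supplier.example", "Invoice 4471 attached",
                                        "Invoice: https://www.dropbox.com/s/abc123/invoice_4471.zip")),
        "edu": triage(build_message("bursar@univ.example.edu", "Payment information",
                                    "See attached.", zip_name="payment_details.zip")),
        "clean": triage(build_message("colleague@corp.example", "Slides from Thursday",
                                      "Slides: https://www.dropbox.com/s/xyz/slides.pdf")),
    }


if __name__ == "__main__":
    for name, tags in run_samples().items():
        print(f"{name:8s} {tags}")
```

The "edu" sample is the point of the ZeuS entry above: a reputable sender domain earns no pass, because the attachment check looks inside the archive rather than at who sent it. The "clean" sample shows the URL check keys on the link target (.zip/.scr), not on the Dropbox host, which is why the ordinary share of a .pdf is not flagged.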