As we head into spring, leaving behind an eventful winter, the EdgeWave Threat Detection Center continues to see interesting approaches to bypassing traditional email security gateways. While these are difficult to place in the "campaign" category, it is worth reviewing some of the tactics as a reminder that a few "oldies but goodies" are still successful.
Our last couple of blog posts described campaigns whose goal was credential scraping. Recently we have seen examples in which the criminals returned to attempting wire fraud. This Florida school district is yet another cautionary tale of how effective email-borne wire fraud can be for criminals, but every organization should consider itself a target.
Following an approach very similar to the one used against the Florida school district referenced above, EdgeWave customers received an email purporting to come from General Excavating, informing them of a change to its remittance information. General Excavating is a real company, and the actual company logo and tag line were used in the message. The email also claimed to be from the company's actual president, to lend it a higher sense of legitimacy.
The first red flag is the phone number in the email signature. While the fax number shown is associated with General Excavating, the phone number is not. In fact, the 706 area code serves Columbus, Georgia and the surrounding parts of that state, a long way from Nebraska, where General Excavating is located.
Next up is the sender's email address. The domain looks correct at first, but on closer examination the "g" in "excavating" has been replaced with a "q". We have been playing the letter "O" versus digit "0" game for many years, yet the tactic remains effective: at a quick glance, an unsuspecting user could easily miss the difference.
The email came with two PDF attachments. Neither contained malicious content, but they provide more evidence of shady intent. In one, the remittance instructions give a completely different address for General Excavating, in Missouri (again, not Nebraska, where the company is located). For a bit of fun during this round of analysis, we checked the address in Google Street View: it is a house in a residential neighborhood.
On the technical side, the spoofed domain was only 15 days old when EdgeWave received the first sample. We increasingly find that domain age is a good indicator of suspicion, especially when combined with obvious elements such as a close misspelling of an active domain.
Digging a bit deeper, we found that the mail server that sent these emails is based in Honolulu, Hawaii, while the originating IP address was in Des Moines, Iowa. By themselves these elements are not suspicious, until you remember that General Excavating is based in, wait for it, Nebraska.
So the question becomes, "How did this get past my email security gateway?" The answer is simple:
• All links pointed to valid websites
• None of the associated IP addresses had a bad reputation
• Neither PDF attachment contained malicious content
• The text was clear, with no misspellings and accurate grammar
No gateway could connect the dots, for example that the phone number in the email signature was not related to General Excavating. It took human analysis to put the pieces together and accurately classify this as a malicious email. It is also why any request to change remittance or banking details should be verified out of band, by calling a number from your existing vendor records rather than the one printed in the email.
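To make "connecting the dots" concrete, here is an added example of the kind of triage a mail-processing hook could run on the signals described above. This is illustrative code written for this post, not EdgeWave's product logic and not the gateway behavior described. All domains, phone numbers, dates and message text are constructed: the lookalike domain mimics the g-to-q substitution using placeholder .example names rather than General Excavating's real domain, the 30-day "new domain" threshold is an assumption, and the domain creation date stands in for a WHOIS lookup that the code does not perform. The Nebraska area codes (402, 308, 531) are real.

```python
"""Heuristic triage for lookalike-domain wire-fraud email.

Added example, not EdgeWave's code. Every identifier, domain, phone number,
date and message below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import date

NEW_DOMAIN_DAYS = 30  # assumption: a domain this young should not be trusted on sight

# Phrases that signal a request to change where money is sent.
PAYMENT_CHANGE = re.compile(
    r"\b(remittance|wire|bank(ing)? (details|information)|routing number)\b", re.I
)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough to inline rather than pull in a library."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain: str, trusted_domains, max_distance: int = 1):
    """Return the trusted domain the sender domain impersonates, or None.

    Distance 0 is the genuine domain, not a lookalike, so it is not reported.
    """
    sender = sender_domain.lower()
    for trusted in trusted_domains:
        if 0 < levenshtein(sender, trusted.lower()) <= max_distance:
            return trusted
    return None


def domain_age_days(created: date, observed: date) -> int:
    """Age of the sending domain; `created` would normally come from WHOIS."""
    return (observed - created).days


def area_code(phone: str):
    """Extract the NANP area code from a US phone number, or None if unparseable."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits[:3] if len(digits) == 10 else None


@dataclass
class Observation:
    sender: str                  # From: address
    trusted_domains: tuple       # the vendor's real domain(s) from your records
    signature_phone: str         # phone number printed in the signature block
    expected_area_codes: frozenset  # area codes where the vendor actually operates
    domain_created: date         # registration date of the sending domain
    observed_on: date            # when the message was received
    body: str


def triage(obs: Observation) -> list:
    """Collect independent reasons for suspicion; each is weak on its own."""
    reasons = []
    domain = obs.sender.rsplit("@", 1)[-1]
    target = lookalike_of(domain, obs.trusted_domains)
    if target:
        reasons.append(f"sender domain {domain} is one edit away from {target}")
    age = domain_age_days(obs.domain_created, obs.observed_on)
    if age < NEW_DOMAIN_DAYS:
        reasons.append(f"sender domain registered only {age} days ago")
    code = area_code(obs.signature_phone)
    if code and code not in obs.expected_area_codes:
        reasons.append(f"signature phone area code {code} does not match vendor location")
    if PAYMENT_CHANGE.search(obs.body):
        reasons.append("message requests a change to payment details")
    return reasons


def is_suspicious(obs: Observation) -> bool:
    """Two or more independent signals: hold the message for human review."""
    return len(triage(obs)) >= 2


NEBRASKA = frozenset({"402", "308", "531"})

# Constructed sample modelled on the post: g swapped for q, 15-day-old domain,
# Georgia area code in the signature, remittance-change request in the body.
SAMPLE = Observation(
    sender="president@generalexcavatinq.example",
    trusted_domains=("generalexcavating.example",),
    signature_phone="(706) 555-0100",
    expected_area_codes=NEBRASKA,
    domain_created=date(2019, 3, 1),
    observed_on=date(2019, 3, 16),
    body="Please note our updated remittance information, attached.",
)

# Constructed benign message from the real domain for comparison.
BENIGN = Observation(
    sender="president@generalexcavating.example",
    trusted_domains=("generalexcavating.example",),
    signature_phone="(402) 555-0100",
    expected_area_codes=NEBRASKA,
    domain_created=date(2005, 1, 1),
    observed_on=date(2019, 3, 16),
    body="Attached is the invoice for last month's work.",
)

if __name__ == "__main__":
    for reason in triage(SAMPLE):
        print(" -", reason)
    print("suspicious:", is_suspicious(SAMPLE), "| benign flagged:", is_suspicious(BENIGN))
```

None of these checks would block the message on its own, which is the point of the post: a reputation-based gateway sees clean links, clean IPs and clean attachments. The value comes from correlating signals against what you already know about the vendor (its real domain, its location), and from routing anything that asks to change payment details to a person who verifies it out of band.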
And THAT’S the power of EdgeWave Inbox Detection and Response.