Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
You probably know that phishing attacks – cyber attacks using faked email – are getting more sophisticated. You may not know exactly how sophisticated. For the anatomy of one high-end account, the Federal Drive with Tom Temin turned to cybersecurity entrepreneur and Vice President of Strategy at INKY Roger Kay.
Tom Temin: And you have discovered a phishing campaign conducted using the Labor Department’s accoutrements and appearance and what was it after? And how did it work? And what should people know about this type of phishing attack?
Roger Kay: Well, we at INKY have a service that we put out there to protect our customers from phishing attacks. And we don’t actually look at their emails, that’s their private business, but they have the ability to report emails. And so we do see reports. And when we begin to see reports that correlate, we noticed that there’s a new campaign afoot. And so we wrote about it in this particular instance. So basically, what the phishers did was, they stood up various sites, and used them as a way to lure people into a credential harvesting scheme. So the payload was credential harvesting, they wanted your Microsoft credentials, your login name and password. And so to get you to do that, they pretended to be the Department of Labor. And as you know, in this environment, where we’ve been under COVID, and everyone’s been isolated, it’s a lot easier to go after individuals who aren’t in a context, they’re just sitting there looking at their computers, and they get something that looks like it came from the Department of Labor and says, “We have a big contract, maybe you’d like to bid on it?” Now, we know that most of the people that receive an email like that aren’t in a position to bid on federal contracts. And so a lot of them are wasted. But there are a few people who would say,”Well, wait a minute, we’re in that business. And I’m the person who could look at that. So let me see what we’ve got here. I’m a small and mid-sized business and so I’m hoping to get some piece of this large contract. I’ve heard that the feds are just doling out money. So I should be able to get a hold of some.” And so one of the things that these guys did was that they set up a number of domains that kind of look like the Department of Labor. So they use domain names like dol-gov.com, dol-gov.us and so on, none of which are the actual DOL site, which of course, is the .gov site. So that’s sort of one of the ways they did it. They then sent phishing emails from a site that could pass normal security checks, because typically, what they’ve done is they’ve taken over an account from a legitimate sender. So from the incoming side, if you do that sort of analysis, if your email servers do that analysis, then it looks like a perfectly fine email. It passes all of those checks. It comes from a legitimate center, it’s just not the right sender. So someone has impersonated this person and they send you an email, which has a PDF in it. And the PDF itself looks pretty good. It has Department of Labor logos and verbiage. In fact, they often clone sites like Department of Labor perfectly, all of the elements are exactly the same. That’s one of the nice things about the digital world, you can clone something completely.
Tom Temin: So there’s really two implications here. One is that the harvesting of some other campaign gave them good credentials from which to launch the site in the first place. And second, the fact that federal artwork and federal logos are, even though they’re trademarked they’re available in the public domain, pretty easily.
Roger Kay: You can literally grab a site and clone it and just change one tiny little element, which happens to be the bad button, the button that says “click here,” a big red or blue button that says “click here and you can do your bidding.” But then when you try to do that it takes you to one of these recently stood up sites, like sites where we’ve looked at the “who is” data, and we realized they put them up a week before the campaign started. And they have names that look pretty good so if you’re not looking too closely, you don’t realize oh, yeah, that’s not really Department of Labor. But when you get there, in this case, it was a big, black bid button. And behind it was a malicious link. And when you went to the site, again, it was this stood up site just recently for that, you were then asked to use your email credentials to log in. Now so one of the odd things that we’ve noticed this in quite a number of different campaigns, the phishers have a kind of a look back at the old con artistry which used to happen in the analog world where they needed something called a blow off to leave the mark down gently, so they could get out of town before the mark realized that they’d been hacked or stolen from, or whatever it was. So even though in the digital world, they’re not even there, they don’t have to get away, they seem to have put together the same type of ritual. So they asked you twice. If they enter your credentials, and you enter your credentials, and it says, “That was wrong. Try again.” So when that happens, one of two things happens. One is either you confirm those credentials, and they’ve got a sure copy. Or you say, well, maybe it wasn’t that account, maybe it’s a different account, you give them two. But then on the third go, they drop you into the real Department of Labor site. So all of a sudden you find yourself, they’re looking at actual DOL going like, I don’t know, why am I here? And they sort of wandering around in a daze moment, however long that takes gives the phishers theoretically, time to get out of town, even though they don’t really need it.
Tom Temin: Sure. So the question is, does this have any danger to the Labor Department itself in some manner?
Roger Kay: Well the Labor Department should be aware of it. And often when we see these campaigns, we try to get a hold of the impersonated entity to say, Oh by the way, do you know you’ve been impersonated, and maybe you want to look into this? But in fact, they have nothing to do with it. The sites are all impersonating them, and they come from somewhere else. So it’s nothing that DOL has done wrong.
Tom Temin: So for the recipients of this type of email, will the DMARC [Domain Based Message Authentication Reporting] architecture help or are there any remedies that you can install to keep this from happening?
Roger Kay: Well, unfortunately, no. So the just vanilla email has some very simple things. On the outbound side, there’s SPF and DKIM. And DKIM basically is a cryptographic signature that says that this server is known publicly to be the right server. And SPF basically says that server has the right to send email from a certain range of IP addresses. And it was sent from a legal address. The DMARC side of it is on the incoming side. And so if you’re a recipient, then you know your people should have stood up DMARC. And that examines the SPF and DKIM data as it comes in and says, yup, these are OK. Now, the problem with that is that it’s very easy to pass those things as the bar is very low. So if for example, if someone takes over an account, or if they stand up a new account, a new email server under a new domain that has never been seen by anybody before, there’s nothing wrong with it. So that server puts out good DKIM and good SPF information. And your DMARC reader will say those look fine. So the answer really is you need phishing detection. And so the key to phishing detection is that it detects impersonation. So it says, “Can we figure out what this email is trying to be? Who does it look like it’s coming from? Does it look like it’s coming from the Department of Labor?” Well, it does to us because we see logos that look like DOL, and we see language that says DOL and so on. And on the other side, we can look under the hood, and say, “Where did it really come from?” So if it came from a machine shop in Kazakhstan, that we know that it’s not under the control of Department of Labor, therefore, it must be an impersonation. So if you mark something as an impersonation, you can be pretty sure that it’s a phish.
Tom Temin: Got it.
Roger Kay: Oh, by the way, if you do detect a phish, you can be pretty sure that behind it is a campaign. So the DOL campaign was credential harvesting, which is only essentially a partway campaign. So it’s a campaign on its way to another campaign.
Tom Temin: First, they want the credentials, and then they’re going to do something else with them.
Roger Kay: Exactly. So they may be dropping malware that does various sort of spying in your organization, they may be looking to launch a ransomware attack, either for money or for other purposes. In the current situation in Russia and Ukraine, there’s a certain amount of the first half of a ransomware attack where they shut down something, but they don’t offer the keys. The ransom, where you say, “Well if you pay us, we’ll give you the keys.” In this other case, they’re just saying, “We’re shutting you down. We’re not giving you the keys.” So that’s another possibility.
Tom Temin: Right, so basically, they’re gathering the ammunition and they’re going to fire it in the second campaign. And that was my other question, is INKY noticing an increase in this type of activity from Russia at this point? I mean, they’re always there.
Roger Kay: We actually looked at it this morning, I asked one of our data analysts about it, he said, “Nothing but fine, Russian brides seem to be coming through at the moment.” So we’re not seeing an obvious increase in this sort of activity right now, which is just very interesting, by the way.
Tom Temin: But phishing detection, though, that is a capability that people can put in and it runs in an automated fashion?
Roger Kay: Yes. If you look at the various classes of email providers, you start off with the big ones. So you’ve got Google and Microsoft who supply most of this sort of email infrastructure for almost everybody. And they will offer pretty basic stuff with their basic services, and they’ll offer slightly better stuff with their better services. On top of that, there’s another group of folks we call the secure email gateways that have more capabilities for detecting things. Almost all of that was built for the spam era, though, which tries to say does this look like something that we identify as spam? And the difference between that and the more sophisticated and recent phishing attacks is that we’re saying the better phish it is, the better it will look. So it’ll really look like DOL, to the point where a human couldn’t tell the difference. And so, if you’re trying to detect anomalies, you’re going to find the wrong thing, because there will be no anomalies. And so basically, unless you can do the impersonation detection, you can’t figure out whether it’s a phish or not.
Tom Temin: Roger Kay is vice president of Security Strategy at INKY. Thanks so much for that detailed explanation.