The Triple Trouble: 3-Stage Phishing.
2020-08-05 21:05:49 Author: perception-point.io

Perception Point’s platform intercepted a unique, 3-stage attack that uses multiple evasion techniques, in order to infiltrate the targeted organization. In this post, we will present the complex attack and how Perception Point’s unique engines prevented it.

Chen Abadi, Senior IR Analyst

Overview.

Attackers are always evolving in their pursuit to bypass security vendors and reach the end-user, using many creative techniques to do so.

The Attack.

The attack targeted a US-based enterprise and is built from 3 stages, each using its own evasion techniques. Each stage has its own purpose and role in tricking the end-user into acting wrongfully, step by step.

Stage One: Leveraging a Cloud Storage Platform

The attack starts with a phishing email that impersonates Dropbox, a leading cloud storage platform. The disguise is comprised of:

  • Domain spoofing
  • Usage of a logo
  • Overall design of Dropbox’s email templates

But the interesting part is actually where the payload is stored. The email itself doesn’t include any malicious payload of its own – only a legitimate link that later points to a malicious piece of content (a file). This first level of evasion will successfully bypass most email security vendors.

Screenshot of the original email

Stage Two: The Intermediate File

Once the user clicks on the link, a Dropbox page is opened – this is a real, clean Dropbox domain. As with any Dropbox share, there is a button to download a file. This means that the email security solution needs to somehow click that link, download the file, and then scan it with its detection engines.

Screenshot of Dropbox download page

Once the end-user clicks on the download button, a PDF is downloaded. The file itself does not carry a malicious payload. However, as can be seen below, once opened, the document requires the end-user to log in to view the contents.

Screenshot of the file once opened

Stage Three: The Phishing Form

One would expect the file to be the final stage of evasion, but you’re in for a surprise. The attacker took another step to ensure the success of the attack. Instead of creating a simple Microsoft login page to steal the user’s credentials, he chose to create it as a Google Form. This means that the page is a “legitimate” form which can be created in Google freely, without any limitation and without any security solution “blacklisting” docs.google.com. Google is aware that many security solutions cannot prevent these attacks; as such, they even inserted a warning about this option (“never send passwords using google forms”). With Perception Point, we can also detect this trick, as is explained below.

Screenshot of the phishing page using Google Forms
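To make the three stages concrete from a defender’s side, here is an added example (not Perception Point’s code, and not taken from the original post) that walks the chain the way a recursive unpacker would: it checks the sender display name against its domain, finds the cloud share link in the email body, and then pulls link targets out of the downloaded PDF to see whether the document points at a Google Forms page. The email and PDF bytes are constructed samples with EXAMPLEID placeholders, and the stage-two download itself is assumed to have been done by a sandbox that hands over the PDF bytes.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample email (not the original message): the display name
# claims Dropbox, the sending domain does not, and the only payload is a
# share link on the real dropbox.com domain.
SAMPLE_EMAIL = """\
From: Dropbox <share@example-notifier.test>
Subject: Hu Zhengguo sent you "Audit_Review_9.pdf"
Content-Type: text/plain

Hu Zhengguo shared a file with you.
View file: https://www.dropbox.com/s/EXAMPLEID/Audit_Review_9.pdf?dl=0
"""
# Constructed minimal PDF fragment with one link annotation whose /URI
# points at a Google Forms viewform, as the intermediate PDF did.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
              b"/URI (https://docs.google.com/forms/d/e/EXAMPLEID/viewform) >> >> endobj\n%%EOF")
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
SHARE_HOSTS = {"dropbox.com", "www.dropbox.com"}
FORM_HOSTS = {"docs.google.com"}

def sender_spoofs_brand(msg, brand="dropbox"):
    """Display name claims the brand but the address domain is not the brand's."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    return brand in name.lower() and not domain.endswith(brand + ".com")

def pdf_uris(data):
    """Extract /URI (...) targets from uncompressed link annotations (enough for the sample)."""
    return [m.decode() for m in re.findall(rb"/URI\s*\(([^)]*)\)", data)]

def triage(raw_email, pdf_blob):
    """Walk the chain: email -> share link -> (downloaded) PDF -> embedded form URL."""
    msg = message_from_string(raw_email)
    findings = []
    if sender_spoofs_brand(msg):
        findings.append("stage1: display name spoofs Dropbox")
    if any(urlparse(u).hostname in SHARE_HOSTS for u in URL_RE.findall(msg.get_payload())):
        findings.append("stage1: payload delivered via cloud share link")
    # Stage 2 (following the link and downloading the file) is assumed done by a sandbox.
    if any(urlparse(u).hostname in FORM_HOSTS and "/forms/" in u for u in pdf_uris(pdf_blob)):
        findings.append("stage3: PDF links to a Google Forms page")
    verdict = "malicious" if len(findings) >= 3 else ("suspicious" if findings else "clean")
    return verdict, findings
```

Each finding alone is weak evidence (real Dropbox mail contains dropbox.com links, and many PDFs link to Google); it is the full chain, a spoofed brand mail leading through a clean share to a document that asks for a login on a form, that justifies the verdict.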

How Perception Point Prevented the Attack.

In the screenshot below, taken from our X-Ray viewer, we see that the attack was caught by the Threat Intelligence and Anti-phishing layers. But before that, our “secret sauce” was in action – the “Recursive Unpacker”. We uncovered the attack using the following technologies:

  • The Anti-evasion Layer:
    At the end of the 3-stage attack there is a phishing page, but in order to find it you need a strong anti-evasion layer that identifies the deeply concealed payload. As you can see below, our anti-evasion layer successfully tracked the entire path to the malicious content and flagged it in the system. This unique capability is the result of an advanced R&D effort and is unique to Perception Point, allowing it to extract any hidden payload or attack technique.
  • The Threat Intelligence Layer:
    Perception Point manages a large Threat Intelligence database that identifies known specific attacks as well as attack techniques, and is updated by the minute from worldwide sources. In this case, our Threat Intelligence layer identified many indicators that seemed suspicious to our system, and based on advanced mechanisms the mail was deemed malicious.
  • The Anti-phishing Layer:
    This layer includes several different engines and unique algorithms, including ones leveraging image recognition. These algorithms identify any attempt to impersonate both commonly abused brands and niche brands. In this case, we see how the anti-phishing layer identified that the Google Form was actually an attempt to look like an Office 365 log-in page and steal credentials.

IOCs:

  • Subject: Hu Zhengguo sent you “Audit_Review_9.pdf”
  • Sender: Dropbox <[email protected]>
  • IP: 54.240.60.149
  • Phishing URL: https[:]//docs.google[.]com/forms/d/e/1FAIpQLSfhYAN86rffb2mKjGZQM8lkq5_dgR1jKvSKUxTVCzvuij4fXA/viewform



Source: https://perception-point.io/the-triple-trouble-3-stage-phishing/