I got an interesting email this morning. It was “from” one of the owners of Xiologix – but the return address was a bit odd: “ofceo@comcast.net”. As this unfolded, it became obvious that this was a classic “spear phishing” attack. I’ll run you through the email exchange for entertainment purposes, and then talk about the lessons to be learned here. The original message was short and sweet:
Are you free right now? I’ll need you to run a task ASAP.
P.S.: I’m currently in a meeting right now, just reply back. Is that okay with you?
Thanks
Sent from my iPad
There were several things about this email that made my antennae go up. First, I didn’t recognize the return email address. Even if this was being sent from a personal iPad, I would expect it to come from a xiologix.com email address. Second, I’m in Seattle, and corporate HQ is in Tualatin, OR. There are lots of other people in the Tualatin office who would probably be asked to “run a task” before I would. And the wording just didn’t sound like the person who purportedly sent it to me. Now, it was also possible that this was an internal phishing test initiated by our own techs – which is something we do from time to time (and you should too – we partner with a company called KnowBe4, and we can hook you up). So I forwarded the email to the supposed sender’s legitimate Xiologix email address, and to our CTO, and asked whether (1) she had actually sent it, and (2) whether our CTO was trying to liven up our Monday morning with a phishing test. No to both questions. So, what the heck? I decided to play along, and sent the following reply to the original message:
Sure – what’s up?
In a few minutes, I got another email:
I’m currently in a meeting right now and I want to gift out some Gift Cards to some clients today ASAP. I want you to make arrangements to get the gift cards. Is that okay with you?
P.S.: I’m currently in a meeting right now, just reply back. Is that okay with you?
Thanks
Sent from my iPad
Aha. Now money is involved. And notice the use of “I’m currently in a meeting right now” as an obvious attempt to discourage me from calling to check on the legitimacy of the messages. Let’s see how far we can run this:
Sure. How can I help?
And the reply again:
I need 20 PHYSICAL Apple iTunes gift cards of $100 face value. That’s $100 x 20 = $2,000.
Note: $100 x 20 qty of Apple iTunes Gift Cards are needed. Once you get the physical cards, you should gently scratch-off silver lining at the back for the pin codes, lay them all out in batches, then snap a photo and email the clear picture to me via email before leaving the store right away. Make sure you email them to me before leaving the store. Is that okay with you?
P.S.: I’m currently in a meeting right now, just reply back. Is that okay with you?
Thanks
Sent from my iPad
Yep, nothing suspicious at all about that, is there? Let’s push it a little:
I’m on my way into the office now. I can either drop them by your office, or just leave them at the front desk. Will that work?
Well, apparently not:
Thanks
Sent from my iPad
Interestingly enough, the “from” email on this one was different – “off.ceo1@comcast.net” – and apparently she’s now out of her meeting. So…
They won’t accept the company credit card – they want cash only for the gift cards. Looks like you’re out of your meeting – can you have someone cut a check for me? I’ll be happy to run it down to the store and pick up the gift cards.
Apparently that’s not going to work…
Thanks
Sent from my iPad
Thanks
Sent from my iPad
Well, geez, that’s mighty kind of you to let me front this with $2,000 of my own cash, but…
I’m sorry, but I don’t have an extra $2,000 at the moment to front this. I’ll be at the office in 5 minutes, we can talk then.
But these folks just don’t want to let it go:
Sent from my iPad
They obviously think I’m pretty stupid, and the feeling is mutual. Bear in mind that I’ve already told them that I would be in the office in 5 minutes, and that was about a half hour ago. But let’s try to milk it a bit longer:
You want one $500 card or five $100 cards? And which email address do you want me to send to – ofceo@ or off.ceo1@?
So I’ve just told them that I’ve noticed that they’ve used two different email addresses to communicate with me. You’d think that this might imply that I’m getting suspicious, but they’re not prepared to give up yet. They went back to the original from address, and added “(Send it here)” to the subject line.
Sent from my iPad
I won’t bore you with the rest of the exchange. At this point, I just want to see how long I can successfully jerk them around, and whether maybe, just maybe, I can get a mailing address of some kind to send the “gift cards” to. And when I finally run this as far as I can, I plan to email them a link to this blog post, as a “thank you” for helping me demonstrate what a spear phishing attack looks like.
So…what should we learn from this?
- This was a targeted attack (which is what distinguishes “spear phishing” from ordinary “phishing” emails that are blasted out to thousands of recipients). Someone did enough research on Xiologix to identify which individual within our organization was likely to have the authority to make a request like this, and used that individual’s name to specifically target me.
- Consider that Xiologix is not a large company. We have roughly 20 employees. You might think that we would be too small for someone to go to that much trouble to target us. You’d be wrong.
- The amount they requested ($2,000) was not an unreasonable amount for a company our size. Trying to scam us for $50K would have been an obvious overreach. Again, you might think that it’s not worth the trouble to only score $2,000 – let alone the $500 that I negotiated down to. But if they can actually score a half dozen times a month, it adds up to a reasonable payday – particularly if this is originating somewhere offshore where there is a favorable exchange rate for U.S. dollars.
- These guys didn’t care whose money they took. Company credit card? Fine – even if it ended up costing me my job when my employer found out how stupid I had been. My own money? That’s fine too. Can’t afford $2,000? How about $500? They’ll take whatever I’m dumb enough to give them.
- You are not exempt from attacks like this! Your organization is not too big or too small to be targeted. Whether you know it or not, you probably have already been targeted. If you haven’t been, you will be.
It is axiomatic that the “weakest link in the security chain” is the end user. Those of us who are IT professionals may live and breathe this security stuff, but your users don’t. They’re just busy trying to get their jobs done. And one end user who clicks on the wrong link, or responds incorrectly to a phishing attempt like this one, can circumvent all of the expensive technological security solutions you’ve put in place. It’s important to educate your users – using a method that they will actually retain – and then test their knowledge from time to time. We’d be happy to help with that.
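The cues called out in this post (a familiar name paired with a return address outside the company’s own domain, a second sender address appearing partway through the thread, and the “I’m currently in a meeting” / gift-card / PIN-photo phrasing) are exactly the kind of thing a mail gateway or a SOC triage script can score before a busy user ever has to decide. The script below is an added example written for this post; it is not code from Xiologix or KnowBe4. It runs on constructed sample messages modelled on the exchange above, and the internal domain list, the placeholder executive name “Jane Executive” (the real name is not given in the post), the per-cue weights and the flag threshold are all assumptions.

```python
"""Heuristic scoring of executive-impersonation ("gift card") phishing.

Added example for this post, not Xiologix or KnowBe4 code. The sample
messages below are constructed from the text quoted in the post.
"""
import email
import re
from email.utils import parseaddr

# Assumptions, not from the post: the organization's own mail domain and the
# display names an attacker is likely to borrow. "Jane Executive" is a
# constructed placeholder; the post does not name the impersonated owner.
INTERNAL_DOMAINS = {"xiologix.com"}
PROTECTED_NAMES = {"jane executive"}

# Phrases taken from the messages quoted in the post: urgency, a reason not
# to phone the sender, and the gift-card / PIN-photo payload.
URGENCY_PATTERNS = [
    r"currently in a meeting",
    r"\bright now\b",
    r"\basap\b",
    r"\bgift cards?\b",
    r"\bitunes\b",
    r"\bpin codes?\b",
    r"before leaving the store",
]

FLAG_THRESHOLD = 3  # assumed; tuned so one urgent word alone does not flag


def analyze(raw_message: str) -> dict:
    """Score one RFC 822 message for the cues the post describes.

    Returns the visible sender, a numeric score, a flagged flag, and the
    list of findings that contributed to the score.
    """
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{subject}\n{body}".lower()

    findings = []
    score = 0

    # Cue 1: a name we know, on an address that is not one of ours.
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_name.strip().lower() in PROTECTED_NAMES and from_domain not in INTERNAL_DOMAINS:
        findings.append(f"display name '{from_name}' used with external address {from_addr}")
        score += 3

    # Cue 2: replies quietly routed to a mailbox other than the visible sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")
        score += 2

    # Cue 3: the urgency and gift-card wording, one point per distinct phrase.
    hits = [p for p in URGENCY_PATTERNS if re.search(p, text)]
    if hits:
        findings.append(f"urgency/gift-card phrasing: {len(hits)} pattern(s)")
        score += len(hits)

    return {"from": from_addr, "score": score, "flagged": score >= FLAG_THRESHOLD, "findings": findings}


# Constructed samples (addresses ofceo@ and off.ceo1@comcast.net are the
# ones quoted in the post; everything else is made up for the example).
PHISH_FIRST_CONTACT = """\
From: "Jane Executive" <ofceo@comcast.net>
To: employee@xiologix.com
Subject: Task

Are you free right now? I'll need you to run a task ASAP.
P.S.: I'm currently in a meeting right now, just reply back. Is that okay with you?
Thanks
Sent from my iPad
"""

PHISH_GIFT_CARDS = """\
From: "Jane Executive" <off.ceo1@comcast.net>
Reply-To: ofceo@comcast.net
To: employee@xiologix.com
Subject: Re: Task (Send it here)

I need 20 PHYSICAL Apple iTunes gift cards of $100 face value.
Once you get the physical cards, gently scratch-off the silver lining at the back for the pin codes,
snap a photo and email the clear picture to me before leaving the store right away.
Thanks
Sent from my iPad
"""

LEGIT_REQUEST = """\
From: "Jane Executive" <jane.executive@xiologix.com>
To: employee@xiologix.com
Subject: Q3 numbers

Can you send me the updated Q3 numbers when you get a chance? No rush.
"""

LEGIT_URGENT = """\
From: "Jane Executive" <jane.executive@xiologix.com>
To: employee@xiologix.com
Subject: Slide deck

Can you send me the deck ASAP? Board call in ten minutes.
"""


def run_samples() -> list:
    """Analyze all four constructed samples and return the results in order."""
    return [analyze(m) for m in (PHISH_FIRST_CONTACT, PHISH_GIFT_CARDS, LEGIT_REQUEST, LEGIT_URGENT)]


if __name__ == "__main__":
    for result in run_samples():
        print(f"{result['from']:35} score={result['score']:2} flagged={result['flagged']}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

Run it directly to see the four verdicts. The first phishing message scores on the external-domain impersonation plus three urgency phrases; the gift-card follow-up adds the Reply-To mismatch that corresponds to the second address the author noticed. The legitimate internal messages score zero and one respectively, so a genuine “ASAP” from the real executive stays under the threshold. Heuristics like these belong in front of, not instead of, the out-of-band check the author made: forwarding the message to the person’s real company address and asking whether they sent it.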