
March 11, 2020 • RBS

In our 2019 Year End Data Breach QuickView report, and elsewhere on this site, we wrote about modern phishing attempts and how malicious attackers are targeting unsuspecting people on the web.

There’s a tendency to associate phishing with crude boilerplate emails, dubious attachments, and poor attention spans, but that’s only part of the story. In the covert redirect examples we explored, attackers were spoofing system update prompts or redirecting users to pages crammed to the brim with all sorts of dubious code.

We saw some impressive fakery at work, so let’s take a moment to dig deeper into a new example.

An Example of Modern Phishing

A single mistake could be a catalyst that exposes thousands, or even millions, of records – potentially into the hands of malicious actors. Attackers are constantly adapting their methods to manipulate your trust, as in all social engineering attempts.

We won’t propagate the scam by publishing the URL, but here’s a detailed screenshot of the real-life example we came across:

Trust Me, I’m Not a Bot

This fake forum was constructed to give the appearance of an organic conversation that includes a free download of the real book Intelligence-Based Security in Private Industry (safe to click).

Even in the face of Santa Hat Armageddon, there are reassuring signs that might lead you to assume that this is authentic. Take the site information, for example:

This might be enough for many users to conclude legitimacy. The site has a valid certificate, and the footer of this page displays a copyright for vBulletin (a legitimate website tool). So far, everything appears to check out.

The cast of characters on the forum is reassuringly familiar, too. Let’s meet the players:

Characters In Order of Appearance:

  • Jack, our protagonist who, like the visitor, is searching for a copy of Intelligence-Based Security in Private Industry;
  • Harry, a senior member of the forum, ready to help Jack out;
  • Oscar, a man who encourages Jack to give his details because it’s a trusted site;
  • Other Jack, another senior member, who reminds us that credit cards can be used for identification purposes;
  • Sofia, the mid-section of an attractive and patriotic American female, who has also been searching for the same book for a long time;
  • William, a grateful man who now has what he needs;
  • Admin, a mysterious authority figure who helpfully closes the thread because the definitive solution has been found.

It’s easy to imagine a user who resembles Jack taking all this at face value, clicking the link, and filling out their credit card information. After all, other grateful users (with faces) say it is legitimate and that it works. The browser tells us that it is a secure connection and that “your information (for example, …credit card numbers) is private when sent to this site”. However, unlike Dawn’s fingertips, we all know that the real picture isn’t quite so rosy.

Dissecting the Page

When checking the details, a couple of things stand out. For starters, all of the key points are conveniently set in bold:

“That’s great, thank[sic], solid website, entered CC and just got what I needed.”

William, Junior Member

There are also glaring inconsistencies.

  1. Other Jack is a senior member despite having only 48 posts and his Join Date is “caffeine”. We’ve all had mornings like that.
  2. The admin goes back in time and “closes” the topic before it was opened, validating our suspicion that forum admins are not of this realm.

Unless you’re specifically looking for inconsistencies or red flags, most readers will not catch these. These are small things that cast doubt on the legitimacy of the forum, but that could easily go unnoticed by a casual reader.

Going Deeper Casts Darker Shadows

For example, removing the bulk of the URL reveals that the website dynamically fills in the heading and posts:

“Intelligence-Based Security in Private Industry” is gone. Theoretically, this forum will pop up for any subject matter that the attacker has previously encoded in the URL, making this a convenient and replicable phishing method.

And the link that Harry and pals are trying to get Jack, and you, to click? It diverts to a new unsecured http:// domain. The link also implies it is a .torrent file, yet it is not.
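The three tells described above (a heading that only echoes the URL, an HTTPS page linking out to a plain-HTTP host, and a link labelled .torrent that points at something else) can be checked automatically. The following is an added example, not code from the original analysis; the URL, hosts and markup are constructed placeholders and the flag names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote_plus

class Page(HTMLParser):  # collects the <h1> text and (href, anchor text) pairs
    def __init__(self):
        super().__init__()
        self.heading, self.links = "", []
        self._in_h1, self._href, self._text = False, None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "h1":
            self._in_h1 = True
        elif tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        if self._in_h1:
            self.heading += data
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "h1":
            self._in_h1 = False
        elif tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def words(s):
    return " ".join(re.findall(r"[a-z0-9]+", s.lower()))

def red_flags(page_url, html):
    page, doc = urlsplit(page_url), Page()
    doc.feed(html)
    flags = []
    # A heading that merely echoes the URL suggests content templated per lure.
    # Legitimate sites use slugs too, so treat it as one signal among several.
    url_words = words(unquote_plus(page.path + " " + page.query))
    title = words(doc.heading)
    if len(title.split()) >= 3 and f" {title} " in f" {url_words} ":
        flags.append("heading-reflected-from-url")
    for href, text in doc.links:
        target = urlsplit(href)
        if page.scheme == "https" and target.scheme == "http" and target.hostname != page.hostname:
            flags.append("https-to-http-offsite-link")
        if text.lower().endswith(".torrent") and not target.path.lower().endswith(".torrent"):
            flags.append("label-extension-mismatch")
    return flags

# Constructed sample: hosts, path and markup are placeholders, not the real page.
SAMPLE_URL = "https://forum.example/showthread.php?t=Intelligence-Based+Security+in+Private+Industry"
SAMPLE_HTML = ('<h1>Intelligence-Based Security in Private Industry</h1>'
               '<a href="http://files.example.net/get?id=1">Intelligence-Based_Security.torrent</a>')
```

Calling `red_flags(SAMPLE_URL, SAMPLE_HTML)` returns all three flags; none of them is proof on its own, but together they match the pattern seen on this page.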

Going Down the Rabbithole

What else can we find? Well, going down the rabbithole we can see just how detailed the attacker was (and wasn’t) when it came to engineering this forum. Let’s revisit our characters.

“Sofia”

Among all the profile pictures, Sofia’s stands out the most.

A reverse image search reveals a lot more about Sofia. Aside from her keen interest in Intelligence-Based Security in Private Industry, she has varied tastes including Tai Chi, and is an active member of a Healing group in California. She has quite an online presence, with a number of Twitter handles and Facebook profiles under an array of aliases. Sofia/Alexei/Amira has even taken the time to review her skateboard purchases from lesser-known online retail outlets:

“great sport”

Sofia/Alexei/Amira

“Harry”

The savior with the link. Unlike Sofia’s, this picture is extremely ordinary. This, however, was an easy search because not many people have ever stood on a hill… Unsurprisingly, typing “man on hill” reveals the path to stock photo nirvana. But there are other hidden clues involving Harry’s avatar, and their root also sheds light on a different topic – the source of “caffeine” that appears under Other Jack’s Join Date.

What is “Caffeine”?

As you may have noticed, all the profile pictures have a Santa hat. Hovering over the hat reveals an image tag that reads “caffeine”, which all the other profile pictures share. However, Harry has an additional hidden tag that reads “yurikuzn”.

What/who Exactly is “yurikuzn”?

Searching for “yurikuzn” lands you on GitHub, revealing that “yurikuzn” is the username of a developer. We seriously doubt that yurikuzn has anything to do with this malicious page, but this is definitely an interesting find. The actual creator of this phishing website may be an anonymous follower, or could have parsed yurikuzn’s information randomly. Perhaps, somewhere on GitHub there is another fake library lurking in the shadows.

“Oscar”

Like Harry’s profile picture, there is an additional image tag for Oscar, which in this case reads “Makov”. Image searches end with no results and searching “Makov” in GitHub doesn’t yield the same concrete answer as “Harry” did.

This is where the trail runs cold.

Attackers are Adapting

This example shows just how much work attackers can put into modern phishing attempts. After an initial and brief inspection of the site, casual users would likely see that the site itself had a secure connection and that it was hosted on legitimate software, and might be sufficiently convinced to click through, exposing their credit card details or opening the door to malicious software.

A New Book

As we predicted, we found the same page but for a different book, Risk-Based Structural Evaluation Methods: Best Practices and Development of Standards.

Nearly every element of the two forums is the same, except for the date, which has been updated.

What If You Clicked It?

We don’t know exactly what the repercussions of clicking this specific link could be. It could take you to ransomware, malware, or even a copy of the book. OK, probably not that last one.

We could have our research team set up a sandbox to examine the possibilities further, but they’re busy serving the needs of our clients. Jack is on his own…

So what can people do in the face of phishing attempts like this? Well, look for details that would give a malicious website away. It will definitely slow you down while you’re trying to find that book you’ve been looking for, but it’s better than trying to unpick that malicious browser extension that’s mysteriously found its way onto your system, or reclaim your identity from whoever is now using your credit card (Oscar looks pretty guilty right now). Ultimately, remember that you shouldn’t click a link if you do not 100% trust the source and know where it will take you.

As a decision-maker within an organization, it is hard to keep track of every employee’s credentials. Not only are there countless users and endpoints to account for, but you need to know immediately if any have been compromised and to what sources. With Cyber Risk Analytics, you can get real-time alerts straight to your inbox whenever any of the organizations you care about are breached.

See for yourself why Cyber Risk Analytics is the standard for actionable data breach intelligence, risk ratings, and supply chain monitoring.
