Crafting the perfect spear | Loop Secure

Adam Robinson is a Security Engineer with Loop Technology who specialises in the deployment and management of Intel Security based solutions. He is also Loop’s Entrust SSL Certificate expert and he has a keen interest in analysing and unpacking malware. If you have a question for Adam, please email info@looptech.com.au.
Malware, and those distributing it, are getting smarter. Gone are the days when malware was so easily identifiable that everyone but the most inexperienced deleted it on sight, or when we could rely on automated processes to catch every attack.
A common tactic used by attackers is phishing: posing as a legitimate company and attacking en masse. These are usually easy enough to spot and discard.
A twist on old-school phishing is spear phishing. No, it's not a sport, it's an attack style - and you are the target. Spear phishing is an email that appears to come from an individual or business you know, sometimes built on information harvested in an earlier phishing campaign. The attacker thrives on information: your name, the people you commonly communicate with and the companies you work with.
A bit of background before we proceed – I work for Loop Technology, a specialist IT security company with a heavy focus on Intel Security/McAfee products. Working with these every day means we transact with McAfee on a daily basis, for both our clients and ourselves.
Presenting one of the most impressive examples of spear phishing I've seen:
An amazing example of spear phishing aimed at an organisation with such a heavy McAfee presence!
OK, the sender address isn't going to win any awards, but it isn't exactly fer543f4gg.ru either. It contains the word McAfee, and it isn't completely unreasonable to think McAfee might use an address like this (hint: they don't).
Genuine licensing emails from McAfee generally open with the logo and "Dear (FirstName)". This example wasn't quite right, but it was close. Including the logo is particularly impressive: it shows the attacker has either researched what Loop Technology does as a business, or looked up our MX records and seen them pointing at McAfee's SaaS service. Either way, the attacker has clearly done their homework.
The McAfee Renewal Center? Not quite, but if you weren't familiar with the channel approach McAfee takes, you might be tempted to click on the link.
So I did - for investigative purposes.
I was greeted with a Live Chat which looked legitimate enough – clearly the attacker has put some effort into this!
It says McAfee Renewal Support, it has the McAfee and Intel Security logos… and anybody who has discussed anything with McAfee knows the familiar "May I please put you on hold while I…"
So far, this is an extremely impressive attack attempt. It is well targeted, well researched and even well executed. There is even a live person trying to scam you!
Clearly this scam won’t be going any further. But it isn’t going to stop me from having some fun!
Jokes aside, staying vigilant is the key to protecting yourself and your information. This was one of the most impressive examples of spear phishing aimed at us that we have seen, and we're sure it won't be the last. How will your organisation fare against these sorts of attacks?
Against attacks as well crafted as this one, we protect ourselves with McAfee ClickProtect, which is included in the McAfee Email SaaS service. SaaS is a great product: anti-virus, content control, GTI (Global Threat Intelligence) reputation and email continuity in one.
ClickProtect is disabled by default, but it can be enabled at various levels from the SaaS portal. The function is simple: links in inbound mail are rewritten so that when a user clicks one, the destination is checked for malware at click time, the user is shown the details of the link, and they are allowed to continue only if it is deemed safe.
ClickProtect helped us identify this as a malicious email from its metadata, as shown below:
protectmcafeenow@gmail.com? Enough said.
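The sender observations above (a vendor name in the address, but not the vendor's own domain, and in this case a free webmail domain) can be turned into a simple header check. The following is an added example written for this page, not Loop Technology's or McAfee's code; the brand-to-domain table, the free-mail list and both sample messages are constructed assumptions modelled on the lure described, not the actual email.

```python
"""Flag brand-impersonating senders in an RFC 5322 message.

Added example; the brand/domain table, the free-mail list and the sample
messages below are assumptions constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Brands we expect to be impersonated, mapped to the domains that may
# legitimately send on their behalf (assumed; populate from your vendor list).
BRAND_DOMAINS = {
    "mcafee": {"mcafee.com"},
    "intel": {"intel.com"},
}

# Free webmail providers a vendor would never use for licensing notices.
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def _domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(raw_message):
    """Return a list of human-readable findings for the message's From: header.

    A finding is raised when a brand name appears in the display name or the
    local-part but the sending domain is not one of that brand's own domains.
    A free-mail domain is called out separately, as the strongest single
    indicator, and a Reply-To pointing at a different domain is also noted.
    """
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = _domain_of(addr)
    local = addr.split("@", 1)[0].lower() if "@" in addr else ""
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display.lower() or brand in local:
            # Accept the brand's own domain and its subdomains only.
            if domain not in allowed and not domain.endswith(tuple("." + d for d in allowed)):
                findings.append(f"'{brand}' in sender but domain is {domain!r}")
    if domain in FREEMAIL:
        findings.append(f"free-mail domain {domain!r} used for a vendor notice")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain_of(reply_addr) != domain:
        findings.append(f"Reply-To domain {_domain_of(reply_addr)!r} differs from From")
    return findings


# Constructed sample modelled on the lure described in the post (not the real message).
SAMPLE = """\
From: McAfee Renewal Center <protectmcafeenow@gmail.com>
Reply-To: mcafee.renewals@outlook.com
To: adam@example.com
Subject: Your McAfee licence is about to expire
Content-Type: text/plain

Dear Adam, please renew via the McAfee Renewal Center.
"""

# Constructed sample of what a genuine notice's headers would look like.
LEGIT = """\
From: McAfee Licensing <noreply@mcafee.com>
To: adam@example.com
Subject: Licence renewal

Dear Adam,
"""

if __name__ == "__main__":
    for finding in check_sender(SAMPLE):
        print("FLAG:", finding)
    print("legit findings:", check_sender(LEGIT))
```

The check is deliberately narrow: it only looks at headers the attacker controls, so it is a triage aid, not a verdict. Pair it with SPF/DKIM/DMARC results where your gateway exposes them.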
ClickProtect is powerful because it doesn't cache the page: it re-scans the destination of an embedded link every time it is clicked and emulates the destination URL's contents, so a link that was clean when the email was delivered but weaponised later is still caught. Users may be presented with a safe preview showing the unmasked URL and a live screenshot of the destination web page. This preview provides ongoing reinforcement of anti-phishing education, and allows the user to decide whether to abort the operation. Because the protection lives in the rewritten links themselves, it follows emails everywhere they go, including mobile devices.
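To make the mechanism concrete, here is an added example of how click-time link protection of the kind described above (rewrite at delivery, check and unmask at click) can be built. It is not McAfee ClickProtect's code: the gateway endpoint, the signing key, the HTML sample and the hostname heuristic standing in for the real destination scan are all assumptions. The signature on the rewritten link is the design point worth noting: without it, the gateway becomes an open redirector that attackers can abuse to lend their own links a trusted domain.

```python
"""Click-time URL protection: rewrite links at delivery, verify and scan at click.

Added example. GATEWAY, SECRET_KEY, EMAIL_HTML and the scan() heuristic are
assumptions; a real service fetches and emulates the destination on each click.
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

SECRET_KEY = b"rotate-me-in-production"        # assumed; keep in a KMS in practice
GATEWAY = "https://clickcheck.example.net/u"    # assumed rewrite endpoint

# Matches double-quoted http(s) hrefs; a production rewriter would use a real HTML parser.
HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)


def _sign(url):
    return hmac.new(SECRET_KEY, url.encode(), hashlib.sha256).hexdigest()


def wrap_url(url):
    """Replace a link with a gateway link carrying the original URL and a MAC over it."""
    token = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    return f"{GATEWAY}?u={token}&m={_sign(url)}"


def rewrite_links(html):
    """Delivery-time step: every href in the message body now points at the gateway."""
    return HREF_RE.sub(lambda m: f'href="{wrap_url(m.group(1))}"', html)


def unwrap_url(wrapped):
    """Recover and authenticate the original URL; None if the MAC fails (open-redirect defence)."""
    qs = parse_qs(urlparse(wrapped).query)
    token = qs.get("u", [""])[0]
    try:
        url = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(_sign(url), qs.get("m", [""])[0]):
        return None
    return url


# Stand-in for the gateway's destination scan (assumed heuristic so the example runs offline):
# a brand name in the hostname that is not the brand's own registrable domain is blocked.
BRAND_WORDS = ("mcafee", "intel")
BRAND_HOSTS = {"mcafee.com", "intel.com"}


def scan(url):
    host = urlparse(url).hostname or ""
    registrable = ".".join(host.split(".")[-2:])
    if any(w in host for w in BRAND_WORDS) and registrable not in BRAND_HOSTS:
        return "block"
    return "allow"


def click(wrapped):
    """Click-time step: verify the link, scan the destination now, and return what the preview shows."""
    url = unwrap_url(wrapped)
    if url is None:
        return {"verdict": "reject", "url": None, "reason": "link not issued by this gateway"}
    verdict = scan(url)
    reason = "brand lookalike hostname" if verdict == "block" else "clean at click time"
    return {"verdict": verdict, "url": url, "reason": reason}


# Constructed message body with one lookalike link and one genuine vendor link.
EMAIL_HTML = (
    '<p>Your licence expires soon. Renew at the '
    '<a href="http://mcafee-renewal-center.example/chat">McAfee Renewal Center</a> '
    'or see <a href="https://www.mcafee.com/support">support</a>.</p>'
)

if __name__ == "__main__":
    protected = rewrite_links(EMAIL_HTML)
    print(protected)
    for wrapped in re.findall(r'href="([^"]+)"', protected):
        print(click(wrapped))
```

Note what the user sees on click is the unmasked original URL plus the verdict, which is the "safe preview" the text describes; the verdict is computed fresh on every click rather than stored with the message.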
As always, stay safe out there.