Phishing Emails: Origins, Damage, and Protection

In recent years, there has been a tremendous increase in cyber attacks originating from phishing emails. Attackers are becoming more sophisticated in how they craft these emails to deploy malware on systems. This article analyzes the different ways we have seen malware attack a system, where it originates, and how we can stay protected.
Where do phishing emails come from?
Based on our research, most of the IP addresses we see originate from Eastern Europe. Cybercriminals rely on the user to activate the malicious code in various ways. A common method is deceiving the user into entering the password for the company’s email account on a web server deployed by the attacker. We will explore two phishing emails received by our case management system within a single day, trace their origins, and examine the damage they can cause to computer systems.
Do phishing emails steal passwords?
The first email we received is designed to persuade the recipient that it comes from an authorized shipping center. It then claims that an invoice is available and that our documents are ready for pickup. Below is a screenshot of the email that was received.
[Screenshot: the phishing email that tries to steal passwords]
We can investigate this email further by following the “Track Here” link included in it. Of course, we used a virtual machine in a sandbox environment to avoid damage to personal or company data.
The “Track Here” option contains a link to a malicious address. Upon entering the site in a sandboxed environment, we can see the following:
[Screenshot: the fraudulent DHL login page]
Analyzing the network traffic in Wireshark, we can see that the site communicates with a web server at the IP 80.239.152.137, which is located in Switzerland. A more advanced attacker would most likely use a VPN or multiple proxies to hide the true IP address of the web server. Moreover, an experienced attacker would place this server on a remote web hosting service to avoid detection. Therefore, we cannot conclude that the attacker is currently located in Switzerland.
Based on the information presented by the site, we can determine that it tricks the victim into entering the password for a DHL account. The site then captures the victim’s password and transfers it to a database on the attacker’s web server. This type of attack is very common for stealing users’ passwords because the legitimate website can simply be cloned.
Users need to be educated about these attacks and taught to look at the URL in their browser’s address bar. The example below shows the browser flagging the website as dangerous.
[Screenshot: the browser address bar flagging the URL as dangerous]
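As an added example (not code from the original article), the Python function below applies the same address-bar inspection a trained user should perform: is the scheme HTTPS, what is the real host, and is that host the legitimate domain or merely a host that contains the brand name. It assumes dhl.com is the legitimate domain, deliberately simplifies registered-domain matching (no public-suffix list), and uses constructed sample URLs on reserved example names.

```python
from urllib.parse import urlsplit
import ipaddress


def url_warnings(url: str, expected_domain: str) -> list[str]:
    """Return reasons a login URL does not belong to expected_domain.

    Simplification: the registered domain is taken to be expected_domain
    itself; production code should consult a public-suffix list.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    if parts.username is not None:
        # "https://brand.com@other.example/" really points at other.example
        warnings.append("credentials before '@' hide the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address")
        return warnings
    except ValueError:
        pass
    if host == expected or host.endswith("." + expected):
        return warnings  # genuine domain or one of its subdomains
    warnings.append(f"host {host!r} is not {expected!r}")
    brand = expected.split(".")[0]
    if brand in host:
        # e.g. dhl.com.tracking-update.example: the brand is only a
        # subdomain label; the registered domain is tracking-update.example
        warnings.append("brand name appears in host but not as the registered domain")
    return warnings


# Constructed sample URLs (reserved example/documentation names, not real sites)
SAMPLES = [
    "https://www.dhl.com/track?id=1",
    "http://dhl.com.tracking-update.example/login",
    "https://203.0.113.10/dhl/",
    "https://dhl.com@login.example/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", url_warnings(u, "dhl.com") or ["looks consistent"])
```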
Emotets and phishing emails
Emotet is a polymorphic banking trojan whose purpose is to steal banking information and send it to an attacker. It spreads to multiple computers through infected phishing attachments and changes its code over time.
The second phishing email we received contains Emotet and appears more realistic than the DHL lure. It persuades users that they have received a payment to one of their Chase accounts.
Below is a screenshot of the email received at one of our mailboxes:
[Screenshot: the Emotet phishing email]
The email includes a download link encouraging the user to click it to obtain a form with the payment details. Opening this link automatically downloads a document called form-0407216657.doc to the machine. Thanks to Cisco Advanced Malware Protection (AMP), we can determine that this document contains Emotet. Furthermore, the file uses macros embedded in the Microsoft Word document to infect the system. It asks for the victim’s permission to “enable editing” and “enable content”.
Below are screenshots of this process:
[Screenshot: the Word document asking the user to enable editing and content]
After the user clicks on “Enable Content”, the malware starts to execute in the background.
[Screenshot: the “Enable Content” prompt]
AMP detected that Form-0407216657.doc connects to various IP addresses over HTTP, including the following:
[Screenshot: Cisco AMP view of HTTP traffic from the Word document]
These IP addresses communicate directly with the Word document to download additional files. One of these files is called “bearsneed.” Bearsneed is downloaded and placed in the Microsoft Windows AppData folder.
This file automatically starts to run as a process as demonstrated below:
[Screenshot: bearsneed running as a process]
According to Cisco AMP threat intelligence, bearsneed.exe is the Emotet payload that runs in the background collecting banking information.
Bearsneed.exe also generates HTTP traffic to the following IP addresses:
[Screenshot: HTTP traffic from bearsneed.exe]
An uneducated user might follow the steps in the phishing email, click the link to download the document, and grant every permission requested, causing widespread damage to the company’s infrastructure and data.
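As an added example (not code from the article or from Cisco AMP), the Python below turns the chain described above into detection rules over constructed endpoint telemetry: an Office process making outbound connections, an Office process launching an executable from AppData, and that child making outbound connections. Field names, paths, PIDs and IP addresses are invented; only the bearsneed.exe file name comes from the article.

```python
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample events modelled on the chain in the article
# (Word -> HTTP -> executable dropped in AppData -> more HTTP).
# Paths, pids and IPs are invented; IPs use RFC 5737 documentation ranges.
PROCESS_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 5234, "image": r"C:\Users\alice\AppData\Local\bearsneed.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 6001, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]
NETWORK_EVENTS = [
    {"pid": 4120, "dest_ip": "192.0.2.44", "dest_port": 80},     # Word itself downloading
    {"pid": 5234, "dest_ip": "198.51.100.23", "dest_port": 80},  # dropped binary calling out
    {"pid": 6001, "dest_ip": "203.0.113.5", "dest_port": 443},   # benign noise
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(process_events, network_events):
    """Return one alert string per matching event, in a deterministic order."""
    image_of = {e["pid"]: e["image"] for e in process_events}
    office_pids = {p for p, img in image_of.items() if basename(img) in OFFICE_APPS}
    # Rule 1: an Office app is the parent of an executable living under AppData.
    dropped = {e["pid"] for e in process_events
               if basename(e["parent_image"]) in OFFICE_APPS
               and "\\appdata\\" in e["image"].lower()}
    alerts = []
    for n in network_events:
        pid, dest = n["pid"], f'{n["dest_ip"]}:{n["dest_port"]}'
        # Rule 2: an Office process talking to the network (noisy in practice
        # because of updates and cloud features; tune with an allowlist).
        if pid in office_pids:
            alerts.append(f"office-net pid={pid} {basename(image_of[pid])} -> {dest}")
        # Rule 3: the AppData child of an Office app talking to the network.
        if pid in dropped:
            alerts.append(f"appdata-child-net pid={pid} {basename(image_of[pid])} -> {dest}")
    for pid in sorted(dropped):
        alerts.append(f"office-spawned-appdata pid={pid} {image_of[pid]}")
    return alerts


if __name__ == "__main__":
    for a in detect(PROCESS_EVENTS, NETWORK_EVENTS):
        print(a)
```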
How do I stay protected from phishing emails?
Although the malware in the second email does not encrypt files on the system, it is Emotet, which can steal banking information. Malicious sites can steal usernames and passwords that can later be used against the company. Moreover, an executed attachment can open a shell for the attacker, giving remote access to the infected system through a Remote Administration Tool (RAT).
Therefore, we recommend that users be mindful of emails they receive containing suspicious attachments and links. Every company should have robust social engineering training in place to avoid attacks such as phishing, whaling, baiting, and vishing.
If you want to learn more about Social Engineering Training and cyber security costs for your company, please contact Proven Data.