Spear Phishing on Steroids

Hello there my spear phishing survivors! Hopefully your week has been filled with happy users, many donuts, and zero Sev 1's! Today's blog is going to review the best socially engineered spear phishing attempt I personally have ever seen, and will go over how you can easily defeat the best of the best when it comes to things like this.
To begin, let's show you the physical mail that started this all...a true work of a phishing renaissance master. A true master, cut from the same genius that Mitnick himself would be amazed with! In the 30+ years I have been in IT, this is by far the most amazing piece I have ever seen. Whoever did this really deserves a table in the bad actor hall of fame!
I have covered up the name for obvious reasons, and I also covered up the phone number as I don't want anyone to call the number accidentally and fall for the trap!
First off, please zoom in on the picture and take a good hard look at the letter and the envelope. I looked at this for a clean 20 minutes after our process (to be detailed later in the blog) alerted us that the mail itself was a physical mail phishing attempt!
Waiting for you to give it a good look!
Oh come on, keep looking
Fine, I still think you need to look more, but we will begin the review now!
<slow clap>
I dare you to find anything that will alert you to this being a fake! I honestly couldn't see a thing...well other than the fact that we didn't change our address and this account is essentially a "dead" account for us. So how did we catch it?
As always, the best defense is a multi-layered defense tactic that relies not only on education and a keen eye, but also on a process!
Layered defense/defense in depth relies on a simple concept...if you have two different types of defense, acting on two different "layers"...bad actors would have to traverse multiple checkpoints to be able to deliver their payload!
In this case, I normally look for misspelled words, or some type of grammatical error...maybe a physical anomaly that would tell me that this is a fake. For physical mail, this is my first layer of defense...checking for the telltale mistakes that have traditionally been part of these types of phishing attempts. As you can see, there is nothing immediately apparent...Security layer 1, as we will find out soon enough, has failed horribly. <insert failure sound here> Boooooooooooo!
Gone is the paradigm that bad actors will intentionally use bad grammar or misspell words on purpose to weed out those who pay attention to detail. We should all immediately stop thinking that paradigm will continue. I knew it was going to end one day, but it seems that the bad actors have altered their tactics so that they are not immediately identified.
This all being said, any good security person has at least one more layer to fall back on when layer 1 fails! Layer 2 to the rescue! Always remember that your layers should be acting on totally different areas of the attack landscape...I always like to layer in a process, as the process will defeat most of these phishing attempts cold, mostly because...the process will usually be an unknown to the bad actor. The process can be architected to cover where a more traditional physical or IT layer fails.
As a general rule I don't normally publicly publish process based layers, as that would give bad actors some insight that they might be able to bypass the defense. I am not too worried about writing about this one, though...well...because even if the bad actors knew about this process, they could not overcome it. It's pretty rad!
In this case my process based layer is simply...verify the number. So we typed the number for Target's Red Card into a search engine and it did not show up as being owned by Target! It gets even more curious!
At this point in the game, I got really interested. We already had a good feeling this was a bad actor mail...but we wanted to really prove it out as the letter and envelope just looked so legitimate!
So we looked up the Target Red Card's known good number (we searched for Target Red Card customer support) and didn't trust the one provided. We called the known good number and we found out the following information from the customer support rep.
1) There has been no activity on the card since last year.
2) Target has not emailed us a change of address letter.
3) We asked him if the number on the letter was a legitimate number, and he searched all of Target's numbers on his system and....
<drum roll>
That number on the letter was not owned by Target.
<insert victory sounds here>
I cannot tell you the sound that came out of my mouth that day, but the laughing lasted minutes at the minimum. I clapped to the talent of this bad actor, and immediately started writing this blog.
The moral of the story...you need layered defense. If you only have one layer protecting you or your data, then that one layer will fail given enough time. Without a second layer, we could have easily called the number provided in the mail and fallen prey to this Michelangelo of Phishing.
For any data you have to protect, putting it on a share that needs a password to access is not enough. You need another layer. The firewall can only do so much on its own; you will need something else to fully protect you. So please make sure that you are always protected and have at least 2 layers of protection on anything important. IT is no longer just managing the systems and endpoints...we now have to focus on process to fully protect our users and landscape.
As a parting comment, I also learned that there doesn't seem to be a term for physical mail phishing. Let's not make one up for this...I am still mad about "smishing" and "vishing"...it should all be phishing...and we should stop this mad attempt to give it all a name...soon we will have AI driven video call phishing and vishing is already taken...either way, let's not make a special name for this...and if we do...I suggest "Pphishing", the first P is for Physical...lol...yes, it's horrible, so don't use it!
Until next time my cyber security phishing gurus!