The Phishing Email – Just one click… | Smart Thinking Solutions

This is a continuation of last week’s article that looked at stealth malware infection from a malicious phishing email.

Phishing Emails

I spend a lot of my time writing and talking about malicious phishing emails. It is the easiest attack vector into your organisation that a threat actor has access to, so it is not surprising that it absorbs a lot of my time. Making sure you and your people understand what a phishing email can look like and the social engineering techniques threat actors use to exploit your trust to get past your defences is an essential cyber security step for any organisation, large or small.

In the majority of cases, your technical defences work and email filtering and anti-virus products work perfectly and stop the threat – as in this screenshot of an email notification I got this morning, minus the infected attachment:

Now this was not a particularly sophisticated social engineering message and was not likely to deceive me into opening the infected attachment if my anti-virus had failed. But what happens when the threat actor does a bit of research on the target before sending the email?

We all put a lot of information out there, which is invaluable to a threat actor when they are crafting an attack. We cannot help it. As businesses we want to sell our things – this means web pages, sales pitches, contact email addresses, free ebooks, profiles on LinkedIn etc., all made publicly available. All available to the threat actor to build a model of you. Have a look at this piece I wrote looking at this practice – it is called OSINT, open-source intelligence:

OSINT – Do you know what it is?

By the way all the information sources I listed above are ones that I use…

But what happens when the AV fails and the message is so good you click?

I outlined this article as I was writing last week’s, “Infected and you didn’t even know it…” article, and had planned at this point to describe clicking on an infected attachment and some of the business consequences of doing so, however…

Phishing emails and the real-world consequences of clicking

Linus Tech Tips is a very popular tech channel on YouTube and the channel has millions of subscribers and more importantly active viewers – our support team members are all regular viewers, as am I. You know where this is going, don’t you – Linus Tech Tips got hacked through a phishing email to their sales team. Watch the video and see how easy it was for the hackers to get in, how hard it was for people with a lot of technical knowledge to cope with the attack and the real-world consequences to their business:

My Channel Was Deleted Last Night – Linus Tech Tips on YouTube

Lessons you should learn from their video

No one was blamed. The person who opened the offending pdf file has their leg pulled in this video and other follow up videos and probably in the office, but they were not blamed.

“… but then on the flip side, I can hardly blame a sales rep or a video editor, or someone in accounting for not being up on the latest in cyber crime. And I also believe that in a healthy organisation, **** actually rolls up the hill rather than down. So there’s not going to be any disciplinary actions because the simple truth is that if we had more rigorous training for our newcomers and better processes for following up… …this could have been easily avoided.
Linus Sebastian – Linus Tech Tips

Everyone should be aware that if a file is opened and it does not respond as expected, it should not be ignored. See my previous article on stealth malware. Have you got a notification process for this situation?

Staff training in cyber security awareness and incident response is essential to contain any problems, to check what you do not know, so you can be ready for the real thing.

In Conclusion

It was a coincidence that Linus Tech Tips got breached using the very techniques I had planned to write about today. Thanks to them for this very useful video and you really need to watch it. If you want a protective cover for any of your tech have a look at their sponsor. (Pushed for time? Then just watch the few minutes starting at 4:58 – however cyber security is important so you really should spare 15 minutes to watch the whole thing.)

Are you ready if the coincidence happens to you? Get in touch if you need help!

Do you want to know more?

Clive Catton MSc (Cyber Security) – by-line and other articles

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Phishing Emails

But what happens when the AV fails and the message is so good you click?

Phishing emails and the real-world consequences of clicking

Lessons you should learn from their video

In Conclusion

Further Reading