A security researcher, Craig Hays, recently posted about a wormable phishing campaign that spreads exponentially. What makes it unusual is that it does not start with a phishing email from an unknown address. Instead, it hijacks the existing email threads of a compromised account to reach that user's contacts. As soon as an account was compromised, a bot running on a remote server received the credentials, signed in, and read through the emails received over the previous few days. For each unique thread it found, it replied to the most recent message with a link to a credential-harvesting phishing page. The wording was generic enough to fit almost any conversation, and a link to a 'document' did not look out of place in a thread the recipient was already part of.
The campaign has been extremely successful, stealing credentials for hundreds of email accounts within an hour. One of the phishing emails, for example, arrived as a reply in a legitimate thread about a contract review, under the subject "RE: Contract for Review". The result was a wave of account takeovers: every compromised account was seen being accessed from unusual locations around the globe and sending out large volumes of email. What is most concerning is that no traditional phishing emails were detected that day, yet account takeovers still occurred and spread to the victims' suppliers, customers and even colleagues.
The campaign's success rate was overwhelming. No matter how careful a user is, even phoning the original sender to confirm the email would not help: the sender would truthfully agree that they had been sending emails in that thread, unaware that this particular message had not come from them. That confirmation builds trust, and even a cautious user can then be tricked into entering their credentials. Once their account is compromised it joins the takeover spree, and every thread in their mailbox is used to target further contacts. The replies were sent as Reply All so that nobody dropped off the chain. Because the stolen credentials were not protected by multi-factor authentication, a password alone was enough for the bot to sign in and propagate through every compromised account; the more accounts it gained, the faster it sent emails, compromised new accounts, and grew.
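The two indicators the post describes, sign-ins from scattered locations and a burst of replies carrying the same link into many different threads, are easy to hunt for even when no inbound phishing email was caught. The script below is an added example written for this page, not code from Craig Hays' post; it runs two sliding-window checks over constructed sign-in and outbound-mail events. The log field names, the one-hour window, the thresholds and the lure URL `https://lure.invalid/doc` are all assumptions, not any vendor's schema or the real campaign's infrastructure.

```python
"""Flag accounts showing the reply-chain worm pattern: sign-ins from several
countries in a short window, plus the same URL replied into many threads.
Added example; field names and thresholds are assumptions, not a real schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data): one tenant, ISO timestamps.
SIGNIN_EVENTS = [
    {"user": "alice@example.com", "ts": "2020-09-14T09:02:00", "country": "GB"},
    {"user": "alice@example.com", "ts": "2020-09-14T09:31:00", "country": "NG"},
    {"user": "alice@example.com", "ts": "2020-09-14T09:40:00", "country": "BR"},
    {"user": "bob@example.com",   "ts": "2020-09-14T08:10:00", "country": "GB"},
    {"user": "bob@example.com",   "ts": "2020-09-14T13:15:00", "country": "GB"},
]

# Constructed outbound-mail events (not real data). The lure URL is made up.
MAIL_EVENTS = [
    # alice: one lure URL replied into four different threads in 20 minutes
    {"user": "alice@example.com", "ts": "2020-09-14T09:33:00", "thread": "t1",
     "subject": "RE: Contract for Review", "urls": ["https://lure.invalid/doc"]},
    {"user": "alice@example.com", "ts": "2020-09-14T09:35:00", "thread": "t2",
     "subject": "RE: Invoice 4471", "urls": ["https://lure.invalid/doc"]},
    {"user": "alice@example.com", "ts": "2020-09-14T09:41:00", "thread": "t3",
     "subject": "RE: Meeting notes", "urls": ["https://lure.invalid/doc"]},
    {"user": "alice@example.com", "ts": "2020-09-14T09:52:00", "thread": "t4",
     "subject": "RE: Q3 forecast", "urls": ["https://lure.invalid/doc"]},
    # bob: ordinary replies with no link or a single internal link
    {"user": "bob@example.com", "ts": "2020-09-14T10:00:00", "thread": "t9",
     "subject": "RE: Lunch?", "urls": []},
    {"user": "bob@example.com", "ts": "2020-09-14T11:00:00", "thread": "t10",
     "subject": "RE: Slides", "urls": ["https://intranet.example/slides"]},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def geo_velocity_hits(events, window=timedelta(hours=1), min_countries=2):
    """Users who signed in from at least min_countries distinct countries
    inside any sliding window. Returns {user: set_of_countries}."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((_parse(e["ts"]), e["country"]))
    hits = {}
    for user, rows in by_user.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            countries = {c for t, c in rows[i:] if t - t0 <= window}
            if len(countries) >= min_countries:
                hits[user] = countries
                break
    return hits


def reply_chain_burst(events, window=timedelta(hours=1), min_threads=3):
    """Users who sent the same URL as a reply (subject RE:/FW:) into at least
    min_threads distinct threads inside a sliding window.
    Returns {user: (url, thread_count)}."""
    by_user_url = defaultdict(list)
    for e in events:
        if not e["subject"].upper().startswith(("RE:", "FW:")):
            continue
        for url in e["urls"]:
            by_user_url[(e["user"], url)].append((_parse(e["ts"]), e["thread"]))
    hits = {}
    for (user, url), rows in by_user_url.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            threads = {th for t, th in rows[i:] if t - t0 <= window}
            if len(threads) >= min_threads:
                hits[user] = (url, len(threads))
                break
    return hits


def suspected_takeovers(signins, mail):
    """Combine both signals. Either one is worth a password reset and session
    revocation; both together is a high-confidence takeover."""
    geo = geo_velocity_hits(signins)
    burst = reply_chain_burst(mail)
    report = {}
    for user in set(geo) | set(burst):
        reasons = []
        if user in geo:
            reasons.append("sign-ins from %s within 1h" % sorted(geo[user]))
        if user in burst:
            url, n = burst[user]
            reasons.append("same URL %s replied into %d threads within 1h" % (url, n))
        report[user] = reasons
    return report


if __name__ == "__main__":
    for user, reasons in suspected_takeovers(SIGNIN_EVENTS, MAIL_EVENTS).items():
        print(user, "->", "; ".join(reasons))
```

The reply-burst check is the more specific of the two for this campaign, because a single link fanned out across unrelated threads within minutes is exactly what the bot produces and what a human almost never does; the geo check on its own will also fire on travellers and VPN users, so in practice it is a corroborating signal. Neither check replaces enforcing multi-factor authentication, which is what would have stopped the bot from signing in with the stolen password in the first place.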