Phishing campaigns and what to watch out for


During the month of March, we saw two major phishing campaigns targeting our customers. The goal was to gain access to customer administration and email boxes. Thanks to the proactive approach of our customers, we were able to monitor both of these campaigns in detail and prevent the misuse of services by customer accounts that fell for cyber fraudsters.

Why campaigns target WEDOS customers

WEDOS is by many measures the largest provider of hosting services in the Czech Republic. Almost one in five domains goes to our datacenters. At the same time, we are one of the largest domain registrars in the Czech Republic (maybe the largest, there are no public statistics for most domain extensions).

Number of hosted .cz domains 05.04.2022 according to CZ.NIC public statistics.

This makes it worthwhile for cybercriminals to use our brand in their campaigns. Even if they target their spam “blindly”, with the number of customers we have, they will hit many times.

Why phishing campaigns are happening now

The physical war is being waged in Ukraine, but the cyber war is being waged all over the world. Security teams need to deal with more security incidents and are also being called upon by governments to increase surveillance and strengthen cyber defences. Attention is thus shifting more towards DDoS attacks, malware, hacked websites, etc. Classic phishing campaigns are taking a back seat, which cybercriminals are of course trying to exploit.

How a phishing campaign works

Large phishing campaigns need resources, and a botnet provides them: a network of compromised machines (servers, computers, mobile phones, TVs, refrigerators, online cameras, just about anything connected to the Internet) that attackers control remotely from so-called command & control (C&C) servers.

The botnet also includes compromised websites that carry a backdoor. This is a script, usually well hidden, through which an attacker can perform a number of actions, including creating web pages. This is how the target website is created that links in phishing emails point to; or rather, dozens or even hundreds of landing pages on various compromised sites.

This is not always the case. Sometimes attackers use stolen credit card numbers and simply buy a VPS/web hosting service, including a domain similar to the one the customer normally logs in to.

Then the phishing emails start. Individual devices in the botnet receive lists of addresses to send spam to.

Nowadays, phishing emails are often well translated into English. The text is urgent and often well-tuned to achieve the greatest degree of success.

If a user enters data on a phishing site, it is immediately forwarded to servers controlled by the cyberfraudsters, evaluated there and passed on to be exploited. Often the user quickly realises they have been tricked and can act to prevent misuse of the account, or contact customer support, who will block the account until all login details have been changed.

Therefore, if you suspect that you have been tricked, do not delay the solution. Every second counts.

What is good to know about phishing

Phishing has been with us for a long time and will continue to be despite the introduction of many safeguards. It’s not just limited to emails. It also takes place via phone (vishing), SMS (smishing), social networks, comments in discussions, etc. It can even come to you by mail. But it doesn’t stop there. It can also be hidden outside on the street in a QR code, just anywhere.

In the following paragraphs we will look at phishing in more detail.

What is dangerous in a phishing email

Phishing can be categorised in multiple ways. For the purposes of this article, we break it down by the way it tries to harm you.

Dangerous link

This is the most common type of phishing, because the email carries only text (HTML) with a few links. Most of them need not be dangerous at all and may point to the official site to inspire confidence. But the link that performs the important, desired action leads to a phishing page.

HTML links

Not every link is what it appears to be. With HTML, you can take a link that looks like a plain URL and point it somewhere else entirely.

https://client.wedos.com/

Does the above link go to our customer administration? If you select the text and paste it into the browser's address bar, yes. But when you click on it, it takes you somewhere else.

You can find out where the link actually goes from the source code of the email. How depends on which email client you use; in Thunderbird, for example, open the source via Ctrl+U.

Many people think that hovering over a link shows where it actually goes. Even this may not be true, because everything can be influenced, for example via JavaScript. You probably won't encounter this in email, but you can on the web.

It is important to know that links may point in a different direction than they appear.

Example of an email where the link to the fraudulent page is created in HTML.

URL shorteners

If the attacker cannot or does not want to use HTML, they usually mask the links with so-called shorteners. The best known is bit.ly, but social networks use them too (fb.me, t.co, etc.). A shortener produces a short, easily shared link (URL) which, when clicked, redirects to another URL.

An example of what a shortened URL can look like:

https://zkr.url/hAe71 or https://zkr.url/WEDOS

Never click on shorteners in an email.

Another example of a fraudulent email. The link has been masked with a shortener.

Familiar link in URL

Another way to create a "trusted-looking" link is to put an official part of the URL into a subdomain. For example:

https://client.wedos.com.něco.cz/login/

It can also be placed in the path, which is similar to the shortener case.

https://něco.cz/client.wedos.com/login/

In both cases, only the owner of the něco.cz domain decides what is displayed at the target link.

And the protection against this? Keep the links to everything you need (administration, webmail client, web pages, etc.) stored in your browser. Then you never have to click on them in an email.
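As an added example (not code from the original post), a small Python audit that applies the checks from the sections above to an HTML email body: it compares the URL shown as link text with the real href, and it accepts a destination only on an exact match against the trusted host, so HTML-masked links, shorteners, subdomain tricks and path tricks are all flagged. The trusted host is taken from this page; zkr.url and neco.cz are placeholders, and the sample body is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumption: the only legitimate login host is the one named on this page.
TRUSTED_HOSTS = {"client.wedos.com"}

def host_of(url):
    """Lowercase hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html):
    """Return one finding per anchor that does not lead where it appears to."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target, reasons = host_of(href), []
        shown = host_of(text) if text.startswith(("http://", "https://")) else ""
        if shown and shown != target:          # HTML-masked link
            reasons.append("visible URL and href differ")
        if target not in TRUSTED_HOSTS:         # exact match beats subdomain/path tricks
            reasons.append("href host not trusted")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings

# Constructed sample body: one genuine link followed by the three tricks the
# page describes (zkr.url and neco.cz are placeholders, not real sites).
SAMPLE_HTML = """
<a href="https://client.wedos.com/">https://client.wedos.com/</a>
<a href="https://zkr.url/WEDOS">https://client.wedos.com/</a>
<a href="https://client.wedos.com.neco.cz/login/">Log in</a>
<a href="https://neco.cz/client.wedos.com/login/">Log in</a>
"""
```

Run `audit_links(SAMPLE_HTML)` to see the three suspicious anchors; the genuine first link produces no finding.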

Domain IDN

IDNs (Internationalized Domain Names) are domains that can contain characters outside the Latin alphabet, in some cases even emoji. An attacker can therefore pick an alphabet that resembles the Latin one and register a visually similar domain under any extension that supports IDN and the chosen character set. At first glance, a layperson cannot tell the difference.

Example:

https://client.wеdоѕ.com

The domain itself is a mix of Latin and Cyrillic. Specifically, it contains W and D from the Latin alphabet, and E, O, and S from the Cyrillic alphabet.

The browser converts the IDN domain to its so-called Punycode form, so in the address bar we see:

https://client.xn--wd-nlc1byh.com/

Of course, if your browser does not convert the name to Punycode, you can hardly tell.

In theory, you can use a string-to-ASCII converter. The upper-case Latin letters start at 41 (hexadecimal 0x41, i.e. 65 in decimal) and end at 90, the lower-case letters start at 61 (hexadecimal 0x61, i.e. 97 in decimal) and end at 122, and the digits run from 48 to 57. So if you run the domain through a text-to-ASCII converter, you should never get a value above 122 for a Latin name.

Example:

String    Individual characters as ASCII / code point values
wedos     119 101 100 111 115
wеdоѕ     119 1077 100 1086 1109

Make sure that the browser in which you open links from email converts IDN domains to Punycode.
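As an added example (not code from the original post), a Python helper that performs the checks described above for the page's own look-alike domain: it renders each label the way the address bar does (Punycode with the xn-- prefix), lists the per-character code points as in the table, applies the "nothing above 122 for Latin" rule, and additionally reports labels that mix scripts. The genuine and look-alike hostnames are the ones on this page; the script-detection step is an addition beyond the page's ASCII check.

```python
import unicodedata

def to_ascii_host(host):
    """Render a hostname as the address bar does: non-ASCII labels become xn--<punycode>."""
    out = []
    for label in host.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)

def code_points(label):
    """Per-character code points, as listed in the page's ASCII table."""
    return [ord(ch) for ch in label]

def scripts_in(label):
    """Script names (first word of the Unicode character name) of the letters in a label."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def idn_findings(host):
    """Reasons a hostname deserves suspicion; [] for a plain Latin name."""
    reasons = []
    for label in host.split("."):
        if max(code_points(label), default=0) > 122:      # the page's converter rule
            reasons.append(f"{label!r} has a code point above 122, so it is not plain Latin")
        if len(scripts_in(label)) > 1:                    # added check: mixed scripts
            reasons.append(f"{label!r} mixes scripts {sorted(scripts_in(label))}")
        if not label.isascii():
            reasons.append(f"the browser shows {label!r} as {to_ascii_host(label)}")
    return reasons

# The genuine host from this page and its look-alike with Cyrillic е, о and ѕ
# (written as escapes so the difference is visible in the source).
GENUINE = "client.wedos.com"
LOOKALIKE = "client.w\u0435d\u043e\u0455.com"
```

`idn_findings(LOOKALIKE)` returns three findings for the middle label, while `idn_findings(GENUINE)` returns an empty list.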

Dangerous text

Most often you will encounter phishing emails where a substantial part of the scam is automated: they contain a link to a form where you are asked to fill in login details, personal data or other misusable information. However, there are also many scams that involve human interaction.

The best known are the so-called Nigerian letters (the 419 scam), in which a complete stranger writes that you have inherited, won or otherwise come into a great fortune. All you have to do is reply and work out the details. This leads to further communication, culminating in a request for a small administrative fee. Once you pay it, there is more communication and a request for a larger fee. This repeats for as long as the victim keeps paying.

While the scams mentioned above follow a relatively transparent script and are already quite well known, targeted and far more elaborate scams are aimed at companies in particular.

BEC (Business Email Compromise)

This is a special form of phishing attack that targets company employees. The attacker typically pretends to be the company's management and tries to get inattentive employees, customers or business partners to pay an invoice to a different bank account.

This type of attack should not be underestimated. It is not yet widespread in the Czech Republic, but in the USA it contributes significantly to the losses of companies caused by cyber threats. It’s just a question of when it will really spread here.

It is a good idea to train employees, especially those who can approve or make payments, that this is a real danger. They may be written to by someone claiming to be company management and demanding immediate payment to an important supplier. Such an email can look entirely genuine: the same template is used, and the names, logos, etc. all match.

How to defend yourself?

  • SPF is an absolute must: without this technology, and strict enforcement of it on the receiving side, the sender's email address can be spoofed.
  • Save all important email addresses in your contacts and let your email client notify you whenever you write to an address that is not among them. If you reply to a fraudulent email sent from another domain, it will warn you.
  • If something is urgent, pay special attention to it. If the fraudster has no access to internal communications, the text often contains inaccuracies and errors. Use other communication channels within the company (phone, internal chat) to verify authenticity.
  • Be especially careful when handling such emails on your mobile phone.
  • Employees need to be regularly trained and reminded of the risks. It doesn't hurt to take a screenshot of a real attempt and send it to the whole company as a warning.
  • Within your internal systems, monitor who is connecting from where and investigate unusual activity. The most dangerous case is someone losing their email credentials and a phishing email then going out from an official address.

A special form is so-called clone phishing. These are emails that copy the official template and change only where to pay, possibly adding a note that the account number in the previous email is out of date. Scammers send them out just after the official email goes out, so the target reads both the first and the second email. If they are expecting a request for payment and receive one genuine and one fraudulent, they may not be alert and can easily fall for it. This kind of scam is especially feasible when you send payment requests to everyone on a regular schedule.

The links for immediate payment in the email are convenient, but if you want to be sure, simply bookmark the orders page of the customer administration in your browser.

On that page you will find a list of payment requests and their status. Click on the request number, then click on make payment or pay from your imprest account.

Another specific form is spear phishing. Here the attack is not random but targeted. The attacker has knowledge of the target organization and/or the individual who will receive and handle the email, and uses this often personal information to increase credibility, pressure, etc. The targets of spear phishing are usually company management and billing department employees, so these groups should be given special attention during training.

Dangerous attachment

Here we move a little further from classic phishing. When the botnet is not carrying out an attack, it tries to grow the number of compromised machines. This is often done by sending an email with a dangerous attachment that puts malware on your computer.

Technically, it is not the attachment itself that is dangerous but the program that opens it, because that program can take an action based on the attachment's contents that leads to infection of the computer. The programs in which attachments are opened need to be secure or run with limited privileges.

A security package (antivirus, firewall) significantly increases security. It can detect the threat automatically and either eliminate or quarantine it, and it should be present on every computer. However, it must have the permissions to inspect the traffic and, if necessary, intervene in it.

How individual attachments can be dangerous:

ALZ, ARJ, RAR, TAR, ZIP – A compressed archive that may contain an executable. Sometimes it is encrypted (with the password given in the text of the email), which means the antivirus cannot look inside it for malicious code.

BAT – A file of commands for Windows to execute.

DOC, DOCX, XLS, XLSM, XLSX – An office suite file may contain macros that help get malware onto your computer. Running macros should be disabled in the office suite.

COM, EXE – An executable file that may directly contain malware.

HTML/HTM – A web page file may contain JavaScript that attempts to call malicious code.

JNLP – Contains information for downloading a JAR file, which is a Java program.

PDF – We use PDF files every day. Most of them are documents we can comfortably read on any computer. The problem is that they may contain dangerous code (a worm) that can smuggle malware into the system. Every PDF should be scanned by your antivirus. If you open PDFs on your computer, the reader should have all third-party extensions and JavaScript disabled, and you should always keep the PDF reader up to date. Be extremely careful with PDFs that arrive packaged in an encrypted archive (ZIP, RAR, etc.).

This list is not complete and is for illustrative purposes only.

How to defend against phishing

The key is to trust no one and to assume that anything can be a scam. Every day, cybercriminals come up with better methods to trick you. Some are completely unexpected, so they will always be one step ahead of you. It therefore doesn't hurt to be overly cautious.

Security packages containing antivirus, firewall and other utilities can help. They can directly detect dangerous attachments, for example, and they can also work with blacklists of domains, URLs, IP addresses, etc. If something does get through, they may delete it or stop you from visiting the fraudulent site. However, this only works for known and mass-targeted threats.

Regularly update all software you use. Not just the operating system, but also the browsers, the email client, the programs you work with.

Keep everything that could be abused separate and reach it without having to click on links in an email: bookmark internet banking, our customer administration, etc. in your browser.

Use two-factor authentication (OTP) wherever possible. Even if the cybercriminals obtain the credentials, these are useless without the second device needed to authenticate.

Not everyone is up to speed on today's cyber threats. If you are an exception, please share with others: organise a training session with colleagues in your company, show them examples, and send screenshots with demonstrations.

Conclusion

It is also important to report it if you are the target of a phishing campaign that exploits your brand. Don't rely on someone else to do it. Sending a screenshot or the email source takes a matter of minutes and can save a lot of people. Companies have internal processes for dealing with these threats, from monitoring the situation and increased surveillance to proactively warning customers and implementing emergency measures.