Fun with phishing 01
Use Case
Find all the signs of a fraud
Ukatemi Technologies
02/10/2023
Background
Phishing is a form of social engineering: attackers aim to gain confidential and valuable user information or to infect computers with malware (like ransomware), for example by sending large amounts of spam email, specific personalized email, SMS, voice messages or calendar invitations. The message sent by the attackers contains some kind of malicious file or link that triggers the attack as soon as the user opens it or clicks on it. The higher someone is in the corporate hierarchy, the more desirable the target. According to the FBI Internet Crime Complaint Center 2020 survey, this form of cyber-attack is by far the most common, with more than 240,000 victims per year in the USA only. [LINK]
From time to time we also receive spam messages, unwanted requests, and even WhatsApp or Viber messages about difficulties in delivering our non-existent packages. We have accepted this fate when we made some of our business email addresses publicly available on our website. (Other unsolicited inquiries come from GDPR incompatible data processing practices – but that’s the subject of another blog post).
We have noticed that attackers have shifted from sending out massive amounts of generic emails to the more company and person-specific nonsense. We’re sampling from these now, underlining of course the information that can be used to identify phishing attacks in general. Enjoy!
Example: Police Interpol KONVOKÁCIÓ
Red flags and more
For our non-English speaking readers, we have received a blackmail email on behalf of the Hungarian Police AND Interpol, threatening to take action against us. We show this gem for its obviousness. It has many recognizable features though, that can be used to identify phishing activity even if you are not a technical person, for example:
🚩 Check the sender email address! In our case it was POLICE <bpm.copj0@gmail.com>. It is unlikely that any kind of police department or office would consult you from a gmail.com email address.
🚩 Check the recipients! This mail was sent to undisclosed-recipients which means that all recipients are set as Bcc. This means the email was sent to multiple addresses. If the real police had contacted you, they would have sent the email directly.
🚩 Check the instructions! They want us to reply to oipc.s@aol.com. AOL is an American web portal and online service provider based in New York City. They are not directly connected to Interpol or any kind of “POLICE” in general.
🚩 Check the spelling! The header says: RENDOR-FOKAPITANYSAG without accent (ékezet), but in other parts of the document they used accents.
🚩 Check the grammar! The letter contains the formal addressing “Ön”, mixed with informal versions of verbs “teszed”. Also see the multitude of ungrammatical expressions. Attackers were probably working with a less advanced translator.
🚩 Check the logos! That bright green in the Hungarian flag is absolutely dreadful. Besides, we are pretty sure that the Hungarian Police only uses this neon yellow on their high-visibility vests. These visual elements have been probably added to reinforce the appearance of professionalism, but they have the opposite effect.
🚩 Check the text formatting! It is a hot mess, really: a mixture of multiple fonts, paragraphs and bullet points, underlining and other methods of highlighting.
The list of red flags is not complete of course, but it gives a quick insight into the daily life and struggle of a phishing attacker: the more tailored attacks you try to carry out (i.e. segment the market), the more likely you are to fail because of the small details. This exact email also appeared on Reddit, make sure to check the comments! [LINK]
In case of a very general phishing email, usually we do not take further action, but as the Hungarian Police was impersonated in this attack, we informed them about the email, and further actions were taken in consultation with them. See our follow-up blog post about the topic next week.
