Another day, another attempt to steal your personal data. Phishing attacks are unrelenting and can lead to serious security breaches of all kinds. Attackers can compromise your login credentials, place malware on your device, or just gather information about your location and propensity for clicking on unsolicited links.
A lot of these attacks are just the tip of an iceberg, because their endgame isn’t to just infect one device, but to use one compromised login or device to launch a series of escalating attacks.
We revisit the topic often, but as the attacks change, it helps to see what the new styles of attack look like. That way, when you see them, you can confidently go about your business and keep your personal and proprietary data intact. Today, we’ll share and break down some of the more convincing fakes that have been sent recently to Crown Computers’ CEO, Sean Goss.
These are the kinds of messages that can be blocked by an email security service like Proofpoint, but those services (like all security measures) aren’t perfect. While those services help cut down on spam and phishing, the only real way to stop compromises is to not click attachments or links unless you expect the message and it comes from a trusted source.
Depending on what phone and carrier you use, you may have integrations between your voicemail and your email. It may seem like second nature if you use these features: a voicemail is left on your phone line, then an email gets sent to your inbox with a transcription. This attack is supposed to look like one of those services and give the impression that this is an important but routine message.
The sender here uses a plausible name in the “From:” field, as if they are some kind of service that you may use; the subject is appropriately generic for this kind of service as well. The names are personalized, making use of your domain name from your email address, which could make it seem like your IT team has set up a new service. Notice that the attachment says that it’s an audio file, a .wav, but right underneath the name, Outlook shows that it’s an HTML file instead.
Our next example has a little more “computer speak” in its subject line to make it seem like it came from a utility or printer. It looks like an app or service that you might use, with the subject “Scanned image” making it seem like someone is just sending a picture from a printer.
It has an image in the message (to help convince you that this is just some arcane fax service) but it also has an .htm file as its attachment. The icing on the cake here is the CONFIDENTIALITY NOTICE, which is designed to make it look like a typical internal email and get you to subconsciously trust the sender.
This message uses emojis in the file name to make the .htm file look like it might be part of an app or new feature. It’s briefer than the others, attempting to generate an impulse to push the play button right where it says “Play_Now.” Again, it has a generic title to make it seem mundane and normal, and simply says “Please see attached.” By not saying much, the message is just trying to generate that impulse to click, and any number of bad things can happen if you slip and open the attachment.
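The three attachment disguises described above (an HTML file named like audio, a bare .htm file, and symbols in the file name) can be checked for automatically before a message reaches the inbox. The following is an added example, not part of the original article: the extension lists, the reason labels and the sample message are assumptions constructed for illustration.

```python
import unicodedata
from email.message import EmailMessage
from pathlib import PurePosixPath

HTML_EXTS = {".htm", ".html", ".xhtml", ".shtml"}
# Extensions a lure name may display alongside the real one (assumed list).
DECOY_EXTS = {".wav", ".mp3", ".pdf", ".jpg", ".png", ".tif", ".docx"}

def is_html(part, name):
    """True if the name, the declared type, or the first bytes say HTML."""
    head = (part.get_payload(decode=True) or b"")[:512].lstrip().lower()
    return (PurePosixPath(name).suffix.lower() in HTML_EXTS
            or part.get_content_type() == "text/html"
            or head.startswith((b"<!doctype html", b"<html")))

def audit_attachments(msg):
    """Map each HTML attachment's filename to the reasons it was flagged."""
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not is_html(part, name):
            continue
        reasons = ["html-attachment"]
        exts = [s.lower() for s in PurePosixPath(name).suffixes]
        if any(s in DECOY_EXTS for s in exts):
            reasons.append("decoy-extension")   # e.g. name.wav.htm
        if any(unicodedata.category(ch) == "So" for ch in name):
            reasons.append("symbol-in-name")    # emoji or pictograph
        findings[name] = reasons
    return findings

def build_sample():
    """Constructed message; names and bodies are illustrative only."""
    msg = EmailMessage()
    msg["Subject"] = "New voice message"
    msg.set_content("Please see attached.")
    page = b"<html><body>placeholder</body></html>"
    msg.add_attachment(page, maintype="application", subtype="octet-stream",
                       filename="Voicemail_0142.wav.htm")
    msg.add_attachment(page, maintype="text", subtype="html",
                       filename="\u25b6Play_Now.htm")
    msg.add_attachment(b"%PDF-1.7 placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg

if __name__ == "__main__":
    for name, reasons in audit_attachments(build_sample()).items():
        print(f"{name}: {', '.join(reasons)}")
```

The content sniff matters because the declared MIME type is chosen by the sender; the first sample attachment is declared as a generic binary but is still caught by its extension and its leading bytes.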
Our last example is engineered to make it look like you’ve received a shared file on SharePoint. It may look legitimate at first glance, simply because it uses the SharePoint branding. The other main element here is the use of the terms “secured” and “encrypted.” By employing the language of legitimate security mechanisms, the attackers here are trying to get you to feel comfortable with the links because they reference security practices that really do help make email more secure.
Clicking the link likely takes you to something that spoofs the Microsoft 365 login page or some other kind of Microsoft SSO login page. If you entered your credentials to view the “secured document,” you’d simply be handing your Microsoft account credentials to the attackers, which would be the perfect way to impersonate you in an attack on other parts of your organization.