Research Saturday 2.24.18
Ep 24 | 2.24.18

Phishing for holiday winnings — Research Saturday


Dave Bittner: [00:00:02] Hello everyone and welcome to the CyberWire's Research Saturday presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a moment to tell you about our sponsor the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at

Or Katz: [00:01:02] We saw a lot of our customers being redirected to a web server that had a very odd and unique domain name.

Dave Bittner: [00:01:13] That's Or Katz joining us once again. He's principal lead security researcher for Akamai's Enterprise Security Business Unit, and the research he's sharing today is on a widespread phishing campaign targeting users using an advertising tactic. The research is titled "Gone Phishing for the Holidays."

Or Katz: [00:01:31] That led us to investigate it a bit more, trying to understand what kind of web application stands behind that domain name.

Dave Bittner: [00:01:38] What was unique about that domain name that grabbed your attention?

Or Katz: [00:01:42] So first of all, we saw many very similar domain names that had the same prefix, holiday seasons dot com, which is actually a subdomain of a different domain saying something different. That is a good indication of something that might be suspicious; it is a technique used in phishing attacks where you put something in the subdomain that hints at something that is not really the real purpose of the website. So this was the first thing that we were able to see.

Dave Bittner: [00:02:18] And so where did it lead from there?

Or Katz: [00:02:20] So after we saw those domains, we did a few things. First of all, we tried to figure out what kind of traffic we could see going to those domains. We tried to figure out a few things about the domains, such as when those domains were registered for the first time, and we tried to figure out what application was actually deployed on those domains, because we saw more than 30 different domain names with the same prefix and the same content, but the actual domain was different. So once we looked into that domain, we actually saw a domain that was fake. It's a domain that gives users the chance to answer some questions regarding a well-known software company. And we saw that there were a lot of fake indications on that given domain, and we were able to see a lot of those indications being related to different phishing attacks that we saw in the past. For example, that given domain contains some questions about that software company, and regardless of the answer that you give to those questions, you will win the prize. That was the funny thing that we were able to see. And one of the things that we were able to see on that given domain and web application is that it contains a lot of elements, well, we call them the "art of deception," that are trying to gain the user's trust in order to make them believe that this is a genuine web application where, once you answer the questions, you will win a prize. For example, a few of those techniques are used to gain trust. First of all, we were able to see that there is an indication of fake social media on that web application, obviously not truly related to or even communicating with that given social media, which in this case was Facebook. We were able to see all kinds of indications telling the user, "Well, we are now in progress and the application is trying to figure out if you are a winner or not."
But actually, behind the scenes, there is no progress, just JavaScript that's running in the background and creating that sense of "in progress." And at the end of the day, when the users were winning a prize, the application told them to choose the prize, to choose at random one of the options. And once you choose that random option, you can win a prize. And in all cases, regardless of what you choose, you will win the same prize, which was an iPhone. At that point, I think the users who were tempted to go to that web application will get some sort of sense that they won a prize. They will be very happy about it. And at that point, they will have full trust in the web application, giving the web application the information that it wants to retrieve.

Dave Bittner: [00:05:24] I see.

Or Katz: [00:05:25] And in our case, that information was an email address, the user's email address. That was the sole purpose of that campaign.

Dave Bittner: [00:05:33] Well, let's back up a little bit and walk through it step by step, because there are some interesting details here. One of the things you pointed out in your research is, I think as you said, that there was a common prefix on many of these upstream sites. They said sale dash gadget dash promotion was on many of these sites with different subdomains. So you saw that commonality between many of these destinations. But then let's walk through this part that you called the "art of deception." First of all, what would lead someone to end up on this site? Was it random happenstance, or were they phished to go visit this site?

Or Katz: [00:06:14] So what we were able to see, as part of the evidence that we were able to collect, is that this kind of campaign was well planned, and part of the techniques being used in order to get as much distribution of this campaign as possible was to use advertisements, meaning the bad guys go to a legit website and put their own ads there. Those ads, once clicked, will redirect to those phishing websites. And in a way, we can see that each domain in that campaign was active for only a few days, getting a lot of attention from users, and after a few days it was, you know, vanishing; it was not relevant any longer.

Dave Bittner: [00:06:56] So the bad guys are paying for a legitimate ad placement to insert this ad, but then when someone clicks on the ad, it takes them to the phishing site.

Or Katz: [00:07:05] Exactly.

Dave Bittner: [00:07:06] So when they go there, they're first met with an audio greeting. That's a bit unusual.

Or Katz: [00:07:12] Yeah, in a way that is part of the phishing campaign's goal to get the user's attention. They use an audio message, and once you hear that audio message, it gets your attention and then you are engaged with that given campaign. And it's not just a website; this is a website that is talking to you, so I give my attention to that website. That's part of the techniques that they are using in order to get trust and attention.

Dave Bittner: [00:07:39] Yeah, and it says, "Please click to claim your prize before we give it away to anyone else," and gives you no option to click away. Your only choice is to say OK, and then it takes you to the quiz. And as you said, it takes you to a quiz about a popular software company, but there's no way to get a wrong answer on this quiz.

Or Katz: [00:07:57] Exactly. Regardless of your answer, you will win a prize. That's their goal. You will win a prize; they will get your attention and trust. And from that point forward, they will be able to retrieve from you the relevant information that they want to retrieve. That's part of the phishing techniques being used.

Dave Bittner: [00:08:15] And then once you've won, whether you give the right answers or not, you get to choose what your prize is going to be. In this case, they have several little treasure boxes that they show you, and they offer up a PlayStation 4, an iPhone 8, a Samsung S8, all good prizes, but it's really a forced choice here. The iPhone 8 is the only one you can actually get, right?

Or Katz: [00:08:38] Exactly. You will get an iPhone 8, because this information will be used in the follow-up redirect link, where you will have to leave your credentials, well, not your credentials, but your email address. And in that link, when you are redirected to that other website that wants to retrieve your information, you will see an ad saying, well, you won an iPhone. So they want to make sure that you'll always win an iPhone. And that's the reason for that.

Dave Bittner: [00:09:06] I see. And I suppose if someone is falling for this, going down the path, they might say, "Well, I had my heart set on that PlayStation 4, but for whatever reason, I guess an iPhone 8 is a good prize. I'll still go along with that."

Or Katz: [00:09:19] No doubt about it.

Dave Bittner: [00:09:20] So the next part, they take you to a next screen which shows other people, like you said, sort of the social media component, other people showing photos of the iPhone 8s that they've had delivered to them.

Or Katz: [00:09:32] Exactly. It included pictures and fake identities of users. It was obviously a fake social network indication on that page. And the reason for that is that they want to give you a sense that there are others who won that prize. You should do the same, right? Getting the trust that they want to gain from you.

Dave Bittner: [00:09:53] So step by step they're building up the trust and making people feel as though this is a legitimate thing, and you might be steps away from actually getting this iPhone.

Or Katz: [00:10:02] Exactly.

Dave Bittner: [00:10:03] And so there's another part of your research where you call it additional tactics, double trouble. And there were some issues with vulnerability to cross-site scripting. Can you take us through that?

Or Katz: [00:10:15] So this is a funny anecdote, actually. What we were able to see is that those websites that were used as part of that campaign were actually vulnerable to a cross-site scripting vulnerability, and, in a way, you know, it's funny that the bad guys also have those vulnerabilities on their websites. And, you know, it's an anecdote that obviously should not be used, but in a way it shows us that they also have applications that are vulnerable.

Dave Bittner: [00:10:47] I see. So perhaps pointing to the amateurishness of these particular attackers, even their own site was vulnerable to attack from someone else.

Or Katz: [00:10:57] Exactly.

Dave Bittner: [00:10:58] They were ultimately trying to harvest email addresses. That strikes me as interesting, because I wouldn't imagine that an email address had a whole lot of value these days.

Or Katz: [00:11:09] Well, that's a question that I'm getting a lot. And actually, we have a sense that an email address is something that is not that important; what can happen? But there is a very important part to the bad guys getting our email addresses, because first of all those email addresses are actually the gate to our environment: to our computers, to our laptops, to our iPads. And the second part of those attacks is, once the bad guys have those email addresses, they can start a different set of attack campaigns in which they send you an email saying, well, you should press this link, and once you press the link for something that is related to you or even associated with you, you will be redirected to a malware download page where you will be infected by malware. So in a way, it started with an email, but it can evolve and can be escalated to much more severe issues, such as malware being installed on your computer or different kinds of credentials being stolen from you.

Dave Bittner: [00:12:16] And I suppose at a certain level they are sort of pre-filtering for people who might be vulnerable to this sort of attack, a certain amount of, I suppose, gullibility. If you go through all the steps of this and fall for them, well, then you're probably more likely to fall for an email phishing attack when we hit you with the next round.

Or Katz: [00:12:37] Exactly. Well, for example, I can say that, you know, me and you, we are probably attack-savvy. We're familiar with those attacks. We will most likely not fall for those attacks, but a lot of people, young people, people that are not fully aware of phishing attacks, can fall for those traps. And you know, I can tell you from my experience at my home that we have one computer at home that is being used both by me and my kids, and in a way, if my kids fall into a trap such as that phishing attack, the same computer used by both of us will be infected by malware. So in a way it sounds like it will target very specific people, or people with a sense of understanding of the phishing landscape, but actually it can affect a lot of people that are not related to it.

Dave Bittner: [00:13:33] And I suppose, like many of these attacks, there's very little cost to run the campaign at a large scale. And so it pays off ultimately.

Or Katz: [00:13:42] Exactly. I can tell you, for example, that I'm located in Israel, and a few weeks ago we saw a very huge phishing attack that was targeting a well-known company that sells furniture. And that given week was the week of the special sale of that company. And, in a way, we saw a lot of people, very, you know, tech-savvy people and other people that have a sense of understanding of what's good and what's bad, falling for that trap and following that phishing campaign, just because, you know, the context of the phishing campaign in a given week when they have a big grand sale for that furniture led us to, you know, fall into those traps.

Dave Bittner: [00:14:28] Yeah, this particular campaign, as you pointed out, really targeted people during the holidays, when perhaps, you know, money might be tight and they're looking for maybe a free bonus, so they might be more susceptible to something like this at that time of year.

Or Katz: [00:14:43] Exactly. People are much more trustworthy at the holiday season, where they have a sense that, you know, they can win a prize. And this is a great period of the year when, you know, there is a lot of willingness to give prizes and a willingness to communicate and give from the companies to the people that are consumers of those companies, so that was also the context of that given campaign.

Dave Bittner: [00:15:13] It seems to me like I've seen a lot more of these types of attacks, and I think we've seen reports of these annoying pop-up ads of, you know, "You're a winner, congratulations!" particularly on the mobile side. It seems like we've really been flooded with these. Have you all been seeing that as well?

Or Katz: [00:15:32] Yes, definitely. We see hundreds if not thousands of such campaigns in a given week. We can see that there is a trend of a lot of traffic, or a lot of targeting, more toward mobile users, for very tactical reasons. The bad guys understand that they can abuse those kinds of platforms because they are less secured. For example, if my computer is part of my work, it is protected by the security controls that we have in our office; my mobile phone in most cases will not be protected. Therefore the bad guys are targeting those platforms, those devices.

Dave Bittner: [00:16:15] And in terms of advice for people to protect themselves against these sorts of things, or even, you know, protecting your family members, your kids, maybe your elderly parents, things like that, what do you suggest?

Or Katz: [00:16:26] So I think the most important thing here is awareness. We have to educate our young ones. We have to educate our peers and our colleagues to be, well, suspicious in such cases, even though they feel that they won a prize, that there is something good happening to them. They need to stop for a minute and ask themselves, "Is it legit? Is it not? Should I give my credentials so freely?" And these are the things that we should do as a community, obviously, and this is part of the motivation for us to create such blogs and share the insight that we're able to gain on such a very specific campaign.

Dave Bittner: [00:17:04] Can you describe some of the invasive techniques that this campaign is using?

Or Katz: [00:17:08] So yes, we were able to see a few techniques being used. For example, we were able to see that the domains associated with that given campaign are domains that were registered over 6 months prior to the time that the campaign was executed, and in a way the reason for that is that the bad guy understands that once you use a newly registered domain, that will create a lot of alerts in a lot of security controls. We will be able to detect those domains just because they were recently registered, and track them down. Now, if you registered the domain over six months ago, that will lower the level of suspicion around those domains, and that gives the bad guys the advantage of not being detected so quickly. This is the first technique. The second part of the techniques that the bad guys are using in order to stay evasive is the fact that they actually use 30 different domains. Each domain is activated for a limited timeframe, and we can see that once one domain is inactive, a new domain comes in and becomes active. And in that way they last longer while they abuse our trust, getting a lot of attention and a lot of traffic from users, abusing one domain after the other, and by that creating the amount of attention that they want to gain.

Dave Bittner: [00:18:36] Now, this campaign, has it wound down, or is it still running, or was it only really running during the holiday season?

Or Katz: [00:18:43] This given campaign was running during the holiday season, but we actually see a lot of campaigns similar to that being activated on a weekly basis, so it's not that given campaign, but there are others, you know, in the pipeline, and we are being abused by a lot of those campaigns.

Dave Bittner: [00:19:03] Our thanks to Or Katz from Akamai for joining us. You can read the complete report "Gone Phishing for the Holidays" in the blog section of the Akamai Web site. Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technology. It's produced by Pratt Street Media. The Coordinating Producer is Jennifer Eiben, Editor is John Petrik, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.