Deep Sea Phishing: Examples & Countermeasures
Phishing is impersonation of a person or brand.
Our focus is email-based phishing.
Phishing is not malware, spam, or XSS, although these often coincide.
Current countermeasures
Awareness training using synthetic (fake) phishing emails.
Big lists of crowdsourced URLs and domains known to be bad.
Cryptographic email standards like DKIM, SPF, DMARC.
Deep Sea Phish You can't see them, but they're there! And they're really nasty. They use tricks to avoid detection by even well-trained users. They thwart URL and domain blacklisting. And they're thriving.
Example One Bank of Scamerica
Bank of Scamerica This message looks like a legitimate message from Bank of America. But it's actually a phishing scam. There are no obvious visual clues. Even trained experts get fooled by forgeries that are this well-crafted.
Bank of Scamerica Maybe you've trained your users to look at the From: line to make sure the sender is legitimate. Does this From: line look forged? Look carefully! That's not a Latin lowercase A. It's a Unicode GREEK SMALL LETTER ALPHA, a totally different letter.
Bank of Arnerica: Under the Hood The From: and Subject: lines hide the brand name from scanning tools. So this looks like it's from Bank of America to a person, but not to software. This mail was sent from a compromised Cox mail account.
Bank of Arnerica This message has a single URL for the user to click. Let's hover over it. Now look closely at where it points in the zoomed-in version below. Notice anything peculiar? How about now?
Bank of Arnerica: Under the Hood The attacker has registered and linked to a visually similar domain.
Bank of Arnerica But what else lurks below? A bunch of invisible text! We've changed its color from white to red so you can actually see it.
Bank of Arnerica The invisible text was scraped from a language learning website. https://www.lingq.com/lesson/chapter-tenthe-wedding-631789/ Why does the message include this? Because it fools programs that perform statistical analysis on the message text. It makes them think this is a personal email rather than a transactional email from Bank of America. After all, it's mostly text!
Bank of Scamerica: Under the Hood Even the HTML includes extra text, in the form of fake elements and attributes.
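The two slides above describe white-on-white filler text and padding elements inserted so that a text classifier sees a chatty personal mail rather than a short transactional one. The scanner below is an added example (not Inky's code) that walks the HTML of a message, separates text the recipient can actually see from text hidden by colour, zero font size, display:none or the hidden attribute, and reports the hidden-to-visible ratio a filter could score on. The sample message, the look-alike link host and the filler sentences are all constructed for the example; the detector assumes a white background, which is the common case for branded mail.

```python
"""Flag 'invisible' filler text in an HTML email body (added example, not Inky's code)."""
import re
from html.parser import HTMLParser

# Inline-style patterns that hide content. Constructed subset; real filters use more.
HIDING_STYLES = (
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|%)?\s*(?:;|$)", re.I),
    re.compile(r"opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)", re.I),
)
# White text; the lookbehind keeps 'background-color' from matching.
WHITE = re.compile(r"(?<![-\w])color\s*:\s*(?:#fff(?:fff)?\b|white\b|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\))", re.I)
WHITE_ATTR = {"#ffffff", "#fff", "white"}
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "embed", "source", "track", "wbr", "param"}
NON_TEXT = {"style", "script", "head", "title"}


class HiddenTextScanner(HTMLParser):
    """Tracks, per open element, whether its text is visible, hidden or not text at all."""

    def __init__(self):
        super().__init__()
        self.stack = []          # one state per open element: visible | hidden | ignore
        self.visible, self.hidden = [], []

    @staticmethod
    def _is_hiding(attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        if any(p.search(style) for p in HIDING_STYLES) or WHITE.search(style):
            return True
        if (a.get("color") or "").lower() in WHITE_ATTR:   # <font color="#ffffff">
            return True
        return "hidden" in a

    def handle_starttag(self, tag, attrs):
        if tag in VOID:                     # <br>, <img>: never closed, never pushed
            return
        parent = self.stack[-1] if self.stack else "visible"
        if parent == "ignore" or tag in NON_TEXT:
            state = "ignore"
        elif parent == "hidden" or self._is_hiding(attrs):
            state = "hidden"                # hiding is inherited by children
        else:
            state = "visible"
        self.stack.append(state)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if not text:
            return
        state = self.stack[-1] if self.stack else "visible"
        if state == "visible":
            self.visible.append(text)
        elif state == "hidden":
            self.hidden.append(text)


def scan_html(html: str) -> dict:
    """Return counts of visible vs hidden characters and a sample of the hidden text."""
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    vis, hid = " ".join(scanner.visible), " ".join(scanner.hidden)
    total = len(vis) + len(hid)
    return {
        "visible_chars": len(vis),
        "hidden_chars": len(hid),
        "hidden_ratio": round(len(hid) / total, 3) if total else 0.0,
        "hidden_sample": hid[:80],
    }


# Constructed sample modelled on the slides: short visible lure, long white filler.
SAMPLE = """<html><body style="background:#ffffff">
<p><img src="cid:logo"><b>Bank of America</b></p>
<p>Your account has been limited. <a href="https://look-alike-domain.example/verify">Verify now</a></p>
<div style="color:#FFFFFF;font-size:1px">Chapter ten. The wedding was held on a sunny morning and everyone
in the village came to watch the young couple walk down the lane.</div>
<font color="#ffffff">The bride wore her mother's dress and the groom looked nervous.</font>
</body></html>"""

if __name__ == "__main__":
    print(scan_html(SAMPLE))
```

The parser assumes reasonably well-formed HTML (unclosed block elements would keep a hidden state open longer than intended); a production filter would also resolve CSS in style blocks and compare text colour against the actual background. Scoring the hidden ratio separately, rather than feeding all text to a statistical model, is what defeats the padding trick.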
How we caught it
Fuzzy matching of the From: line that is resilient to Unicode substitutions.
Visual similarity of the domain in the link to a major brand domain.
B of A brand imagery detected.
Not sent from a legitimate B of A mail server.
Therefore, malicious.
Example Two Scamerican Express
Scamerican Express This message looks like a legitimate message from American Express. But it's actually a phishing scam. Once again, you'd be hard-pressed to tell this is fake, even if you're a trained expert. Like the previous example, this uses several clever tricks to get past mail protection software.
Àmerican Express Here's another variation of the From: line disguising we saw in the previous example. Unlike the Bank of America phish, you can tell something's wrong if you look closely. But most people won't. In practice this From: line looks good to most users. But that first A is actually Unicode LATIN CAPITAL LETTER A WITH GRAVE.
Àmerican Express: Under the Hood Here again, the From: line makes a person think this is from American Express, but prevents the mail filter software from matching the brand name. Note also the plausible aexp-ib.com domain in the From: and Reply-To: headers.
Let's see where aexp-ib.com is hosted. WTF? mail-qk0-f194.google.com?
The DKIM signature is valid, the SPF and DMARC checks both pass, and Exchange Authentication-Results tell us this message is A-OK!
DKIM/SPF/DMARC prove that the mail really came from aexp-ib.com but who controls that domain? Obviously not American Express!
Guess where else we found this host?
The same hostname and IP address appear in this email. It's one of the leaked DNC emails, from Debbie Wasserman Schultz.
DKIM/SPF/DMARC prove what server the mail came from, but not who controls that server!
Àmerican Express This mail actually came from a compromised Google mail server. Servers like this are invaluable to attackers because they have very good sender reputations. The attacker even went to the trouble of properly configuring DKIM, SPF, and DMARC for aexp-ib.com too, so this looks entirely legitimate to most mail protection software. Microsoft EOP let it sail right through.
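The point of the preceding slides is that SPF, DKIM and DMARC answer "did this mail really come from the domain it claims?" and not "does that domain belong to the brand in the display name?". The code below is an added example (not Inky's or Microsoft's) that parses an Authentication-Results header in the style the slides show, collects the domains that actually authenticated, and then asks the second question explicitly by comparing them against the brand's known sender domains. The sample message, the header values and the brand-to-domain table are constructed; the table entry for American Express is an assumption used only for illustration.

```python
"""Authenticated is not the same as legitimate (added example, not Inky's code)."""
import re
import email
from email import policy

# Constructed assumption: domains a brand is known to send from. A real deployment
# would maintain this from the brand's published sender domains.
KNOWN_BRAND_DOMAINS = {
    "american express": {"americanexpress.com"},
    "bank of america": {"bankofamerica.com"},
}

# Constructed message modelled on the slides: every check passes for aexp-ib.com.
RAW = """\
Authentication-Results: spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=aexp-ib.com; dkim=pass (signature was verified) header.d=aexp-ib.com; dmarc=pass action=none header.from=aexp-ib.com
From: "\u00c0merican Express" <alerts@aexp-ib.com>
Reply-To: support@aexp-ib.com
To: member@example.net
Subject: Action required on your Membership Card
Content-Type: text/plain

Hello Membership Card, please verify your account.
"""

_METHOD = re.compile(r"(spf|dkim|dmarc)\s*=\s*(\w+)", re.I)
_PROPS = re.compile(r"(smtp\.mailfrom|header\.d|header\.from|header\.i)\s*=\s*([^\s;()]+)", re.I)


def parse_auth_results(value: str) -> dict:
    """Map each method (spf/dkim/dmarc) to (result, {property: domain})."""
    out = {}
    for clause in (c.strip() for c in value.split(";")):
        m = _METHOD.match(clause)
        if not m:
            continue                      # skips the authserv-id or unknown methods
        method, result = m.group(1).lower(), m.group(2).lower()
        props = {k.lower(): v.lower().lstrip("@") for k, v in _PROPS.findall(clause)}
        out[method] = (result, props)
    return out


def assess(raw_message: str, claimed_brand: str) -> dict:
    """Decide whether passing SPF/DKIM/DMARC actually ties the mail to the claimed brand."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    ar = parse_auth_results(str(msg.get("Authentication-Results", "")))
    all_pass = all(ar.get(m, ("none", {}))[0] == "pass" for m in ("spf", "dkim", "dmarc"))
    # Domains that were cryptographically or DNS-proven as the origin.
    auth_domains = {d for res, props in ar.values() if res == "pass" for d in props.values()}
    known = KNOWN_BRAND_DOMAINS.get(claimed_brand.lower(), set())
    brand_owned = bool(auth_domains) and auth_domains <= known
    return {
        "all_pass": all_pass,
        "authenticated_domains": sorted(auth_domains),
        "brand_owned": brand_owned,
        "verdict": "deliver" if all_pass and brand_owned else "quarantine",
    }


if __name__ == "__main__":
    print(assess(RAW, "American Express"))
```

With the constructed header every method reports pass, yet the only authenticated domain is aexp-ib.com, which is not in the brand's set, so the verdict is quarantine; swap that domain for the brand's real one and the same checks yield deliver. The brand name itself is taken as an input here; extracting it from a disguised From: line is a separate step.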
Àmerican Express Now that we know it's fake, we can see a few other tip-offs. Notice the IP address? The last number is 274. But that's an impossible IP address value, because each of the four values in an IP address is a single byte, and bytes only range from 0 to 255! And "Hello Membership Card"? That's rather impersonal.
How we caught it
Domain aexp-ib.com was registered the same day as the email was sent.
Recognized American Express brand imagery in the message.
Fuzzy-matched American Express brand term in From: text "Àmerican Express".
Not from a valid American Express mail server.
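Both "How we caught it" slides lean on the same two checks: a From: line brand match that survives Unicode substitutions (GREEK SMALL LETTER ALPHA for a, LATIN CAPITAL LETTER A WITH GRAVE for A) and a visual-similarity test between the link domain and the brand's real domain (the rn-for-m trick in "Arnerica"). The code below is an added example, not Inky's implementation, of one way to do both: reduce any string to a skeleton (NFKD decomposition with combining marks dropped, a small look-alike table folded to Latin, and the rn/m and vv/w pairs collapsed), then compare skeletons. The confusables table is a constructed subset of the Unicode TR39 data, and the brand-to-domain table is an assumption for illustration.

```python
"""Brand matching that survives Unicode look-alikes (added example, not Inky's code)."""
import unicodedata
from difflib import SequenceMatcher
from typing import Optional

# Constructed subset of Unicode confusables; TR39 publishes the full table.
CONFUSABLES = {
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA (the Bank of America example)
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "0": "o", "1": "l",             # digit-for-letter swaps
    "\u2010": "-", "\u2011": "-", "\u2013": "-",
}

# Constructed assumption: brand term -> the brand's real domain.
BRAND_DOMAINS = {
    "bank of america": "bankofamerica.com",
    "american express": "americanexpress.com",
}


def skeleton(s: str) -> str:
    """Fold a string to what a human would read it as: ASCII-ish, lower case, diacritics gone."""
    out = []
    for ch in unicodedata.normalize("NFKD", s):
        if unicodedata.combining(ch):      # drops the grave accent: À -> A
            continue
        ch = ch.lower()
        out.append(CONFUSABLES.get(ch, ch))
    folded = "".join(out)
    # Letter pairs that render like a single letter in proportional fonts.
    return folded.replace("rn", "m").replace("vv", "w")


def matching_brand(display_name: str) -> Optional[str]:
    """Return the brand term the From: display name reads as, if any."""
    sk = skeleton(display_name)
    for term in BRAND_DOMAINS:
        if skeleton(term) in sk:
            return term
    return None


def registrable_domain(host: str) -> str:
    """Naive last-two-labels cut; a real filter uses the public suffix list (co.uk etc.)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def domain_similarity(link_host: str, brand_domain: str) -> float:
    """Similarity of the second-level labels after skeleton folding (1.0 = identical)."""
    a = skeleton(registrable_domain(link_host).split(".")[0])
    b = skeleton(brand_domain.lower().split(".")[0])
    return SequenceMatcher(None, a, b).ratio()


def looks_like_brand_domain(link_host: str, brand_domain: str, threshold: float = 0.85) -> bool:
    """True when the link is NOT the brand's domain but reads like it."""
    if registrable_domain(link_host) == brand_domain.lower():
        return False                       # the genuine domain or a subdomain of it
    return domain_similarity(link_host, brand_domain) >= threshold


def assess(display_name: str, link_host: str) -> dict:
    """Combine both checks the way the slides describe: brand claimed + look-alike link."""
    brand = matching_brand(display_name)
    lookalike = bool(brand) and looks_like_brand_domain(link_host, BRAND_DOMAINS[brand])
    return {"brand": brand, "link_lookalike": lookalike, "flag": bool(brand) and lookalike}


if __name__ == "__main__":
    print(assess("Bank of \u03b1merica", "bankofarnerica.example"))
    print(assess("\u00c0merican Express", "aexp-ib.com"))
```

The second call shows the limit of this check on its own: aexp-ib.com is not a visual look-alike of the brand's domain, so the From: brand match has to be combined with the "not a legitimate brand mail server" and domain-age signals from the slides before the message is blocked.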
Scared yet?
Takeaways Attackers are using new techniques in Deep Sea phishing emails that make these forgeries difficult for both trained humans and software to spot. These emails use brand terms, imagery, and domain names that are real-looking enough to fool people, but different enough to get past naïve software filters. Inky detects and blocks Deep Sea phishing with machine learning models trained to detect these kinds of emails.