Targeted webmail phishing attacks


When most people hear the term “phish” in relation to email, they tend to think of big banks and financial institutions, or services like PayPal and eBay. The purpose is to gain access to some online service tied to money.

This may have been mostly accurate five years ago, but over the past two or three years there has been an increasing number of attacks against online services which have no obvious access to money, but which do provide other value to the scammers.

One such example is targeted webmail phishing, which has been on the rise and is affecting more and more organizations.

Phish example #1

In most cases these phishing attacks consist of an (often poorly worded) email sent to accounts within a specific organization or domain that provides web-based email access. Within these emails the attackers will request the reader take immediate action to prevent some impending disaster.

The attacker asks for a reply to the email or for the reader to click a link to fill out an online form, which requests an email address and password. Once this information has been collected by the scammer, the attacker can log in and access the email account for a number of nefarious purposes, such as:

  • Collecting further names and email addresses within the organization.
  • Collecting personal information.
  • Digging for official internal notifications from groups responsible for IT or email infrastructure maintenance, which can be used to craft more believable subsequent attacks.
  • Sending further phishing attacks within the organization.
  • Testing deliverability of further phishing attacks against the organization.
  • Sending spam from the organization’s mail server to email addresses world-wide.

The last purpose is the main motivation for most of these attacks.

Phish example #2

Most of the samples SophosLabs has seen use similar techniques to convince the recipient to act on the phish.

A “reason” that is the root cause of these messages being sent:

    "Mailbox Has Exceeded The Storage Limit"
    "Upgrading our security system"
    "Detected malicious e-mail traffic"
    "Result of a continuous error script"
    "Maintainance on our university website"
    "A virus has been detected in your mail account"
    "Unusual invalid login attempt"
    "Due to congestion in all <target_university> webmail users account"

A request to take some action:

    "Validate Your Email Account"
    "Update your information"
    "Confirm your account"
    "Please leave all information requested"
    "Confirmation of your personal information"

Some consequence if the recipient doesn’t take immediate action:

    "You may not be able to send or receive new mails"
    "Which may result on account suspension"
    "We have blocked your e-mail account from sending e-mail"
    "Failure to do this, we are sorry to let you know that your account will be deleted immediately"
    "If you do not update your account details within 48 hours after receipt of this email message, your account will be deactivated"
    "You have limited time to supply the above details for effective services by replying to this email and any delay or incorrect username or password, may cause our server to automatically log you out from our system."

A call-to-action:

    "Click here to fill and submit the requested information"
    "To re-activate your account please click the link below"
    "To re- validate your mailbox please click here"
    "To re-set your SPACE on our database prior to maintenance on your inbox CLICK HERE"
    "Confirmation link:"
    "In order to reset this email address, you must reply to this e-mail by providing us the following Information for confirmation"

An attempt to make the message look official:

    "Webmail Admin Support Centre."
    "System Administrator"
    "Admin Help Desk"
    "Secretary Services IT"
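
The five elements listed above can be turned into a simple content check. The following is an added example, not SophosLabs code: the patterns are drawn from the quoted phrases, while the rule of flagging a message only when at least three distinct elements co-occur, the function names and both sample messages are assumptions constructed for illustration.

```python
import re

# Patterns drawn from the phrases quoted above, grouped by the element they serve.
ELEMENTS = {
    "reason": [r"exceeded the storage limit", r"upgrading our security",
               r"virus has been detected", r"invalid login attempt"],
    "request": [r"(validate|confirm|update) your (e-?mail )?(account|information)",
                r"information requested"],
    "consequence": [r"account will be (deleted|deactivated)", r"account suspension",
                    r"not be able to send or receive"],
    "call_to_action": [r"click (here|the link)", r"reply(ing)? to this e-?mail",
                       r"confirmation link"],
    "official_signature": [r"system administrator", r"admin help desk",
                           r"webmail admin", r"secretary services it"],
}

def elements_present(body):
    """Return the sorted names of the elements whose phrases occur in body."""
    text = " ".join(body.lower().split())  # fold case and line wraps
    return sorted(name for name, patterns in ELEMENTS.items()
                  if any(re.search(p, text) for p in patterns))

def is_suspect(body, min_elements=3):
    """Flag only when several distinct elements co-occur, not on one keyword."""
    return len(elements_present(body)) >= min_elements

# Constructed samples (not real messages).
PHISH = """Your Mailbox Has Exceeded The Storage Limit.
Validate Your Email Account or you may not be able to send or
receive new mails. To re-activate your account please click the link below.
System Administrator"""
NOTICE = """Your mailbox has exceeded the storage limit. Archive old mail
from your mail client; no reply is needed.
System Administrator"""

if __name__ == "__main__":
    for label, body in (("phish", PHISH), ("notice", NOTICE)):
        print(label, is_suspect(body), elements_present(body))
```

The constructed quota notice shares a reason and a signature with the phish but carries no request, consequence or call-to-action, so it stays below the threshold.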

Phish example #3

What is the point?

Why do these specific attackers bother with compromising existing accounts when, for the most part, they just want these accounts for spamming? Especially when it is widely known that the vast majority of spam is sent via computers acting in a botnet, which can be achieved quite cheaply.

One obvious answer is they want the spam messages to be delivered to as many of their recipients (victims) as possible, which tends to be difficult to achieve when sending from IPs acting in a botnet. This is due to the fact most receivers are able to detect these spam sources with high accuracy, and in some cases will proactively block networks that send little or no legitimate email.

Using these compromised legitimate accounts, spam can be relayed from mail servers that generally would have a positive or neutral reputation, as they tend to send significant amounts of legitimate email. This forces the receiving network to base many of its filtering decisions for this type of spam on content analysis rather than sender reputation. Effectively bypassing the most effective method of filtering spam (IP reputation) will no doubt significantly increase their deliverability rates, especially if the message content is frequently changed.

Phish example #4

Why should you care?

If in most cases financial information is not stolen, and scammers are only gaining access to a handful of email accounts, why is this an issue for organizations targeted by these attacks?

Email accounts often contain a large archive of personal or company confidential information, which quickly becomes an issue if it ends up in the wrong hands.

A handful of compromised accounts can quickly send spam, phishing and malware attacks to other accounts within your organization (even via internal distribution lists), often with little or no spam filtering.

The IP addresses your organization uses to deliver outbound email can suddenly end up blocked by receivers world-wide. This can significantly hurt your business in the short term, and the blocks can also last for months due to some “set and forget” manual blacklists.

Phish example #5

Is your organization a target?

Targets of this type of mail are typically higher education (domains with TLDs such as .edu, and .cc.<state>.us), school districts (k12.<state>.us), government organizations, free email providers and ISPs. However, you can consider yourself a target if you provide a service that uses single-factor authentication to remotely connect and send email, such as a web-based email system like Outlook Web Access.

How can you reduce the potential impact?

There is no foolproof way of protecting yourself from every one of these attacks. However, implementing some of the following measures can significantly reduce the impact:

  • Use an SMTP filter with features specifically targeting this type of spam – ideally, one that is able to react quickly. (That said, filtering can only ever block a percentage of this spam – solution providers who tell you they block 100% of these phishing attacks do not understand the complete problem – so relying on filtering alone won’t solve the issue.)
  • Make use of a two- (or multi) factor authentication system for users to connect to your email infrastructure.
  • Consider automated methods to alert you to a potential problem (e.g. flag suspicious user agents or client IP addresses).
  • Apply limits to the volume of email sent by specific accounts.
  • Flag, or limit, the number of recipients per message.
  • Employ outbound spam filtering, with alerts when appropriate thresholds are reached.
  • Educate users. Keep those within your organization informed and up to date on potential, past, and current attacks. This is the most important measure required to reduce the number of successful attacks.
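
The alerting and limiting measures above (suspicious user agents or client IPs, per-account volume, recipients per message) can be combined in one pass over submission logs. This is an added example, not part of the original article: the log layout, thresholds, script-agent prefixes and the per-user list of known client IPs are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log, one authenticated submission per line:
# timestamp user client_ip recipient_count user_agent
SAMPLE_LOG = """\
2024-05-01T09:00:05 alice 10.1.4.20 1 Mozilla/5.0 (Windows NT 10.0)
2024-05-01T09:12:40 alice 10.1.4.20 3 Mozilla/5.0 (Windows NT 10.0)
2024-05-01T09:30:00 bob 10.1.7.9 2 Mozilla/5.0 (X11; Linux x86_64)
2024-05-01T10:00:01 carol 203.0.113.50 180 python-requests/2.31
2024-05-01T10:00:09 carol 203.0.113.50 175 python-requests/2.31
2024-05-01T10:00:15 carol 203.0.113.50 190 python-requests/2.31
2024-05-01T10:00:22 carol 203.0.113.50 2 python-requests/2.31
"""
# Assumed baseline: client IPs each account has used before.
KNOWN_IPS = {"alice": {"10.1.4.20"}, "bob": {"10.1.7.9"}, "carol": {"10.1.5.31"}}
# Assumed prefixes of non-browser clients worth a second look.
SCRIPT_AGENTS = ("python-requests", "curl/", "libwww-perl")

def parse(log):
    """Yield (time, user, ip, recipient_count, agent) for each log line."""
    for line in log.strip().splitlines():
        ts, user, ip, rcpts, agent = line.split(maxsplit=4)
        yield datetime.fromisoformat(ts), user, ip, int(rcpts), agent

def review(log, known_ips, max_rcpts=50, max_msgs=3,
           window=timedelta(minutes=10)):
    """Return {user: sorted alert reasons} for accounts that need attention."""
    alerts = defaultdict(set)
    recent = defaultdict(list)  # user -> send times still inside the window
    for ts, user, ip, rcpts, agent in parse(log):
        if rcpts > max_rcpts:
            alerts[user].add("recipients_per_message")
        recent[user] = [t for t in recent[user] if ts - t < window] + [ts]
        if len(recent[user]) > max_msgs:
            alerts[user].add("send_volume")
        if ip not in known_ips.get(user, set()):
            alerts[user].add("new_client_ip")
        if agent.lower().startswith(SCRIPT_AGENTS):
            alerts[user].add("scripted_user_agent")
    return {user: sorted(reasons) for user, reasons in alerts.items()}

if __name__ == "__main__":
    for user, reasons in review(SAMPLE_LOG, KNOWN_IPS).items():
        print(user, reasons)
```

Thresholds this low suit only the sample; in practice they would be set from each account's normal sending pattern.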

How are you protecting your users against this type of phish?

Have you at least made sure they are aware of these attacks, so they are significantly less likely to be tricked?

If you would like to report this type of attack to SophosLabs, please forward the message as an attachment to: