Roman Dedenok – Kaspersky official blog https://www.kaspersky.com/blog
The Official Blog from Kaspersky covers information to help protect you against viruses, spyware, hackers, spam & other forms of malware.

Credential phishing targets ESPs through ESPs https://www.kaspersky.com/blog/sendgrid-credentials-phishing/50662/ Thu, 22 Feb 2024 10:00:06 +0000

Mailing lists that companies use to contact customers have always been an interesting target for cyberattacks. They can be used for spamming, phishing, and even more sophisticated scams. If, besides the databases, the attackers can gain access to a legitimate tool for sending bulk emails, this significantly increases the chances of success of any attack. After all, users who have agreed to receive emails and are accustomed to consuming information in this way are more likely to open a familiar newsletter than some unexpected missive. That’s why attackers regularly attempt to seize access to companies’ accounts held with email service providers (ESPs). In the latest phishing campaign we’ve uncovered, the attack method has been refined to target credentials on the website of the ESP SendGrid by sending phishing emails directly through the ESP itself.

Why is phishing through SendGrid more dangerous in this case?

Among the tips we usually give in phishing-related posts, we most often recommend taking a close look at the domain of the site in the button or text hyperlink that you’re invited to click or tap. ESPs, as a rule, don’t allow direct links to client websites to be inserted in an email, but rather serve as a kind of redirect — inside the link the email recipient sees the domain of the ESP, which then redirects them to the site specified by the mail authors when setting up the mailing campaign. Among other things, this is done to collect accurate analytics.

In this case, the phishing email appears to come from the ESP SendGrid, expressing concern about the customer’s security and highlighting the need to enable two-factor authentication (2FA) to prevent outsiders from taking control of their account. The email explains the benefits of 2FA and provides a link to update the security settings. This leads, as you’ve probably already guessed, to some address in the SendGrid domain (where the settings page would likely be located if the email really was from SendGrid).

To all email scanners, the phishing looks like a perfectly legitimate email sent from SendGrid’s servers with valid links pointing to the SendGrid domain. The only thing that might alert the recipient is the sender’s address. That’s because ESPs put the real customer’s domain and mailing ID there. Most often, phishers make use of hijacked accounts (ESPs subject new customers to rigorous checks, while old ones who’ve already fired off some bulk emails are considered reliable).

An email seemingly from SendGrid sent through SendGrid to phish a SendGrid account.

Phishing site

This is where the attackers’ originality comes to an end. SendGrid redirects the link-clicking victim to a regular phishing site mimicking an account login page. The site domain is “sendgreds”, which at first glance looks very similar to “sendgrid”.

A site mimicking the SendGrid login page. Note the domain in the address bar

How to stay safe

Since the email is sent through a legitimate service and shows no typical phishing signs, it may slip through the net of automatic filters. Therefore, to protect company users, we always recommend deploying solutions with advanced anti-phishing technology not only at the mail gateway level but on all devices that have access to the internet. This will block any attempted redirects to phishing sites.

And yes, for once it’s worth heeding the attackers’ advice and enabling 2FA. Not via a link in a suspicious email, though, but in the settings of your account on the ESP’s website.

Update. We contacted Twilio and received the following statement from their spokesperson:

Impersonating a site administrator, or other critical function, has proven an effective means of phishing across the industry, and Twilio SendGrid takes abuse of its platform and services very seriously. Twilio detected that bad actors obtained customer account credentials and used our platform to launch phishing attacks; our fraud, compliance and cyber security teams immediately shut down accounts identified and associated with the phishing campaign. We encourage all end users to take a multi-pronged approach to combat phishing attacks, including two-factor authentication, IP access management, and using domain-based messaging.

How criminals disguise URLs | Kaspersky official blog https://www.kaspersky.com/blog/malicious-redirect-methods/50045/ Tue, 12 Dec 2023 17:45:40 +0000

Corporate information security specialists usually know quite a few confident employees who say that they don’t click on dangerous links and are therefore not susceptible to cyberthreats. Sometimes those employees use this argument when asking to have corporate security measures turned off because they somehow interfere with their work. But attackers often disguise malicious and phishing links, trying to confuse both mail filters and human observers. What they want is to make victims (even if they are examining URLs as we repeatedly advise) click on an address that actually takes them to a different one. Here are the most common methods used by cybercriminals to hide malicious or phishing URLs.

An @ symbol in the address

The simplest way to hide the real domain in the address is to use the @ symbol in the URL. This is a completely legitimate symbol that can be used to embed a login and a password in the website address — HTTP allows credentials to be passed to the web server via the URL simply by using the login:password@domain.com format. If the data before the @ symbol is incorrect and not suitable for authentication, the browser simply discards it and takes the user to the address located after the @ symbol. So cybercriminals use this: they come up with a convincing page name, use the name of a legitimate site in it, and place the real address after the @ symbol. For example, look at our blog’s address disguised in this way:

It looks like a page with many words in the name hosted somewhere on the Google domain, but the browser will take you to http://kaspersky.com/blog/.

A number instead of the IP address

In the previous method, attackers often try to confuse the user with a long page name in order to distract them from the real address — because it still remains in the URL. But there’s a way to hide it completely — by converting the IP address of a site into an integer. As you may know, IP addresses are not very convenient to store in databases. Therefore, at some point, a mechanism was invented to convert IP addresses into integers (which are much more convenient to store) and vice versa. And these days, when modern browsers see a number in a URL they automatically convert it into an IP address. In combination with the same @ symbol, it effectively hides the real domain. This is what a link to our corporate website can look like:

In using this trick, cybercriminals try to focus attention on the domain before the @ symbol, and make everything else look like some kind of parameter — various marketing tools often insert all sorts of alphanumeric tags into web links.

URL shortener services

Another fairly simple way to hide the real URL is to use one of the legitimate link shortening services. You can include absolutely anything inside a short link — and it’s impossible to check what hides there without clicking.

Google Accelerated Mobile Pages

Several years ago, Google and some partners created the Google AMP framework — a service that was intended to help webpages load faster on mobile devices. In 2017, Google claimed that AMPed pages load in less than a second and use 10 times less data than the same pages without AMP. Now attackers have learned how to use this mechanism for phishing. An email contains a link starting with “google.com/amp/s/”, but if the user clicks it, they’ll be redirected to a site that doesn’t belong to Google. Even some anti-phishing filters often fall for this trick: due to Google’s reputation, they consider such a link to be sufficiently reliable.
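The @ trick, the integer host and the AMP prefix described in the three sections above can all be unpicked mechanically before a link is ever opened. The Python below is an added example, not code from the Kaspersky post; the sample links inside it are constructed for the demonstration, and `analyze_url` and the other function names are this example’s own.

```python
# Added example, not code from the Kaspersky post: work out which host a
# browser will really connect to for links that use the "@" userinfo trick,
# an integer-encoded IPv4 host, or a Google AMP cache prefix.
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

AMP_PREFIX = "/amp/s/"  # path prefix the post describes for AMP links


def _split(url: str):
    # urlsplit only recognises the authority part when a scheme is present.
    return urlsplit(url if "://" in url else "http://" + url)


def effective_host(url: str) -> str:
    """Host the browser connects to. Anything before '@' in the authority is
    userinfo (login:password) and is simply dropped when it is not used."""
    return (_split(url).hostname or "").lower()


def has_userinfo(url: str) -> bool:
    return "@" in _split(url).netloc


def decode_numeric_host(host: str) -> Optional[str]:
    """Browsers accept an IPv4 address written as a single integer (decimal,
    0x-hex or leading-zero octal) and turn it back into dotted form.
    Return that dotted form, or None if host is not such an integer."""
    try:
        if host.lower().startswith("0x"):
            n = int(host[2:], 16)
        elif len(host) > 1 and host[0] == "0" and host.isdigit():
            n = int(host, 8)
        elif host.isdigit():
            n = int(host, 10)
        else:
            return None
    except ValueError:
        return None
    if not 0 <= n <= 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(n))


def ip_to_integer(dotted: str) -> int:
    """The reverse conversion the post mentions: 192.168.1.1 -> 3232235777."""
    return int(ipaddress.IPv4Address(dotted))


def amp_target(url: str) -> Optional[str]:
    """For google.com/amp/s/<site>/<path> links return <site>, the domain the
    user actually lands on; None for anything else."""
    parts = _split(url)
    host = (parts.hostname or "").lower()
    if host != "google.com" and not host.endswith(".google.com"):
        return None
    if not parts.path.startswith(AMP_PREFIX):
        return None
    site = parts.path[len(AMP_PREFIX):].split("/", 1)[0].lower()
    return site or None


def analyze_url(url: str) -> dict:
    """Summarise where a link really leads and which disguises it uses."""
    host = effective_host(url)
    decoded = decode_numeric_host(host)
    amp = amp_target(url)
    flags = []
    if has_userinfo(url):
        flags.append("userinfo-before-@")
    if decoded:
        flags.append("integer-ip-host")
    if amp:
        flags.append("amp-redirect")
    return {"effective_host": host,
            "final_host": amp or decoded or host,
            "flags": flags}


if __name__ == "__main__":
    # Constructed sample links for the demo (not real campaign URLs).
    for link in ("http://www.google.com.read-this-article-now@3232235777/login",
                 "https://www.google.com/amp/s/phish-demo.example/account",
                 "https://kaspersky.com/blog/"):
        print(link, "->", analyze_url(link))
```

Hosts written as an integer are rare in legitimate mail, so the `integer-ip-host` flag on its own is a strong reason to hold a message for review.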

Email service providers

Another way to hide your page behind someone else’s URL is to use an ESP; that is, a service for creating legitimate newsletters and other mailouts. We’ve already written in detail about this method in one of our previous posts. In short, criminals employ one of these services, create a mailing campaign, input a phishing URL, and as a result get a ready-made clean address, which has the reputation of an ESP company. ESP companies of course try to fight such misuse of their service, but it doesn’t always work out.

Redirect via Baidu

The Chinese search engine Baidu has quite an interesting approach to showing search results. Unlike Google, it doesn’t give you links to the sites, but instead makes links to itself with a redirect to the site searched for. That is, in order to disguise a malicious URL as Baidu, all cybercriminals need to do is search for the page (which is quite simple if you enter the exact address), copy the link and paste it into the phishing email.

And by and large, we don’t know just how many other services there are that can redirect URLs or even cache pages on their side (be it for their own needs or in the name of convenience of content delivery).

Practical takeaways

No matter how confident your employees are, we doubt that they really can tell whether a link is dangerous or not. We therefore recommend backing them up with protective solutions. Moreover, we recommend using such solutions both at the corporate mail server level and at the level of internet-enabled working devices.

Why you shouldn’t scan QR codes in emails | Kaspersky official blog https://www.kaspersky.com/blog/qr-codes-in-phishing-emails/49388/ Fri, 20 Oct 2023 13:00:08 +0000

There’ve been more and more cases of users receiving emails seemingly from large internet companies (for example, Microsoft or its cloud service Office 365) containing QR codes. The body of these emails has a call to action: in a nutshell, scan the QR code to maintain access to your account. This post examines whether it’s worth reacting to such messages.

Scan the QR code, or face the inevitable

A typical email of this kind contains a notification saying your account password is about to expire, after which you’ll lose access to your mailbox, and so the password must be changed, for which you need to scan the QR code in the email and follow the instructions.

The password must be reset by scanning the QR code

Another email could warn the recipient that their “authenticator session has expired today”. To avoid this, the user is advised to “quickly scan the QR Code below with your smartphone to re-authenticate your password security”. Otherwise access to the mailbox could be lost.

“Authenticator session has expired” — for a quick fix, scan the QR code

A further example: the message kindly informs the reader: “This email is from a trusted source” — we’ve already talked about why emails stamped “verified” should be treated with caution. The thrust of the message is that “3 important emails” supposedly cannot be delivered to the user due to lack of some kind of validation. Of course, scanning the QR code below will “fix” the issue.

Important emails can be delivered only by scanning the QR code for “validation”

Clearly, the authors of these emails want to intimidate inexperienced users with high-sounding words.

They’re also likely hoping that the recipient has heard something about authenticator apps — which do indeed use QR codes — so that their mere mention may stir some vague associations in their mind.

What happens if you scan the QR code in the email

The link in the QR code takes you to a rather convincing replica of a Microsoft login page.

Scanning the QR code takes you to a phishing site that steals entered credentials

Of course, all credentials entered on such phishing pages end up in cybercriminal hands. And this jeopardizes the accounts of users who fall for such tricks.

An interesting detail is that some phishing links in QR codes lead to IPFS resources. IPFS (InterPlanetary File System) is a communication protocol for sharing files that has much in common with torrents. It allows you to publish any files on the internet without domain registration, hosting, or other complications.

In other words, the phishing page is located directly on the phisher’s computer and is accessible via a link through a special IPFS gateway. Phishers use the IPFS protocol because it’s much easier to publish a phishing page there, and much harder to remove it, than to block a “regular” malicious website. As such, the links live longer.

How to guard against phishing QR codes

No decent authentication system will suggest scanning a QR code as your only option. Therefore, if you receive an email asking you to, say, confirm something, or sign in to your account again, or reset your password, or perform some similar action, and this email only contains a QR code, you’re probably dealing with phishing. You can safely ignore and delete such an email.

And for those times when you need to scan a QR code of an unknown source, we recommend our security solution with its secure QR code scanner function. It will check the contents of QR codes and warn you if there’s anything bogus inside.

HR phishing: self-evaluation questionnaire | Kaspersky official blog https://www.kaspersky.com/blog/hr-self-evaluation-scheme/49061/ Tue, 19 Sep 2023 13:19:33 +0000

In large companies, as a rule the average employee isn’t often asked for an opinion on their career aspirations, areas of interest, or accomplishments outside their job description. It tends to happen once a year — for the performance review. However, many would like to share their thoughts with management much more often. So, when an invitation to take a self-evaluation lands in the inbox, they jump at the chance without hesitation. And this is what cybercriminals exploit in the latest spear-phishing campaign.

Phishing email with invitation

Seemingly from HR, an email arrives containing an elaborate description of the employee self-evaluation procedure, which “promotes candid dialogue between staff members and their managers/supervisors”. It goes on to say that “you can learn a lot about your strengths and shortcomings … to reflect on your successes, areas for development, and career objectives”. All in all, quite a convincing piece of corporate spiel.

Email to employees inviting them to undergo a self-evaluation

Convincing it may be, but all the same the email does contain a few identifiable red flags regarding phishing. For starters, take a look at the domain name in the sender’s address. That’s right, it doesn’t match the name of the company. Of course, it’s possible that your HR department might be using a contractor unknown to you — but why would “Family Eldercare” be providing such services? Even if you don’t know that this is a non-profit organization that helps families care for elderly relatives, the name should ring an alarm bell.

What’s more, the email says that the survey is “COMPULSORY for EVERYONE”, and must be completed “by End Of Day”. Even if we leave aside the crude and faulty capitalization, the focus on urgency is always a reason to stop and think — and check with the real HR department whether they sent it.

Fake self-evaluation form

Those who miss the flags and click through to the form are faced with a set of questions that may actually have something to do with assessing their performance. But the crux of the phishing operation lies in the last three of those questions — which ask the victim to provide their email address, and enter their password for authentication and then re-enter it for confirmation.

Last three questions of the fake questionnaire

This is actually a smart move on the phishers’ part. Typically, phishing of this type leads straight from the email to a form for entering corporate credentials on a third-party site, which puts many on their guard straight away. Here, however, the request for a password and email address (which commonly doubles up as a username) is disguised as part of the form — and at the very end. By this stage the victim’s vigilance is well and truly lulled.

Also note how the word “password” is written: two letters are replaced with asterisks. This is to bypass automatic filters set to search for “password” as a keyword.
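A keyword filter can be made tolerant of this masking instead of looking for the literal word. The Python below is an added example, not code from the post or from any Kaspersky product; the word list and the leet-speak table are constructed assumptions, and `find_sensitive_terms` is this example’s own name.

```python
# Added example, not code from the Kaspersky post: match sensitive words in
# form text even when letters have been swapped for asterisks or similar
# characters to dodge a plain keyword filter ("pa**word", "p@ssw0rd").
import re
from typing import List, Tuple

# Constructed word list; extend it with whatever your own filter keys on.
SENSITIVE_WORDS = ("password", "passcode", "username", "credentials")
# Characters phishers drop in for letters: wildcards, plus common leet swaps
# (constructed table, not an exhaustive one).
WILDCARDS = set("*#?_-")
LEET = {"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"}
TOKEN_RE = re.compile(r"[A-Za-z0-9*#?@$_-]+")


def obfuscated_match(token: str, word: str, max_changes: int = 3) -> int:
    """Return how many positions of token were substituted if it spells word
    with at most max_changes letters replaced by wildcards or leet
    characters; return -1 if it does not match. Requiring equal length and
    capping the substitutions keeps a run of asterisks from matching."""
    if len(token) != len(word):
        return -1
    changes = 0
    for t, w in zip(token.lower(), word):
        if t == w:
            continue
        if t in WILDCARDS or LEET.get(t) == w:
            changes += 1
        else:
            return -1
    return changes if changes <= max_changes else -1


def find_sensitive_terms(text: str, max_changes: int = 3) -> List[Tuple[str, str, int]]:
    """Return (token, matched word, substitutions) for every token in text
    that is a plain or masked spelling of a sensitive word."""
    hits = []
    for token in TOKEN_RE.findall(text):
        for word in SENSITIVE_WORDS:
            changes = obfuscated_match(token, word, max_changes)
            if changes >= 0:
                hits.append((token, word, changes))
                break
    return hits


if __name__ == "__main__":
    # Constructed sample form text for the demo.
    sample = "Please enter your pa**word and re-enter your p@ssw0rd to confirm."
    for hit in find_sensitive_terms(sample):
        print(hit)
```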

How to stay safe

To stop company employees falling for phishing, keep them informed of all the latest tricks (for example, by forwarding our posts about phishing ploys). If you prefer a more systematic approach, carry out regular training sessions and checks, for example with our Kaspersky Automated Security Awareness Platform.

Ideally, employees should never even see most phishing thanks to technical means: install security solutions with anti-phishing technology both at the corporate mail gateway level and on all work devices used for internet access.

Identity theft in 1915 | Kaspersky official blog https://www.kaspersky.com/blog/les-vampires-1915-identity/48643/ Mon, 17 Jul 2023 13:29:00 +0000

Cyberthreat researchers have of late been sounding the alarm about the rising danger of deepfakes. In particular, they advise you not to trust your ears: in the digital age of artificial intelligence the voice at the other end of the line may not belong to whom you think. Speaking of which, any guesses what people were afraid of more than a hundred years ago? In that mechanical age of scientific discovery, they were wary of, yes — trusting their ears. After all, the voice at the other end of the line — was it really whom they thought? Don’t believe it? Then just take a look at a case of identity theft using then-sophisticated technology to steal money from a bank account depicted in a film shot back in 1915! Welcome to the world of the French silent movie series Les Vampires.

Les Vampires

A quick spoiler: anyone looking for supernatural blood-sucking monsters will be disappointed. The main character, journalist Philippe Guérande, confronts a daring criminal gang that calls itself the Vampires. Despite its venerable age, the film has a lot to offer in terms of information security. Take just the first scene, which illustrates why outsider access to work documents is a no-no.

The Vampires themselves are of interest for their use of what were then hi-tech methods. A large chunk of episode three (The Red Codebook) is given over to cryptanalysis: Guérande looks for patterns in the villains’ encrypted notes. And episode 7 (Satanas) is built around an attempt to copy another’s identity. But how does anyone pull off identity theft armed only with early 20th-century tech?

Identity theft in 1915

In a nutshell, the criminal scheme goes as follows. The Vampires learn that US tycoon George Baldwin is on a trip to Paris, where they decide to relieve him of some of his money. To do so, they devise a multistage attack. First, they arrange for the millionaire to be interviewed by one of their own, Lily Flower, posing as a journalist for Modern Woman magazine. She tells Baldwin that her magazine publishes a celebrity quote every month, and asks him to write a few words in a notebook, then date and sign them.

Next, a saleswoman claiming to be from the Universal Phonograph Company visits the millionaire with a new piece of tech wizardry: an actual phonograph — the first device for recording and reproducing sound. She explains to Baldwin that it’s her company’s policy to record the voices of famous people visiting Paris. Falling for the ruse, he dictates the only phrase he can pronounce in French: “Parisian women are the most charming I’ve ever seen,” adding “All right!” in English at the end.

The full nature of the scam is then revealed to the viewer. The purpose of the first stage was, of course, to steal the tycoon’s signature. Under the sheet on which Baldwin left his autograph was some sort of carbon paper, which duly captured the signature and date. Above this, the criminals write out a fake order obliging New American Bank to pay Lily (the journalist) the sum of US$100 000 (a princely sum today; imagine its value a century ago!).

Next, they kidnap the telephone operator of Baldwin’s hotel, and send another accomplice in her place with a note: “I’m sick, sending my cousin as a replacement.” The hotel management swallows this primitive trick and puts the total stranger in charge of the phone.

Meanwhile, Lily goes to the bank with the fake payment order. The cashier decides to check the legitimacy of the transaction and calls the hotel where Baldwin is staying. There, the bogus telephone operator plays the recording of the millionaire uttering his catchphrase, which convinces the cashier to pay out.

How feasible is this scheme?

Most of it is utter twaddle, of course. How on earth would a Parisian cashier at a U.S. bank in 1915 know the signature, let alone the voice, of some American millionaire? Not to mention the fact that the phone lines back then would likely have distorted that voice beyond recognition. That said, the scheme itself is a classic implementation of a man-in-the-middle (MitM) attack — the cashier is sure the voice belonged to Baldwin, who in turn thinks that he, earlier, provided it to the “phonograph company”.

What’s more, the movie features a 2FA bypass: signature theft and fake voice confirmation. Sure, all this is now done using digital technologies, but the core attack scenario remains the same. As such, the main countermeasures could have been formulated over a century ago:

  • Don’t give outsiders access to communication channels (bogus telephone operator).
  • Do not share confidential personal data with anyone — ever (signature and voice biometrics).
  • If in doubt, carefully double-check the legitimacy of the instruction (the phrase “Parisian women are the most charming I’ve ever seen” is not the most cast-iron verification).

Today, you can check out this wonderful movie series for yourself on Wikipedia. If, however, your employees aren’t ready to take cybersecurity tips from silent cinema, we recommend using our interactive Kaspersky Automated Security Awareness Platform instead.

HR phishing scams | Kaspersky official blog https://www.kaspersky.com/blog/vacation-schedule-scheme/48480/ Thu, 22 Jun 2023 10:45:14 +0000

Summer finds many company employees gazing longingly out the window, glancing now and again at the calendar. You don’t need to be a psychic to read the word “vacation” in their minds. Neither do cybercriminals – who exploit such sentiments through phishing. The goal, as ever, is to coax out corporate credentials. We explore such scams and explain what you need to look out for.

Phishing email

The aim is to get the phishing link clicked. To achieve this, the attackers need to shut down the critical-thinking side of the victim’s brain, usually by scaring or intriguing them. Chances are, in early summer, mentioning the vacation schedule will do the job. At this time, many employees already have plans made, tickets bought, hotels booked. If vacation dates suddenly change, all these plans will go up in smoke. Therefore, scammers send emails supposedly from HR on the vacation topic: it might be a sudden rescheduling, the need to confirm the dates, or a clash with some important events. Such emails look something like this:

Fake HR email

Since this is mass phishing rather than spear phishing, it’s quite easy to spot the attackers’ tricks. The main thing is to resist the urge to instantly click the link to see your revised vacation dates. If we examine the email more closely, it becomes clear that:

  • The sender (cathy@multiempac.com) is not an employee of your company;
  • The “HR director” who “signed” is nameless and his signature does not match your organization’s corporate style;
  • Hidden behind the link seemingly pointing to a PDF file is a completely different address (you can view it by mouse-hovering over the link).

It also soon becomes clear that the attackers know only the recipient’s address. The automated mass mailing tool takes the company’s domain name and employee’s name from the address and automatically substitutes them into the imitation of the link and the sender’s signature.

Phishing site

Even if the victim swallows the bait and clicks the link, it’s still possible to spot signs of phishing on the attackers’ site. The link in the above email points here:

Fake site that steals credentials

The site itself is less than convincing:

  • For a start, it’s hosted not on your company’s server, but in Huawei Cloud (myhuaweicloud.com), where anyone can rent space;
  • The name of the file doesn’t match the name of the PDF mentioned in the email;
  • There’s not a single attribute on the site to connect it with your company.

Of course, once the victim enters their password in the login window, it goes straight to the cybercriminals’ servers.

How to stay safe

To lessen the likelihood of your company’s employees encountering phishing emails, you need to have protection at the mail gateway level. What’s more, all internet-facing devices need to be protected by an endpoint security solution.

In addition, we recommend holding regular awareness training for employees on the latest cyberthreats, or, at the very least, informing them of potential phishing scams. For more about phishers’ tricks and traps, check out other posts on this blog.

What is conversation hijacking? | Kaspersky official blog https://www.kaspersky.com/blog/what-is-conversation-hijacking/48010/ Tue, 25 Apr 2023 20:16:45 +0000

Targeted e-mail attacks aren’t limited to spear phishing and business e-mail compromise (BEC). Another serious threat is conversation hijacking. In a nutshell, this is a scheme where attackers insert themselves into a business e-mail conversation and pose as one of the participants. This post analyzes how such attacks work and what to do to minimize their chances of succeeding.

How do attackers gain access to e-correspondence?

To worm their way into a private e-mail conversation, cybercriminals need to somehow gain access to either a mailbox or (at least) the message archive. There are various tricks they can deploy to achieve this.

The most obvious is to hack the mailbox. For cloud services, password brute-forcing (more precisely, credential stuffing) is the method of choice: attackers look for passwords associated with a particular e-mail address in leaks from online services, then try them out on work e-mail accounts. That’s why it’s important, first, not to use the same credentials for different services, and, second, not to give a work e-mail address when registering on sites unrelated to your work. An alternative method is to access e-mail through vulnerabilities in server software.

Malicious actors rarely stay in control of a work e-mail address for long, but they do usually have enough time to download the message archive. Sometimes they create forwarding rules in the settings so as to receive e-mail coming into the mailbox in real time. In that case they can only read messages, not send any. If they could send messages they’d most likely try to pull off a BEC attack.

Another option is malware. Recently our colleagues uncovered a mass conversation hijacking campaign aimed at infecting computers with the QBot Trojan. The e-mails in which the cybercriminals planted their malicious payload most likely came from previous victims of that same QBot malware (which can access local message archives).

But self-styled hackers or malware operators don’t necessarily go in for conversation hijacking themselves — sometimes message archives are sold on the dark web and used by other scammers.

How does conversation hijacking work?

Cybercriminals scour message archives for e-mails among several companies (partners, contractors, suppliers, etc.). The dates don’t matter — scammers can resume conversations that go back years. After finding a suitable exchange of e-mails, they write to one of the parties involved, impersonating another party. The goal is to dupe the person at the other end into doing something required by the attackers. Before getting down to business, they sometimes exchange a few messages just to lower the other’s vigilance.

Because conversation hijacking is a targeted attack, it often uses a look-alike domain; that is, a domain visually very close to that of one of the participants but with some small mismatch — say, a different top-level domain, an extra letter, or a symbol substituted for a similar-looking one.

Attackers’ e-mail: the letter “n” appears instead of “m” in the domain name.
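Look-alike domains of the kinds listed above (a swapped top-level domain, an extra or changed letter, a confusable glyph such as “n” for “m”, or “sendgreds” for “sendgrid” in the SendGrid post) can be screened for automatically against a list of partner domains. The Python below is an added example, not code from the post or from Kaspersky Security for Microsoft Office 365; the confusable-glyph table is a constructed starting set, and `lookalike_reason` and `check_sender` are this example’s own names.

```python
# Added example, not code from the Kaspersky post: flag sender domains that
# imitate a trusted partner domain by a changed top-level domain, an extra or
# swapped letter, or visually confusable characters.
from typing import List, Optional, Tuple

# Constructed table of character sequences that look alike in common fonts;
# values are the canonical form used for comparison. Extend as needed.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def skeleton(label: str) -> str:
    """Collapse confusable sequences so 'exarnple' and 'example' compare equal."""
    out = label.lower()
    for seq, canon in CONFUSABLES.items():
        out = out.replace(seq, canon)
    return out


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> Tuple[str, str]:
    """Split a domain into (name, tld), e.g. 'mail.example.com' -> ('example', 'com').
    Assumes a one-label public suffix; a real deployment should consult the
    Public Suffix List so that .co.uk-style suffixes are handled."""
    parts = domain.lower().strip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def lookalike_reason(candidate: str, trusted: str, max_distance: int = 2) -> Optional[str]:
    """Explain why candidate imitates trusted, or None if it does not.
    An identical registrable domain is the real thing, not a look-alike."""
    c_name, c_tld = registrable(candidate)
    t_name, t_tld = registrable(trusted)
    if (c_name, c_tld) == (t_name, t_tld):
        return None
    if c_name == t_name:
        return f"same name, different top-level domain ({c_tld} vs {t_tld})"
    if skeleton(c_name) == skeleton(t_name):
        return "confusable characters substituted"
    dist = levenshtein(c_name, t_name)
    # Short names reach a small distance by accident, so also require the
    # edits to be a small fraction of the trusted name's length.
    if dist <= max_distance and dist * 3 < len(t_name):
        return f"edit distance {dist} from {t_name}"
    return None


def check_sender(address: str, trusted_domains: List[str]) -> List[Tuple[str, str]]:
    """Return (trusted domain, reason) for every trusted domain the sender's
    domain imitates; an empty list means no imitation was detected."""
    domain = address.rsplit("@", 1)[-1]
    hits = []
    for trusted in trusted_domains:
        reason = lookalike_reason(domain, trusted)
        if reason:
            hits.append((trusted, reason))
    return hits


if __name__ == "__main__":
    # Constructed partner list and sender addresses for the demo.
    partners = ["example.com", "sendgrid.com"]
    for sender in ("accounts@exanple.com", "billing@exarnple.com",
                   "security@sendgreds.com", "news@example.com"):
        print(sender, "->", check_sender(sender, partners))
```

A hit is a reason to hold the message and confirm the request over a channel other than the e-mail thread itself.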

What is conversation hijacking used for in particular?

The objectives of conversation hijacking are generally rather banal: to gain access to some resource by stealing login credentials; to dupe the victim into sending money to the attackers’ account; or to get the victim to open a malicious attachment or follow a link to an infected site.

How to guard against conversation hijacking?

The main threat posed by conversation hijacking is that e-mails of this kind are quite difficult to detect by automated means. Fortunately, our arsenal includes Kaspersky Security for Microsoft Office 365, a solution that detects attempts to sneakily join other people’s conversations. To further reduce the risks to both you and your business partners, we recommend:

  • Protecting employees' devices to make it harder to steal message archives from them.
  • Using unique passwords for work e-mail accounts.
  • Minimizing the number of external services registered to work e-mail addresses.
  • Not only changing the password after an e-mail incident, but also checking to see if any unwanted forwarding rules have appeared in the settings.

Phishing through SharePoint | Kaspersky official blog https://www.kaspersky.com/blog/sharepoint-notification-scam/47593/ Thu, 23 Mar 2023 10:00:03 +0000

A phishing link in the e-mail body is a thing of the past. Mail filters now detect this trick with near 100% efficiency. That’s why cybercriminals are constantly inventing new ways to get their hands on corporate login credentials. We recently came across a rather interesting method that makes use of perfectly legitimate SharePoint servers. In this post, we explain how the scheme works, and what employees should look out for to avoid trouble.

Anatomy of SharePoint phishing

The employee receives a standard notification about someone sharing a file. This is unlikely to arouse suspicion (especially if the company where the employee works does actually use SharePoint). This is because it’s a real notification from a real SharePoint server.

Legitimate notification from a SharePoint server.

The unsuspecting employee clicks the link and is taken to the genuine SharePoint server, where the supposed OneNote file appears as intended. Only, inside it looks like another file notification and contains an oversized icon (this time of a PDF file). Assuming this to be another step in the download process, the victim clicks the link — now a standard phishing one.

Contents of the supposed OneNote file on the SharePoint server.

This link in turn opens a standard phishing site that mimics the OneDrive login page, which readily steals credentials for Yahoo!, AOL, Outlook, Office 365, or another e-mail service.

Fake Microsoft OneDrive login page.

Why this type of phishing is especially dangerous

This is by no means the first case of SharePoint-based phishing. However, this time the attackers don’t only hide the phishing link on a SharePoint server, but distribute it through the platform’s native notification mechanism. This is possible because, thanks to Microsoft developers, SharePoint has a feature that allows you to share a file that’s on a corporate SharePoint site with external participants who don’t have direct access to the server. Instructions on how to do this are given on the company’s website.

All the attackers have to do is gain access to someone’s SharePoint server (using a similar or any other phishing trick). That done, they upload the file with the link and add a list of e-mails to share it with. SharePoint itself helpfully notifies the e-mail owners. And these notifications will sail through all filters since they come from the legitimate service of some real company.

How to stay safe

To prevent your employees from falling victim to scam e-mails, they need to be able to spot the telltale signs. In this case, the obvious red flags are as follows:

  • When we don’t know who shared the file (it’s good practice to never open files from strangers).
  • When we don’t know what kind of file it is (people normally don’t share files off the cuff without an explanation of what they sent and why).
  • The e-mail talks about a OneNote file — but on the server we see a PDF.
  • The file download link takes us to a third-party site that has nothing to do with either the victim’s company or SharePoint.
  • The file supposedly resides on a SharePoint server, yet the site mimics OneDrive — these are two different Microsoft services.

To make sure, we recommend holding regular security awareness training for employees. A specialized online platform can help with this.

What the above-described ploy clearly demonstrates is that security solutions with anti-phishing technology must be installed not only at the corporate mail server level but on all employees’ work devices as well.

"On the Line", a cybercrime movie | Kaspersky official blog
https://www.kaspersky.com/blog/on-the-line-korean-movie/47293/ (Thu, 23 Feb 2023 17:36:52 +0000; https://www.kaspersky.com/blog/?p=47293)

Ever seen a movie adaptation of a cybersecurity glossary? I did recently, to my surprise. The South Korean film On the Line (original title: Boiseu; lit. Voice, and no, it’s not the movie with the same name starring Mel Gibson) is undoubtedly an action movie. At the same time, it contains such a concentration of cybercrime that you could almost recommend it as a textbook on information security. The consultants hired by the filmmakers seem to know their stuff.

“On the Line” as an almanac of cybercrime

The main storyline is built around voice phishing, or vishing. But the protagonist, ex-cop turned foreman Han Seo-joon, also encounters numerous other scam techniques. Let’s put the action aside and focus instead on the cyber-incidents (in chronological order).

Cell phone jamming

An intruder enters a construction site and hides a device with several antennas in a bag of building supplies. As we find out later, this is a jammer for blocking cell phone signals. The device jams the frequencies on which cell phones operate, preventing all mobile communications in the coverage area. And it soon becomes clear why the criminals are jamming the signal: to pull off a vishing attack.

Malware-infected phone

Seo-joon’s wife runs a small cafe. She receives a spam message on her phone about a small business-support program that supposedly grants a subsidy on utility bills for companies with under five employees. By tapping the link, she installs malware on her phone that gives the criminals access to all her messages, call logs, and personal data, and lets them redirect calls from her phone to their own numbers.

Vishing (scenario 1)

Next, the vishing attack begins in earnest: she receives a call from someone who introduces himself as a lawyer and says there’s been an accident at the construction site resulting in Seo-joon having been detained and charged. She immediately tries to call her husband, but can’t get through because of the jammer; she assumes his phone is off or out of range. She dials the number of the construction site, and a voice tells her that an accident has occurred: a worker has died and the foreman is in police custody. This is where the malware comes into play: the call has been forwarded, and she is talking to the criminals.

Shortly after the phone rings again. This time, someone purporting to be from the Busan Central Police Department informs her that Seo-joon has been arrested in connection with a construction site accident, and she can visit him at the criminal detention center.

The “lawyer” calls again and argues persuasively that, if the case goes to court, Seo-joon will be found guilty and likely go to jail. The only way to avoid this is to pay compensation. In a state of panic, the wife transfers all her savings to the account of the alleged law firm.

Quick withdrawal

On screen we see the scammers’ banking interface as someone splits up the money and deposits it into seven accounts. Next, people armed with documents and bank cards withdraw the cash at various branches. By the time the woman discovers she’s the victim of fraud and runs to the nearest banking office, the money is no longer in her accounts. And it’s gone for good.

Vishing (scenario 2)

It turns out the jammer wasn’t planted only for the sake of one victim’s savings. The head of the construction company says he too was hoodwinked and has lost a much more significant sum from the payroll account. An “insurance company” called and offered a 50% discount on family insurance for builders. The overly trusting boss sent the unknown callers not only money, but also the personal data of all his employees. And the cell signal was jammed at the very moment when he realized the call was not from insurers.

Money laundering through currency exchanges

The police explain to the victims that the money cannot be returned, because it has been laundered through a network of currency exchanges (actually a money transfer service). In other words, the criminals deposit Korean won in Korea, and withdraw Chinese yuan in China.

Mules for hire

The criminal who planted the jammer on the construction site runs a “travel agency”. In reality the travel agents are folks from the provinces looking to earn a quick buck. They are brought in, spruced up, and sent to the banking offices to cash out the stolen funds. Judging by an off-the-cuff remark, the plan is to engage each person in the cash-out scheme two or three times.

Poker site with a dummy account

To figure out what’s going on, Seo-joon turns to an expert hacker he knows. At that moment, she is being pressured by petty criminals: she had been contracted to create an online poker site, but then secretly connected it to her own account, apparently to siphon off money lost by players (or at least some of it).

Mass spoofing device

The hacker explains exactly how attackers are able to call victims’ phones from fake numbers: by using devices installed in ordinary residential apartments to spoof phone numbers.

Trading personal data

Seo-joon breaks into the office of a certain Mr. Park, who runs this criminal business in Korea. There he witnesses documents and cards being packaged, clearly to be given to the mules. What’s more significant is that someone in the office is selling stolen personal data: databases of microcredit debtors, department store customers, golf club members, and luxury property clients.

Unauthorized access to personal data

Using fake documents, Seo-joon tries to gain the trust of the heads of the criminal network in China. It turns out that the villains have access to the Korean police database and even bank payment histories. Testing Seo-joon’s claimed identity, they ask him questions about his purchases. Luckily, his hacker acquaintance who supplied him with the false documents had the foresight to make him learn a cover story.

Vishing (scenario 3) — the criminals’ perspective

Seo-joon finds a job in a call center and observes how a group of scammers tries to get someone else to part with their money. Pretending to be cybercrime investigators from a bank, they claim the victim’s account is being used for fraudulent purposes, for which he could be prosecuted as an accomplice. If he knows nothing about it, it means his identity has been stolen and he must contact the financial control department. The victim, suspecting something is amiss, tries to contact the bank to block the account. But his phone is infected with the same Trojan that redirects the call back to those same criminals, who convince him it will take two hours to block the account, and only the financial control department can provide urgent assistance. Fortunately, Seo-joon manages to sabotage the scheme.

Vishing scriptwriters

In search of the vishers, Seo-joon infiltrates their operation and observes how they create their schemes. It’s serious work: the fraudsters do market research, find vulnerable groups of people, and develop scenarios for each of them. The head “scriptwriter” explains that vishing is based on empathy — they exploit not stupidity and ignorance, but fears and desires.

Vishing (scenario 4)

The scammers come up with a whole new playbook. Somewhere they get hold of a list of job seekers who have had interviews with a large firm. The criminals call everyone on the list and inform them that they were accepted as employees. Before starting work, however, they must comply with a few formalities: undergo a medical, a credit check, and give details of a guarantor. This can be a relative over 40 years old who is able to contribute a certain amount of money to the federal youth employment program…

How realistic is all this?

The on-screen vishing is shown quite plausibly, and pretty much all the tricks described are doable in real life. But do attackers really mix them together in such a way? Fortunately, only very rarely. The story of phone malware imitating a call is quite real — see our post about a similar Trojan. But a jammer is more reminiscent of a targeted attack, and is unlikely to be deployed in a mass scheme. Money laundering through currency exchanges could probably happen in Korea, but would be more difficult elsewhere. Using mules to cash out really does work like that. What’s undeniably true is a line uttered at the end of the movie: “Many blame themselves for swallowing the bait, but in fact they were hunted down by smart, calculating predators. But they’ll be caught sooner or later.”

Link to Google Translate in phishing email | Kaspersky official blog
https://www.kaspersky.com/blog/google-translate-scheme/46377/ (Thu, 24 Nov 2022 12:14:04 +0000; https://www.kaspersky.com/blog/?p=46377)

When discussing cybercriminal tricks, we always recommend that you look carefully at the URL when clicking a link in an email. Here’s another red flag — a link to a page translated using Google Translate. In theory, it could be that the sender of the email is inviting you to visit a site in a different language and is trying to be helpful. In practice, however, this technique is most often used to bypass antiphishing mechanisms. If the message forms part of business correspondence, and the site that’s opened after you click on the link wants you to enter your mail credentials, close the browser window and delete the email right away.

Why attackers use Google Translate links

Let’s take a look at a recent example of phishing through a Google Translate link caught by our traps:

A letter with a link to Google Translate.

The senders of the email allege that the attachment is some kind of payment document available exclusively to the recipient, which must be studied for a “contract meeting presentation and subsequent payments.” The Open button link points to a site translated by Google Translate. However, this becomes clear only when clicking on it, because in the email it appears like this:

Link under the

The strange wording is perhaps intentional — an attempt by the attackers to create the impression of not being native English speakers to make the Google Translate link seem more convincing. Or maybe they’ve just never seen a real email with financial documents. Pay attention to the two links below (“Unsubscribe From This List” and “Manage Email Preferences”), as well as the sendgrid.net domain in the link.

These are signs that the message was not sent manually, but through a legitimate mailing service — in this case the SendGrid service, but any other ESP could have been used. Services of this type normally protect their reputation and periodically delete mail campaigns aimed at phishing and block their creators. That’s why attackers run their links through Google Translate — the ESP’s security mechanisms see a legitimate Google domain and don’t consider the site to be suspicious. In other words, it’s an attempt not only to dupe the end-user target, but the filters of the intermediary service as well.

What does a link to a page translated by Google Translate look like?

Google Translate lets you translate entire websites simply by passing it a link and selecting the source and target languages. The result is a link to a page where the original domain is hyphenated, and the URL is supplemented with the domain translate.goog, followed by the name of the original page and keys indicating which languages the translation was made to and from. For example, the URL of the translation of the home page of our English-language blog www.kaspersky.com/blog into Spanish will look like this: www-kaspersky-com.translate.goog/blog/?_x_tr_sl=auto&_x_tr_tl=es&_x_tr_hl=en&_x_tr_pto=wapp.

The phishing email we analyzed sought to lure the user here:

Webmail login page imitation.

The browser address bar, despite the string of garbage characters, clearly shows that the link was translated by Google Translate.
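The URL layout described above can be reversed by a mail filter, so that the destination hidden behind the translate.goog wrapper can be judged on its own merits. The following is an added example, not code from the post or from Kaspersky: it recovers the original host and language pair from a translate.goog link, flags links whose real destination is not a host the sender is expected to link to, and separately notes whether any link goes through the sendgrid.net tracking domain mentioned in the post. Two things are assumptions rather than page content: that a literal hyphen in the original host is written as a double hyphen ("--") in the proxy host, and the EXPECTED_HOSTS allow-list used as policy. All sample links except the post's own kaspersky.com example are constructed.

```python
"""Unwrap Google Translate proxy links and flag unexpected real destinations.

Added example, not code from the post or from Kaspersky. The URL layout comes
from the post: the original host with dots replaced by hyphens is prefixed to
translate.goog, and _x_tr_sl/_x_tr_tl carry the source and target languages.
Two things are assumptions: that a literal hyphen in the original host is
written as a double hyphen ("--"), and the allow-list policy (EXPECTED_HOSTS)
used to decide what counts as suspicious. Sample links are constructed,
apart from the post's own kaspersky.com example.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

PROXY_SUFFIX = ".translate.goog"
# Placeholder policy: hosts this sender is expected to link to
EXPECTED_HOSTS = {"kaspersky.com"}
# ESP click-tracking domain named in the post; its presence shows the mail went through SendGrid
ESP_TRACKING_HOSTS = {"sendgrid.net"}


def decode_proxy_host(proxy_host):
    """'www-kaspersky-com.translate.goog' -> 'www.kaspersky.com'; None if not a proxy host."""
    host = (proxy_host or "").lower()
    if not host.endswith(PROXY_SUFFIX):
        return None
    encoded = host[: -len(PROXY_SUFFIX)]
    # Assumed encoding: '--' is a literal '-', a single '-' stands for '.'
    return "-".join(part.replace("-", ".") for part in encoded.split("--"))


def unwrap_translate_link(url):
    """Recover the real URL and the language pair from a translate.goog link."""
    parts = urlsplit(url)
    original_host = decode_proxy_host(parts.hostname)
    if original_host is None:
        return None
    query = parse_qsl(parts.query, keep_blank_values=True)
    # _x_tr_* parameters control the proxy; everything else belonged to the original URL
    kept = [(k, v) for k, v in query if not k.startswith("_x_tr_")]
    langs = {k: v for k, v in query if k in ("_x_tr_sl", "_x_tr_tl")}
    return {
        "url": url,
        "original_host": original_host,
        "original_url": urlunsplit((parts.scheme or "https", original_host,
                                    parts.path, urlencode(kept), parts.fragment)),
        "source_lang": langs.get("_x_tr_sl"),
        "target_lang": langs.get("_x_tr_tl"),
    }


def host_matches(host, allowed):
    """True when host equals, or is a subdomain of, one of the allowed hosts."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def triage_links(urls, expected_hosts=EXPECTED_HOSTS):
    """Return one finding per proxy link; suspicious when the real host is unexpected."""
    findings = []
    for url in urls:
        info = unwrap_translate_link(url)
        if info is None:
            continue
        info["suspicious"] = not host_matches(info["original_host"], expected_hosts)
        findings.append(info)
    return findings


def sent_via_esp(urls, tracking_hosts=ESP_TRACKING_HOSTS):
    """True when any link is wrapped in an ESP click-tracking domain."""
    return any(host_matches(urlsplit(u).hostname or "", tracking_hosts) for u in urls)


SAMPLE_LINKS = [
    # The post's own example: the blog home page translated into Spanish
    "https://www-kaspersky-com.translate.goog/blog/?_x_tr_sl=auto&_x_tr_tl=es&_x_tr_hl=en&_x_tr_pto=wapp",
    # Constructed: a translated link whose real destination is an unrelated "webmail" host
    "https://login--portal-example-invalid.translate.goog/mail/index.html?_x_tr_sl=en&_x_tr_tl=fr&_x_tr_hl=en&id=abc",
    # Constructed: plain ESP tracking link, not touched by the unwrapper
    "https://u12345.ct.sendgrid.net/ls/click?upn=PLACEHOLDER",
]

if __name__ == "__main__":
    print("sent through ESP tracking:", sent_via_esp(SAMPLE_LINKS))
    for f in triage_links(SAMPLE_LINKS):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag}: {f['url']}\n    really -> {f['original_url']} "
              f"({f['source_lang']}->{f['target_lang']})")
```

The decoded host, not the translate.goog wrapper, is what should be fed into reputation and allow-list checks; the second sample link comes out as login-portal.example.invalid, which no sender of financial documents has any business pointing at.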

How to stay safe

To keep company employees from falling for cybercriminal tricks, we recommend periodically refreshing their knowledge of phishing tactics (for example, by sending them relevant links to our blog) or, better still, raising their awareness of modern cyberthreats with the aid of specialized learning tools. Incidentally, in the above example, a trained user would never have gotten as far as the phishing page — the chances of a legitimate financial document addressed to a specific recipient being sent through an ESP service are pretty slim at best. A while back, we posted about ESP-based phishing.

To be extra sure, we additionally recommend using solutions with antiphishing technologies both at the corporate mail server level and on all employee devices.
