Cybersecurity in the Workplace: Hikvision Cybersecurity Director Discusses Spear Phishing Part 2
Last week, Chuck Davis, Hikvision’s director of cybersecurity for North America, blogged about spear phishing that targets people whose online accounts have been compromised. As promised, this week, Davis offers a more in-depth overview of an extortion attack.
Overview of an Extortion Attack
In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark web underground market site four years later. The vast majority of passwords were not well protected, and were quickly cracked in the days following the release of the data.
Most people probably do not remember this data breach, or vaguely remember it, but the list of millions of email addresses and passwords is still accessible on the Internet. While most of those account owners have changed their passwords, this group of attackers thought of a clever new way to monetize an old list.
Below is an explanation of how the attackers probably created this attack with little investment of time and money.
Step 1: Getting the List
Getting a list of compromised usernames and passwords isn’t very difficult, especially a list that is more than two years old. While it may take some time to find them, links to the data has been available online for years, especially if you know where to look.
Step 2: Create a Bitcoin Wallet
This is an easy step. I won’t go through the details of how to create a bitcoin wallet, but this step allows the attacker to collect money that is very difficult to trace back to them.
Step 3: Automated Phishing Email
I assume they automated this phishing attack by using a script or program. The script would automatically take the email address and put it in the "To:" field of an email, then take the first name and the known password and place them in the body of the email. Using this method, the attackers could quickly send out large volumes of emails. As you can see, this was likely not something that was written specifically for the recipient.
For our example, let’s assume that one of the LinkedIn accounts was for the following email address: firstname.lastname@example.org and the password for this account is: Wangchungindaclub! The script would send an email to email@example.com, with the password from the LinkedIn list that looks like what is below.
I know that your password is Rover.1980 because I am in your computer, watching you and everything you do and type. Send me $1000.00 in bitcoin to the following address or I will send your pics and text messages to all of your contacts. Here is the bitcoin address to send the money and save yourself from embarrassment. You have 24 hours to pay.
BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)
Lessons Learned: Check Emails Closely
In summary, we must be vigilant about checking email closely. According to a 2017 report, 90% - 95% of all cyberattacks start with a phishing email. With this being such a large attack vector, we have to continue to learn how to identify those attacks that get past our spam filters.