1. Positive rather than Negative Social Engineering
The first is a change from the usual negative social engineering ("You must...", "If you don't...", "It is important you do this by <some artificial deadline>") to positive social engineering ("Look, something new and shiny for you...").
We should point out this didn't reach an inbox: it was stopped in quarantine by Defender, which found far too many things it didn't like (but maybe your defences aren't as good as our client's) 🤣:
Here’s the email:
🚩Thank you, Microsoft. They’re at least trying to warn you!
🚩The “From” is the recipient’s domain. No email address, just the domain
🚩Who now? “From” your domain but some random address in Turkey?
🚩The recipient, either the email address or the first name
🚩The positive social engineering: "Setup New Features", along with "Enhanced email protection setup" further up. Then there's the link. Ah, the link. Hover to discover: https: //ipfs . io / ipfs / followed by about 60 random characters, then an html file and the recipient's email address
There should be enough red flags there to have carried out one of the following, in the order we would prefer to see 🤣
Report to your Security or IT team
Report junk or report phishing (Outlook) or whatever your email client of choice supports
Delete
With phishing emails it's worth knowing the six principles of persuasion, as that's what the bad actors are using. Salespeople use the same principles. (Nothing wrong with salespeople!!) 🤣🤣:
Reciprocity
Scarcity
Authority
Consistency
Liking
Consensus
In addition, with social engineering there are nine framing, or pretexting, triggers the bad actors are trying to use, six negative and three positive:
Negative:
Authority
Force
Social Pressure
Scarcity
Urgency
Greed
Positive:
Trust
Social Acceptance
Helpfulness
ALL social engineering can, crudely, be boiled down to two emotions: fear and/or greed.
So in this case we could say “greed” (sounds a bit harsh, but..) “oh look, I get something new and shiny for free”. CLICK 🤦♂️
This brings us to the second change in tactics, which is the use of IPFS.
OK, so what’s IPFS then when it’s at home?
We’re glad you asked.. 🤣
2. IPFS - Peer-to-Peer File Sharing
IPFS stands for InterPlanetary File System, a peer-to-peer file sharing network. Because the content is served by many peers rather than one hosting company, the switch to this type of network makes it much harder, compared with a traditional domain, for entities like the FBI, Interpol or Microsoft to "persuade" a hosting company to take down bad domains hosting bad stuff.
The second "benefit" is that it is very simple to change the URL to target a new victim: one just has to change the last portion of the URL (the recipient's email address), while the hosted phishing page stays the same.
The fact that this URL really has nothing to do with your business or mail system should have been enough of a red flag, but if not, any time you spot "ipfs" in a URL should be enough to have you running in the opposite direction!
We've now seen a few of these and the "payload" varies from an html file (links to malware) to phishing for credentials for some type of service.
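To show how a mail filter can pick up the two things described above (an IPFS gateway link and the recipient's address appended to it), here is an added example that is not part of the original post. The gateway host list and the sample links are constructed for the example; the CID shapes (a 46-character base58 CIDv0 starting "Qm", or a base32 CIDv1 starting "b") are the real IPFS formats.

```python
import re
from typing import List, Optional
from urllib.parse import unquote, urlparse

# Public gateway hosts; this set is an assumption for the example, not an exhaustive list.
KNOWN_GATEWAYS = ("ipfs.io", "dweb.link", "cloudflare-ipfs.com")
# CIDv0: base58, 46 chars starting "Qm". CIDv1: base32, starts "b", ~59 chars long
# (the "about 60 random characters" seen in the phishing link).
CID_RE = re.compile(r"^(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{50,})$")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def analyse_url(url: str) -> Optional[dict]:
    """Return findings for one IPFS-hosted URL, or None if the URL is not IPFS-hosted."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    segments = [s for s in p.path.split("/") if s]
    cid = None
    if len(segments) >= 2 and segments[0] == "ipfs" and CID_RE.match(segments[1]):
        cid = segments[1]                  # path style: https://<gateway>/ipfs/<cid>/...
    else:
        labels = host.split(".")
        if len(labels) >= 3 and labels[1] == "ipfs" and CID_RE.match(labels[0]):
            cid = labels[0]                # subdomain style: https://<cid>.ipfs.<gateway>/...
    if cid is None:
        return None
    # The victim's address rides on the tail (path, query or fragment), so one CID serves every target.
    tail = unquote(p.path + "?" + p.query + "#" + p.fragment)
    hit = EMAIL_RE.search(tail)
    return {
        "cid": cid,
        "html_payload": any(s.lower().endswith((".html", ".htm")) for s in segments),
        "targets_recipient": hit.group(0).lower() if hit else None,
        "known_gateway": host in KNOWN_GATEWAYS
        or host.endswith(tuple("." + g for g in KNOWN_GATEWAYS)),
    }


def flag_links(urls: List[str]) -> List[dict]:
    """Return only the links worth quarantining, each with a short reason string."""
    flagged = []
    for url in urls:
        f = analyse_url(url)
        if f is None:
            continue
        f["url"] = url
        f["reason"] = "ipfs-gateway" + ("+per-recipient" if f["targets_recipient"] else "") \
            + ("+html" if f["html_payload"] else "")
        flagged.append(f)
    return flagged


# Constructed sample links (the CIDs are placeholders, not real content hashes).
SAMPLE_LINKS = [
    "https://ipfs.io/ipfs/bafybei" + "a" * 52 + "/mailbox_upgrade.html#alice@example.com",
    "https://bafybei" + "b" * 52 + ".ipfs.dweb.link/login.htm?user=bob%40example.com",
    "https://www.example.com/ipfs-is-not-in-this-path/index.html",
]

if __name__ == "__main__":
    for f in flag_links(SAMPLE_LINKS):
        print(f["reason"], f["cid"][:12] + "...", f["targets_recipient"])
```

Because legitimate business mail almost never links to an IPFS gateway, any hit at all is a reasonable quarantine trigger; the per-recipient flag is the extra signal that the link was minted for this victim.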
Stay Safe Out There!!
Incidentally the day after we spotted this dodgy email we found a great blog post from the good folks over at Inky describing, in better detail than we could, more about IPFS: