
Two observed changes in tactics spotted in the same recent phishing email

1. Positive rather than Negative Social Engineering


The first is a change from the usual negative social engineering ("You must...", "If you don't...", "It's important you do this by <some artificial deadline>") to positive social engineering ("Look, something new and shiny for you...").


We should point out this didn’t reach an inbox, it was stopped in quarantine in Defender - far too many things it didn’t like (but maybe your defences aren't as good as our client's) 🤣:


[Image: phishing email example]

Here’s the email:


  1. 🚩Thank you, Microsoft. They’re at least trying to warn you!

  2. 🚩The “From” is the recipient’s own domain. No email address, just the domain.

  3. 🚩Who now? “From” your domain but some random address in Turkey?

  4. The recipient, either the email address or the first name

  5. 🚩The positive social engineering: "Setup New Features", along with "Enhanced email protection setup" further up. Then there's the link. Ah, the link. Hover to discover: https: //ipfs . io / ipfs / followed by about 60 random characters, then an html file name and the recipient's email address.

There should be enough red flags there to prompt one of the following actions, listed in the order we would prefer to see 🤣

  1. Report to your Security or IT team

  2. Report junk or report phishing (Outlook) or whatever your email client of choice supports

  3. Delete

With phishing emails it’s worth knowing the six principles of persuasion, as that’s what the bad actors are using. Sales people use the same principles. (Nothing wrong with sales people!!) 🤣🤣:


  • Reciprocity

  • Scarcity

  • Authority

  • Consistency

  • Liking

  • Consensus

In addition, with social engineering there are nine framing, or pretexting, triggers the bad actors are trying to use:


Negative

  • Authority

  • Force

  • Social Pressure

  • Scarcity

  • Urgency

  • Greed

Positive

  • Trust

  • Social Acceptance

  • Helpfulness

ALL social engineering can, crudely, be boiled down to two emotions: fear and/or greed.


So in this case we could say “greed” (sounds a bit harsh, but..) “oh look, I get something new and shiny for free”. CLICK 🤦‍♂️


This brings us to the second change in tactics, which is the use of IPFS.


OK, so what’s IPFS then when it’s at home?


We’re glad you asked.. 🤣


2. IPFS - Peer-to-Peer File Sharing


IPFS stands for InterPlanetary File System, which is a peer-to-peer file sharing network. Compared with a traditional domain, the switch to this type of network makes it much harder for entities like the FBI, Interpol or Microsoft to “persuade” hosting companies to take down bad domains hosting bad stuff.


The second “benefit” is that it is very simple to change the URL to target a new victim. One just has to change the last portion of the URL.


The fact that this URL really has nothing to do with your business or mail system should have been enough of a red flag, but if not, any time you spot “ipfs” in a URL should be enough to have you running in the opposite direction!
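The shape of that URL (a gateway host, /ipfs/, a long content ID, an html file, then the recipient's address) is something a mail filter can key on. Here's an added example, not from the original post or from OpaCyber, that pulls those pieces out of an email body and fingerprints the kit by CID plus path, so the same page sent to different recipients is recognisable as one campaign; where the address is appended (fragment, query string or trailing path segment) is an assumption, as are the sample bodies and the placeholder CID.

```python
import re
from typing import Optional
from urllib.parse import unquote, urlparse

# Matches gateway-style links (https://<gateway>/ipfs/<cid>/...) and the native ipfs:// scheme.
IPFS_URL_RE = re.compile(r"""(?:https?://[^\s"'<>]+/ipfs/[^\s"'<>]+|ipfs://[^\s"'<>]+)""", re.I)


def parse_ipfs_url(url: str) -> Optional[dict]:
    """Split an IPFS link into gateway host, content ID (CID), file path and the per-victim suffix."""
    p = urlparse(url)
    if p.scheme.lower() == "ipfs":
        gateway, cid, path = None, p.netloc, p.path
    else:
        m = re.match(r"^/ipfs/([^/]+)(/.*)?$", p.path)
        if not m:
            return None
        gateway, cid, path = p.hostname, m.group(1), m.group(2) or ""
    # Assumed placements of the recipient address: fragment, query string, or a trailing path segment.
    victim = unquote(p.fragment or p.query)
    if not victim and "@" in path.rsplit("/", 1)[-1]:
        path, victim = path.rsplit("/", 1)
        victim = unquote(victim)
    return {"gateway": gateway, "cid": cid, "path": path, "victim": victim}


def find_ipfs_links(text: str) -> list:
    """Return every parsable IPFS link found in an email body."""
    return [r for r in map(parse_ipfs_url, IPFS_URL_RE.findall(text)) if r]


def kit_fingerprint(link: dict) -> str:
    """CID plus path identifies the hosted phishing page; only the victim suffix changes per target."""
    return f"{link['cid']}{link['path']}"


# Constructed sample bodies (not the original email); the CID is a placeholder, not a real object.
FAKE_CID = "bafybei" + "placeholder" * 4 + "placehol"  # 59 chars, the common CIDv1 base32 length
SAMPLE_BODIES = [
    "Enhanced email protection setup\nSetup New Features: "
    f"https://ipfs.io/ipfs/{FAKE_CID}/setup.html#alice@example.com",
    f"Setup New Features: https://ipfs.io/ipfs/{FAKE_CID}/setup.html#bob@example.com",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        for link in find_ipfs_links(body):
            print(f"kit {kit_fingerprint(link)[:20]}... via {link['gateway']} -> {link['victim']}")
```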


We’ve now seen a few of these and the “payload” varies from an html file (links to malware) to phishing for credentials for some type of service.


Stay Safe Out There!!


Incidentally the day after we spotted this dodgy email we found a great blog post from the good folks over at Inky describing, in better detail than we could, more about IPFS:




