Tuesday, January 21, 2020

UGLY EXPLOIT: Sneaky Phisher Goes for Google, Microsoft, Office 365 on PC, Smartphones too?

I received a bogus email from my spouse, sent to my @msn.com email address. It arrived on my Google Pixel (shown arriving in both my phone's Outlook and Gmail apps). It also arrived on my PC in Office 365 desktop Outlook.

Here is a facsimile I created by forwarding the message to myself, changing the names and email accounts accordingly to protect the identification of the exploited victim.

Beware of any email that resembles this, with just the names changed.

  • In the actual exploit emails, the "To:" entry is empty.
  • There is no attachment. The Adobe icon is an image, not a link.
  • The exploit is delivered through the actual target URL of the "Open" link.
  • The URL is not wrapped for checking as a Safe Link. The copy I mailed to myself has a Safe Links wrapper URL; the ones received from the attackers do not.
IF YOU SEE ONE OF THESE, DO NOT CLICK THE "Open" LINK.

Background

On January 20 (a US holiday, always a good day for exploits), my spouse received an email on the same pattern as the one fabricated above.
  • It was from someone known to my spouse, but not a regular correspondent.
  • It was from that person's @hotmail.com email address.
  • The bottom line was "Sent from my iPhone" rather than "Get Outlook ... ".
  • The link ending "0ogctna2j3" is the same.
  • My spouse did attempt the "Open" link.
  • Doing that now opens a fake "Google Drive" login page on my spouse's PC.
    • The fake page I see is hosted at sercin.co.mz, a site that has likely been compromised.
    • The Google Drive login handily accepts Google Mail, Microsoft, Office 365, and Other Email logins.
    • It is a credential-phishing attack at this point, and submitting a login will have awful consequences, depending on which account is chosen and submitted.
  • At that point, a glance at the browser address bar should reveal that there is something awful at hand.
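As an added illustration (not part of the original post), this Python script checks a raw .eml message for the traits listed in the two lists above: an empty "To:" header, a document icon that is only an image with nothing actually attached, and an "Open" link whose target is not wrapped by Safe Links. The sample message and its link host are constructed placeholders, not the real phish.

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the message described above; the link host is a placeholder.
SAMPLE_EML = b"""\
From: Friend <friend@hotmail.com>
To:
Subject: Document
Content-Type: text/html; charset=utf-8

<html><body><img src="cid:adobe.png" alt="Adobe">
<p><a href="https://compromised-site.example/x/0ogctna2j3">Open</a></p></body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs and note whether any <img> sits inside a link."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
        self.has_image = self.image_in_link = False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
        elif tag == "img":
            self.has_image, self.image_in_link = True, self.image_in_link or self._href is not None
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def phish_indicators(raw: bytes) -> list[str]:
    """Return the traits from the post that this message exhibits (empty list = none)."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = [] if str(msg.get("To") or "").strip() else ["empty To header"]
    body = msg.get_body(preferencelist=("html",))
    p = LinkCollector()
    p.feed(body.get_content() if body else "")
    # The "Adobe" icon is only an image and nothing is actually attached
    if p.has_image and not p.image_in_link and not list(msg.iter_attachments()):
        found.append("document icon is a bare image, no attachment")
    for text, href in p.links:
        host = urlparse(href).hostname or ""
        # Safe Links rewrites outbound URLs to this host; the real phish was not wrapped
        if text.lower() == "open" and not host.endswith("safelinks.protection.outlook.com"):
            found.append(f"unwrapped 'Open' link to {host}")
    return found
```

A message that trips none of the checks returns an empty list, so the function can be run over a mailbox export to triage which messages match this pattern.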
I learned of this exploit by receiving the exploit email to my @msn.com address from my wife's @msn.com address.  This is also the Microsoft Account that is tied to her Windows 10 PC.

It also appears that my spouse's @msn.com contacts (essentially Hotmail, now named outlook.com), which are shared to her Pixel 3 along with the Outlook.com calendar, have been scraped. Those contacts are no longer accessible from her Office 365 Outlook contacts screen.

In addition, she has since received an apparent "Security advisory" email from Google.  This may be legitimate, except it is asking for confirmation using an email address password that has nothing to do with Google.  We will see.

Precautions

If you ever receive an email that offers you an attachment, whether an image, a PDF, or anything else, AND YOU WERE NOT ALREADY EXPECTING IT, DO NOT ATTEMPT TO OPEN IT WITHOUT CONFIRMATION FROM THE ALLEGED SENDER.

There are other clues. Brief and innocuous content with no explanation. Strangeness in the salutation or ending name. IF YOU MISTAKENLY CLICK AND END UP AT WHAT SEEMS LEGITIMATE, DO NOT LOG IN. JUST DON'T. On your desktop machine the browser should show you a URL (in the address window) that seems completely unrelated to what the page you are viewing claims to be. That's another clue: