What we learned from a recent phishing attack

“2-factor saved us, here, from a potentially devastating outcome.”

This article was written by our security lead, Aaron Wilson, who has spent countless hours monitoring and improving our internal security.

Hackers are always looking for clever ways to grab private data. On our blog we’ve covered social engineering attacks over live chat and making IT security iterative to avoid future complications.

Recently we had an attack attempt that was new for us, so we thought we’d share what happened.

On February 6th, our CEO Ben received an email that looked like this:

— — — — — — -

From: Matt Pizzimenti ← (Matt is our COO and co-founder)
Date: Sat, Feb 6, 2016 at 4:47 PM
Subject: Olark MT
To: Ben
http://www.youtube.com/watch?v=IrH0pMvf8Jo
Matt

— — — — — — -

Ben left the email in the box until the 9th. When he finally got around to opening it, he clicked the link and got what appeared to be a completely legit Google login page, down to having Ben’s actual email address pre-filled.

Ben entered his password, briefly wondering why he was being prompted, and got the 2-factor auth page next, again, looking completely legitimate.

Normally, 2-factor auth fires quickly, but this time, it didn’t. The lag was the final straw, and Ben started looking closer at the website and realized the problem: the page was on the domain qooqle.services, rather than google.com.

He had just given his Google account password to a random page on the Internet.

He changed it immediately, and double-checked the email, where he saw that the href attribute had been misleadingly changed to send him to the malicious domain, just as I’ve done with the quoted link above.

Ben forwarded the email to me and Matt. A few minutes later, these 2-factor auth messages came in to Ben:

Something’s not quite right here…

If the messages had come a bit earlier, and been phrased in English, we might have had a major security breach on our hands.

As it was, we managed to catch the problem before any real damage could be done, and the attacker never managed to actually get access to Ben’s account.

Here’s what it looked like IRL

This is the textbook example of a phishing attack. The attacker knew that Matt and Ben were at the company, and that Ben trusted Matt. They knew (or guessed) that we use Google for email. They sent a message with the bare minimum of text, to avoid triggering any alarms with strange word choice or spelling errors (they didn’t do it perfectly — theyactually sent the same email twice, typo-ing his phishing link the first time).

Ben is very technically oriented, and he knows security, but he’s also a pretty busy guy, and the attacker was able to use these bits of knowledge to trade on things Ben trusts implicitly to shortcut his judgment and get him to click something that he otherwise wouldn’t have clicked, and give up his password. If he hadn’t had 2-factor auth enabled, he wouldn’t have even have known he was compromised until much later.

There are things we can do and will be doing to make the spoofing mechanism used in this email more difficult, but unfortunately, email is an inherently untrustworthy medium, and there’s no silver bullet to stop attacks like this.

So here are some things to try to remember any time you follow a link from someone you think you trust:

  1. “Where does the link actually go?” Emails in Gmail are displayed in HTML, which means I can do something like the above and give you a link to https://www.google.com, which actually goes somewhere completely different. Hovering the link will always show the link’s destination, so one good habit to have is to get into the link of letting the cursor briefly hover before visiting a link. And if you DO end up clicking the link, check your URL bar: browsers in general, and Chrome especially, have been doing a lot of work to highlight unexpected domain names and try to combat this. Check for the green lock, check that the domain actually matches where you expect it to be, and make flicking your eyes up there a routine.
  2. “Why is Google/Stripe/PayPal asking me to login again?” If you just followed a link to something that’s asking you to log in, especially if it’s something you use often (like Google), then that should raise a red flag. Enter that site’s address directly into your browser bar and see if it asks you to log in — if it doesn’t, someone is trying to phish you.
  3. “Do I expect this email?” Is Matt actually in the habit of sending one-line emails with links in them to Ben? Probably not. It’s not something that comes easily to mind, but it’s worth trying to train yourself to ask this question any time you get an email with an action item in it.

Building these habits is obviously easier said than done. And any one of these things might not trigger every time you read an email. But if you’ve tried to make the habit of looking for them, the chances go up that one of them will trigger when it matters.

One parting note: 2-factor saved us, here, from a potentially devastating outcome. I know there are a lot of annoyances in the 2-factor flow, but if you need reassurance that putting up with that is worth it, I hope this helps.