Category Archives: Threat Intelligence Insights

Inside the Phish: How a Phishing Campaign Really Works

Even with all of the hacks and third party breaches that have plagued some of the biggest global corporations over the past few years, phishing still remains one of the most frequent ways into an organization. It has been reported that up to 93% of all breaches start with a phish.

LookingGlass has broad and deep access to phishing data, along with insight into the techniques phishing campaigns use, which is what lets us catch phish. We hope that in sharing the “behind-the-scenes” of a phishing attack, your organization can be more prepared to defend against this recurring digital risk.

Year-to-date we have observed the following as some of the top phishing “targets” or brands used as bait:

  • Wells Fargo
  • Microsoft
  • PayPal
  • Dropbox
  • Google

None of these should come as a surprise, as they are all well-known brands with expansive customer bases, and attackers typically cast a wide net in an effort to reach as many victims as possible. For example, if an attacker wants to infiltrate a corporate environment they can make a fairly educated guess that the likelihood of that business using a service such as Microsoft 365 is quite high. Thanks to widely available dumps of email addresses and account information, the attacker just needs to collect a list of email addresses associated with the business, craft their strategically themed phishing email, and then wait for the clicks to commence – and they will most certainly commence.

A common theme we have observed in association with these targets is login pages designed to harvest user credentials. In August, we took a look at a phishing campaign that targeted PayPal. In this instance, the phishing link was hosted on a WordPress site of an apparent victim domain, where the domain owner most likely had no idea that they were serving up malicious content on their site. A visit to the site’s home page revealed a very unobtrusive comment indicating that the site had been “Hacked by Virus-ma” (figure 1):

Figure 1: Virus Ma

Some quick research revealed Virus-ma had at least one hacking-related YouTube video channel.

When a user visits the phishing page via the phishing link, they are presented with an extremely realistic PayPal spoof (figure 2):

Figure 2: PayPal Login Page

Regardless of what credentials the user enters (we obviously did not use legit PayPal credentials in our testing), they will be accepted and the user is directed to the next screen which requests contact information. The screen following that asks for credit card information, social security number, and account number (figure 3):

Figure 3: Update Your Credit/Debit Card

The credit card data is checked in real time, so incorrect or false entries are instantly rejected. Our research did not go beyond this screen as we were not willing to provide legitimate user financial information that could be verified. Also, it is noteworthy that the website is encrypted, which gives a false sense of security to the user, ultimately making them more likely to provide confidential and sensitive information. In this case, the domain used a TLS certificate signed by cPanel (figure 4):


The page source behind these pages revealed some interesting data about the attacker, in which they identify themselves and out the page as being a “scam page” (figure 5):

Figure 5: Phishing Log

At LookingGlass Cyber we see hundreds of phishing attacks like these every day. Trying to prevent them is a daunting task, but with an understanding of the processes behind the phish, organizations can better educate their users about what to avoid as well as put appropriate detection methods in place.
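The kit walked through above leaves several tell-tale marks in page source: a well-known brand name on a host that does not belong to that brand, a form that collects a password together with card and social security numbers, a kit comment calling the page a “scam page”, and a defacement string on the compromised host. The following is an added example, not LookingGlass code, of how a defender can turn those observations into a simple page-source check. The sample HTML, the hostnames and the comment text are constructed for the example; the finding names are our own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a cut-down lookalike login page of the kind described in the
# article. Hosting domain, form action, comment and defacement text are all made up.
SAMPLE_PAGE = """<!-- scam page - hypothetical kit marker -->
<html><head><title>PayPal - Log in to your account</title></head><body>
<form method="post" action="https://login-verify.example.net/next.php">
  <input type="email" name="email">
  <input type="password" name="password">
  <input type="text" name="ccnum" placeholder="Card number">
  <input type="text" name="ssn" placeholder="Social security number">
</form>
<p>Hacked by SomeHandle</p>
</body></html>"""

# Field-name fragments that indicate credential or financial data collection.
SENSITIVE_FIELDS = {"password", "ccnum", "card", "cvv", "ssn", "account"}
DEFACEMENT_RE = re.compile(r"hacked\s+by", re.I)
KIT_MARKER_RE = re.compile(r"scam\s*page", re.I)


class _PageCollector(HTMLParser):
    """Collects form actions, input names, comments and visible text from one page."""

    def __init__(self):
        super().__init__()
        self.actions, self.field_names, self.comments, self.text = [], [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input":
            # Fall back to the placeholder when the input has no name attribute.
            self.field_names.append((a.get("name") or a.get("placeholder") or "").lower())

    def handle_comment(self, data):
        self.comments.append(data)

    def handle_data(self, data):
        self.text.append(data)


def score_page(html, page_url, brand):
    """Return a list of phishing indicators found in `html` served from `page_url`."""
    parser = _PageCollector()
    parser.feed(html)
    host = (urlparse(page_url).hostname or "").lower()
    findings = []

    # 1. The impersonated brand is named on a host that does not carry the brand name.
    if brand.lower() in html.lower() and brand.lower() not in host:
        findings.append("brand_name_on_unrelated_host")

    # 2. The form submits to a different host than the one serving the page
    #    (kits often post harvested data to a separate collector).
    for action in parser.actions:
        action_host = urlparse(action).hostname
        if action_host and action_host.lower() != host:
            findings.append("form_posts_offsite")

    # 3. Several sensitive fields requested on one page (password + card + SSN).
    sensitive = {f for f in parser.field_names for s in SENSITIVE_FIELDS if s in f}
    if len(sensitive) >= 2:
        findings.append("multiple_sensitive_fields")

    # 4. Kit self-identification in an HTML comment, as seen in figure 5.
    if any(KIT_MARKER_RE.search(c) for c in parser.comments):
        findings.append("kit_marker_comment")

    # 5. Defacement string left on the compromised host, as seen in figure 1.
    if DEFACEMENT_RE.search(" ".join(parser.text)):
        findings.append("defacement_text")

    return findings


if __name__ == "__main__":
    print(score_page(SAMPLE_PAGE, "https://victim-blog.example.org/wp-content/login/", "PayPal"))
```

Any one of these findings on its own is weak (legitimate sites do post forms to other hosts), so in practice the list feeds a score or a review queue rather than an automatic block; the point is that the artifacts the article observed by hand are all mechanically checkable.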



The post Inside the Phish: How a Phishing Campaign Really Works appeared first on LookingGlass Cyber Solutions Inc.

Can Your SOC Use More Visibility?

The Security Operation Center (SOC) is an intricate ecosystem of personnel, network equipment, cybersecurity appliances, traffic and flow data, all working to manage the workflow from threat alerts. To minimize exposure, a SOC is designed to provide a “defense-in-depth” posture. This comprehensive approach to cybersecurity involves antivirus and endpoint tools, log management, a Next Generation Firewall (NGFW), website defenses, and other complementary security technologies. However, SOCs have several critical limitations.

The first limitation is “paralysis of analysis.” Each layer of defense adds a level of complexity. For example, a miscreant attempting to access the network may simultaneously trigger alerts for known malware, a rules-based violation from a SIEM, and an extrusion attempt by an end-user from a restricted port found by the NGFW. Redundant alerts are often mixed in with benign alerts from non-security events.

A perimeter defense only activates through alerts or an ongoing breach. Step back and think about this for a second. When a SOC analyst begins a forensic investigation, the analyst only knows that something is wrong. Their first move should be to look for bad malware hashes or perhaps look up IP addresses, fully qualified domain names, DNS, and registered owners to learn about an attack’s origins or what sites an end-user has visited and where malware has been acquired. Historically, SOC teams have had no advanced triage of the external threat environment, and they often must develop strategies on the fly.

Another problem is that traditional SOC strategies assume that threat vectors must always be signature-based. In 2018, the malefactor is pride-less. Often, an adversary can create a damning social media attack against a company’s brand or against individuals—the proverbial “fake news.”

The network is changing to expedite business use cases. From a security perspective, this brings about new challenges. Contractors may need access to a network, and integration partners often share intellectual property on the network to facilitate better operations or integrate to build a deeper security posture. However, contractors and business partners may bring their own sets of vulnerabilities to the host network.

External threat feeds can add to the aggravation. Like flow data, network performance indicators, and the investigation of alerts, external threat feed data is yet another source of information that needs to be normalized and contextualized inside the SOC.
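The two problems described above, one adversary action producing redundant alerts across antivirus, SIEM and NGFW (mixed with benign operational noise) and threat feed data that must be normalized before it is useful, are both normalization problems. The block below is an added example, not LookingGlass or IDC code and not ScoutPrime's TIC scoring: it folds three constructed alert formats into one event shape, collapses alerts that point at the same external indicator into a single incident, and enriches that incident with a constructed feed's confidence value. The alert records, the feed contents, the IP addresses (RFC 5737 documentation ranges) and the priority weights are all made up for the example.

```python
import csv
import io
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample inputs, not real alerts or feed data. The same external IP
# appears in a SIEM rule hit, an NGFW block and an endpoint AV detection; the
# SIEM also carries a disk-usage notice that is not a security event.
SIEM_JSON = json.dumps([
    {"rule": "Outbound to known C2", "src": "10.0.0.5", "dst_ip": "203.0.113.7", "sev": "high"},
    {"rule": "Disk usage 85%", "src": "10.0.0.9", "dst_ip": "", "sev": "info"},
])
NGFW_CSV = "time,action,src,dst,port\n09:01,block,10.0.0.5,203.0.113.7,6667\n"
AV_LINES = ["host=10.0.0.5 hash=<placeholder-sha256> remote=203.0.113.7 verdict=malware"]
FEED_CSV = "indicator,type,source,confidence\n203.0.113.7,ip,feed-a,80\n198.51.100.22,ip,feed-b,40\n"


@dataclass
class Event:
    source: str      # which tool raised it: siem / ngfw / av
    host: str        # internal host involved
    indicator: str   # external indicator the event points at, '' if none
    severity: str


def normalize_siem(raw_json):
    """SIEM alerts arrive as JSON records; keep the destination IP as the indicator."""
    return [Event("siem", r["src"], r.get("dst_ip", ""), r["sev"]) for r in json.loads(raw_json)]


def normalize_ngfw(raw_csv):
    """NGFW exports CSV; every block is treated as medium severity (assumed mapping)."""
    return [Event("ngfw", row["src"], row["dst"], "medium")
            for row in csv.DictReader(io.StringIO(raw_csv))]


def normalize_av(lines):
    """Endpoint AV writes key=value lines; the remote address is the indicator."""
    events = []
    for line in lines:
        kv = dict(tok.split("=", 1) for tok in line.split())
        events.append(Event("av", kv.get("host", ""), kv.get("remote", ""), "high"))
    return events


def load_feed(raw_csv):
    """Normalize a CSV threat feed into {indicator: confidence}."""
    return {row["indicator"]: int(row["confidence"])
            for row in csv.DictReader(io.StringIO(raw_csv))}


def triage(events, feed):
    """Collapse alerts by external indicator and rank them.

    Priority is a made-up weighting for the example: ten points per distinct
    tool that saw the indicator, plus the feed confidence if the feed knows it.
    Events with no external indicator are set aside as operational noise.
    """
    by_indicator = defaultdict(list)
    benign = []
    for e in events:
        (by_indicator[e.indicator] if e.indicator else benign).append(e)

    incidents = []
    for indicator, evs in by_indicator.items():
        sources = sorted({e.source for e in evs})
        confidence = feed.get(indicator, 0)
        incidents.append({
            "indicator": indicator,
            "sources": sources,
            "hosts": sorted({e.host for e in evs}),
            "alerts_collapsed": len(evs),
            "feed_confidence": confidence,
            "priority": 10 * len(sources) + confidence,
        })
    incidents.sort(key=lambda i: -i["priority"])
    return incidents, benign


def run_triage():
    events = normalize_siem(SIEM_JSON) + normalize_ngfw(NGFW_CSV) + normalize_av(AV_LINES)
    return triage(events, load_feed(FEED_CSV))


if __name__ == "__main__":
    incidents, noise = run_triage()
    for inc in incidents:
        print(inc)
    print(f"{len(noise)} non-security event(s) set aside")
```

With the constructed inputs the three tool alerts become one incident for 203.0.113.7 seen by av, ngfw and siem on host 10.0.0.5, and the disk-usage notice is separated out; the analyst starts from one enriched item instead of four alerts.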

Fundamentally, IDC believes there needs to be an approach that can complement defense-in-depth. With LookingGlass ScoutPrime, we see a platform that:

  • Produces a single risk score called the Threat Indicator Confidence (TIC) score that calculates the potential impact of malware, the topography of connections to the network, and the reliability of the source.
  • Provides a platform that scans the entire Internet, which is a greater capability than collecting and normalizing multiple threat feeds.
  • Monitors deceptive proxy activities to spot when adversaries are using APIs, fuzzes, and anagrams of keywords to make a website look authentic.
  • Combines human insight with machine-readable threat intelligence to normalize data in real time. LookingGlass has over 500 algorithms designed to prioritize threat feed data and weed out redundancies.

Defense-in-depth is still effective, and cybersecurity is often the execution of many things done well. However, the next security wave may be to think outside the SOC.

The post Can Your SOC Use More Visibility? appeared first on LookingGlass Cyber Solutions Inc.