Phishing attacks: Lessons to be learnt

It is crucial for all of us to be aware of how powerful phishing attacks are. Recently, Troy Hunt, a well-known cybersecurity expert and advocate, fell for a sophisticated phishing attack that stole his entire MailChimp mailing list, which highlights the dangers this attack vector still poses. To be fair, Troy Hunt did a great job of identifying the issue and notifying people about the breach within 34 minutes.

What is a phishing attack?

A phishing attack is a type of cybercrime in which an attacker impersonates a legitimate entity, such as a bank, company, or well-known service, and tricks individuals into revealing sensitive information like passwords, credit card numbers, or personal identification details. Phishing typically happens through deceptive emails, text messages, or websites that look very similar to the real ones.

Why do I need to worry?

Troy Hunt, a well-known cybersecurity expert and advocate, fell for a sophisticated phishing attack that stole his entire MailChimp mailing list. The attack started with a well-crafted email posing as an official MailChimp account. The wording of the email was designed to generate a sense of urgency by claiming that future campaigns could not be launched from MailChimp due to spam complaints. This pushed the recipient to click the single call to action in the email, asking them to review the account.

On clicking the link, the recipient was taken to the mailchimp-sso.com domain and prompted to enter credentials. An OTP was sent to his mobile, and after he entered it the web page hung. This is when Troy realised something was not right, and he received an email from MailChimp confirming a login to the account. Another email mentioned that the mailing list had been exported from an IP address in New York, together with a successful login from the same IP. This was clearly highly automated and designed to export the list immediately, before the victim could take preventative measures. The export contained approximately 16k records holding the information Mailchimp collects, and it was successfully phished.
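The sequence above (new login, then list export from the same unfamiliar IP within minutes) is exactly the pattern a detection rule can key on. The following is an added example, not code from the original post or from MailChimp: it correlates constructed audit events and raises an alert when an export follows a login from a never-seen IP inside a short window. The event field names (ts, user, action, ip) and the action names are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (field names are assumed; not MailChimp's real log format).
SAMPLE_EVENTS = [
    {"ts": "2025-03-25T08:55:00Z", "user": "owner", "action": "login",       "ip": "203.0.113.10"},
    {"ts": "2025-03-25T09:01:30Z", "user": "owner", "action": "login",       "ip": "198.51.100.7"},
    {"ts": "2025-03-25T09:03:05Z", "user": "owner", "action": "export_list", "ip": "198.51.100.7"},
    {"ts": "2025-03-25T10:30:00Z", "user": "owner", "action": "export_list", "ip": "203.0.113.10"},
]
# IPs the account owner has logged in from before (constructed).
KNOWN_IPS = {"203.0.113.10"}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_rapid_export(events, known_ips, window=timedelta(minutes=10)):
    """Flag a mailing-list export that follows a login from a never-seen IP within `window`.

    Returns one alert dict per match. Exports from a known IP, or exports not preceded
    by a fresh unknown-IP login, are left alone.
    """
    alerts = []
    new_logins = {}  # (user, ip) -> time of the most recent login from an unknown IP
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        t = parse_ts(ev["ts"])
        key = (ev["user"], ev["ip"])
        if ev["action"] == "login" and ev["ip"] not in known_ips:
            new_logins[key] = t
        elif ev["action"] == "export_list":
            login_t = new_logins.get(key)
            if login_t is not None and t - login_t <= window:
                alerts.append({
                    "user": ev["user"],
                    "ip": ev["ip"],
                    "seconds_after_login": int((t - login_t).total_seconds()),
                    "export_time": ev["ts"],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_rapid_export(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"ALERT: {alert['user']} exported the list from {alert['ip']} "
              f"{alert['seconds_after_login']}s after a login from an unknown IP")
```

Because the attacker automates the export, the gap between login and export is seconds rather than minutes; a tight window keeps the rule quiet for a legitimate owner who logs in from a new network and exports hours later.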

Please look out for spam if you are on Troy Hunt's mailing list. To be fair, this was a very sophisticated attack, and the wording was such that the cues in the email were easy to miss.

What are the lessons for us from this attack?

These are the things to reflect upon:

1. Because of the enormous number of phishing emails we receive daily, it is easy to fall prey to fatigue and skip our checklists before acting on an email. Attackers need only one such opportunity to steal valuable information from us.

2. "Urgency-based phishing": attackers create a sense of urgency or fear to manipulate the victim into acting quickly, often without thinking or verifying the situation.

3. Do not rely only on the behaviour of password managers and OTP messages to protect accounts. Because of the high level of automation and the design of OTP services, an attacker may well log in to our account first using the details we entered.

4. Unsubscribed users were still part of the MailChimp mailing list, because of the way MailChimp handles its unsubscribe list. This is a lesson for any business: archive or delete unsubscribed entries from mailing lists instead of merely toggling a flag that says they unsubscribed.

5. Passkeys should be mandated instead of password-plus-OTP logins. In the current technology landscape they are one of the few unphishable authentication factors, and it would be playing into attackers' hands if we as a community do not explore and mandate them.

6. Attackers are using email domains of small companies that are not yet on the watch lists of email spam filters. This is another trick; companies and individuals have to stay vigilant.
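Lessons 3 and 5 both come down to one property: an OTP is a bare secret that verifies the same no matter which page the user typed it into, whereas a passkey assertion is signed together with the origin the browser was on. The following added example (not code from the original post, and a deliberate simplification of WebAuthn) models the relying-party check: HMAC-SHA256 stands in for the credential's private-key signature, and both origins are constructed placeholders.

```python
import hashlib
import hmac
import json

# Assumed relying-party origin (constructed placeholder, not a real login URL).
RP_ORIGIN = "https://login.example.com"
# Constructed lookalike origin on which a phishing page would be served.
LOOKALIKE_ORIGIN = "https://login-sso.example.net"


def verify_otp(submitted: str, expected: str) -> bool:
    """An OTP carries no information about the site it was typed into, so a code
    relayed through a lookalike page verifies exactly like a genuine one."""
    return hmac.compare_digest(submitted, expected)


def authenticator_sign(credential_key: bytes, challenge: str, origin: str) -> dict:
    """Stand-in for a WebAuthn authenticator. The browser writes the page's origin into
    clientDataJSON and that JSON is what gets signed. HMAC is a stand-in for the
    credential's private-key signature (simplification for the example)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    )
    signature = hmac.new(credential_key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": signature}


def rp_verify_assertion(credential_key: bytes, assertion: dict, expected_challenge: str,
                        expected_origin: str = RP_ORIGIN) -> bool:
    """Relying-party side: the signature must verify AND the signed origin must be ours."""
    try:
        data = json.loads(assertion["client_data"])
    except (KeyError, ValueError):
        return False
    if data.get("type") != "webauthn.get":
        return False
    if data.get("challenge") != expected_challenge:
        return False
    if data.get("origin") != expected_origin:
        # Signed on a lookalike page: the origin cannot be rewritten without breaking the signature.
        return False
    expected_sig = hmac.new(credential_key, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(assertion["signature"], expected_sig)


def compare_factors() -> dict:
    """Runs both factors through the relay scenario and reports what the server accepts."""
    credential_key = b"constructed-credential-secret"   # constructed, stands in for a passkey
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"           # constructed server challenge
    otp = "123456"                                        # constructed one-time code

    # OTP: the victim types the code into the lookalike page and it is forwarded unchanged.
    otp_accepted = verify_otp(otp, otp)

    # Passkey: the assertion is created while the browser is on the lookalike origin,
    # then forwarded to the real server unchanged.
    relayed = authenticator_sign(credential_key, challenge, LOOKALIKE_ORIGIN)
    relayed_accepted = rp_verify_assertion(credential_key, relayed, challenge)

    # Same assertion with the origin field edited to look genuine: signature no longer matches.
    edited = dict(relayed)
    edited["client_data"] = relayed["client_data"].replace(LOOKALIKE_ORIGIN, RP_ORIGIN)
    edited_accepted = rp_verify_assertion(credential_key, edited, challenge)

    # Genuine login from the real origin.
    genuine = authenticator_sign(credential_key, challenge, RP_ORIGIN)
    genuine_accepted = rp_verify_assertion(credential_key, genuine, challenge)

    return {
        "otp_relayed_accepted": otp_accepted,
        "passkey_relayed_accepted": relayed_accepted,
        "passkey_origin_edited_accepted": edited_accepted,
        "passkey_genuine_accepted": genuine_accepted,
    }


if __name__ == "__main__":
    for name, accepted in compare_factors().items():
        print(f"{name}: {accepted}")
```

In real WebAuthn the browser would not even offer a passkey scoped to login.example.com on a different registrable domain, so the origin check shown here is the server-side backstop rather than the only barrier; the OTP path has no equivalent at any layer.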

Who might be behind this phishing attack?

Scattered Spider (UNC3944) is a hacking group primarily composed of young operatives from the U.S. and U.K. They are known for extorting major companies such as Caesars Entertainment, MGM Resorts, and Visa. More recently they have targeted Snowflake and other large organizations, including PNC, Transamerica, and Twilio.

What should I do to protect myself from these attacks?

1. Adopt a zero-trust mentality. Do not trust any message or email you receive. Even if an email contains a call to action, always go to the official website URL you have bookmarked or already know, and check there.

2. If in doubt, call the company using a phone number taken from the official company website or another trusted source, and ask them about the email content and whether there is any action you need to take.

3. Look for tell-tale signs such as domain names that look suspicious when you hover over the links.

4. Continue using MFA until websites offer better second-factor options such as passkeys.

5. If possible, log in to different services with different email addresses. That way you can also pinpoint which service leaked an address.

6. Look at the sender details for long email addresses or automated numbers appended to the account name.

7. Report emails as phishing attempts once you have done your due diligence and are certain they are phishing.
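Point 3 (hover and inspect the link domain) and lesson 6 (attackers register domains that carry a brand name but are not the brand's) can be checked mechanically before a human ever hovers. The following is an added example, not code from the original post: it parses the links out of a constructed email body, flags any link whose host contains a brand name but whose registrable domain is not on that brand's allowlist (mailchimp-sso.com versus mailchimp.com, as in the incident), and flags links whose visible URL text points somewhere other than the real target. The allowlist, the sample HTML and the two-label registrable-domain shortcut are assumptions for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: brand keyword -> registrable domains that legitimately carry it.
TRUSTED = {"mailchimp": {"mailchimp.com"}}

# Constructed email body modelled on the incident's "review your account" lure.
SAMPLE_EMAIL = """
<p>Review your account: <a href="https://mailchimp-sso.com/review">Review account</a></p>
<p>Or visit <a href="https://mailchimp-sso.com/login">https://mailchimp.com/login</a></p>
<p>Help: <a href="https://mailchimp.com/help">Help center</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    # Simplification: take the last two labels. A production check should use the
    # Public Suffix List so that e.g. "example.co.uk" is handled correctly.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html: str, trusted=TRUSTED):
    """Return a list of (href, reason) findings for links worth a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reg = registrable_domain(host)
        # Brand name present in the host, but the registrable domain is not the brand's.
        for brand, good_domains in trusted.items():
            if brand in host and reg not in good_domains:
                findings.append((href, f"'{brand}' appears in untrusted domain {reg}"))
        # Visible text shows a URL whose host differs from where the link really goes.
        if text.startswith("http"):
            text_host = urlparse(text).hostname or ""
            if registrable_domain(text_host) != reg:
                findings.append((href, f"link text shows {text_host} but target is {host}"))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{href}: {reason}")
```

The brand-keyword check is deliberately coarse: it will also flag legitimate third parties that mention a brand in their hostname, which is the right trade-off for a triage tool whose output a human reviews before acting on the email.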

Thanks for sharing, Akella Divyatej. Phishing can catch even the most savvy among us off guard, reminding us to stay vigilant and regularly update our security protocols to protect sensitive data.
