October is Cybersecurity Awareness month, and it just happened that I received an interesting email yesterday that I can use to show the importance of being aware of what you click on with your computer, smartphone, or tablet device. This is the story of how I was able to detect a Location-Based Phishing Attack with a Malware Dropper yesterday.

I received an email that at first glance appeared to come from Delta Airlines. (See the image attached to this article).

Since I do travel a lot, I was thinking that maybe this was a mistake because I don’t normally travel on Delta. The body of the message also indicated travel out of Riverside, which was not far from where I was working yesterday.

The following things looked strange to me:

1. The creator/sender of this email had captured the location from my ISP (Internet Service Provider), and used a script to automatically write into the body of the email the closest airport as a way to get me interested in clicking on the attachment. I did not have plans to travel out of that airport, but I was still curious in case Delta had made an error somehow.

2. When I looked at the attachment, it was not an eTicket or even a PDF file, it was a .ZIP file, which is a container for files inside of it.

3. Upon further inspection, the actual email address domain was not @delta.com but something close @deltaa.com – there was an extra “a” in the domain name. Anyone could have registered that domain name to send out legitimate email from a legitimate domain source (no DNS spoofing required), and the domain name was close enough to fool someone that did not take the time to look closely at the domain name.

4. At this point, my spidy senses were on alert, and I was about 99% sure that this was a malicious phishing attack, but I wanted to check out that .zip file.  I carefully copied the .ZIP file into a clean sandbox VM (virtual machine) environment, and expanded its contents. The internal file that the .zip container was holding was a .EXE executable file and it was definitely malicious.

You see, several years ago hackers used to try clever ways to bypass firewalls or overwhelm system resources, but these tactics eventually were detected, logs of their attempts alerted system administrators, and defenses were built to keep them outside of the network. Many in the offensive community determined quickly that since firewalls allow certain types of traffic through as part of the normal process of doing business, an easier way to compromise a system is to slip a malicious file or malware through existing open channels, like email, web, or other known legitimate business traffic. Now all they needed to do was to have a human on the other end click on their bait to essentially digitally invite them into the network.

This email that I received was what I would call a Location-Based Phishing Attack with a Malware Dropper. It used my location to automatically craft an email with the closest airport, it used a legitimate domain name so as to ensure not to get labeled as junk mail or blocked as a domain spoofing attack, and it used a dropper (.zip file container) to drop a malicious executable onto the victim’s machine. The .EXE automatically installs itself as a rootkit, thus inviting or allowing the attacker to connect to the compromised computer through the firewall. The dropper file essentially beacons outbound through approved firewall ports to one or more C&C (command and control) servers on the Internet that allows the attacker to have remote control of the computer.

Now this attack was definitely clever, and could have been successful on me had I not noticed a few things that seemed out of place. If I had my black hat on though, I would have made this attack even more deadly by using a compromised PDF file that looked like a boarding ticket instead of a zip file. Most people happily click on PDF documents every day.

Hope this example that happened to me can be a lesson for all of us to be careful of what we click on. Please pass along this link to coworkers, friends, and family.

I know this month overlaps with Breast Cancer Awareness month, but I don’t think my laptop would be happy with a pink cover on it.

Happy Cybersecurity Awareness Month, and practice safe computing!
Jonathan