Dissecting the Attack - Invasion of the Signature Snatchers
I'd like to take a deeper look at how criminals (note I didn't say hackers) target our personnel in these highly targeted phishing attacks known as Spear Phishing.
Spear phishing occurs when an attacker has knowledge about the internal workings of your company, business, or in our case, our School District. These attackers will often times take advantage of our trust and try to subvert any questions of authenticity by utilizing display names with people we know, logos we trust and even copies of our signature blocks. Often they will also utilize aspects of fear (deadlines, "act now"), intrigue (tantalizing topics, "DCSD 2018 Budget Review.xls") or even trust.
In the example below I'd like you to take a look at this attack, and identify all of the indicators you see.
First off this message was sent from an address from the domain, plano.gov. However something is strange with the display name. The Bold Text indicates that the name this address is using is Douglas County School District however plano.gov is not one of our trusted domains.
Another indicator the attacker is requesting information from you through a survey. Now this is not a foreign concept, of course we use surveys, forms and other ways to gather data. However in this particular attack the link directed the user to a sign in page for an Office365 (Microsoft Document Management Storage).
Once the user inputs their information, the phishing site presents a survey of sorts to eliminate any questions or alerts being sent to our help desk. This survey does not matter, because at this point the criminals have what they want from you, your username and password.
Within a few minutes after delivery, our email gateway provider Proofpoint identified this attack as malicious and began blocking access to the phishing site by utilizing a technology called URL re-write utilizing proxies. This works by downloading a copy of the website on first click, so the first user who clicked the link, gave Proofpoint a copy of the website to begin scanning. They identifed it as a phishing page and now are presenting users the following warning.