Email Reply Chain Attacks

As 2021 draws to a close, phishing campaigns continue to run their course. Phishing is a type of email scam in which a malicious actor impersonates a trusted party (e.g. a bank, government agency or organisation) to get you to provide information or money, or to download a malicious file.
Phishing emails often ask for private or confidential information relating to a person or an organisation. Spear-phishing is a more targeted attack aimed at specific individuals, e.g. particular people within a company or organisation, rather than many people at once. The emails may appear to come from an internal department of your organisation, such as an executive or the finance team, asking for sensitive business information.

Recently there has been a rise in a more sophisticated type of phishing attack known as a ‘reply chain attack’, where attackers hijack an existing email conversation and insert a phishing email into the thread as a reply. Because the message arrives inside a conversation the victim already trusts, it is more likely that they will open malicious documents or follow the attackers’ instructions. An example of a reply chain attack is the one IKEA suffered earlier this month. Employees were sent phishing emails as replies to legitimate email threads. Because these emails appeared to come from people the victims worked with, they were hard to identify as malicious. Since the attackers send from compromised mailboxes or mail servers, the sender address itself can be genuine, so the usual ‘unknown sender’ check does not help; look instead at what the reply asks you to do, where its links actually go, and whether an attachment or archive was expected in that conversation.

Here is a list of key identifiers of a phishing email, taken from CERT.govt.nz:

  • you don’t recognise the sender
  • the sender name doesn’t sound quite right
  • you don’t recognise the name of the company
  • the company logo doesn’t look like it should
  • the email refers to you in a generic or odd way — for example, ‘Dear You…’
  • the email contains bad grammar or spelling
  • if you hover over a link in the email with your mouse, the address that you see doesn’t match the place it’s saying it’ll take you. 
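Two of these signals can be checked mechanically rather than by eye: the ‘hover over the link’ mismatch in the last item, and the reply-chain context described earlier (a message that claims to be a reply into an existing thread). The following is an added example, not code from CERT.govt.nz, Microsoft or the IKEA incident: a Python script that parses one message with the standard library and reports a Reply-To domain that differs from the From domain, link text that shows one host while the href points to another, and links to archive files. The two sample messages and the example.com / .invalid domains are constructed for illustration, and the archive-extension list is an assumption.

```python
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real capture): a phishing reply injected into a
# genuine-looking thread. Domains use the reserved example.com and .invalid.
SAMPLE_EML = b"""\
From: "Anna Example" <anna@example.com>
Reply-To: anna.example@mail-relay.invalid
To: bob@example.com
Subject: RE: Q4 invoice
Message-ID: <c3@mail-relay.invalid>
In-Reply-To: <b2@example.com>
References: <a1@example.com> <b2@example.com>
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<p>Hi Bob, the updated invoice is here:
<a href="https://files.invalid/inv.zip">https://example.com/invoices/q4</a></p>
<blockquote>On Mon, Bob wrote: can you resend the Q4 invoice?</blockquote>
"""

# Constructed benign message for contrast: the link text and target agree.
CLEAN_EML = b"""\
From: "Bob Example" <bob@example.com>
To: anna@example.com
Subject: Q4 invoice
Message-ID: <b2@example.com>
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<p>Anna, can you resend the Q4 invoice?
<a href="https://example.com/invoices/q4">https://example.com/invoices/q4</a></p>
"""

# Assumed list of archive extensions worth flagging in a link target.
ARCHIVE_EXTENSIONS = (".zip", ".7z", ".iso", ".img")


class AnchorParser(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def address_domain(header_value):
    """'Name <user@host>' -> 'host' (lower-cased); '' if unparsable."""
    _, addr = email.utils.parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def url_host(text):
    """Hostname of a URL or bare hostname in text; '' if there is none."""
    candidate = text if "://" in text else "http://" + text
    return (urlparse(candidate).hostname or "").lower()


def triage(raw_bytes):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    is_reply = bool(msg["In-Reply-To"] or msg["References"])
    from_dom = address_domain(msg["From"] or "")

    # 1. The message asks you to answer somewhere other than the sender.
    reply_to = msg["Reply-To"]
    if reply_to and address_domain(reply_to) != from_dom:
        findings.append(f"Reply-To domain {address_domain(reply_to)!r} "
                        f"differs from From domain {from_dom!r}")

    # 2. The 'hover over the link' check, automated: visible text shows one
    #    host, the href goes to another. Also flag links to archive files.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = AnchorParser()
        parser.feed(part.get_content())
        for href, text in parser.anchors:
            shown, actual = url_host(text), url_host(href)
            if shown and actual and shown != actual:
                findings.append(f"link text shows {shown!r} but points to {actual!r}")
            if urlparse(href).path.lower().endswith(ARCHIVE_EXTENSIONS):
                findings.append(f"link downloads an archive: {href}")

    # 3. Context: a suspicious message that sits inside an existing thread is
    #    the reply chain pattern, so say so first.
    if is_reply and findings:
        findings.insert(0, "message is a reply into an existing thread "
                           "(In-Reply-To/References present)")
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, triage(raw) or ["no findings"])
```

These are triage heuristics, not proof of phishing: a reply sent from a genuinely compromised mailbox will pass the Reply-To check, which is why the link and archive checks are there. In practice the script would be fed messages from a quarantine or journaling mailbox rather than the constructed samples above.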

What to do if you receive a phishing email
Flag and report it with your IT provider immediately.

  • Delete the email as soon as possible.
  • Do not click on any links.
  • Do not download any attachments.
  • Do not reply to the email.
  • If you gave out some personal or financial details:
      • contact the service provider for your online accounts, like your bank or your email provider. Let them know what’s happened and ask what they can do to help.
      • change the passwords for any online accounts you think might be at risk.
      • get a free credit check done. This will let you see if any accounts have been opened in your name. There are three main credit check companies in NZ, and you’ll have to contact all of them. You can ask to have your credit record corrected if there’s any suspicious activity on it.

Continue to keep up staff education around what to look out for and the procedures to follow when phishing emails are received.

References

https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/

https://www.stealthlabs.com/news/ikea-suffers-reply-chain-phishing-attack-same-as-microsoft-exchange-server-hack/

https://www.cert.govt.nz/individuals/common-threats/phishing/