BYOB (Build Your Own Botnet) in action
Perception Point’s platform recently intercepted an attack leveraging the BYOB framework. This is the first time we have seen the BYOB framework used for fraudulent activity in the wild.
Phishing via email has always been a core attack technique. Simply sending an email with a link to a deceptive website hosting a fake login page is a favorite move. Recently we have observed an increasingly common variation: instead of a bare link, the attacker sends a decoy file that claims to require a “login” before its content can be viewed, and the fake login form harvests the user’s username and password.
The attack involves sending an email with a legitimate-looking document (either a PDF or an Office file). The file carries no malicious content of its own, no macros and no exploits, only a link, so it passes through the most popular email security solutions, which are looking for malicious code in attachments.
When the user opens the file, they see blurred content in the background and a notice that the file is password-protected or only available in the cloud, so they must “log in” to their account in order to view it.
The next image shows an example of an email sent to one of our financial-institution customers: a PDF attachment containing a link that leads to a fake Adobe login screen.
Here is a similar example with an Excel file:
These phishing attempts can be more effective than simply sending a link inside an email. First, they easily bypass email security solutions that only scan URLs placed directly in the email body (for example Office 365 Safe Links), because the URL is embedded inside the attachment rather than the message. Second, they create a call-to-action for the busy end user: the email is already in their inbox, they are looking at blurry content they believe they need to access, and all that is left is a quick “login”.
The way Perception Point is able to identify this technique as malicious, and block it before it reaches the user, is our Recursive Unpacker, which “unpacks” several layers of files and links to expose embedded attacks, combined with our advanced phishing engines.
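To make the unpacking step concrete, here is an added example (written for this page, not Perception Point’s code) of the first layer such a scanner has to peel: pulling the external URLs out of a macro-free PDF or Office attachment so they can be fed to a URL/phishing engine. It handles the two places the links in the attachments above live: a PDF link annotation’s `/URI` action (including one hidden inside a FlateDecode object stream, which a plain grep would miss) and an Office Open XML hyperlink relationship in a `.rels` part. The sample attachments, the phishing hostname `adobe-login.example.invalid` and the brand-lookalike heuristic are all constructed here for illustration and are not from the campaign.

```python
"""Extract external URLs from 'clean' PDF / Office attachments (stdlib only).

Added example, not vendor code. All sample files below are built in code.
"""
from __future__ import annotations

import io
import re
import zipfile
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                  "relationships/hyperlink")

# /URI (literal string) inside a link annotation's /A action dictionary.
# Hex-string (/URI <...>) and indirect-object forms are not handled here.
PDF_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def pdf_urls(data: bytes, depth: int = 0) -> list[str]:
    """Scan raw PDF bytes for /URI actions, inflating FlateDecode streams:
    object streams (PDF 1.5+) hide annotation dictionaries from a grep."""
    found = [m.group(1).decode("latin-1") for m in PDF_URI_RE.finditer(data)]
    if depth < 4:                      # bound recursion on nested streams
        for s in STREAM_RE.finditer(data):
            try:
                inflated = zlib.decompress(s.group(1))
            except zlib.error:
                continue               # not zlib data (image, font, ...)
            found.extend(pdf_urls(inflated, depth + 1))
    return found


def ooxml_urls(data: bytes) -> list[str]:
    """OOXML (docx/xlsx/pptx) stores hyperlink targets in *.rels parts as
    External relationships, not in the visible sheet/document XML."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == HYPERLINK_TYPE
                        and rel.get("TargetMode") == "External"):
                    found.append(rel.get("Target", ""))
    return found


def extract_urls(data: bytes) -> list[str]:
    """Dispatch on magic bytes: %PDF for PDF, PK\\x03\\x04 for an OOXML zip."""
    if data.startswith(b"%PDF"):
        return pdf_urls(data)
    if data.startswith(b"PK\x03\x04"):
        return ooxml_urls(data)
    return []


def lookalike(url: str, brand: str, legit_domains: tuple[str, ...]) -> bool:
    """Assumed heuristic for this example: the hostname mentions the brand
    but is not the brand's real domain or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    if brand not in host:
        return False
    return not any(host == d or host.endswith("." + d) for d in legit_domains)


def build_pdf(url: str, compress: bool) -> bytes:
    """Constructed sample: one page with a link annotation pointing at url.
    With compress=True the annotation sits in a FlateDecode object stream."""
    annot = (b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 400 650] "
             b"/A << /S /URI /URI (" + url.encode() + b") >> >> endobj\n")
    if compress:
        body = zlib.compress(annot)
        annot = (b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
                 + str(len(body)).encode() + b" >>\nstream\n" + body
                 + b"\nendstream\nendobj\n")
    return (b"%PDF-1.5\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            b"/Annots [4 0 R] >> endobj\n" + annot
            + b"trailer << /Root 1 0 R >>\n%%EOF\n")


def build_xlsx(url: str) -> bytes:
    """Constructed sample: minimal xlsx whose cell A1 is a hyperlink to url."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/worksheets/sheet1.xml",
                   '<worksheet><hyperlinks><hyperlink ref="A1" r:id="rId1"/>'
                   '</hyperlinks></worksheet>')
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels",
                   f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                   f'Type="{HYPERLINK_TYPE}" Target="{url}" '
                   'TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    PHISH = "https://adobe-login.example.invalid/view?doc=1"  # assumed host
    samples = [("pdf", build_pdf(PHISH, False)),
               ("pdf-objstm", build_pdf(PHISH, True)),
               ("xlsx", build_xlsx(PHISH))]
    for label, blob in samples:
        for u in extract_urls(blob):
            verdict = "LOOKALIKE" if lookalike(u, "adobe", ("adobe.com",)) else "ok"
            print(f"{label}: {u} [{verdict}]")
```

Extraction is the part a URL-only scanner lacks; once the URL is out of the attachment it can go through the same reputation, sandboxing and lookalike checks as a link in the email body. A production unpacker would also follow nested containers (a zip inside the PDF, a PDF inside the xlsx), handle the other PDF string encodings and ignore the `Length` field only as carefully as this regex does here.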