{"id":1405,"date":"2019-05-28T11:08:36","date_gmt":"2019-05-28T03:08:36","guid":{"rendered":"https:\/\/tongwing.woon.sg\/blog\/?p=1405"},"modified":"2019-05-28T11:12:09","modified_gmt":"2019-05-28T03:12:09","slug":"multi-hop-phishing-attack","status":"publish","type":"post","link":"https:\/\/tongwing.woon.sg\/blog\/multi-hop-phishing-attack\/","title":{"rendered":"Multi-hop Phishing Attack"},"content":{"rendered":"\n

Today I received an email from a business associate whom I often corresponded with. Even though the email looks normal – it contains his full name and the usual email signature – something looks off. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The email body is very terse and contains only a link – alarm bells start going off. The link points to a valid Google docs document.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The document contains 2 links, both pointing to the same external site. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

It is seemingly a login page for your Microsoft outlook account. But the domain is not associated with Microsoft<\/em>. A classic phishing attack.<\/p>\n\n\n\n

It so happens that the business associate is using Outlook for his email. After entering his credentials into the phishing site, the attacker must have used his credentials to send a copy of the phishing email to everyone in his contacts. Indeed that is the case, after I have confirmed with other associates. What makes this attack so successful is that 1) the email is from someone you have corresponded with 2) the first link opens a valid Google docs and some would have let their guard down at this point of time.<\/p>\n\n\n\n

The latest report from FireEye<\/a> states that 91% of cyber attacks comes from emails, and email-based attacks are getting increasingly more sophisticated. Some are also taking advantage of how email addresses are being shown on mobile devices.<\/p>\n\n\n\n

\"Email<\/a><\/figure>\n\n\n\n

As cyber threats continue to evolve, we must continue to educate users on the importance of maintaining vigilance and to be mindful of the limitations of current solutions to address the risks of phishing and other attacks.<\/p>\n\n\n\n

Edit: I have submitted the phishing site to Google’s Report Phishing Page<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Today I received an email from a business associate whom I often corresponded with. Even though the email looks normal – it contains his full name and the usual email signature – something looks off. The email body is very terse and contains only a link – alarm bells start going off. The link points […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[31,10],"tags":[],"_links":{"self":[{"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/posts\/1405"}],"collection":[{"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/comments?post=1405"}],"version-history":[{"count":2,"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/posts\/1405\/revisions"}],"predecessor-version":[{"id":1412,"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/posts\/1405\/revisions\/1412"}],"wp:attachment":[{"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/media?parent=1405"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/categories?post=1405"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/tags?post=1405"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}