Have you ever wondered what goes on behind the scenes of some of the fake emails you might receive from time to time, and in particular how our team protects you from them? Here’s an excerpt from one of our IT technicians doing his bit to help thwart the attackers.
Recently an attack occurred at one of Correct Solutions’ customers. During this attack, the customer was sent an email from a breached third party that contained a link pretending to be an invoice or other shared document. Fortunately for Correct Solutions’ client, the employee was able to identify the email as a scam and raised the issue.
Our immediate actions are always focused on containment. We needed to help prevent the spread of this email. To do that, we alerted all recipients of the email to its danger and began an investigation into its origin. The first stage was reporting the email to the original sender, as their account had been breached and used for impersonation.
The second stage was investigating the weblinks in the email. Opening weblinks directly is a VERY bad idea, as it might infect our systems during the testing. Fortunately for us, we use technology that allows us to safely test the weblinks and review where they lead.
The first link went to a service called Slidebean. This service is used for hosting PowerPoint-like presentations online. We wanted to report to Slidebean that there was infected content on their site, but they had neither an abuse reporting form nor a contact form on the website.
A little thing like that didn’t stop us though. We found Slidebean had a Twitter page and used that to contact them. The direct message via Twitter resulted in a response from their social media manager and, shortly after, a direct message from the CEO. He was most appreciative of us alerting them to the infected content; he helped accelerate the takedown of the bad public link and also made plans for an abuse reporting portal.
Within the Slidebean page there was a second link, with text from the hacker reading “to access your document then click this link”, which pointed to yet another website. This technique is used to bypass some email phishing link scanners, because the actual infringing content is hosted one link further down the chain. By checking the website’s registration records we were able to determine that the website was hosted and registered with GoDaddy. GoDaddy does have a public abuse form, to which we submitted the information, and this resulted in them taking down both the website and the domain name.
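The link-handling steps above (pull the links out of the email without clicking them, record each hop of the chain, and identify the host to report) can be scripted. The following is an added example written for this page, not Correct Solutions’ own tooling: it extracts URLs from a constructed sample email, defangs them so they are inert in tickets and alerts, groups them by hostname for registrar lookup, and walks a redirect chain one hop at a time using only status codes and `Location` headers. The `fetch` callable is an assumption: in real use it would issue a HEAD request with redirects disabled from an isolated analysis host; here a constructed table stands in for it so the script runs offline.

```python
"""Phishing link triage helper (added example, not the page's own tooling)."""
import re
from urllib.parse import urlsplit, urljoin

# Constructed sample email body in the style described in the post.
SAMPLE_EMAIL = """\
Hi,

Please review the shared invoice document:
https://slides-host.example/p/doc-123

If you cannot open it, to access your document then click this link:
http://login-page.example/view?id=77
Regards
"""

# Matches http(s) URLs; trailing punctuation is trimmed below.
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return the unique URLs in the text, in order of first appearance."""
    seen, urls = set(), []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def defang(url):
    """Rewrite a URL as hxxp://host[.]tld so it cannot be clicked by accident."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def group_by_host(urls):
    """Map each hostname to the URLs that use it (one abuse report per host)."""
    groups = {}
    for url in urls:
        host = urlsplit(url).hostname or ""
        groups.setdefault(host, []).append(url)
    return groups


def follow_redirects(url, fetch, max_hops=5):
    """Walk HTTP redirects one hop at a time without downloading any body.

    `fetch(url)` must return (status_code, headers_dict). Each hop is recorded
    so every intermediate host can be reported, and the walk stops at
    `max_hops` or on a loop, mirroring the "second link down" trick.
    """
    chain = [url]
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        location = headers.get("Location") if 300 <= status < 400 else None
        if not location:
            break
        nxt = urljoin(chain[-1], location)
        if nxt in chain:  # redirect loop
            break
        chain.append(nxt)
    return chain


def triage(text):
    """Summarise an email body: defanged links and the hosts to look up."""
    urls = extract_urls(text)
    return {
        "defanged": [defang(u) for u in urls],
        "hosts": sorted(group_by_host(urls)),
    }


# Constructed stand-in for a HEAD request with redirects disabled (assumption).
_FAKE_RESPONSES = {
    "http://login-page.example/view?id=77": (302, {"Location": "/final"}),
    "http://login-page.example/final": (200, {}),
}


def fake_fetch(url):
    return _FAKE_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    for link in result["defanged"]:
        print("link:", link)
    print("hosts to report:", result["hosts"])
    print("chain:", follow_redirects("http://login-page.example/view?id=77", fake_fetch))
```

The defanged output is what goes into the alert sent to recipients; the host list is what gets run through a registrar lookup to find the abuse contact, as the post did with GoDaddy.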
Ultimately, at Correct Solutions we could have stopped our work after alerting our direct clients to the issue and left it at that. But that’s not how we work. We feel it’s incumbent on each and every one of us to work towards eliminating these types of crimes, and where possible we seek to help take down malicious content, as in these examples, to protect others from the attackers.
We hope this gives you a little more understanding of some of the things we do behind the scenes to help protect not only our clients but others as well.