Every once in a while, there is a story that we wish was only a fairy tale, but it ends up being reality instead. Still, like most good fairy tales, there’s a lesson to be learned. The moral of this story? Stay alert.
This was the case with a recent phishing incident. In March, the lab blocked about 3.5 million suspicious emails; however, one got through and was delivered to 866 people. About 32 people clicked the link inside the email. This action could have installed malicious software on 32 laboratory machines. The auto installation of malware from clicking a link is dependent on the evil actor’s goals and skill level in writing or using malicious code. Fortunately, for this particular phish, the linked page seems to be benign.
Of the 32 people who visited the page, four people clicked the link and provided their Argonne credentials directly to the evil actors. Of the four who provided credentials, one was a postdoc in the Materials Science Division (MSD). The evil actors almost immediately remotely logged into their Office 365 Webmail and began sending the exact same phish from the “trusted” Argonne account. Thankfully, 30–40 users reported this to the cyber office on Saturday. Cyber was alerted by employees 10 minutes before Microsoft sent out their automatic detection to the team. The cyber office, in concert with the Cyber Security Program Representative in MSD, had disabled the offending account and had reset passwords on other identified accounts. Microsoft also removed the capability of the user from sending email.
So what got these employees all tripped up into clicking and providing credentials? The “invoice phish!”
This is a scam that preys on our natural curiosity. For example, I make a claim that you owe me $50. I attach a document and/or provide a link to view a document that is an invoice of the detailed charges you owe me. Depending on the actor, the document may be infected or the link may contain malicious code, but in this specific case, the link went to a generic logon page stating that your username and password were required to unlock the document (the invoice) to view it.
That is the hook, line and sinker for the phish we experienced. The end goal is account stealing. The document that was presented was a fake invoice. However, the people who click through don’t realize this is not legitimate work, and thus, they don’t report that they gave their credentials away. They think they are just performing Argonne work. Simple steps that technical representatives who purchase things should be trained to know. If you didn’t buy something and are not a trained technical representative, why are you getting an email to pay an invoice? Only trained technical representatives should be participating in the procurement process. If you are a trained technical representative, did you place an order for the amount and/or service? Is this from an established contact with your buying responsibilities? If not, these are clues to an invoice phish.
Simple tools (like Workday and the Argonne address book) can be used to look up the job title of the compromised Argonne user and ask yourself why a postdoc in the MSD division is emailing you about an invoice when the Office of the Chief Financial Officer (OCF) handles this work? That should be your first clue that the internal email was not legitimate.
The cyber office has interviewed employees and analyzed results with the end goal of updating training, changing configurations and implementing new technologies to help better defend Argonne.
By Matt Kwiatkowski, Cyber Security Operations Manager, BIS