Who is reeling in the phish?

…or what happens if a link in a phishing e-mail is clicked?

It is a hard question to answer because attackers usually implement filtering methods. For example:

  • If you use an Apple device, you are directed to one place
  • If two hours go by before you click the link, it is sent to a different place
  • Or if the same link is clicked again from a different source, the request is sent to a legitimate site.
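Because the redirector behaves differently depending on device, timing and click count, a single visit from an analyst's browser tells you very little. One way to surface this kind of filtering is to detonate the same link several times under controlled conditions and compare where it lands. The script below is an added example, not code from the original post: it holds constructed probe records (the hostnames and user-agent strings are placeholders) and flags a condition as a cloaking indicator whenever two probes that differ in only that one condition land on different hosts. The `probe()` helper shows how a record would be collected from a sandbox; it needs network access and is not exercised here.

```python
"""Spot redirector cloaking in URL-sandbox probe results (added example)."""
from collections import defaultdict
from itertools import combinations
from urllib.parse import urlsplit
import urllib.request

# Conditions the sandbox scheduler varies between fetches of the same link.
CONDITION_KEYS = ("device", "delay_min", "click_no", "source")

# Constructed, shortened user-agent strings per device class (placeholders).
USER_AGENTS = {
    "ios": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) Safari/605.1.15",
    "windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36",
}

# Constructed sample data: one phishing link fetched under varied conditions.
# delay_min = minutes between e-mail delivery and the click,
# click_no  = how many times this source has clicked the link,
# source    = which isolated sandbox network the click came from.
SAMPLE_PROBES = [
    {"device": "ios",     "delay_min": 5,   "click_no": 1, "source": "sandbox-a", "final_url": "https://www.spotify.com/"},
    {"device": "windows", "delay_min": 5,   "click_no": 1, "source": "sandbox-a", "final_url": "http://login-verify.example/win"},
    {"device": "windows", "delay_min": 130, "click_no": 1, "source": "sandbox-b", "final_url": "https://www.spotify.com/"},
    {"device": "windows", "delay_min": 5,   "click_no": 2, "source": "sandbox-a", "final_url": "https://www.spotify.com/"},
    {"device": "windows", "delay_min": 130, "click_no": 1, "source": "sandbox-a", "final_url": "https://www.spotify.com/"},
]


def probe(url, device, delay_min, click_no, source, timeout=10):
    """Fetch one link from an isolated sandbox and record where it lands.
    Requires network access; only run this from a detonation sandbox."""
    req = urllib.request.Request(url, headers={"User-Agent": USER_AGENTS[device]})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        final_url = resp.geturl()  # URL reached after all redirects
    return {"device": device, "delay_min": delay_min, "click_no": click_no,
            "source": source, "final_url": final_url}


def final_host(record):
    """Hostname the probe ended up on (empty string if unparsable)."""
    return urlsplit(record["final_url"]).hostname or ""


def landing_hosts(probes):
    """Sorted set of distinct hosts the link resolved to across all probes."""
    return sorted({final_host(p) for p in probes})


def cloaking_indicators(probes):
    """Compare every pair of probes that differs in exactly one condition.
    If the landing host changes with that single condition, the redirector is
    filtering on it. Returns {condition: [(value_a, host_a, value_b, host_b)]}."""
    evidence = defaultdict(list)
    for a, b in combinations(probes, 2):
        differing = [k for k in CONDITION_KEYS if a[k] != b[k]]
        if len(differing) != 1:
            continue  # more than one condition changed: confounded, skip
        key = differing[0]
        host_a, host_b = final_host(a), final_host(b)
        if host_a != host_b:
            evidence[key].append((a[key], host_a, b[key], host_b))
    return dict(evidence)


def summarize(probes):
    """Human-readable summary for an analyst's ticket."""
    indicators = cloaking_indicators(probes)
    lines = ["distinct landing hosts: " + ", ".join(landing_hosts(probes))]
    for key in CONDITION_KEYS:
        if key in indicators:
            va, ha, vb, hb = indicators[key][0]
            lines.append(f"  filtering on {key}: {va} -> {ha}  vs  {vb} -> {hb}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_PROBES))
```

On the constructed data the link is flagged as filtering on device, delay and repeat clicks, while the two sandbox networks are not flagged because changing only the source did not change the landing host. Any link that resolves to more than one host under otherwise identical conditions deserves a closer look, even when the first fetch landed on the legitimate site.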

An example…

A few years back the payment of my Spotify account failed a few times due to switching credit cards. In a stressed situation I checked my e-mail on the phone whilst waiting for a takeaway coffee. Another (the third one!) failed-payment notification from Spotify had arrived. Stressed and frustrated, I never thought twice about clicking the link and providing my new credit card number.

Not until a database error page was returned, rather than a payment-success one, did I understand what (might) have happened.

I blocked my new credit card three days after it was activated, annoying – yes, but the alternative was not really an option.

A few scenarios…

The example above is perhaps the most likely one, where you are redirected to a location somewhere (for example, a forged site) where an adversary tries to get hold of credit card details.

If it's bad, they would mimic Office 365, for example (company branding and all), to try to get hold of valid account credentials. Most often this is to access your e-mail, opening up the possibility of resetting passwords in other places.

The worst-case scenario is if the attacker gets the recipient to download and run files, for example because C++ libraries supposedly need updating to get site functionality to run properly, or a similar plausible-sounding reason to bait clicks.

Microsoft has recently published warnings about that last scenario and is providing more technical details on how it happens:

So, what can be done?

The most important thing to remember is that you should never be afraid to let someone know that you might have clicked on something phishy.

Like calling the credit card company or… contacting your CyberSOC or SIRT staff!

That is the only way anyone can help.

The phish should have been stopped in the mail filters. Installation of malware should have been stopped by anti-malware systems. However, a complete IT environment sometimes resembles the Swiss cheese model: different holes in different places, with different owners and responsibilities, and given the right situation and the right parameters something will sometimes get through.

Eventually someone is going to click something!

Even IT security professionals…