What is a Pyramid phishing attack?
Pyramid phishing attacks are email phishing scams in which phishing emails are sent from one trusted user to another within the same organization, and they are a growing concern for security teams. Internal phishing emails are used in multi-stage attacks in which a user’s email account is taken over, either through malware already installed on the user’s computer or by compromising the user’s account credentials.
Internal phishing emails are widely used in targeted attacks aimed at stealing information or extortion, as well as in Business Email Compromise (BEC) schemes aimed at stealing money. The recipient is more likely to act on the email because the sender is a known and trusted colleague.
Features of a pyramid phishing attack
Most phishing emails arrive from a spoofed domain, a look-alike domain, or a public webmail domain, and security controls are designed to detect and respond to exactly those anomalies. Now imagine a phishing email that arrives from a legitimate domain, sent by a real mail server belonging to a recognized organization, or from another employee’s genuine internal address: none of those checks fire. Attackers are increasingly using this technique, known as a Pyramid attack.
The following are the features of a Pyramid attack:
1. The threat actor sets up several credential-harvesting websites on web hosting domains whose only purpose is to accept email addresses, usernames, and passwords and store them.
2. The threat actor sends a phishing email to a large number of corporate email addresses, instructing recipients to act on their email account because of a “Mailbox Limit Update,” “Account Unlock,” “Mail Storage Exceeded,” or other email-management problem.
3. Because both the URL and the email content are new, the email passes through gateway security, and to the recipient it looks like a genuine email from the IT department. Some users will fail to recognize it as phishing and will provide the requested information by clicking “Submit.”
4. A bot running in the background uses the harvested passwords to send a new wave of phishing emails from the compromised accounts to further corporate email addresses.
a. The bot sends most of the emails to internal addresses of the compromised domain and only a few to external domains, because internal users place a high level of trust in mail from colleagues. Mail from a real business domain is also trusted by external recipients.
b. The bot batches its sends to stay under the standard sending limits of the most common email services, so the volume does not trip rate-based controls.
c. The bot changes the phishing link from email to email, so blocking any single URL does not stop the campaign.
5. Steps 2–4 are repeated, and a domino effect follows: each newly compromised account becomes the source of the next wave.
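Steps 4 and 5 describe a shape that a mail-flow log can reveal even when every individual message looks legitimate: an internal sender suddenly fans out to many, mostly internal, recipients with a mailbox-themed subject and links to hosts outside the organisation, and a recipient of one wave later becomes the sender of the next. The following Python script is an added example and is not code from the original article or from ProgIST. It scores constructed log lines (the example.com domain, the .test hosts, the addresses, and the thresholds are all assumptions) and assigns each flagged sender a tier in the pyramid by checking whether an earlier flagged wave reached that sender's mailbox.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"          # hypothetical organisation domain (assumption)
WINDOW = timedelta(minutes=10)      # a wave is one sender's burst inside this window
MIN_RECIPIENTS = 5                  # distinct recipients before a burst is considered
MIN_INTERNAL_RATIO = 0.7            # pyramid waves go mostly to internal addresses
LURE = re.compile(r"mailbox|storage|quota|unlock|password|account", re.I)

# Constructed message-log lines (not real traffic): time|sender|recipient|subject|url
SAMPLE_LOG = """\
2024-03-04T09:00:00|helpdesk@it-support-portal.test|alice@example.com|Mailbox Limit Update|http://it-support-portal.test/login
2024-03-04T09:00:01|helpdesk@it-support-portal.test|bob@example.com|Mailbox Limit Update|http://it-support-portal.test/login
2024-03-04T09:15:00|bob@example.com|alice@example.com|Lunch?|
2024-03-04T09:40:00|alice@example.com|carol@example.com|Mail Storage Exceeded|http://mail-quota-fix.test/a1
2024-03-04T09:40:05|alice@example.com|dave@example.com|Mail Storage Exceeded|http://mail-quota-fix.test/b2
2024-03-04T09:40:10|alice@example.com|erin@example.com|Mail Storage Exceeded|http://mail-quota-fix.test/c3
2024-03-04T09:40:15|alice@example.com|frank@example.com|Mail Storage Exceeded|http://quota-fix-portal.test/d4
2024-03-04T09:40:20|alice@example.com|grace@example.com|Mail Storage Exceeded|http://quota-fix-portal.test/e5
2024-03-04T09:40:25|alice@example.com|partner@vendor.test|Mail Storage Exceeded|http://quota-fix-portal.test/f6
2024-03-04T10:00:00|erin@example.com|carol@example.com|Project update|https://wiki.example.com/proj
2024-03-04T10:00:01|erin@example.com|dave@example.com|Project update|https://wiki.example.com/proj
2024-03-04T10:00:02|erin@example.com|frank@example.com|Project update|https://wiki.example.com/proj
2024-03-04T10:00:03|erin@example.com|grace@example.com|Project update|https://wiki.example.com/proj
2024-03-04T10:00:04|erin@example.com|heidi@example.com|Project update|https://wiki.example.com/proj
2024-03-04T10:15:00|carol@example.com|ivan@example.com|Account Unlock Required|http://account-unlock-center.test/x1
2024-03-04T10:15:03|carol@example.com|judy@example.com|Account Unlock Required|http://account-unlock-center.test/x2
2024-03-04T10:15:06|carol@example.com|ken@example.com|Account Unlock Required|http://account-unlock-center.test/x3
2024-03-04T10:15:09|carol@example.com|leo@example.com|Account Unlock Required|http://account-unlock-center.test/x4
2024-03-04T10:15:12|carol@example.com|mia@example.com|Account Unlock Required|http://account-unlock-center.test/x5
"""


def parse_log(text):
    """Turn the pipe-delimited log into time-ordered event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, sender, rcpt, subject, url = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "sender": sender.lower(),
                       "rcpt": rcpt.lower(), "subject": subject, "url": url})
    return sorted(events, key=lambda e: e["time"])


def domain_of(addr):
    return addr.rsplit("@", 1)[-1]


def is_org_host(host, org_domain):
    return host == org_domain or host.endswith("." + org_domain)


def bursts(events):
    """Split one sender's events into runs that each start within WINDOW of their first event."""
    cur = [events[0]]
    for e in events[1:]:
        if e["time"] - cur[0]["time"] <= WINDOW:
            cur.append(e)
        else:
            yield cur
            cur = [e]
    yield cur


def detect_waves(events, org_domain=ORG_DOMAIN):
    """One alert per internal sender whose burst has the pyramid-wave shape."""
    by_sender = defaultdict(list)
    for e in events:
        if domain_of(e["sender"]) == org_domain:     # external senders are the gateway's job
            by_sender[e["sender"]].append(e)
    alerts = []
    for sender, evs in by_sender.items():
        for burst in bursts(evs):
            rcpts = {e["rcpt"] for e in burst}
            if len(rcpts) < MIN_RECIPIENTS:
                continue
            internal_ratio = sum(domain_of(r) == org_domain for r in rcpts) / len(rcpts)
            hosts = {urlparse(e["url"]).hostname for e in burst if e["url"]}
            external_hosts = sorted(h for h in hosts if h and not is_org_host(h, org_domain))
            lure = any(LURE.search(e["subject"]) for e in burst)
            if internal_ratio >= MIN_INTERNAL_RATIO and external_hosts and lure:
                alerts.append({"sender": sender, "first_seen": burst[0]["time"],
                               "recipients": len(rcpts), "internal_ratio": internal_ratio,
                               "distinct_links": len({e["url"] for e in burst}),
                               "external_hosts": external_hosts})
                break   # one alert per sender is enough to trigger a response
    return alerts


def pyramid_tiers(events, alerts):
    """Tier 1: no earlier flagged wave reached the sender; otherwise the parent's tier + 1."""
    flagged = {a["sender"]: a["first_seen"] for a in alerts}
    tiers = {}
    for sender, first_seen in sorted(flagged.items(), key=lambda kv: kv[1]):
        parents = {e["sender"] for e in events
                   if e["rcpt"] == sender and e["sender"] in flagged and e["time"] < first_seen}
        tiers[sender] = 1 + max((tiers.get(p, 0) for p in parents), default=0)
    return tiers


def run_example():
    events = parse_log(SAMPLE_LOG)
    alerts = detect_waves(events)
    return alerts, pyramid_tiers(events, alerts)


if __name__ == "__main__":
    alerts, tiers = run_example()
    for a in alerts:
        print(f"{a['sender']}: tier {tiers[a['sender']]}, {a['recipients']} recipients, "
              f"{a['internal_ratio']:.0%} internal, {a['distinct_links']} distinct links, "
              f"hosts={a['external_hosts']}")
```

In the constructed data the seed wave from helpdesk@it-support-portal.test is ignored because the sender is external (that is the gateway's job), erin's five project-update messages are ignored because they link only to an internal host and carry no lure subject, and alice and carol are flagged as tier 1 and tier 2 respectively because alice's wave reached carol's mailbox before carol's own wave started. The per-link variation in step 4c shows up as the distinct_links count being equal to the recipient count.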
Examples of pyramid phishing attacks
Eye Pyramid Targeted Attack Campaign
The Eye Pyramid attackers ran a fruitful information-stealing operation for years before being apprehended. Their preferred approach was to use phishing emails with malicious attachments to jump from one user to the next. The attachment contained malware that gathered and exfiltrated data, including email addresses, which were then used to target the next victims.
Their tactics, which compromised over 100 email domains and 18,000 email accounts, looked like a state-sponsored attack, but the campaign was actually run by an Italian nuclear engineer and his sister who wanted to profit from the information.
Internal Office 365 Credential Phishing
Because of its popularity, Microsoft Office 365 has become a common target for attack campaigns, and many campaigns attempting to phish users’ Office 365 credentials have been identified. Once one user’s account has been compromised, attackers use it to launch Business Email Compromise attacks from inside the organization.
Financial Times Destructive Attack
A few years ago, the Financial Times was the target of a potentially disruptive attack. The intruder (later identified as the Syrian Electronic Army) used a compromised email account to send internal phishing emails and steal further account credentials. When IT learned of the internal phishing, they sent all users an alert email with a link to reset their passwords.
The problem was that the attacker saw that email and re-sent it, but with a link to their own phishing site instead of IT’s. The attackers eventually obtained access to all of the systems they needed, but decided that the Financial Times was the “lesser of two evils” and moved on to other media companies.
Methods to stop internal phishing attacks
The first step in mitigating internal phishing attacks is to introduce multi-factor authentication (MFA), which limits what an attacker can do with stolen account credentials. Internal phishing can still happen with MFA enabled, however, if a user’s computer is infected with malware, because the malware operates from the user’s already-authenticated session.
Many people are unaware that email gateway security solutions, which scan inbound and outbound SMTP traffic, never see internal email: mail between two mailboxes on the same server or tenant does not pass through the gateway. To scan internal email you need either a journaling-based approach or one that integrates with your mail service or mail server. The best solutions scan email content, attachments, and URLs and look for all forms of email threats.
Journaling Based Solutions
The first approach uses the journaling mechanism of your email system to send a copy of every internal email to a security service for offline review. This approach is effective at detecting attacks, but it does not block them: the original is already in the recipient’s mailbox. Some journaling-based security services remove the email after evaluation using Exchange tools.
However, the user retains access to the email and its attachments during the analysis, which can take up to 5 minutes if sandboxing is needed. If the attachment contained malware such as TeslaCrypt, which can encrypt 10,000 files in 40 seconds, the analysis would finish far too late.
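A journaling consumer receives a copy of each message wrapped in a journal report, so it sees the internal mail the gateway never does. The following Python script is an added example and is not code from the original article or from ProgIST. It parses a constructed journal report (the envelope layout, with Sender:, Subject:, Message-Id: and Recipient: lines in the first part and the original message attached as message/rfc822, is modelled on Exchange journaling and is an assumption, as are the example.com domain, the .test host, and the vetted-host list), flags an internal-to-internal message that carries a mailbox-themed subject and a link to a host never vetted before, and reports how long the message had already been sitting in mailboxes when the verdict was reached, which is the window the paragraph above warns about.

```python
import email
import re
from datetime import datetime, timezone
from email import policy
from email.utils import parsedate_to_datetime
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"                              # hypothetical organisation domain (assumption)
KNOWN_HOSTS = {"wiki.example.com", "mail.example.com"}  # previously vetted link hosts (constructed)
LURE = re.compile(r"mailbox|storage|quota|unlock|password|account", re.I)
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)

# Constructed journal report (not a captured one): envelope text in the first part,
# original message attached as message/rfc822. The layout is an assumption modelled
# on Exchange journaling.
JOURNAL_REPORT = """\
From: journal@example.com
To: journal-archive@example.com
Subject: Mail Storage Exceeded
Content-Type: multipart/mixed; boundary="jrnl"

--jrnl
Content-Type: text/plain; charset="us-ascii"

Sender: alice@example.com
Subject: Mail Storage Exceeded
Message-Id: <20240304094000.1234@example.com>
Recipient: carol@example.com
Recipient: dave@example.com
Recipient: partner@vendor.test

--jrnl
Content-Type: message/rfc822

From: Alice <alice@example.com>
To: carol@example.com, dave@example.com, partner@vendor.test
Date: Mon, 04 Mar 2024 09:40:00 +0000
Subject: Mail Storage Exceeded
Message-Id: <20240304094000.1234@example.com>
Content-Type: text/html; charset="us-ascii"

<html><body><p>Your mailbox is over quota. Fix it within 24 hours.</p>
<p><a href="http://mail-quota-fix.test/a1?u=carol">Fix mailbox</a></p>
<p><a href="https://wiki.example.com/it/quota">Storage policy</a></p></body></html>

--jrnl--
"""

# Verdict time used by run_example(); fixed so the example is reproducible.
EXAMPLE_NOW = datetime(2024, 3, 4, 9, 45, tzinfo=timezone.utc)


def parse_journal_report(raw):
    """Return (envelope dict, original EmailMessage) from a journal report."""
    report = email.message_from_string(raw, policy=policy.default)
    envelope, original = {}, None
    for part in report.iter_parts():
        ctype = part.get_content_type()
        if ctype == "text/plain" and not envelope:
            for line in part.get_content().splitlines():
                if ":" in line:
                    key, value = line.split(":", 1)
                    envelope.setdefault(key.strip().lower(), []).append(value.strip())
        elif ctype == "message/rfc822":
            original = part.get_payload(0)          # the wrapped original message
    return envelope, original


def is_internal(addr_or_host, org_domain=ORG_DOMAIN):
    """True for an address at the org domain, or a host equal to or under it."""
    host = addr_or_host.rsplit("@", 1)[-1].lower()
    return host == org_domain or host.endswith("." + org_domain)


def scan_journaled_message(envelope, original, now):
    """Flag an internal-to-internal lure that links to a host never vetted before."""
    sender = envelope.get("sender", [""])[0].lower()
    recipients = [r.lower() for r in envelope.get("recipient", [])]
    body_part = original.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    hosts = {urlparse(u).hostname for u in HREF.findall(body)} - {None}
    new_external = sorted(h for h in hosts if not is_internal(h) and h not in KNOWN_HOSTS)
    internal_rcpts = sum(is_internal(r) for r in recipients)
    sent = parsedate_to_datetime(str(original["Date"]))
    subject = str(original["Subject"] or "")
    suspicious = (is_internal(sender) and internal_rcpts > 0
                  and bool(LURE.search(subject)) and bool(new_external))
    return {
        "message_id": envelope.get("message-id", [""])[0],
        "sender": sender,
        "internal_recipients": internal_rcpts,
        "new_external_hosts": new_external,
        "suspicious": suspicious,
        # Seconds the message had already sat in mailboxes when the verdict was reached.
        "exposure_seconds": (now - sent).total_seconds(),
    }


def run_example():
    envelope, original = parse_journal_report(JOURNAL_REPORT)
    return scan_journaled_message(envelope, original, EXAMPLE_NOW)


if __name__ == "__main__":
    print(run_example())
```

With the fixed verdict time the exposure comes out at 300 seconds, the 5-minute sandboxing delay quoted above; anything a consumer does with the verdict (recall via the mailbox API, a reset of the sender's password, an alert) happens only after that window, which is why journaling detects but does not prevent.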
ProPHISH - Phishing Simulation & Employee Awareness Tool
It is equally important to make sure that your employees understand the types of attacks they may face, the risks, and how to respond. Well-educated employees and properly secured systems are the key to protecting your organisation from such phishing attacks. Good cyber hygiene goes a long way toward preventing breaches; simple care can save you from losing confidential data and dealing with the after-effects.
ProPHISH comprises numerous activities to train your most important first line of defense in the organization: the employees. Get started with top-class cybersecurity solutions for your business at ProgIST.