Phishing Attacks Via Unsubscribe Emails

Authored By: Morey Haber, Chief Security Officer at BeyondTrust

As part of any mature security management process, providing security awareness training and penetration testing via phishing helps protect the organisation from a myriad of threats. And while there are a variety of products to help automate and measure the detonation of emails, the effectiveness of any phishing test is all in the content. If the sample phishing attacks are blatantly obvious, the expected click rate should be low.

If the phishing samples are targeted, have few misspellings, and contain spear-phishing or whaling attributes, the click and detonation rates should be significantly higher. However, there is one flaw in this approach. Each phishing test is generally a snapshot in time and a single email campaign. Rarely is it a series of similar emails that build end-user confidence through their frequency or content but are, in reality, just another form of phishing attack. One very successful phishing attack relies on the unsubscribe feature built into many email solicitations, turning it into a watering hole attack and credential theft. If you think this is a crazy example, read on.

If you are like me, you get a slew of marketing emails, like clockwork, from your favourite vendors selling furniture, clothes, and electronics. These arrive nearly every day at the same time, and all of them have an unsubscribe button. Once clicked, some sites require authentication before modifying your preferences and others do not. Any site that requires authentication is a red flag, and if the email is a phish in the first place, then asking for credentials is potentially an attack vector. Why should you have to authenticate to manage your email preferences? Here is how the phish works, and why it is such an effective way to test your employees with a continuous campaign.

First, let's start with your favourite vendor that sends you spam every day. Copy the contents into your favourite phishing penetration tool (on a daily basis) and change the unsubscribe link to a faux authentication page (watering hole). Most phishing tools can create this type of website out of the box and customise it to look very legitimate. Now send the email to your targets multiple times a day, changing the content every day based on the latest advertisements. If they click on a product link, they get a real product, so the email looks legitimate. Soon, they will get annoyed at the volume and eventually click "unsubscribe" out of sheer irritation. Once they do, and if they fill in their credentials or launch another payload, they have been owned for that site.

Now I know this is devious. I get it. But it illustrates a very important point about cyber education and phishing attacks. Often, training and testing are a point in time and not continuous. And even when continuous penetration testing with phishing is applied, many tests do not provide a sequence of related emails that can wear the end user down until they fall for an attack. In my opinion, these are some of the most successful attacks. Their attributes demonstrate continuity and set the expectation that the end user is "expecting" the email. That creates a basic level of trust, and with that trust, those phishing emails are the ones employees are most likely to click on. Unsubscribe is a simple example of creating this type of attack, and your response rate may vary, but one thing is clear: employees trust emails they expect to see on a regular basis and are more likely to act on them than on a one-time attack or test.
