Phishing click into chaos or Never ever write to me again, dear Santa

Who’s banging on the door? White beard, red robe, big sack of goodies on his shoulder! The familiar appearance of Santa Claus dispels any scepticism. Rooted deep in culture, well known to everyone, he returns every year – but his true identity always remains hidden. Such a leap of faith can have fatal consequences in the digital environment. Because not everyone who appears in a constellation of trust is actually harmless. Cyber criminals utilise this principle successfully. The Federal Office for Cybersecurity (BACS) even reports a dramatic increase in business email compromise (BEC) for the first half of 2024 compared to the previous year.

“But I’ve been well-behaved, Santa”. This nursery rhyme shows how deeply rooted the figure of Santa Claus is in our culture. A familiar yet unfamiliar visitor who bangs loudly on the front door year after year – and who’s welcomed in. This is Santa Claus. A man with a white beard – wearing a red robe and heavy boots – strides into the living room. In eager anticipation and encouraged by their parents, children throughout the land recite verses they’ve learnt by heart. As if he were omniscient, he uncovers the little sins of children and noble deeds in front of the whole family – praising or reprimanding them with a raised admonishing finger. In his authoritarian, educational role, Santa Claus skilfully plays with children’s emotions: Praise here, treats there – but always the threat of punishing anyone who’s been naughty.

When gullibility becomes a cyber danger

An equally careless approach to the figure of Santa Claus can be fatal in connection with digital media. Cyber criminals ruthlessly exploit our credulity towards persons of authority or trust – with increasing success! For example, the Federal Office for Cyber Security (BACS) reported at the beginning of November 2024 that the number of phishing scams doubled in the first half of 2024 compared to the previous year. Our own intelligence data from our Cyber Defence Center also shows the same trend (see Figure 1). (Spear) phishing links are by far the most threatening method of attack. This perfidious method deliberately exploits human trust to trick its victims – usually individuals or a group of people in an organisation – into unwittingly introducing malware into the system or triggering transfers to the attackers.

Figure 1: Intelligence data 2024 of our SOC (source: own presentation)

What’s become a cosy custom for families can quickly turn into a fiasco in the cyber world. For this reason, companies should ensure continuity in their security policies and make sure that their employees understand and comply with them.

5 tips for your security awareness training against phishing and social engineering

We often reset our security awareness to level 0 when we believe we are already familiar with the other person. Encountering a familiar face or a seemingly trustworthy sender often makes us act carelessly. As in the example of Santa Claus: While we have been taught since childhood not to accept sweets from a stranger, the majority of us trust Santa without any ifs or buts.

Targeted awareness training is essential to counteract this credulity. Employees must be made aware of how to deal with digital threats such as “Phishing” – often used in practice for Business Email Compromise (BEC). A deep understanding of the tactics used by attackers and the development of a critical attitude in everyday digital life are crucial.

These five measures provide companies with lasting protection against social engineering and phishing attacks:

• Regular training courses: Awareness programmes should be held regularly and cover the latest fraud techniques and cyber threats. This keeps employees informed and alert at all times.
• Phishing simulations: Practical exercises such as phishing simulations help to consolidate what has been learnt. By experiencing realistic scenarios, employees can react better to real threats.
• Open communication: A corporate culture that promotes dialogue on safety issues is essential. Employees should feel encouraged to report suspicious messages or ask questions without fear of negative consequences.
• Technological support: The use of behaviour-based security software, restrictive Internet access and multi-factor authentication provides additional security. Regularly updating all systems is also crucial to prevent attackers from finding loopholes.
• Supply chain management: A structured approach includes regular identification of critical suppliers, repeated assessment of their risks and implementation of appropriate emergency plans and training programmes for employees.
  
  

Security Operation Center (SOC): Respond immediaitely to suspicious activity

Security Operations Center (SOC): The supply chain is often the target of attacks where a compromised email account of a supplier, customer or partner is used to launch a spear phishing attack. In such cases, a Security Operations Center (SOC) is required that is able to react immediately to attacks and contain them quickly. Raising security awareness in the digital space is an ongoing process that requires constant attention. This requires regular training and a willingness to deal with constantly evolving threats. Only if employees are actively involved in corporate security can the company effectively weaken the threat of cybercrime.

Business email compromise: When the vulnerability leads to compromise

Some time ago, we dealt with a social engineering incident that effectively illustrates the course of a security incident. This involved a cyberattack that began in the supply chain of one of our SOC customers and was ultimately contained by 24/7 SOC monitoring in our ISO 27001-certified Cyber Defence Center without causing any major damage. But read about it for yourself!

It all started with a phishing email attack

A supplier of one of our SOC customers, a large Swiss company with around 10,000 employees, was hacked by a successful phishing attack. The attacker used Qakbot to infiltrate open customer communication at the service provider. By pretending to be a customer of the service provider, the attacker sent a reply email with a link that supposedly contained the expected file.

The attacker thus succeeded in launching a classic social engineering attack. As a supposedly known customer contact, he utilised the constellation of trust established at the real customer for his criminal intent.

The service provider’s employee did not recognise the malicious malware as such. From his perspective, this was a standard communication from an existing customer. Similar to the uncritical behaviour towards the familiar Santa figure – and thus ignoring any security measures – the employee clicked on the link and thus initiated the entry point (A). The service provider’s antivirus system sounded the alarm and reported a malware download. Ignoring this, he missed the first and decisive moment to intervene. Oblivious to the security precautions, the employee asked the attacker to resend the file as a PDF, as the link had been blocked by the antivirus scanner.

Figure 2: Phishing attack on the supply chain without SOC monitoring (source: own illustration)

In the meantime, the malware was functional on the service provider environment and began to wreak havoc. From this point onwards, the attacker would have been neutralised with system isolation from a SOC.

From malware download to initial compromise in just 20 minutes

The malware installed in the service provider environment and the missing SOC allowed the attacker to scan and compromise the service provider domain. He then moved sideways via a cobalt strike (lateral movement). Gaining an overview of the potential prey and realising that his victim supplied our SOC customer with web-based services, he seized the opportunity to compromise the large company.

The attacker was well prepared with the spear phishing attack. Just 21 minutes passed from the successful phishing attack until the attacker managed to penetrate the Legacy.eu domain of the large company – moving unchecked through its infrastructure.

But how did the attacker obtain the administration credentials of the domain controller? The forensic investigation by our Computer Security Incident Response Team (CSIRT) subsequently formulated two possible theories:

• The administrator password had not been updated for over 10 years.
• The administrator was vulnerable to so-called Kerberoasting attacks.

The compromise then set off a veritable chain reaction of lateral movements (Spread B) until the entire infrastructure of the large company was compromised outside the area that could be visualised in the 24/7 SOC monitoring of our Cyber Defence Center.

Figure 3: Anatomy of lateral chain reaction (source: own presentation)

24/7 SOC monitoring recognises suspicious activity and triggers an alarm

After completely compromising the service provider and Legacy.eu environment, the attacker eventually jumped over to the servers we were monitoring. The strong security system of our Cyber Defence Center (CDC) environment detected the suspicious activities of the attacker. The attacker had difficulty establishing a stable and high-throughput “Command & Control (C2)” connection, as the Internet proxy server did not allow this connection.  At this point, the 24/7 SOC monitoring triggered the alarm and brought our team in the Cyber Defence Center to the starting line.

Our intervention process and the forensic investigation were launched with the alarm at the Cyber Defence Center. Our Blue Team from the Cyber Defence Center investigated the attacker’s activities in the customer infrastructure and drew up a containment plan.

Figure 4: The intervention process at a glance (source: own presentation)

We disabled VPN access at the service provider (1), cut the connection between the service provider and Legacy.eu environment (2), used an EDR solution to isolate the two compromised server systems (SRV) of Legacy.eu and the environment monitored by our CDC (3) and implemented a DNS sinkhole to neutralise the attacker’s command & control connections (4). With this coordinated containment briefing, we were able to slow down the chain of attack and protect our customer from a massive loss of business. 

CSIRT: Professional support in the event of a cyberattack 

If a cyber incident is discovered, quick and well thought-out action is crucial! However, an ill-considered attempt by a company to initiate defence measures itself – typically by closing systems or deleting malicious software – can drastically exacerbate the situation. If an attacker realises that he has been detected, there is a considerable risk that he will immediately resort to drastic measures, activate encryption Trojans or spread malware to other system areas.

Figure 5: InfoGuard CSIRT - professional and structured through a cyber incident (source: own illustration)

Our CSIRT offers professional support: Thanks to their many years of experience and modern technologies, our forensic experts at the CSIRT know exactly how attackers operate and how their activities can be analysed without alerting them. This so-called “coordinated containment” ensures that security vulnerabilities and backdoors are fully identified before the attacker is finally removed. In this way, the threat is eliminated efficiently and sustainably.

Specialising in incident response and forensics, the CSIRT has the necessary expertise and strategy to professionally fend off the attack and restore the company’s ability to act as quickly as possible. If negotiations do occur, the CSIRT is also on hand to advise the crisis team, support crisis communication and guide your company safely back to normal operations.

The big InfoGuard Santa competition: guess and win

Cyber criminals act like Santa Claus in a familiar guise, or take advantage of moments of surprise like a precision hit in ice hockey. But with a strong defence and a clear view, you can stop the attack - and secure victory for your team.

Put your skills to the big Santa competition: guess the right answer to the following question and win great prizes. 🏒🎅

Estimation question: How many Business Email compromise cases did our Cyber Defence Center (CDC) process at InfoGuard from 1 January to 30 November 2024?

It’s worth joining in the guessing:

• 1. Place: 2 seating tickets for a EVZ home match*
• 2. Place: Digitec voucher (CHF 100)
• 3. Place: Digitec voucher (CHF 50)

*EV Zug vs. ZSC Lions Saturday, 22 February 2025 or EV Zug vs. Lausanne HC Saturday, 01 March 2025 both in the Bossard-Arena

Send us your estimate by 31 December 2024 and we will notify the winners personally by email by 31 January 2025.

Join the guessing, fill in the form and don't forget your details! 😊

Thank you and see you in 2025! 🎄

Thank you very much for your interest in our articles and your trust in the outgoing year! We wish you a Merry Christmas with your loved ones and a Happy New Year for a healthy and successful 2025!

Caption: with AI generated image