Once a target, always a target: A second look at awareness training in action

The one constant about user awareness training is that the awareness part is supposed to stick with you. Learning how to spot one type of phishing email is only good for that particular email; the point of awareness is learning to trust your gut when something looks suspicious.

On Tuesday, the CSO editorial team was once again reminded of why awareness training works. Last month, we explored a phishing campaign aimed at the CSO editorial team, but our most recent encounter targeted IDG as a whole. Today, we're going to examine this latest attempt, as there are some valuable lessons to be learned.


Phishing is a psychological attack. The criminals behind such initiatives want you, the victim, to do something. This 'something' can be a number of things, but common requests include following links or opening attachments, because the action is simple, takes little time, and it's something everyone online does daily.

The trick, though, is actually getting you to do the 'something' without asking too many questions. This is achieved by focusing on the psychological aspect of the attack. Those behind a phishing campaign will use fear, emotional pulls (e.g., asking for assistance or help), or a pretext of authority (which in itself can be a type of fear, if the pretext is law enforcement or management) to coerce the victim into doing their bidding.

The phishing campaign used as an example for this article circulated on the IDG corporate network on October 8, 2013. Not everyone got it (including myself), but many people working with CSO and IDG as a whole did. The exact count isn't important, but suffice it to say, the issue was large enough for IT to send a company-wide warning about the emails.

The tone of the message leveraged fear, and did so by presenting the pretext of someone in authority. In our case, the email's message carried the air of coming from Human Resources -- and it's never wise to cross them or refuse a request.

Unlike the other phishing campaign, which focused on CSO alone under the guise of a news release, this one cast a wide net, but it was flagged almost immediately by many of the employees who received it, for several reasons.


SUBJECT: Annual Form - Authorization to Use Privately Owned Vehicle on State Business

The subject of the email references a form of some kind, which authorizes the addressee to use their personal vehicle while on state business. While most of us here at IDG are sure that such a form may exist, and perhaps is required in some cases, we don't work for the state.

This is a red flag in and of itself, but in addition to not working for the state, it's common knowledge from employee training that the company allows us to use our own vehicles while traveling for business. But still, like most large companies, we're encouraged to use air travel and rental agencies when we have to travel for a story.


FROM: Joan Leblanc (Joan [at] idgenterprise.com)

If the subject line wasn't enough to prove that the email was suspicious, or at least completely unrelated to our jobs, the email address of the person who sent it raised a second red flag.

While idgenterprise.com is a legitimate domain (after all, it is our corporate domain), the email address itself wasn't formatted properly. Our email addresses, as shown on our author profile pages, use a completely different format. As with the previous phishing attack, a quick search of the company directory confirmed that Joan Leblanc isn't a real employee.


The last time CSO had to deal with a malicious email, it was addressed to fake employees, and the editorial team. In addition, the message was also addressed to two aliases that simply didn't exist. This time however, the aliases were valid, increasing the number of people who received the message.

Some common email aliases, such as support or sales, are fine for organizations of any size. However, easily guessed aliases that deliver to a large number of employees should be considered during the risk assessment process for implementing email security.

"All of us do a little risk calculation whenever something comes into our inboxes...and it's a subconscious thing," explained Trevor Hawthorn, the CTO of ThreatSim, a company that focuses on spear phishing and awareness training.

"When something comes into something like an alias, I would speculate that most of the users -- when something comes into that email address, the little voice in their head probably said, 'this is probably okay, because it's only internal people that ever send to this list'," he added.

In this example, the attackers managed to guess the name of an email address used by a business unit within IDG. However, it is still entirely possible that those targeted by this latest scam had their addresses harvested, as many of them are publicly available. Still, the lesson here is that just because an email is addressed to a known internal alias, that doesn't instantly grant it immunity.



While the other red flags are more than enough to discount this message as a scam, the body is still worth examining. The tone presented by the message is one of fear, as it says that unless the form is completed and submitted, then reimbursement could be delayed. In essence, "...do as we say, or you won't be paid."

Again, "Joan Leblanc" is supposed to be someone with authority. Thus, the tone of this email and the subject line are the psychological aspect of the campaign.

All employees need to have on file this form STD 261 (attached). The original is retained by supervisor and copy goes to Accounting. Accounting need this form to approve mileage reimbursement.

The form can be used for multiple years, however it needs to re-signed annually by employee and supervisor. Please confirm all employees that may travel using their private car on state business (including training) has a current STD 261 on file. Not having a current copy of this form on file in Accounting may delay a travel reimbursement claim.


Again, our awareness training drills into our heads the point that you never open random email attachments or follow random links. The attachment for this email was rather simple: Form.idgenterprise.com.zip

Like the previously covered phishing scam, this too contained a Zeus Trojan variant. Detection was faster this time around, though: as of early Wednesday morning, 24 of 48 AV engines on VirusTotal detected the malware for what it is.



This email likely originated from the same group of bots that sent the last one. As covered in the slideshow that examined the previous campaign's headers, this message also came from a Comcast user, but the headers show sources in Indiana and Florida. However, there were other ISPs included, which were scattered throughout the globe.

This scam spoofed the idgenterprise.com domain, but it also used aexp.com again, in the Return-Path as well as the Received header. As mentioned previously, aexp.com is American Express, and this domain has been spoofed by criminals many times in the last year, including in several noted phishing attacks. The domain itself is usually whitelisted by network defenses, due to the use of corporate credit cards.

For additional technical details, including a list of domains and IPs to block, as well as files dropped, the Malwr report has them.
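The red flags discussed above (a sender address that does not follow the corporate format, a Return-Path and Received hop from a different domain than the visible From, and a zip attachment whose name borrows the corporate domain) are all mechanically checkable at the mail gateway or in a SOC triage script. The following is an added example, not code from the article or from IDG; the sample message is constructed to mirror the described red flags, the hostnames and 192.0.2.10 address are documentation values, and the first_last address convention is an assumption made for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample that mirrors the red flags the article describes; it is not
# the real message. Hostnames and the 192.0.2.10 address are documentation values.
SAMPLE_EML = """\
Return-Path: <bounce@aexp.com>
Received: from mail.aexp.com (unknown [192.0.2.10]) by mx.example.invalid; Tue, 8 Oct 2013 09:12:00 -0400
From: Joan Leblanc <Joan@idgenterprise.com>
To: editors@idgenterprise.com
Subject: Annual Form - Authorization to Use Privately Owned Vehicle on State Business
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

All employees need to have on file this form STD 261 (attached).
--b1
Content-Type: application/zip; name="Form.idgenterprise.com.zip"
Content-Disposition: attachment; filename="Form.idgenterprise.com.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

CORP_DOMAIN = "idgenterprise.com"
# Assumption for this example: internal addresses look like first_last@domain.
CORP_LOCALPART = re.compile(r"^[a-z]+_[a-z]+$")
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".js", ".jar")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower()


def triage(raw: str) -> list[str]:
    """Return the list of red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_local, from_domain = from_addr.rpartition("@")[0], domain_of(from_addr)
    _, return_path = parseaddr(msg.get("Return-Path", ""))

    # 1. Envelope sender (Return-Path) in a different domain than the visible From.
    if return_path and domain_of(return_path) != from_domain:
        flags.append(f"return-path domain {domain_of(return_path)} != from domain {from_domain}")

    # 2. Corporate From address whose local part does not follow the naming convention.
    if from_domain == CORP_DOMAIN and not CORP_LOCALPART.match(from_local):
        flags.append(f"local part '{from_local}' does not match corporate address format")

    # 3. A Received hop that names a host outside the domain the From asserts.
    for received in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+)", received)
        if m and not m.group(1).lower().endswith(from_domain):
            flags.append(f"received from {m.group(1)} but From claims {from_domain}")

    # 4. Attachments: archive/executable types, and names that borrow the corporate domain.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment type: {name}")
        if CORP_DOMAIN in name:
            flags.append(f"attachment name borrows corporate domain: {name}")

    return flags


if __name__ == "__main__":
    for flag in triage(SAMPLE_EML):
        print("FLAG:", flag)
```

Run against the constructed sample, every one of the article's observations surfaces as a separate flag, while a plainly internal message with a conforming address and no attachment produces none. In production the same checks would sit behind SPF/DKIM/DMARC evaluation rather than replace it; the point of the script is that each red flag a trained employee noticed by eye is also expressible as a rule.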

Stories by Steve Ragan