Error Message Phishing Attacks- Templates, Examples & Prevention Strategy
If your target is comprised of mostly low-tech staff members then attackers may opt to leverage seemingly legitimate technical data to entice users to follow a link or open a file. As with most targeted phishing attacks, the ruse that the attacker elects to use depends on the amount of publicly available information the attacker can gather. A favorite subject attackers like to profile is technical information related to the target organization’s personnel, security stack or email delivery system. The reason for this is two-fold:
- The attacker wants to identify any technical staff to make sure they are not included in the target list. Incorrect technical data in the phishing message will most likely raise a red flag if received by users of the technical community.
- Even if targeting non-technical staff, the attacker still wants to know the technology in the organization for multiple reasons, including spoofing it.
Since most organizations need to communicate with the internet in some form, the provides individuals with nefarious intentions a way of gather simple, yet valuable technical information that can be used in a social-engineering attack.
Phishing simulations & training
The image below shows how an attacker can perform a simple DNS query to gather DNS and SMTP information.
The idea of this attack is to use legitimate information to inundate the recipient with seemingly legitimate error messages along with a simple remediation recommendation. The attacker hopes that the victim would rather follow the provided instructions instead of opening a ticket with the company’s help desk. Of course the remediation procedures provided are in reality instructions for the recipient to infect himself or herself, but the attacker is betting that the user will not question anything as long as the error messages cease.
The image below is an example of the type of message an attacker would generate.
This particular technique requires sending repeated messages, spaced out over a period of time. By sending the message in pre-defined intervals aids in making the message appear to be an authentic system-generated message.
The image below shows an example of how the user’s inbox may look during this type of campaign.
In the example above, the attacker has leveraged the available DNS information and created a ruse stating the user’s mailbox is out of sync. The attacker has provided a simple resolution, which is to click a link in order to sync their resources. Of course this link will offer up some sort of malicious payload but like stated earlier, the attacker hopes that the user will find it more efficient to click the link instead of opening a ticket while their inbox continues to fill up. A lot of times the attacker is right.
Organizations are hard pressed to expect low-tech staff to be suspicious of these types of attacks. In a perfect world, the user community would be suspicious of everything, but this is not a perfect world. User awareness helps, it really does, but in cases like this you have to assume that awareness training is moot. Furthermore, most likely your organizations DNS information is publicly available, so there is really nothing that can be done to sanitize it. So being that you can assume that attackers are armed with legitimate network information, and the users are more than likely vulnerable to this attack, the remaining compensating controls will have to be preventive controls. Detective controls are nice but usually once a system has been compromised, the attacker has pivoted through the network and the damage is done.
As always – the strictest web proxy filtering rules will prevent many of these attacks. If possible, your web proxy should be configured by policy to only communicate to categorized domains. Furthermore, domains that have been registered in the last 30 to 90 should also be blocked, as this is usually indicative of a phisher registering a categorized domain that has recently expired.
Phishing simulations & training
The best preventive measure, albeit highly aggressive, is to explicitly whitelist allowed domains for both web access and SMTP negotiation. This is an extremely intensive undertaking, but it is also a solid method of protecting your organization from phishing and web-based attacks.
In this Series
- Error Message Phishing Attacks- Templates, Examples & Prevention Strategy
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
