
Anatomy of a Navy Federal Phishing Attack

The following attack was observed in the wild on July 3, 2018, targeting members of the Navy Federal Credit Union:

Phishing Email Purports “security” and “Restore Your Account”

This phishing attack is immediately obvious to anyone who looks at the FROM address: its domain, “unx[.]net”, does not match the credit union's domain:

Domain Mismatch on FROM Email

The link in the body of the email is also obviously suspect if one simply hovers over it to view the actual destination:

Duber[.]ru link pointing to intel.htm

Attempting to visit the website with an up-to-date browser such as Chrome may produce a security warning, because the site had already been identified as a hostile phishing site before the user visited it:

Browser Security Alerts User of Deceptive Site

The site mimics the look and feel of the legitimate credit union's site, but it is a fake page designed to capture credentials:

Phishing Page

Notice the Sign In prompt in the upper left portion of the page; this is where the credential theft takes place if a user enters credentials. Investigation of the open directory on the vulnerable server hosting the phishing page reveals changes to the “secure.review” directory on the same day as the phishing event, July 3, 2018. Four days prior to the attack, on June 29, 2018, the domain used in the attack was registered and then hosted out of Prague. This reveals that attackers are likely registering sites, using privacy protection to avoid attribution or proactive tracking of such domains, then configuring them and using them in spam campaigns, all of which can be orchestrated in a single day.

The good news is that rapid identification of such threats can result in integrated warnings and blocking of such sites for unsuspecting users who click the link. A little user awareness training can go a long way: simply hover over the link and review the FROM address and the link destination in the email. The bad news is that some users will still click through and enter credentials, some of them before such integrated security solutions can alert on or block the attack.
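The two manual checks described above, the FROM address domain and the hovered link target, can also be automated at a mail gateway. The script below is an added example, not code from the original post; it runs over a constructed message modelled on the one described here, with the indicators defanged, and assumes navyfederal.org as the brand's legitimate domain.

```python
# Automates the two tells from the post: a From: domain that is not the brand's
# own, and a body link whose visible text points somewhere other than its href.
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the message described above; indicators are
# defanged with [.] so nothing here resolves or connects to anything.
SAMPLE_EML = """\
From: Navy Federal Security <security@unx[.]net>
Subject: Restore Your Account
Content-Type: text/html

<html><body><p>Your account has been restricted for security reasons.</p>
<a href="http://duber[.]ru/secure.review/intel.htm">navyfederal.org/restore</a>
</body></html>
"""

# Good enough for the anchors seen in phishing mail; a real pipeline would use an HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):
    """Last two labels of a host; crude, but enough for this sample."""
    return ".".join(host.lower().split(".")[-2:])

def analyze(raw_eml, brand_domains=("navyfederal.org",)):
    """Return a list of findings; an empty list means no tell was spotted."""
    # Refang so the stdlib parsers see ordinary domains.
    msg = email.message_from_string(raw_eml.replace("[.]", "."), policy=policy.default)
    sender = msg["From"].addresses[0].domain if msg["From"] else ""
    findings = []
    if registrable(sender) not in brand_domains:
        findings.append(f"from-domain-mismatch:{sender}")
    body = msg.get_body(preferencelist=("html", "plain"))
    for href, text in ANCHOR_RE.findall(body.get_content() if body else ""):
        host = urlparse(href).hostname or ""
        if registrable(host) not in brand_domains:
            findings.append(f"link-offbrand:{host}")
        shown = re.sub(r"<[^>]+>", "", text).strip().split("/")[0]  # what the user sees
        if "." in shown and registrable(shown) != registrable(host):
            findings.append(f"link-text-mismatch:{shown}->{host}")
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML):
        print(finding)
```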