Phishing Startups for Profit

It seems like lately I’ve been bombarded by phishing attacks that are much closer to home than the news. The attacks are succeeding in affecting fellow startup companies that are knocking on my inbox asking for thoughts and advice. I’m always happy to help where I can but occasionally one pops up that needs further investigation.

Let’s discuss one. Just a week ago, an investor in Apozy called me to urgently request that I help a fellow portfolio company recover from a phishing attack they fell for. I obliged, of course.

The Attack

As far as we know the attack, while still not completely fleshed out, appears to have sent phishing emails to the employees of the fellow startup. Once one phish succeeded, they injected some sort of malware onto the machine in order to steal credentials. Those credentials were then used to access the entire corporate Google Suite including emails, contacts, Google Drive documents, etc.. Within those, the attackers identified a number of customers.

Upon identifying the customers, they came up with the brilliant plan to invoice them. The hackers crafted invoicing documents via PDF. Those PDFs contained invoicing information demanding payment from the customers to an account. The account, of course, does not belong to the startup we’re discussing but to the attackers.

The Impact

The customers, agreeing they need to pay, submitted payments in the range of $40,000 to the attackers. The invoicing attack originally occurred in Oct/Nov 2017. They’re just discovering the impact of it this month — March 2018.

Their description of the problem led me down a rabbit hole of potential issues and things that could STILL be infiltrated. They have since taken the affected machines out of service and changed passwords, however, they’re not sure if the infections were contained. Further, they’re not sure how many people in total fell for the phishing attack. For all we know, the entire contents of their GSuite could be backed up on a torrent somewhere.

I walked the CEO through some thought processes he should be following and requested he send over any emails, files, or malicious examples he may have from the attack. From there, I recommended he either try to tackle some of this himself or go with a firm to handle it. He sent over some emails including the PDFs and ultimately went with a local Incident Response firm.

The Recovery

My initial analysis of the PDFs is that they contain some suspicious calls, however I don’t have the tools or time to dive further. It seems more likely that they simply had the proper (stolen) authority to simply solicit the clients for money. Both the affected startup and clients fell for the attacks hook-line-and-sinker.

Following up on all that I had found and after reviewing the IR proposal, we discussed what they should do for the future. Being that I run Apozy, which was created for this EXACT purpose, I gave him a rundown on how startups, just like enterprises, need to go the extra mile to protect against phishing attacks. Not only was there a monetary loss, there was a confidence loss on the customers’ part. They need reassurance that steps will be taken.

Apozy NoHack nullifies phishing pages, malicious downloads, malvertising, crypto miners, and malicious scripts using Native Browser Isolation. It deploys to teams in seconds due to it’s agentless nature and has NO infrastructure or implementation overhead. Once deployed, it lives quietly within Chrome or Firefox and protects against all malicious sites in real-time. Perfect for startups. Perfect for this company.