Analysis of over 52 million phishing simulations finds that entertainment-based triggers account for almost 20% of successful phishing scams
LEESBURG, VA. – November 30, 2017 – PhishMe®, the leading provider of human phishing defense solutions, today released its 2017 Enterprise Phishing Resiliency and Defense Report, which analyzes phishing simulation trends from over 1,400 PhishMe customers across the globe. With susceptibility rates on the decline and reporting and resiliency rates on the rise, PhishMe customers are seeing the benefit of anti-phishing programs within their organization.
URL shorteners are a great tool to share a web address without a lot of typing. PhishMe Intelligence™ recently observed malicious actors using these services to evade security controls. They use these services to conceal the actual URL and bypass controls put in place to block known malicious domains.
In a recent Strategic Analysis, we outlined how malicious actors leveraged Microsoft Office’s Dynamic Data Exchange (DDE) protocol functionality to compromise victims with Chanitor malware within days of SensePost publicly disclosing the risks. PhishMe® has since observed the weaponization of this tactic to deliver other types of malware in several campaigns that support some of the most lucrative current online criminal operations.
Phishing websites are designed to steal usernames, passwords, and additional PII when unsuspecting victims are enticed to log in. Credential phishing intelligence is used to hunt, detect, and block access attempts to spoofed sites as well as to raise awareness about the latest tactics, techniques, and procedures used with credential and malware phishing campaigns.
The new credential phishing feature from PhishMe Intelligence™ delivers additional information to help defend against credential-gathering attacks. The credential phishing intelligence is available via the PhishMe Intelligence API and portal.
This blog is the first in a series about credential phishing in the enterprise.
Credential Phishing and Office 365
Microsoft Office 365 was released in 2011 and has become hugely popular among enterprises both large and small. In a workplace that has fully integrated Office 365, one password logs you in to just about everything from any device, and it all works seamlessly. That convenience is exactly what makes the login page worth impersonating. Figure 1 shows the real Office 365 login page on Microsoft's site, https://login.microsoftonline.com.
Figure 1 – Real Office 365 Login Page
Outlook 365 users are reporting suspicious messages to PhishMe® that contain links to a page that looks like Figure 1 but is hosted on compromised or fraudulent sites. Figures 2-5 show some examples of the suspicious messages that enterprise employees are receiving:
Figure 2 – Suspicious O365 Message (1 of 4)
Figure 3 – Suspicious O365 Message (2 of 4)
Figure 4 – Suspicious O365 Message (3 of 4)
Figure 5 – Suspicious O365 Message (4 of 4)
All of these messages are designed to look legitimate, like something from IT, and the pages they link to mimic the Office 365 login page. In reality they deliver the unsuspecting user to a fraudulent site that steals their credentials. This type of phishing has been growing rapidly: the examples in Figures 2-5 were captured within only 90 minutes. Over the past month PhishMe has detected credential phishing pages hosted on over 1,100 hostnames, which have likely been distributed via tens of thousands of email messages. Microsoft's own Security Intelligence Report reveals a dramatic increase in the number of account sign-ins attempted from malicious IP addresses.
The fallout from a successful Office 365 credential-based attack is so large that measuring it has become a data analytics problem, and estimating the extent of the damage is near impossible because many victims do not know they have entered their credentials on a fake site. Once credentials are compromised, a threat actor could be in your system for a long time before you discover the breach. The time between initial intrusion and detection of compromise, known as dwell time, is currently estimated at 49 days (seven weeks).
New and different
While the attacks described above have been appearing for years, we’ve seen some new examples that seem a bit different. In these examples, the attackers are exploiting features of Office 365 as part of their phishing campaign.
Office 365 Forms
In the first example an attacker uses the Office 365 Forms app to create realistic phishing pages that are hosted on a Microsoft domain. Figure 6, below, shows a message whose link points to a Google.com URL that in turn redirects to Forms[.]Office.com:
Figure 6 – Message contains link to Google.com URL
When that link is clicked, the phishing form is displayed (figure 7) on a domain that just about any IT department would be reluctant to block.
Figure 7 – Office.com form reached from link in phishing message
To make things more confusing, Microsoft runs its own URL shortener on the domain 1drv[.]ms. PhishMe customers are reporting phishing messages containing URLs on that domain that redirect to Onedrive[.]Live.com to load a PDF document, which in turn contains yet another link. As figure 8 shows, this message contained a shortened link that slipped through technological defenses:
Figure 8 – OneDrive Shortened Link
The resulting PDF (figure 9) can open in the browser and deliver a link to a compromised site that hosts a phishing page.
Figure 9 – PDF from OneDrive with Malicious Link
By the time the victim reaches the somewhat-generic page below (figure 10), they have clicked through at least three trusted services.
Figure 10 – Final Destination from Original OneDrive Link
Many of the phishing messages are created from a template that inserts the recipient's email address into the URL the victim is enticed to click. A personalized link makes the victim feel the message was built just for them, so they can log in as normal and resolve the supposed problem with their account. Similar template functionality can extract the domain name from the recipient's email address and display it in large type, with an initial capital letter, to further spoof a login page for that company.
To reach the page in figure 11, we clicked a link containing the test email address [email protected] in the query string, as follows:
Though the landing page was on a different domain, the address was passed along so that it remained part of the URL and was displayed on the page, conveniently completing half of the form already:
Even though the above example does not represent a spear phish per se, we do see soft targeting and targeting of employees at specific large companies. Soft targeting uses social media or other public information about a company to tailor the recipients, the message templates, and the landing pages to those in certain roles at the company.
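The personalized links described above are also a gift to the defender: the recipient address baked into the URL tells you who was targeted, and the capitalized domain banner tells you what the page will look like to that user. The following is an added example, not code from the original post or from PhishMe, that pulls the address out of a reported link and reproduces the spoofed banner. It assumes the address may appear plainly, URL-encoded, or (a common variant not shown on the page) base64-encoded in the query string or fragment; the sample URLs and the host billing.example.net are constructed for the example.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote, urlparse

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _decode_base64_email(blob):
    """Return the address hidden in a base64 blob, or None if it is not one.
    (Assumption: some kits base64-encode the address; the page only shows plain text.)"""
    try:
        padded = blob + "=" * (-len(blob) % 4)
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except Exception:
        return None
    match = EMAIL_RE.fullmatch(text)
    return match.group(0) if match else None


def find_embedded_emails(url):
    """List recipient addresses carried in the URL's query string or fragment, lower-cased and de-duplicated."""
    parts = urlparse(url)
    candidates = [value for _, value in parse_qsl(parts.query, keep_blank_values=True)]
    candidates += [unquote(parts.query), unquote(parts.fragment)]
    found = []
    for text in candidates:
        for address in EMAIL_RE.findall(text) + [_decode_base64_email(text)]:
            if address and address.lower() not in found:
                found.append(address.lower())
    return found


def spoofed_org_label(address):
    """Mimic the kit's trick: take the domain after '@' and capitalise it for the login-page banner."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain.capitalize()


def triage_url(url):
    """Summarise what a reported link reveals: landing host, targeted recipients, banner text."""
    host = (urlparse(url).hostname or "").lower()
    emails = find_embedded_emails(url)
    return {
        "host": host,
        "recipients": emails,
        "banner": [spoofed_org_label(e) for e in emails],
        "personalised": bool(emails),
    }


# Constructed sample links (not from the page's figures); the fragment in the second one
# is base64 for the same address as the first.
SAMPLE_URLS = [
    "https://billing.example.net/o365/index.php?email=joe.smith%40example.com",
    "https://billing.example.net/o365/index.php#am9lLnNtaXRoQGV4YW1wbGUuY29t",
    "https://billing.example.net/o365/index.php",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(triage_url(u))
```

Run the triage over every URL in a reported message rather than just the first one: the address in the link is the user to contact and the mailbox to pull related messages from, whether or not that user actually clicked.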
Employees can also fall victim to phishing attacks that compromise PCs with malicious software. Use PhishMe Intelligence™ to identify when users visit credential phishing sites or when their machines exhibit indicators of compromise by malware.
Enable two-factor authentication on all employee accounts.
Once a credential phishing message is detected:
Delete other related messages received within your enterprise
Check perimeter devices for connections to the phishing URL
Adjust controls to block similar messages by the URL and its host and/or domain, by the subject line, and/or by the sending IP address
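Two of the steps above, checking perimeter devices for connections and deciding what to block, need care when the link chain runs through trusted services (figures 8-10) and the final URL carries the recipient's address: you cannot block 1drv.ms, and an exact-URL search on the proxy logs misses every recipient but the one who reported. The following is an added example, not code from the original post or from PhishMe, that derives blockable hosts from the chain and hunts a proxy log for it. On trusted hosts it matches the full URL including the query (the query identifies the specific shared file); on the attacker's host it matches host and path only (the query carries the victim's address). The trusted-suffix list, the redirect chain and the log lines are constructed for the example.

```python
from urllib.parse import urlparse

# Assumption: services the attacker chains through that you would not block outright; tune per environment.
TRUSTED_SUFFIXES = ("1drv.ms", "live.com", "office.com", "microsoftonline.com", "google.com")


def is_trusted(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def registrable_domain(host):
    """Naive last-two-labels cut; use a public-suffix list on real data."""
    return ".".join(host.lower().split(".")[-2:])


def match_key(url):
    """Trusted hop: keep the query, it selects the shared file.
    Attacker hop: drop the query, it is different for every recipient."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    return (host, p.path, p.query) if is_trusted(host) else (host, p.path)


def chain_indicators(chain):
    """(host, registrable domain) pairs in the chain that can be blocked outright."""
    out = []
    for url in chain:
        host = (urlparse(url).hostname or "").lower()
        if host and not is_trusted(host):
            out.append((host, registrable_domain(host)))
    return out


def hunt_proxy_logs(log_lines, chain):
    """Return (timestamp, user, url) for proxy requests matching any hop of the chain."""
    targets = {match_key(u) for u in chain}
    hits = []
    for line in log_lines:
        ts, user, url = line.split(" ", 2)
        if match_key(url) in targets:
            hits.append((ts, user, url))
    return hits


def likely_victims(hits):
    """Users who reached a non-trusted hop, i.e. the credential page itself."""
    return sorted({user for _, user, url in hits
                   if not is_trusted(urlparse(url).hostname or "")})


# Constructed redirect chain mirroring figures 8-10: short link -> OneDrive -> compromised site.
CHAIN = [
    "https://1drv.ms/b/s!constructed-short-id",
    "https://onedrive.live.com/redir?resid=CONSTRUCTED-RESID&authkey=CONSTRUCTED-KEY",
    "https://billing.example.net/o365/verify/index.php?email=joe.smith@example.com",
]

# Constructed proxy log lines in the form "<timestamp> <user> <url>".
PROXY_LOG = [
    "2017-11-15T09:01:12Z jsmith https://1drv.ms/b/s!constructed-short-id",
    "2017-11-15T09:01:13Z jsmith https://onedrive.live.com/redir?resid=CONSTRUCTED-RESID&authkey=CONSTRUCTED-KEY",
    "2017-11-15T09:01:40Z jsmith https://billing.example.net/o365/verify/index.php?email=joe.smith@example.com",
    "2017-11-15T09:05:02Z alee https://billing.example.net/o365/verify/index.php?email=a.lee@example.com",
    "2017-11-15T09:06:00Z bchen https://www.office.com/",
    "2017-11-15T09:07:30Z dkim https://onedrive.live.com/redir?resid=OTHER-RESID&authkey=OTHER-KEY",
]

if __name__ == "__main__":
    print("block:", chain_indicators(CHAIN))
    hits = hunt_proxy_logs(PROXY_LOG, CHAIN)
    print("hits:", hits)
    print("reset passwords for:", likely_victims(hits))
```

Note that alee never touched the 1drv.ms link in this log (the user may have come from a different message in the same campaign) but still shows up as a victim because the final host and path match; that is the case the exact-URL search would have missed.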
As Black Friday draws near, it seems that every company with anything to sell is sending emails to advertise their specials. Consumers can expect to see emails from all sorts of major retailers: Amazon, Dell, Fry's, Home Depot, Kohl's, Microsoft, and everyone under the sun, with some really great deals. However, mixed into this pile of email are a tremendous number of messages touting shady deals that could lead consumers to give up personal information or money, or just land them with fake products instead of what they were shopping for. Here are two major categories of trouble that you might want to watch out for in your Black Friday emails:
PhishMe Intelligence™ has uncovered a phishing campaign that delivers a new loader/browser plugin combination that we have dubbed Vulture Stealer. Vulture Stealer is a two-stage data stealer that includes a version of Banload banking trojan malware. However, paired with an extensive secondary stealer it can target and gather information beyond Banload’s reach within Google Chrome—effectively gathering any information entered within the compromised Chrome browser. This campaign, which uses Portuguese-language phishing messages, may be targeting Brazilian banks and their customers. This is the first time PhishMe® has observed Banload coupled with a malicious browser extension.
Over the past weeks, the Phishing Defence Centre has observed several reports that pretend to come from an internal sender. While this impersonation tactic is not new, we have only recently observed an influx in emails used to deliver the Geodo botnet malware. Figure 1 demonstrates an example of an email we have received.