Merry PhishMas: PhishMe Gifts Small Businesses with an Early Present This Holiday Season

The PhishMe Free Holiday Bundle reduces end user susceptibility to potential holiday-related phishing attacks.

LEESBURG, VA. – December 12, 2017 – PhishMe®, the leading provider of human phishing defense solutions, today announced the PhishMe Free Holiday Bundle, which the company is gifting to businesses with 500 employees or fewer this season. The Bundle includes the PhishMe Free phishing simulation platform and three holiday-related simulation scenarios: Holiday Gift, Package Delivery, and New Year’s Eve e-card.

Locky-Like Campaign Demonstrates Recent Evolving Trends in Ransomware

Over the US Thanksgiving holiday, PhishMe Intelligence™ observed a ransomware campaign, Scarab, that shares some similarities in behavior and distribution with Locky. In this campaign, Scarab was delivered by the Necurs botnet, which had made headlines for distributing Locky, one of the most prolific ransomware families of 2016 and 2017. Like Locky, Scarab can encrypt a victim's files using either online or offline encryption.

PhishMe Inc. and Wombat Security Technologies, Inc. Announce Settlement of Patent Dispute

LEESBURG, Virginia and PITTSBURGH, Pennsylvania, December 1, 2017

PhishMe Inc. and Wombat Security Technologies, Inc. announced today that they have settled their patent dispute and entered into an agreement resolving the claims at issue in the litigation. The parties’ litigation in the United States District Court for the District of Delaware will be dismissed, and the proceedings pending at the United States Patent and Trademark Office will be terminated. As a part of the settlement, PhishMe granted a license to Wombat to the PhishMe patents involved in the litigation.

About PhishMe

PhishMe is a leading provider of human-focused phishing defense solutions for organizations concerned about their susceptibility to today’s top attack vector — spear phishing. PhishMe’s intelligence-driven platform turns employees into an active line of defense by enabling them to identify, report and mitigate spear phishing, malware and drive-by threats. Our open approach ensures that PhishMe integrates easily into the security technology stack, demonstrating measurable results to help inform an organization’s security decision-making process. PhishMe’s customers include the defense industrial base, energy, financial services, healthcare and manufacturing industries, as well as other Global 1000 entities that understand how changing user security behavior will improve security, aid incident response and reduce the risk of compromise.

About Wombat Security Technologies, Inc.

Wombat Security Technologies is a leading provider of information security awareness and training software to help organizations teach their employees secure behavior. Their SaaS-based cybersecurity education solutions include a platform of integrated broad assessments, as well as a library of simulated attacks and brief interactive training modules. Wombat’s solutions help organizations reduce successful phishing attacks and malware infections up to 90%. Wombat is helping small and medium businesses as well as Fortune 1000 and Global 2000 customers in industry segments such as finance and banking, energy, technology, higher education, retail, and consumer packaged goods to strengthen their cybersecurity defenses.

Forget Fear, PhishMe Finds Entertainment Makes the Most Irresistible Phishing Attack

Analysis of over 52 million phishing simulations finds that entertainment-based triggers account for almost 20% of successful phishing scams 

LEESBURG, VA. – November 30, 2017 – PhishMe®, the leading provider of human phishing defense solutions, today released its 2017 Enterprise Phishing Resiliency and Defense Report, which analyzes phishing simulation trends from over 1,400 PhishMe customers across the globe. With susceptibility rates on the decline and reporting and resiliency rates on the rise, PhishMe customers are seeing the benefit of anti-phishing programs within their organization.

Microsoft Word DDE Abuse Tactics Spreads to Locky, Trickbot, and Pony Malware Campaigns

In a recent Strategic Analysis, we outlined how malicious actors leveraged Microsoft Office’s Dynamic Data Exchange (DDE) protocol functionality to compromise victims with Chanitor malware within days of SensePost publicly disclosing the risks. PhishMe® has since observed the weaponization of this tactic to deliver other types of malware in several campaigns that support some of the most lucrative current online criminal operations.

“But It Looked Like It Came from IT!” – Focusing on Credential Phishing Trends

Phishing websites are designed to steal usernames, passwords, and additional PII when unsuspecting victims are enticed to log in. Credential phishing intelligence is used to hunt, detect, and block access attempts to spoofed sites as well as to raise awareness about the latest tactics, techniques, and procedures used with credential and malware phishing campaigns.

The new credential phishing feature from PhishMe Intelligence™ delivers additional information to help defend against credential-gathering attacks. The credential phishing intelligence is available via the PhishMe Intelligence API and portal.

This blog is the first in a series about credential phishing in the enterprise.

Credential Phishing and Office 365

Microsoft Office 365 was released in 2011 and has since become hugely popular among enterprises both large and small. For those in a workplace that has fully integrated Office 365, it feels as if you use that one password to log in to just about everything from any device. It all just works seamlessly. This is what the Office 365 login page looks like on Microsoft’s site (Figure 1).

Figure 1 – Real Office 365 Login Page

Office 365 users are reporting suspicious messages to PhishMe® that contain links to a page that looks like Figure 1 but is hosted on a compromised or fraudulent site. Figures 2-5 show some examples of the suspicious messages that enterprise employees are receiving:

Figure 2 – Suspicious O365 Message (1 of 4)

Figure 3 – Suspicious O365 Message (2 of 4)

Figure 4 – Suspicious O365 Message (3 of 4)

Figure 5 – Suspicious O365 Message (4 of 4)

All of these messages are designed to look legitimate – like something from IT – and mimic the Office 365 login page. In reality, they deliver the unsuspecting user to a fraudulent site that steals their credentials. This type of phishing has been growing rapidly: the examples shown in Figures 2-5 were captured within only 90 minutes. Over the past month PhishMe has detected credential phishing pages hosted on over 1,100 hostnames, which have likely been distributed via tens of thousands of email messages. Microsoft’s own Security Intelligence Report reveals a dramatic increase in the number of account sign-ins attempted from malicious IP addresses.

The fallout from a successful Office 365 credential-based attack is so large that measuring it has become a data analytics problem. Estimating the extent of the damage is near impossible, because many victims don’t know they have entered their credentials on a fake site. Once credentials are compromised, a threat actor could be in your system for a long time before you discover the breach. The time between the initial intrusion and detection of the compromise, known as dwell time, is currently estimated to be 49 days (seven weeks).

New and different

While the attacks described above have been appearing for years, we’ve seen some new examples that seem a bit different.  In these examples, the attackers are exploiting features of Office 365 as part of their phishing campaign.

Office 365 Forms

In the first example an attacker uses the Office 365 Forms app to create realistic phishing pages that are hosted on a Microsoft domain. Figure 6, below, shows a message whose link redirects to Forms[.]

Figure 6 – Message contains link to URL

When that link is clicked, the phishing form is displayed (figure 7) on a domain that just about any IT department would be reluctant to block.

Figure 7 – form reached from link in phishing message

URL Shortening

To make things more confusing, consider that Microsoft operates its own URL shortener on the domain 1drv[.]ms. PhishMe customers are reporting phishing messages that contain URLs on that domain which then redirect to Onedrive[.] to load a PDF document that contains yet another link. As you can see in Figure 8, this message contained a shortened link that slipped through technological defenses:

Figure 8 – OneDrive Shortened Link

The resulting PDF (figure 9) can open in the browser and deliver a link to a compromised site that hosts a phishing page.

Figure 9 – PDF from OneDrive with Malicious Link

By the time the victim reaches the somewhat-generic page below (figure 10), they have clicked through at least three trusted services.

Figure 10 – Final Destination from Original OneDrive Link
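Because the chain above passes through a PDF before it reaches the phishing page, an analyst usually wants the link out of that PDF without opening it in a viewer. The following is an added example, not code from PhishMe or from the original post: a small Python extractor that pulls every /URI link annotation out of a PDF, decoding both literal and hex PDF strings, inflating FlateDecode streams in case the annotation sits inside a compressed object stream, and defanging the results for a ticket. The sample PDF bytes, hostnames and paths are constructed for the example and are not taken from any real lure.

```python
import binascii
import re
import zlib

# Constructed sample: a minimal PDF fragment with three Link annotations. Object 1
# carries its /URI as a literal string, object 2 as a hex string, and object 3 sits
# inside a FlateDecode stream, as it would in an object stream. Nothing here is real.
_FINAL = b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://final-landing.test/o365/) >> >>"
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
    b"/A << /S /URI /URI (http://www.compromised-site.test/wp-admin/user/login.php) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link /Rect [72 660 300 680] "
    b"/A << /S /URI /URI <68747470733A2F2F6C6F67696E2D7665726966792E746573742F> >> >> endobj\n"
    b"3 0 obj << /Type /ObjStm /Filter /FlateDecode >> stream\n"
    + zlib.compress(_FINAL)
    + b"\nendstream endobj\n"
    b"%%EOF\n"
)

# /URI followed by either a literal string (...) with backslash escapes or a hex string <...>.
URI_RE = re.compile(rb'/URI\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)')
STREAM_RE = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.S)


def _decode_pdf_string(tok):
    """Decode one PDF string object (literal or hex) to text."""
    if tok.startswith(b'('):
        body = tok[1:-1]
        body = re.sub(rb'\\([()\\])', rb'\1', body)  # unescape \( \) and \\
        return body.decode('latin-1')
    hexbody = re.sub(rb'\s', b'', tok[1:-1])
    if len(hexbody) % 2:  # PDF pads an odd trailing nibble with 0
        hexbody += b'0'
    return binascii.unhexlify(hexbody).decode('latin-1')


def _inflated_streams(data):
    """Yield the contents of every stream that inflates with zlib (FlateDecode)."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-compressed, or not something we can read


def pdf_links(data):
    """Return every /URI target found in the PDF bytes, raw objects first, then inflated streams."""
    links = [_decode_pdf_string(m.group(1)) for m in URI_RE.finditer(data)]
    for blob in _inflated_streams(data):
        links.extend(_decode_pdf_string(m.group(1)) for m in URI_RE.finditer(blob))
    return links


def defang(url):
    """Render a URL so it cannot be clicked when pasted into a ticket (hxxp, [.])."""
    return re.sub(r'^http', 'hxxp', url, flags=re.I).replace('.', '[.]')


if __name__ == '__main__':
    for link in pdf_links(SAMPLE_PDF):
        print(defang(link))
```

A regex over the raw bytes plus Flate inflation covers the simple lures described here; a PDF that uses other stream filters, or that is encrypted, needs a full PDF parser rather than this script. Run it directly to print the defanged links from the constructed sample.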

Personalized Email

Many of the phishing messages are created using a template that inserts the recipient’s email address into the URL that the victim is enticed to click. Seeing a personalized link, the victim is made to feel that the message was built just for them, so that they log in as normal to resolve the supposed problem with their account. Similar template functionality can extract the domain name from the recipient’s email address and display it in large type, with an initial capital letter, to further spoof a login page for that company.

To reach the page in Figure 11, we clicked a link containing the test email address [email protected] in the query string, as follows:

hxxp://www.medicalinnovation[.]it/wp-admin/user/[email protected][.]com

Though the landing page was on a different domain, the address was passed along so that it remained a part of the URL and was displayed on the page, already conveniently completing half of the form:

Although the example above does not represent a spear phish per se, we do see soft targeting and targeting of employees at specific large companies. Soft targeting involves the use of social media or public information about a company to tailor the recipient list, the message templates, and the landing pages so that they are attractive to people in certain roles at that company.
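The personalised link is itself a useful detection signal: a URL that carries the recipient’s own address in its path or query string and points at a host that is not the company’s identity provider is a strong indicator of a templated credential phish. The following is an added example, not PhishMe’s code: a Python helper that refangs a reported URL (hxxp, [.]), finds any embedded e-mail addresses, checks whether one of them is the message’s recipient, and reproduces the capitalised domain label the landing pages described above display. The hostnames and addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Ordinary e-mail address; the domain part backtracks so a trailing "&id=42" is not swallowed.
EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}')


def refang(url):
    """Undo the hxxp / [.] defanging used in reports so the URL can be parsed."""
    url = re.sub(r'^hxxps?', lambda m: m.group(0).lower().replace('xx', 'tt'), url, flags=re.I)
    return url.replace('[.]', '.').replace('(.)', '.')


def embedded_emails(url):
    """Return (location, address) for every address found in the path, query or fragment."""
    parts = urlsplit(refang(url))
    hits = []
    for where, text in (('path', parts.path), ('query', parts.query), ('fragment', parts.fragment)):
        for addr in EMAIL_RE.findall(unquote(text)):
            hits.append((where, addr.lower()))
    return hits


def spoofed_brand(address):
    """The trick described above: first label of the victim's domain, capitalised, e.g. 'Acme'."""
    domain = address.split('@', 1)[1]
    return domain.split('.')[0].capitalize()


def assess(recipient, url):
    """Summarise one reported message: where the link lands, which addresses it carries,
    whether it was personalised for this recipient, and what company name the page would show."""
    recipient = recipient.lower()
    hits = embedded_emails(url)
    personalised = any(addr == recipient for _, addr in hits)
    return {
        'landing_host': urlsplit(refang(url)).hostname,
        'embedded': hits,
        'personalised_for_recipient': personalised,
        'brand_shown': spoofed_brand(recipient) if personalised else None,
    }


if __name__ == '__main__':
    # Constructed report: hostname, path and address are made up for the example.
    print(assess('Jane.Doe@acme.example',
                 'hxxp://www.compromised-site[.]test/wp-admin/user/jane.doe@acme.example'))
```

Feed it the recipient and the reported link from a user report; a result with personalised_for_recipient set and a landing_host outside your own identity provider is worth pulling from other mailboxes immediately, since the same template will have gone to other users with their own addresses substituted.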

What can you do?

  • Use PhishMe Simulator™ and the PhishMe Reporter® plugin for Outlook to condition your employees to recognize and report suspicious messages to your incident response team.
  • Employees can also fall victim to phishing attacks that compromise PCs with malicious software. Use PhishMe Intelligence™ to identify when users go to credential phishing sites or their machines exhibit indicators of compromise with malware.
  • Enable two-factor authentication on all employee accounts.
  • Once a credential phishing message is detected:
    1. Delete other related messages received within your enterprise
    2. Check perimeter devices for connections to the phishing URL
    3. Adjust controls to block similar messages by the URL and its host and/or domain, by the subject line, and/or by the sending IP address
  • For employees who fell victim to a credential phish, force password resets and provide additional training about phishing attacks. Consult Microsoft’s technical support pages “How to determine whether your Office 365 account has been compromised” and “How to fix a compromised (hacked) Microsoft Office 365 account”.
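Putting the three response steps above into practice means turning one reported URL into the indicators to search and block on (full URL, host, domain), then sweeping proxy logs and the mail store with them. The following is an added example, not PhishMe’s code: the log lines imitate a Squid-style access log, the message list stands in for a mail-server search result, and every host, address and IP is constructed. It ranks the affected clients (a POST to the phishing host means the form was probably submitted, so that user gets the forced reset the last bullet calls for) and finds the other copies of the campaign by link, subject line and sending IP. One assumption is flagged in the code: the registrable domain is taken as the last two labels, which is wrong for names under suffixes such as co.uk; use a public-suffix list in production.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data. The log lines imitate a Squid-style access log
# (timestamp, client IP, status, method, URL); the message list stands in for
# a mail-server search result. None of these hosts, addresses or IPs are real.
PROXY_LOG = """\
1512345601.123 10.1.4.22 TCP_MISS/200 GET http://www.compromised-site.test/wp-admin/user/login.php?email=jane.doe%40acme.example
1512345602.456 10.1.4.22 TCP_MISS/200 POST http://www.compromised-site.test/wp-admin/user/post.php
1512345610.789 10.1.7.9 TCP_MISS/200 GET https://www.microsoft.com/
1512345620.000 10.1.9.31 TCP_MISS/302 GET http://cdn.compromised-site.test/login/
1512345630.000 10.1.2.5 TCP_MISS/200 GET http://compromised-site.test.evil.example/
"""

# (message_id, recipient, subject, sending IP, URL in body); m1 is the reported message.
MESSAGES = [
    ('m1', 'jane.doe@acme.example', 'Action required: mailbox quota', '203.0.113.7',
     'http://www.compromised-site.test/wp-admin/user/login.php?email=jane.doe%40acme.example'),
    ('m2', 'bob@acme.example', 'Action required: mailbox quota', '203.0.113.7',
     'http://www.compromised-site.test/wp-admin/user/login.php?email=bob%40acme.example'),
    ('m3', 'ann@acme.example', 'Lunch menu', '198.51.100.4', 'https://intranet.acme.example/menu'),
    ('m4', 'ann@acme.example', 'Re: your account', '203.0.113.7', 'http://cdn.compromised-site.test/login/'),
]

LOG_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+\S+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)')
SEVERITY = {'investigate': 1, 'visited': 2, 'reset-password': 3}


def indicators(phish_url):
    """The three blocking granularities listed above: full URL, host, domain."""
    p = urlsplit(phish_url)
    host = p.hostname.lower()
    # Assumption: registrable domain = last two labels. A public-suffix list is
    # needed for names like example.co.uk; this sample keeps it simple.
    domain = '.'.join(host.split('.')[-2:])
    return {'url': phish_url, 'path': p.path, 'host': host, 'domain': domain}


def match_level(url, ind):
    """'url' (same host and path; the query is ignored because it is personalised per
    recipient), 'host', 'domain', or None. The suffix match on the domain deliberately
    does not hit look-alikes such as compromised-site.test.evil.example."""
    p = urlsplit(url)
    host = (p.hostname or '').lower()
    if host == ind['host']:
        return 'url' if p.path == ind['path'] else 'host'
    if host == ind['domain'] or host.endswith('.' + ind['domain']):
        return 'domain'
    return None


def find_connections(log_text, ind):
    """Step 2: which internal clients reached the phishing URL, its host or its domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        level = match_level(m['url'], ind)
        if level:
            hits.append({'client': m['client'], 'method': m['method'], 'level': level, 'url': m['url']})
    return hits


def triage(hits):
    """A POST to the phishing host means a form was submitted: force a password reset.
    A GET of the exact page means the user visited it; domain-level hits need a look."""
    verdict = {}
    for h in hits:
        if h['method'] == 'POST' and h['level'] in ('url', 'host'):
            v = 'reset-password'
        elif h['level'] == 'url':
            v = 'visited'
        else:
            v = 'investigate'
        if SEVERITY[v] > SEVERITY.get(verdict.get(h['client']), 0):
            verdict[h['client']] = v  # keep the most severe verdict per client
    return verdict


def related_messages(messages, reported, ind):
    """Steps 1 and 3: other copies of the campaign, matched by link, subject or sending IP,
    which are the same attributes the gateway block rules are built from."""
    out = []
    for mid, _recipient, subject, ip, url in messages:
        if mid == reported[0]:
            continue
        reasons = []
        level = match_level(url, ind)
        if level:
            reasons.append('link-' + level)
        if subject == reported[2]:
            reasons.append('subject')
        if ip == reported[3]:
            reasons.append('sender-ip')
        if reasons:
            out.append((mid, reasons))
    return out


if __name__ == '__main__':
    ind = indicators(MESSAGES[0][4])
    print(ind)
    print(triage(find_connections(PROXY_LOG, ind)))
    print(related_messages(MESSAGES, MESSAGES[0], ind))
```

Matching on the exact URL alone would miss every other recipient’s copy, since the address in the query string differs per message; that is why the page recommends blocking on host and domain as well, and why related_messages reports which of the three levels matched so the block rule can be written at the right width.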

Learn More

Don’t miss out on another threat! Sign up for PhishMe® Threat Alerts today and receive updates on new and emerging phishing and malware threats, completely free.