Customer Satisfaction Survey Leads to Credential Phishing

The Cofense™ Phishing Defense Center (PDC) has observed a phishing campaign masquerading as a Customer Satisfaction Survey from Cathay Pacific. Fake surveys are an old tactic, but the PDC has recently seen an increase in their use. Examining the following email will show you what to look out for.

At first glance, the email looks like a legitimate satisfaction survey. Offering a reward for completing a survey is common, so that alone is not an Indicator of Phishing (IoP). However, as shown in Figure 1, the “Click here – Participate and Win” link feels out of place, which is reason enough to investigate further.

Figure 1 – Received “Customer Satisfaction Survey” Report

As shown in Figure 2, the From field shows the email as coming from Cathay Pacific, using the address cathay[.]pacific[@]email[.]cathaypacific[.]com. The SMTP relay in the header (Figure 3) also presents itself as cathaypacific.com, but the relay’s IP address resolves to hostserv.eu, a European hosting provider. This is another indicator that the email could be suspicious: it is highly unlikely that Cathay Pacific would route its mail through a low-cost European hosting provider. The display name and From address are trivially spoofed, so the relay IP and its reverse DNS are the more reliable part of the header to check.

Figure 2 – Email Details

Figure 3 – Email Header
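The header check described above, worked through in code. This is an example added for this article, not Cofense tooling: it walks the Received chain of a constructed message whose relay announces a cathaypacific.com host name but whose IP reverse-resolves to a different provider, and flags that mismatch. The message, IP addresses, host names and PTR table are constructed stand-ins (the article only shows its real header as a figure), and the PTR lookup is a dictionary in place of socket.gethostbyaddr so the example runs offline.

```python
"""Flag SMTP relays that claim the sender's domain but reverse-resolve elsewhere.

Example code added for this article; not Cofense tooling. The raw message,
addresses, host names and PTR table below are constructed for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From and the second relay's HELO name claim cathaypacific.com,
# but that relay's IP reverse-resolves to a hosting provider (the pattern the
# article describes). The IP and PTR name are placeholders, not campaign indicators.
RAW_EMAIL = """\
Received: from mx.example-victim.net (mx.example-victim.net [198.51.100.7])
\tby inbox.example-victim.net with ESMTP id abc123; Mon, 30 Jul 2018 09:12:03 +0000
Received: from email.cathaypacific.com (vps-203-0-113-45.hostserv.example [203.0.113.45])
\tby mx.example-victim.net with ESMTP id xyz789; Mon, 30 Jul 2018 09:12:01 +0000
From: Cathay Pacific <cathay.pacific@email.cathaypacific.com>
Subject: Customer Satisfaction Survey
Content-Type: text/plain

Click here - Participate and Win
"""

# Stand-in for reverse DNS (socket.gethostbyaddr) so the example runs offline.
PTR_TABLE = {
    "198.51.100.7": "mx.example-victim.net",
    "203.0.113.45": "vps-203-0-113-45.hostserv.example",
}

# "from <helo> (<rdns> [<ip>])" as most MTAs write it; rdns may be absent.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[0-9.]+)\]\))?",
    re.IGNORECASE,
)


def registrable_domain(hostname: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for .com/.eu/.net; a real tool
    should use the Public Suffix List so that e.g. example.co.uk works."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def analyze_relays(raw_email: str, ptr_lookup=PTR_TABLE.get) -> dict:
    """Return the sender's registrable domain and one finding per relay hop.

    A hop is suspicious when the host name the relay announced (HELO) claims
    the sender's domain but the PTR record of its IP belongs to a different
    registrable domain (or there is no PTR at all)."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    hops = []
    for received in msg.get_all("Received", []):
        m = RECEIVED_RE.search(received)
        if not m or not m.group("ip"):
            continue  # no IP recorded for this hop; nothing to verify
        helo, ip = m.group("helo"), m.group("ip")
        ptr = ptr_lookup(ip) or ""
        helo_dom = registrable_domain(helo)
        ptr_dom = registrable_domain(ptr) if ptr else ""
        suspicious = helo_dom == sender_domain and ptr_dom != sender_domain
        hops.append({"helo": helo, "ip": ip, "ptr": ptr, "suspicious": suspicious})
    return {"sender_domain": sender_domain, "hops": hops}


if __name__ == "__main__":
    report = analyze_relays(RAW_EMAIL)
    for hop in report["hops"]:
        verdict = "SUSPICIOUS" if hop["suspicious"] else "ok"
        print(f"{verdict:10} helo={hop['helo']} ip={hop['ip']} ptr={hop['ptr'] or '-'}")
```

Received headers are read top-down, so the first hop is the recipient’s own edge and the second is the forged relay; only the latter is flagged. Swap `PTR_TABLE.get` for a wrapper around `socket.gethostbyaddr` to run this against real mail.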

Opening the “Click here – Participate and Win” link directs the user to hxxp://syconst[.]com/ebv/[.]uk/CathayP/. The threat actors have done a good job of making the survey look like the legitimate Cathay Pacific website. Figure 4 shows a comparison of the fake and genuine sites.

Figure 4 – Website comparison

On closer inspection of the fake website, its header turns out to be a single image rather than real navigation, so none of the apparent links can be clicked (Figure 5).

Figure 5 – HTML View of Fake Survey Page

Figure 6 – Credit/Debit Card Details Page

After the survey questions, the victim is taken to a page requesting credit/debit card details (Figure 6) and is also required to select the card issuer. In this specific campaign, the threat actors target the following banks:

  • Hang Seng Bank
  • Citibank
  • Hongkong and Shanghai Banking
  • HSBC UK
  • Standard Chartered Bank
  • DBS Bank
  • Dah Sing Bank
  • UnionPay Card

After submitting the credit/debit card details, the victim is redirected to a fake “Verified by Visa – MasterCard SecureCode” page that tricks the user into thinking the details submitted are processed by Visa and MasterCard (Figure 7).

Figure 7 – Fake Visa/MasterCard Verification Page

Based on the selected credit card issuer, the victim is automatically redirected to another fake site that appears to be from the bank they chose. If the card issuer is not listed and the field is left blank, an error message appears, and the victim is redirected to the start of the survey.

Figure 8 shows the landing page for UnionPay which asks the victim to provide additional details such as email address and mobile number.

Figure 8 – UnionPay Landing Page

In Summary: Nothing New, But Still Effective

While Customer Survey Phishes are nothing new and have been around for years, we have recently observed an increase in such reports. Nowadays, threat actors deliver phishing campaigns that at first seem to be non-malicious as they include formatting and logos that make them look like valid emails from the company. The email and the surveys may also be customized to resemble the organisation’s genuine website. No matter how sophisticated the phishing campaigns are, they all follow the same old tactic:

The victim is first presented a form containing “bogus” questions, where often a response is not required. The victim is then prompted to supply credit/debit card details to supposedly receive the reward for completing the survey. However, this is entirely imaginary, and all information provided is collected and used by the threat actors.

Users should be very cautious of any message that promises a payment or reward for completing a survey. While companies certainly conduct surveys and sometimes offer a reward to participants, it is extremely unlikely that anyone would pay a substantial amount for completing a short and rather insignificant survey.

Tips to spot suspicious emails:

  • Check the email for grammatical errors—if there are any, there is a high probability that the survey is not genuine
  • Don’t open attachments! Even a genuine looking PDF can contain malware
  • Hover over a link to see where it really takes you and be cautious as there may be subtle differences between the fake URL and the genuine URL
  • Organisations won’t ask for your bank details, credit card information, or other personal information in exchange for money or free gifts

To stay on top of the latest phishing and malware threats, sign up for free Cofense Threat Alerts.

Indicators of Compromise (IOCs):

Malicious URLs:
hxxp://syconst[.]com/ebv/[.]uk/CathayP/surv1[.]htm
hxxp://syconst[.]com/ebv/[.]uk/CathayP/surv2[.]htm
hxxp://syconst[.]com/ebv/[.]uk/CathayP/surv3[.]html
hxxp://syconst[.]com/ebv/[.]uk/CathayP/surv4[.]html
hxxp://syconst[.]com/ebv/[.]uk/CathayP/Table[.]html
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/HENG/SENG[.]html
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/HENG/go[.]php
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/CITI/CITIBANK[.]html
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/CITI/go[.]php
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/HK/DNA[.]html
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/HK/dna[.]php
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/SC/SC[.]html
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/SC/OCB[.]html
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/SC/go[.]php
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/DBS/DBS[.]html
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/DBS/go[.]php
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/DAH/DAH[.]html
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/DAH/go[.]php
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/UnionPay/UnionPaym[.]html
hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/UnionPay/uws[.]php

Associated IP:
211[.]43[.]203[.]23
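A way to put the indicators above to work, as an example added for this article (not Cofense’s own code): it refangs the published URLs and IP into the form they take in web-proxy logs, hunts for them, and also applies the hover-over-the-link advice from the tips above by checking whether a host that contains the brand name actually sits under the brand’s registrable domain. Only a subset of the IOC list is embedded, the BRAND_DOMAIN constant and the Squid-style log lines are constructed inputs for the demonstration, and the lookalike host in the log is invented and is not an indicator from this campaign.

```python
"""Refang the article's defanged IOCs and hunt for them in web-proxy logs.

Example code added for this article, not Cofense tooling. The IOC strings are
a subset of the list published above; the proxy log lines are constructed.
"""
from urllib.parse import urlsplit

# Subset of the article's IOC list, kept in defanged form as published.
DEFANGED_IOCS = [
    "hxxp://syconst[.]com/ebv/[.]uk/CathayP/surv1[.]htm",
    "hxxp://syconst[.]com/ebv/[.]uk/CathayP/Table[.]html",
    "hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/UnionPay/UnionPaym[.]html",
    "hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/UnionPay/uws[.]php",
]
IOC_IP = "211[.]43[.]203[.]23"
BRAND_DOMAIN = "cathaypacific.com"  # assumption: the domain the lure impersonates


def refang(indicator: str) -> str:
    """Undo the usual defanging conventions: hxxp -> http, [.] -> ., [:] -> :."""
    return (indicator.replace("hxxps", "https").replace("hxxp", "http")
            .replace("[.]", ".").replace("[:]", ":"))


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); use the Public Suffix List in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def build_matcher(defanged_urls, defanged_ips) -> dict:
    """Index the IOCs the way proxy logs present them: host+path (scheme dropped,
    so http/https variants both match), bare host, and destination IP."""
    urls, hosts = set(), set()
    for u in defanged_urls:
        parts = urlsplit(refang(u))
        hosts.add(parts.hostname.lower())
        urls.add(parts.hostname.lower() + parts.path)
    return {"urls": urls, "hosts": hosts, "ips": {refang(ip) for ip in defanged_ips}}


# Constructed Squid native access log:
# time elapsed client action/code size method URL ident hierarchy/from type
PROXY_LOG = """\
1532945523.101 120 10.0.0.12 TCP_MISS/200 5120 GET http://www.cathaypacific.com/cx/en_HK.html - HIER_DIRECT/203.0.113.10 text/html
1532945530.555 310 10.0.0.12 TCP_MISS/200 8431 GET http://syconst.com/ebv/.uk/CathayP/surv1.htm - HIER_DIRECT/211.43.203.23 text/html
1532945541.002 280 10.0.0.12 TCP_MISS/200 2210 POST http://syconst.com/ebv/.uk/CathayP/VB/UnionPay/uws.php - HIER_DIRECT/211.43.203.23 text/html
1532945560.730 95 10.0.0.34 TCP_MISS/200 990 GET http://cathaypacific.com.example-lookalike.net/survey - HIER_DIRECT/198.51.100.9 text/html
1532945570.001 60 10.0.0.55 TCP_MISS/200 1200 GET http://other.example/ - HIER_DIRECT/211.43.203.23 text/html
"""


def classify(line: str, matcher: dict, brand_domain: str) -> dict:
    """Return the URL, destination IP and the list of reasons the line is interesting."""
    fields = line.split()
    url, dst = fields[6], fields[8].split("/")[-1]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host + parts.path in matcher["urls"]:
        reasons.append("ioc_url")
    elif host in matcher["hosts"]:
        reasons.append("ioc_host")      # same kit host, a path we have not seen yet
    if dst in matcher["ips"]:
        reasons.append("ioc_ip")        # catches the host moving to a new name
    # Brand name inside the host but outside its registrable domain is a lookalike,
    # the "subtle difference" the hover-over-the-link tip warns about.
    if brand_domain in host and registrable_domain(host) != brand_domain:
        reasons.append("brand_lookalike")
    return {"url": url, "dst": dst, "reasons": reasons}


def hunt(log_text: str, matcher: dict, brand_domain: str = BRAND_DOMAIN) -> list:
    """Return one record per log line that matched at least one rule, in log order."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            result = classify(line, matcher, brand_domain)
            if result["reasons"]:
                hits.append(result)
    return hits


if __name__ == "__main__":
    for hit in hunt(PROXY_LOG, build_matcher(DEFANGED_IOCS, [IOC_IP])):
        print(",".join(hit["reasons"]).ljust(22), hit["dst"].ljust(16), hit["url"])
```

The genuine www.cathaypacific.com request produces no hit, the two kit URLs match on both URL and IP, the lookalike host trips only the brand rule, and the last line shows why the IP indicator is worth keeping: it fires even when the kit is reached under a host name not on the list.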


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.


Cofense SOARs Above Existing Security Orchestration and Automation Offerings Leveraging Human-Intelligence to Stop Active Cyber Attacks

Global human-phishing defense leader introduces new phishing SOAR platform to quickly stop phishing attacks in progress more efficiently 

Leesburg, VA – July 30, 2018 – Cofense™, the leading provider of human-driven phishing defense solutions worldwide, today announced the introduction of the industry’s first Phishing-Specific Orchestration, Automation and Response (SOAR) platform to help organizations identify and disrupt active phishing attacks in progress. The Phishing SOAR platform combines the power of improved Cofense Triage™ with a new product, Cofense Vision™ to improve the effectiveness and efficiency of phishing incident response efforts.

Recent news such as the ZeroFont exploit has demonstrated threat actors’ abilities to easily stay ahead of next-generation email security technology. Additionally, the FBI just announced Business Email Compromise (BEC) losses are expected to total $12.5 billion by the end of 2018. While it’s important for organizations to have a contextually-aware workforce of humans, security awareness alone isn’t enough to combat today’s top threats. By coupling human intuition with leading-edge technology, Cofense delivers an intelligence-fed Phishing SOAR platform designed to find and eliminate active phishing threats utilizing fewer resources – even if the attacks bypass perimeter defenses.

Orchestrate and Automate Your Phishing Defense

Cofense Triage enables security teams to quickly stop phishing attacks in progress. By leveraging real-time, internally reported attack intelligence from conditioned users, Incident Response and Security Operations teams can assess, analyze, and remediate active phishing threats. Recent enhancements to Cofense Triage help organizations to respond to threats faster and using fewer resources by eliminating abuse mailbox noise and speeding the automation of responses with playbooks and orchestration across additional security platforms:

  • Orchestrate with API integrations and Noise Reduction: Cofense Triage integrates out of the box with nearly two dozen existing security solutions and offers a fully documented REST API for integrating with others, delivering an optimized security orchestration response. Additionally, Cofense Triage Noise Reduction uses an industry-leading spam engine to review, score, and categorize emails, cutting down the noise so analysts can hunt threats faster.
  • Automate with Playbooks and Workflows: Tactics, techniques and procedures used by threat actors are often repeated by multiple adversaries, so Playbooks for Cofense Triage can define a set of criteria that, when met, execute a response to mitigate risk, e.g. key notifications, new help desk tickets, proxy block requests and more. Incident responders can now stop an attack in progress more efficiently and swiftly.

Speed Response and Mitigation of Active Attacks

Regardless of how much is invested in “next-generation” technologies, malicious emails still make it past perimeter and endpoint defenses. Cofense Vision helps mitigate an identified threat and its potential impact by determining where else that email is lurking within your organization: it stores, indexes, and enriches email messages for fast querying and quarantining before any damage occurs:

  • Find the entire phishing campaign and dig deeper. Cofense Vision Discover can quickly find all suspicious emails across an entire organization. Messages can be queried based upon sender, subject and date, as well as the attachment name, attachment hash and more. As threat actors alter their techniques, operators can hunt and find attacks with similar patterns.
  • Remove malicious emails and end the threat. Once all of the messages within an organization are discovered, Cofense Vision Quarantine makes it possible to quarantine the malicious messages in Microsoft Exchange and Office 365 from all user inboxes with one simple click.

“Our research demonstrates that silver-bullet security technologies don’t exist… It’s not a question of when an organization will be phished, but rather how quickly and effectively can they respond to the threat,” said Aaron Higbee, co-founder and CTO of Cofense. “Nearly a decade ago, PhishMe® created the phishing simulation market to improve employee resiliency against phishing. With our evolution into Cofense, we are proud to continue to lead this space by introducing Cofense Vision, the newest component of our Phishing-Specific Orchestration, Automation and Response platform, to uniquely mobilize phishing-aware humans to disrupt attacks.”

Cofense will be demonstrating their new Phishing SOAR platform at the Black Hat 2018 conference, taking place in the Mandalay Bay Convention Center in Las Vegas, Nevada on August 8-9, booth #936. Cofense Vision is expected to be available for customers in Q4 2018. To schedule a demo, please sign up at https://cofense.com/triage-soar-release.

For more information about Cofense Vision, please visit: https://cofense.com/vision

For more information about Cofense Triage, please visit: https://cofense.com/triage-soar-release

About Cofense

Cofense™, formerly PhishMe®, is the leading provider of human-driven phishing defense solutions world-wide. Cofense delivers a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise. To learn more, visit https://cofense.com/.

The El Camino Effect in Anti-Phishing Training

Too often in anti-phishing training, or phishing defense in general, companies look for the wrong threats. That’s understandable to a degree, given that attackers constantly shift their tactics. But it’s still a problem if, to use a bank heist metaphor, you’re looking for robbers who drive a Camaro vs. an El Camino.

Without training based on the latest and most relevant threats, you’ll increase the odds the bad guys get away. Sometimes when that happens, users unfairly get blamed. Not cool. As anti-phishing program administrators, it’s our responsibility to empower folks to succeed.

Understanding the El Camino Effect

To better frame a holistic (strategic) approach to stopping phishing attacks, we need to understand the basic model outlined below. It shows why technology—normally the first line of phishing defense—will continue to be challenged and subverted by criminal actors.

The model shows how companies typically approach cyber-security with technology, along with the workaround attackers use. Imagine for a moment that several banks, the stand-in for users in this model, have been robbed by a gang of thieves driving a red Camaro.

The immediate response by security professionals (the police): be on the lookout for that red Camaro. Intelligence will be updated; firewalls and email gateways will be set to identify and stop further Camaro attacks in progress.

This is a good thing and exactly how technology should be utilized, but a significant gap in coverage remains. We must ask ourselves: what happens when the gang dumps the red Camaro and begins driving the blue El Camino instead?

An even more challenging question: are we really going to blame the banks (our users and victims) for being robbed because our security systems were looking for the Camaro instead of the El Camino? The same question applies to anti-phishing programs. Does it make sense to point fingers at users whose training isn’t as relevant as it needs to be?

Don’t Blame the Victims!

The answer, of course, is no. While I personally believe that improved anti-phishing requires appropriate use of the carrot and stick, it’s critical that any reinforcement achieves the results you want.

In anti-phishing, the focus needs to be on user reporting, not susceptibility. Understand that users are your last line of defense prior to a breach in the phishing kill chain. Rewarding them for reporting rather than falling victim is key to maintaining positive engagement and increased reporting of suspicious emails.

Too often, I see organizations go too far in the other direction, being too aggressively punitive. Again, it’s fine to use the stick as well as the carrot, but not if it places blame on people who were trained to look for a Camaro and missed the El Camino. Let’s be clear about who’s to blame: first and foremost, the criminal hackers. And the responsibility for stopping them starts with us, the phishing awareness professionals, not our users.

A better solution begins when we understand (and admit to ourselves) that attacks will make it past perimeter defenses. Any assumption that technology alone will stop an attack is, quite frankly, irresponsible.

As the El Camino model demonstrates, any bank would (and by the way, most do) implement a response strategy for those times the criminals bypass the early warning and mitigation capabilities. Banks utilize silent alarms, activated and monitored by people, to protect against and respond to robberies in progress.

Anti-phishing programs need to do the same.

Collaboration is Key

At conferences over the last few years, security vendors have pushed a new silver bullet— machine learning and artificial intelligence. Honestly though, we should be learning a key lesson from decades of security breaches and the history of change in associated technology.

That lesson is simple: no single technology investment will stop all attacks on our networks and users.

Further, we need to recognize the leading security issue of our time: human interactions with and management of available technology. Put simply, we can no longer ignore the fact that criminal actors, security professionals, and victims are all people doing their best either to subvert or harden the protection of personal (private) and corporate (confidential) data and communications.

It is at this intersection of technology and people where we can achieve the most gains in cyber-security.

The first step is to implement solutions that empower not just awareness but the user’s capability to recognize, report, and mitigate threats. Working with your security teams, you need to base awareness training on active threats, whether they’re Camaros, El Caminos, or Ram trucks.

I have seen this collaborative, user-integrated model achieve stunning results, over and over and over. If we really want to stem the rising tide of breaches, we can’t make criminals of victims. Instead, let’s combine our security technology with well-trained humans. Let’s empower everyone to succeed—except the guys in the El Camino.

To learn more about phishing awareness effectiveness, view the 2017 Cofense™ Phishing Resiliency and Defense Report.


Why You Need to Keep Brands Out of Phishing Simulations

The top 4 brands in the world—Apple, Google, Microsoft, and Facebook—are worth over $500B. Not the operations of those brands, not their proprietary technology, or their real estate—the brands alone. When something is that valuable, companies protect it zealously. They monitor how their brands are used and take action to defend them.

Cofense stands firm on not allowing third-party brands or logos to be used in our phishing simulations without prior express permission. There are times when we partner directly with specific brands and organizations on the official inclusion of their brand assets in simulation content, where it makes sense for something like an enterprise-targeted phishing simulation. However, this is done in strict strategic collaboration with the brand’s legal and executive counsel to ensure that the mission and strategy of protecting both our own brand and reputation and those of our strategic brand partners is maintained throughout the entire exercise.

Who’s Got Access? “Value at Risk” Anti-Phishing

Part 3 of 3 

So far, we have looked at the concept of “value at risk” (VAR) and how it applies to anti-phishing. We’ve seen how this model can guide your anti-phishing program by focusing on the value of assets you protect. We’ve also examined ways to translate your organization’s data to dollars, which is useful if you’re responsible for data oversight and governance—in other words, it helps to know where data might live and the (estimated) value of digital assets should a breach occur.  

A Very Convincing Tax-Rebate Phishing Campaign Is Targeting UK Users

The Cofense™ Phishing Defence Center has observed a convincing new phishing campaign targeting taxpaying UK nationals. The threat actors posing as Her Majesty’s Revenue and Customs (HMRC) have imitated the Government Gateway tool which is commonly used by UK citizens to access government services online. The threat actor attempts to convince victims that they are due a tax rebate of £458.21 using the lure below.

This “Man in the Inbox” Phishing Attack Highlights a Concerning Gap in Perimeter Technology Defenses

“Man in the Inbox” phishing attacks come from compromised email accounts. They look like someone from within a business, for example the HR director, sent an email directing employees to do something legitimate—like logging onto a fabricated page to read and agree to a corporate policy. When employees log on, the attackers harvest their credentials. These attacks are yet another example of increasingly sophisticated credential phishing.