This Phishing Attacker Takes American Express—and Victims’ Credentials

Recently, the CofenseTM Phishing Defense CenterTM observed a phishing attack against American Express customers, both merchant and corporate card holders. Seeking to harvest account credentials, the phishing emails use a relatively new exploit to bypass conventional email gateway URL filtering services.

UK Banking Phish Targets 2-Factor Information

Recently, the Cofense Phishing Defense Center observed a wave of phishing attacks  targeting TSB banking customers in the UK. We found these consumer-oriented phishing emails in corporate environments, after the malicious messages made it past perimeter defenses.

The convincing emails aimed to harvest an unsuspecting victim’s email, password, mobile numbers, and the “memorable information” used in two-factor authentication. If someone were to bite on the phish, they would be open to follow-up phone scams or the complete takeover of their bank account and credit cards.

Most UK banks implement two-factor authentication. They require users to set a standard password and a piece of memorable information, which users authenticate with their user name and password. Users are then asked to provide three random characters from their memorable information. This does two things to help improve the security of your bank account:

  1. It can help mitigate against man in the middle attacks, as any intercepted data would only reveal partial fragments of the memorable information.
  2. If a user’s email address and password combination has been leaked online, it provides an extra barrier for attackers attempting to access their accounts.

Again, if successful this phish could help the attacker evade these extra controls. Here’s how it works:

Email Body:

The attacks begins with an email purporting to be from the TSB customer care team, informing the customer that a new “SSL server” has been implemented to prevent access to customer accounts by third parties. It then asks the user to update their account information by clicking on the conveniently placed hyperlink.

Fig 1. Phishing Email

Headers:

To add authenticity to the attack, the threat actors have spoofed the sending information to make the email appear to come from the sender customercare[@]tsb[.]co[.]uk If we correlate this with the message ID, we can see that it actually originated from the ttrvidros[.]com[.]br a Brazilian registered domain.

From: TSB Bank <customercare[@]tsb[.]co[.]uk>
To: "MR, Example" <example@cofense.com>
Subject: EXTERNAL: Account Update Notice
Thread-Topic: EXTERNAL: Account Update Notice
Thread-Index: AQHVJzUy0rKRdi+45UWU8FPBrgSqiQ==
X-MS-Exchange-MessageSentRepresentingType: 1
Date: Thu, 20 Jun 2019 06:55:28 +0000
Message-ID: <5630c1ff905b65891e435ec91b8a1390[@]www[.]ttrvidros[.]com[.]br>
Content-Language: en-GB

Fig 2. Header Information

Phishing Page:

The malicious page shown below on fig3 is almost identical to TSB online banking portal. The first page is directed to ask for a User ID and password.

Fig 3. Phishing Page 1

The victim is then asked to supply characters from their memorable information. This is typically a word that is memorable to the user and six characters or longer, usually a pet’s name, mother’s maiden name, or a favorite city or sports team. It is standard practice to only provide three characters of your memorable information. However, this is just a clever ruse to gain the confidence of the victim.

Fig 4. Phishing Page 2

The user is then redirected to a fake error page that states, “There is a problem with some of the information you have submitted. Please amend the fields below and resubmit this form.” Afterward, the form asks the victim for the full memorable information and the mobile phone number. Armed with the victim’s user-ID, password, memorable information, and phone number an attacker can easily gain access to the victim’s bank account and credit cards through the online portal—or perhaps more worryingly, they can utilize this information to launch a social engineering campaign over the phone, commonly referred to as vishing (Voice Phishing).

Fig 5. Phishing page 3

Gateway Evasion:

This threat was found in an environment running Microsoft Exchange Online Protection (EOP) which provides built-in malware and spam filtering capabilities it is intended to screen inbound and outbound messages from malicious software spam transferred through email. 

Learn More

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe™, which among many training scenarios offers an “Account Update Notice” phish to prepare for the type of credential attack examined in this blog post.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense Reporter™.

Quickly turn user reported emails into actionable intelligence with Cofense Triage™. Reduce exposure time by rapidly quarantining threats with Cofense Vision™.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker™.

Thanks to our unique perspective, no one knows more about the current REAL phishing threat than Cofense™. To improve your understanding, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Double Duty: Dridex Banking Malware Delivered with RMS RAT

Cofense IntelligenceTM analyzes millions of emails and malware samples each day to alert organizations to emerging phishing threats. Thanks to our expansive view of the threat landscape, we recently were able to discover and investigate a campaign impersonating eFax that appeared to have an attached Microsoft Word document. The attachment was a .zip archive which contained a .xls Microsoft Excel spreadsheet. This spreadsheet included an Office macro which, when enabled, was used to download and execute two malicious executables: samples of Dridex and Remote Manipulator System Remote Access Tool (RMS RAT).

What’s notable: By delivering a banking trojan and a RAT, the threat actors are able to use the banking trojan purely for credential stealing via browsers and use the RAT for more complex management of the infected computer. Dridex may be able to handle some of the machine management tasks, but by using RMS RAT and Dridex for separate purposes threat actors can more efficiently accomplish their tasks. And having both available provides a backup communication channel in case one of the malware families is detected and removed.

RMS RAT Features

RMS RAT is a legitimate remote access tool appropriated for malicious use by threat actors. RMS RAT has a large number of features that include logging keystrokes, recording from the webcam or microphone, transferring files, and manipulating Windows Task Manager and other Windows utilities. This multi-featured tool allows for significant control of a compromised computer as well as multiple methods of information gathering. Due to its legitimate origins and usage of legitimate components, not all endpoint protection suites will immediately detect this tool as malicious, which allows threat actors more time to establish a foothold in the infrastructure.

Dridex Web Injects

Banking trojans often target a large number of websites and use different kinds of scripts for different targets. Some banking trojans will even share the same scripts and targets with other banking trojans. When a victim on an infected machine visits one of the targeted websites in an internet browser, the script will be “injected” into the browser. This allows the threat actor to steal information entered, redirect traffic, bypass multi-factor authentication, and even provide additional “security questions” to obtain information from the victim. In this case, the web injects used by Dridex were unusual because of both the large number of possible web inject scripts and the fact that some of the web injects were labeled as being from the Zeus banking trojan.

There are three types of web injects used in this case. The first type is used to hide or display content on certain web pages, making it possible to insert additional requests for personal questions used to verify banking accounts. The second type monitors the URLs visited by the browser and downloads additional files; the web injects labeled as Zeus fall in this category. Both of these web injects come hard coded into the original malicious binary. The third type of web inject is downloaded from a remote host and often has more capabilities, including greater information-gathering capacity.

Web injects in this sample of Dridex target a variety of websites:

  • The first set targets crypto currency websites such as coinbase[.]com and banking websites such as hsbc[.]co[.]uk and synovus[.]com. The web injects for these targets are downloaded from the same command and control location, 144[.]76[.]111[.]43.
  • A second set of web injects targets e-commerce websites, including paypal[.]com and bestbuy[.]com, and is sourced from a different location: akamai-static5[.]online. The threat actor’s use of this particular domain name is clever because it is similar enough to an Akamai network domain name that the domain might not be reported because it looks legitimate.
  • The final set of web injects are tagged as “Zeus” injects. The use of these injects is particularly unusual because several of the targeted websites overlap with those in other web injects, such as paypal[.]com and amazon[.]com.

By using multiple types of web injects, and in some cases duplicating websites of other web injects, the threat actors have a wide variety of possible targets at their disposal. Using both old and new web injects can also help threat actors target information even when the structure of the webpages’ URL has changed over time.

Threat Results and a Look Ahead:

The dual-pronged attack in this case provided the threat actors with multiple methods of compromise, access to data, and some resistance to traditional endpoint protections. RMS RAT provided remote access, key logging, and credential stealing. And using different types of web injects enabled threat actors to utilize some of the features of Zeus to improve the capabilities of Dridex. Each different type of web inject also made use of a different command and control location to provide information, which can help make the threat actor’s infrastructure more resilient.

Knowing all of the possible threats in combination rather than those seen individually can help organizations prepare for and defend against threats. Training employees to spot and report possible phishing messages can help stop malware from making it to an endpoint and prevent threat actors from ever establishing a foothold.

Learn More

See how Cofense Intelligence analyzes and processes millions of emails and malware samples daily so security teams can easily consume phishing-specific threat intelligence. Discover how to proactively defend your organization against evolving phishing attacks and the latest malware varieties.

Appendix:

Table 1: List of potential web inject source

Web Inject Sources
hxxps://144[.]76[.]111[.]43:443/5/amex_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/5/bbt_biz_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/5/bbt_corp_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/5/bmo_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/5/bnycash_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/5/bremer_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/5/pnc_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/5/scotiabank_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/5/tdbank_tdetreasury_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/510/tiquani_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/amama_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/amunba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/atonbu_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/bacana_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/bahaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/bokafi_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/bomobo_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/buliba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/camaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/camaci_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/camana_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/cibaca_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/cobaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/cobuba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/emriba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/ewaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/facosa_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/famaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/finiba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/fumaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/hacaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/hasaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/hasaba_uk_pers_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/iboaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/inruba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/irisoba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/katata_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/lakala_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/lemiba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/madaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/magaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/matawa_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/mecoma_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/moboma_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/osv_cetiba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/osv_fasaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/osv_sabatu_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/osv_tobipu_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/pawaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/peniba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/pocoba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/povaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/rabaca2_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/rabaca_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/rasaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/satara_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/secaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/sigaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/socoba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/synova_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/tadaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/todoba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/ubatra_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/unbaba_l4R5Ej69o91Bc3ja/
hxxps://144[.]76[.]111[.]43:443/520/wabaca_l4R5Ej69o91Bc3ja/
hxxps://akamai-static5[.]online/appleadmin/gate[.]php
hxxps://akamai-static5[.]online/bestbuyadmin/gate[.]php
hxxps://akamai-static5[.]online/costcoadmin/gate[.]php
hxxps://akamai-static5[.]online/ebayadmin/gate[.]php
hxxps://akamai-static5[.]online/neweggadmin/gate[.]php
hxxps://akamai-static5[.]online/ppadmin/gate[.]php
hxxps://akamai-static5[.]online/samsclubadmin/gate[.]php
hxxps://akamai-static5[.]online/walmartadmin/gate[.]php
hxxps://bustheza[.]com/lob[.]php
hxxps://cachejs[.]com/lob[.]php
hxxps://46[.]105[.]131[.]77:443/B88U86giIPyD55RK/
hxxps://46[.]105[.]131[.]77:443/ehf9i7ywh5kdyu50/
hxxps://46[.]105[.]131[.]77:443/xobj6j20x84lhk3x/

Table 2: Command and control hosts (C2)

RMS RAT C2
217[.]12[.]201[.]159:5655
Dridex C2
hxxps://71[.]217[.]15[.]111:443/
hxxps://97[.]76[.]245[.]131:443/
hxxps://24[.]40[.]243[.]66:443/
hxxps://159[.]69[.]89[.]90:3389/
hxxps://159[.]89[.]179[.]87:3389/
hxxps://62[.]210[.]26[.]206:3389/

Table 3: Payload locations

Office Macro Payloads
hxxp://topdalescotty[.]top/filexxx/wiskkk[.]exe
hxxp://topdalescotty[.]top/filexxx/wotam[.]exe

 

All third-party trademarks referenced by Cofense™ whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Under the Radar – Phishing Using QR Codes to Evade URL Analysis

Phishing attacks evolve over time, and attacker frustration with technical controls is a key driver in the evolution of phishing tactics.

In today’s modern enterprise, it’s not uncommon for our emails to run the gauntlet of security products that wrap or scan embedded URLs with the hope of finding that malicious link. Products like Proofpoint URL Defense, Microsoft Safe Links, and Mimecast URL Protect hope to prevent phishing attacks by wrapping or analyzing URLs.  These technologies can only be effective IF they can find the URLs in the first place.

Fast forward to this week where our Phishing Defense Center™ stopped a phishing campaign aimed at customers in Finance. The analysis below outlines the attacker’s use of a URL encoded in a QR code to evade the above-named technologies.  While you’ve probably seen QR codes in your everyday life, this might be the first time you are seeing QR codes used as a phishing tactic.

The Phish:

The email itself is relatively simple. It poses as a pseudo SharePoint email with the subject line: “Review Important Document”. The message body invites the victim to: “Scan Bar Code To View Document”. The only other visible content is a tantalizing QR code that a curious user may be tempted to scan.

Figure 1, Email Body

The message body in plain text consists of several basic HTML elements for styling and an embedded .gif image file of the QR code. Very basic, but very effective.

When the QR code is decoded we can see that that it contains a phishing URL: hxxps://digitizeyourart.whitmers[.]com/wp-content/plugins/wp-college/Sharepoint/sharepoint/index.php

Most smartphone QR code scanner apps will instantly redirect the user to the malicious website via the phone’s native browser. In this case the victim would be redirected to a SharePoint branded phishing site. The victim is then confronted with options to sign in with AOL, Microsoft, or “Other” account services. While this sounds like a simple phish, there is a more nefarious tactic in play: removing the user from the security of a corporate business network.

Figure 2, Phishing site

Standard Security Controls Circumvented:

By enticing the victim to pull out their smartphone and scan the QR code the attacker manages to evade standard corporate security controls. Secure email gateways, link protection services, sandboxes, and web content filters no longer matter because the user is now interacting with the phishing site in their own security space: their mobile phone. And yes, the phishing site is optimized for mobile viewing. Here’s a glance at what the site looks like on a smartphone:

Figure 3, Phishing page viewed on phone

Though the user may now be using their personal device to access the phish, they are still in the “corporate” mindset as the original email was received at their business email address. Therefore, it is highly likely that the victim would input their corporate account credentials to attempt to access this “document”. 

Gateway Evasion:

This attack was observed passing through an environment utilizing Symantec Messaging Gateway. When scanned, the message was deemed “Not spam” by the system as seen in Fig 4 below.

Figure 4, Email Header Snippet

Conclusion:

In the past QR codes were reserved for geeks on the bleeding edge of technology. Today we interact with QR codes more and more as we cut the cord on cable, setup home internet devices, transact crypto currencies, etc…  Will QR codes be a common phishing tactic of the future? Time will tell.  But THIS phishing attack that snuck past best in class phishing technologies was only stopped by an informed, in tune human, who reported it with Cofense Reporter ™ , so that their security teams could stop it.

Today over 90% of phishing threats observed by the Cofense Phishing Defense Center ™ bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe ™ and remove the blind spot with Cofense Reporter.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Phishing Attacks on High Street Target Major Retailer

By Jake Longden

The Cofense Phishing Defense Center™ has observed a phishing campaign that purports to be from Argos, a major retailer in the UK and British High Street. During 2018, Argos was the subject of a large number of widely reported phishing scamsi; this threat specifically targets Argos customers for their personal information and looks like a continuation of what was seen last year.

With the goal of stealing your store credit card and login information, here’s how it works:

All third-party trademarks referenced by Cofense™ whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Fig 1. Email Body

Email Body:

The message itself follows a standard phishing template to inform the user that their account has been restricted and that user sign in is required for verification. The use of bad grammar and typos are a dead giveaway that this email communication is not genuine.

Message body in plain text:

In reviewing the body of the email, we see the hyperlink for “Sign into your account” which directs the potential victim to: hxxps://www[.]argos[.]co[.]uk[.]theninja[.]gknu[.]com/www[.]argos[.]co[.]uk/account-login/

The attacker repeatedly used the string of the legitimate Argos site in the URL, both as part of the subdomains, and as a subdirectory. This was an attempt to mask the true source, and to lure the victim into trusting the legitimacy of the website.

Upon examination, we see that the link is wrapped by a URL filtering service.

href="hxxps://clicktime[.]symantec[.]com/3AuyExDNpRSjkQbgT2gXygH6H2?u=hxxps://www[.]argos[.]co[.]uk[.]theninja[.]gknu[.]com/www[.]argos[.]co[.]uk/account-login/" target="_blank" rel="noopener"><span class="ox-dad7652f0e-m_609589041267919212link-blue ox-dad7652f0e-m_609589041267919212MsoHyperlink ox-dad7652f0e-m_609589041267919212MsoHyperlinkFollowed">SIGN
INTO YOUR ACCOUNT

Fig 2. Email Body in Plain Text

 

Email Headers:

Analysis of the headers indicates that the “from” address is spoofed; the “reply to” field contains the address ‘no-reply[@]creativenepal[.]org’, which does not match ‘no-replays[@]multitravel.wisata-islam[.]com’.

Research on the ‘multitravel.wisata-islam’ domain failed to produce relevant data and reinforces the suspicion that the address is spoofed. At the time of analysis, we were unable to resolve an IP address, or load the domain.

From: <no-replays[@]multitravel[.]wisata-islam[.]com>
To: <xxxx.xxxxxx@xxxxxx.com>
Subject: [WARNING SUSPECTED SPAM]  [WARNING SUSPECTED SPAM]  Please make sure
 you complete the form correctly.
Thread-Topic: [WARNING SUSPECTED SPAM]  [WARNING SUSPECTED SPAM]  Please make
 sure you complete the form correctly.
Thread-Index: AQHVIXUk7CjiCOKjHEyntcvh4etMFg==
Date: Wed, 12 Jun 2019 23:18:17 +0000
Message-ID: <7d885f411da93272271ec8ad32e5064b@localhost.localdomain>
Reply-To: <“:no-reply”[@]creativenepal[.]org>

Fig 3. Email Headers

Phishing Page:

Once the user clicks on the “Sign into your account” hyperlink, they are redirected to a convincing imitation of the true Argos login page requesting the victims’ Username and Password.

This then leads the user to a second page, where the user is requested to supply details for their Argos store credit card account. This page follows the standard format for regular credit/debit cards with one key difference: the additional request for a ‘Card Amount’. This request is specific to the Argos Card as referenced in the copy: “The Argos Card lets you shop at Argos, with flexible payment plans that give you longer to pay” (see: https://www.argos.co.uk/help/argos-card/apply). This deviates from standard forms by asking the user for their credit limit.

 

 

Fig 4. Phishing Page

Gateway Evasion:

This campaign has been observed to pass through the ‘Symantec Messaging Gateway’.

We can see the influence of the Email gateway which injected ‘Warning Suspected Spam’ headers to the Subject Line and incorrectly presented this phish as a benign marketing email, and not a phishing attempt.

Conclusion:

To help protect against this type of credential phish, Cofense PhishMe™ offers a template called “Account Limitation.”

This credential phish eluded gateways and was actually mis-identified as harmless marketing spam. In fact 75% of threats reported to the Cofense Phishing Defense Center are Credential Phish. Protect the keys to your kingdom – condition end users to be resilient to Credential Harvesting attacks with Cofense PhishMe.

 

All third-party trademarks referenced by Cofense™ whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

i Google Search “Argos Data Breach 2018”

Houdini Worm Transformed in New Phishing Attack

By Nick Guarino and Aaron Riley

The Cofense Phishing Defense Center™ (PDC)  and Cofense Intelligence have identified a new variant of Houdini Worm targeting commercial banking customers with campaigns containing either URLs, .zip, or .mht files. This new variant is named WSH Remote Access Tool (RAT) by the malware’s author and was released on June 2, 2019. Within five days, WSH RAT was observed being actively distributed via phishing. Figure 1 shows an example message from this campaign.

John Podesta’s Phish Foreshadows Doom for 2020

If you haven’t read the Mueller Report, spoiler alert: the phish that netted the Clinton campaign was not sophisticated. As you may know, neither was the campaign’s phishing defense (understatement). All of which spells probable doom for the 2020 presidential candidates, despite the news that campaigns have looked at offers, some free, from cyber-security firms.

This ‘Voice Mail’ Is a Phish—and an Email Gateway Fail

By Milo Salvia and Kamlesh Patel

The Cofense Phishing Defense CenterTM has observed a phishing campaign that masquerades as a voicemail message from a well-known company. The goal is to steal your domain credentials by mimicking the Outlook Web App (OWA). 

Email Body: 

The message body is designed to mimic your typical VOIP missed call message delivered via email when a user misses a call. A simple HTML box appears with a blue hyperlink, Play Voice. One would assume it was meant to say Play Message or Play Voice Message. This could indicate that English is not the threat actor’s first language and the original message was mistranslated. It’s the first indicator that something is not quite right about this message. 

Fig 1. Email Body

Message body in HTML:  

If you look at the message body in HTML, you can see that the embedded hyperlink redirects to www[.]lkjhyb[.]com_dg[.]php=”. As you can tell, the URL has been wrapped by a URL filtering service. 

 

<Div align=”center” style=”text-align: center;”> 

<a href=”hxxps://urldefense[.]proofpoint[.]com/v2/url?u=hxxps-3A__www[.]lkjhyb[.]com_dg[.]php=“>Play Voice</a></div> 

</span></font></div>* 

 

Fig 2. Email Body in Plain Text  

Email Headers: 

A closer look at the header information reveals that the threat originates from the domain “protogonay.com. Further research into this domain suggests that it could be a throwaway domain—no company or website can be found that is directly linked to the name 

ext-caller108[@]progonay[.]com.” The threat source itself uses ext-caller108 to add legitimacy to the voicemail ruse. 

** From: Voice Ext <ext-caller108[@]progonay[.]com> 

To: <dxxx.mxxx@axxxx.com> 

Subject: Voice call from ******* (39 seconds) 

Date: Wed, 22 May 2019 08:23:33 -0700 

Message-ID: <20190522082333.8F2288151F642334@progonay.com> 

Content-Type: text/html; charset=”iso-8859-1″ 

X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-05-22_08:,, 

 signatures=0 

X-Proofpoint-Spam-Details: rule=notspam policy=default score=1 priorityscore=1501 malwarescore=0 

 suspectscore=2 phishscore=0 bulkscore=0 spamscore=1 clxscore=-94 

 lowpriorityscore=0 mlxscore=1 impostorscore=0 mlxlogscore=206 adultscore=0 

Fig 3. Email Headers

Phishing Page:  

Once the user clicks on the “Play Voice (sic)” hyperlink, it redirects to what looks like the default corporate Outlook Web App (OWA) login page. This page is designed to steal your O365 domain credentials. As we can see, it asks the victim to supply domain/username:  and password.  

Fig 4. Phishing Page 

Gateway Present:  

This threat was found in an environment running Proofpoint Email Gateway and URL filter. 

Conclusion:  

Threat actors pull out the stops to deliver malicious messages to users’ inboxes. This “voice mail” message is yet another creative example.  

To help protect against this type of credential phish, Cofense PhishMeTM offers a template called “Play Voice Message.” 

Learn more about evolving phishing tactics and techniques—view the Cofense Phishing Threat and Malware Review 2019. 

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.  

Cofense Report: 90% of Verified Phish Found in Environments Using Email Gateways

By Kaustubh Jagtap

Our recently released 2019 Phishing Threat and Malware Review highlights how perimeter protection technologies can’t stop all advanced phishing threats. Email gateways are a critical first line of defense, but as attackers have continued to innovate gateways haven’t kept up.  The CofenseTM report also underscores the importance of human intelligence to identify these advanced attacks once they make it past gateways. Trained users can effectively detect and report advanced phishing to allow SOC teams to accelerate incident response.

Credential Phish Are the Most Common Threat

90% of verified phishing emails were found in environments using email gateways. This included over 23k credential phishing emails and approximately 5k emails that delivered dangerous malware. The Cofense Research and Cofense IntelligenceTM teams also noted a change in tactics with Business Email Compromise (BEC) attacks. Threat actors are now targeting payroll administrators, as compared to the usual CEO/CFO targets. Our teams also found an increase in extortion tactics including sextortion and bomb threats to create urgency and panic.

Threat Actor Tactics Are Evolving

As they shifted malware delivery mechanisms, threat actors showed a strong preference for the exploitation of CVE-2017-11882, an older Microsoft Equation Editor vulnerability. Over 45% of all malicious attachments over the past year exploited this CVE to deliver malware.

Between August 2018 and February 2019, Cofense observed malicious .ISO files bypassing gateways, indicating the use of novel file types to escape detection. There were also significant developments in Installation-as-a-service (IaaS). Emotet embraced the IaaS business model in 2018 to deliver other malware like TrickBot, IceID, and QakBot. Cofense Research observed 678k unique Emotet infections through April 2019.

Cloud Filesharing Services Are Being Badly Abused

Cofense saw widespread abuse of cloud filesharing platforms to host and spread malicious content, including “legitimate” links to the content embedded in the phishing email. We found 9445 phishing emails that abused cloud filesharing services to deliver a malicious payload. Threat actors preferred SharePoint (55%) and OneDrive (21%) over other cloud filesharing providers.

How to Protect against Phishing and Malware

The report details numerous ways to defend against email threats. They include:

  • Educate users – Train and condition users to spot phishing emails. Faster incident response begins with better human intelligence.
  • Focus education on new TTPs – Make sure to educate your SOC team and end users on emerging threats and phishing tactics. Threat actor TTPs are constantly evolving. Complacency can breed painful consequences.
  • Train users to spot credential phish – Pay special attention to phishing scenarios where users are asked to login and supply credentials.
  • Enable multifactor authentication- It’s especially urgent if you have single sign-on.

To see more tips and the full story on phishing and malware threats, download your copy of the Cofense Phishing Threat & Malware Review 2019.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Using Windows 10? It’s Becoming a Phishing Target

CISO Summary

Cofense IntelligenceTM has recently seen a complex phishing campaign that delivers a simple payload, FormGrabber keylogger malware. The targets are Windows 10 operating systems running Windows Anti-malware Scan Interface (AMSI). The phishing emails deliver a Microsoft Excel Worksheet containing a MS Word macro that initiates infection.

What’s notable: threat actors are hitting Windows 10 instead of Windows 7, a more common target. Expect to see greater abuse heaped on the newer version as more businesses adopt it. No one aspect of this campaign is novel, but the attackers easily assembled a complex infection chain using multiple obfuscation and evasion techniques—another sign of how quickly criminals innovate when motivated.

 Full Details

Cofense Intelligence recently observed a campaign where threat actors targeted Windows 10 operating systems and used a complex multi-stage campaign to deliver the relatively simple FormGrabber keylogger. The emails utilized a Microsoft Office Excel Worksheet with an Office Word macro to initiate the infection. If macros were enabled, this macro would execute a PowerShell script that compiled embedded C# code content into a .NET dll. The .NET dll was loaded as a PowerShell module that then downloaded and executed the FormGrabber keylogger. The code used in the PowerShell module specifically targets Windows 10 computers which have the Windows Anti-malware Scan Interface (AMSI) installed.

Initiation

Each email identified within this campaign had two attachments: the first was a Microsoft Office Excel Worksheet, the second was an RTF document. This RTF document contained five embedded copies of the same Excel Worksheet, as shown in Figure 1.

Figure 1: Copies of the same embedded Worksheet object

When the document is opened, the victim is prompted five times (once for each of the embedded worksheets) to enable macros. After all the prompts have been responded to, the RTF document will be opened. The method used to embed the worksheet objects into the RTF document requires that the worksheet objects be displayed in some form or fashion. In most cases, threat actors will carefully attempt to hide the object to avoid tipping off victims. As shown in Figure 2, in this case the threat actors simply let the default primary worksheet display in the footer section of the document.

Figure 2: The image displayed in the footer of the RTF document

Here the threat actors repurposed a legitimate example worksheet from Carnegie Mellon University to hide malicious content. The file size and macro run by the attached and embedded Excel worksheets are different, however the end result and final payload location are the same, indicating that the two attachments were likely used for redundancy.

Worksheets

Automated systems often examine the macros in documents in an attempt to determine their intentions. Even if the macro is encoded or obfuscated, modern anti-virus should be capable of reversing the changes or at least detecting key malicious components without running the macro. The macros in these worksheets used a simple technique that may have allowed the threat actors to avoid some automated defenses, crafting a macro that decoded content stored in a cell on a seemingly empty page of the worksheet, as shown in Figure 3. Note that the macro (one line of which appears at the top of the image) references cell “J106” on sheet “RPNLU.” All cells in sheet “RPNLU” appear to be empty and the default page view has cell “J106” out of view, ensuring that even if manually opened, the only obvious discrepancy between the original legitimate worksheet and the malicious one is the addition of the sheet “RPNLU.”

Figure 3: Disguised data used by macro (top of image)

Once decrypted, this macro then launches a PowerShell process which contains another subsection of encrypted data, as shown in Figure 4.

Figure 4: Second stage of the PowerShell script

This PowerShell command takes the encrypted content and decrypts it into C# code, which is then compiled into a .NET dll and loaded as a PowerShell module.

Bypassing

The compilation and multiple layers of encryption involved in this process are all used to “bypass” AMSI. AMSI is a Windows 10 exclusive feature intended to help detect and prevent scripts and “fileless threats.” In order to “bypass” AMSI, the threat actors avoid downloading files and perform other obviously malicious activity in the code that runs in the PowerShell console. Instead they focus only on disabling AMSI by adjusting where it looks for malicious content. The code used for this is similar and almost identical in some places to the proof of concept described in this blog post. Once AMSI is properly disabled, the threat actors then load in the C# code including the explicitly malicious code compiled in a .NET dll as a PowerShell module. A relevant portion of this code can be seen in Figure 5.

Figure 5: A modified version of the original POC code to bypass AMSI

Results and a Look Ahead

Threat actors used a complex infection chain that specifically targeted a key component of Windows 10 operating systems, rather than the more common Windows 7-focused malware, to deliver FormGrabber keylogger. As more businesses switch to the Windows 10 operating system, threat actors, like the ones seen here, can be expected to switch their targets to Windows 10 as well. Although none of the techniques used in this campaign were particularly novel, the fact that it utilized multiple obfuscation and evasion techniques and was so easily assembled from already created work indicates how quickly and significantly threat actors can improve, given the proper impetus. As is usually the case when it comes to vulnerabilities in key components, a patch to prevent this method of AMSI bypass exists. However, businesses first need to be aware of the problem. Knowledge of the evolving threat landscape and the different ways that it can affect a company are key to promoting a secure environment. To improve your security posture, take preventative action by patching systems and training employees to recognize and prevent the first stage in an infection chain.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.