Under the Radar – Phishing Using QR Codes to Evade URL Analysis

Phishing attacks evolve over time, and attacker frustration with technical controls is a key driver in the evolution of phishing tactics.

In today’s modern enterprise, it’s not uncommon for our emails to run the gauntlet of security products that wrap or scan embedded URLs with the hope of finding that malicious link. Products like Proofpoint URL Defense, Microsoft Safe Links, and Mimecast URL Protect hope to prevent phishing attacks by wrapping or analyzing URLs.  These technologies can only be effective IF they can find the URLs in the first place.

Fast forward to this week where our Phishing Defense Center™ stopped a phishing campaign aimed at customers in Finance. The analysis below outlines the attacker’s use of a URL encoded in a QR code to evade the above-named technologies.  While you’ve probably seen QR codes in your everyday life, this might be the first time you are seeing QR codes used as a phishing tactic.

The Phish:

The email itself is relatively simple. It poses as a pseudo SharePoint email with the subject line: “Review Important Document”. The message body invites the victim to: “Scan Bar Code To View Document”. The only other visible content is a tantalizing QR code that a curious user may be tempted to scan.

Figure 1, Email Body

The message body in plain text consists of several basic HTML elements for styling and an embedded .gif image file of the QR code. Very basic, but very effective.

When the QR code is decoded we can see that that it contains a phishing URL: hxxps://digitizeyourart.whitmers[.]com/wp-content/plugins/wp-college/Sharepoint/sharepoint/index.php

Most smartphone QR code scanner apps will instantly redirect the user to the malicious website via the phone’s native browser. In this case the victim would be redirected to a SharePoint branded phishing site. The victim is then confronted with options to sign in with AOL, Microsoft, or “Other” account services. While this sounds like a simple phish, there is a more nefarious tactic in play: removing the user from the security of a corporate business network.

Figure 2, Phishing site

Standard Security Controls Circumvented:

By enticing the victim to pull out their smartphone and scan the QR code the attacker manages to evade standard corporate security controls. Secure email gateways, link protection services, sandboxes, and web content filters no longer matter because the user is now interacting with the phishing site in their own security space: their mobile phone. And yes, the phishing site is optimized for mobile viewing. Here’s a glance at what the site looks like on a smartphone:

Figure 3, Phishing page viewed on phone

Though the user may now be using their personal device to access the phish, they are still in the “corporate” mindset as the original email was received at their business email address. Therefore, it is highly likely that the victim would input their corporate account credentials to attempt to access this “document”. 

Gateway Evasion:

This attack was observed passing through an environment utilizing Symantec Messaging Gateway. When scanned, the message was deemed “Not spam” by the system as seen in Fig 4 below.

Figure 4, Email Header Snippet

Conclusion:

In the past QR codes were reserved for geeks on the bleeding edge of technology. Today we interact with QR codes more and more as we cut the cord on cable, setup home internet devices, transact crypto currencies, etc…  Will QR codes be a common phishing tactic of the future? Time will tell.  But THIS phishing attack that snuck past best in class phishing technologies was only stopped by an informed, in tune human, who reported it with Cofense Reporter ™ , so that their security teams could stop it.

Today over 90% of phishing threats observed by the Cofense Phishing Defense Center ™ bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe ™ and remove the blind spot with Cofense Reporter.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Phishing Attacks on High Street Target Major Retailer

By Jake Longden

The Cofense Phishing Defense Center™ has observed a phishing campaign that purports to be from Argos, a major retailer in the UK and British High Street. During 2018, Argos was the subject of a large number of widely reported phishing scamsi; this threat specifically targets Argos customers for their personal information and looks like a continuation of what was seen last year.

With the goal of stealing your store credit card and login information, here’s how it works:

All third-party trademarks referenced by Cofense™ whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Fig 1. Email Body

Email Body:

The message itself follows a standard phishing template to inform the user that their account has been restricted and that user sign in is required for verification. The use of bad grammar and typos are a dead giveaway that this email communication is not genuine.

Message body in plain text:

In reviewing the body of the email, we see the hyperlink for “Sign into your account” which directs the potential victim to: hxxps://www[.]argos[.]co[.]uk[.]theninja[.]gknu[.]com/www[.]argos[.]co[.]uk/account-login/

The attacker repeatedly used the string of the legitimate Argos site in the URL, both as part of the subdomains, and as a subdirectory. This was an attempt to mask the true source, and to lure the victim into trusting the legitimacy of the website.

Upon examination, we see that the link is wrapped by a URL filtering service.

href="hxxps://clicktime[.]symantec[.]com/3AuyExDNpRSjkQbgT2gXygH6H2?u=hxxps://www[.]argos[.]co[.]uk[.]theninja[.]gknu[.]com/www[.]argos[.]co[.]uk/account-login/" target="_blank" rel="noopener"><span class="ox-dad7652f0e-m_609589041267919212link-blue ox-dad7652f0e-m_609589041267919212MsoHyperlink ox-dad7652f0e-m_609589041267919212MsoHyperlinkFollowed">SIGN
INTO YOUR ACCOUNT

Fig 2. Email Body in Plain Text

 

Email Headers:

Analysis of the headers indicates that the “from” address is spoofed; the “reply to” field contains the address ‘no-reply[@]creativenepal[.]org’, which does not match ‘no-replays[@]multitravel.wisata-islam[.]com’.

Research on the ‘multitravel.wisata-islam’ domain failed to produce relevant data and reinforces the suspicion that the address is spoofed. At the time of analysis, we were unable to resolve an IP address, or load the domain.

From: <no-replays[@]multitravel[.]wisata-islam[.]com>
To: <[email protected]>
Subject: [WARNING SUSPECTED SPAM]  [WARNING SUSPECTED SPAM]  Please make sure
 you complete the form correctly.
Thread-Topic: [WARNING SUSPECTED SPAM]  [WARNING SUSPECTED SPAM]  Please make
 sure you complete the form correctly.
Thread-Index: AQHVIXUk7CjiCOKjHEyntcvh4etMFg==
Date: Wed, 12 Jun 2019 23:18:17 +0000
Message-ID: <[email protected]>
Reply-To: <“:no-reply”[@]creativenepal[.]org>

Fig 3. Email Headers

Phishing Page:

Once the user clicks on the “Sign into your account” hyperlink, they are redirected to a convincing imitation of the true Argos login page requesting the victims’ Username and Password.

This then leads the user to a second page, where the user is requested to supply details for their Argos store credit card account. This page follows the standard format for regular credit/debit cards with one key difference: the additional request for a ‘Card Amount’. This request is specific to the Argos Card as referenced in the copy: “The Argos Card lets you shop at Argos, with flexible payment plans that give you longer to pay” (see: https://www.argos.co.uk/help/argos-card/apply). This deviates from standard forms by asking the user for their credit limit.

 

 

Fig 4. Phishing Page

Gateway Evasion:

This campaign has been observed to pass through the ‘Symantec Messaging Gateway’.

We can see the influence of the Email gateway which injected ‘Warning Suspected Spam’ headers to the Subject Line and incorrectly presented this phish as a benign marketing email, and not a phishing attempt.

Conclusion:

To help protect against this type of credential phish, Cofense PhishMe™ offers a template called “Account Limitation” in order to improve phishing awareness training.

This credential phish eluded gateways and was actually mis-identified as harmless marketing spam. In fact 75% of threats reported to the Cofense Phishing Defense Center are Credential Phish. Protect the keys to your kingdom – condition end users to be resilient to Credential Harvesting attacks with Cofense PhishMe.

 

All third-party trademarks referenced by Cofense™ whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

i Google Search “Argos Data Breach 2018”

Houdini Worm Transformed in New Phishing Attack

By Nick Guarino and Aaron Riley

The Cofense Phishing Defense Center™ (PDC)  and Cofense Intelligence have identified a new variant of Houdini Worm targeting commercial banking customers with campaigns containing either URLs, .zip, or .mht files. This new variant is named WSH Remote Access Tool (RAT) by the malware’s author and was released on June 2, 2019. Within five days, WSH RAT was observed being actively distributed via phishing. Figure 1 shows an example message from this campaign.

John Podesta’s Phish Foreshadows Doom for 2020

If you haven’t read the Mueller Report, spoiler alert: the phish that netted the Clinton campaign was not sophisticated. As you may know, neither was the campaign’s phishing defense (understatement). All of which spells probable doom for the 2020 presidential candidates, despite the news that campaigns have looked at offers, some free, from cyber-security firms.

This ‘Voice Mail’ Is a Phish—and an Email Gateway Fail

By Milo Salvia and Kamlesh Patel

The Cofense Phishing Defense CenterTM has observed a phishing campaign that masquerades as a voicemail message from a well-known company. The goal is to steal your domain credentials by mimicking the Outlook Web App (OWA). 

Email Body: 

The message body is designed to mimic your typical VOIP missed call message delivered via email when a user misses a call. A simple HTML box appears with a blue hyperlink, Play Voice. One would assume it was meant to say Play Message or Play Voice Message. This could indicate that English is not the threat actor’s first language and the original message was mistranslated. It’s the first indicator that something is not quite right about this message. 

Fig 1. Email Body

Message body in HTML:  

If you look at the message body in HTML, you can see that the embedded hyperlink redirects to www[.]lkjhyb[.]com_dg[.]php=”. As you can tell, the URL has been wrapped by a URL filtering service. 

 

<Div align=”center” style=”text-align: center;”> 

<a href=”hxxps://urldefense[.]proofpoint[.]com/v2/url?u=hxxps-3A__www[.]lkjhyb[.]com_dg[.]php=“>Play Voice</a></div> 

</span></font></div>* 

 

Fig 2. Email Body in Plain Text  

Email Headers: 

A closer look at the header information reveals that the threat originates from the domain “protogonay.com. Further research into this domain suggests that it could be a throwaway domain—no company or website can be found that is directly linked to the name 

ext-caller108[@]progonay[.]com.” The threat source itself uses ext-caller108 to add legitimacy to the voicemail ruse. 

** From: Voice Ext <ext-caller108[@]progonay[.]com> 

To: <dxxx.mxxx@axxxx.com> 

Subject: Voice call from ******* (39 seconds) 

Date: Wed, 22 May 2019 08:23:33 -0700 

Message-ID: <[email protected]> 

Content-Type: text/html; charset=”iso-8859-1″ 

X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-05-22_08:,, 

 signatures=0 

X-Proofpoint-Spam-Details: rule=notspam policy=default score=1 priorityscore=1501 malwarescore=0 

 suspectscore=2 phishscore=0 bulkscore=0 spamscore=1 clxscore=-94 

 lowpriorityscore=0 mlxscore=1 impostorscore=0 mlxlogscore=206 adultscore=0 

Fig 3. Email Headers

Phishing Page:  

Once the user clicks on the “Play Voice (sic)” hyperlink, it redirects to what looks like the default corporate Outlook Web App (OWA) login page. This page is designed to steal your O365 domain credentials. As we can see, it asks the victim to supply domain/username:  and password.  

Fig 4. Phishing Page 

Gateway Present:  

This threat was found in an environment running Proofpoint Email Gateway and URL filter. 

Conclusion:  

Threat actors pull out the stops to deliver malicious messages to users’ inboxes. This “voice mail” message is yet another creative example.  

To help protect against this type of credential phish, Cofense PhishMeTM offers a template called “Play Voice Message.” 

Learn more about evolving phishing tactics and techniques—view the Cofense Phishing Threat and Malware Review 2019. 

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.  

Cofense Report: 90% of Verified Phish Found in Environments Using Email Gateways

By Kaustubh Jagtap

Our recently released 2019 Phishing Threat and Malware Review highlights how perimeter protection technologies can’t stop all advanced phishing threats. Email gateways are a critical first line of defense, but as attackers have continued to innovate gateways haven’t kept up.  The CofenseTM report also underscores the importance of human intelligence to identify these advanced attacks once they make it past gateways. Trained users can effectively detect and report advanced phishing to allow SOC teams to accelerate incident response.

Credential Phish Are the Most Common Threat

90% of verified phishing emails were found in environments using email gateways. This included over 23k credential phishing emails and approximately 5k emails that delivered dangerous malware. The Cofense Research and Cofense IntelligenceTM teams also noted a change in tactics with Business Email Compromise (BEC) attacks. Threat actors are now targeting payroll administrators, as compared to the usual CEO/CFO targets. Our teams also found an increase in extortion tactics including sextortion and bomb threats to create urgency and panic.

Threat Actor Tactics Are Evolving

As they shifted malware delivery mechanisms, threat actors showed a strong preference for the exploitation of CVE-2017-11882, an older Microsoft Equation Editor vulnerability. Over 45% of all malicious attachments over the past year exploited this CVE to deliver malware.

Between August 2018 and February 2019, Cofense observed malicious .ISO files bypassing gateways, indicating the use of novel file types to escape detection. There were also significant developments in Installation-as-a-service (IaaS). Emotet embraced the IaaS business model in 2018 to deliver other malware like TrickBot, IceID, and QakBot. Cofense Research observed 678k unique Emotet infections through April 2019.

Cloud Filesharing Services Are Being Badly Abused

Cofense saw widespread abuse of cloud filesharing platforms to host and spread malicious content, including “legitimate” links to the content embedded in the phishing email. We found 9445 phishing emails that abused cloud filesharing services to deliver a malicious payload. Threat actors preferred SharePoint (55%) and OneDrive (21%) over other cloud filesharing providers.

How to Protect against Phishing and Malware

The report details numerous ways to defend against email threats. They include:

  • Educate users – Train and condition users to spot phishing emails. Faster incident response begins with better human intelligence.
  • Focus education on new TTPs – Make sure to educate your SOC team and end users on emerging threats and phishing tactics. Threat actor TTPs are constantly evolving. Complacency can breed painful consequences.
  • Train users to spot credential phish – Pay special attention to phishing scenarios where users are asked to login and supply credentials.
  • Enable multifactor authentication- It’s especially urgent if you have single sign-on.

To see more tips and the full story on phishing and malware threats, download your copy of the Cofense Phishing Threat & Malware Review 2019.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Using Windows 10? It’s Becoming a Phishing Target

CISO Summary

Cofense IntelligenceTM has recently seen a complex phishing campaign that delivers a simple payload, FormGrabber keylogger malware. The targets are Windows 10 operating systems running Windows Anti-malware Scan Interface (AMSI). The phishing emails deliver a Microsoft Excel Worksheet containing a MS Word macro that initiates infection.

What’s notable: threat actors are hitting Windows 10 instead of Windows 7, a more common target. Expect to see greater abuse heaped on the newer version as more businesses adopt it. No one aspect of this campaign is novel, but the attackers easily assembled a complex infection chain using multiple obfuscation and evasion techniques—another sign of how quickly criminals innovate when motivated.

 Full Details

Cofense Intelligence recently observed a campaign where threat actors targeted Windows 10 operating systems and used a complex multi-stage campaign to deliver the relatively simple FormGrabber keylogger. The emails utilized a Microsoft Office Excel Worksheet with an Office Word macro to initiate the infection. If macros were enabled, this macro would execute a PowerShell script that compiled embedded C# code content into a .NET dll. The .NET dll was loaded as a PowerShell module that then downloaded and executed the FormGrabber keylogger. The code used in the PowerShell module specifically targets Windows 10 computers which have the Windows Anti-malware Scan Interface (AMSI) installed.

Initiation

Each email identified within this campaign had two attachments: the first was a Microsoft Office Excel Worksheet, the second was an RTF document. This RTF document contained five embedded copies of the same Excel Worksheet, as shown in Figure 1.

Figure 1: Copies of the same embedded Worksheet object

When the document is opened, the victim is prompted five times (once for each of the embedded worksheets) to enable macros. After all the prompts have been responded to, the RTF document will be opened. The method used to embed the worksheet objects into the RTF document requires that the worksheet objects be displayed in some form or fashion. In most cases, threat actors will carefully attempt to hide the object to avoid tipping off victims. As shown in Figure 2, in this case the threat actors simply let the default primary worksheet display in the footer section of the document.

Figure 2: The image displayed in the footer of the RTF document

Here the threat actors repurposed a legitimate example worksheet from Carnegie Mellon University to hide malicious content. The file size and macro run by the attached and embedded Excel worksheets are different, however the end result and final payload location are the same, indicating that the two attachments were likely used for redundancy.

Worksheets

Automated systems often examine the macros in documents in an attempt to determine their intentions. Even if the macro is encoded or obfuscated, modern anti-virus should be capable of reversing the changes or at least detecting key malicious components without running the macro. The macros in these worksheets used a simple technique that may have allowed the threat actors to avoid some automated defenses, crafting a macro that decoded content stored in a cell on a seemingly empty page of the worksheet, as shown in Figure 3. Note that the macro (one line of which appears at the top of the image) references cell “J106” on sheet “RPNLU.” All cells in sheet “RPNLU” appear to be empty and the default page view has cell “J106” out of view, ensuring that even if manually opened, the only obvious discrepancy between the original legitimate worksheet and the malicious one is the addition of the sheet “RPNLU.”

Figure 3: Disguised data used by macro (top of image)

Once decrypted, this macro then launches a PowerShell process which contains another subsection of encrypted data, as shown in Figure 4.

Figure 4: Second stage of the PowerShell script

This PowerShell command takes the encrypted content and decrypts it into C# code, which is then compiled into a .NET dll and loaded as a PowerShell module.

Bypassing

The compilation and multiple layers of encryption involved in this process are all used to “bypass” AMSI. AMSI is a Windows 10 exclusive feature intended to help detect and prevent scripts and “fileless threats.” In order to “bypass” AMSI, the threat actors avoid downloading files and perform other obviously malicious activity in the code that runs in the PowerShell console. Instead they focus only on disabling AMSI by adjusting where it looks for malicious content. The code used for this is similar and almost identical in some places to the proof of concept described in this blog post. Once AMSI is properly disabled, the threat actors then load in the C# code including the explicitly malicious code compiled in a .NET dll as a PowerShell module. A relevant portion of this code can be seen in Figure 5.

Figure 5: A modified version of the original POC code to bypass AMSI

Results and a Look Ahead

Threat actors used a complex infection chain that specifically targeted a key component of Windows 10 operating systems, rather than the more common Windows 7-focused malware, to deliver FormGrabber keylogger. As more businesses switch to the Windows 10 operating system, threat actors, like the ones seen here, can be expected to switch their targets to Windows 10 as well. Although none of the techniques used in this campaign were particularly novel, the fact that it utilized multiple obfuscation and evasion techniques and was so easily assembled from already created work indicates how quickly and significantly threat actors can improve, given the proper impetus. As is usually the case when it comes to vulnerabilities in key components, a patch to prevent this method of AMSI bypass exists. However, businesses first need to be aware of the problem. Knowledge of the evolving threat landscape and the different ways that it can affect a company are key to promoting a secure environment. To improve your security posture, take preventative action by patching systems and training employees to recognize and prevent the first stage in an infection chain.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

The Zombie Phish Is Back with a Vengeance

Keep a close on your inboxes—the Zombie Phish is back and it’s hitting hard.

Last October, on the eve of Halloween, the CofenseTM Phishing Defense CenterTM reported on a new phishing threat dubbed the Zombie Phish. This phish spreads much like a traditional worm. Once a mailbox’s credentials have been compromised, the bot will reply to long-dead emails (hence, Zombie) in the inbox of the infected account, sending a generic phishing email intended to harvest more victims for the Zombie hoard.

Cofense Report Reveals Weaknesses in Secure Email Gateways, Illustrates Critical Role of Human Intelligence in Phishing Defense

2019 Phishing Threats and Malware Review highlights the latest evolutions to threat actor campaigns and enhanced capacity for malware to evade perimeter controls and penetrate user inboxes.

Leesburg, Va. – June 04, 2019 – Cofense™, the global leader in intelligent phishing defense solutions, today released the findings of their report, “2019 Phishing Threats and Malware Review”, which reveals key insights about how threat actors are evolving phishing campaigns, and provides direction to everyone from network defenders to CISO’s on how to prepare for the unknown. Despite significant investments in next-gen technologies, phishing threats continue to become more sophisticated and effective. The report uncovers how dangerous threat actors, armed with an ever-growing arsenal of tactics and techniques, continue to tweak their campaigns and enhance their capacity to deliver malware, ultimately getting more messages past perimeter controls to user inboxes.

The report features real and simulated threat findings generated from the Cofense Phishing Defense Center (PDC), Threat Intelligence and Research teams, and across a sampling of their global customer base; including real data from 1,400 customers in 50 countries and 23 major industries, and half of the Fortune 100. Specifically, between October 2018 and March 2019, the Cofense PDC verified over 31,000 malicious emails, 90 percent of which were found in environments running one or more secure email gateways (SEGs).

Key findings from the 2019 report include:

  • Between October 2018 and March 2019, 31,429 total threats were reported by end users after delivery to the inbox, which included 23,195 via credential phishing; 2,681 via business email compromise (BEC); 4,835 via malware deliver; and 718 via other scams.
  • Ninety percent of the malicious emails verified by the Cofense PDC during this period were found in environments running one or more SEG.
  • Threat actors are innovating relentlessly and are constantly refining their tactics, techniques, and procedures (TTP’s) as they develop new delivery mechanisms, phishing techniques, and ways to get around network defense technologies. Cofense is seeing activity such as the use of public, open source tools to evade detection and the leveraging of genuine O365 accounts to harvest credentials to increase the odds of reaching the inbox and delivering malware. The report outlines that sextortion and bomb scare extortion pay off significantly when utilized by threat actors.
  • Technologies like email gateways can’t keep pace with the speed of threat actors’ “product development”. SEG’s play a key role in phishing defense, but they are not infallible. The report identifies SharePoint, OneDrive and ShareFile as some of the most abused cloud providers and states that threat actors use geo-location to help prevent analysis by security tools or human researchers; enabling malware to slip through a SEG’s defenses.
  • Collective human intelligence is vital to phishing defense. When the phishing and malware threats analyzed in this report land in users’ inboxes, the human factor becomes decisive. It’s imperative to educate users through a phishing awareness program, focusing on threats that utilize the latest TTP’s. Both user education and incident response thrive when fed by threat intelligence on emerging TTP’s.

“Adversaries are constantly evolving their techniques and changing their infrastructure to complicate detection, meaning that indicators of compromise (IOCs) can grow stale extremely quickly. For holistic defense, users need to be prepared to identify and report any threats that do reach their inbox,” said Aaron Higbee, Co-Founder and CTO, Cofense. “Automated technical defense controls must be blended with a human element in today’s threat landscape. While timely threat intelligence helps head-off attacks and drown out the noise so that SOC teams can prioritize and focus on the most pernicious threats, Cofense is observing an ever-increasing surge of malicious emails that reach user inboxes daily. Once a message reaches an inbox, that end user is your last line of defense.”

Cofense is the only phishing defense company that holistically confronts phishing threats, looking at both the phishing tactics and techniques used to bypass perimeter controls to reach users inboxes, as well as how the malware is executed after delivery. Cofense’s multi-dimensional intelligence enables customers to prioritize and understand threats to mitigate phishing attacks faster.

To download the full report, please visit https://cofense.com/phishing-threat-malware-review-2019

About Cofense
Cofense™, formerly PhishMe®, is the leading provider of intelligent phishing defense solutions world-wide. Cofense delivers a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

Media Contact
[email protected]