Utilizing YouTube Redirects to Deliver Malicious Content

By Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) recently observed an increase in phishing attempts that deliver phishing pages via YouTube redirects.

Threat actors often use social media websites as redirectors to malicious pages. Most organizations allow the use of platforms such as YouTube, LinkedIn, and Facebook and whitelist the domains, allowing for potentially malicious redirects to open without any fuss. In this case, anyone who clicks on the phish is taken to a phony login page designed to steal credentials.

Figure 1: Email Header

The phishing email originates from a newly registered fraud domain sharepointonline-po.com. This domain was registered on February 19, 2020 through Namecheap.

The threat actor in this scenario has posed as SharePoint, indicating that a new file has been uploaded to the company’s SharePoint site. Although the email may appear illegitimate to a trained eye, a curious or unsuspecting end user may click the button expecting to see a legitimate file.

The link embedded in the email is: hXXps://www[.]youtube[.]com/redirect?v=6l7J1i1OkKs&q=http%3A%2F%2FCompanyname[.]sharepointonline-ert[.]pw

Users are redirected to YouTube that then redirects to companyname[.]sharepointonline-ert[.]pw, which in turn goes to the final landing page of the phish located at:

hXXps://firebasestorage[.]googleapis[.]com/v0/b/sharepointonline-fc311.appspot[.]com/o/Sharepoint2019427c31ba-0238-4747-bfd3-13369aa06b4d427c31ba-0238-4747-bfd3-13369aa06b4d427c31bb%2Findex[.]html

So far, all phishing links from this campaign utilize some variation on sharepointonline-ert[.]pw, specifically sharepointonline-xxx followed by a variation of 3 letters with the top-level domain always being .pw. Each of these fraud domains are quickly registered with Namecheap and used for this campaign, which suggests the possibility of bot automation. The SharePoint redirection domains collected so far include:

sharepointonline-eer[.]pw
sharepointonline-sed[.]pw
sharepointonline-ert[.]pw
sharepointonline-eyt[.]pw

With this trend of 3 letter variations in mind, the use of redirects means there’s at least 17,576 possible combinations of this domain. However, with some clever use of regular expressions, domains following this pattern can be blocked as well as the attack that follows.

Following both the YouTube and fraudulent SharePoint redirects, users are then taken to a Google Cloud page that is configured with the final page of this phish. Because the page is hosted on a legitimate Google site, googleapis.com, its certificate is verified by what appears to be Google itself, thus furthering the illusion of a legitimate page. Use of this legitimate website allows the threat actor to sneak by any Secure Email Gateways (SEGs) or other security controls.

Figure 3: Phishing Page

Once end users click on the link, they are presented with a typical Microsoft branded login page. Nothing appears amiss–in fact, it is almost a perfect replica. The main differences are: the box surrounding the login is black instead of white; the small detail of the banner at the bottom has different information than Microsoft’s actual login; and the copyright year is showing as 2019.

The recipient email address is appended within the URL, thus automatically populating the login box with the account name. Once users provide their password, it is sent to the threat actor.

Network IOCs
hXXps://www[.]youtube[.]com/redirect?v=6l7J1i1OkKs&q=http%3A%2F%2FCompany[.]sharepointonline-ert[.]pw%23john.smith@company.Com&=company=company&redir_token=-N5bmOAEmF36DCYcYY25tfVENgB8MTU4MjIwMTEyOEAxNTgyMTE0NzI4
hXXps://firebasestorage[.]googleapis[.]com/v0/b/sharepointonline-fc311.appspot[.]com/o/Sharepoint2019427c31ba-0238-4747-bfd3-13369aa06b4d427c31ba-0238-4747-bfd3-13369aa06b4d427c31bb%2Findex[.]html

 

HOW COFENSE CAN HELP

Every day, the Cofense Phishing Defense Center (PDC) analyzes phishing emails that bypassed email gateways, 75% of which are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe. To remove the blind spot, get visibility of attacks with Cofense Reporter.

Quickly turn user-reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 36586.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

The Value of Human Intelligence in Phishing Defense

By Guest Blogger, Frank Dickson, Program Vice President, Cybersecurity Products, IDC

The value of humans, our fellow employees, in phishing defense has been a hotly contested topic for quite some time. Advocates say that end users play a role, be it innocent and unintended, in just about every phishing campaign. Proper behavior modification can ultimately solve the problem. Detractors only to need point to the consistent “clickiness” of end users to question that value. Yet the reality is that responsibility lies somewhere in the middle.

The detractors are indeed correct. Users do continue to click on malicious links and participate in other unintended ways. Training helps a lot, improving the effectiveness of a user’s ability to spot malicious email. Even though the human eye improves, cyber miscreants are clever, and even the best of us get tricked on an off day. However, what the detectors fail to acknowledge is that for a user to click on a link in a phishing email, the email first had to get past our messaging defenses—our organization’s security technology.

The Additive Factor

Here lies the crux of the argument: People are not perfect; but neither is technology. When you look at phishing, that pretty well sums up the problem. There’s so much complexity associated with IT architectures that, as of right now, the existing technology is:

A) clearly not getting it done, and
B) just too immensely complex to let any single technology fully cover it.

Malicious emails are getting through. Luckily though, technology defenses and human intelligence are not mutually exclusive. They are additive; both can be used together and, in fact, complement each other.

The factor that makes human intelligence so compelling is in the way it’s applied. As we look at layering technologies atop other technologies, we often wonder if we are indeed increasing our efficacy, or would less technology stop the same malicious emails? With human intelligence, it is only applied to emails that have gotten past our messaging security technologies. By default, human intelligence can only identify new threats.

Case in point: even if you do a great job taking out spam and malware, you still have malicious messages that get through. In the case of a compromised business email account, someone can grab credentials and take control of it. An email can appear to come from the CEO with a fictitious invoice sent to accounting saying, “Please pay this invoice.” The invoice gets paid—without the use of malware or a malicious link, right?

The email comes from a legitimate email box. Everything is “legitimate,” it’s just someone compromised the credentials. Dealing with that kind of use case is incredibly difficult. The long story short here is the complexity. Technology is great for dealing with standardized problems. When the complexity increases exponentially, however, human intelligence stands a better chance at inferring malicious intent.

Additionally, humans can scale, each applying a unique intelligence. If a malicious email gets past our technology defenses and into 10 inboxes, it only takes one out of those 10 people say, “Hmm, this doesn’t look right,” and report it. Essentially, security intelligence is crowdsourced.

The Feedback Imperative

Keep in mind, however, that human intelligence is neither free nor easy. It takes a commitment to make it work. Training users on what to look for is a good start. Users need background in terms of what’s in a malicious email, what does legitimate email look like, and what are the warning signs. You must give them the rudimentary training. That’s step one. Step two requires simulations, providing pop quizzes, for example, of obvious scenarios.

Training and simulations are great, but those by themselves are not the key. The key is the feedback loop. End users want to contribute. They want to be part of the solution. Sometimes IT thinks, “Ah, those silly end users. Easier not to keep them involved.”

But users want to know they are valued. They don’t want to feel like their time’s being wasted. If no one gets back to them and tells them that, hey, their feedback is important, then the user reasonably thinks, “I’m just wasting my time.” In addition to refining an end-user’s ability to detect malicious email, feedback from IT says, “Yes, your input was both considered and important.”

And that is the most effective security you can have.

Phish Fryday – Encrypted Loaders

With over 90% of malware being distributed by email (according to the 2019 Verizon DBIR), malspam is a serious concern for phishing defenders. Cofense has recently seen new methods used by attackers to make it even harder for researchers to analyze their malicious payloads. In this episode we speak with Cofense Cyber Threat Intelligence Analyst Max Gannon about what these new methods are, the challenges they present to defenders and researchers, and what we can do to protect ourselves.

Questions or comments? Reach us at phishfryday@cofense.com

Threat Actors Capitalize on Global Concern About Coronavirus in New Phishing Campaigns

By Kyle Duncan and Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign found in an environment protected by Ironport that aims to strike alarm and manipulate end users into clicking on a Microsoft-branded credential phish that prays on concerns surrounding the coronavirus.

The email appears to be from The Centers for Disease Control and the message is that the coronavirus has officially become airborne and there have been confirmed cases of the disease in your location. The email goes on to say that the only way to minimize risk of infection is by avoiding high-risk areas that are listed on a page they have personally hyperlinked to you – the recipient. The email is NOT from the CDC and the link to possible safe havens is actually malicious.

Since news of the coronavirus hit national headlines, many threat actors have played on its infamy to target unsuspecting users. While there are numerous phishing campaigns raving about the latest safety measures, all claiming to be reputable health organizations or doctors, this email differs in its methods, weaponizing fear to panic users into clicking malicious links.

Figure 1: Email Header

The following are snippets of the header information for the email. Looking at the first stop on the received path we see that the email originated from the domain veloxserv.net with an IP address of 193[.]105[.]188[.]10. This obviously has nothing to do with the Centers for Disease Control, as this is an IP located within the United Kingdom. However, the sender is issuing a HELO command which tells the email server to treat this email as if it were originating from the domain “cdc.gov”.

Figure 2: Email Body

The subject of the email is “COVID-19 – Now Airborne, Increased Community Transmission” followed by a spoofed display name, CDC INFO, and from address, CDC-Covid19@cdc.gov, thus making it appear as if the sender is really the CDC. Despite odd capitalization on some words in the email, it is a rather good forgery which, when combined with the high stress situation it presents, may cause most users to overlook those details and click the link immediately.

Users are led to believe they are clicking a link to:
hxxps://www[.]cdc[.]gov/COVID-19/newcases/feb26/your-city[.]html

However, embedded behind that link is the following malicious redirect:
hxxp://healing-yui223[.]com/cd[.]php

Which in turn goes to the final landing page of the phish located at:
hxxps://www[.]schooluniformtrading[.]com[.]au/cdcgov/files/

Upon further research, there were two additional compromised sites set up with this same phishing kit.

Additional redirecting URLs found were:
hxxps://onthefx[.]com/cd[.]php

Additional phishing pages:
hxxps://urbanandruraldesign[.]com[.]au/cdcgov/files
hxxps://gocycle[.]com[.]au/cdcgov/files/

In each of these three unique attacks, the URLs used to redirect the victim to the credential phishing site are of Japanese origin. All use the file cd.php, which forces the redirection to the phish. The phishing pages themselves have the same Top-Level Domain, .com.au, and each has a SSL certificate. These clues point to a single threat actor carrying out these attacks. Further observation may soon reveal the actor’s identity or at least a general attack vector that can be monitored for and blocked by network firewalls.

Figure 3: Phishing Page

Users will be presented with a generic looking Microsoft login page upon clicking the link.

The recipient email address is appended within the URL, thus automatically populating the login box with their account name. The only thing for the user to provide now is their password. Upon doing so, the user is sent to the threat actor.

Once users enter their credentials, they are redirected to a legitimate website of the CDC:

hxxps://www[.]cdc[.]gov/coronavirus/2019-ncov/php/preparing-communities[.]html

Indicators of Compromise:

Network IOC IP
hxxps://healing-yui223.com/cd[.]php 150[.]95[.]52[.]104
hxxps://www.schooluniformtrading[.]com[.]au/cdcgov/files/ 118[.]127[.]3[.]247
hxxps://onthefx[.]com/cd[.]php 153[.]120[.]181[.]196
hxxps://urbanandruraldesign[.]com[.]au/cdcgov/files 112[.]140[.]180[.]26
hxxps://gocycle[.]com[.]au/cdcgov/files/ 13[.]239[.]26[.]132

 

Spoofed World Health Organization Delivers Agent Tesla Keylogger

In addition to the spoofed CDC message discovered by the Cofense Phishing Defense Center, Cofense Intelligence also recently identified a phishing campaign spoofing the World Health Organization (WHO) to deliver the Agent Tesla keylogger. The phishing campaign is designed to invoke fear and curiosity of the intended recipient with the subject “Attention: List Of Companies Affected With Coronavirus March 02, 2020.”

The attachment accompanying the phishing email spoofing the WHO is labeled ‘SAFETY PRECAUTIONS’ and has a .exe extension. The icon of this executable is that of a Microsoft Office Excel file, intending to fool the end user into believing that the attachment is indeed an Excel document, listing the infected companies. The attachment is in fact an .exe, delivering a sample of Agent Tesla keylogger. The email body can be seen below.

Figure 4: The phishing email spoofing the World Health Organization

 

Filename MD5 Hash
SAFETY PRECAUTIONS.rar 05adf4a08f16776ee0b1c271713a7880
SAFETY PRECAUTIONS.exe ef07feae7c00a550f97ed4824862c459

Table 1: Agent Tesla Keylogger Attachments

 

Agent Tesla C2s
Postmaster[@]mallinckrodt[.]xyz
brentpaul403[@]yandex[.]ru

Table 2: Agent Tesla Keylogger Command and Control (C2) Locations

 

YARA Rules
PM_Intel_AgentTesla_36802

 

Given the levels of concern associated with the COVID-19 outbreak, such phishing themes will almost certainly increase, delivering a broader array of malware families.

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Condition users to be resilient to credential harvesting attacks with Cofense PhishMe, plus get visibility of attacks that have bypassed controls with Cofense Reporter.

Easily consume phishing-specific threat intelligence in real time to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers were already defended against these threats well before the time of this blog posting.

Quickly turn user-reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Threat Actor Uses OneNote to Learn Credential Phishing and Evade Microsoft and FireEye Detection

By Max Gannon

Cofense Intelligence recently uncovered a long-term phishing campaign wherein a threat actor experimented with a OneNote notebook hosted on OneDrive to deliver both malware and credential phishing. Thanks to the ease of use and accessibility of OneNote, the threat actor was able to update a “phishing notebook” multiple times a day, experiment with various intrusion methods, and improve the odds to successfully evade email security controls. Numerous Agent Tesla Keylogger payloads as well as links to different credential phishing websites were included in the campaign. By using a public repository, the threat actor left an easily trackable trail, giving crucial insight into the process and planning involved in abusing trusted cloud hosting sources.

We investigated the experiments housed in this OneNote notebook and found multiple sites and templates the threat actor tested. Figure 1 shows an example email delivered by this threat actor, which was found in an environment protected by Microsoft EOP and FireEye enterprise gateways.

Figure 1: Original email with link to OneNote, leading to a tiny[.]cc link

Cybercriminals can leverage a wide array of trusted cloud hosting sources for credential phishing. Most commonly, a convincing page contains a link to a malicious external website that houses the actual forms used to harvest information. This kind of page can be an image or document hosted on Microsoft Sway, Microsoft SharePoint, Google Docs, or even Zoho Docs. An example from the OneNote was hosted on Zoho Docs, as shown in Figure 2. Note that when looking to download the invoice, the threat actor used the SmartURL link shortening service to circumvent security scanners and trick end users.

Figure 2: Document hosted on Zoho Leads to credential phishing website

The OneNote also housed an example demonstrating how threat actors take direct advantage of a trusted service. In Figure 3, Office 365 credentials are phished through Google Forms, which threat actors can access in their Google accounts. Having a readily accessible service that requires no maintenance and effectively acts as a free database significantly lowers the upkeep needed for the credential phish. A downside is that these services have evolved to look for nefarious activity, and Google displays a warning at the bottom of the form that warns the user to “never submit passwords through Google Forms.” Other services such as Microsoft Forms and survey sites can also enable this type of attack.

Figure 3: Google forms credential phish

Another less common, yet noteworthy, technique is to host a document on a file-sharing site and entice end users to download and open the file. Files housed on DropBox, OneDrive, Google Drive, Box, and other popular services lure email recipients into clicking a link or entering credentials into a form that exfiltrates back to the threat actor. Ultimately, users face some spoof or bait that exploits innate trust for nefarious purposes.

On one end, legitimate cloud hosting services continue to improve their defenses against some of these attacks. Even if only used as an intermediary, takedown requests and scanning solutions aim to remove malicious content as quickly as possible. This response is usually in the case of malware or well-defined phishing portals, which do account for the bulk of the abuse. However, multiple exceptions exist, such as the use of Microsoft OneNote. Given that an operator can update OneNote notebooks at any time, takedowns become more difficult as the threat is harder to track. In this particular case we investigated, OneNote was updated ten or more times a day, consisting not only of changes to the links leading to external credential phishing pages but also to the makeup and “template” of the page itself. OneNote has a version history tool that enables some limited forensics for investigators, but it is relatively easy for a threat actor to remove prior versions. In this instance, the actor did not remove the version history until later in the experimentation process.

Cofense Intelligence tracked content updates by this threat actor over the span of two weeks. Examining the “version history” of these pages over time revealed numerous progressions in the layout, malware, and credential phishing pages. The threat actor went through four templates that delivered a credential phishing portal and unique malware samples. Figure 4 highlights the evolution cycle, as each template underwent several revisions and variations.

  1. In the first template, the operator chose to send two URLs: one with an Office 365 credential phishing site, and another that downloaded malware. Both links were later changed to download malware samples instead of the lure portal.
  2. The second template offered a single link, directly straight to the same Office 365 credential phishing site but on a different URL path.
  3. No credential phishing link was found in the third template, offering a link to different malware versions that the threat actor updated several times.
  4. The fourth template features a phish-only link yet again that alternated between providing one of several different Office 365 credential harvesting portals.

Figure 4: OneNote template progression

In all cases where malware was delivered, the malware was a “first stage” downloader, attempting to download an encrypted binary that then decrypted and ran in memory. This binary proved to be the Agent Tesla Keylogger, tasked with collecting and exfiltrating stored logins and keystrokes. Initially, the two “first stage” malware downloaders had their encrypted payloads stored on Google Drive. Newer loaders attempted to fetch payloads from a compromised host, the same host that provided the malware downloaders. The newer loaders did, however, fail to accomplish their tasks due to improper customization by the threat actor. Such error is indicative of a less-capable operator who leverages premade kits but falls short on modifying them.

Like many other phishing sites hosted on OneNote, this threat actor’s primary objective was to steal credentials. A short experiment of delivering Agent Tesla Keylogger proved lackluster, leading the operator to shun malware use in the long-term. This particular threat actor likely decided against using Agent Tesla due to a lack of experience, indicated by the several improperly configured versions of the malware. However, if threat actors continue to use a source typically exploited for credential phishing to deliver malware, this could quickly become problematic. Based on the inherent risk posed by trusted sources, traditional protections trained against OneNote and similar services may prove ineffective. If not properly addressed, this could pave the way to a prolific infection vector for malware.

Table 1: Indicators of Compromise

Description Indicator
Cofense Intelligence™ ATR ID 35838
Cofense Triage™ YARA Rule PM_Intel_AgentTesla_35838
URLs Embedded in Email hxxp://tiny[.]cc/5n9wiz
hxxp://tiny[.]cc/fo9wiz
Destination URL Hosting OneNote Notebook hxxps://1drv[.]ms/o/s!Ap0JWbG5JDSSgQhsghgIsxdnVKZi
Phishing URLs hxxps://correlimmigration[.]com/wp-content/plugins/office_support
hxxps://relife-neiro[.]org/wp-content/Office_Mail/
hxxps://theloghomeshows[.]com/wp-content/Office_Support
hxxps://www[.]hbyygb[.]cn/wp-content/plugins/hello-dolly/Office/
Malware Download URLs hxxps://www[.]farcastbio[.]com/wp-content/invoice%20file[.]pif
hxxps://www[.]hbyygb[.]cn/wp-content/file[.]ace
hxxps://www[.]hbyygb[.]cn/wp-content/File[.]iso
hxxps://www[.]hbyygb[.]cn/wp-content/invoice[.]ace
Malware Payload URLs (From Malware Downloader) hxxps://www[.]hbyygb[.]cn/wp-content/plugins/hello-dolly/file1_encrypted_9099BFF[.]bin
hxxps://www[.]hbyygb[.]cn/wp-content/plugins/hello-dolly/file1_encrypted_B73A83F[.]bin
hxxps://drive[.]google[.]com/uc?export=download&id=1esad4jMAIdWBj8XwsKCpjULr_9WHLURU
hxxps://drive[.]google[.]com/uc?export=download&id=1FwNTU5RN6QOQzvolLFC5ipjsf1a88457
Malware C2 (From Agent Tesla Keylogger) mail[@]winwinmax[.]xyz

HOW COFENSE CAN HELP

Every day, the Cofense Phishing Defense Center analyzes phishing emails with malware payloads that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology.

Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and the “Order Invoice-Agent Tesla Keylogger” template based on this threat, and remove the blind spot with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

Update March 5, 2020: FireEye provided the following statement after reviewing our blog post: “As a member of the research community, FireEye extensively tracks campaigns targeting SaaS providers and end users in order to keep up with new adversary techniques. The company first saw this OneNote campaign on January 20th, 2020 and quickly deployed temporary protections. By February 7th, FireEye had added a new OneNote detection capability to FireEye Email Security, a service that is capable of preventing the attacks referenced in this blog post, in addition to new OneNote-based campaigns.”

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Fryday – 2019 Q4 Malware Trends – Part 2

Cofense Intelligence recently released their strategic analysis of malware trends of the last quarter of 2019, along with some predictions for the coming year. In our previous episode, we looked at some of the trends seen at the end of last year. In this second part, we speak with two key contributors on the report, Cofense Cyber Threat Intelligence Analyst Max Gannon and Senior Intelligence Specialist Alan Rainer as they look ahead as to what organizations should be anticipating in the threat landscape and how to prepare for them.

For more information on topics mentioned in this episode, please visit:

Q4 2019 Malware Trends Report

Questions or comments? Reach us at phishfryday@cofense.com

Learn more about how phishing awareness training can help your organization defend against changing phishing threats.

Cofense to Host Fifth Annual Phishing Defense and User Conference

LEESBURG, Va. – Feb. 12, 2020 – Cofense®, the global leader in intelligent phishing defense solutions, today announced registration is open for the fifth annual Submerge phishing defense and user summit. Taking place at the JW Marriott Orlando, Grande Lakes on November 16-17, Submerge 2020 is the premier showcase for phishing defense and incident response professionals, providing two full days of training, technical deep dives and educational sessions led by industry leaders and cyber security experts.

This year’s conference promises more engaging hands-on content including dozens of sessions covering the latest phishing defense strategies and tactics, case studies presented by the industry’s leading experts and ample networking opportunities with peers from across the world. As with previous years, there will also be a wealth of speaker tracks, truly plunging attendees into the latest anti-phishing best practices and how they can unlock the power of collective human intelligence to defend against advanced cyber threats.

Those interested in sharing their knowledge and expertise at the event can submit a presentation abstract for consideration through the Call for Speakers submission form, focusing on one of four topics: Innovation in Phishing Awareness; Aligning Phishing Defense to the Business; Phishing Incident Response; or the Phishing Threat Landscape.

“The threat landscape continues to shift rapidly, with attackers innovating their way past Secure Email Gateways every day,” said Rohyt Belani, chief executive officer and co-founder, Cofense. “Cyber security professionals need to stay ahead of the latest attack vectors and be prepared for threats heading their way. With overwhelmingly positive feedback from previous attendees, we’re thrilled to bring organizations, partners and industry leaders the tools and knowledge they need to ramp up their phishing defense programs once again this year.”

Ideally suited for cyber security professionals, operators, and decision makers who focus on email security and phishing defense, Submerge 2020 is open to existing Cofense customers and non-customers alike. Attendees can also make Submerge 2020 an extraordinary business trip by relaxing in the Florida sunshine at the impressive outdoor pool complex or by playing a challenging 18-hole golf course designed by PGA great Greg Norman.

Early bird pricing of $249 for Submerge 2020 is available until August 1, 2020. Those interested in attending can register here and find further information on the event and venue.

###

About Cofense

Cofense®, the leading provider of intelligent phishing defense solutions worldwide, is uniting humanity against phishing. The Cofense suite of products combines timely attack intelligence sourced from employees, with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

Media Contact

press@cofense.com

Phishers Are Using Google Forms to Bypass Popular Email Gateways

By Kian Mahdavi

Over the past couple of weeks, the Cofense Phishing Defense Center (PDC) has witnessed an increase in phishing campaigns that aim to harvest credentials from innocent email recipients by tricking them into ‘Updating their Office 365’ using a Google Docs Form.

Google Docs is a free web-based application, allowing people to create text documents and input and collect data. It is an enticing way for threat actors to harvest credentials and compromise accounts. Here’s how it works:

Figure 1 – Email Header

The phishing email originates from a compromised financial email account with privileged access to CIM Finance, a legitimate financial services provider. The threat actor used the CIM Finance website to host an array of comprised phishing emails. Since the emails come from a legitimate source, they pass basic email security checks such as DKIM and SPF. As seen from the headers above in figure 1, the email passed both the DKIM authentication check and SPF.

This threat actor set up a staged Microsoft form hosted on Google that provides the authentic SSL certificate to entice end recipients to believe they are being linked to a Microsoft page associated with their company. However, they are instead linked to an external website hosted by Google, such as

hXXps://docs[.]google[.]com/forms/d/e/1FAIpQLSfzgrwZB23BXv6vumZljSGg0mUuYP4UcafmShTpUzWJoYzBPA/viewform.

Figure 2 – Email Body

The email masquerades as a notification from “IT corporate team,” informing the business user to “update your Office 365” that has supposedly expired. The “administrator” claims immediate action must be taken or the account will be placed on hold. The importance of email access is key to this credential phish, leading users to panic and click on the phishing link, providing their credentials.

Figure 3 – Phishing Page

Upon clicking the link, the end user is presented with a substandard imitation of the Microsoft Office365 login page, as seen in figure 3, that does not follow Microsoft’s visual protocol. Half the words are capitalized, and letters are replaced with asterisks; examples include the word ‘email’ and the word ‘password.’ In addition, when end users type their credentials, they appear in plain text as opposed to asterisks, raising a red flag the login page is not real. Once the user enters credentials, the data is then forwarded to the threat actors via Google Drive.

 

Network IOC IP
hXXps://docs[.]google[.]com/forms/d/e/1FAIpQLSfzgrwZB23BXv6vumZljSGg0mUuYP4UcafmShTpUzWJoYzBPA/viewform 172[.]217[.]7[.]238

 

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe through the “Account Security Alert” or “Cloud Login” templates and get visibility of attacks with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 36388.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog, are registered trademarks or trademarks of Cofense Inc.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Phish Fryday – 2019 Q4 Malware Trends – Part 1

Cofense Intelligence recently released their strategic analysis of malware trends of the last quarter of 2019, along with some predictions for the coming year. In this 2-part episode, we speak with two key contributors on the report, Cofense Cyber Threat Intelligence Analyst Max Gannon and Senior Intelligence Specialist Alan Rainer. In part 1, we’ll discuss the evolutionary nature of attacks at the end of 2019, including 4 key pieces of malware of note. In part 2, we’ll look ahead as to what organizations should be anticipating in the threat landscape and how to prepare for them.

For more information on topics mentioned in this episode, please visit:

Q4 2019 Malware Trends Report

Questions or comments? Reach us at phishfryday@cofense.com

Phish Fryday – Agent Tesla

Agent Tesla appeared on the malware scene in 2014 as a simple keylogger. We’ve seen this malware expand capabilities over the years, making it still one of the more popular types of malware distributed in phishing attacks. In this episode, we speak with Cofense Cyber Threat Intelligence Analyst Aaron Riley about the history of Agent Tesla, how it evolved, and how to defend against it.

For more information on topics mentioned in this episode, please visit:

Agent Tesla is a Top Phishing Threat

Krebs on Security – Who Is Agent Tesla?

CVE-2017-11882 – Microsoft Equation Editor Vulnerability

Questions or comments? Reach us at phishfryday@cofense.com

Learn more about how phishing awareness training can help your organization defend against changing phishing threats.