Phish Found in Environments Protected by Proofpoint, Microsoft, Cisco, Mimecast and Symantec

By Mark Zigadlo, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) sees tens of thousands of phishing emails that bypass secure email gateways (SEGs) every month. The PDC is an advanced managed detection and response (MDR) service that can remediate these malicious emails from mail environments within minutes.   

A few examples of phishing emails found in environments protected by SEGs can be found here. The ineffectiveness of SEGs continue to increase business risk daily. And the solution is more than high production-value awarenesstraining modules. You need a combination of people and technology to combat the innovativeness of attackers to quickly reduce/remove the business risk. 

Here’s a recent and real story about a phishing campaign (and its quickly morphed successor) that bypassed SEGs from Proofpoint (PFPT), Microsoft (MSFT), Mimecast (MIME), Cisco (CSCO) and Symantec (SYMC).   

The suspicious email below arrived in my inbox. I reported it to the PDC using Cofense Reporter.

Figure 1 – Phishing Email 

I received a response eight minutes later saying the email was malicious (BazarBackdoor malware) and removed from my mailbox. Amazing speed, eight minutes to remove the threat and stop the attack!

Detection

Drilling down further, I saw Cofense’s network effect was in full action in the PDC. The network effect is the unique combination of people and technology that allows one participant in the network to benefit from threats found by another participant in the network. At Cofense, we have over 25 million people contributing to make the network effect an unparalleled security tool. In this case, the PDC had detected similar attacks for 15 other PDC customers (people in the network), which enabled the PDC to respond with lightning speed throughout the day.

Here is the kill chain/timeline for the first customer that received this phishing campaign.

Twelve minutes between the first report and removal of malicious emails from user mailboxes, but the story gets better.   

The PDC uses a key feature of Cofense Vision called Auto Quarantine which looks for new emails matching the ones just identified and quarantined. Over the next 24 minutes, 22 additional emails were detected and removed by Cofense Vision. 

Response & Remediation 

As we know, attackers are constantly innovating to bypass security technology. This is why you need the combination of people and technology to reduce/remove the risk. This case was no different. Two hours after the first phishing campaign was identified and stopped, a slightly modified campaign was launched against the same customer. The PDC jumped back into action again. 

More amazing results. Twenty-two minutes between the first report of the modified campaign and removal of malicious emails from user mailboxes through Cofense’s Phishing Defense Center.

The Phishing Defense Center harnesses phishing intelligence from the frontlines of the world’s most active phishing campaigns to quickly protect everyone in the network. 

To learn how you can efficiently identify and remove phish that have bypassed your SEG, click here for a free demo of the Phishing Defense Center. 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Twelve Flavors of Phish: Canadian Workers Targeted With Fake Covid-19 Relief Deposits

By Jake Longden and Elmer Hernandez, Cofense Phishing Defense Center

Financial aid programs continue to be popular targets in the midst of the COVID-19 pandemic, with government relief grants a particularly great one to exploit.  

The Cofense Phishing Defence Center (PDC) has observed a recent phishing campaign in Canada that aims to harvest banking credentials and other personal information from 12 different banking institutions. This was achieved by preying on employees who were expecting COVID-19 relief grants in the form of the CERB (Canada Emergency Response Benefit). These funds are supposedly sent via an electronic transfer from Interac, a legitimate Canadian interbank network. 

With multiple world governments providing such grants, and millions of people relying on these as their main source of sustenance, adversaries will continue exploiting such dependence. 

CERB Deposit

The email purports to be a notification from Interac’s e-transfer service, indicating that the Canada Revenue Agency (CRA) has made a CERB deposit of $1,957.5 CAD (approx. $1,463 USD). A fictitious expiration date is included in an attempt to instill a sense of urgency.

The CERB scheme gives financial support to employed and self-employed Canadians who have been affected by the COVID- 19 pandemic. It offers $2,000 CAD (approx. $1,490 USD) for a four-week period.

Figure 1 – Email Body 

Header

The SPF fail in the headers (Figure 2) indicates that the email is likely spoofed, and the IP address suggests that it came from a potentially compromised device using the University of South Florida network (Figure 3). The choice of the name ‘cra-cerb’ in the address is used to add credibility to the email.

Figure 2 – SPF Fail 

Figure 3 – USF IP Address 

A Phish of 12 Different Flavors

The first landing page the phish visits is an impersonation of the CRA. It has working links in both French and English like a legitimate site from the Canadian government. Once the user has selected their language choice, they will be redirected to an impersonated Interac e-transfer site in said language.

Figure 4 – CRA Spoofed Site  

Once in the spoofed Interac e-transfer site (Figure 5)the user must choose their personal bank from twelve different options in order to receive the deposit. All of these banks are actual members of the Interac network, which suggests attention to detail from adversaries: 

  • ATB Financial 
  • Bank of Montreal (BMO) 
  • Canadian Imperial Bank of Commerce (CIBC) 
  • Desjardins 
  • Laurentian Bank 
  • Meridian 
  • National Bank of Canada 
  • Royal Bank of Canada (RBC) 
  • Scotiabank 
  • Simplii Financial 
  • Tangerine 
  • TD Canada Trust 

Figure 5 – Spoofed Interac Page 

Next, the recipient is taken through a series of spoofed pages for the corresponding bankwith some offering both English and French versionsAll pages reside within compromised website of a Washington, DC area businessThe URL paths vary depending on the bank, but follow the following format:  

hxxps://lincolnrestaurant-dc[.]com/interca/{unique 32 character string}/bank/{bank name}/{html or php file} 

Although no two options are identical, most of the twelve spoofed banks ask for similar details: 

  • Usernames 
  • Card Numbers 
  • Passwords 
  • Security Questions and Answers 
  • Personal Information (PI) (Full Name, Date of Birth, Email, etc) 

Scotiabank (English) was chosen to showcase an example of the entire phish process. The initial page the user is presented with is a standard login page asking for credentials, notice the slight typo of the word “sign” on the “Sing in button (Figure 6). 

Figure 6 – Scotiabank Sign in 

The next page asks for sensitive PI and card information (Figure 7). The user is then asked for Security questions and answers (Figure 8), which might falsely provide the reassurance that some form of multi-factor authentication is being employed. The combination of PI such as a Social Insurance number, credit card numbers and MFA questions could form a fairly solid base for identity theft/impersonation. Once submitted a final page confirms the funds will be deposited in 48 hours (Figure 9).

Figure 7 – Scotia PI and Card Info 

Figure 8 – Scotia MFA Security Questions 

Figure 9 – Deposit Successful 

Figures 10 through 20 show the login pages for the remaining eleven spoofed banks.  

Figure 10 – ATB 

Figure 11 – BMO 

Figure 12 – CIBC  

Figure 13 – Desjardins  

Figure 14 – Laurentian  

Figure 15 – Meridian  

Figure 16 – National Bank 

Figure 17 – RBC  

Figure 18 – Simplii  

Figure 19 – Tangerine  

Figure 20 – TD  

Indicators of Compromise

Malicious URL:

hxxps://lincolnrestaurant-dc[.]com/interca

Associated IP:

108[.]167[.]182[.]39

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Cofense PhishMe Achieves Agency ATO

Today, we are delighted to announce that Cofense PhishMe has received Agency Authority to Operate (ATO) from the US Department of Health and Human Services (HHS). This is an important milestone in the Authorization Process of the Federal Risk and Authorization Management Program (FedRAMP) Agency Authorization Process. Now the FedRAMP PMO will begin their review of our ATO package. We are getting closer to completing Phase 3 (Authorization Process) in pursuit of our FedRAMP ATO.

Check back for any updates on our FedRAMP Authorization journey.

Learn More

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Trend: Credphish Links Stuffed in Benign Attachments Are on the Rise

By Kian Mahdavi, Cofense Phishing Defense Center

While it’s true that most enterprise-directed phishing is credential phishing, that doesn’t mean attackers have completely abandoned attachments. The days of malware-laden attachments are dwindling. You’re not going to find dangerous embedded macro or .VBS in 2020 at the same frequency observed in 2016. Attackers are using attachments, more now than ever, to deliver embedded URLs. Why? Because secure email gateway (SEG) vendors have emphasized auto-scanning and wrapping URLs in the body of emails.

During the last few weeks, the Cofense Phishing Defense Center (PDC) has observed a significant uptick in credphish URLs stuffed in attachments successfully bypassing several commercial SEGs. The attachment types are varied, but many are commonly used in normal business communications – .DOC .HTML, .HTM, .XLSX, .PDF, etc. Check out our REAL phishing threats samples here for a complete list.

If you think stuffing credphish URLs in attachments to sidestep automated URL scanning is a no-brainer for attackers, we agree. You’d be surprised at the number of SOAR vendors demoing automated-phishing-analysis playbooks that fail due to this simple attacker adaptation. This phenomenon isn’t going to slow down.

Here’s a common example of a campaign reported to the PDC by a vigilant user:

Figure 1: Email Body

There has been a recent rash – 500 variants – of this campaign reported from our users via the Cofense Reporter Button. The campaign originated from an assumed compromised account from a legitimate business. Originating from a legitimate business surely added to a sense of legitimacy. Luckily, the recipient asked themselves: “Am I expecting to receive a document from this sender?”

Upon opening the attached .XLSX document, Microsoft Excel loads, prompting the user to click an embedded image using “trusted” brands to spruce up the legitimacy of the ruse. Once clicked, the attack redirects to the phishing landing page requesting the user’s credentials.

Figure 2 – The underlying “Open” link doesn’t take the victim to OneDrive

Once credentials have been supplied, the phishing website redirects the user to the authentic “office[.]com” to make the victim feel like the whole experience was legit.

Figure 3 – Phishing landing page 

Figure 4  Redirect to authentic office[.]com webpage 

Figure 5 below displays the HTML source code with POST command when a user types in their credentials and attempts to login. In fact, their personal data gets forwarded to the attacker via a pre-configured PHP script.    

Figure 5 – POST command forwards users’ credentials to the above URL 

Slipping credential phish URLs into innocuous attachments is going to frustrate SEGs for years to come because of the endless file formats that support HTML, compounded by all the clever ways attackers can obfuscate those URLs from automated analysis. Cofense customers avoided a disaster because of their commitment to upgrading their wetware.

Indicators of Compromise: 

Network IOC   IP 
hxxps://noshgosh[.]com/9833636833/mau [.]html  192[.]185 [.] 181 [.] 28 
hxxps://runyourrideonwater[.]com/a1/shareaumine/login[.]php  192 [.] 185 [.] 148 [.]151 

 

File name:  Copy of mstglobal.xlsx  
MD5:  519615b29249d944f7564eb4f2d1feac 
SHA256:  ff9f56c61230a45ab662e7e2b650ec834ba4194cbcbc7cfcbdd06c0b046b64f6 
File Size:   36.2 KB 

Want to know the breakdown of phishing attacks by type? Make sure you look out for our annual report.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

 

Phish Fryday – Phishing Threats with Palo Alto Unit 42

Phishing threats take many forms and are used to deliver malware, steal credentials, and entice recipients into taking actions they will later regret. Despite advances in technology, these threats continue to reach inboxes and continue to succeed. In this episode, we speak with Ryan Olson of Palo Alto’s Unit 42 and Cofense Intelligence Product Manager Mollie MacDougall.

Learn more:

Phish Fryday – Emotet Returns

Coronavirus InfoCenter

COVID-19: The Cybercrime Gold Rush of 2020

Emotet Thread Hijacking, an Email Attack Technique

Questions or comments? Reach us at phishfryday@cofense.com

sample phish spoofs salesforce to deliver credential phishing link

Phish Found in Proofpoint-Protected Environments – Week Ending September 27, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. This week we see a plethora of links – most of them using trusted services – reach customer inboxes. When technology is unable to block phish because of the risk of blocking legitimate emails, it’s well-trained users that detect and report threats.

sample phish spoofs the irs to deliver a link to buer loader

TYPE: Malware – Buer Loader

DESCRIPTION: This phish uses the element of surprise and urgency with a tax theme to lure the recipient into clicking the link. The link looks trustworthy, since it’s hosted in Google Docs. It leads, however, to an install of the Buer Loader. Cofense has been writing about the use of Google Docs in phishing attacks since 2017.

sample phish uses a payment theme to deliver a link to credential theft

TYPE: Credential Theft

DESCRIPTION: Leveraging a finance theme, this phish uses trustworthy Microsoft OneDrive URLs. Okay, so they’re not quite trustworthy, since they’ll lead the recipient to a Microsoft OneNote document that redirects to a credential harvesting site. Where did you want to go today?

sample phish uses a shipment theme to deliver a link to netwire rat

TYPE: Malware – NetWire RAT

DESCRIPTION: Spoofing a logisitics company, this phish promises shipping information but hides malicious links behind innocent-looking images. Clicking the link leads the recipient to install GuLoader, which installs the NetWire Remote Access Trojan.

sample phish delivers a google doc link to buer loader that installs bazarbackdoor

TYPE: Malware – Buer Loader

DESCRIPTION: If you’re thinking this phish looks awfully familiar, it’s not you. Aside from the change to an employee termination theme, this attacks leverages the exact same tactic as our first example – a Google Docs-hosted threat. In this case, the Buer Loader goes on to install the BazarBackdoor malware. These attacks should get you all fired up.

sample phish delivers xlsx attachment leading to agent tesla keylogger

TYPE: Malware – Agent Tesla

DESCRIPTION: Using a purchase theme, this phish offers to place an order for seafood but delivers a malicious Microsoft Excel spreadsheet with a CVE-2017-0199 to CVE-2017-11882 download chain to the Agent Tesla Keylogger. I wonder if they wanted that seafood shipped COD?

sample phish delivers credential phishing link using a document theme

TYPE: Credential Theft

DESCRIPTION: Spoofing a healthcare organization, this document-themed phish delivers a link to a credential harvesting site. Although redacted to protect the innocent, this sample used a very legitimate-looking message with signature block and legal disclaimer.

sample phish spoofs salesforce to deliver credential phishing link

TYPE: Credential Theft

DESCRIPTION: This phish uses urgency and the trappings of a popular SAAS platform to lure the recipient into clicking the link. In this case, the links lead to a credential harvesting site. Although not a panacea, Multi Factor Authentication (MFA) is still an effective way to protect your organization.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

101 Credential Phishing for Observant Employees

By Luis Raul Parra, Cofense Phishing Defense Center

Asome point in your (digital) life you have received annoying notifications about unexpected signin attempts to one of your accounts/services, and you have ignored them. After all, it was just an attempt – no one was able to access anything. Yet, if you are vigilant enough, you would report this unauthorized attempt to the service provider and contribute to enhancing security. Well done! But keep reading; this article is for you.  

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Office365 (O365) credentials of “vigilant” users who want to act on unrecognized sign-in attempts to their accounts.  

The campaign was reported by users in several companies across Englishspeaking countries including the United States, England and Scotland. The message was carefully crafted to pass as a real alert of an unexpected sign-in on the recipient’s corporate account. It urged immediate action. 

Figure 1: Email Body

All reported emails used the same technique to customize the attack: The “From” field contained the address “postmaster@COMPANYDOMAIN.cpasurveys.com” in order to convince the end user that this was a valid alert notification from their company’s email security system.  

Figure 2: Email Header

The subject of the email states that there was a sign-in attempt to the user’s account from an unrecognized device, specifying the name of the user and claiming to come from “COMPANYNAME Mail Service”. The content of the body states the timestamp, location, IP address and device where the (false) attempt was performed. In all cases, the IP address shown in the body was 194[.]209[.]77[.]62.  

To make the email even more credible, the attackers included a confirmation code stated to be valid for 24 hours with aims of pressuring the recipient to act within that time. They were thoughtful enough to add the message “if this was you, you’re all set!” 

Furthermore, there was the option to click on the “Unsubscribe” button in order to stop receiving future messages like these. The URL behind a link of the type hxxps://tracking[.]mail[.]netflix[.]tshirtsintaramerica[.]com/click/* is possibly just a tracker that then redirected to the official company website.

The credential phishing attempt was done through an HTML file attached to the email. Images and CSS styles were pulled from a different website: hxxps://youmustlast[.]website/wassets/: 

Figure 3: CSS Style 

The HTML file already contained the user’s email address in the email account address field: 

Figure 4: Phishing Page

Should the recipient enter the corporate credentials into the attached HTML page, a POST action sends the username and password to the threat actor and the URL hxxps://sharepreview[.]site/win/next[.]php

Figure 5: POST Action

Credential phishing done. At the same time, you’ve been made to feel vigilant at having spotted something untoward happening with your account. That’s how the attackers attempt to trip up alert and conscientious users.  

Network IOC   IP   
hXXps://sharepreview[.]site/win/next[.]php  23[.]254[.]130[.]108 
hXXps://youmustlast[.]website/wassets/statuspage[.]css  63[.]250[.]38[.]73 
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

You Can Respond to Phishing Threats in Seconds with Cofense and Cyware: Here’s How

Targeted and relentless. Threat actors pinpoint organizations to steal credentials, infect endpoints, encrypt data for ransom, or exfiltrate intellectual property or non-public information.

All organizations will be phished, but they don’t have to experience a reputation-damaging breach. The best defense is a combination of aware employees, purpose-built phishing solutions, automated incident analysis and response playbooks, and a repeatable process that scales as fast as attackers innovate.

Cofense and Cyware have partnered to provide organizations with the resources to collect phish that evade secure email gateways (SEGs), automate the analysis, and determine threat severity in seconds.

The security workflow is preceded by conditioning employees to recognize suspicious email and report to their security team. What happens next is a blend of technology and intelligent analysts who have the right information to make an informed decision without negatively impacting the business.

The use case is simple, and the process is effective:

  • Phish evade the SEG
  • Employees report the suspicious email
  • Cofense TriageTM ingests and analyzes one or more email clusters with similar tactics
  • Cyware CSOL (security orchestration platform) ingests indicators from Cofense Triage
  • Cyware CTIX (threat intelligence platform) enriches indicators from Cofense Triage with Cofense IntelligenceTM and other premium intelligence sources
  • Cyware CSOL runs a complete response playbook which may include blocking a URL at the network gateway to protect employees from reaching the external phishing site

Let’s look at the sequence of events and how the response is carried out.

  1. Phisher crafts their email (figure 1) and in this case is attempting to direct the employee to a malicious site where a payload could infect the endpoint.

Figure 1. Malicious link within a company-wide email portraying to be from HR

2. A conditioned employee reports the email that evaded the SEG to a predetermined abuse mailbox monitored by the SOC. Purpose-built Cofense Triage ingests all emails from the abuse mailbox and automatically analyzes to quickly remove benign reports while at the same time highlight real threats.

Figure 2. Reported email ingested into Cofense Triage for automated analysis

3. Upon ingestion into Cofense Triage, out-of-box phishing rules are applied, and automated analysis categorizes the email as ‘advanced threats’, matching Emotet indicators and tactics. Benign emails are not impairing the view and the SOC can focus on credible phishing threats from a highly reputable reporter (in this case, a VP within the company).

Figure 3. Processed email matching advanced threats Emotet rules

4. Knowing this email is dangerous, the URL is designated malicious by an analyst

Figure 4. SOC analyst verifying malicious threat indicator

5. Additional validation within Cofense Intelligence further confirms the URL is malicious and delivers analysts related phishing indicators that, in this example, are part of the Emotet malware family. Other domains, files, and URLs are returned from knowing just one threat indicator.

Figure 5. Cofense Intelligence JSON output snippet with additional threat indicators

6. Once Cofense has confirmed that the URL is malicious, the analyst can leverage the orchestration capabilities of the Cyware Security Orchestration Layer (CSOL) to take action and begin remediation and triage efforts. CSOL gives users the ability to create automated, customizable workflows that easily integrate with the other tools in their security stack.

In this example, the analyst initiated the Cofense Triage Playbook to ingest the data it received from the Cofense Triage API. The playbook parsed the available data from Cofense to find the associated indicators, and then leveraged integrations with their other enrichment tools to fully enrich all associated indicators.

Figure 6. CSOL ingests Cofense Triage phishing data

7. Once enriched, the CSOL Playbook automated the mitigative action. The sender of the malicious email was automatically blocked at the email gateway and a confirmation notification was sent to the analyst.

Figure 7. CSOL runs through remediation to block sender at the email gateway

8. In addition, the malicious IOCs were sent to the SIEM to perform a historical lookup. If any of the malicious IOCs were previously seen in the organization’s environment, an alert was created and sent to the SOC team.

Figure 8. CSOL runs through additional steps from data received from Cofense

9. Finally, proactive defensive action was taken. The malicious URL was automatically blocked at the firewall, and all associated indicators were added to CTIX, Cyware’s Threat Intelligence Platform. Adding these indicators to CTIX ensures that this intelligence is memorialized and can be used at a later time for analytics, enrichment, and further correlation by the threat intel team.

Figure 9. CSOL blocks URL at the firewall and ingests other indicators into CTIX

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

End of Support for Windows 7 Means Beginning of Upgrade-Themed Phishing Campaigns

By Kaleb Kirk, Cofense Phishing Defense Center  

Over the last few years, businesses have been getting serious about updating their corporate desktop images. For quite some time, Windows 7 has been the predominant operating system (OS) for many workplaces and environmentsWindows 10 was released in 2015yet many companies are just now making the transition. With that comes the pains of upgrading end users machines. Standardizing a corporate desktop image is arduous with complicated edge cases that must be considered for all the hardware variants. The job is further complicated when thirdparty software has yet to officially support a new OS. This explains why enterprises wait, sometimes for years, before taking the plunge. Unfortunately, these delays give the bad guys time to refine exploitation techniques on older operating systems lacking the latest architecture.  

The phishing lure below preys on the victim’s anxiety about losing productivity while their computer is upgraded. Comically, the attacker uses a colorful list of benefits the end user receives to get them to take the baitWill we see an uptick in this phishing lure? It will depend on the success rate of this theme. Time will tell.   

Figure 1-2: Email Body

The subject references a Windows upgrade, but there is also something else manipulative: the inclusion of the “RE:” before the rest of the subject. Internal email about company meetings, news and IT upgrades are common. Prefixing the “RE:” may instill a sense of urgency by leading the user to believe they have missed a prior communication about the upgrade.

We look at phishing emails that bypass commercial gateways all day, every day. Most of them are hastily slapped together. This lure needs improvement, but it’s not completely awful. We give this threat actor two gold stars for the table with made-up laptops, fake serial numbers, building, etc. It applies a good sense-of-urgency ploy using the highlighted “Today,” and the body doesn’t have obvious grammar or spelling errors. Again, not completely awful.

How can this attacker upgrade this lure from a C- to a B+? This email would be more believable if the sender were more generic. “Helpdesk,” for example. We obfuscated the From: line of the compromised account  “Genadiy” which was not from the intended victim’s company domain, and certainly not from their IT department. The intended victim unfortunately doesn’t have a clean way to easily know the true underlying URL because it’s annoyingly masked by Proofpoint’s URL Defense (which, ironically, would not have defended the user because, once clicked, the phishing page loaded instantly).

Figure 3: Credential Phishing Page

Figure 3, above, shows the loaded credential phishing page. This page gets a D- for lack of effort. They wasted a valid SSL certificate on a terrible version of an OWA login page.

This phish closes out cleanly by redirecting the intended victim to a Microsoft page about the discontinued support of Windows 7 (but still leaves the target worried about their OS upgrade).

Figure 4: Final Redirect

Attackers have been using the “time to upgrade your out-of-date software” ploy for years. With Windows 7 ending official support, it won’t be surprising if we see a flurry of better versions of this phish in the future. Hopefully your vigilant users know that “Genadiy” (from a company that isn’t yours) doesn’t upgrade an operating system “Today,” and via email. Cheers.

Network IOC IP
hXXps://app[.]getresponse[.]com/site2/ken23456789765?u=w3DxF&webforms_id=hlvzr 104[.]160[.]64[.]9
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Virtual Submerge – excitement and a consensus:

We‘ve closed the curtain on Virtual Submerge 2020, but our collective work is nowhere near done. The engagement in our breakout sessions and solutions center demos, as well as the feedback we receivedclearly conveyed that enterprises are continuing to struggle identifying and removing phish from their environments. 

During the event we received questions from, and chatted with, security experts from around the globe, including representatives of governments, security firms, nonprofits and enterprises. Take a look at a sampling of the comments, below, and in the social images in the sidebar.

  •  “I just wanted to pass along my compliments to Rohyt Belani and Aaron for the Keynotes…the Keynotes were both awesome! Great information and great styles from both.”
  • “I really liked the presentation on ‘How to Reach a 0% click rate.’…top notch job.”
  • “I am interested in catching phish that get by our secure email gateway, especially those leveraging O365 framework…tell me what we need…”

Virtual Submerge 2020 on Social

The Virtual Submerge sessions will be available for the next 30 days. If you’d like to view sessions again, or know others that might be interested, you can register here.

Thanks to everyone who joined. We look forward to the next time!

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.