“Missed Voice Message,” the Latest Phishing Lure

By Adam Martin, Cofense Phishing Defense Center

Recently, the Phishing Defense Center (PDC) has observed a trend in phishing tactics involving missed voicemail messages. As illustrated in Figure 1 below, the end user is notified about a missed voice message from a British Telecom (BT) landline. The link directs the recipient to a website that is in no way associated with BT or any other legitimate telecom service.

Figure 1: Initial Email

Once this malicious link is accessed, the recipient is directed to the landing page seen in figure 2. This page purports to be the BT sign-in page, spoofing the BT logo and reminding the recipient of their missed messages. One minor detail worth noting is that the number of voice messages pending has changed from one to three. This is likely due to the same mass phishing mail being sent out with the parameter of one voice message, and the pre-set HTML code in the phishing page being set to three. A slight oversight on the part of the threat actor, but the page remains convincing, nevertheless.

Once the recipient has entered their details, this information is exfiltrated to an external private address. As the URL bar in Figure 2 shows, the page's address is plainly not that of the BT sign-in page.

Figure 2: Landing Page

As with many phishing landing pages, regardless of the details entered, the page redirects to the home page of the company being impersonated. This campaign is no different: once credentials are entered and the data stolen, the recipient is sent straight to the official BT help page. This is done to boost the perception of “legitimacy.”
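The lure described above, reduced to a triage rule that a mail gateway or SOC script could apply (an added example, not Cofense's code): it flags voicemail-themed mail whose links resolve to the domain in the Indicators of Compromise section below, or to any host outside the domains of the brand the mail names. The brand map, keyword list and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed: brand keyword -> domains that brand legitimately uses.
BRAND_DOMAINS = {"bt": {"bt.com"}}
VOICEMAIL_HINTS = ("missed voice", "voice message", "voicemail")
# Domain taken from this page's Indicators of Compromise section.
KNOWN_BAD_DOMAINS = {"irxi.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def host_belongs_to(host, domain):
    """True if host equals domain or is a subdomain of it (no substring tricks)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def body_text(msg):
    """Concatenate the text parts of a (possibly multipart) email message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_email):
    """Return (verdict, reasons); 'phish' when a voicemail lure links to a known-bad or off-brand host."""
    msg = message_from_string(raw_email)
    text = (msg["Subject"] or "") + "\n" + body_text(msg)
    lowered = text.lower()
    if not any(hint in lowered for hint in VOICEMAIL_HINTS):
        return "ok", []  # not a voicemail lure; other rules would apply
    brand = next((b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", lowered)), None)
    hosts = [h for h in (urlparse(u).hostname for u in URL_RE.findall(text)) if h]
    reasons = []
    for host in hosts:  # .hostname is already lowercased
        if any(host_belongs_to(host, bad) for bad in KNOWN_BAD_DOMAINS):
            reasons.append(f"known-bad host {host}")
        elif brand and not any(host_belongs_to(host, d) for d in BRAND_DOMAINS[brand]):
            reasons.append(f"{brand.upper()} lure links off-brand to {host}")
    return ("phish" if reasons else "ok"), reasons

# Constructed sample: the BT voicemail lure, linking to the page's IoC host.
SAMPLE_LURE = ("Subject: You have 1 missed voice message\n\n"
               "A caller left a voice message on your BT landline.\n"
               "Listen: http://n5vxdrhwohgzy3gzy3gjft2xruwhe7zmquok80.Irxi.com\n")
# Constructed sample: identical wording, but the link goes to the brand's own domain.
SAMPLE_LEGIT = SAMPLE_LURE.replace(
    "http://n5vxdrhwohgzy3gzy3gjft2xruwhe7zmquok80.Irxi.com", "https://www.bt.com/help")
```

`triage(SAMPLE_LURE)` returns a phish verdict naming the IoC host, while `triage(SAMPLE_LEGIT)` returns `("ok", [])`; the off-brand branch also catches a lure that uses a fresh, not-yet-listed domain.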

Figure 3: BT Homepage

Figure 4: Landing Page as it stands

That missed voice messages continue to be a trending phishing tactic leads to one conclusion: a high success rate. The landing page or impersonated provider will change depending on the targeted region, but one thing remains certain: the tactic will continue for as long as threat actors succeed with it.

Cofense is here to help with our analysts and technology to enable users to quickly identify validated or newly observed threats. We have the necessary products to help your SOC team isolate threats to reduce risk and further leverage the IOCs to mitigate a potential incident. Contact us to learn more.

Indicators of Compromise

http://n5vxdrhwohgzy3gzy3gjft2xruwhe7zmquok80.Irxi.com
144.76.162[.]245

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Cybersecurity Career Awareness

By Tonia Dudley

With the large gap in the cybersecurity workforce, it’s not surprising that the Cybersecurity and Infrastructure Security Agency (CISA) advocated to reserve week 3 of Cybersecurity Awareness Month for this theme. This week’s theme is in coordination with the NIST National Initiative for Cybersecurity Education (NICE). If you’re looking to move into one of these roles, throughout this week there won’t be any shortage of resources, many of them free, to help you navigate this journey.

You have skills. Needed skills. The first step to identifying how you can move toward a cybersecurity role is taking a look at the NICE framework. Using this framework, you’ll be able to assess the skills you already have to identify how those align to roles for you to make that step. Then start looking for job titles or descriptions that match. Leverage your network to see who might already be doing that job you desire, how they got there and if they know of others that have an opening.

For organizations looking to build out their InfoSec teams, the NICE framework is also a great resource when it comes to writing job descriptions, certification requirements, salaries or career development paths.

As someone who started a career in finance (several different roles), migrating to IT then onto information security (InfoSec), I can tell you it’s not impossible. Here are a few tips I can offer if you’re looking to make this change:

  • Making a career change to a completely different role is easiest in your current organization. Build relationships with individuals and hiring managers in your future role or department.
  • Look for shadowing opportunities. As you build your internal network, inquire if they allow “shadowing” of entry level roles so you can get an idea of what it would be like to sit in that seat.
  • Volunteer to work on special projects. This can get you exposure to the people making hiring decisions and visibility into your skills.
  • If you’re looking for a more technical role, build your “home lab.” It’s not uncommon for a leader interviewing for a technical role to ask what you are working on in your spare time. This is a great way to demonstrate your ability to learn and grow.
  • Don’t be afraid to make a lateral move. Career progression isn’t linear; it’s a wide and winding path.
  • Join industry organizations that sponsor certifications, even if you don’t yet qualify for those certs (number of years’ experience). These organizations will often provide ongoing training opportunities for free to members.

When you’re searching for your next role, don’t forget to look at cybersecurity vendors or service providers. We need individuals with your skills too! Check out our career page for openings in Sales, Software Engineering, Customer Support and several others.


Taliban Takeover in Afghanistan Provides Fodder for Advance-Fee Phishing Lures

By Dylan Duncan

Threat actors are well known for developing campaigns based on world events; the Taliban takeover in Afghanistan is no exception. In the past two months, the Cofense Intelligence team has observed a steady stream of Afghanistan-themed phishing emails in the wild.

We are seeing an assortment of advance-fee and inheritance scams using the newsworthy events in Afghanistan as a means of targeting victims’ emotions and financial interests. Common themes include CEOs of Afghan companies needing to liquidate assets before funds are taken, emails attempting to exploit religious and humanitarian tendencies, and various other proposals. It is likely we will see changes in campaign volume and themes as the situation in Afghanistan changes.

Classic Scam Emails Capitalize on Afghanistan Crisis

Advance-fee scams are old tricks that are still used by threat actors and are often popular among business email compromise (BEC) operators. In this type of fraud, it is common practice to target a victim’s emotions in order to get a payment upfront in hopes of later receiving a much larger sum of money. As with various forms of BEC, the emails in these campaigns may have an easier time reaching end users because there is no malicious attachment or URL that delivers malware or attempts to harvest credentials. This technique relies heavily on the end user’s lack of understanding of the phishing threat landscape.

Within the emails we observed, the Cofense Intelligence team recognized a significant increase in the use of recent events in Afghanistan as a theme. Figure 1 below shows the volume of relevant emails by month over the past year. Not every email in this data set is definitively an advance-fee scam (some may be inheritance or romance scams), and a minuscule percentage may be commercial or political spam. The chart shows how much the relevant email volume increased during the latter part of the Taliban offensive in comparison to the rest of the year. There was a short-lived volume increase in February, but that increase was still modest compared to the much larger spike occurring in the last two months.

Figure 1: Volume by month of likely scam emails using Afghanistan themes

Phishing campaigns using the Taliban takeover in Afghanistan as a theme have taken a variety of styles. Two primary styles are represented by the emails in Figure 1 and Figure 2.

Figure 2 is a business-themed email claiming to be sent by a bank CEO who needs to liquidate assets before the Taliban siphon all their assets. This email appears to be targeting organizations as it mentions investing the funds into the target’s business. With large sums of money offered for transfer, the “transfer fees” threat actors are seeking would be substantial, even if only a small percentage of the total.