Cyber Gang Targets Users with Password Expiration Scam

By: Tej Tulachan, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) recently uncovered another dose of credential phishing attacks on consumers, in which threat actors lure their victims with well-known social engineering tactics. Because Microsoft Single Sign On (SSO), and the protocols behind it such as OAuth2, is so widely used, a single set of harvested credentials can unlock many important services, which makes credential harvesting an especially powerful means for threat actors to compromise them.

Figure 1: Email Body

The “From” address in Figure 2 uses a well-known fragrance company’s spoofed domain with an IP address of 40[.]107[.]220[.]139. Most likely for this reason, the email slipped past basic authentication checks, such as the sender policy framework (SPF). However, on further inspection, we see what is likely the actual sender’s address “Return-Path” from a compromised domain registered to a U.S. law firm, with an IP address of 10[.]217[.]135[.]43.

Attributes such as a sender email address can be unreliable indicators of compromise (IOCs) when writing YARA rules. Why? Because they are often changed quickly and have a very short time-to-live (TTL). Strong IOCs capture repetition and meaningful patterns, which yields higher-quality YARA rules and a longer period during which the threat keeps being tagged.

Figure 2: Header Analysis

Figure 1 shows the email body, which was found in environments protected by several secure email gateways (SEGs). We noted that the spoofed sender’s address remained static across the campaign, allowing for a high degree of signature-based detection efficacy. A bonus for defenders, this static sender address can be blocked by the endpoint detection team or even the SEG.
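The two header signals discussed above, an exact-match blocklist for the static spoofed sender and a From/Return-Path domain mismatch, can be checked mechanically. The Python below is an added illustration, not code from the Cofense article; the message and every address and domain in it are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the campaign: the visible From uses a
# spoofed brand domain while Return-Path points at a different domain.
# All addresses are placeholders, not values from the article.
SAMPLE_EMAIL = """\
Return-Path: <bounce@lawfirm-placeholder.example>
From: "IT Support" <no-reply@fragrance-brand-placeholder.example>
To: victim@victim-org.example
Subject: Your password will expire today

Your password is about to expire. Click the link below to keep it.
"""

# The article notes the spoofed From stayed constant across the campaign,
# so an exact-match blocklist is a cheap, high-precision signature.
BLOCKED_SENDERS = {"no-reply@fragrance-brand-placeholder.example"}


def sender_domains(raw: str) -> tuple:
    """Return (from_domain, return_path_domain), lower-cased; '' if missing."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, rp_addr = parseaddr(str(msg.get("Return-Path", "")))
    return (from_addr.rpartition("@")[2].lower(),
            rp_addr.rpartition("@")[2].lower())


def triage(raw: str) -> list:
    """Return detection reasons for one message; an empty list means clean."""
    reasons = []
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    if from_addr.lower() in BLOCKED_SENDERS:
        reasons.append("from_in_blocklist")
    from_dom, rp_dom = sender_domains(raw)
    # A Return-Path on a different domain from the visible From is the
    # classic sign that the displayed sender is spoofed.
    if from_dom and rp_dom and from_dom != rp_dom:
        reasons.append(f"return_path_mismatch:{from_dom}!={rp_dom}")
    return reasons


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```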

Threat actors sometimes use legitimate but compromised domain names to send out such phishing emails. Pivoting the domain led us to a legitimate law firm based in the United States that was registered in February 2015.

The longer a domain has been registered, the greater the chance the domain will be recognized as non-malicious. This may be a preferable approach for the adversary versus registering a new domain for the purpose of sending out credential phishing emails. That is not to say that the characteristic of being newly registered makes a malicious domain easily identifiable. Instead, it’s a combination of suspicious attributes that raises red flags.

Figure 3: Phishing Landing Page

The image in Figure 3 is what the recipient would see. It looks perfectly legitimate, with all the functionality a genuine Microsoft login page would have. At this stage we can state with high confidence that the threat actor's objective was to harvest as many users' credentials as possible in a given period of time.

Should the recipient provide their credentials, the web page would redirect seamlessly to the legitimate Microsoft login page, thereby deflecting suspicion.

How Cofense Can Help

Every day, the Cofense PDC analyzes phishing emails with credential phishing attacks and malware payloads that bypassed email gateways and were reported by well-conditioned users. Of the threats found, 100 percent were identified by the end user and mitigated by a human analyst. None were stopped by the endpoint detection technology.

Thanks to phishing training, users have the know-how to look out for evolving phishing attacks. Using Cofense Reporter, they can forward threats to the Cofense PDC for analysis. Cofense Triage reduces real-time exposure to threats, and combines with Cofense Vision to quarantine them.

Cofense Intelligence then protects your organization against emerging threats. Cofense Intelligence customers received additional information about this specific campaign in Active Threat Report (ATR) 222896. To learn more about what Cofense can do to protect your enterprise, contact us any time.

Indicators of Compromise

IOC: hXXps://ww3sXUcRltmd[.]asesiklimlendirme[.]com[.]tr/
IP: 83[.]150[.]212[.]44

IOC: hXXps://production[.]passwordupdate00-microsoftpasswordupdate00-odragrant-tooth-3351[.]lllibby-webb6868[.]workers[.]dev
IP: 109[.]169[.]71[.]112, 104[.]21[.]75[.]60, 172[.]67[.]214[.]249

IOC: hXXps://smtpjs[.]com/v3/smtpjs.aspx
IP: none listed

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Dept. of Labor Phish Appears for the Month of December

By Alex Geoghagan, Cofense Phishing Defense Center

Impersonating a government entity is a relatively common tactic for threat actors. Through this impersonation a threat actor seeks to gain trust or authority in an interaction with a potential victim. Recently, the Cofense Phishing Defense Center (PDC) analyzed a phishing campaign that impersonates the United States Department of Labor. In this specific campaign, the threat actor also adds a financial incentive with the lure of an “INVITATION FOR BID” through the Department of Labor.

Figure 1: Email Body

As seen in Figure 1, the threat actor was able to spoof the dol.gov “From” address to increase the appearance of authenticity. The body of the email is structured to look like an RFP for “ongoing government projects.” The recipient is prompted to open a PDF attachment for information and directions for the bid invitation. A recipient who opens the attachment without realizing that this is not a legitimate government communication will be presented with a PDF document that contains a link to the phishing website.

Figure 2: PDF Attachment

The PDF, shown in Figure 2, is carefully crafted to lend credence to the scam and to apply time pressure by reminding the recipient of a “10:00 A.M.” deadline. It contains a list of instructions for filling out information that will allegedly be used to apply for the bid; however, this is simply done to make the phish appear more legitimate. The “BID” button contained within the PDF is the true goal of the threat actor, as clicking on it will direct the recipient to a fraudulent Department of Labor site.

Figure 3: Phishing Page

The fraudulent page, Figure 3, is almost a 1:1 copy of the legitimate Department of Labor website at dol.gov. Even the domain, openbid-dolgov[.]us, was crafted by the threat actor to look believable to the untrained eye. Upon reaching this page, a small popup reiterates the instructions contained in the PDF. The page also contains a “Click here to bid” button that takes the recipient to the phishing page requesting their credentials, as seen in Figure 4.

Figure 4: Phishing Page

Oddly enough, the threat actor specifically asks for either the recipient’s Microsoft Office 365 credentials OR their business email credentials, widening the net to collect anything the user might be willing to divulge. Once the credentials are submitted, the user is redirected to practically the same page, except that it now asks the user to solve a captcha instead of signing in. An interesting note added to the page reassures the recipient that their data will be cleared within five minutes, most likely mimicking the legitimate bidding site.

A communication appearing to come from a government source may also be seen as more official, especially if the attacker is able to spoof a .gov email address. With how carefully crafted it is, this phish can pose a threat to any email environment, even ones protected by a secure email gateway (SEG). With the help of watchful users reporting suspicious email, analysts at the PDC can quickly identify threats like this one, and enterprises can benefit from our entire view of the threat. Reach out to us to learn how we can help you.

Indicators of Compromise

IOC: hXXps://openbid-dolgov[.]us
IP: 199.231.162.106

Phishing Campaign Leverages Covid-Induced Adjustments to Banking Practices

By Abhiram Jayakumar, Cofense Phishing Defense Center

For many months now, covid-themed phishing emails have convinced users to relinquish valuable credentials. Phish impersonating major banking firms have been around for quite some time, but they are always evolving. The Cofense Phishing Defense Center (PDC) has observed a recent phishing campaign focused on harvesting credentials for New Zealand’s ASB bank via covid-themed lures. The pandemic is affecting the lives of everyone in the world, and threat actors are attempting to hook their targets by relying on changes in banking practices related to it.

Figure 1: Email Body

As seen in Figure 1, the first flaw evident in this phish is that the email is obviously not from an official ASB address. The body of the email seems somewhat legitimate at first glance, with a convincing email signature and an apparent reference ID. The most telling sign that this email is a phish is the oddly formatted link within the body. The email prompts the user to click on the URL so they can update the so-called covid “Code of Banking Practices.” Hovering over the link reveals the embedded malicious URL on the domain cleusbmontreal[.]ca.

Figure 2: Phishing Page

Upon clicking the link, the user is directed to the webpage in Figure 2. It’s a near-exact replica of the legitimate ASB login page. All the icons, with the exception of the login button, redirect to legitimate ASB webpages. This is a simple – but often effective – trick implemented by the threat actor.

Figure 3: OTP Page

Once the login button is clicked, the target is taken to the page shown in Figure 3, where they are prompted for a one-time password (OTP). The threat actor may have tools that use this information automatically in real time. It is also possible that the OTP the user receives was triggered by the attacker’s tools initiating a legitimate transaction with the credentials just harvested through the malicious webpage. Once the target provides their credentials and OTP, they are redirected to the authentic ASB home page.

This is another example of attackers leveraging covid and a well-designed phishing page to launch a dangerous campaign, one that found its way into inboxes under SEG (secure email gateway) protection. Cofense, and well-conditioned users, contained what standard security controls couldn’t. Contact us to learn how we can help to better protect your organization.

Indicators of Compromise

IOC: hxxps://cleusbmontreal[.]ca
IP: 104[.]21[.]46[.]246

IOC: hxxps://conz-aso-7725[.]heavy[.]jp
IP: 118[.]27[.]125[.]223

IOC: hxxps://photos[.]azyya[.]com/.co.nz/.respond[.]abs[.]co[.]nz-NZ70194135/auth[.]php
IP: 95[.]216[.]33[.]120

Threat Actors Continue to Leverage Pandemic Relief Plans

By Kyle Duncan, Cofense Phishing Defense Center

Threat actors continue to be a thorn in the side of business owners everywhere, as evidenced by a recent phishing campaign observed by the Cofense Phishing Defense Center (PDC). With the effects of covid still disrupting lives and businesses, this campaign attempts to exploit the anxieties of those awaiting government aid. Attackers pose as representatives of the United States Small Business Administration (SBA). By offering fake grant applications through illegitimate forms presented via Google Docs, these threat actors hope to sneak away with victims’ private information.
