Phishing Attack Targets Microsoft Users Via HTML Attachment

Email Gateways Bypassed:


By Amy Griffiths, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has analyzed a phishing campaign that is aimed to harvest an employee’s Microsoft credentials via a malicious HTML attachment. The attached file includes spliced code when it’s executed it scrapes for the employee’s credentials.

Figure 1: Email Body

As seen in Figure 1, the subject of the email “Reminder for…” gives the employee a sense of urgency, something they may have missed or overlooked previously. Perhaps not so urgent, but does have an interesting object within the body, an attached HTML file named “Secureproofpoint[.]html[.]”

The attachment name could refer to the trusted vendor Proofpoint Secure Share a cloud-based solution that enables enterprise users to exchange large files in a secure and compliant manner to enterprise policies.

Figure 2: Malicious code

The several lines of code seen in Figure 2 can be found within the HTML file and are used to run JavaScript code to decode strings and a malicious URL. To summarize the code, the ‘encdStr’ string is the encoded subdomain ‘primeaco[.]com[.]br’ which is followed by the targeted users email address that is stored as the string named ’emma’. The function ‘atob(encdStr)’ is followed by a linked set of variables that sets the URL to “hxxp://SILENTCODERSLIMAHURUF[.]primeaco[.]com[.]br/<recipient name or identifiable information>”. Finally, the last line of code calls the function ‘window[.]location[.]href’. This function returns a string containing the whole URL and allows the hyperlink reference to be updated. At this point the browser is updated from the HTML file to the malicious URL.

Figure 3: Pick an Account

Once the completed URL is executed in the browser the user is presented with the page seen in Figure 3. This gives the user a false sense of security by masquerading as a trusted brand, Microsoft. It fools the user into thinking they can pick the account; however, we know from analyzing the code the user’s details are already set as a variable.

Figure 4: Phishing Page

Once the employee clicks on their user account, they are then presented with the phishing page seen in Figure 4, where they are prompted to enter their credentials which are finally scraped by the threat actors.

IOC(s) Description
PM_Intel_CredPhish_283847 Cofense Triage YARA Rule
hxxp://silentcoderslimahuruf[.]primeaco[.]com[.]br/ Phishing URL
216[.]172[.]172[.]168 IP Address for shared hosting node

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Cofense Wins 5 FISSEA Top Security Awareness Training Awards

by Beth Ohrnberger

We are thrilled to announce that Cofense’s security awareness content was recognized at this year’s FISSEA Fall Forum. This gave us an opportunity to showcase our innovative approach to security awareness training.

Awareness Website Award: Choose Your Phish – Comprehensive

Cofense’s adaptive HTML web-series—Choose Your Phish—provides relatable, personalized experiences for learners. In this adaptive education, the learner experiences a day in the life of a payroll administrator. Throughout the story, they are presented with a series of choices, and the story is tailored according to their choices. “Choose Your Phish – Comprehensive” includes the topics of credential phishing, BEC, VPNs, vishing, and smishing.

When the story concludes, the learner is presented with their score and personalized training based on the choices they made.

Choose Your Phish – Comprehensive is part of an ongoing “Choose Your Phish” series. Additional Choose Your Phish content is available for Cofense customers:

  • Choose Your Phish – 90 Days of BEC
  • Choose Your Phish – Behind the Phish
  • Choose Your Phish – Credential Phishing
  • Choose Your Phish – Government Contracting
  • Choose Your Phish – World Cup

Localized versions are also available.

The malicious emails in these exercises are real phish identified by Cofense Intelligence that Cofense leverages as the center of the lessons. The modules build resiliency by contextualizing real phish in a relatable and highly memorable learning experience.

Click here to view the trailer for Choose Your Phish – Comprehensive:

Training Awareness Award: 3 Tips Animated Microlearnings

Our 3 Tips Animated Microlearning series educates learners on critical cyberthreats in under 1 minute. Each video concisely explains the threat or topic and provides 3 tips to remember.

All emails in this series are based on real phishing emails identified by Cofense Intelligence that have bypassed Secure Email Gateways. With upbeat music and memorable animations, this series was designed to engage learners and provide practical takeaways.

Click here to view the trailer for 3 Tips Animated Microlearnings:

Also check out 2 examples from the series:

But wait, there’s more!

FISSEA is the premier organization for federal employees and vendors seeking information, community and insight into how to build and run the best cybersecurity training programs possible. This year’s Fall Forum was another great opportunity to meet (virtually) and exchange ideas, best practices, and hold discussions that foster innovation and improvement in the security awareness space. An exciting vehicle for this community dialogue was the FISSEA Awareness and Training Contest.

The contest was broken out into eight categories:

  1. Awareness Poster
  2. Awareness Website
  3. Awareness Newsletter
  4. Awareness Video
  5. Cybersecurity Blog
  6. Cybersecurity Podcast
  7. Training Awareness
  8. Innovative Solutions

The FISSEA Awareness and Training contest also had a “People’s Choice” category, and Cofense won three out of eight categories! This recognition helps to cement the position Cofense has at the top of the cybersecurity training-and-resiliency pyramid.

Choose Your Phish and the 3 Tips Animated Microlearnings are available to Cofense customers in PhishMeSCORM, and the Cofense LMS. Cofense PhishMe simulations are based on the latest threats known to bypass secure email gateways (SEGs), empowering your users to become human threat detectors. With resilient users attuned to the latest phishing threats, you have the best organizational defense. With Cofense’s Learning Management System (LMS), you can easily zero in on the security and compliance issues that are important to your company. And LMS perfectly complements the behavioral conditioning and experiential learning of Cofense PhishMe.

We’re always available to answer your questions. Contact us at any time for a demo and more information.

Microsoft Customer Voice URLs Used In Latest Phishing Campaign

Found in Environments Protected By:
Microsoft, Proofpoint

By Brooke McLain, Cofense Phishing Defense Center

Analysts at the Cofense Phishing Defense Center (PDC) see all sorts of tactics being used by threat actors to make their phishing campaigns more effective. Recently the PDC has observed phishing campaigns abusing Microsoft Customer Voice URLs, similar to the campaign reported in August. While Microsoft Customer Voice is a customer engagement/survey service that is used for plenty benign and useful reasons, threat actors are always trying to abuse such avenues. Figure 1 is an example of such an attempt.

Figure 1: Email Body 

As seen in Figure 1, the body of this email attempts to appear legitimate due to the use of the Microsoft SharePoint logo, as well as the simple formatting of the body which convinces the user receiving the email that this is an authentic document being delivered through SharePoint. In the message itself, the threat actor is trying to persuade the recipient to click “Go To Document >>,” leading to the first page of the phishing attack at a Microsoft Customer Voice URL. By using such a Microsoft URL, the user can be tricked into believing this is a legitimate email.

Figure 2: Phishing Page 

Once at the Microsoft Customer Voice page seen in Figure 2, the user is informed that they have to “preview” the document. This is an example of threat actors using stolen credentials to build a page that the user wouldn’t know exists and difficult for the recipient to know. Once opening the hyperlink nested in the “CLICK HERE TO PRINT | PREVIEW DOCUMENT” section of the page, the user is redirected to the final phishing page.

Figure 3: Phishing Page 

The second malicious URL, hxxps://fghdfghdf-g0ej-5r90hngt-w9rnef-w9nejrf-9wenjf-efdewd[.]obs[.]ap-southeast-2[.]myhuaweicloud[.]com/sx-3rg-0o-j-hq-enjf-0whbnr-0fnjqe-0fcdhnwq-enc-0enf[.]htm, seen in Figure 3, takes the recipient to the landing page of the phish where they are prompted to enter their Microsoft login credentials. The appearance of the page closely resembles that of a legitimate Microsoft login page.

In the end, this campaign used to abuse Microsoft Customer Voice services by threat actors has given them another way to get their phishing landing pages to users. Luckily for the client in this example, they had Cofense Vision so any other instances of this specific campaign in their email environment can be quarantined. Couple that with the knowledge of the PDC analyst, and enterprises can enjoy adaptive and responsive protection. Contact us to learn more.

Indicators of Compromise IP

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results. 
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

See Something, Say Something – The Importance of Employee Reporting in Cybersecurity

By Dave Alison, Senior Vice President of Products 

With an estimated 40% of ransomware attacks starting through email, and phishing attacks accounting for 80% of reported security incidents, it’s no secret that email security is a top concern for businesses these days. To take it a step further, RiskIQ reports that $17,700 is lost every minute due to phishing attacks – you read that right, every minute!  

So, what are you to do?  How do you keep up? How do you stop these threat actors whose sole reason for existence is to find new ways to penetrate even the best security systems?   

You train your employees. Groundbreaking, right? You’ve heard that before. But not just train your employees to spot suspicious or malicious emails, you need to take it a step further. 

What’s needed is for humans to report the emails you’ve trained them to spot. Employees need to be empowered, encouraged, and even motivated to report suspicious activity. 

Why? Because they can be the force multiplier.  We know because we see it every day. 

According to Cofense Intelligence, for every one email reported by a user, an average of 20 additional malicious emails are removed from inboxes around the world.  Yes, one reported email is a 20X multiplier. 

Oh, and those 20 additional emails, they come from an average of four other companies in the Cofense Global Intelligence Network who would have been impacted. With over 35 million reporters worldwide, you can begin to see the impact your employees can have.  

It’s no longer “good enough” to just recognize questionable cybersecurity activity that may threaten the organization. If all we focus on is recognizing suspicious or malicious emails, we are basically setting up an ineffective neighborhood watch program. What’s the point of seeing something suspicious if you don’t report it?  As one of the most important lines of defense, employees must learn to not only identify but report questionable activity as it benefits their organization and all those around them. 

Sure, technology plays a role in helping organizations defend against cyberattacks like phishing, business email compromise (BEC), and ransomware. However, technology alone isn’t good enough, and anyone who says it is, well, is frankly, short-sighted.  It only takes one breach to damage a company’s financial status, brand reputation, and/or relationship with its employees and customers.  “Good enough” is a risky strategy when it comes to cybersecurity.   

The industry has made significant progress with all the work being done around artificial intelligence (AI) and machine learning (ML).  Both AI and ML are helping to create automation, lightening the load of security operations center analysts who are often overwhelmed by massive amounts of alerts, notifications, and investigations.  The reality is that technology can only take us so far because the threat actors are always evolving their techniques and finding new ways to penetrate these systems.   

As a matter of fact, we know that even today, on average almost 50% of URL attacks that are presented to the most respected secure email gateways (SEGs) in the industry are getting through that technology and reaching employees’ inboxes.  

That is why a strong employee reporting culture is critical to a successful security strategy.  There hasn’t been an AI system built to detect something strange, targeted at an employee, better than a trained human.   

Most awareness training, as well as pretty much every SEG vendor out there, claim people are the issue and many organizations are taking that cue and treating employees as risks to be mitigated, as opposed to assets to be trained and empowered.  Through positive reinforcement, real-life simulation, and by creating a culture where employees embrace their important role in defending the organization, employees can serve as a force multiplier in your battle against cyberattacks.   

It truly is a better-together story.  Technology isn’t as agile as humans, and humans aren’t as fast as technology in sharing.  We firmly believe that operationalizing human-discovered, crowdsourced intelligence and positively reinforcing a reporting employee culture is the only way to be successful in defending your organization against these criminal actors.  

Phishing Campaigns Abusing Web3 Platforms Increases 482% in 2022

The term “Web3” refers to a set of technologies intended to decentralize common internet and computing activity. Proponents of decentralization tout the ability to host content without the need for large technology companies. In short, anybody can publish any content, avoiding technical problems like server management as well as legal problems or censorship. Unfortunately, these features make the technologies attractive to threat actors seeking easy, robust hosting for malicious content. Analyzing credential phishing campaigns that reached inboxes during the first three quarters of 2022, we found massive growth in the abuse of Web3 platforms for phishing during the first three quarters of 2022. In this report, we explain the utility of Web3 platforms for phishing threat actors and analyze the growth and other trends in malicious Web3 usage.

Why Web3 Is Good for Phishing Threat Actors

Threat actors are regularly abusing several similar Web3 platforms. Each platform has two essential characteristics that make them useful to phishing threat actors:

  • Anyone can host content within the platforms simply by running the relevant software. No central servers are involved. Instead, content is collaboratively hosted by the platforms’ users. From a threat actor’s perspective, the users unwittingly provide free, anonymous, no-questions-asked hosting.
  • No company or governing organization moderates hosted content. While some measures are available to limit access to malicious content, it’s impossible to prevent it from being hosted within the platforms or to remove it once it has been hosted. The lack of oversight gives malicious content a longer lifespan, saving threat actors the trouble of finding new hosting.

Generally, the platforms are designed to make content hosting more available to individuals, evade censorship, and guarantee access to published content. But these features also make the platforms attractive for threat actors seeking to host malicious content.

Each platform is designed with different underlying technologies and use cases in mind, yielding differences in the ways threat actors can abuse them. For more details on the platforms and protocols involved, see Appendix A.

Malicious Use of Web3 Exploded in Q2, Still Increasing Steadily

Web3 platforms are an increasingly common method of hosting malicious content for phishing campaigns, as Figure 1 shows. Although a few malware campaigns have recently started to use Web3 platforms to host their payloads, credential phishing constitutes nearly all of the abuse so far. Our analysis in this report covers credential phishing emails found in users’ inboxes during Q1 to Q3 2022. Web3-hosted content was involved in 1.5% of credential phishing campaigns reaching inboxes in Q1. During Q2, that figure more than quintupled, accounting for an 8.0% share of campaigns reaching inboxes. In Q3, the share increased to 8.8%, with the number of campaigns abusing Web3 platforms being 482% of the number observed in Q1.

Figure 1: Emails found in commercial inboxes that included Web3-hosted malicious content. The graph shows each month’s share of the total number of emails from Q1 to Q3 of 2022.

Several services allow for easy use of Web3 technologies, including the generation of gateway URLs that can be accessed with a web browser. The URL’s domain reflects which service was used to create it. Fleek ( was the most popular service for threat actors, accounting for almost half of the URLs in the campaigns we analyzed.

Figure 2: Share of URLs from each Web3-related service in credential phishing emails, Q1 to Q3 of 2022.

The second most common service, Skynet Labs (, announced recently that it is shutting down, effective November 15, 2022. Skynet Labs URLs have not declined meaningfully in October, but the shutdown will almost certainly affect the distribution of Web3 URLs in November and beyond.

How Web3 URLs Are Used in Phishing Emails

As in our past analyses of domains used in credential phishing emails, we divide malicious URLs into two stages. Stage 1 URLs are embedded into the email itself, but rarely go directly to the credential phishing page. Stage 2 URLs include any that are involved after the user has opened the link embedded in the email.

Only 21% of Web3 URLs are used in Stage 1. Since Web3 platforms lack content censorship by design, organizations are more likely to block emails linking to them. Threat actors continue to prefer abusing well-known services like Adobe, Google, and Microsoft, which organizations are essentially unable to block.

Figure 3: A fax-themed email linking to a fraudulent page hosted on the Microsoft Customer Voice service. 

Figure 4: The fraudulent page linked in the email from Figure 3. It leads to a phishing page hosted on Skynet. 

By contrast, Web3-hosted content is well suited to threat actors’ needs in subsequent stages of the phishing campaign. Broadly speaking, content published on Web3 platforms is permanent. Moreover, Web3 publication removes the need for creating or stealing accounts, compromising websites, or registering new domains to host a credential phishing page. Threat actors can continuously publish new phishing pages to stay ahead of countermeasures.

Figure 5: The Skynet-hosted phishing page linked by the campaign in Figure 3.

Although Web3 platforms may be a good hosting solution for threat actors, they cannot perform data exfiltration on their own. None of the Web3 technologies can receive input from a user and send it to an exfiltration service. Instead, threat actors still rely on embedded forms or JavaScript code, so that the victim’s browser sends captured login credentials to endpoints under threat actor control.


Web3 technology offers little downside to threat actors at present. In the near future, there is no reason to doubt that Web3 abuse will continue to increase in both credential phishing and malware.

Over the longer term, if Web3 technology gains adoption in the everyday life of users and organizations, the opportunity for abuse will only grow. For example, most browsers currently need gateway services to create URLs for them to access decentralized content using the InterPlanetary File System (IPFS–see Appendix A for more details). Those services can disable a URL if it is reported as malicious. But if browsers receive native IPFS support in the future, then opening an IPFS link will be similar to opening a saved file from the user’s hard drive.

By design, decentralization technology puts all the responsibility for publishing and for consuming content on individual users. For network defenders, that prospect involves a significant amount of risk. Short of outright blocking all Web3 gateway services (for those companies that have no need for legitimate access to such services), keeping users educated and vigilant remains the best feasible preventive measure for the foreseeable future.

Appendix A: Description of Web3 Technologies Used for Phishing

Gateway URLs

Each of the Web3 technologies covered in this report creates a network of many different computers working together to host content or applications. They include protocols that allow users to access the content or applications, but in most cases, those protocols are not currently supported directly by web browsers. To make the services more usable, the protocols also include a way to create “gateway URLs,” which allow browsers to open Web3-hosted content or applications as though they were hosted on a traditional server. These are the services threat actors use to send links to the phishing pages they host using Web3 technologies.

Services that provide gateway URLs are operated by a mix of commercial and community organizations. Gateway services can help speed up the adoption of Web3 technology by making it more usable by current browsers. However, they also effectively centralize access to Web3-hosted content because they can choose to disable a gateway URL that points to malicious or illegal content. All the operators of gateways we found in our data have a way for users to report malicious content.

InterPlanetary File System (IPFS)

IPFS is a protocol for decentralized storage and serving of content. An IPFS user wishing to publish a piece of content can choose to make it available from their computer. Initially, other IPFS clients download the content from the original publisher’s computer. When they do, they also start to make the content available to more clients. This way, IPFS essentially serves as a content distribution network, ensuring that content remains available–and from one or more nearby hosts, which improves performance.

Protocol Labs, the organization responsible for IPFS development, operates a few gateway URL services for IPFS. Others are operated by commercial entities attempting to utilize and enhance IPFS for their customers.

Sia / Skynet / Skynet Labs

Sia is a blockchain project that utilizes users’ empty disk space to act as part of a distributed file storage platform. It has its own cryptocurrency, Siacoin, which is used to “rent” disk space on computers running the Sia software. Skynet is a technology built on top of Sia intended to be used for web and application hosting. The organization behind it, Skynet Labs, operates a gateway service ( that has been popular with threat actors. That gateway service will be shut down in November 2022, but Skynet will still be accessible using other gateway services.

Internet Computer

The Internet Computer is a general-purpose blockchain designed to run apps, similar the smart contracts of the Ethereum blockchain. Serving content directly to a web browser is a unique ability of apps running on the Internet Computer. Dfinity, the organization that developed the Internet Computer, operates the domain, serving a similar purpose as the gateway services mentioned above. Dfinity maintains a code of conduct specifying several prohibited categories of content. If an app is serving malicious content, Dfinity will disable the public URL on the domain, leaving the app inaccessible (even though it is still running).

To download a PDF of the report, click here.

This is what happens when you give scammers $500 worth of gift cards.

By: Ronnie Tokazowski

Executive Summary

Over the last few months, analysts at Cofense have been trying to gain more insights into the world’s most lucrative cybercrime, Business Email Compromise. In July, the team set out to see how many responses a scammer would engage with from a potential victim before making their ask.

This time, Cofense analysts purchased $500 worth of trackable gift cards to intentionally give to scammers in the hopes of discovering what happens once scammers receive these funds. With gift cards continuing to be one of the more difficult cash-out methods to track, due to the complexity and locality of the information, we had no idea what we would find.

Something that stood out through this research was how quickly these scammers move funds.

In all but one case each gift card was stolen, re-sold, and used for purchases within 24 hours. And while scammers do have preferences for the brand of cards they target, they are willing to pivot depending on the cards available. Based on the research, scammers prefer to use in-store cards over credit card gift cards.

So, from counterfeit toys sold in Myanmar to digital greeting cards to companies that don’t appear to exist and purchases for energy companies, let’s dive into the report.


Business Email Compromise (BEC) continues to make headlines with arrests across the world and losses in the billions. The roots of BEC originated from Nigerian prince scams (419 scams), where attackers found new, creative, and innovative ways to target consumers each day. Attackers are constantly adding new types of fraud to their arsenal as security practitioners, law enforcement, and organizations change their defenses against these tactics. While many of these scammers operate in small groups, many are part of larger organized crime groups, international gangs, and criminal syndicates.

While the machinations on how dozens of tactics and objectives of these attacks are well known, one of the biggest “unknown” aspects of BEC is a deeper understanding into how gift card fraud fully works.

Based on empirical evidence captured by defenders around the world, we know that once gift cards are stolen, they are sold locally or remotely via gift card exchanges. For gift cards sold remotely, many appear to be sold on cryptocurrency exchanges, where cards can be sold for Bitcoin, Ethereum, or other forms of digital payments. While many of the remotely sold gift cards are exchanged for 80-85% of the face value, cards can be purchased locally for around 50% of the face value, depending on the country. While a fuller picture of how gift card fraud works is limited to the organizations and institutions who manage this infrastructure, we do know current losses are in the hundreds of millions of dollars.

The concept of our research project was based on a simple premise. What gift cards can be purchased, tracked, and used to engage with these attackers to help identify how, where, and when they’re used? With these concepts in mind, we purchased $500 in gift cards and engaged with 54 live BEC attacks over the course of 5 weeks to evaluate what type of insight and usage patterns we could uncover.

In addition, we discovered that most cards were used on the same day they were stolen, making the mitigation of this type of attack extremely difficult. Many financial institutions have anti-money laundering (AML) controls in place so that money can be reversed and recovered under certain circumstances. This normally results in a 72-hour “safety window” of asset recovery, however that window is closing, and scammers are aware of our inefficiencies. While it’s quick and easy to write the losses off, this does nothing to address the root cause and simply perpetuates the issue.

Going into this project we didn’t know what we would expect to see or ended up with more questions than answers. Let’s look at the fraud.

What Does BEC and Gift Cards Have to do With Each Other?

Traditionally, Business Email Compromise (BEC) is straight forward. In these attacks, a scammer impersonates a C-level executive within the company to convince unsuspecting users to make urgent wire transfers to vendors, organizations, and other accounts that they control. As awareness of this tactic grew, organizations adapted and increased their diligence against these types of attacks. Attackers took notice and started to adjust their attack methods to include payroll diversion, invoice fraud, check fraud, and the topic of this research: gift cards.

Gift card scams play out like other types of BEC scams. Scammers ask unsuspecting employees to run tasks or errands under the guise of “helping out.” Within Cofense, we have seen dozens of different email lures such as holiday surprises for employees, rewards for employee performance, or gifts for the CEO’s family members. We have also seen templates including a forgotten birthday or one last gift card for a sick and dying relative. While many of these attacks stay within email, some scammers will ask for the phone number of the victim to converse with them while they are purchasing the cards or even start as SMS text messages.

Once the unsuspecting victim has taken the bait and responded to the scammer, they will be asked to go to a local store to purchase gift cards, often in $100 or $500 dollar denominations. After the cards have been purchased, the scammers ask the victims to scratch off the back code and send them pictures of the cards. Once received, the scammers confirm receipt and pushes the victim to send more cards or money over time.

Engaging With Scammers to Get Information from Them

The key to having successful scammer engagement is to respond to the initial email as if you had no idea you were about to be scammed. The actual context is dependent on what type of scam they are attempting, and what angle they are playing to entice their victim.

Most gift card scams start out with the CEO or another person in authority asking for help running a “task,” however scammers withhold the task until their email is acknowledged. Once a response is received, the scammer divulges what the “task” is, why they are asking for help, and why they can’t do it themselves.

Based on the knowledge of how these scams work and the communication patterns that these attackers are used to seeing from actual victims, we can socially engineer the scammers in an unsuspecting manner. For example, if a scammer is expecting a response to the question “do you have spare time at the moment?” we would provide a simple answer like “Sure, how can I help?”

Image 1. Screenshot of BEC engagement 

And just like clockwork the scammers respond right back.

Image 2. Actor response 

Cards Scammers Want vs. Cards Scammers Get

In order to conduct our research, we used general branded credit cards which can be used as gift cards. As strange as it may sound, scammers were extremely hesitant to take these cards and would often push for store-specific cards, such as Apple, Steam, or Google Play cards. It took a surprising amount of work to make them pivot from their “normal” methods of gift card fraud. However, we were able to get a surprising number of them to accept our trackable gift cards.
In addition, we do not have full visibility into what happened to the gift cards after they were sent to the scammers. The gift card can take many routes after being sent, and here are a few possible scenarios.

  1. They are sold on gift card to cryptocurrency exchanges. Buyers could be legitimate persons looking to save a couple dollars on cards or criminal syndicates who are using cards as a way to launder stolen cryptocurrencies. Both have been publicly observed.
  2. Stolen cards could be sold locally for a smaller percentage, as many people don’t fully understand cryptocurrency. In one of our engagements, we know the card was sold locally.
  3. If scammers are part of larger groups, they may have ways to launder specific cards, thus turning larger profits.

While we focus on one small piece of gift card fraud, we acknowledge that there are many other areas of gift card fraud that are not fully understood. We know cryptocurrency theft, re-shipping scams, in-person purchases, and many other angles of gift card fraud exist. In addition, a fuller scope view of how gift card fraud works is held with card distributors and brokers, and more extensive collaboration is necessary in order to facilitate a better understanding of the gift card ecosystem.


First Engagement (GC1) 

For this engagement, the attacker assumed multiple identities throughout our correspondence with them. Initially, the actor assumed the identity of “Ian William” and later pivoted to the display name “Ian Foy.” This happens frequently with scammers as they engage with multiple targets during a specific engagement. Both accounts will be described as “Ian.”

In the initial phish, Ian asked if we could do something for them right away. Ian was in a meeting with limited connectivity and asked if we could purchase 5 Steam gift cards, an online platform for purchasing video games, for a total of $1,000 (5x$200). To set up the bait, we told Ian that Visa cards were the only ones we could purchase and asked if we could use those instead of the requested Steam gift cards. Ian confirmed, and we provided a single $25 dollar gift card. Ian kept asking if there was something wrong with the transaction as they were expecting multiple cards, however we only provided one gift card in this engagement. The total interaction and engagement lasted two days.

We do not have visibility into how the card was laundered, however the gift card was later used at Amtrak, a railway company, on June 29, 2022. Since this card would have been considered “stolen” under normal circumstances, we provided Amtrak with the card details. No further information was provided by Amtrak as to what the purchase was for.

Image 3. Amtrak purchase from gift card 

Second Engagement (GC5) 

In this engagement, the BEC actor impersonated our CEO, Rohyt Belani, and attempted to steal funds from one of our senior researchers. The specific researcher targeted has spent the last 7 years raising awareness around how all things Business Email Compromise works and instantly knew it was a scam. Instead of letting the scam play out, Cofense used this as a chance to gain more information from the scammers and see if more information about the attacker could be found.  

While the scammer initially tried to scam the researcher, they quickly turned the engagement back on the scammer and converted the scam attempt into an interview opportunity. After providing enough insights to the scammer that Cofense was well aware of how these scams worked, the scammer decided to open up and went off-script. We do acknowledge that it’s entirely possible that the attacker was still lying to us, however they did confirm that yes, they were in Nigeria. The scammer went into further detail about how he became a scammer, with one of the primary reasons being limited opportunities in Nigeria. Based on extensive research into Nigerian culture, economy, geopolitical status, and unemployment, this is an accurate sentiment shared by local sources. 

Prior to scamming, he was a tailor and did other odd jobs just to survive. As a tailor he made shirts, and for the shirts he made, he would profit around #500 Naira, or $1.20 USD for each shirt. He also mentioned that he was 50, did not have an easy life in Nigeria, and all of those things combined led him down the path of scamming. And while many choose the scamming life as a way to make quick or fast money, there is much more going on than an over-simplification of “bad people doing bad things.” 

We didn’t want to leave the scammer empty handed as he provided insights into the underlying ecosystem for us, so we provided them with a gift card to them for their efforts and purported honesty. He mentioned that he would be selling the card locally because he didn’t have access to any other exchanges, where he could have gotten a higher dollar amount.  

After selling the card, it was used to purchase five instances of TikTok Live via the Google play store. The information was passed over to TikTok in case the card was used as part of another fraud scheme and no further information was provided to Cofense.  

Image 4. TikTok Live purchases 

Third Engagement (GC7) 

In this engagement, the attacker assumed the identity of “Andrew Quinton.” Andrew requested 5 AMEX gift cards to the tune of $500 each and asked if we could leave for the store soon. Once it was verified that a Mastercard gift card could be purchased, a card was sent to Andrew. Andrew asked “What’s going on” when no more cards were sent, however the attacker still successfully cashed out the card.  

While researching the origins of the purchase on this card, we were quite surprised with what we uncovered. To get started, the retailer’s name for this gift card was “BKIDZ” in Sheridan, WY. $25 was directly purchased emptying the balance of the card. 

Image 5. Purchases to unknown retailer “BKIDZ” 

When researching the brand BKIDZ, limited information was available for the origins of the transactions in Sheridan, Wyoming, and found no references online that led us to a solid company. However, during our research we did find branded children’s toys using the “BKIDZ” logo for the online marketplace KhitZay, an online store front that sells counterfeit toys in the currency of Myanmar Kyat.  

Image 6. Logo used on ”KhitZay” store using the” BKIDZ” branding 

One instance of counterfeit goods being sold directly under the BKIDZ brand was Marvel toys from Habsoro, with the item number E4353. While some of these counterfeit items are being sold on eBay and Ali Express, many of the counterfeit items are being resold on KhitZay.  

Image 7. Logo used on ”KhitZay” store using the” BKIDZ” branding 

One instance of counterfeit goods being sold directly under the BKIDZ brand was Marvel toys from Habsoro, with the item number E4353. While some of these counterfeit items are being sold on eBay and Ali Express, many of the counterfeit items are being resold on KhitZay.  

Image 8. Unknown purchase at Constellation Energy in Chicago, IL 

Fifth Engagement (GC11) 

In this engagement, the attacker used the name “Amanda Johnson,” and the scammer wanted 10 pieces of Amazon gift cards for $200 each ($2,000 total). Initially, the scammer came from a sudenlink[.]net account, however after the initial email the scammer switched to a Gmail account with the display name of “Mary Webre.” We are unsure as to why the scammers decided to change the display name mid campaign. 

After verifying that a Visa gift card could be used, one $25 dollar card was provided to the scammers, with the scammer confirming the receipt with an “Alright.” When no card was sent the scammer bumped the thread multiple times, and the following day they responded in a formal manner asking for a follow-up on the gift card. This was the last response from the scammer.  

On August 6th, 2022, this card was used at “PF GSHOP” in New York.  

Image 9. Purchase at OneUp Trader  

Sixth Engagement (GC14) 

In this engagement, scammer “David Johnson” asked if we had some spare time and we said of course, how could we help. David mentioned that a client needed iTunes gift cards of any denomination for a total of $1,000. David’s instructions were that once the cards were purchased, to gently scratch off the back of each card, to take a picture of the cards, and email a clear picture to the client at a different Gmail account, which we will refer to as “Lim.”  

At this point we had CC’d Lim on the email thread, and the scammer was now going under the name of Lim, different from the initial name of David. We tried to convince the scammer that all of the stores were sold out of iTunes cards, and they instructed us to instead purchase Amazon, iTunes, or Google Play gift cards. After telling them that four stores were sold out, David still insisted on purchasing iTunes gift cards online.  

Finally, after convincing the scammer that we were only in possession of cash, Lim “asked their superior” and was instructed that Visa cards would be acceptable. After sending only $25 dollars, Lim asked if there were any bitcoin vendors in the area, as we only sent $25 of the $1,000 requested. Lim later bumped the thread asking if we could load the $25 dollar card with $900, and this was the end of our contact with the scammer.  

For the gift card in this transaction, unknown persons purchased $25 worth of products with GivingLi, a greetings and gift card company. While we do not have visibility into the product or good that was purchased, historically we have seen Yahoo Boys and other scammers sending cards and flowers to romance victims to keep them in the scheme for longer periods.  

Image 10. GivingLi transaction 

Seventh Engagement (GC15) 

In this engagement, the scammer assumed the fake persona of Jared Russel. Jared said that he trusts he can count on us to keep gift card purchases as a surprise because he wanted to surprise the staff. Keeping this between us and Jared, he wanted to know how quickly we could purchase the cards and what local store could be used to make the purchase. Jared suggested Walmart Visa cards, American Express, or Vanila Visa gift cards “since we can use them almost everywhere.” After conversing back and forth to confirm what should be purchased, Jared confirmed that four pieces of Visa prepaid gift cards at the value of $500 ($2,000) should be purchased.  

One of the interesting things we noticed is that we purchased the gift cards prior to the engagement and the scammer was quick to identify this discrepancy, however we just said that the credit card machines were giving the incorrect dates on the receipts, and this was enough for the scammer to accept the difference. 

For this credit card transaction, unknown persons purchased $25 dollars of something from a company under the name “DEBEBTECH LLC.” At the time of writing no information about DEBEBTECH exists, even on Google or Bing.  

Image 11. DEBEBTECH LLC purchase 

Eighth Engagement (GC16) 

While most scammers assume one persona during an engagement, this scammer went through four different names for the entirety of the campaign. John Slattery, Jerry Williams, Roger Jenkins, and Stephen Timm all asked about gift cards in the same exact thread. This commonly happens when scammers get confused and use different display names during engagements, as they will sometimes engage with multiple companies per account. In addition, the scammer used six different subject lines during this engagement.  

In this campaign, Jer..Rog….the scammer asked us to head to the nearest store to find and purchase gift cards. The cards were for their presentation on data analysis and evaluation and wanted to know how quickly we could get this done. After confirming that we could run to the store and pick them up, the scammer asked if we could purchase Target or Google Play gift cards. There was a lapse of 30 minutes between our next response to the scammer, which led to the scammer asking if we were there, if we were talking to them, and what was up. They were extremely pushy, and after saying that we didn’t like being yelled at, Jerry came back and said that he wasn’t yelling, and just that he didn’t have much time on the presentations.  

Once a single card was provided back to the scammer, they continued being pushy, asking how many of the $25 dollar cards were able to be purchased.  

After the card was provided to the scammer, the card was used at a company called FLUZ AWAY. Fluz is an application that runs on your phone that allows you to receive points and cash back on products and services that you use. Money can be loaded into the app then used at these locations for purchasing products. 

Image 12. Fluz Away purchase 

While researching the retailer “FLUZ AWAY,” it appears that the company has many complaints with the Better Business Bureau (BBB) about multiple values of gift cards being purchased and funds being stolen. Based on comments from BBB, victims of puppy scams, car rentals, and check fraud.  

Ninth Engagement (GC18) 

In our 9th and final engagement, the email came from CHIEF EXECUTIVE OFFICER (caps included) where the scammer asked if we had anything on our plate, as they had a task for us. They wanted us to “drop your phone number so I can concise you about it.” After telling the scammer that we didn’t have our phone with us, they asked if we could purchase an eBay gift card for a business prospect. After “running to the store,” we informed the scammer that they didn’t have any eBay gift cards, and the scammer asked if they had Steam or Apple gift cards. We denied their request, telling them that they did not have these cards. The scammers asked for a Visa Vanilla gift card, and we provided a Vanilla Mastercard to the scammer. Eventually the scammer confirmed the receipt of the $25 dollar gift card, and after ignoring a few more emails they lost connection.

And contrary to every other transaction previously discussed, the transaction on this gift card was the most normal. Unknown people purchased $25 worth of goods on Amazon. 

Image 13. Amazon purchase 

Other Findings and Conclusion 

When we decided to kick off this research, we had no idea what direction this was going to take. Using gift cards to purchase things on Amazon seemed like a normal expense, however stumbling onto counterfeit toys sold in Myanmar, digital greeting cards, companies that don’t appear to exist, and purchases for energy companies were not even considered. While we did find some very interesting things about what happens to gift cards once they’re stolen in BEC attacks, we ended up with many more questions than answers.  

And as counter intuitive as it may sound, it was especially difficult to convince scammers to take the gift cards that we had. They had pre-defined scripts in $100 dollar denominations, and if something deviated out of that it really seemed to throw them for a loop. In addition, timing of the receipts was also another metric that scammers looked for, and if something was outside the scope of the normal time frame scammers were very hesitant to use them.  

For more insights on Business Email Compromise, including the first part of this study, view the resources below: 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.  

All names shown above have been changed to protect the privacy of the user. 

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc. 

New Phishing Campaign Leverages Income Tax Refunds

Found in environments protected by:

By Adam Martin & Janos Torok, Cofense Phishing Defense Centre

The Phishing Defensce Center (PDC) recently detected a campaign leveraging the theme of income tax refund, a topic anyone would be intrigued to engage. As illustrated below, the initial email is mirroring an email notification from the German federal government, shown in Figure 1.

Figure 1 Initial Email Body

Figure 2: English Translation 

This campaign is an income tax refund of 268.85 euro with instructions given to the recipient on how to claim this rebate. The typical trope of a time limit is used with a 4-day timer placed, the recipient is redirected to a spoofed page that redirects to a malicious page once accessed. It’s recommended the recipient access the site via their mobile phone under the guise a further layer of confirmation will be given via SMS.

The initial landing page, in Figure 3, is quite well put together with a host of different banking institutions listed: PostBank, ING, Volksbank & Deutsche Bank amongst others. What’s clever about this landing page is the fact that all the “clickable” brand logos all redirect back to the official Bundesegierung page. Adding a confidence boost of legitimacy is given to the user with the mention of further verification methods mentioned in the below paragraph.

Figure 3 First Landing Page 

What makes this Phishing attempt very convincing, is the absence of a generic “please input details here” box that tends to be paired with typical attempts at credential theft. Instead, each banking institution listed has its own customised landing page accompanied by the logos, banners & replicated login information input boxes.

Figure 4Fake Santander Page 

Figure 4 is an example of a crafted Santander Bank login page asking for account details to access online banking. While the overall looks of the page might be convincing, there is an obvious indicator that this is a spoofed page. The URL, which is a generic hosted domain, not mentioning Santander anywhere. This indicates that the domain is not owned or associated with Santander. The sole purpose of this site is to get the user’s online bank credentials.

Figure 5 Fake Deutsche Bank Page 

In Figure 5 we see another example, a spoofed page for the Deutsche Bank online banking page. This is again a well-crafted site mirroring the exact login steps of the real login page.

Again, we see It is clearly visible that the URL is the same generic host which is not linked to Deutsche Bank, with the intent to steal banking credentials.

Overall, this example of credential phishing is building on two main principles which make it dangerous to the unexperienced eyes. The first is creating a false sense of excitement of unexpected funds, with reasonable, realistic amounts, that gives the impression that it can be true. It also builds a feeling of urgency, so that the recipient act quickly not to miss out on the free money. This is only meant to lower the victim’s guard and blind them with false hope.

The second is the quality of these crafted sites, which look legitimate at first, therefore reinforcing a sense of false security and convincing the user into going through with the attack.

As phishing attempts are becoming more sophisticated, potential victims need to be more vigilant and look for the signs that indicate this might be.


Indicators of Compromise IP
hXXps://security-de[.]ddns[.]net/root/index[.]php 91[.]218[.]67[.]101


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.  

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.  

How The Mayo Clinic Utilizes Cofense’s Email Security Education, Response, & Defense Solutions

The Mayo Clinic is a $10.3 billion nonprofit American academic medical center based out of Rochester, MN. With more than 63,000 employees who use email throughout the business day. The Office of Information Security wanted to ensure all employees can recognize and report upon a phishing attempt when one crosses their inboxes. In addition, they turned to Cofense to boost their security posture with the addition of Triage and Validator to their stack.

We recently sat with Mayo Clinic’s Kimberly Wanek. As the Senior Manager of Information Security, Kimberly has utilized Cofense to build a very successful education program and we wanted to find out a bit more about her education programs and Mayo’s relationship with Cofense email security intelligence and solutions.

Click here to view the fireside chat video.


Customer:  Mayo Clinic is a $10.3B nonprofit American academic medical center with 63,000+ employees

Challenges: Executives and employees being unable to properly recognize and report phishing emails and unsatisfactory traditional SEG performance

Solutions: Cofense PhishMe, Cofense Reporter, Cofense Triage, Cofense Validator

Results: Delivering a customized phishing education program to reduce the vulnerability rates of employees and providing a multi-platform reporting mechanism. Enhancing security posture with SEG validation, supplemental third-party analysts, and email security intelligence tools.

With the increase in phishing attacks over the last few years, and the steady increase in the number of employees (10,000+ work from home), they found it difficult to manage the number of attacks being reported. As its employment base began to expand, Wanek knew the organization needed the right vendor to provide a scalable phishing solution.  

“A lot of security controls we always think of are the technical controls, but we have to think about the human factor. [For instance,] we didn't have it on mobile devices, and a bigger chunk of our employees were accessing their email primarily on mobile.”

The Mayo Clinic has been able to take advantage of Cofense Reporter and Reporter for Mobile to increase the reporting rate of phishing attempts and Cofense PhishMe for anti-phishing simulation training, bad email flagging and overall cybersecurity awareness.

To enhance their solution suite, the Mayo Clinic added Cofense Triage to “scale all of the training and education that had been put in place, scale our responsiveness to it, so that we could deal with getting back to people as quick as possible and reinforcing that they were doing the right thing.” This enabled them to better analyze incoming threats using Cofense Intelligence, while also reporting back to the threat reporters – effectively ‘closing the loop’ so employees know which action was taken.

Lastly, the Mayo Clinic utilizes the Cofense Phishing Defense Center and Cofense Validator to catch, prioritize and respond to threats that perimeter technology misses.

“[Validator] was giving us insight into how strong our SEGs were, our gateways, how effective they were. So not only could we see how our gateways were performing, but it would give us opportunities, some intelligence on how to strengthen them. [The PDC] allowed our SOC to focus on the next tier of risk. So PDC not only tells us these are malicious, but they give us another category that says these are scams.” 

Many Cofense clients utilize the PDC to supplement their own security teams. The PDC will identify and prioritize threats, provide actionable intelligence, and keep abreast of changing tactics, so security team members can focus on stopping the most prevalent and dangerous attacks.

We encourage you to watch the entire chat to hear additional thoughts from Kimberly Wanek on the need for a multi-layered approach to anti-phishing education and cybersecurity and how Mayo Clinic’s partnership with Cofense has significantly enhanced their security posture.

How the Nuclear Decommissioning Authority Leverages Cofense Email Security Solutions

How the Nuclear Decommissioning Authority Leverages Cofense Email Security Solutions

The Nuclear Decommissioning Authority is a non-departmental public body made up of 26,000 members across the Department for Business, Energy, and Industrial Strategy. With limited resources to dedicate to anti-phishing education and awareness, as well as limited time for quick-response threat identification and removal, NDA worked closely with Cofense to build a proper tech stack to enhance their email cybersecurity posture.  

We asked Neil Kendall, CTI/CYAS Manager at the NDA, during a recent fireside chat to discuss the relationship and how Cofense solutions not only play a critical role in thwarting potential attacks at NDA, but also provide a continuum of educational resources for identification and reporting of phishing emails.

Click here to view the fireside chat video. 


Customer: Nuclear Decommissioning Authority, a non-departmental public body made up of 26,000 members across the Department for Business, Energy and Industrial Strategy. 

Challenges: Executives fear that their teams are being targeted for hours when using traditional SEGs, AND there is a lack of communication regarding phishing.  

Solutions: Cofense PhishMe, Cofense Triage, Cofense Vision 

Results: Educating employees with real phishing simulations as well as spreading awareness by stopping attacks using crowdsourced intelligence. 

On education and awareness, NDA wanted to prevent attacks from entering the office, but realized education had to be about all devices and environments, and that crowdsourced reporting was just as important as initial identification.  Kendall explains the need to “really spread the word to report, even if the person is on the fence and they’re not sure is this malicious, is it non-malicious? Report it. Being able to look at that, identify it as being malicious and then spreading the word around the rest of our group, is vitally, vitally important.”  

He further expands on education and the use of Cofense PhishMe, stating “We can use things like the PhishMe scenarios to be able to test our defenses, test our staff, and we can look to where our soft spots are so we can harden them, and we can then look to bolster them.” 

For the security team, it was time to move beyond dependence on their Secure Email Gateway and add Cofense solutions Triage and Vision to find, prioritize and eliminate what SEGs do not. Kendall explains, “It’s that second line again, it’s that defense in depth, it’s the layered approach that we are not just relying on one technology and what their map of the world is.” Cofense Triage helps the NDA team prioritize the threats so remediation can happen faster, and more time can be returned to security team members to focus on more important issues.  

Going one step further, they paired Triage with Cofense Vision to auto-quarantine phishing threats lurking in their email environment. They can also configure auto-quarantine to look for any new phishing campaigns automatically and continuously and to proactively stop attacks in their tracks. 

“We get that straight into Vision because we know there's that lag between Microsoft Safe Links doing its thing and will we know Vision will do its thing pretty much straight away. For us it's really, really important.” 

We encourage you to watch the entire chat to hear additional thoughts from Neil Kendall on the need for a multi-layered approach to email security and how NDA’s partnership with Cofense has significantly enhanced their security posture.