A Not So Relieving Tax Relief Email: Threat Actors Take Aim at US Stimulus Efforts

By Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest a variety of email credentials specifically from United States citizens.

Countries all around the world are providing relief programs to their citizens to help alleviate the financial strain as a result of the COVID-19 pandemic. This threat actor, however, targets US relief efforts and the citizens who need it most. This email campaign uses the logo of the Internal Revenue Service (IRS) to bolster its credibility.

Figure 1: Email Preview

The threat actor made both the subject and sender information eye catching, as seen in Figure 1. The email appears to be from ‘IRS GOV’ regarding the subject “Tax Relief Fund,” which would be enough to gain the attention of anyone, especially those who may not have received their relief or need more. Upon clicking into the email, users are presented with the following message, as seen in Figure 2 below.

Figure 2-3: Email Body

Despite the image missing from this email sample, assumed to once have been a DocuSign logo based on the image description, the email may appear legitimate at first glance. The IRS has sent a secure document via DocuSign along with a security code to view it, but it must be used soon as it will “expire.” The email is also marked “High Importance.”

A closer look at the body of the email reveals many warning signs this email is a phish. Anyone acquainted with DocuSign would know this is not what an invitation from the service looks like. Not to mention there is odd spacing and capitalization found in the text – atypical for professional emails. There is also mention of a security code that must be used “before expiration,” a common social engineering tactic used to illicit a sense urgency.

The link found in the email, “View Shared Folder,” redirects users to the phishing site located at:

hxxp://playdemy[.]org/office/doc-new

Figures 4-5: Phishing Page and Confirmation Page

Figures 4-5 are examples of the first page users will see upon navigating through the link found in the email. The page is a simple DocuSign page prompting for the user’s email address in order to access the promised document. Visually there aren’t many differences compared to DocuSign’s website, other than the incorrect URL displayed in the address bar. However, the threat actor may have intentionally used a .org-based domain to make it appear safe, as many end users have heard .org top-level domains are “secure.”

Should a user proceed to enter their email address on this page, they are prompted once again to verify the information before being redirected to the next step of this attack.

Figures 6-7: AOL login page

The next step involves redirecting users to a phishing page based on their email provider. In Figures 6-7 above, we used a dummy AOL email and were redirected to an AOL phish. The attacker’s AOL login page rivals the look and feel of AOL’s — the only real difference is the incorrect URL in the address bar. The email entered in the first step is already pre-filled as well. This same occurs with other email providers inputted into the first step of the attack. Figures 8-10, for example, show the Gmail phish that users are redirected to if that was the email provider they entered.

Figures 8-10: Alternative Gmail Phish

Should a user enter an email address to proceed this far, the threat actor has made sure to ask for further compromising information, as seen in Figure 10: a recovery number or recovery email address per their back-up login information.

Figure 11: Final Destination

Regardless of the email address, and should the user enter this information, users are then redirected to an unexpected document; in lieu of the promised “Tax Relief Fund,” they see a completely unrelated academic paper hosted on Harvard Business School’s website. This is a common tactic, designed to confuse users into thinking there is nothing amiss, that perhaps this was a mistaken exchange or they received the wrong document in error and must wait for further contact.

Further analysis of the website utilized for this attack yielded further information on the attack and the actors behind it.

Figure 12: Open Directory

Upon navigating to the main domain, as shown in Figure 12, an open directory appears. While the file Chetos.php is password protected at present, the file 039434.php exposes a greater security threat that can be observed in Figure 13, a web shell.

Figure 13: WebAccess Shell

The beginnings of a malicious web shell start with an attacker methodically installing the malicious script for the shell on the targeted site, either by SQL injection or cross-site scripting. From there the web shell is utilized by attackers to maintain persistent access to a compromised website without having to repeat all the work of exploiting the same vulnerability they used the first time – generally, a backdoor. They can remotely execute commands and manage files that they abuse to carry out their attacks, such as a phishing attack.
As observed in Figure 13, investigation of the shell reveals files from the open directory are displayed, last modified 2020-04-24 by “owner/group” “njlugdc”, otherwise known as the attacker. The real guts of this attack, however, can be found within the directory path office/doc-new seen in Figure 14.

Figure 14: office/doc-new Directory

Within the directory are the many steps in what appears to be a simple phish. There are multiple email branded folders such as “a0l”, “earthl1nk”, “gma1l,” all of which help the threat actor target email clients. Each of these email branded folders host a phish that is specifically tailored to that brand, allowing for a more “authentic” experience that lull users into a sense of security.

Figure 15: Code Behind the Attack

Figure 15 demonstrates the code behind the attack that sanitizes user input to determine which of these phish a user is redirected to, along with the associated email brand logo to display during the redirect process.

Figure 16: Threat Actor Emails Exposed

Within the files contained in this web shell, the threat actor’s emails are displayed. Figure 16 shows the code of the Email.php file and information exfiltrated from users during the phishing attack that are sent to:
techhome18[@]gmail[.]com
we.us1[@]protonmail[.]com

Although the identity of the attacker behind this IRS phish is unknown, it is evident they took care to carefully craft this attack and chose to exploit a current event that is closely followed by Americans in an attempt to successfully steal as many log-in credentials as possible.

Network IOC IP
hxxp://playdemy[.]org/office/doc-new 206[.]123[.]154[.]15

 

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phishers Continue to Spoof WebEx

By Kaleb Kirk, Cofense Phishing Defense Center

Last month, the Cofense Phishing Defense Center (PDC) observed a new phishing trend wherein threat actors spoofed WebEx pages to harvest Office365 (O365) credentials. Since the posting of the original blog, the PDC has seen an increase in the number of similarly themed WebEx phishing attacks, yet another example of attackers leveraging the rapid shift to remote work in light of COVID-19 concerns. As many organizations and their workforce are increasingly dependent on remote working tools and solutions, reducing the attack surface (the number of different approaches a threat actor can use to enter or extract data) of such online platforms and services is becoming even more critical.

Attackers know this and are constantly looking at ways to circumvent detection by secure email gateways and position themselves between users and legitimate services. The WebEx phishing campaign is a prime example, slipping past email protection to dupe users into providing their credentials out of fear they will be unable to use the service and perform their job otherwise.  It’s therefore not a surprise the PDC has seen an increase in phishing attacks that spoof legitimate, business critical services.

While this blog focuses on a new phishing campaign imitating WebEx, this style of attack can and has taken multiple forms, mimicking many different legitimate web services. Luckily however, once an end user knows some of the telltale signs,  it’s often easy to identify what is truly legitimate and what is fake.

Figures 1-2: Email Body

Upon an initial glance, this email may appear innocuous enough. It has the look and format one would likely expect when receiving an email from Cisco. The style is professional, the layout of the email isn’t mangled or chaotic, and it appears legitimate – an intentional and easy tactic to pull off. All the threat actor required was a real WebEx email to copy from in order to duplicate the style and alter select elements for nefarious purposes. The sender address appears to come from WebEx. However, this is what is known as the “friendly” from address – while the recipient sees the displaying address, which appears to be authentic, the email headers reveal a very different story. The problem with a “friendly” sender address is that it is easily spoofed by attackers; it’s a well-known, simple trick designed to convince the recipient that an email is legitimate.

Looking beyond simple aesthetics, however, other indicators of phishing are evident. The subject line indicates there is an issue with SSL certificates that requires the user to sign in and resolve. This is referenced further in the body of the email, providing a sense of legitimacy and enticing them to open the email and read it.

The wording of the email also employs scare tactics that are prevalent in phishing attacks. The recipient is informed there is a problem that has caused their service to become deactivated and the user must log-in and authenticate by clicking the link. Verbiage like this is often used to coerce the end user into clicking on a link or attachment in haste before they have time to fully think it through – a key tactic used by threat actors in phishing campaigns.

Finally, the link itself reveals something else is fishy about this alert. Hovering over the button shows the embedded link is not, in fact, a WebEx page, but a SendGrid link, a legitimate customer communication service used by marketing professionals. SendGrid links are commonly used in phishing attacks, as they require minimal effort.

Figure 3: Phishing Page, Step 1

Upon clicking the SendGrid link, the user is redirected to a phishing page, as seen in Figure 3. The only difference between a legitimate WebEx login page and this phishing page is the URL itself, suggesting the attacker conducted some form of web scraping to create an intentionally benign looking and familiar login page for the end user. Web scraping, essentially, is the practice of using a tool to automatically copy data from a website and create a convincing copy.

Figure 4: Phishing Page, Step 2

Deception quickly falls apart when reviewing the URL, however; while designed to look like the actual URL, there actually isn’t a portion that includes ‘webex.com’. The numerous dashes, coupled with one very long word followed by ‘index.php’ is not reflective of a professional link, suggesting the phishing URL was registered to appear legitimate at first glance. While phishers commonly make a valiant effort for their pages to look legitimate, looking at the address bar generally reveals if it’s legitimate. Misspelling, similar looking words and strange top-level domains are common tricks used by attackers to guile end users for just long enough to not question it.

While the initial phishing page only requests the user’s email address, the following page then changes URLs from “index.php” to “step2.php” and asks for the user’s password- this is another indicator the site is not legitimate, as the specific internals of which php file is being invoked for this webpage would be usually be hidden to the user.

Figure 5: Final redirect to official WebEx login page

As the final stage of attack, when the user enters their credentials on the page shown in Figure 5 above, the user is then redirected to WebEx’s real sign-in page. At this point, the malicious actor now has the user’s credentials, but it is in their best interest to ensure the user is unaware that a successful credential phishing attack occurred, giving the threat actors time to make use of newly stolen log-in details. The final redirect to WebEx’s legitimate log-in page may make the end user believe there was a log-in error and they need to log-in again. A common theme in a many phishing attacks is appealing to and preying on the feeling that nothing is amiss and there is nothing to question about the experience. In the meantime, threat actors gain precious time to do damage while the end user moves on with his or her workday.

Figure 6: Open Directory

A final interesting finding about this phishing campaign is the main domain itself, which reveals an open directory. This open directory shows the files included in the phishing page: images, fonts, .css files, and more. Although finding this directory was easy, it isn’t necessary to hide it, as most end users will only go through to login rather investigating into the internals of the site. However, it must be noted no professional website allows access to its file directories in this way. If reached, it is an almost sure-fire way of immediately identifying a phish.

Network IOC IP
hXXps://cert-ssl-global-prod-webmeetings[.]com/da4njy=/idb/saml/jsp/index[.]php 137[.]135[.]110[.]140

 

How Cofense Can Help

Visit Cofense’s Remote Work Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots and YARA rules as we continue to track campaigns.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Staff Members’ Inbox Positive for Coronavirus Themed Phish

By Ashley Tran, Cofense Phishing Defense Center

From prime ministers, members of congress to celebrities and staff of nursing homes — many have been affected by COVID-19. And the worst part? Threat actors know this and are heavily weaponizing this pandemic, exploiting the fears and concerns of users everywhere. The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign found in environments protected by Microsoft and Symantec that not only impersonates a company’s management but also suggests that a fellow employee has tested positive for the disease, urging users to read an enclosed malicious attachment posed as “guidelines” or “next steps.”

As we have seen before and noted in previous Cofense blogs and media stories, Coronavirus themed phishing attacks are running rampant and attacking users across all industries. Although the attacks vary in method, the main takeaway is the same: all users must exercise the utmost caution and restraint in the face of emotionally jarring emails.

Figures 1-3: Email Bodies

The PDC has found multiple instances of this attack and a trend among them all. As demonstrated in Figures 1-3, the email subject lines are relatively similar: “Staff Member Confirmed COVID 19 Positive ID,” followed by a random string of numbers and that day’s date. The emotion these subject lines evoke in users are also the same: fear and curiosity. Emails appearing to be a “Team Update on COVID 19” and bearing their company’s name can convince end users to believe the email was sent internally. However, the true senders are revealed via the return paths:

Maga[@]tus[.]tusdns[.]com and ungrez[@]ssd7[@]linuxpl[.]com

Admittedly these emails would appear suspicious to most, but the threat actor is relying on the emotional subject line to overcome logic and push users to read just the first line of the sender information and nothing more.

The bodies of the emails have more variety and are worded differently, but the same main point: a fellow employee has the virus, so read this guideline we’ve attached to get more details or at least learn the “next steps” to take. To top it off the email is signed by “Management.”

The true part of this attack lies within the HTML file found in the email.

Figure 4 shows that the attachment has been detected as malicious by a multitude of services, however users won’t see this when they read the email.

Figure 4: VirusTotal Analysis

Figure 5: Phishing Page

Upon opening the attachment users are presented with a generic Microsoft login page, a frequently targeted brand. The difference with this phish, however, is the threat actor has superimposed the login box over a blurred document that may appear to users as the previously mentioned “guidelines” lending an even greater sense of legitimacy.

The email of the recipient is automatically appended to the username field via code in the HTML. In fact, the threat actor has painstakingly put the base64 for each of the recipient’s email addresses, which is then translated to a readable format when interacting with the phish. This snippet of code can be observed in Figure 6.

Figure 6: Email Bodies

Once a user navigates to the next page and inputs their password, the information is then sent to the compromised site:

hxxp://tokai-lm[.]jp/style/89887cc/5789n[.]php?98709087-87634423

This exchange of information can be viewed by opening developer tools on any browser and navigating to the networking tab as shown in Figure 7.

Figure 7: Phishing Page

The code found within the HTML file that hosts the phishing content employs typical malicious tactics. For example, as seen in Figure 8, the code does not look like a typical HTML code. This is because the threat actor has attempted to obfuscate their code, to make analysis as well as detection harder. However, this is nothing new for phishing campaigns that choose to utilize a HTML file. De-obfuscating the code and revealing some its methods is not difficult.

Figure 8: Obfuscated Code

To begin, the code is notably broken into different parts. Each of these parts may stand out to anyone with an eye for encoding as being Hex text and base64. These both can easily be decoded back into their original form, the true HTML code, by utilizing tools such as RapidTables and Base64 Decode.

Figure 9: De-obfuscated Code

After de-obfuscating the code, the true HTML is seen in Figure 9, revealing the threat actor has compromised, or at the very least utilized, a compromised site to host the style sheet for their phish:

hxxp://ibuykenya[.]com/vendor/doctrine/styles[.]css

Figure 10: Open Directory with Phish Resource Files

The following is the directory which the threat actor has used to store the style sheet for the phish, along with what appears to be two additional files, based on their last modified dates.

Within the code, the image seen in the background of the document can also be recovered. The image is hosted on ImgBB, yet another relatively benign image hosting site to which threat actors flock to host images for their attacks.

hxxps://i[.]ibb[.]co/dMcjCWC/image[.]png

Figure 11: Document Preview from Phish

Upon closer observation, the title of the document can be obtained. With a quick search, the image the threat actor has used to further legitimize this login page in the eyes of the user can be linked back to the legitimate document found in Figure 12.

Figure 12: Legitimate Document Utilized by Threat Actor

All these steps – the social engineering, the obfuscated code, use of official COVID health advisories and more-are designed to ensure users don’t detect the phishing attack is in progress. This phish also demonstrates the attacker’s need to employ layered techniques designed to avoid detection by email gateways, as well as the incident responder’s need for the right investigative tools to properly analyze, detect and quarantine this threat.

Network IOC  IP
hxxp://tokai-lm[.]jp/style/89887cc/5789n[.]php?98709087-87634423 150[.]60[.]156[.]116

 

How Cofense Can Help

Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots and YARA rules as we continue to track campaigns. (edited) 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phishes Found in Proofpoint-Protected Environments – Week Ending May 3, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically quarantined by Cofense Triage and Cofense Vision.  

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.   

The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint, which were detected by humans, analyzed with Triage, and quarantined by Vision.  

TYPE: Credential Theft 

DESCRIPTION: Phishing campaign spoofs the South African Revenue Service delivering embedded links to an illegitimate banking site established to steal credentials. 

TYPE: Credential Theft 

DESCRIPTION: Coronavirus-themed phishing campaign related to N95 masks delivering embedded links leading to a website established to steal credentials.

TYPE: Credential Theft 

DESCRIPTION: Quote Request-themed phishing campaign redirecting the victim to a Microsoft OneDrive page that led to a website established to steal credentials.

TYPE: Credential Theft 

DESCRIPTION: Purchase Order-themed phishing campaign redirecting the victim to a Dropbox page that led to a website established to steal credentials.

TYPE: Credential Theft 

DESCRIPTION: Invoice-themed phishing campaign delivering embedded links that lead to a website established to steal Outlook login credentials.

TYPE: Credential Theft 

DESCRIPTION: Document-themed phishing campaign delivering an embedded link to a Microsoft SharePoint-hosted OneNote document that leads to a website established to steal Office365 credentials.

TYPE: Malware – Banload

DESCRIPTION: Finance-themed phishing campaign delivering an embedded link to a Microsoft OneDrive-hosted .zip archive containing Banload malware.

TYPE: Credential Theft 

DESCRIPTION: Finance-themed phishing campaign delivering a .htm file crafted to look like an online document and prompting for email credentials to confirm the victim is not a robot.

TYPE: Malware – QakBot

DESCRIPTION: Response-themed phishing campaign delivering embedded links to VBS scripts that download the QakBot banking trojan.

TYPE: Credential Theft 

DESCRIPTION: Information-themed phishing campaign delivering embedded links to Google-hosted pages leading the victim to a page established to steal Office365 credentials.

TYPE: Malware – NanoCore

DESCRIPTION: Document-themed phishing campaign delivering embedded links to Microsoft OneDrive-hosted pages hosting GuLoader, which downloads the NanoCore Remote Access Trojan from Google Drive.

TYPE: Credential Theft 

DESCRIPTION: Document-themed phishing campaign spoofing a construction design and build organization delivering embedded Microsoft OneNote links that lead to a website crafted to steal email credentials.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack.

We typically find 1 out of 7 employee-reported emails to be malicious.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Targeted Attack Uses Fake EE Email to Deceive Users

By Kian Mahdavi and Tej Tulachan, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has discovered a spear-phishing campaign designed to defraud corporate executives’ payment details by spoofing EE, a well-known UK-based telecommunications and internet service provider.  These spear phishing messages were reported to the Cofense PDC by end users whose email environments are protected by Microsoft 365 EOP and Symantec. This new, targeted campaign shows that while exploiting well-known telecommunications brands is nothing new, such phishing emails continue to go undetected by popular email gateways designed to protect end users, leading to possible theft of prized corporate credentials

Figure 1: Email Body

Threat actors sent a targeted email to a few executives, including one at a leading financial firm, with the subject line reading ‘View Bill – Error’ from a purchased top-level domain (moniquemoll[.]nl). These details in and of themselves may raise red flags to eagle-eyed recipients, as EE’s trademarked name isn’t included in any part of the full email address.

The malicious URL inserted within the text is:

hXXps://fly-guyz[.]com/ee[.]co[.]uk[.]edcnymdsqmnydqnyo

The vague email indicates ‘we’re working to get this fixed’. At no point does the email give an indication what this error is. As we read on, the second hyperlink states ‘view billing to make sure your account details are correct’ to entice the recipient to click the phishing link.

The threat actor fails to include the correct registered office address, evident towards the bottom of the email. Once the threat actor’s social engineering does the trick and the user clicks one of the links, they are redirected to a phishing page.

Noted in Figure 2 below is the trusted HTTPS protocol (also displayed as the green padlock) within the URL, giving false hope to the user that network traffic is being encrypted, ensuring all data transferred between the browser and website is secure and not being eavesdropped on.

However, the threat actor even went to the trouble of obtaining SSL certificates for the domain to further gain end users’ trust. In fact, it has become much easier for site owners, including fraudsters, to obtain these certificates.

Figures 2 and 3: First and second phishing pages

The peculiar aspect is the message in which the threat actor included: ‘You will not be charged’ to reassure recipients and trick them into providing their payment information.  The user is then automatically redirected to the legitimate EE website, as displayed below in Figure 4, to avoid suspicion. This is a common tactic to make the user believe the session timed out or their password was mistyped.

Figure 4: Legitimate Redirect Login Page

At the time of writing, the phishing page is still live and active. To further validate the analysis of the investigation, we decided to input some fake credentials, allowing us to verify the transmitted TCP requests and redirects to the fraudster’s domain at hXXps://kbimperial[.]com/data[.]php.

Figure 5: TCP Retransmission Packets

Indicators of Compromise:

Network IOC IP
hXXps://fly-guyz[.]com/ee[.]co[.]uk[.]edcnymdsqmnydqnyo/
hXXps://kbimperial[.]com/ee[.]co[.]uk[.]edcnymdsqmnydqnyo/logins
hXXps://kbimperial[.]com/data[.]php?
104[.]31[.]82[.]7
104[.]31[.]83[.]7
35[.]208[.]71[.]62

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Cofense Announces Additional Investment by BlackRock and Appointment of Tom McDonough to Board of Directors

LEESBURG, Va. – April 28, 2020 – Cofense®, the global leader in intelligent phishing defense solutions, today announced the appointment of Tom McDonough to its Board of Directors as well as an additional investment from funds managed by BlackRock Private Equity Partners to support Cofense’s growth strategies. Initially inked in 2018 and expanded in 2019, Cofense’s continued partnership with BlackRock provides additional growth capital to advance research and development as well as further the company’s global expansion.

“We are pleased to build upon our relationship with BlackRock following one of our strongest quarters in company history,” said Rohyt Belani, Cofense co-founder and chief executive officer. “Combined with recent enhancements to Cofense’s leadership structure and the addition of Tom to our board of directors, the company is well positioned to meet growth and profitability targets in the coming year.”

Cofense’s security operations offerings, Cofense Triage and Cofense Vision, help organizations stop phishing attacks in their tracks by detecting, identifying, and rapidly quarantining malicious emails that evade secure email gateways (SEGs) every day. Cofense has close to 2,000 enterprise clients in over 150 countries, representing every major vertical from energy, financial, healthcare to manufacturing and high technology. Since January 2020, Cofense has achieved the Federal Risk and Authorization Management Program (FedRAMP) In Process designation, launched a COVID-19 phishing resource center to help protect organizations and end users during this public health emergency, and expanded its leadership team with key executive additions from organizations such as Proofpoint. Poised for its next phase of growth, Cofense will continue investing in R&D to provide their customers with peak phishing defense across the organization.

As the newest member of Cofense’s board of directors, McDonough brings a proven track record of building and optimizing the performance of highly motivated teams that generate predictable revenue and profitable growth. During his career as an experienced board member and operating executive, including roles with Cisco and Sourcefire, he has managed private, early stage and public companies through international expansion, venture financing, IPOs, acquisitions and integration. McDonough’s extensive experience leading cyber security companies through hyper growth and major market transitions has contributed to the creation of more than $5B in shareholder wealth through two IPOs and four acquisitions at four different companies.

“It is truly an honor to join Cofense’s team as a board member,” said McDonough. “By putting the customer and innovation front and center, Cofense has developed and sustained a strong portfolio of solutions and established its position as a global leader in intelligent phishing defense. Looking ahead, I am very confident that Cofense’s vision, focused execution, expert team and robust product pipeline will enable the company to add to its history of growth and development.”

###

About Cofense
Cofense®, the leading provider of intelligent phishing defense solutions worldwide, is uniting humanity against phishing. The Cofense suite of products combines timely attack intelligence on phishing threats that have evaded perimeter controls and were reported by employees, with best-in-class security operations technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise. For additional information, please visit www.cofense.com or connect with us on Twitter and LinkedIn.

Media Contact
press@cofense.com

This Phish Uses Skype to Target Surging Remote Workers

By Harsh Patel

The Cofense Phishing Defense Center (PDC) recently unearthed a new phishing campaign spoofing Skype, the popular video calling platform that has seen a recent spike in use amid the need to keep employees connected as they work remotely. This phishing attack was found in email environments protected by Proofpoint and Microsoft 365 EOP, landing in end-users’ inboxes.

With so many people working from home, remote work software like Skype, Slack, Zoom, and WebEx are starting to become popular themes of phishing lures. We recently uncovered an interesting Skype phishing email that an end user reported to the PDC.

Figures 1 and 2: Email Body

For this attack, the threat actor created an email that looks eerily similar to a legitimate pending notification coming from Skype. The threat actor tries to spoof a convincing Skype phone number and email address in the form of 67519-81987[@]skype.[REDACTED EMAIL]. While the sender address may appear legitimate at first glance, the real sender can be found in the return-path displayed as “sent from,” which also happens to be an external compromised account. Although there are many ways to exploit a compromised account, for this phishing campaign the threat actor chose to use it to send out even more phishing campaigns masquerading as a trusted colleague or friend.

It is not uncommon to receive emails about pending notifications for various services. The threat actor anticipates users will recognize this as just that, so they take action to view the notifications. Curiosity and the sense of urgency entice many users to click the “Review” button without recognizing the obvious signs of a phishing attack.

Upon clicking ‘Review’ users will be redirected via an app.link:

hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5

Finally, to the end phishing page:

hxxps://skype-online0345[.]web[.]app

The threat actor has chosen to utilize a .app top-level domain to host their attack. This TLD is backed by Google to help app developers securely share their apps. A benefit of this top-level domain is that it requires HTTPS to connect to it, adding security on both the user’s and developer’s end, which is great…but not in this case. The inclusion of HTTPS means the addition of a lock to the address bar, which most users have been trained to trust. Because this phishing site is being hosted via Google’s .app TLD it displays this trusted icon.

Figure 3: Phishing Page

Clicking the link in the email, the user is shown an impersonation of the Skype login page. If a well-trained user inspects the URL, they will see that the URL contains the word Skype (hxxps://skype-online0345[.]web[.]app). To add even further sense of authenticity, the threat actor adds the recipient’s company logo to the login box as well as a disclaimer at the bottom warning this page is for “authorized use” of that company’s users only. The username is auto-filled due to the URL containing the base64 of the target email address, thus adding simplicity to the phishing page and leaving little room for doubt. The only thing left for the user to do is to enter his or her password, which then falls into the hands of the threat actor.

 

Network IOCs
hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5
hxxps://skype-online0345[.]web[.]app

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Available Today: The Cofense Intelligence Q1 2020 Phishing Review

By Mollie MacDougall, Cofense Intelligence

Today, Cofense Intelligence released its Q1 2020 Phishing Review. This report highlights key phishing trends uncovered by Cofense Intelligence analysts, who spend every day analyzing current phishing campaigns and producing actionable phishing intelligence. This intelligence keeps our customers proactively defended against emerging phishing tactics, techniques and procedures (TTPs). Our analysts focus on campaigns that reach enterprise user inboxes, and report on the TTPs designed to evade secure email gateways (SEGs) and other network defense technology.

Report Highlights

The first quarter of 2020 began with a continued seasonal lull in malware volume and ended with a drastic spike in the quarter’s last six weeks, as the COVID-19 virus evolved from emerging crisis to global pandemic. While Emotet volume overall was lower than expected, phishing campaigns leveraging COVID-19 and remote work themes surged in March 2020.

Figure 1: Credential phishing campaign that leveraged COVID-19

While the widespread use of ransomware has not returned to its peak, Cofense Intelligence analyzed targeted ransomware campaigns using themes that leveraged the global pandemic. Ransomware operators have also upped the ante on several campaigns, combining ransomware infection with a data breach and releasing sensitive data if ransom is not paid. This strategy has garnered a great deal of attention in recent headlines, as it further extorts organizations who are prepared to recover from ransomware campaigns and otherwise would not pay off their attackers.

Several campaigns discovered by Cofense Intelligence last quarter used trusted sources to evade perimeter defenses. Organizations rely on trusted platforms and services to conduct efficient business operations, and threat actors are eager to abuse these trusted services to compromise users. Cofense Intelligence has analyzed multiple campaigns that have used trusted sources as a part of the infection chain. These sources include, but are not limited to, cloud services, customer/employee engagement surveys, and third-party connections.

Read our Q1 2020 Phishing Review for more detailed trends identified by Cofense Intelligence and to see our phishing predictions for the  months ahead. Spoiler alert: phishing campaigns are likely to increasingly focus on the upcoming United States general election as well as the global pandemic and the work and lifestyle shifts it has precipitated. We also assess that ransomware campaigns will very likely continue to increase. Finally, we predict that Emotet will again resume phishing campaigns in Q2.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Threat Actors Masquerade as HR Departments to Steal Credentials through Fake Remote Work Enrollment Forms

By: Kian Mahdavi, Cofense Phishing Defense Center

With the escalation of COVID-19, organizations are rapidly adjusting as they move their workforce to work from home; it’s no surprise that threat actors have followed suit. Over the past few weeks, the Cofense Phishing Defense Center (PDC) has observed a notable uptick in phishing campaigns that exploit the widely used Microsoft Sway application to steal organizational credentials and to host phishing websites. Sway is a free application from Microsoft that allows employees to generate documents such as newsletters and presentations and is commonly used by professionals to conduct their regular day to day work tasks.

In a new campaign, threat actors send emails with subject lines such as ‘Employee Enrollment Required’ and ‘Remote Work Access.’

Figure 1: Email body

The sender in Figure 1 claims to come from ‘Human Resources.’ Closer inspection, however, reveals the actual sender’s address – a purchased domain address ‘chuckanderson.com’ with no association to the HR team or the organization’s official mailing address.  The attack includes carefully thought out trigger words, such as ‘expected’ and ‘selection/approval,’ language that often trips up employees who are accustomed to receiving occasional emails from their local HR team, especially during this pandemic. Should users hover over the link within the email, however, they would see ‘mimecast.com’ along with ‘office.com,’ potentially and mistakenly deeming these URL(s) as non-suspicious.

By using trusted sources such as Sway to deliver malware or steal corporate credentials, such campaigns often evade Secure Email Gateways (SEGs) thanks to the trusted domains, SSL certificates and URL(s) used within the email headers.

Figure 2: Cofense PDC Triage flagging the known malicious URL

Numerous employees across a variety of departments within the same company received and reported this email to the Cofense PDC, with each email consistently redirecting users to similar Sway URLs.  These URLs were already known by our Cofense Triage solution and were identified as malicious, providing valuable context for our PDC analysts when they commenced their investigation.

As previously discussed, as legitimate domains and URLs were used, these campaigns remained undetected for longer periods of time, likely leading to a higher number of compromised account credentials. On the other hand, malicious content hosted on purpose-built phishing sites usually gets flagged much quicker, taken down earlier, and therefore leading to a much shorter ‘time to live’ period. In short, this attack was easy to execute, required minimal skill, and remained undetected by security technologies.

Figure 3: Virus Total URL Analysis  

Upon conducting a web search using reliable threat intelligence feeds, as shown above in Figure 3, the authenticity of URLs can be verified against trusted security vendors that have recently detected the attack, flagging them as ‘malicious/phishing’. Displayed in the top right-hand side of Figure 3 is the timestamp revealing the latest known update from a security vendor.

Figure 4: First phase of phishing page

Awaiting the user is the bait on a generic looking page, a ‘BEGIN ENROLLMENT’ button and once clicked, redirects to a document hosted on SharePoint as seen below in Figure 5.

Figure 5: Second phase of phishing page

Once employees enter their credentials and hit the ‘Submit’ button, their log-in information is sent to the threat actor – the end user is none the wiser that they have been successfully phished.

As employees have rapidly shifted to remote working, threat actors have started to look at ways they capitalize on the COVID-19 pandemic to spoof new corporate policies and legitimate collaboration tools to harvest valuable corporate credentials, a trend we anticipate will only continue to gain steam in the foreseeable future.

Indicators of Compromise:

First Hosted URL IP Address
hXXps://sway[.]office[.]com/5CgSZtOqeHrKSKYS?ref=Link 52[.]109[.]12[.]51

 

Second Hosted URL IP Address
hXXps://netorgft6234871my[.]sharepoint[.]com/:x:/r/personal/enable_payservicecenter_com/_layouts/15/WopiFrame[.]aspx 13[.]107[.]136[.]9

 

How Cofense Can Help

Visit Cofense’s Remote Work Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots as we continue to track campaigns.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Cofense Announces Key Additions to Leadership Team Including Former Proofpoint Executive

Brandi Moore Appointed as Chief Operating Officer
Mark Small Joins as Senior Vice President of Worldwide Sales
Carolyn Merritt Joins as Vice President of Customer Experience

LEESBURG, Va. – April 9, 2020 – On the heels of one of the strongest quarters in company history, Cofense® , the global leader in intelligent phishing defense solutions, today announced enhancements to its leadership structure to further position the business for its next phase of growth. Brandi Moore, previously Chief of Staff at Cofense, has been appointed Chief Operating Officer (COO), reporting directly to Chief Executive Officer, Rohyt Belani. Former Proofpoint executive Mark Small joins the company as SVP of Worldwide Sales, and Carolyn Merritt joins as VP of Customer Experience, both reporting to Moore.

“During the first quarter of 2020, strong demand for Cofense’s phishing defense solutions drove the highest gross margins and EBITDA[1] since reaching scale in 2015,” said Belani. “With more than 22 million people across the globe actively flagging potential attacks, and record-breaking adoption of our security operations offerings – Cofense Triage and Cofense Vision – we empower thousands of organizations to stop phishing attacks in their tracks by detecting, identifying, and rapidly quarantining the malicious emails that continue to slip past email gateways. As we position Cofense for its next phase in market leadership, our streamlined organizational structure will help further advance our strong go-to-market strategy and global adoption of our portfolio of products and services.”

Moore brings more than 20 years of industry experience managing technical, strategic and sales teams in cybersecurity. As COO, Moore is responsible for driving further operational excellence across the company’s sales, marketing, customer experience and professional services functions, as well as the Cofense Phishing Defense Center. She began her career in cybersecurity at America Online (AOL) in the 1990’s as it brought the internet into the fabric of everyday life, working in a variety of technical and privacy roles to secure networks and customer financial information. After leaving AOL, she took her cyber background to the revenue generating side of the business, driving sales at Mandiant (acquired by FireEye), Ounce Labs (acquired by IBM) and Trustwave (acquired by Singtel).

As SVP of Worldwide Sales, Small leads the company’s global sales, sales engineering, sales operations and enablement, and channel teams to equip organizations across the globe with Cofense’s innovative phishing defense solutions. Bringing a strong pedigree of sales management and business acumen with more than two decades of cybersecurity leadership experience, Small most recently led Proofpoint’s Digital Risk Worldwide Sales and Technical teams where he played a pivotal role in steering the company’s sales teams to continued growth. Small’s background also includes senior sales and management roles at Websense, McAfee, and Oracle.

Merritt oversees the company’s technical support, client success and PhishMe professional service teams as VP of Customer Experience. With the amalgamation of these teams, Merritt’s leadership serves customers with a proactive and unified experience post-purchase. Merritt brings decades of experience in similar executive leadership roles at various technology companies including Dataprise, Metalogix Software and Cision.

“Brandi, Mark and Carolyn’s respective track records of success and combined entrepreneurial mindsets make them critical assets to Cofense’s executive leadership team,” added Belani. “We are thrilled to foster their insights and demonstrated strategic approach to continue to build high-performance teams to support our strong growth and near-term profitability targets.”

###

About Cofense
Cofense®, the leading provider of intelligent phishing defense solutions worldwide, is uniting humanity against phishing. The Cofense suite of products combines timely attack intelligence on phishing threats that have evaded perimeter controls and were reported by employees, with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise. For additional information, please visit www.cofense.com or connect with us on Twitter and LinkedIn.

Media Contact
press@cofense.com

 

[1] Earnings before interest, tax, depreciation and amortization