URL shorteners are a great tool to share a web address without a lot of typing. PhishMe Intelligence™ recently observed malicious actors using these services to evade security controls. They use these services to conceal the actual URL and bypass controls put in place to block known malicious domains.
Phishing websites are designed to steal usernames, passwords, and additional PII when unsuspecting victims are enticed to log in. Credential phishing intelligence is used to hunt, detect, and block access attempts to spoofed sites as well as to raise awareness about the latest tactics, techniques, and procedures used with credential and malware phishing campaigns.
The new credential phishing feature from PhishMe Intelligence™ delivers additional information to help defend against credential-gathering attacks. The credential phishing intelligence is available via the PhishMe Intelligence API and portal.
This blog is the first in a series about credential phishing in the enterprise.
Credential Phishing and Office 365
Microsoft Office 365 was released in 2011 and the has become hugely popular among enterprises both large and small. For those in a workplace that has fully-integrated Office 365, it feels as if you use that one password to log in to just about everything using any device. It all just works seamlessly. This is what the Office 365 login page looks like on Microsoft’s site https://login.microsoftonline.com. (Figure 1).
Figure 1 – Real Office 365 Login Page
Outlook 365 users are reporting suspicious messages to PhishMe® that contain links a page that looks like figure 1, but are hosted on compromised or fraudulent sites. As seen below in figures 2-5, are some examples of the suspicious messages that enterprise employees are receiving:
Figure 2 – Suspicious O365 Message (1 of 4)
Figure 3 – Suspicious O365 Message (2 of 4)
Figure 4 – Suspicious O365 Message (3 of 4)
Figure 5 – Suspicious O365 Message (4 of 4)
All of these messages are designed to look legitimate – like something from IT – and mimic the Office 365 login page. But in reality, they deliver the unsuspecting user to a fraudulent site to steal their information. This type of phishing has been growing rapidly. The examples shown in Figures 2-5 were captured within only 90 minutes. Over the past month PhishMe has detected credential phishing pages hosted on over 1,100 hostnames, which have likely distributed via tens of thousands of email messages. Microsoft’s own Security Intelligence Report reveals that there has been a dramatic increase in the number of account sign-ins attempted from malicious IP addresses.
The fallout from a successful Office 365 credential-based attack is so large that measuring it has become a data analytics problem. Estimating the extent of the damage is near impossible. Because many of victims don’t know they have entered their credentials on a fake site. If compromised, a threat actor could be in your system for a long time before you discover a breach. The time between the initial intrusion and detection of compromise, known as dwell time, is currently estimated to be 49 days (seven weeks).
New and different
While the attacks described above have been appearing for years, we’ve seen some new examples that seem a bit different. In these examples, the attackers are exploiting features of Office 365 as part of their phishing campaign.
Office 365 Forms
In the first example an attacker uses the Office 365 Forms app to create realistic phishing pages that are hosted on a Microsoft domain. Figure 6, below, shows a message linked to Google.com to redirect to Forms[.]Office.com:
Figure 6 – Message contains link to Google.com URL
When that link is clicked, the phishing form is displayed (figure 7) on a domain that just about any IT department would be reluctant to block.
Figure 7 – Office.com form reached from link in phishing message
To make things more confusing, consider that Microsoft conducts URL shortening using the domain name 1drv[.]ms. PhishMe customers are reporting phishing messages that contain URLs on that domain that then redirect to Onedrive[.]Live.com to load a PDF document that contains yet another link. As you can see in figure 8, this message contained a shortened link that slipped through technological defenses:
Figure 8 – OneDrive Shortened Link
The resulting PDF (figure 9) can open in the browser and deliver a link to a compromised site that hosts a phishing page.
Figure 9 – PDF from OneDrive with Malicious Link
By the time the victim reaches the somewhat-generic page below (figure 10), they have clicked through at least three trusted services.
Figure 10 – Final Destination from Original OneDrive Link
Many of the phishing messages are created using a template that inserts the recipient’s email address into the URL that the victim is enticed to click. Seeing a personalized link, the victim is made to feel that the message was built just for them so that they can log in as normal and resolve the supposed problem with their account. Other, similar functionality can extract the domain name from the recipient’s email address and display it in a large type, with an uppercase letter, to further spoof a login page for that company.
To reach the page in figure 11, we clicked a link containing the test email address ???email@example.com’ in the query string, as follows:
Though the landing page was on a different domain, the address was passed along so that it remained a part of the URL and was displayed on the page, already conveniently completing half of the form:
Even though the above example above does not represent a spear phish per se, we do see soft targeting and targeting of employees at specific large companies. Soft targeting involves the use of social media or public information about a company to tailor the recipients, the message templates, and the landing pages to be attractive to those in certain roles at a company.
What can you do?
- Use PhishMe Simulator™ and the PhishMe Reporter® plugin for Outlook to condition your employees to recognize and report suspicious messages to your incident response team.
- Employees can also fall victim to phishing attacks that compromise PCs with malicious software. Use PhishMe Intelligence™ to identify when users go to credential phishing sites or their machines exhibit indicators of compromise with malware.
- Enable two-factor authentication on all employee accounts.
- Once a credential phishing message is detected:
- Delete other related messages received within your enterprise
- Check perimeter devices for connections to the phishing URL
- Adjust controls to block similar messages by the URL and its host and/or domain, by the subject line, and/or by the sending IP address
- For employees who fell victim to a credential phish, force password re-sets and provide additional training about phishing attacks. Consult Microsoft’s technical support pages “How to determine whether your Office 365 account has been compromised” and “How to fix a compromised (hacked) Microsoft Office 365 account“.
Don’t miss out on another threat! Sign up for PhishMe® Threat Alerts today and receive updates on new and emerging phishing and malware threats, completely free.
Recently, PhishMe® recorded suspicious messages that spoofed bnm.gov.my, the domain for the central bank of Malaysia, Bank Negara. The emails concerned a Funds transfer.
Figure 1 Initial phishing message
Red Flags Right Away
The spoofed sending address belongs to a U.S.-based employee account on a high-reputation .ORG domain. (Red Flag number 1: The friendly portion of sender name does not match the email address.) Addresses on .ORG and addresses on university (.EDU) domains are frequently used to bypass spam filters that are set to allow messages through only when they appear to be coming from a sending domain with a good reputation.
However, the email headers reveal that the messages originated from the Chinese IP addresses 113.0.71[.]105 (Unicom) and 183.166.66[.]188 (Chinanet).
The brief message suggested that the recipient view the attached Word document. (Red Flag number 2: The recipient is not expecting a file from this sender.) But the attached document delivered a URL shortener link to verify an account credit over $10,000. (Red Flag number 3: We know that phishers try to appeal to our emotions, including greed.)
Figure 2 PDF document attached to the phishing message
Which Bogus Site Would You Prefer?
Because the URL was shortened using the Bit.ly service, some brief statistics are publicly-available that reveal over 8,000 clicks on the link since it was established on October 23rd at approximately 3pm Malaysia Time, about 3.5 hours before sending the phishing messages.
Figure 3 Statistics viewable at hxxps://bit[.]ly/2z0apph+
Oddly, less than 5% of the clicks recorded by Bit.ly were made by Malaysians, and about one-fourth of the clicks were made in the Czech Republic.
The link led to a landing page (see Figure 4 below) on the compromised domain polymaxtpe[.]com  spoofs the central bank of Malaysia and allows the victim to click on their preferred bank. This is what some researchers call an all-in-one phish.
Figure 4 Landing page of the phishing scam
Each of the bank links initially led to customized phishing pages on the domain techliveassist[.]com , but later redirected to pages on the compromised domain missmmarketing[.]com[.]au, like the one below for victims who select the Standard Chartered link.
Figure 5 Standard Chartered branch of larger scam impersonating several banks with users in Malaysia
Just the Latest in a Series of Malaysian Banking Scams
This is not the first time we have seen such an all-in-one phish that apparently targets Malaysians with links to several phishing pages for various banks with a presence in Malaysia. The bank selection this time included Affin Bank Berhad, Agro Bank, Alliance Bank, AmBank, Bank Islam, Bank Rakyat, CIMB Bank, Citi, Hong Leong Bank, Bank Muamalat, Kuwait Finance House, Maybank, OCBC Bank, Public Bank Berhad, RHB Bank, Standard Chartered, and United Overseas Bank.
PhishMe analysts recorded every step for one of the banks and noted that the criminals are collecting several pieces of personally identifiable information (PII), including online banking username and password, date of birth, mobile phone number, the concurrently-generated one-time PIN, and email address. The final step warns the victim not to try to log in for the next 24 hours while the database is being updated.
Banks whose customers are being targeted by these phish can examine their logs for attempts to access multiple bank accounts online from one IP address in a short time frame. Enterprises can check logs to identify whether employees may have visited these phishing sites by looking for connections to the hosts previously mentioned and to the URLs of the 17 bank logos.
Don’t ever miss another threat – sign up for PhishMe® Threat Alerts today and receive updates on new and emerging phishing and malware threats, completely free.
 “BNM.docx” MD5 hash value: 43e6ec275168125ce334a253831316d6
 In dynamically-generated directories under hxxp://polymaxtpe[.]com/LNcNFsKg
 In bank-specific directories under hxxps://www.techliveassist[.]com/NXYu3qQR This domain also hosted an Apple phish three days prior. The Apple phish was reached from a redirector on the host www.clubrougeva[.]com.
 In bank-specific directories under hxxps://missmmarketing[.]com[.]au/wip/mLwMY8uM This domain also hosted a Wells Fargo phish four days prior.
 Bank logo URLs:
Recently, CNBC reported on phishing scams in real estate, following up with an interview of PhishMe® CEO and Co-founder Rohyt Belani. Real estate is a bullseye for enterprising phishers. Often, the scammer is attempting wire fraud, trying to induce someone to make an electronic transfer of funds.
Cybercriminals continue to successfully hack and spoof emails to impersonate supervisors, CEOs, and suppliers and then request seemingly legitimate business payments. Because the emails look authentic and seem to come from known authority figures, many employees comply. But later they discover they’ve been tricked into wiring money or depositing checks into criminals’ bank accounts.
It’s easy to believe that phishing only happens to people who aren’t smart enough to detect it. This simply isn’t true. As the tech-savvy developers at software company a9t9 have indicated in their statement about a phishing incident last week, even smart developers can be fooled with a phish.
As reported by Tripwire, a Chrome plugin developer fell for a phishing attack that allowed the threat actor to take control of a9t9’s account in the Chrome Store. This means that the Copyfish plugin built by a9t9 was no longer under its control. Meanwhile, the plugin has already been used to “insert ads/spam into websites” according to the statement by a9t9.
The original phishing message that lured the developer carried a link on the URL shortening service called Bit.ly. As Tripwire explained, the victim did not notice the odd link because he was viewing the message in webmail. However, in the screenshot of the message in its text format, the Bit.ly link is clearly-visible. One of the great features of Bit.ly for those creating “bitlinks” is that you can view statistics about the locations and user agents of who clicks on your link. Others can also see a few stats by appending a plus (+) sign to the end of the URL. Below is what we saw when we did this:
The stats tell us that the bitlink was created on July 28th and leads to a URL on rdr11.top, a domain first registered on that same day via NameCheap but under privacy protection. Once the victim clicked on the link, he was redirected to the rdr11.top URL which itself then redirected to a URL on chrome-extensions.top, to the page seen below:
The domain chrome-extensions.top was also registered via NameCheap using privacy protection on July 28th.
The rdr11.top and chrome-extensions.top hosts resolve to Saint Petersburg, Russia, IP address 220.127.116.11, part of a /23 net block owned by Moscow Selectel Service.
Also known to resolve to have resolved to 18.104.22.168 is the domain chrome-extensions.pro, registered July 21st with NameCheap, using privacy protection.
A third resolution to the same IP, 22.214.171.124, was the phishy-sounding domain cloudflaresupport.site, also registered via NameCheap under privacy protection, on July 18th. A similar domain, cloudflaresupport.info, was registered with NameCheap on June 21st and even used the Cloudflare service for phishing Cloudflare accounts, but it is now under Cloudflare’s control. See the tweet below that included screenshots of the phishing message and spoofed Cloudflare login page:
— Lawrence Abrams (@LawrenceAbrams) June 21, 2017
In the Comments of that tweet are screenshots showing further redirection to a Google login phishing page on webstoresupport.top, registered with NameCheap using privacy protection on June 20th. Other comments reveal that on June 21st CloudFlare actively engaged the customer support software ticketing service being used by the threat actor to send the phishing messages, FreshDesk. However, a9t9’s statement mentions that FreshDesk was still being used on July 28th when the a9t9 developer was lured in by a phishing email message.
There are some lessons that can be learned about two factor authentication for such important accounts as your Chrome Store or Cloudflare logins; however, the main issue here is that the victim was not even thinking about the possibility of phishing while responding to his email messages. Phishing, now commonly used against all types of accounts and for increasingly-creative purposes, is known to be the number one way that attackers breach our critical processes, steal our intellectual property, and bring businesses to a screeching halt. We can also thank a9t9 for owning up to its mistakes so that we can all learn from them. Their share helps us to connect the dots and discover more about the phisher and his methods and infrastructure.
You can use PhishMe to make sure your employees know how to recognize, report, and respond to these growing threats.
Almost three months have passed since I last updated you on the Business Email Compromise scam, also known as the CEO Fraud scam. Though the volume of these attacks remains high, the information security community has continued to collaborate well regarding this type of fraud, preempting the transfer of millions of dollars and identifying numerous mules in control of bank accounts around the world.
Just last week, yet another phisher tried to phish PhishMe. Our CTO, Aaron Higbee, reported on early attempts in September 2015 when he also described the use of PhishMe Reporter to phish-back and collect details of the phisher’s IP address and user-agent.
Since that time, we have seen repeated attempts against our CFO, Sam Hahn, where he receives messages impersonating our CEO, Rohyt Belani. These messages seek to engage Sam in an exchange regarding an urgent request to make a wire transfer. Of course, such wires would be fraudulent, but, amazingly, the phish-back technique almost always works. It has resulted in the identification of as many as five mule accounts at five different banks for one potential transaction.
With this latest attempt against PhishMe, the phisher has apparently used social media and/or search engine results to identify the name and email address of a staff accountant who reports to Sam Hahn, bypassing Sam’s renowned phish-spotting skills. But the phisher’s email message landed with another trained reporter at PhishMe, who submitted the message as Suspicious, using the PhishMe Reporter button. The report fed into our internal PhishMe Triage where we could quickly see that the accountant has a high Reputation Score, indicating that she is good at spotting truly-suspicious messages. We knew that we should have a look right away at her report, shown in Figure 1 below. The subject line of the message was the accountant’s first name, and the salutation included her first name.
Figure 1 Initial message from BEC phisher
Then our incident response plan kicked in, and we asked the accountant to reply with an offer to help, as seen in Figure 2 below, where he responded right away with his plea for money to cover a secret international acquisition. (Ah! The Intrigue!)
Figure 2 BEC phisher makes plea for a wire transfer
In her response to that second message, our astute accountant indicated that she would need someone else to sign off on the wire transfer, “since it is an international wire.” She actually copied our incident response team, which later provided a wire “confirmation link” to the phisher. Figure 3 below shows the third message from the phisher, where he sent wire instructions to the accountant.
Figure 3 The BEC phisher sends wire transfer instructions
Once the mule account was revealed, it was reported to the bank, and our accountant’s associate sent a “confirmation link” that, when clicked by the phisher, revealed the phisher’s physical location. From the phisher’s point of view, the link re-directed to the login page for the bank hosting the mule account.
The phisher must have been convinced that the wire transfer had been made because the next morning, twenty hours after the initial request, he came back for more. In Figure 4 below, you can see where he hit up our accountant’s associate (really, our incident response team member) for a double dip.
Figure 4 The BEC phisher returns the next day to request more money
The final part of that thread included instructions for a $165,590 wire, details of an account at a second bank, and a request for a confirmation.
Beyond reporting this to the U.S. government’s Internet Crime Complaint Center at www.ic3.gov, our researchers wanted to dig deeper and document this phisher’s other activity. It turns out that the lookalike domain name phislhme.com was registered at 1&1 Internet SE on December 15th –the same day as the first spam message to PhishMe, using the email address firstname.lastname@example.org. When we initially looked into whether that same email address had been used to register other domain names, we found 69 other idomain names, all registered within the previous week and all seeming to be misspellings of domain names in use by real companies.
We took the list of domain names and guessed at which real company each domain was meant to imitate. We then notified the administrative contacts of record for those legitimate domain names. Though there was a handful of bounced messages, four companies replied with appreciation, and, so far, one has responded that their company had also received a BEC phishing email.
We checked back again this week to see how many domain names have been registered with 1&1 by this threat actor, and now there is a total of 156 domains. We notified 1&1 on December 19th and requested that all the names be de-activated. (see list at this link)
Though the song remains the same, phishers are constantly evolving their tactics to lead to more success. In this recent attack, the phisher did not use the word “urgent” or “wire” in the subject line of the email message. He also opted not to try for the CFO again; he likely found our accountant’s name and email address online and contacted her instead, possibly in hopes that she would feel a sense of urgency to which our CFO has become inured. Then, when we saw the plea for money, we knew a bit more about why the phisher may have opted to avoid our CFO—it was a secret deal that only the “CEO” could know about.
We also want you to understand that this does not just affect large companies. Because this scam has been going on for years, some of the larger targets have already been hit, and some have learned very hard lessons. And with over 150 companies of all sizes spoofed by this one phisher and almost a full day between the two wire requests we received, we think this phisher is very busy.
PhishMe also wants everyone to understand how simple but effective these scams can be. Learn how to spot them, and make sure your employees are great reporters. Your staff needs to know that raising a red flag to the appropriate team can make all the difference in the world to your company, preventing the loss of hundreds of thousands of dollars and helping us stamp out this fraud.
I had a dream, a crazy dream, that we stopped responding to ridiculous email messages demanding that a wire be sent immediately. Also in that dream, all the bad guys were caught and had to pay restitution and go to jail.
While that second part may never happen, there has been definite progress toward the dream goal and there are definite steps to take to ensure that you – and others in your company – do not fall victim to a BEC email.
Coordinated by the National Cyber-Forensics & Training Alliance (NCFTA), contact information and incident details are being swapped quickly in the business and financial communities, allowing wires to be successfully recalled from far-flung places, facilitating the identification of fraudster activity, and preventing additional victimizations. However, the typical scenario involves the disappearance of money into the hands of criminals much faster than the victim realizes that they have made a grave mistake in acting upon a fraudulent email message.
The FBI has now released three major advisories* regarding the Business Email Compromise scam. The below charts illustrate how the estimated number of victims and the estimated volume of dollar losses have increased dramatically with each Public Service Announcement.
And, though the Internet Crime Complaint Center (IC3) first noticed an uptick in related complaints in October 2013, the ruse has been a common one in Europe for even longer. A fellow security researcher in France, where they call this ‘The President’s Scam’, has been closely tracking a certain group since 2011.
The most common sequence of events is that a C-level employee email address is either compromised or spoofed in order to send a convincing message to someone in the company with the authority to send a wire. It appears that oftentimes the fraudsters have done their homework on who’s who also, gleaning names, titles, and even travel schedules of executives from social media accounts. We have shared examples before; just over a year ago, PhishMe CTO, Aaron Higbee, described an attempt against PhishMe.
Also around this same time last year, Centrify CEO, Tom Kemp, detailed EIGHT different attempts against his company, which itself provides multi-factor authentication services.
Unfortunately, the number of victims continues to rise. Think about it…every business is a potential victim; so, until everyone knows how to spot this scam, we will keep hearing more horror stories.
The following are some things to keep in mind when you review an email asking you to move money on behalf of your company:
- Is the message really from the person that it appears to be from? Review the headers carefully. What is the reply-to address? Was the message actually sent from a lookalike domain name, such as PHlSHME.com with the letter L in place of the letter I?
- Does the tone and writing style of the author match what you know of the purported sender of the message?
- Are you being asked to reply directly to the message, instead of crafting a new email message? Are you being pressured to keep the transaction to yourself for some reason? Does the email message have a strong sense of urgency?
- Is there a link to click or an attachment to open, supposedly containing the wire instructions? As part of this scam, wiring instructions are typically sent to the victim in a subsequent message, after they have initially hooked you into responding. Usually they are in the body of the follow-up message, but sometimes they are in a PDF attachment.
- Don’t think that the receiving bank will necessarily be overseas. Money mules in the United States are operating domestic bank accounts, helping to launder the money while sometimes thinking they are performing a legitimate work-from-home service.
- Be willing to stand your ground when something seems ‘off’ about a request. Demand that you personally speak to the person requesting the urgent wire transfer. When you save the company millions, the CEO will be glad you bugged her for a moment.
And below are some Action Items that you can take today to help prevent becoming the next victim:
- Enable two-factor authentication on your email account. If your email provider does not offer this, change providers.
- Establish a DMARC record on your company domain so that messages spoofing your real domain do not get delivered.
- Use different passwords for each online service; use a password manager if needed.
- Require dual approval and out-of-band authentication for all wires. Understand that wire transfers are one of the most risky transactions and usually cannot be recalled because they are designed to provide immediate access to and an irrevocable settlement of funds.
- The PhishMe Simulator/Reporter combination conditions your employees to spot and submit fraudulent email messages. Contact PhishMe to sign up for Simulator and Reporter so that you can start shoring up your first line of defense.
If you realize that you may have fallen for this scam, call your bank immediately. Also call your local FBI office and ask for assistance (Find contact information here.) Even if you never wired the money, report the attempt by filing a complaint form with IC3 because this helps the NCFTA track and correlate attacks, improving the likelihood of an eventual prosecution.
*Links to the full FBI PSAs: