URL shorteners are a great tool to share a web address without a lot of typing. PhishMe Intelligence™ recently observed malicious actors using these services to evade security controls. They use these services to conceal the actual URL and bypass controls put in place to block known malicious domains.
Phishing websites are designed to steal usernames, passwords, and additional PII when unsuspecting victims are enticed to log in. Credential phishing intelligence is used to hunt, detect, and block access attempts to spoofed sites as well as to raise awareness about the latest tactics, techniques, and procedures used with credential and malware phishing campaigns.
The new credential phishing feature from PhishMe Intelligence™ delivers additional information to help defend against credential-gathering attacks. The credential phishing intelligence is available via the PhishMe Intelligence API and portal.
This blog is the first in a series about credential phishing in the enterprise.
Credential Phishing and Office 365
Microsoft Office 365 was released in 2011 and has become hugely popular among enterprises both large and small. For those in a workplace that has fully integrated Office 365, it feels as if you use that one password to log in to just about everything using any device. It all just works seamlessly. This is what the Office 365 login page looks like on Microsoft’s site, https://login.microsoftonline.com (Figure 1).
Figure 1 – Real Office 365 Login Page
Outlook 365 users are reporting suspicious messages to PhishMe® that contain links to a page that looks like Figure 1 but is hosted on compromised or fraudulent sites. Figures 2-5 below show some examples of the suspicious messages that enterprise employees are receiving:
Figure 2 – Suspicious O365 Message (1 of 4)
Figure 3 – Suspicious O365 Message (2 of 4)
Figure 4 – Suspicious O365 Message (3 of 4)
Figure 5 – Suspicious O365 Message (4 of 4)
All of these messages are designed to look legitimate – like something from IT – and mimic the Office 365 login page. But in reality, they deliver the unsuspecting user to a fraudulent site to steal their information. This type of phishing has been growing rapidly. The examples shown in Figures 2-5 were captured within only 90 minutes. Over the past month PhishMe has detected credential phishing pages hosted on over 1,100 hostnames, which have likely been distributed via tens of thousands of email messages. Microsoft’s own Security Intelligence Report reveals that there has been a dramatic increase in the number of account sign-ins attempted from malicious IP addresses.
The fallout from a successful Office 365 credential-based attack is so large that measuring it has become a data analytics problem. Estimating the extent of the damage is near impossible because many of the victims don’t know they have entered their credentials on a fake site. If compromised, a threat actor could be in your system for a long time before you discover a breach. The time between the initial intrusion and detection of compromise, known as dwell time, is currently estimated to be 49 days (seven weeks).
New and different
While the attacks described above have been appearing for years, we’ve seen some new examples that seem a bit different. In these examples, the attackers are exploiting features of Office 365 as part of their phishing campaign.
Office 365 Forms
In the first example, an attacker uses the Office 365 Forms app to create realistic phishing pages that are hosted on a Microsoft domain. Figure 6, below, shows a message whose link points to Google.com and redirects to Forms[.]Office.com:
Figure 6 – Message contains link to Google.com URL
When that link is clicked, the phishing form is displayed (figure 7) on a domain that just about any IT department would be reluctant to block.
Figure 7 – Office.com form reached from link in phishing message
To make things more confusing, consider that Microsoft conducts URL shortening using the domain name 1drv[.]ms. PhishMe customers are reporting phishing messages that contain URLs on that domain that then redirect to Onedrive[.]Live.com to load a PDF document that contains yet another link. As you can see in figure 8, this message contained a shortened link that slipped through technological defenses:
Figure 8 – OneDrive Shortened Link
The resulting PDF (figure 9) can open in the browser and deliver a link to a compromised site that hosts a phishing page.
Figure 9 – PDF from OneDrive with Malicious Link
By the time the victim reaches the somewhat-generic page below (figure 10), they have clicked through at least three trusted services.
Figure 10 – Final Destination from Original OneDrive Link
Many of the phishing messages are created using a template that inserts the recipient’s email address into the URL that the victim is enticed to click. Seeing a personalized link, the victim is made to feel that the message was built just for them so that they can log in as normal and resolve the supposed problem with their account. Other, similar functionality can extract the domain name from the recipient’s email address and display it in a large type, with an uppercase letter, to further spoof a login page for that company.
To reach the page in figure 11, we clicked a link containing the test email address ‘email@example.com’ in the query string, as follows:
Though the landing page was on a different domain, the address was passed along so that it remained a part of the URL and was displayed on the page, already conveniently completing half of the form:
Even though the above example does not represent a spear phish per se, we do see soft targeting and targeting of employees at specific large companies. Soft targeting involves the use of social media or public information about a company to tailor the recipients, the message templates, and the landing pages to be attractive to those in certain roles at a company.
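One way to hunt for the personalized links described above: the added example below (not PhishMe's code) scans a message body for URLs that carry the recipient's address in the path, query string or fragment, whether plain, percent-encoded or base64-encoded. The recipient, hosts and message text are constructed sample values.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _b64_variants(value):
    """Yield plausible base64 decodings of a token (standard and URL-safe)."""
    token = value.strip()
    padded = token + "=" * (-len(token) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            yield decoder(padded).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue  # not valid base64 in this alphabet


def find_personalized_links(body, recipient):
    """Return (url, where, encoding) for each link carrying the recipient's address."""
    needle = recipient.lower()
    hits = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # drop trailing sentence punctuation
        parts = urlsplit(url)
        candidates = [("path", seg) for seg in parts.path.split("/") if seg]
        candidates += [("query:" + key, val)
                       for key, val in parse_qsl(parts.query, keep_blank_values=True)]
        if parts.fragment:
            candidates.append(("fragment", parts.fragment))
        for where, raw in candidates:
            value = unquote(raw)  # also catches double percent-encoding
            if needle in value.lower():
                hits.append((url, where, "plain"))
            elif any(needle in decoded.lower() for decoded in _b64_variants(value)):
                hits.append((url, where, "base64"))
    return hits


# Constructed sample message: two personalized links and one ordinary link.
RECIPIENT = "jane.doe@example.com"
_ENCODED = base64.urlsafe_b64encode(RECIPIENT.encode()).decode().rstrip("=")
SAMPLE_BODY = (
    "Your mailbox is almost full. Sign in to keep receiving mail:\n"
    "http://phish.example.net/o365/login.php?email=jane.doe%40example.com\n"
    "Mirror: http://phish.example.net/v/" + _ENCODED + "/index.html\n"
    "Help: https://support.example.org/article?id=42\n"
)

if __name__ == "__main__":
    for url, where, encoding in find_personalized_links(SAMPLE_BODY, RECIPIENT):
        print(f"{encoding:6} {where:12} {url}")
```

Legitimate services such as unsubscribe links also embed the recipient's address, so a hit is a signal to combine with sender and landing-host reputation rather than a verdict on its own.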
What can you do?
- Use PhishMe Simulator™ and the PhishMe Reporter® plugin for Outlook to condition your employees to recognize and report suspicious messages to your incident response team.
- Employees can also fall victim to phishing attacks that compromise PCs with malicious software. Use PhishMe Intelligence™ to identify when users go to credential phishing sites or their machines exhibit indicators of compromise with malware.
- Enable two-factor authentication on all employee accounts.
- Once a credential phishing message is detected:
  - Delete other related messages received within your enterprise
  - Check perimeter devices for connections to the phishing URL
  - Adjust controls to block similar messages by the URL and its host and/or domain, by the subject line, and/or by the sending IP address
- For employees who fell victim to a credential phish, force password resets and provide additional training about phishing attacks. Consult Microsoft’s technical support pages “How to determine whether your Office 365 account has been compromised” and “How to fix a compromised (hacked) Microsoft Office 365 account”.
Recently, PhishMe® recorded suspicious messages that spoofed bnm.gov.my, the domain for the central bank of Malaysia, Bank Negara. The emails concerned a funds transfer.
Figure 1 Initial phishing message
Red Flags Right Away
The spoofed sending address belongs to a U.S.-based employee account on a high-reputation .ORG domain. (Red Flag number 1: The friendly portion of sender name does not match the email address.) Addresses on .ORG and addresses on university (.EDU) domains are frequently used to bypass spam filters that are set to allow messages through only when they appear to be coming from a sending domain with a good reputation.
However, the email headers reveal that the messages originated from the Chinese IP addresses 113.0.71[.]105 (Unicom) and 183.166.66[.]188 (Chinanet).
The brief message suggested that the recipient view the attached Word document. (Red Flag number 2: The recipient is not expecting a file from this sender.) But the attached document delivered a URL shortener link to verify an account credit over $10,000. (Red Flag number 3: We know that phishers try to appeal to our emotions, including greed.)
Figure 2 PDF document attached to the phishing message
Which Bogus Site Would You Prefer?
Because the URL was shortened using the Bit.ly service, some brief statistics are publicly available. They reveal over 8,000 clicks on the link since it was established on October 23rd at approximately 3pm Malaysia Time, about 3.5 hours before the phishing messages were sent.
Figure 3 Statistics viewable at hxxps://bit[.]ly/2z0apph+
Oddly, less than 5% of the clicks recorded by Bit.ly were made by Malaysians, and about one-fourth of the clicks were made in the Czech Republic.
The link led to a landing page (see Figure 4 below) on the compromised domain polymaxtpe[.]com that spoofs the central bank of Malaysia and allows the victim to click on their preferred bank. This is what some researchers call an all-in-one phish.
Figure 4 Landing page of the phishing scam
Each of the bank links initially led to customized phishing pages on the domain techliveassist[.]com, but later redirected to pages on the compromised domain missmmarketing[.]com[.]au, like the one below for victims who select the Standard Chartered link.
Figure 5 Standard Chartered branch of larger scam impersonating several banks with users in Malaysia
Just the Latest in a Series of Malaysian Banking Scams
This is not the first time we have seen such an all-in-one phish that apparently targets Malaysians with links to several phishing pages for various banks with a presence in Malaysia. The bank selection this time included Affin Bank Berhad, Agro Bank, Alliance Bank, AmBank, Bank Islam, Bank Rakyat, CIMB Bank, Citi, Hong Leong Bank, Bank Muamalat, Kuwait Finance House, Maybank, OCBC Bank, Public Bank Berhad, RHB Bank, Standard Chartered, and United Overseas Bank.
PhishMe analysts recorded every step for one of the banks and noted that the criminals are collecting several pieces of personally identifiable information (PII), including online banking username and password, date of birth, mobile phone number, the concurrently-generated one-time PIN, and email address. The final step warns the victim not to try to log in for the next 24 hours while the database is being updated.
Banks whose customers are being targeted by these phish can examine their logs for attempts to access multiple bank accounts online from one IP address in a short time frame. Enterprises can check logs to identify whether employees may have visited these phishing sites by looking for connections to the hosts previously mentioned and to the URLs of the 17 bank logos.
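The bank-side check described above, sketched as an added example (not PhishMe's code): a sliding window over login records that flags any source IP touching several distinct accounts within a short time. The log format, IP addresses, account names, window and threshold are all assumptions chosen for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format: timestamp, source IP, account, result.
SAMPLE_LOG = """\
2017-10-23T18:40:02 203.0.113.7 user=acct-1001 result=OK
2017-10-23T18:41:15 203.0.113.7 user=acct-2002 result=OK
2017-10-23T18:43:40 203.0.113.7 user=acct-3003 result=FAIL
2017-10-23T18:46:09 203.0.113.7 user=acct-4004 result=OK
2017-10-23T18:41:00 198.51.100.20 user=acct-5005 result=FAIL
2017-10-23T18:41:30 198.51.100.20 user=acct-5005 result=FAIL
2017-10-23T18:42:10 198.51.100.20 user=acct-5005 result=OK
2017-10-23T09:00:00 192.0.2.33 user=acct-6006 result=OK
2017-10-23T13:30:00 192.0.2.33 user=acct-7007 result=OK
2017-10-23T20:15:00 192.0.2.33 user=acct-8008 result=OK
"""


def parse_line(line):
    """Split one record into (timestamp, ip, account, result)."""
    ts, ip, user, result = line.split()
    return (datetime.fromisoformat(ts), ip,
            user.split("=", 1)[1], result.split("=", 1)[1])


def multi_account_sources(lines, window=timedelta(minutes=10), threshold=3):
    """Return {ip: most distinct accounts seen inside any window} for IPs at or over threshold.

    Successful and failed attempts both count: a phisher replaying stolen
    credentials will mostly succeed, so failures alone would miss them.
    """
    recent = defaultdict(deque)  # ip -> (timestamp, account) pairs still inside the window
    flagged = {}
    records = sorted(parse_line(line) for line in lines if line.strip())
    for ts, ip, account, _result in records:
        queue = recent[ip]
        queue.append((ts, account))
        while ts - queue[0][0] > window:
            queue.popleft()  # expire attempts older than the window
        distinct = len({acct for _, acct in queue})
        if distinct >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


if __name__ == "__main__":
    for ip, count in multi_account_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} distinct accounts within 10 minutes")
```

The single-account retries from 198.51.100.20 and the widely spaced logins from 192.0.2.33 are not flagged; shared egress addresses such as carrier NAT or corporate proxies can still exceed the threshold legitimately, so tune it against normal traffic.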
 “BNM.docx” MD5 hash value: 43e6ec275168125ce334a253831316d6
 In dynamically-generated directories under hxxp://polymaxtpe[.]com/LNcNFsKg
 In bank-specific directories under hxxps://www.techliveassist[.]com/NXYu3qQR This domain also hosted an Apple phish three days prior. The Apple phish was reached from a redirector on the host www.clubrougeva[.]com.
 In bank-specific directories under hxxps://missmmarketing[.]com[.]au/wip/mLwMY8uM This domain also hosted a Wells Fargo phish four days prior.
 Bank logo URLs:
Recently, CNBC reported on phishing scams in real estate, following up with an interview of PhishMe® CEO and Co-founder Rohyt Belani. Real estate is a bullseye for enterprising phishers. Often, the scammer is attempting wire fraud, trying to induce someone to make an electronic transfer of funds.
Cybercriminals continue to successfully hack and spoof emails to impersonate supervisors, CEOs, and suppliers and then request seemingly legitimate business payments. Because the emails look authentic and seem to come from known authority figures, many employees comply. But later they discover they’ve been tricked into wiring money or depositing checks into criminals’ bank accounts.
It’s easy to believe that phishing only happens to people who aren’t smart enough to detect it. This simply isn’t true. As the tech-savvy developers at software company a9t9 have indicated in their statement about a phishing incident last week, even smart developers can be fooled with a phish.
As reported by Tripwire, a Chrome plugin developer fell for a phishing attack that allowed the threat actor to take control of a9t9’s account in the Chrome Store. This means that the Copyfish plugin built by a9t9 was no longer under its control. Meanwhile, the plugin has already been used to “insert ads/spam into websites” according to the statement by a9t9.
The original phishing message that lured the developer carried a link on the URL shortening service called Bit.ly. As Tripwire explained, the victim did not notice the odd link because he was viewing the message in webmail. However, in the screenshot of the message in its text format, the Bit.ly link is clearly visible. One of the great features of Bit.ly for those creating “bitlinks” is that you can view statistics about the locations and user agents of who clicks on your link. Others can also see a few stats by appending a plus (+) sign to the end of the URL. Below is what we saw when we did this:
The stats tell us that the bitlink was created on July 28th and leads to a URL on rdr11.top, a domain first registered on that same day via NameCheap but under privacy protection. Once the victim clicked on the link, he was redirected to the rdr11.top URL which itself then redirected to a URL on chrome-extensions.top, to the page seen below:
The domain chrome-extensions.top was also registered via NameCheap using privacy protection on July 28th.
The rdr11.top and chrome-extensions.top hosts resolve to Saint Petersburg, Russia, IP address 220.127.116.11, part of a /23 net block owned by Moscow Selectel Service.
Also known to have resolved to 18.104.22.168 is the domain chrome-extensions.pro, registered July 21st with NameCheap, using privacy protection.
A third resolution to the same IP, 22.214.171.124, was the phishy-sounding domain cloudflaresupport.site, also registered via NameCheap under privacy protection, on July 18th. A similar domain, cloudflaresupport.info, was registered with NameCheap on June 21st and even used the Cloudflare service for phishing Cloudflare accounts, but it is now under Cloudflare’s control. See the tweet below that included screenshots of the phishing message and spoofed Cloudflare login page:
— Lawrence Abrams (@LawrenceAbrams) June 21, 2017
In the comments on that tweet are screenshots showing further redirection to a Google login phishing page on webstoresupport.top, registered with NameCheap using privacy protection on June 20th. Other comments reveal that on June 21st Cloudflare actively engaged FreshDesk, the customer support ticketing service being used by the threat actor to send the phishing messages. However, a9t9’s statement mentions that FreshDesk was still being used on July 28th when the a9t9 developer was lured in by a phishing email message.
There are some lessons that can be learned about two-factor authentication for such important accounts as your Chrome Store or Cloudflare logins; however, the main issue here is that the victim was not even thinking about the possibility of phishing while responding to his email messages. Phishing, now commonly used against all types of accounts and for increasingly creative purposes, is known to be the number one way that attackers breach our critical processes, steal our intellectual property, and bring businesses to a screeching halt. We can also thank a9t9 for owning up to its mistakes so that we can all learn from them. Their share helps us to connect the dots and discover more about the phisher and his methods and infrastructure.
You can use PhishMe to make sure your employees know how to recognize, report, and respond to these growing threats.
Almost three months have passed since I last updated you on the Business Email Compromise scam, also known as the CEO Fraud scam. Though the volume of these attacks remains high, the information security community has continued to collaborate well regarding this type of fraud, preempting the transfer of millions of dollars and identifying numerous mules in control of bank accounts around the world.
Just last week, yet another phisher tried to phish PhishMe. Our CTO, Aaron Higbee, reported on early attempts in September 2015 when he also described the use of PhishMe Reporter to phish-back and collect details of the phisher’s IP address and user-agent.
Since that time, we have seen repeated attempts against our CFO, Sam Hahn, where he receives messages impersonating our CEO, Rohyt Belani. These messages seek to engage Sam in an exchange regarding an urgent request to make a wire transfer. Of course, such wires would be fraudulent, but, amazingly, the phish-back technique almost always works. It has resulted in the identification of as many as five mule accounts at five different banks for one potential transaction.
With this latest attempt against PhishMe, the phisher has apparently used social media and/or search engine results to identify the name and email address of a staff accountant who reports to Sam Hahn, bypassing Sam’s renowned phish-spotting skills. But the phisher’s email message landed with another trained reporter at PhishMe, who submitted the message as Suspicious, using the PhishMe Reporter button. The report fed into our internal PhishMe Triage where we could quickly see that the accountant has a high Reputation Score, indicating that she is good at spotting truly-suspicious messages. We knew that we should have a look right away at her report, shown in Figure 1 below. The subject line of the message was the accountant’s first name, and the salutation included her first name.
Figure 1 Initial message from BEC phisher
Then our incident response plan kicked in, and we asked the accountant to reply with an offer to help. As seen in Figure 2 below, the phisher responded right away with his plea for money to cover a secret international acquisition. (Ah! The Intrigue!)
Figure 2 BEC phisher makes plea for a wire transfer
In her response to that second message, our astute accountant indicated that she would need someone else to sign off on the wire transfer, “since it is an international wire.” She actually copied our incident response team, which later provided a wire “confirmation link” to the phisher. Figure 3 below shows the third message from the phisher, where he sent wire instructions to the accountant.
Figure 3 The BEC phisher sends wire transfer instructions
Once the mule account was revealed, it was reported to the bank, and our accountant’s associate sent a “confirmation link” that, when clicked by the phisher, revealed the phisher’s physical location. From the phisher’s point of view, the link re-directed to the login page for the bank hosting the mule account.
The phisher must have been convinced that the wire transfer had been made because the next morning, twenty hours after the initial request, he came back for more. In Figure 4 below, you can see where he hit up our accountant’s associate (really, our incident response team member) for a double dip.
Figure 4 The BEC phisher returns the next day to request more money
The final part of that thread included instructions for a $165,590 wire, details of an account at a second bank, and a request for a confirmation.
Beyond reporting this to the U.S. government’s Internet Crime Complaint Center at www.ic3.gov, our researchers wanted to dig deeper and document this phisher’s other activity. It turns out that the lookalike domain name phislhme.com was registered at 1&1 Internet SE on December 15th – the same day as the first spam message to PhishMe – using the email address firstname.lastname@example.org. When we initially looked into whether that same email address had been used to register other domain names, we found 69 other domain names, all registered within the previous week and all seeming to be misspellings of domain names in use by real companies.
We took the list of domain names and guessed at which real company each domain was meant to imitate. We then notified the administrative contacts of record for those legitimate domain names. Though there was a handful of bounced messages, four companies replied with appreciation, and, so far, one has responded that their company had also received a BEC phishing email.
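The matching step described above was done by hand; the added example below (not PhishMe's tooling) shows how it could be automated by pairing each observed domain with the protected domain it most closely resembles, using an edit distance that also counts adjacent-letter swaps. Only phislhme.com and phishme.com come from this post; the other domains and the distance threshold are constructed assumptions.

```python
def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1,         # deletion
                         cur[j - 1] + 1,      # insertion
                         prev[j - 1] + cost)  # substitution or match
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent transposition
        prev2, prev = prev, cur
    return prev[len(b)]


def match_lookalikes(observed, protected, max_distance=2):
    """Map each observed domain to (protected domain it imitates, distance)."""
    results = {}
    for domain in observed:
        domain = domain.lower().rstrip(".")
        if domain in protected:
            continue  # exact match is the real domain, not a lookalike
        best = min(protected, key=lambda p: osa_distance(domain, p))
        distance = osa_distance(domain, best)
        if distance <= max_distance:
            results[domain] = (best, distance)
    return results


# Domains to protect: the first is from the post, the second is constructed.
PROTECTED = ["phishme.com", "example-bank.com"]

# Observed sender or newly registered domains (constructed except phislhme.com).
OBSERVED = ["phislhme.com", "exmaple-bank.com", "phishme.com", "unrelated.org"]

if __name__ == "__main__":
    for lookalike, (real, dist) in match_lookalikes(OBSERVED, PROTECTED).items():
        print(f"{lookalike} imitates {real} (distance {dist})")
```

Run against inbound sender domains at the mail gateway, the same comparison catches a message from a one-letter-off domain before anyone has to spot it by eye.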
We checked back again this week to see how many domain names have been registered with 1&1 by this threat actor, and now there is a total of 156 domains. We notified 1&1 on December 19th and requested that all the names be de-activated. (see list at this link)
Though the song remains the same, phishers are constantly evolving their tactics to lead to more success. In this recent attack, the phisher did not use the word “urgent” or “wire” in the subject line of the email message. He also opted not to try for the CFO again; he likely found our accountant’s name and email address online and contacted her instead, possibly in hopes that she would feel a sense of urgency to which our CFO has become inured. Then, when we saw the plea for money, we knew a bit more about why the phisher may have opted to avoid our CFO—it was a secret deal that only the “CEO” could know about.
We also want you to understand that this does not just affect large companies. Because this scam has been going on for years, some of the larger targets have already been hit, and some have learned very hard lessons. And with over 150 companies of all sizes spoofed by this one phisher and almost a full day between the two wire requests we received, we think this phisher is very busy.
PhishMe also wants everyone to understand how simple but effective these scams can be. Learn how to spot them, and make sure your employees are great reporters. Your staff needs to know that raising a red flag to the appropriate team can make all the difference in the world to your company, preventing the loss of hundreds of thousands of dollars and helping us stamp out this fraud.