Bah HumBUG: 5 Recent Holiday Phishing Samples You Need to Watch Out For

Along with more online shopping, correspondence, and travel, the holiday season sees an increase in phishing operators eager to capitalize on a more-active attack surface. With Thanksgiving tomorrow, Cofense Intelligence and the Cofense Phishing Defense Center have seen a bombardment of Thanksgiving-themed phishing lures this week. Threat actors use this inundation of emails to their advantage—hoping to trick anyone looking for a good deal or eager to partake in the season’s merriment.

These phishing emails come in variations with links or attachments, but they generally aim to steal banking information, login credentials, or other sensitive data. Phishers like their campaigns to look like something the end user might be expecting. During the holidays, subject-line lures mention online shopping, e-gift cards, discounts, event invites, and order shipments. Spoofing well-known brands is another common technique for making emails seem legitimate.

Here are 5 examples of holiday phishing identified by our Cofense Intelligence™ analysts, who personally vet each active threat reported, and the Cofense Phishing Defense Center, a team of analysts who leverage Cofense Triage™ to stop phishing attacks in their tracks for our customers.

Figure 1 shows one of several Thanksgiving-themed phishing emails. This campaign has sent tens of thousands of variants this week, each weaponized to deliver the Geodo/Emotet banking trojan [1].

Figure 1 shows one of many Thanksgiving-themed phishing emails we analyzed, this one with a malicious .DOC attachment containing a macro.

The second example uses a popular e-gift card lure with a link in the body of the email. The link downloads a Microsoft Word document weaponized with an Office macro. Once executed, the macro drops and runs a sample of, once again, the Geodo/Emotet banking trojan [2].

Figure 2 shows the holiday themed email with a malicious link.

Figure 3 depicts a holiday discount email (this one is from Easter, but the tactic works for any holiday) that uses an attachment-based lure. The attached Microsoft Word document contains a malicious Office macro that drops and executes a sample of the Neverquest banking trojan [3] as well as a sample of the Chanitor malware [4].

Figure 3 shows the holiday discount email with a malicious attachment.

Getting back to the winter holidays, Figure 4 shows a holiday party lure that plays to the victim’s sense of curiosity. Clicking on the form link leads to a credential phishing site.

Figure 4 shows the holiday party survey email with a malicious link.

Another common lure is the holiday order subject line. The narrative captures the curiosity of end users and entices them to interact. Figure 5 shows this lure in action along with a malicious attachment: a Microsoft Word document that uses Object Relationship Abuse to drop a sample of the NetWire Remote Access Trojan (RAT) [5].

Figure 5 shows the holiday order email with a malicious attachment.

These examples show that phishing operators don’t take the holidays off. In fact, the opposite is true. Holidays provide a ripe threat environment for phishing, so end users need to remain aware of these crafty and timely techniques to stay safe when sorting through their mountain of holiday emails.

Cofense can help. Cofense PhishMe™ offers phishing-simulation templates for each of the winter holiday scams illustrated above. Your employees can learn to spot and report phishing lures like Christmas orders, Thanksgiving e-cards, holiday gift cards, and Christmas parties.

Cofense Intelligence provides day-of reporting on active campaigns, and Intelligence customers can access this report and many more from our human-vetted Active Threat Reports in the Cofense Threat HQ customer portal. Intelligence customers consuming our threat feed have had a stream of these indicators flowing in this week.

Sample Thanksgiving phishing payloads (VirusTotal):

  1. https://www.virustotal.com/#/file/d7c516b3fa4f45fbb35b43ee47b4bf05642f2245d6d2232b0e0273b04b043cf3/detection
  2. https://www.virustotal.com/#/file/a287e0b750e47ef82feb0504a4a1e3a7b09c440212bbb422a5e477b1296478fd/detection

Helpful YARA rule for fingerprinting Emotet/Geodo Thanksgiving documents. Note that the rule keys on the Flat OPC (single-file XML) Word format these documents use rather than on the macro itself, so it will also match benign Flat OPC files; treat a hit as a reason to inspect the attachment, not as a conviction on its own:

/*
  Description:  Yara Rule for identifying emotet word docs with Macros
  Author: Darrel @ Cofense Intel
  Priority: 1
  Scope: Against Attachment
  Tags: office,word
  Created in Cofense Triage on November 19, 2018 11:49 PM
*/

rule PM_OOXML_Flat_Word_Document
{
  strings:
    // Flat OPC header: XML declaration followed by the Word progid processing instruction
    $flat_doc = /<\?xml version="\d{1,3}\.\d{1,2}" encoding="[^"]+" standalone="yes"\?>\s+<\?mso-application progid="word\.document"\?>/ nocase

  condition:
    all of them
}
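The following Python helper is an added example and is not code from the Cofense post or from Cofense Triage. It re-implements the rule's $flat_doc pattern so the match logic can be exercised outside YARA, and then goes one step further than the rule: it walks the pkg:part entries of the Flat OPC package and reports whether any of them is a VBA project (a vbaProject.bin part), which is the check a triage analyst actually wants before calling a hit malicious. The three sample inputs at the bottom are constructed for this example and are not the real Thanksgiving lures.

```python
"""Triage helper for Flat OPC (single-file XML) Word documents.

Added example, not code from the Cofense post. The constructed samples at the
bottom stand in for real attachments.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict

# Python equivalent of the YARA rule's $flat_doc regex (declared "nocase").
FLAT_DOC_RE = re.compile(
    r'<\?xml version="\d{1,3}\.\d{1,2}" encoding="[^"]+" standalone="yes"\?>'
    r'\s+<\?mso-application progid="word\.document"\?>',
    re.IGNORECASE,
)

# Namespace of the pkg:package / pkg:part wrapper used by Flat OPC files.
PKG_NS = "http://schemas.microsoft.com/office/2006/xmlPackage"
# Content type Word assigns to the vbaProject.bin part of a macro-enabled file.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def is_flat_opc_word(data: bytes) -> bool:
    """Same check as the YARA rule: XML declaration plus the Word progid PI."""
    head = data[:1024].decode("utf-8", errors="replace")
    return FLAT_DOC_RE.search(head) is not None


def list_parts(data: bytes) -> Dict[str, str]:
    """Map every pkg:part name in the package to its declared content type."""
    root = ET.fromstring(data)
    parts: Dict[str, str] = {}
    for part in root.iter(f"{{{PKG_NS}}}part"):
        name = part.get(f"{{{PKG_NS}}}name", "")
        parts[name] = part.get(f"{{{PKG_NS}}}contentType", "")
    return parts


def has_vba_project(parts: Dict[str, str]) -> bool:
    """True if any part is a VBA project, by content type or by part name."""
    return any(
        ctype == VBA_CONTENT_TYPE or name.lower().endswith("vbaproject.bin")
        for name, ctype in parts.items()
    )


def triage(data: bytes) -> Dict[str, object]:
    """Run the YARA-equivalent check first, then the deeper macro check.

    Input that is not Flat OPC (an OLE2 .doc, a zipped .docx) is reported as
    a miss without ever being parsed as XML.
    """
    result: Dict[str, object] = {"flat_opc_word": False, "vba_project": False, "parts": []}
    if not is_flat_opc_word(data):
        return result
    parts = list_parts(data)
    result["flat_opc_word"] = True
    result["parts"] = sorted(parts)
    result["vba_project"] = has_vba_project(parts)
    return result


# --- constructed samples (illustrative only, not real lure attachments) -----
_PKG_OPEN = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<?mso-application progid="Word.Document"?>\n'
    b'<pkg:package xmlns:pkg="http://schemas.microsoft.com/office/2006/xmlPackage">\n'
)
_BODY_PART = (
    b'<pkg:part pkg:name="/word/document.xml" '
    b'pkg:contentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml">'
    b'<pkg:xmlData><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    b'<w:body><w:p/></w:body></w:document></pkg:xmlData></pkg:part>\n'
)
# A real vbaProject.bin part carries the base64 OLE2 project; this is a short placeholder.
_VBA_PART = (
    b'<pkg:part pkg:name="/word/vbaProject.bin" '
    b'pkg:contentType="application/vnd.ms-office.vbaProject">'
    b'<pkg:binaryData>0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</pkg:binaryData></pkg:part>\n'
)
BENIGN_FLAT_DOC = _PKG_OPEN + _BODY_PART + b"</pkg:package>\n"
MACRO_FLAT_DOC = _PKG_OPEN + _BODY_PART + _VBA_PART + b"</pkg:package>\n"
# Leading bytes of an OLE2 compound file (legacy binary .doc): not Flat OPC at all.
OLE2_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_FLAT_DOC), ("macro", MACRO_FLAT_DOC), ("ole2", OLE2_DOC)):
        print(label, triage(sample))
```

Running the block prints one verdict per sample: both Flat OPC files satisfy the rule's pattern, but only the second carries a vbaProject.bin part, which is the distinction the YARA rule alone cannot make.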

Sample plain-text emails:

Subject: Thanksgiving eCard
Good Afternoon,
It’s a pleasure working with you. Happy Thanksgiving!
“Gratitude turns what we have into enough.” – Anonymous
File: Thanksgiving-Greeting-Card.doc

Subject: Congratulations on Thanksgiving Day
Good Morning,
Warm Thanksgiving wishes to our wonderful neighbors for happy little moments of gratitude this holiday season. Enjoy, share, remember!
“Thanksgiving after all, is a word of action.” – W.J. Cameron
File: Thanksgiving-Congratulation.doc

Subject: Congratulations on Thanksgiving Day
Good Morning,
Warm wishes for
A beautiful Thanksgiving season
With those you hold dear,
And may the joy
This day brings
Remain all through the year!
Greeting Card below.
“Celebrate the happiness that friends are always giving, make everyday a holiday in which you celebrate just living.” – Amanda Bradley
File: Thanksgiving-Greeting-eCard.doc

Subject: The Thanksgiving Day congratulation!
Morning,
God Bless you all on Thanksgiving day,
I hope all good things come your way.
Attachment: Greeting Card
“As we express our gratitude, we must never forget that the highest appreciation is not utter words, but to live by them.” – John F. Kennedy

Threat IDs and MD5 hashes of the attachments associated with each numbered reference above:

  1. PDC Report: 6912, MD5 hash 9c1d282f7c6e390f125c9917ac1c33e0
  2. Threat ID: 10535, MD5 hash 8786bfd6f656400b249ecf7a916781c5
  3. Threat ID: 3139, MD5 hash d5dcde27da872bb37cdb43177ab14385
  4. Threat ID: 3139, MD5 hash fc8fb7b95326ecb567eb0f0fe9f01a8b
  5. Threat ID: 15046, MD5 hash 53160b1472ec316aae364ae62e630daa

The following phishing templates are now available in Cofense PhishMe:

  • Christmas Order – NetWire Remote Access Trojan
  • Thanksgiving Day eCard – Geodo / Emotet
  • Holiday Gift Card – Geodo / Emotet
  • Christmas Party Survey


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.
