Proofpoint By Ala Dabat, Cofense Phishing Defense Center
The Cofense Phishing Defense Center (PDC) team has seen the continued exploitation of the current COVID–19 health crisis as an effective attack vector across all industries.
A common theme seen is the use of cloned Dropbox landing pages requesting that users log in via well-known email service providers in order to view “important” documentation relating to COVID–19.
One such instance had escaped Proofpoint’s secure email gateway (SEG), having bypassed spam filtering due to the benign appearance of the email, and the lack of spammy characteristics. Also bypassed were Microsoft’s EOP and ATP.
Figure 1 – Original body of the email urging the target to download urgent information relating to COVID–19
The origin of the email appears to be a legitimate sender. It passed SPF checks, which also helped the email appear legitimate. It is likely that the campaign was launched from a compromised email account and that is why it was able to bypass SPF checks. Despite the message failing DKIM checks due to a difference of the value stored in the DKIM’s txt record bh=, it was not enough to raise any red flags because of the weighted system used to verify whether the email was malicious.
As per the email headers we can see that the email did not contain enough spammy characteristics to meet the threshold required by Proofpoint’s Secure Email Gateway (SEG) to be categorised as being malicious.
Figure 2 – Email originated from a legitimate sender and passed SPF record checks
Microsoft’s EOP and ATP also miscategorized this email due to the lack of spammy characteristics and gave it a spam score of 0:
Figure 3 – Microsoft EOP spam score of 0
Once the target has clicked on the link, they are redirected to a landing page masquerading as Dropbox using original logos and fonts to fool the target.
Figure 4 – a Dropbox themed landing page with convincing logos and fonts
The target is then prompted to authenticate against several email service providers to access the document. This method of Phishing widens the net for the attacker to harvest more credentials.
Figure 5 – Login page for Gmail
Figure 6 - Fraudulent login page for Yahoo
Once the target has entered their credentials using one of the login options, their credentials are sent to a database via HTTP POST to a PHP script, which then stores all the credentials that have been harvested by the attacker. Although this attack is not as technically sophisticated as other more targeted attacks, it exploits a number of key vulnerabilities:
- Exploits the COVID–19 pandemic
- Uses aesthetics that look and feel convincing to the target
- Bypasses spam filtering by limiting the characteristics of the email body that would be considered spammy by most spam filters
Once the target has entered their credentials, they are redirected to a legitimate landing page owned by Accenture, and then to a document that is completely unrelated to the COVID–19 crisis.
Figure 7 – Landing page targets are redirected to after they authenticate