“Phish Found in Environments Protected by SEGs” Microsoft EOP, FireEye, Proofpoint
By Elmer Hernandez, Cofense Phishing Defense Center
The Phishing Defense Center (PDC) has recently encountered persistent efforts from threat actors against German banking users. Our analysts have been tracking these campaigns over the last couple of weeks and encountered everything from FeedBurner abuse to the use of QR codes to deceive users and steal digital banking information. Two main financial institutions have been particularly targeted: Sparkasse and Volksbanken Raiffeisenbanken.
The pretences used in the emails vary, from supposed messages waiting in a user’s electronic mailbox (Figure 1) to requests for consent to changes implemented by the bank, or requests that users familiarize themselves with new security procedures (Figure 2). The end goal in every case is the same: lure users into logging in to the banking website and handing their credentials to the attackers.
Figure 1 – Sparkasse email 1
Figure 2 – Sparkasse email 2
Delivery tactics were just as varied. Most common was the use of compromised domains both as redirection URLs and as phishing sites. Attackers were also observed abusing Google’s feed proxy service, FeedBurner, for redirection, as seen in Figures 3 and 4. More recently, however, attackers have been registering their own custom domains for both redirection and the final landing site. If the user’s location is not in Germany, they are redirected to a different page (Figure 5).
Figure 3 – Volksbanken Raiffeisenbanken email with FeedBurner redirect
Figure 4 – FeedBurner redirect to Malicious Site
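The redirect-chain pattern described above (a link through Google’s feed proxy, via a compromised site, to an attacker-controlled landing page that is not the bank’s own domain) is what a triage script should surface. The following is an added example written for this post, not Cofense’s tooling. It assumes `feedproxy.google.com` and `feeds.feedburner.com` as the FeedBurner redirect hosts, `sparkasse.de` and `vr.de` as the banks’ legitimate domains (verify these against the banks’ published information), and replaces live HTTP redirects with a constructed map so it runs offline; all `.example` hostnames and the email body are constructed.

```python
import re
from urllib.parse import urlparse

# Hosts FeedBurner historically served redirect links from (the feed proxy
# service the post describes being abused for redirection).
REDIRECTOR_HOSTS = {"feedproxy.google.com", "feeds.feedburner.com"}

# Legitimate domains of the two brands named in the post. Assumption: a
# starting point only; confirm against the banks' own published domains.
BRAND_DOMAINS = {
    "sparkasse": {"sparkasse.de"},
    "volksbank": {"vr.de"},
}

# Constructed stand-in for live HTTP 3xx responses so the example runs
# offline. In practice this is built by following the chain (e.g. HEAD
# requests with automatic redirects disabled) from an isolated sandbox.
REDIRECT_MAP = {
    "http://feedproxy.google.com/~r/newsletter-x/":
        "http://blog.compromised-site.example/wp-content/sp/",
    "http://blog.compromised-site.example/wp-content/sp/":
        "https://sparkasse-kundenservice.example/login",
}

# Constructed sample email body in the style of the Figure 1 lure.
EMAIL_BODY = (
    "Sehr geehrter Kunde, eine neue Nachricht wartet in Ihrem Postfach. "
    "Bitte melden Sie sich an: http://feedproxy.google.com/~r/newsletter-x/ "
    "Ihre Sparkasse"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Return every http(s) URL found in an email body, in order."""
    return URL_RE.findall(text)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def resolve_chain(url, redirect_map, max_hops=10):
    """Follow redirects through the map; stop on loop, dead end or hop limit."""
    chain = [url]
    seen = {url}
    while chain[-1] in redirect_map and len(chain) <= max_hops:
        nxt = redirect_map[chain[-1]]
        if nxt in seen:  # redirect loop: do not spin forever
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def assess(brand, chain):
    """Findings for a resolved link chain in a message claiming to be `brand`."""
    findings = []
    hosts = [host_of(u) for u in chain]
    if any(h in REDIRECTOR_HOSTS for h in hosts):
        findings.append("feed_proxy_redirect")
    final = hosts[-1]
    if not any(under_domain(final, d) for d in BRAND_DOMAINS[brand]):
        findings.append("landing_off_brand")
        if brand in final:  # brand name used in a non-brand hostname
            findings.append("lookalike_domain")
    if len(set(hosts)) > 1:
        findings.append("multi_host_chain")
    return findings


def triage_email(brand, body, redirect_map=REDIRECT_MAP):
    """Map each URL in the body to its resolved chain and findings."""
    report = {}
    for url in extract_urls(body):
        chain = resolve_chain(url, redirect_map)
        report[url] = {"chain": chain, "findings": assess(brand, chain)}
    return report


if __name__ == "__main__":
    for url, info in triage_email("sparkasse", EMAIL_BODY).items():
        print(url)
        print("  chain:   ", " -> ".join(info["chain"]))
        print("  findings:", info["findings"])
```

A link that resolves to a host under the brand’s own domain in one hop produces no findings; the FeedBurner chain above is flagged on every check. The geo-dependent redirect the post mentions (non-German visitors sent elsewhere) means the chain observed from a sandbox can differ from what the victim sees, so resolving from a German egress point, or recording the response per source region, is worth building into the live resolver.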