Cisco IronportBy Ashley Tran, Cofense Phishing Defense Center
The Cofense Phishing Defense Center (PDC) team has identified a phishing campaign that attempts to harvest Webex credentials. This is not the first time we have seen an active Webex campaign, however, as we have noted before. It is actually an attack method that became increasingly common as non-essential workers were pushed into remote working conditions due to the pandemic. The previous Webex phish utilized implications of vulnerabilities and SSL certificate fixes for Webex, but this one takes a more subtle approach: acting as a Webex event invite.
Figure 1: Email Body
The email shown in Figure 1 looks like a relatively normal Webex event invite at a glance. This email is a simple Webex invite that anyone who uses Webex may be accustomed to. This invite says that the user has been invited to the event “Leadership&Muscles,” the host is “Online Leader” and, although it is vague, the mentions of “Leadership” and “Online Leader” may have most users determine this has to do with work and – without typical phishing language urging them to join – many may not feel so threatened; they may opt to join the meeting out of curiosity.
And should a user think to hover-check the button to “join a meeting,” the URL that will show as a preview will be: hxxp://idbrokerwebex[.]com
Despite the threat actor’s attempts to make this email seem legitimate, however, the subject of the email already appears off compared to what is seen in the body – a Portuguese subject paired with an English body? If that does not reveal the true nature of this email then the threat actor’s carelessness with the From and Sender fields will. Although it is obvious there was an attempt to make the email appear as though it is coming from Webex with the inclusion of “[email protected],” the real sender email is next to it: americacentral02[@]eliteddi[.]com.
Looking into the domain eliteddi.com, we can see that it was recently registered, as seen in Figure 2.
Figure 2: Domain Registration Information for eliteddi.com
This was perhaps done in a bid to give themselves a domain to use for sending emails. When utilizing their own registered domains, this gives the threat actor a legitimate DKIM, SPF and DMARC to bypass resources. This domain was presumably also used as practice in setting up this attack because, as noted in Figure 3, the domain is also the host to the same Webex phish. Because the domain eliteddi[.]com is not part of the actual email itself, and isn’t actually a part that a user would typically interact with, it can be assumed that this domain was part of the threat actor’s practice attempt before launching this attack.
Figure 3: Webex phish found on the sender domain eliteddi[.]com
Taking a look at the URL found embedded into the email itself we can see that this URL looks much more legitimate than the one seen in the threat actor’s practice attempts. This fraudulent domain was also recently registered according to information found on its corresponding WhoIs record, as seen in Figure 4.
Figure 4: Domain information for idbrokerwebex[.]com
One thing to note for this fraudulent domain is that the threat actor has tried to mimic a real Webex URL, one that is typically just a quick redirect when logging into Webex Teams, but would still be a familiar site to users. The small difference between the legitimate and the phishing URLs, though, is a simple “.” separating idbroker from webex – a small mistaken mistype of a user trying to get to this domain can lead to a huge mistake in this case.
The phish itself can be noted in Figure 2.
Figure 5-6: Phishing Page
The Webex phish similar to this has utilized the same template when phishing for credentials, essentially a perfect copy of Webex’s login page. This page does not have any noticeable flaws in grammar anywhere or weird formatting. In fact, even the URL in the address bar does not give anything away immediately should a user glance at it for any sort of validation.
Compared to the phishing page seen hosted on the threat actor’s “practice” domain noted above, this one actually has a certificate for the site that, in turn, adds a lock in the address bar which, to most, indicates that a site is “secure.” This is a relatively common addition, especially with the use of website builders that give creators a certificate to work with. However, as noted numerous times in other blogs, threat actors are using that perception to trick users into trusting their phishing attacks.
The second step of this attack can be noted in Figures 7-8. This step acts more as a distraction mechanism, as the page looks like any other Webex event registration page. Here the user would input any amount of information as long as the fields are required, then move on to the final confirmation page. While this page is more than likely just an attempt to put any suspicions the user had initially to rest, this page also has the potential to garner more information about the user.
Figure 7-8: “Event” Registration
Indicators of Compromise