By: Kian Buckley Maher, Cofense Phishing Defense Center
The Phishing Defense Center (PDC) has observed an increase in the number of invoice impersonation phish reported by well-conditioned users. They imitate legitimate system login pages for invoice processing with the goal of harvesting credentials from unsuspecting users. These emails utilize vague language and generic email styles to push the user toward navigating to the malicious link provided to review the request.
This type of phish is becoming increasingly common as its use of simplistic language, generic email formats and color schemes help it avoid detection by secure email gateway (SEGs). These tactics also increase the likelihood that the user will interact through the entire phishing process which is kept as generic as possible.
Because invoicing systems can be so varied in their email format and content, these emails don’t change significantly from recipient to recipient. The goal is for the suspicious email to replicate internal processes to a point that it becomes highly unlikely the affected users will be able to determine that they are interacting with a non-legitimate request.
As we can see, the email itself is very generic. It uses phrases such as, “You have received an Invoice,” “View Document” and “Generated by Accounting,” all of which would also appear in legitimate invoice-review requests. As such, they’re not likely to raise suspicion. The color scheme follows what would commonly be seen in official automated update emails generated from invoicing systems, furthering the malicious actors’ chances of successfully engaging the recipient.
Figure 1: Email Body
The landing page seen after moving past the email is a similarly basic webpage, once again staying as generic as possible in its design.
The URL should be another red flag:
These URLs should be seen as suspicious but, in relation to internal verification systems, it’s common to see a URL that utilizes an IP that occupies one of the internal IP ranges. To an untrained user, the distinction is less apparent. Additional education should be provided to ensure that such a potential red flag is recognized.
A text message informs the user that they have been logged out, possibly due to a time-out or other security protocol. The site itself is cleanly designed, and its simplicity allows a user to enter their credentials without particular reservations.
While this page does not contain branding that would generally be seen in most internal credential-verification systems, its style is plain enough that – with a large enough campaign – it will hit on common points seen in many companies’ systems.
Figure 2: Phishing Landing Page
Generic attacks such as this one are designed to take advantage of gaps in SEGs and lure users into a false sense of security through unremarkable branding, colors and text in their primary attack vectors. In addition, these generic styles allow threat actors to adapt their campaign to business processes familiar to users.
As these can be so difficult to prevent via traditional means, a combination of improved education about true internal systems standards and procedures, and an effective use of the Cofense suite of phishing defense and response products allows for effective prevention and remediation with these types of attacks.
|Indicators of Compromise|