Products
Products
Detection
Response
Intelligence
About Cofense
About Cofense
Leadership
Free Tools
Free Tools
Build Resilience
Create Transparency
Speed Response

Welcome to the Cofense Blog

Get the latest information on phishing threats and trends, BEC, ransomware and credential phishing, plus Cofense product updates.

Follow us on Social Media

Can genericization become a credential-theft threat? Beware of phish in plain email wrappers.

By: Kian Buckley Maher, Cofense Phishing Defense Center

The Phishing Defense Center (PDC) has observed an increase in the number of invoice impersonation phish reported by well-conditioned users. They imitate legitimate system login pages for invoice processing with the goal of harvesting credentials from unsuspecting users. These emails utilize vague language and generic email styles to push the user toward navigating to the malicious link provided to review the request.

This type of phish is becoming increasingly common as its use of simplistic language, generic email formats and color schemes help it avoid detection by secure email gateway (SEGs). These tactics also increase the likelihood that the user will interact through the entire phishing process which is kept as generic as possible.

Because invoicing systems can be so varied in their email format and content, these emails don’t change significantly from recipient to recipient. The goal is for the suspicious email to replicate internal processes to a point that it becomes highly unlikely the affected users will be able to determine that they are interacting with a non-legitimate request.

As we can see, the email itself is very generic. It uses phrases such as, “You have received an Invoice,” “View Document” and “Generated by Accounting,” all of which would also appear in legitimate invoice-review requests. As such, they’re not likely to raise suspicion. The color scheme follows what would commonly be seen in official automated update emails generated from invoicing systems, furthering the malicious actors’ chances of successfully engaging the recipient.

Figure 1: Email Body

The landing page seen after moving past the email is a similarly basic webpage, once again staying as generic as possible in its design.

The URL should be another red flag:

hXXp:/ /50[.]87[.]194[.]137/

These URLs should be seen as suspicious but, in relation to internal verification systems, it’s common to see a URL that utilizes an IP that occupies one of the internal IP ranges. To an untrained user, the distinction is less apparent. Additional education should be provided to ensure that such a potential red flag is recognized.

A text message informs the user that they have been logged out, possibly due to a time-out or other security protocol. The site itself is cleanly designed, and its simplicity allows a user to enter their credentials without particular reservations.

While this page does not contain branding that would generally be seen in most internal credential-verification systems, its style is plain enough that – with a large enough campaign – it will hit on common points seen in many companies’ systems.

Figure 2: Phishing Landing Page

Generic attacks such as this one are designed to take advantage of gaps in SEGs and lure users into a false sense of security through unremarkable branding, colors and text in their primary attack vectors. In addition, these generic styles allow threat actors to adapt their campaign to business processes familiar to users.

As these can be so difficult to prevent via traditional means, a combination of improved education about true internal systems standards and procedures, and an effective use of the Cofense suite of phishing defense and response products allows for effective prevention and remediation with these types of attacks.

Indicators of Compromise
hXXp:/ /50[.]87[.]194[.]137/
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.