Phishing Campaign Exploits Housing Boom

By Max Gannon, Brad Haas

Exceptionally high demand in the housing market has created the opportunity for a timely new lure in a credential phishing campaign. Emails in this campaign reached users in a variety of sectors and arrived in environments protected by several different secure email gateways (SEGs). The emails purport to contain a link to home purchase closing documents from First American, a company whose services include real estate title and settlement. If users click the embedded links, they arrive at phishing pages attempting to steal Office 365 credentials.

As shown in Figure 1, the threat actors paid great attention to detail in the emails, with authentic-looking subject lines, formatting and signature blocks.

Figure 1: One of the emails spoofing First American in these campaigns.

The links in the messages led to one of several different credential phishing pages. One of these was a simple login screen (Figure 2) designed to mimic the real First American login page (Figure 3), but with a simple text line instructing users to enter their Office 365 credentials.

Figure 2: A phishing page closely resembling the real login page.

Figure 3: The real First American login page.

Another page simulates a document-sharing service displaying the first page of a commitment for title insurance (Figure 4) for several seconds. If the user attempts to go any further in the document, they are prompted to enter their email address (Figure 5); they are then taken to a fake Microsoft login screen and prompted to enter their password (Figure 6).

Figure 4: A fake document title page.

Figure 5: The login dialog on the fake document.

Figure 6: The fake Microsoft login page displayed if a user tries to unlock the document.

Two other variations (Figures 7 and 8) appear to be login pages, again prompting for Office 365 login information.

Figure 7: An imitation of a different First American login page.

Figure 8: Another fake login page seeking Office credentials.

In all cases, the pages incorporate convincing styles and effects to appear genuine. Users probably have not interacted with the real First American pages very often, so the high level of detail is even more likely to deceive them. The campaign demonstrates how threat actors can create realistic lures and phishing pages combined with timely topics to increase the effectiveness of their attacks.

As this campaign demonstrates, threat actors will use every means at their disposal – and go to great lengths – to infiltrate inboxes in ways that email filters and costly frontline technologies can’t prevent. A last line of defense, a network of human sensors reporting on phish found in environments protected by SEGs, can save enterprises time and the enormous costs associated with attacks built to subvert traditional technical controls. Cofense’s Managed Phishing Detection and Response platform is equipped to provide enterprises with a clear view of attacks like these, and ways to quickly mitigate them. Contact us to learn more, and to get started.

Network IOC
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.