“Phish Found in Environments Protected by SEGs” Microsoft Symantec
By Abhiram Jayakumar, Cofense Phishing Defense Center
For the past many months, covid-themed phishing emails have convinced users to relinquish valuable credentials. Phish impersonating major banking firms have been around for quite some time, but they are always evolving. The Cofense Phishing Defense Center (PDC) has observed a recent phishing campaign that focused on harvesting New Zealand’s ASB banking credentials via covid-themed lures. The pandemic is affecting the lives of everyone in the world and threat actors are attempting to hook their targets by relying on changes in banking practices related to the pandemic.
Figure 1: Email Body
Seen in Figure 1, the first flaws evident with this phish is that the email is obviously not from an official ASB address. The body of the email seems somewhat legitimate at first glance with a convincing email signature and an apparent reference ID. The most telling sign that this email is a phish is how the link within the body is weirdly formatted. The email prompts the user to click on the URL so they can update the so-called covid “Code of Banking Practices.” Hovering over the link will reveal the embedded malicious URL with the domain cleusbmontreal[.]ca.
Figure 2: Phishing Page
Upon clicking the link, the user is directed to the webpage in Figure 2. It’s a near-exact replica of the legitimate ASB login page. All the icons, with the exception of the login button, redirect to legitimate ASB webpages. This is a simple – but often effective – trick implemented by the threat actor.
Figure 3: OTP Page
Once the login button is clicked, the target is taken to the page shown in Figure 3 where they are prompted for a one-time password (OTP). The threat actor may have tools to automatically use this information in real time. It may also be possible that the user received an OTP triggered by the attacker’s tools during a legitimate transaction initiated by them after harvesting credentials through the malicious webpage. Once the target provides their credentials, and OTP, they are then redirected to the authentic ASB home page.
This is another example of attackers leveraging covid and a well-designed phishing page to launch a dangerous campaign, one that found its way into inboxes under SEG (secure email gateway) protection. Cofense, and well-conditioned users, contained what standard security controls couldn’t. Contact us to learn how we can help to better protect your organization.
| Indicators of Compromise | IP |
| hxxps://cleusbmontreal[.]ca | 104[.]21[.]46[.]246 |
| hxxps://conz-aso-7725[.]heavy[.]jp | 118[.]27[.]125[.]223 |
| hxxps://photos[.]azyya[.]com/.co.nz/.respond[.]abs[.]co[.]nz-NZ70194135/auth[.]php | 95[.]216[.]33[.]120 |
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.
