Scammers Utilize Wufoo for Vacation Request Phish

As the holiday season ramps up, phishing scams related to PTO are expected to increase.

Missed By: Microsoft

Industry: Mining and Heavy Industries

By Kian Buckley-Maher, Cofense Phishing Defense Center

A phish recently noted by the Phishing Defense Center (PDC) utilizes the online form builder Wufoo, a tool commonly associated with easily created surveys and online registration forms. Threat actors have used Wufoo to create simplistic but effective credential-stealing vectors.

Phishing Email

The email itself, shown in Figure 1, uses basic language informing the user that they need to save a copy of the form and use it to submit any further time-off requests. This gives the threat actor a way to gain credentials again after any future mandatory password reset, a common policy in many organisations.

To instill a sense of urgency, it states that all requests for the subsequent two months need to be submitted through this method, so any users planning anything in the next few months will be compelled to download the form and input all the required information. As we head into the holiday season, this becomes even more timely. In addition, the user is requested to keep a copy of the form for any future time-off requests, as the requests are to be submitted during a two-month period. This also aligns with the typical 90-day password reset policies enabled in many organizations, and as such the threat actors ensure continued access to accounts even after a password reset has occurred.

Figure 1: Email Image

Looking at the header, we see the sender is utilising a generic alias to impersonate ‘Human Resources’, a typical naming convention used by organizations for company-wide communications such as this one.

Phishing Page

As seen in Figure 2, the form itself contains very few identifying marks such as branding or company logos, which threat actors in most cases include in order to increase the likelihood of interaction from the recipient. The simplicity of this time-request form allows the phish to reach further than most, with little modification needed between phishing campaigns, as would be required for a more stylised and complex corporate communication.

After entering the required fields, the user is also required to enter their email address in order to submit the form. Most organizations today utilize their self-service Payroll or HR portal to collect this information. This was most likely what indicated to the recipient that the email was suspicious, and they reported it via the Reporter button in Outlook.

Figure 2: Main Phishing Page

Once the user has provided all the required information, they will be presented with a page to input their account password to send the request, and the user's account credentials will be compromised.
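As an added example (not Cofense's code), the following Python heuristic ties together the observations above: a generic "Human Resources" display name sent from outside the organisation's domain, a link to a hosted Wufoo form, and time-off request wording. Both sample messages, the example.com domains and the Wufoo form URL are constructed placeholders, not the real campaign's values.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample in the style of the phish described above (not the real message).
SAMPLE_PHISH = """From: Human Resources <hr-notice@example-lookalike.net>
To: employee@example.com
Subject: Vacation Request Form - Submit All Time-Off Requests
Content-Type: text/plain

All time-off requests for the next two months must be submitted via the form below.
Please save a copy of the form for future requests.
https://example-forms.wufoo.com/forms/PLACEHOLDER/
"""

# Constructed benign HR reminder that points staff at the internal portal instead.
SAMPLE_BENIGN = """From: Human Resources <hr@example.com>
To: employee@example.com
Subject: Reminder: submit time-off requests in the HR portal
Content-Type: text/plain

Please use the self-service portal for all vacation requests.
"""

WUFOO_FORM = re.compile(r"https?://[\w.-]+\.wufoo\.com/forms/[\w/-]*", re.I)
PTO_TERMS = re.compile(r"\b(vacation|time[ -]?off|pto)\b", re.I)
URGENCY = re.compile(r"next two months|save a copy", re.I)
HR_NAMES = {"human resources", "hr", "hr department"}


def assess(raw: str, internal_domain: str) -> dict:
    """Score one raw RFC 822 message; two or more findings mark it suspicious."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"  # single-part text body
    findings = []
    if display.strip().lower() in HR_NAMES and sender_domain != internal_domain.lower():
        findings.append("generic HR display name from external domain")
    links = WUFOO_FORM.findall(text)
    if links:
        findings.append("link to hosted Wufoo form")
    if PTO_TERMS.search(text):
        findings.append("time-off request wording")
    if URGENCY.search(text):
        findings.append("urgency / keep-a-copy language")
    return {"suspicious": len(findings) >= 2, "findings": findings, "links": links}
```

A hit on the Wufoo link alone is worth reviewing; combined with an external sender using an HR alias it is the pattern this campaign relies on.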

Conclusion

The PDC continues to observe these kinds of phishing emails over the summer months, and as we look toward the end of year and the upcoming holiday season, we expect these campaigns to increase once again.

Due to the nature of these campaigns and their relative simplicity, it can be expected that they will be successful in organisations without proper phishing training and adequate phishing defences.


Indicators of Compromise
hXXps://xhrreview[.]wufoo[.]com/forms/m1cgigu51jrr9hf/