
By Kian Mahdavi and Geraint Williams, Cofense Phishing Defense Center 

The Cofense Phishing Defense Center (PDC) is seeing continued growth in business email compromises (BECs). This is fueled by government grants that have recently been put in place and, as a result, enable SMBs to access finance faster than usual, particularly during the coronavirus pandemic.

Quite often such attacks tend to target senior executives within organizations, typically because of the authority they have to get employees to respond quickly to a request. This is achieved through a combination of social engineering tactics, such as urgency to forward confidential data and fear of work suspension should the employee not do as instructed.

Figure 1 – Body of the email showing the interaction

The email body in Figure 1 reads “Please get this information”, followed by the display name of an executive at a global financial firm and the spoofed email address. This itself may raise red flags to eagle-eyed recipients, as the company’s trademarked name does not appear anywhere in the full email address. Solid social engineering tactics have been used, with the attacker offering help to increase the chance the attack succeeds: “can be found on any documents from HMRC …”

The attacker has spoofed a law firm located in North Carolina. Since the TLD is from a legitimate source, not only does the email pass basic security checks such as SPF, but more importantly it evades the existing security measures provided by Microsoft 365 EOP and Proofpoint.

Furthermore, the email opens by addressing the recipient by first name, as opposed to a generic opening such as “Good Morning” or “Dear…”, indicating that this is a spear-phishing email hand-selected to target one individual.

Figure 2 – Email header analysis 

If we dive further into the headers shown in Figure 2, the “Reply-To” address is actually {redacted}@chckl[.]co[.]uk. chckl – a purchased top-level domain – is used in an attempt to draw full attention to the innocent law firm. This further suggests that the law firm may have had its email servers compromised. In this way, the attacker conceals their actual location.
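The header pattern described above (a visible From address on a domain that passes SPF, with a Reply-To that quietly routes the reply somewhere else) is something a mail gateway or triage script can flag mechanically. The script below is an added illustration written for this post, not code from Cofense or the PDC; the two messages it parses are constructed samples, and every address and domain in them is a placeholder rather than an indicator from this case. It uses only Python’s standard library `email` package.

```python
import re
import email
from email import policy
from email.utils import getaddresses, parseaddr

# Constructed sample messages for illustration only (not the headers from the post).
# All names, addresses and domains are placeholders.
SUSPICIOUS_RAW = b"""From: "Jane Executive" <jane.executive@lawfirm-example.com>
To: finance.clerk@victim-example.com
Reply-To: jane.executive@reply-example.co.uk
Subject: Please get this information
Authentication-Results: mx.victim-example.com; spf=pass smtp.mailfrom=lawfirm-example.com
Date: Mon, 1 Jun 2020 09:00:00 +0000

Alex,

Please get this information. It can be found on any documents from HMRC.
"""

BENIGN_RAW = b"""From: "Pat Colleague" <pat.colleague@victim-example.com>
To: finance.clerk@victim-example.com
Subject: Lunch
Authentication-Results: mx.victim-example.com; spf=pass smtp.mailfrom=victim-example.com

Lunch at noon?
"""


def _domain(address: str) -> str:
    """Lower-cased domain part of an RFC 5322 address, or '' if there is none."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze_headers(raw: bytes) -> dict:
    """Flag a Reply-To that sends replies to a different domain than the visible From,
    and record the SPF verdict, which only says the sending domain was not forged."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    from_domain = _domain(str(msg.get("From", "")))
    reply_headers = [str(h) for h in msg.get_all("Reply-To", [])]
    reply_to_domains = sorted({_domain(addr) for _, addr in getaddresses(reply_headers)})

    # Exact-domain comparison; a public-suffix-aware comparison would treat
    # subdomains of one organisation as the same sender.
    reply_to_mismatch = any(d and d != from_domain for d in reply_to_domains)

    auth = str(msg.get("Authentication-Results", ""))
    m = re.search(r"\bspf=([a-z]+)", auth, re.IGNORECASE)
    spf = m.group(1).lower() if m else "none"

    findings = []
    if reply_to_mismatch:
        findings.append("reply_to_mismatch")
    if reply_to_mismatch and spf == "pass":
        # SPF vouches for the envelope sender, not for where replies will go.
        findings.append("spf_pass_does_not_vouch_for_reply_path")

    return {
        "from_domain": from_domain,
        "reply_to_domains": reply_to_domains,
        "reply_to_mismatch": reply_to_mismatch,
        "spf": spf,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("benign", BENIGN_RAW)):
        print(label, analyze_headers(raw))
```

Run it on an `.eml` file by passing the file’s bytes to `analyze_headers`; the point of the second finding is that an SPF pass on the From domain says nothing about the Reply-To domain, which is exactly the gap this campaign relies on.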

Typically, such emails target employees within financial departments, simply because of the data they can access. This particular attack does exactly that, harvesting the sensitive information needed to commit financial crime.

One can understand how easy it is to fall for such attacks, particularly for individuals who would expect to receive such emails. Attackers are using this to their advantage.  

Indicators of compromise

Network IOC:
{redacted}@chckl[.]co[.]uk
{redacted}@{redacted}[.]com

IP:
31[.]54[.]174[.]55

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.  
  
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.