Phish Found in Environments Protected by Proofpoint, Microsoft, Cisco, Mimecast and Symantec

By Mark Zigadlo, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) sees tens of thousands of phishing emails that bypass secure email gateways (SEGs) every month. The PDC is an advanced managed detection and response (MDR) service that can remediate these malicious emails from mail environments within minutes.   

A few examples of phishing emails found in environments protected by SEGs can be found here. The ineffectiveness of SEGs continue to increase business risk daily. And the solution is more than high production-value awarenesstraining modules. You need a combination of people and technology to combat the innovativeness of attackers to quickly reduce/remove the business risk. 

Here’s a recent and real story about a phishing campaign (and its quickly morphed successor) that bypassed SEGs from Proofpoint (PFPT), Microsoft (MSFT), Mimecast (MIME), Cisco (CSCO) and Symantec (SYMC).   

The suspicious email below arrived in my inbox. I reported it to the PDC using Cofense Reporter.

Figure 1 – Phishing Email 

I received a response eight minutes later saying the email was malicious (BazarBackdoor malware) and removed from my mailbox. Amazing speed, eight minutes to remove the threat and stop the attack!

Detection

Drilling down further, I saw Cofense’s network effect was in full action in the PDC. The network effect is the unique combination of people and technology that allows one participant in the network to benefit from threats found by another participant in the network. At Cofense, we have over 25 million people contributing to make the network effect an unparalleled security tool. In this case, the PDC had detected similar attacks for 15 other PDC customers (people in the network), which enabled the PDC to respond with lightning speed throughout the day.

Here is the kill chain/timeline for the first customer that received this phishing campaign.

Twelve minutes between the first report and removal of malicious emails from user mailboxes, but the story gets better.   

The PDC uses a key feature of Cofense Vision called Auto Quarantine which looks for new emails matching the ones just identified and quarantined. Over the next 24 minutes, 22 additional emails were detected and removed by Cofense Vision. 

Response & Remediation 

As we know, attackers are constantly innovating to bypass security technology. This is why you need the combination of people and technology to reduce/remove the risk. This case was no different. Two hours after the first phishing campaign was identified and stopped, a slightly modified campaign was launched against the same customer. The PDC jumped back into action again. 

More amazing results. Twenty-two minutes between the first report of the modified campaign and removal of malicious emails from user mailboxes through Cofense’s Phishing Defense Center.

The Phishing Defense Center harnesses phishing intelligence from the frontlines of the world’s most active phishing campaigns to quickly protect everyone in the network. 

To learn how you can efficiently identify and remove phish that have bypassed your SEG, click here for a free demo of the Phishing Defense Center. 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Twelve Flavors of Phish: Canadian Workers Targeted With Fake Covid-19 Relief Deposits

By Jake Longden and Elmer Hernandez, Cofense Phishing Defense Center

Financial aid programs continue to be popular targets in the midst of the COVID-19 pandemic, with government relief grants a particularly great one to exploit.  

The Cofense Phishing Defence Center (PDC) has observed a recent phishing campaign in Canada that aims to harvest banking credentials and other personal information from 12 different banking institutions. This was achieved by preying on employees who were expecting COVID-19 relief grants in the form of the CERB (Canada Emergency Response Benefit). These funds are supposedly sent via an electronic transfer from Interac, a legitimate Canadian interbank network. 

With multiple world governments providing such grants, and millions of people relying on these as their main source of sustenance, adversaries will continue exploiting such dependence. 

CERB Deposit

The email purports to be a notification from Interac’s e-transfer service, indicating that the Canada Revenue Agency (CRA) has made a CERB deposit of $1,957.5 CAD (approx. $1,463 USD). A fictitious expiration date is included in an attempt to instill a sense of urgency.

The CERB scheme gives financial support to employed and self-employed Canadians who have been affected by the COVID- 19 pandemic. It offers $2,000 CAD (approx. $1,490 USD) for a four-week period.

Figure 1 – Email Body 

Header

The SPF fail in the headers (Figure 2) indicates that the email is likely spoofed, and the IP address suggests that it came from a potentially compromised device using the University of South Florida network (Figure 3). The choice of the name ‘cra-cerb’ in the address is used to add credibility to the email.

Figure 2 – SPF Fail 

Figure 3 – USF IP Address 

A Phish of 12 Different Flavors

The first landing page the phish visits is an impersonation of the CRA. It has working links in both French and English like a legitimate site from the Canadian government. Once the user has selected their language choice, they will be redirected to an impersonated Interac e-transfer site in said language.

Figure 4 – CRA Spoofed Site  

Once in the spoofed Interac e-transfer site (Figure 5)the user must choose their personal bank from twelve different options in order to receive the deposit. All of these banks are actual members of the Interac network, which suggests attention to detail from adversaries: 

  • ATB Financial 
  • Bank of Montreal (BMO) 
  • Canadian Imperial Bank of Commerce (CIBC) 
  • Desjardins 
  • Laurentian Bank 
  • Meridian 
  • National Bank of Canada 
  • Royal Bank of Canada (RBC) 
  • Scotiabank 
  • Simplii Financial 
  • Tangerine 
  • TD Canada Trust 

Figure 5 – Spoofed Interac Page 

Next, the recipient is taken through a series of spoofed pages for the corresponding bankwith some offering both English and French versionsAll pages reside within compromised website of a Washington, DC area businessThe URL paths vary depending on the bank, but follow the following format:  

hxxps://lincolnrestaurant-dc[.]com/interca/{unique 32 character string}/bank/{bank name}/{html or php file} 

Although no two options are identical, most of the twelve spoofed banks ask for similar details: 

  • Usernames 
  • Card Numbers 
  • Passwords 
  • Security Questions and Answers 
  • Personal Information (PI) (Full Name, Date of Birth, Email, etc) 

Scotiabank (English) was chosen to showcase an example of the entire phish process. The initial page the user is presented with is a standard login page asking for credentials, notice the slight typo of the word “sign” on the “Sing in button (Figure 6). 

Figure 6 – Scotiabank Sign in 

The next page asks for sensitive PI and card information (Figure 7). The user is then asked for Security questions and answers (Figure 8), which might falsely provide the reassurance that some form of multi-factor authentication is being employed. The combination of PI such as a Social Insurance number, credit card numbers and MFA questions could form a fairly solid base for identity theft/impersonation. Once submitted a final page confirms the funds will be deposited in 48 hours (Figure 9).

Figure 7 – Scotia PI and Card Info 

Figure 8 – Scotia MFA Security Questions 

Figure 9 – Deposit Successful 

Figures 10 through 20 show the login pages for the remaining eleven spoofed banks.  

Figure 10 – ATB 

Figure 11 – BMO 

Figure 12 – CIBC  

Figure 13 – Desjardins  

Figure 14 – Laurentian  

Figure 15 – Meridian  

Figure 16 – National Bank 

Figure 17 – RBC  

Figure 18 – Simplii  

Figure 19 – Tangerine  

Figure 20 – TD  

Indicators of Compromise

Malicious URL:

hxxps://lincolnrestaurant-dc[.]com/interca

Associated IP:

108[.]167[.]182[.]39

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Trend: Credphish Links Stuffed in Benign Attachments Are on the Rise

By Kian Mahdavi, Cofense Phishing Defense Center

While it’s true that most enterprise-directed phishing is credential phishing, that doesn’t mean attackers have completely abandoned attachments. The days of malware-laden attachments are dwindling. You’re not going to find dangerous embedded macro or .VBS in 2020 at the same frequency observed in 2016. Attackers are using attachments, more now than ever, to deliver embedded URLs. Why? Because secure email gateway (SEG) vendors have emphasized auto-scanning and wrapping URLs in the body of emails.

During the last few weeks, the Cofense Phishing Defense Center (PDC) has observed a significant uptick in credphish URLs stuffed in attachments successfully bypassing several commercial SEGs. The attachment types are varied, but many are commonly used in normal business communications – .DOC .HTML, .HTM, .XLSX, .PDF, etc. Check out our REAL phishing threats samples here for a complete list.

If you think stuffing credphish URLs in attachments to sidestep automated URL scanning is a no-brainer for attackers, we agree. You’d be surprised at the number of SOAR vendors demoing automated-phishing-analysis playbooks that fail due to this simple attacker adaptation. This phenomenon isn’t going to slow down.

Here’s a common example of a campaign reported to the PDC by a vigilant user:

Figure 1: Email Body

There has been a recent rash – 500 variants – of this campaign reported from our users via the Cofense Reporter Button. The campaign originated from an assumed compromised account from a legitimate business. Originating from a legitimate business surely added to a sense of legitimacy. Luckily, the recipient asked themselves: “Am I expecting to receive a document from this sender?”

Upon opening the attached .XLSX document, Microsoft Excel loads, prompting the user to click an embedded image using “trusted” brands to spruce up the legitimacy of the ruse. Once clicked, the attack redirects to the phishing landing page requesting the user’s credentials.

Figure 2 – The underlying “Open” link doesn’t take the victim to OneDrive

Once credentials have been supplied, the phishing website redirects the user to the authentic “office[.]com” to make the victim feel like the whole experience was legit.

Figure 3 – Phishing landing page 

Figure 4  Redirect to authentic office[.]com webpage 

Figure 5 below displays the HTML source code with POST command when a user types in their credentials and attempts to login. In fact, their personal data gets forwarded to the attacker via a pre-configured PHP script.    

Figure 5 – POST command forwards users’ credentials to the above URL 

Slipping credential phish URLs into innocuous attachments is going to frustrate SEGs for years to come because of the endless file formats that support HTML, compounded by all the clever ways attackers can obfuscate those URLs from automated analysis. Cofense customers avoided a disaster because of their commitment to upgrading their wetware.

Indicators of Compromise: 

Network IOC   IP 
hxxps://noshgosh[.]com/9833636833/mau [.]html  192[.]185 [.] 181 [.] 28 
hxxps://runyourrideonwater[.]com/a1/shareaumine/login[.]php  192 [.] 185 [.] 148 [.]151 

 

File name:  Copy of mstglobal.xlsx  
MD5:  519615b29249d944f7564eb4f2d1feac 
SHA256:  ff9f56c61230a45ab662e7e2b650ec834ba4194cbcbc7cfcbdd06c0b046b64f6 
File Size:   36.2 KB 

Want to know the breakdown of phishing attacks by type? Make sure you look out for our annual report.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

 

101 Credential Phishing for Observant Employees

By Luis Raul Parra, Cofense Phishing Defense Center

Asome point in your (digital) life you have received annoying notifications about unexpected signin attempts to one of your accounts/services, and you have ignored them. After all, it was just an attempt – no one was able to access anything. Yet, if you are vigilant enough, you would report this unauthorized attempt to the service provider and contribute to enhancing security. Well done! But keep reading; this article is for you.  

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Office365 (O365) credentials of “vigilant” users who want to act on unrecognized sign-in attempts to their accounts.  

The campaign was reported by users in several companies across Englishspeaking countries including the United States, England and Scotland. The message was carefully crafted to pass as a real alert of an unexpected sign-in on the recipient’s corporate account. It urged immediate action. 

Figure 1: Email Body

All reported emails used the same technique to customize the attack: The “From” field contained the address “postmaster@COMPANYDOMAIN.cpasurveys.com” in order to convince the end user that this was a valid alert notification from their company’s email security system.  

Figure 2: Email Header

The subject of the email states that there was a sign-in attempt to the user’s account from an unrecognized device, specifying the name of the user and claiming to come from “COMPANYNAME Mail Service”. The content of the body states the timestamp, location, IP address and device where the (false) attempt was performed. In all cases, the IP address shown in the body was 194[.]209[.]77[.]62.  

To make the email even more credible, the attackers included a confirmation code stated to be valid for 24 hours with aims of pressuring the recipient to act within that time. They were thoughtful enough to add the message “if this was you, you’re all set!” 

Furthermore, there was the option to click on the “Unsubscribe” button in order to stop receiving future messages like these. The URL behind a link of the type hxxps://tracking[.]mail[.]netflix[.]tshirtsintaramerica[.]com/click/* is possibly just a tracker that then redirected to the official company website.

The credential phishing attempt was done through an HTML file attached to the email. Images and CSS styles were pulled from a different website: hxxps://youmustlast[.]website/wassets/: 

Figure 3: CSS Style 

The HTML file already contained the user’s email address in the email account address field: 

Figure 4: Phishing Page

Should the recipient enter the corporate credentials into the attached HTML page, a POST action sends the username and password to the threat actor and the URL hxxps://sharepreview[.]site/win/next[.]php

Figure 5: POST Action

Credential phishing done. At the same time, you’ve been made to feel vigilant at having spotted something untoward happening with your account. That’s how the attackers attempt to trip up alert and conscientious users.  

Network IOC   IP   
hXXps://sharepreview[.]site/win/next[.]php  23[.]254[.]130[.]108 
hXXps://youmustlast[.]website/wassets/statuspage[.]css  63[.]250[.]38[.]73 
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

End of Support for Windows 7 Means Beginning of Upgrade-Themed Phishing Campaigns

By Kaleb Kirk, Cofense Phishing Defense Center  

Over the last few years, businesses have been getting serious about updating their corporate desktop images. For quite some time, Windows 7 has been the predominant operating system (OS) for many workplaces and environmentsWindows 10 was released in 2015yet many companies are just now making the transition. With that comes the pains of upgrading end users machines. Standardizing a corporate desktop image is arduous with complicated edge cases that must be considered for all the hardware variants. The job is further complicated when thirdparty software has yet to officially support a new OS. This explains why enterprises wait, sometimes for years, before taking the plunge. Unfortunately, these delays give the bad guys time to refine exploitation techniques on older operating systems lacking the latest architecture.  

The phishing lure below preys on the victim’s anxiety about losing productivity while their computer is upgraded. Comically, the attacker uses a colorful list of benefits the end user receives to get them to take the baitWill we see an uptick in this phishing lure? It will depend on the success rate of this theme. Time will tell.   

Figure 1-2: Email Body

The subject references a Windows upgrade, but there is also something else manipulative: the inclusion of the “RE:” before the rest of the subject. Internal email about company meetings, news and IT upgrades are common. Prefixing the “RE:” may instill a sense of urgency by leading the user to believe they have missed a prior communication about the upgrade.

We look at phishing emails that bypass commercial gateways all day, every day. Most of them are hastily slapped together. This lure needs improvement, but it’s not completely awful. We give this threat actor two gold stars for the table with made-up laptops, fake serial numbers, building, etc. It applies a good sense-of-urgency ploy using the highlighted “Today,” and the body doesn’t have obvious grammar or spelling errors. Again, not completely awful.

How can this attacker upgrade this lure from a C- to a B+? This email would be more believable if the sender were more generic. “Helpdesk,” for example. We obfuscated the From: line of the compromised account  “Genadiy” which was not from the intended victim’s company domain, and certainly not from their IT department. The intended victim unfortunately doesn’t have a clean way to easily know the true underlying URL because it’s annoyingly masked by Proofpoint’s URL Defense (which, ironically, would not have defended the user because, once clicked, the phishing page loaded instantly).

Figure 3: Credential Phishing Page

Figure 3, above, shows the loaded credential phishing page. This page gets a D- for lack of effort. They wasted a valid SSL certificate on a terrible version of an OWA login page.

This phish closes out cleanly by redirecting the intended victim to a Microsoft page about the discontinued support of Windows 7 (but still leaves the target worried about their OS upgrade).

Figure 4: Final Redirect

Attackers have been using the “time to upgrade your out-of-date software” ploy for years. With Windows 7 ending official support, it won’t be surprising if we see a flurry of better versions of this phish in the future. Hopefully your vigilant users know that “Genadiy” (from a company that isn’t yours) doesn’t upgrade an operating system “Today,” and via email. Cheers.

Network IOC IP
hXXps://app[.]getresponse[.]com/site2/ken23456789765?u=w3DxF&webforms_id=hlvzr 104[.]160[.]64[.]9
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Spoofed Training Email from Phishing Simulator Company

By Max Gannon and Brad Haas, Cofense Intelligence

Cofense Intelligence has analyzed a security awareness training-themed campaign that spoofs a training reminder email from KnowBe4. Embedded links in the email direct victims to a credential phishing page targeting both Microsoft Outlook credentials and personal information. The phishing kit is hosted on compromised sites and has been used on at least 30 domains since mid-April 2020, as detailed below.

The emails used in this campaign attempt to pressure recipients into clicking the link by warning that the user only has one day left to complete a required training. They also discourage recipients from browsing directly to legitimate company training pages with the following statement: “Please note this training is not available on the employee training Portal. You need to use the link below to complete the training[.]”

Figure 1: Phishing email spoofing a KnowBe4 notification

The phishing kit used in this attack first collects Outlook credentials, then loads another page soliciting several pieces of personal information.

Figure 2: First page of the credential phishing kit

Figure 3: Second page of the credential phishing kit

As noted, the campaign’s credential phishing kit has been hosted on at least 30 other sites since mid-April 2020. The kits all used the same exfiltration methods and files as the spoofed KnowBe4 campaign, targeting Outlook credentials. Previous campaigns using this kit had a sexual harassment training theme rather than a security training theme. Those campaigns redirected to a legitimate page related to sexual harassment, shown in Figure 4, after the credentials requested in Figure 2 and Figure 3 were entered. The credential phishing kit linked in the spoofed KnowBe4 campaign has already been taken down, but it is very likely that the threat actors redirected from it to a security training-related page instead.

Figure 4: The credential phishing kit from previous campaigns redirected to this page

After additional analysis, we discovered that several of the compromised sites, many of which run WordPress, had recently been used to host a specific web shell, “CHips L MINI SHELL.” The shell has a relatively small feature set, allowing attackers to upload and edit files on a compromised site. It has already been removed from the sites in most instances. However, it was installed on some of them in a way that made it publicly visible, so cached Google search results show that it had been present, as shown in Figure 5.

Figure 5: Web shell on compromised site hosting the credential phishing kit

The indicator of compromise (IOC) table below includes the phishing kit URLs mentioned above.

Table 1: IOCs

Associated Credential Phishing URLs
hxxps://2014[.]digitree[.]co[.]kr/samhwa/lib/bid/login[.]php
hxxps://acertijos[.]com[.]ar/Blog/wp-includes/bid/login[.]php
hxxps://avellanoeuropeo[.]ufro[.]cl/wp-content/plugins/bid/login[.]php
hxxps://breckinridgecounty[.]net/[.]well-known/acme-challenge/bid/login[.]php
hxxps://docentes[.]uto[.]edu[.]bo/dmoyaa/wp-includes/bid/login[.]php
hxxps://g5lab[.]com/aspera/uploads/bid/login[.]php
hxxps://greenup[.]co[.]in/wp-includes/bid/login[.]php
hxxps://kikihalekararlari[.]com/assets/plugins/flot/bid/login[.]php
hxxps://mobiletradesman[.]co[.]uk/wp-admin/bid/login[.]php
hxxps://modoou[.]net/wp-content/bid/login[.]php
hxxps://msk[.]turbolider[.]ru/wp-includes/bid/login[.]php
hxxps://niceoldtownapartment[.]com/wp-content/plugins/fusion-core/tinymce/bid/login[.]php
hxxps://otorrinosensantafe[.]com[.]mx/[.]well-known/pki-validation/bid/login[.]php
hxxps://pandeyize[.]com/[.]well-known/acme-challenge/bid/login[.]php
hxxps://plazaempresarial[.]com/[.]well-known/acme-challenge/bid/login[.]php
hxxps://propertyask[.]com/[.]well-known/pki-validation/bid/login[.]php
hxxps://rashifal[.]com/img/bid/login[.]php
hxxps://rotularltda[.]com/[.]well-known/acme-challenge/bid/login[.]php
hxxps://skinnyontherunapp[.]com/[.]well-known/acme-challenge/bid/login[.]php
hxxps://somelit[.]org/wp-content/plugins/bid/login[.]php
hxxps://tcvsat[.]com/tcvsat-respnov19/wp-includes/IXR/bid/login[.]php
hxxps://thegsmshop[.]com/wp-includes/css/bid/login[.]php
hxxps://www[.]aajtaknews[.]in/wp-content/cache/all/bid/login[.]php
hxxps://www[.]auntynise[.]com/[.]well-known/acme-challenge/bid/login[.]php
hxxps://www[.]happychappybrands[.]com/wp-includes/bid/login[.]php
hxxps://www[.]healthfavour[.]com/wp-includes/css/bid/login[.]php
hxxps://www[.]mvoguesalon[.]com/bootstrap/cache/bid/login[.]php
hxxps://www[.]samicultura[.]com[.]br/includes/bid/login[.]php
hxxps://www[.]search4blog[.]com/wp-content/plugins/bid/login[.]php
hxxps://digitalprakhar[.]com/wp-content/uploads/2016/08/bid/login[.]php

Recommendations

Educating your workforce to identify these threats is key. Organizations can also stay on top of today’s dynamic threat landscape using Cofense Intelligence. Phishing causes nine out of ten data breaches. With Cofense Intelligence, you’ll get access to preemptive phishing alerts you can act on before you’re attacked.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Message Quarantine Campaign with Overlying Potential

By Dylan Main, Cofense Phishing Defense Center 

Message quarantine phish are back, this time with a new tactic utilizing the targeted company’s homepage as part of the attack. The Cofense Phishing Defense Center (PDC) has identified this campaign which attempts to steal employee credentials by posing as a message quarantine email. Using an overlay tactic to disguise itself, this attack is an example of how threat actors are using more advanced techniques to make these malicious emails appear as though they are from a trusted source. 

Figure 1: Phishing Email

This campaign attempts to imitate the technical support team of the employee’s company and makes it appear as though the company’s email security service has quarantined three messages, blocking them from entering the inbox. It claims these messages failed to process and need to be reviewed in order to confirm validity. It even states that two of these were considered valid and are being held for deletion. This could potentially lead the employee to believe that the messages could be important to the company and entice the employee to review the held emails. Another social engineering technique the threat actor uses to lure the employee into interacting with the email is giving the messages urgency, asking the recipient to review them or they will be deleted after three days. Potential loss of important documents or emails could make the employee more inclined to interact with this email.

Figure 2: Phishing Email 

As seen in Figure 2, hovering over “Review Messages Now” shows the malicious URL. However, upon interacting with the link, the user will be directed to a phishing page unique to the employees’ company. Here is where this campaign uses advanced mechanics to make it appear even more legitimate. 

Figure 3: Cofense Phishing Page 

After interacting with the email, the employee will then be redirected to what appears to be a login screen on the company website (Fig 3). However, further analysis has determined that the page shown is actually the company’s website home page with a fake login panel covering it. This gives the employee a greater comfort level, by displaying to  a familiar page. It is also possible to interact with this page by moving outside of the overlay, showing that it is the actual page they have seen and used before. The overlay itself is attempting to prompt the user to sign in to access the company account. The entered credentials are then sent to the threat actor, giving them access to the target’s company account. 

Figure 4: Microsoft Phishing Page

Based on the analysis performed by the PDC, it was determined that each link, while still going to the same base domain, uses specific parameters to determine which web page pull, then overlays the fake login panel on top. Depending on what company the threat actor is targeting, the link will populate the address of the original recipient of the email. Figures 3 and 4 are examples provided by entering an address, in this case Cofense or Microsoft.  After the equal sign, the link will look at the domain of that address and pull the homepage. This campaign shows that threat actors can and will use any resource available to compromise business accounts.  

HOW COFENSE CAN HELP 

Cofense Resources 

Cofense PhishMeTM offers a simulation template named Email Quarantine Report – Alternate. 

Network IOC IP   
hxxp://google[.]com@ashousingcompany[.]com/www/?email=  104[.]27[.]158[.]208 
hxxp://traximgarage[.]com/www/webmail-std/appsuite/1ogin/mai1/  185[.]68[.]16[.]137 
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phishing Threat Preys on Desperate Business Owners

By Kyle Duncan and Noah Mizell, Cofense Phishing Defense Center

For the past few months, businesses across the nation have suffered from the financial strain brought on by COVID-19. Government relief has become a major concern as businesses struggle to stay afloat. The Cofense Phishing Defense Center (PDC) has taken notice of a new phishing campaign that once again aims to abuse Covid-related fear and uncertainty. This campaign imitates the U.S. Small Business Administration (SBA) to harvest the credentials of business owners who may be expecting the administration’s assistance.

While the spoofed address for this attack is one the SBA uses and is even listed on their website, one brief look at this example’s “Received” path shows it did not originate from the SBA.

Figure 1-2: Email Header

These first four stops on the email’s Received path indicate that the email originated from Japanese email servers. This can not only be seen in the Received path but also in other fields of the header information. The Japanese IP address is seen in the Authentication-Results-Original and the Japanese domain can be seen in the Message-ID in some cases.

Figure 3-4: Email Body

The email body of this phish is very clean and well-constructed. Barring the excessive use of commas, the email looks legitimate at a glance. The threat actor has even compiled legitimate logo images and contact information to help sell the deception. Small business owners who have applied for federal aid would be hopeful and relieved to see this message in their inbox.

When you hover over the “Review and Proceed” button, however, the facade falls. Instead of sending users to SBA.gov, this button will redirect to the phishing page:

hXXps://ion-homes[.]com/sba/covid19relief/sba.gov/

The phishing page at this URL redirects to an SBA phishing login page with similar logo, positioning, and details to the real site. While the phishing domain differs, the threat actor has notably attempted to mirror the URL structure from the legitimate SBA’s login URL by tossing in ‘covid19relief’ into the directory name.

Figure 5: Phishing Page

Upon entering their login credentials, users are then redirected to the official SBA website, specifically the login page as seen in Figure 5.

Figure 6: Official Small Business Association Page

Instead of receiving aid, business owners who fall for the scam give away their credentials—adding insult to injury.

LEARN MORE about the Cofense Phishing Defense Center. See how the PDC’s managed phishing response and remediation stops phishing attacks that elude email gateways.

Network IOC  IP  
hXXps://ion-homes[.]com/sba/covid19relief/sba.gov/ 173.231.209.178
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Twitter Announces Hackers Gained Access via Phishing Attack

By Aaron Higbee

On July 15, 2020 a small number of Twitter employees were duped in a successful spear phishing attack which Twitter is now calling a “phone spear phish”. There is a mention of a phone, but Twitter didn’t elaborate on what role a phone played. (SIM swap? Misleading link via SMS to a credential phishing page?) Regardless, phishing resulted in stolen Twitter employee credentials. Attackers used the stolen credentials to access internal systems and gain information about Twitter processes, then targeted additional employees to breach account support tools. Scam tweets were sent from dozens of major accounts and the hackers quickly received hundreds of bitcoin transfers worth over $115,000. This type of attack is not unusual as 74% of real phish are credential phish.

Human Vulnerabilities

Twitter has now provided limited detail about the specific technique used in the spear phishing attack and has not disclosed how many employees or contractors have access to its account support tools. Broad levels of access can pose challenges to defending against phishing. Twitter shared, “This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” and called the incident “a striking reminder of how important each person on our team is in protecting our service”. The attack resulted in:

  • 130 accounts targeted
  • 45 accounts had Tweets sent by attackers
  • 36 accounts had the DM inbox accessed
  • 8 accounts had an archive of “Your Twitter Data” downloaded, none of these are Verified
  • Crypto transfers exceeding $115,000.
  • Untold brand damage to Twitter

Human Informants?

In the blog post, Twitter didn’t mention how many Twitter employees were targeted in the phishing campaigns, how many of those employees reported the phishing attempts, and whether or not Twitter security operations were tooled up to act on employee reports of phishing.

In the Cofense annual report on employee phishing resiliency, you might be surprised to see that Technology companies tend to be on the lower end of industry benchmarks.

Too Much Access?

Twitter admits concern around their tools and levels of employee access, yet goes on to claim that access to proprietary tools is “strictly limited and only granted for valid business reasons”. Twitter advises that they have now “significantly limited access to our internal tools and systems” while they complete their investigation, citing “we have teams around the world” that help with account support. Users with account support needs, reported Tweets and applications to Twitter’s developer platform can expect delays. Twitter is focused on restoring access for all account owners who may still be locked out.

Portrait of a Phish

Whether the hackers gained access via phone, a personal device, or office computer, the aim of the attack was to obtain employee credentials. Twitter advises that although their tools, controls, and processes are constantly being updated and improved, they are now “taking a hard look” at how they can make them even more sophisticated.

The specifics of the phish that evaded security controls are vague. Spear phishing tends to be more targeted and dangerous than a typical phishing attack, because the phishing emails are highly believable when tailored to individuals or small, specific groups of people. “Phone phishing” is messy infosec jargon that tends to be a catch-all for all things social engineering that involve a mobile device. A phish via phone could appear to be many things: a message from support requesting credentials for an update, an SMS phish linking the user to a false company login page, or an actual phone call from a friendly colleague requesting login information.

If employees are unaware of the role they play in data breaches, they are more likely to fall for these scams. No amount of security controls can fully secure a network unless employees are also seen as the frontline in phishing defense. Twitter needs to consider building employee resilience to phishing in their plan to become more sophisticated.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Adding a Human Layer of Defense to Email Security

Guest Author: Edward Amoroso, Chief Executive Officer & Analyst, TAG Cyber

For over a decade, a quantitative index hosted at NYU’s Center for Cyber Security (CCS) has been used to measure the sentiment of expert practitioners across a range of cyber threat and enterprise security issues. While the index value has increased continually over the years, which indicates growing concern among the participating experts that threats are increasing, significant spikes in any measured attribute have rarely occurred – until recently.

Since early 2020, the NYU research team has measured increased concerns regarding email security risk, and, in particular, with phishing messages reaching user in-boxes. This result might seem somewhat expected, given the increased number of people working from home during the COVID-19 pandemic. But enterprise teams routinely include world-class commercial security solutions such as secure email gateways (SEGs), so this seemed inconsistent with the sentiment spike.

Working with the phishing defense experts from Leesburg-based Cofense, Dr. Edward Amoroso, head of research advisory company TAG Cyber, which helps to administer the NYU CCS index, sought to investigate what was going on. A brief survey was constructed and shared with a dozen experts operating secure email infrastructure. Each was asked whether, and how frequently, phishing attacks were finding their way past their existing email defenses, all of which included a SEG.

The results were interesting: fully half reported that potentially dangerous phishing messages reached employee in-boxes roughly once per week, and the other half reported not having sufficiently accurate data to even answer the question. Frankly, both of these answers seemed disturbing – even though they helped to explain the spike in the NYU index. Clearly, something troublesome has been going on recently with email security.

Aaron Higbee, Cofense CTO and Co-Founder, and Tonia Dudley, Cofense Security Solutions Advisor, shared their own approach to this growing problem during a recent webinar jointly hosted by TAG Cyber. In short, the Cofense solution introduces a human layer of protection to complement existing defenses to create a more defense-in-depth model for addressing phishing risk. The human aspect is enhanced in the Cofense approach using crowdsourced support, which results in complementary intelligence about email threats. It seems a sensible addition.

What you’ll find from the discussion during this recent webcast is that while traditional firewalls and other security gateway devices are important parts of a layered defense, they are obviously nowhere near sufficient to protect an enterprise. The Cofense team believes, and makes the strong case, that SEGs also benefit from the introduction of additional complementary protections – which involve the human-oriented controls mentioned above.

If you’re like the experts who respond to the NYU CCS index, then you are feeling increased stress about phishing risks to your enterprise. This suggests that adding some sensible security controls into a multilayered protection solution would be advised.

Learn more about how Cofense helps organizations by combining the power of human detection with automated response, enabling your teams to stop phishing attacks in minutes.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.