How the Nuclear Decommissioning Authority Leverages Cofense Email Security Solutions

The Nuclear Decommissioning Authority is a non-departmental public body made up of 26,000 members across the Department for Business, Energy, and Industrial Strategy. With limited resources to dedicate to anti-phishing education and awareness, as well as limited time for quick-response threat identification and removal, NDA worked closely with Cofense to build a proper tech stack to enhance their email cybersecurity posture.  

We asked Neil Kendall, CTI/CYAS Manager at the NDA, during a recent fireside chat to discuss the relationship and how Cofense solutions not only play a critical role in thwarting potential attacks at NDA, but also provide a continuum of educational resources for identification and reporting of phishing emails.

EXECUTIVE SUMMARY

Customer: Nuclear Decommissioning Authority, a non-departmental public body made up of 26,000 members across the Department for Business, Energy and Industrial Strategy. 

Challenges: Executives fear that their teams are being targeted for hours when using traditional SEGs, and there is a lack of communication regarding phishing.

Solutions: Cofense PhishMe, Cofense Triage, Cofense Vision 

Results: Educating employees with real phishing simulations as well as spreading awareness by stopping attacks using crowdsourced intelligence. 

On education and awareness, NDA wanted to prevent attacks from entering the office, but realized education had to be about all devices and environments, and that crowdsourced reporting was just as important as initial identification. Kendall explains the need to “really spread the word to report, even if the person is on the fence and they’re not sure is this malicious, is it non-malicious? Report it. Being able to look at that, identify it as being malicious and then spreading the word around the rest of our group, is vitally, vitally important.”

He further expands on education and the use of Cofense PhishMe, stating “We can use things like the PhishMe scenarios to be able to test our defenses, test our staff, and we can look to where our soft spots are so we can harden them, and we can then look to bolster them.” 

For the security team, it was time to move beyond dependence on their Secure Email Gateway and add Cofense solutions Triage and Vision to find, prioritize and eliminate what SEGs do not. Kendall explains, “It’s that second line again, it’s that defense in depth, it’s the layered approach that we are not just relying on one technology and what their map of the world is.” Cofense Triage helps the NDA team prioritize the threats so remediation can happen faster, and more time can be returned to security team members to focus on more important issues.  

Going one step further, they paired Triage with Cofense Vision to auto-quarantine phishing threats lurking in their email environment. They can also configure auto-quarantine to look for any new phishing campaigns automatically and continuously and to proactively stop attacks in their tracks. 

“We get that straight into Vision because we know there's that lag between Microsoft Safe Links doing its thing, and we know Vision will do its thing pretty much straight away. For us it's really, really important.”

We encourage you to watch the entire chat to hear additional thoughts from Neil Kendall on the need for a multi-layered approach to email security and how NDA’s partnership with Cofense has significantly enhanced their security posture.  

Cofense Email Security Review: Q3 2022

The phishing threat landscape never stops transforming itself, and Q3 2022 has been another illustration of this. Emotet, despite changing tactics back to using macro-laden Office documents as its delivery mechanism, drastically decreased in volume and then ceased activity in early Q3. However, because of the change in tactics by Emotet (even for a short period), macro-laden Office documents became the top delivery mechanism for this quarter. All the top malware families from last quarter have found a place among the top families this quarter, although there was an overall increase in volume for Keyloggers and Remote Access Trojans. QakBot is the top malware family reaching enterprise users, which has led to a spike in volume for the Banker malware type starting in late Q3.

In our strategic analyses during Q3, Cofense investigated both new and long-standing phishing trends. We delineated threat actors’ abuse of legitimate services such as Dropbox and DocuSign, and of other legitimate and trusted domain names, in order to ensure that malicious emails would reach inboxes. We investigated a long-standing activity set, which we first reported in 2019, outlining its evolution over time as it targeted government contractors. We also sought to provide readers with a broad, introductory understanding of malware types in the phishing threat landscape, as well as baseline reports on specific malware families, such as Snake Keylogger. In addition to providing these baseline reports, Cofense also gave readers insight into ongoing service improvements through the Intelligence product update report.

In our Q2 Trends Review, Cofense Intelligence identified QakBot as the malware family to watch during Q3, and QakBot has not disappointed. Despite not showing high on the charts in terms of overall volume across the quarter, a few significant developments and new, successful TTPs have given QakBot the limelight again at the tail end of Q3. QakBot is still our Malware Family to Watch for the foreseeable future, and each of our projections for Q4 touch on QakBot developments to some extent.

Overall Activity

Once again, the overall observed malware-delivery activity decreased significantly over the course of the quarter, largely due to Emotet volume dropping off completely in mid-July. The volume for Q3 remained steady after July’s drop.

Figure 1: Volume of phishing emails delivering malware in Q3 2022.

Prevalent Malware in Q3

Each of the five most common malware types and the top families for each type from Q2 found a place on the charts in Q3, although the order of the malware types differed slightly due to changes in volume. Notably, there was an increase in position for Keyloggers and Remote Access Trojans.

Table 1: Top five malware types with the top family of each type.

The continued position of Emotet (and consequently Loaders) at the top of the list is a testament to its extreme outscaling of all other malware-delivery campaigns, even as it decreased in July. The chart in Figure 2 has been capped to show distinguishable volumes of other phishing activity.

Keyloggers saw the largest increase in volume between Q2 and Q3, with malware families like Agent Tesla and Snake Keylogger both being popular in the phishing threat landscape. The Remote Access Trojans (RATs) malware type passed Banker types due to a lower volume of QakBot phishing emails during a large portion of the quarter. However, the Banker malware type threatens to increase significantly and overtake other malware types, with the return of QakBot in late Q3. Remcos RAT continues to be the top RAT, followed by NanoCore RAT.

Figure 2: Top five malware types in Q3 2022 and Q2 2022, by volume of emails.

Delivery Mechanism Rundown

Office macros have become the top delivery mechanism, overtaking LNK downloaders as malware families like Emotet dropped that delivery type. However, the volume for Office macros has not been consistent across the quarter, as it decreased significantly with the cessation of Emotet activity. With the removal of LNK downloaders from the Top Malware Delivery Mechanisms chart, malicious HTML files increased significantly in volume, overtaking both DotNETLoader and the CVE-2017-11882 vulnerability. This is due to QakBot returning in late Q3, utilizing malicious HTML attachments to deliver the malicious payload. The volumes for the DotNETLoader and CVE-2017-11882 delivery mechanisms appear minute when compared to that of Emotet delivery using Office macros, or even QakBot via malicious HTML, but they still pose a credible threat. Other noteworthy delivery mechanisms seen delivering malware in Q3 are DBatLoader and PDF droppers. The top delivery mechanism for this quarter is once again heavily influenced by Emotet volume (despite its short period of operation), and the chart shown in Figure 3 has accordingly been capped to make other mechanisms perceptible.

Figure 3: Top Malware Delivery Mechanisms by Email Volume in Q3 2022 and Q2 2022.

TLDs and Domains Used in Credential Phishing

For Q3 2022, Cofense Intelligence analyzed URLs used in credential phishing emails that reached users in environments protected by SEGs, to identify the top-level domains (TLDs) and domains that were most prominent. The URLs analyzed are split into two categories: Stage 1 and Stage 2. Stage 1 URLs are embedded in the phishing emails and are the first step in the infection chain, whereas Stage 2 URLs can only be reached if the user interacts with the embedded URL.

When both stages are combined, the volumes associated with most TLDs are largely comparable between Q2 and Q3, although some changed significantly, and a new TLD joined the list. Domains using the .com TLD accounted for approximately 53% of the total, a slight decrease from Q2. The .net TLD increased once again, now amounting to 9.60% of the total. Other notable TLDs that were also in the top 10 for Q3 are .com.br, .org, .io, .co, .page, .xyz, .in, and .me. The only new addition for this quarter was the .page TLD.

Figure 4: Top 10 TLDs in Q3 2022 compared with Q2 2022.

The majority of top 10 TLDs for Stage 1 URLs remained consistent with those of Q2, although two of the top 10 were eclipsed. The TLDs .site and .ly are now top 10 Stage 1 TLDs, replacing .ms and .app from Q2. The differences among all Q3 TLDs are negligible, ranging from a fraction of a percent to nearly 2%, both positive and negative.

Table 2: Stage 1 TLDs in credential phishing during Q3 2022.

The top 10 Stage 2 TLDs for this quarter saw multiple changes outside of the top three. The top three Stage 2 TLDs remain mostly consistent, with the largest change being the volume of .me domains decreasing, dropping it off the list, and .org taking its place. The number of URLs with the .co.uk, .online, and .live TLDs increased this quarter, replacing .app, .io, and .ru on this chart.

Table 3: Stage 2 TLDs in credential phishing during Q3 2022.

The 10 most common .com domains used in both stages combined are represented below. Among these domains, several trusted cloud platforms can be identified, showing their continued use by credential phishing threat actors.

Compared to the previous quarter, the top 10 most common .com domains saw multiple changes. Adobe.com remains in the top spot for this quarter, while the Sharepoint, Evernote, and Canva .com domains increased in volume. The Amazonaws, Petanitest, Axshare, and Clickfunnels .com domains replaced the Backblazeb2, Weebly, Live, and Digitaloceanspaces .com domains. Myportfolio.com remained on the list, although it decreased in volume.
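As an added example (not Cofense's own tooling) of how a Stage 1 / Stage 2 TLD and .com-domain breakdown like the one above can be computed, the following Python tabulates a constructed URL sample; the multi-label suffix table is an assumption standing in for the full Public Suffix List.

```python
"""Tabulate the top-level domains and .com registered domains seen in
credential phishing URLs, split into Stage 1 (embedded in the email) and
Stage 2 (reached only after the user interacts with the first link).
Added example; the URL lists are constructed and the suffix table is a
small stand-in for the Public Suffix List."""
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit
import ipaddress

# Assumption: a real run would load the full Public Suffix List; this subset
# is enough to count .com.br and .co.uk as single TLDs, as the charts do.
MULTI_LABEL_SUFFIXES = {"com.br", "co.uk", "com.au", "co.jp"}

STAGE1_URLS = [  # constructed sample of links embedded in the emails
    "https://www.dropbox.com/s/abc123/Invoice.pdf?dl=0",
    "https://acme-share.sharepoint.com/:b:/g/personal/x/doc",
    "https://files.example.com.br/view/8821",
    "https://notice.example.co.uk/login",
    "http://198.51.100.10/track/1",           # IP literal: no TLD to count
    "https://secure-docs.example.net/open",
    "https://mail.example.page/auth",
    "https://cdn.example.io/file",
    "https://example.com/shared/4421",
]
STAGE2_URLS = [  # constructed sample of pages reached after the first click
    "https://auth-sso.example.com/office365/",
    "https://login-verify.example.net/",
    "https://storage.example.co.uk/index.html",
    "https://share.adobe.com/doc",
    "https://example.online/owa",
    "https://example.live/login",
    "https://example.com/validate?u=1",
]


def hostname(url: str) -> Optional[str]:
    """Lower-cased hostname of a URL, or None for IP literals and junk."""
    if "://" not in url:
        url = "//" + url  # urlsplit needs a scheme or a leading // to see a netloc
    host = urlsplit(url).hostname
    if not host:
        return None
    try:
        ipaddress.ip_address(host)  # IP literals carry no TLD
        return None
    except ValueError:
        return host.lower().rstrip(".")


def public_suffix(host: str) -> str:
    """Effective TLD of a hostname, e.g. 'com.br' for 'files.example.com.br'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-2:])
    return labels[-1]


def registered_domain(host: str) -> str:
    """Suffix plus one label, e.g. 'sharepoint.com' for 'acme-share.sharepoint.com'."""
    labels = host.lower().rstrip(".").split(".")
    n = public_suffix(host).count(".") + 2  # suffix labels plus one more
    return ".".join(labels[-n:])


def top_tlds(urls):
    """[(tld, count, percent)] sorted by count, IP literals excluded."""
    counts = Counter(public_suffix(h) for h in map(hostname, urls) if h)
    total = sum(counts.values())
    if not total:
        return []
    return [(tld, n, round(100.0 * n / total, 2)) for tld, n in counts.most_common()]


def top_com_domains(urls, limit=10):
    """Most common registered domains under .com, as in the quarterly chart."""
    hosts = [h for h in map(hostname, urls) if h]
    counts = Counter(registered_domain(h) for h in hosts if public_suffix(h) == "com")
    return counts.most_common(limit)


if __name__ == "__main__":
    for name, urls in (("Stage 1", STAGE1_URLS), ("Stage 2", STAGE2_URLS),
                       ("Combined", STAGE1_URLS + STAGE2_URLS)):
        print(name, top_tlds(urls))
    print(".com domains", top_com_domains(STAGE1_URLS + STAGE2_URLS))
```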

File Extensions of Attachments

The chart below represents the distribution of filename extensions on email attachments that reached users in SEG-protected environments in Q3. PDF attachments remained the top extension analyzed, and saw another large increase compared to the previous quarter, growing by approximately 7% and now making up over 48%. This continues to be more than the combined percentage of the next two extensions, .html and .htm, which together make up 36%. These file extensions are more commonly associated with credential phishing attacks, and delivery of QakBot in late Q3.

Office files like .docx, .xlsx, and .doc continue to be top 10 file extensions on phishing email attachments. These files are used for a variety of purposes, such as delivering credential phishing, running malicious Office macros, and exploiting vulnerabilities. Notably, the .xls and .lz extensions disappeared from the top 10, being replaced by .shtml and .rpmsg, while several other extensions switched positions due to changes in volume.

Figure 5: Top 10 most common attachment file extensions found in environments protected by SEGs.

Command and Control Server Locations

Tracking Command and Control (C2) servers provides insight into a range of malicious cyber activities across the globe. These C2 nodes can deliver phishing campaigns or command malware, and often receive information and exfiltrated data from infected hosts. The top five locations for this quarter were very similar to those of Q2, except that servers in Great Britain increased in usage, replacing servers in the Netherlands. The other four countries remained the same and even held similar percentages, with a slight increase in usage. These statistics do not directly correlate with the full range of infrastructure threat actors use, and they should only be interpreted as C2 locations rather than where operations originate.

Table 4: Q2 2022 and Q3 2022 percentages for C2 sources by IP address geolocation.

Figure 6: Global heatmap of C2 sources. Darker shades reflect more IP addresses.

Finished Intelligence: Topics and Trends

Throughout Q3 2022, Cofense Intelligence performed in-depth analysis on various threats to provide you with a strategic understanding of the phishing threat landscape and notify you of sudden or upcoming developments. Below, we summarize finished intelligence reports and flash alerts that Cofense Intelligence produced on notable topics and trends identified during this period. Along with these, Cofense Intelligence customers will also find a brief overview of the highlights among Cofense Intelligence product updates for the first half of 2022!

The Tactics of a Prolific Phishing Campaign Abusing Dropbox

During August and September of 2022, Cofense has observed an effective credential phishing campaign abusing Dropbox and reaching end users across many industries. The threat actor(s) behind the campaign have put in a considerable amount of effort to increase the chances of successfully stealing the email login credentials of enterprise users. By utilizing various tactics, techniques, and procedures (TTPs), the phishing emails have been very successful at reaching inboxes. These phishing emails reached inboxes in August at a volume far outscaling any other campaign that Cofense has seen effectively abuse Dropbox this year. However, monthly volume from this phishing campaign has been inconsistent, dropping drastically from August to September.

Credential Phishing Targeting Government Contractors Evolves Over Time

Threat actors are running a series of campaigns spoofing several departments of the United States government. The emails claim to request bids for government projects but lead victims to credential phishing pages instead. These campaigns have been ongoing since at least mid-2019 and were first covered in our Flash Alert in July 2019. These advanced campaigns are well crafted, have been seen in environments protected by secure email gateways (SEGs), are very convincing, and appear to be targeted. They have evolved over time by improving the email contents, the PDF contents, and the appearance and behavior of the credential phishing pages.

Snake Keylogger – Phishing Malware Baseline

Snake Keylogger, a staple in the phishing threat landscape throughout 2021 and 2022, is a keylogger written in .NET. It can monitor a user’s keystrokes, scan applications to steal saved credentials, and exfiltrate this data through a variety of protocols. Although it is not as popular as other malware families such as FormBook or Agent Tesla, it does maintain a significant presence, and its usage is increasing. In this report, we take an in-depth look at Snake Keylogger, including background information, Snake Keylogger’s capabilities, its behavior observed in the wild, and some characteristics that can help with mitigation.

Top Domain Names in Evasive Credential Phishing Attacks

A domain name is an essential part of a malicious URL used in a credential phishing attack. Following on our research into the most-used top-level domains (TLDs) in credential phishing threats, we analyzed recent data to look for trends in full domain names. We found that no single domain name appeared in more than a relative handful of campaigns. The only domain names that are both consistently reused by threat actors and consistently reach inboxes are those that belong to legitimate, implicitly trusted services.

DocuSign-Spoofing Campaign Heavily Targets Executives

Cofense Intelligence has identified an ongoing credential phishing campaign that spoofs DocuSign and has bypassed secure email gateways. Through initial collaboration with Cofense Intelligence customers and subsequently with the Cofense Phishing Defense Center (PDC), we determined that the campaign was almost exclusively targeting executive-level employees, primarily CFOs.

An Introduction to Phishing Malware Types

This Cofense Intelligence report is part of a small group of reports that are intended to provide introductory understanding of the phishing threat landscape. With very few exceptions, the malware that Cofense Intelligence finds being delivered through phishing campaigns generally falls into one of the following malware types: Banker, Information Stealer, Keylogger, Loader, Ransomware, and Remote Access Trojan (RAT). These malware types are important to track because they can provide valuable insight into the landscape. For example, Information Stealers becoming more common than Keyloggers in 2021 could provide some indication of a shift in focus on the part of the threat actors. In this report, we explain each of the types, some of the challenges they present, how they apply, and why using them is valuable.

Projections for Q4 2022 and Beyond

QakBot Still the Malware Family to Watch, with Version 5 and New Tricks.

QakBot continues to be the top malware family seen in phishing emails reported to the Cofense Phishing Defense Center from users in environments protected by SEGs. The success rate of the phishing emails reaching enterprise inboxes can be attributed to the use of hijacked email threads and embedded URLs, among other TTPs that are known to aid in bypassing security. In late Q3, threat actors using the new version 5 of QakBot have been seen making several changes to their phishing tactics. The most notable new tactic employs attached malicious HTML files to deliver the payload. This new tactic does not rely on an embedded payload URL or redirect URL, as is typical of most malicious emails delivering via HTML file attachments. Instead, the malicious payload is hardcoded into the HTML file and dropped when the HTML is rendered in the browser. This makes the delivery mechanism versatile (since every browser can read and execute HTML files) and stealthy (since the HTML file drops the payload locally without having to reach out to an external resource). QakBot continues to evolve defensive mechanisms against malware analysis, and phishing emails delivering QakBot continue to successfully reach inboxes. This makes QakBot the malware family to continue to watch as we enter Q4 2022, especially since a successful QakBot infection can lead to more costly threats like ransomware.

Other Malware Delivery Campaigns Copycatting Successful Tactics of QakBot.

Threat actors are known for collaborating, sharing, or even just taking successful ideas from others in their practice. One way this is apparent is that successful TTPs used in phishing campaigns entering the wild tend to emerge in other campaigns later on. During Q2 and continued into Q3, phishing campaigns delivering QakBot started using malicious HTML attachments as the first step of the infection chain in their highly successful and prolific phishing emails. Since this tactic emerged at such a large scale and had success reaching end users, other malware campaigns have been seen utilizing this tactic. Campaigns using malicious HTML files to download archives have emerged, delivering a variety of information stealers and RATs, most notably including a large NetSupport Manager RAT campaign. We anticipate this type of TTP to continue to be adopted by other malware delivery campaigns due to its versatility, stealth, and success in reaching inboxes protected by SEGs.

Emotet is Missing, What’s Next?

At the beginning of Q3, we continued to see large volumes of Emotet emails, until about mid-July, when Emotet phishing activity ceased. Following a spike in Emotet C2 traffic observed by Cofense on Oct. 10, 2022, it is plausible that Emotet itself will recommence sending malicious emails at some point in the coming quarter. However, for as long as this lull lasts, other malware families have an opportunity to step in and fill the void. With the high-volume return of QakBot in late Q3, along with its continual evolution of analysis evasion and TTPs, we may see a significant increase in QakBot volumes across Q4 to make up for the current lack of Emotet distribution.

Cancer-Themed Gift Card BEC Attacks Targeting Victims in the United Kingdom

By Ronnie Tokazowski

Gift card scams are one type of Business Email Compromise (BEC) attack that frequently gets disregarded or glossed over because of the complexity of tracing the fraud and the lack of visibility into how the money is used. Individuals inside an organization don’t want to come forward and admit they were a victim, law enforcement doesn’t take on these relatively small-dollar fraud cases, and the reality is that there is virtually zero insight into or tracing of gift cards when it comes to how or where they have been used. It is a crime that flies under the radar: everyone knows it happens, but no one focuses on it and no one can do anything about it.

This is why we are going to cover one of the latest trends in gift card scams … using cancer patients as excuses on why you should send gift cards to strangers. To note, the samples included in this write up are ones that Cofense has seen and identified in actual enterprise environments after they were missed by existing standard email security controls. These are not hypothetical, but actual emails that made it to an employee’s mailbox after bypassing Secure Email Gateways (SEGs).

In today’s gift card attack, the scammers started with a phishing email just like any other gift card BEC. “Just wondering if i can get a quick favour from you.”

Image 1. Cofense response

Next, we received a response from the actor that they needed us to purchase an Apple gift card for a friend’s daughter who is suffering with liver cancer. To play up on the emotions, the actor tells us that they promised the card for her birthday but are having trouble getting the card for her.

Image 2. Lure asking for gift cards

We responded accordingly and said that yes, we could purchase the gift card for the daughter and asked what stores we could use to make the purchase. Purchasing gift cards is something that most people don’t normally do, which often leads to more questions from suspicious employees. While attackers are happy to walk potential victims through the steps, it’s easier to provide the stores up front with where they can purchase the cards. In this attack, Morrisons, Waitrose, Sainsbury’s, Argos, ASDA, and John Lewis were provided, most of which are grocery stores located in the United Kingdom. This helps provide more evidence that their initial target (or who they think they’re targeting) is more than likely in the UK.

Image 3. Listing of stores provided by attacker

We told the actor that we would be willing to run to the store, and they said they looked forward to hearing from us. Once we were “at the store,” we clarified what type of card they needed, and they let us know that they needed Apple gift cards totaling £200 in £100 denominations. Once acquired, we were instructed to scratch off the back of the card to reveal the PIN, take a snapshot, and send it via email.

Image 4. Confirmation of what cards are needed

At this point, we stopped conversing with the scammer. This is a highly typical sequence for how gift card scams work. Please stay vigilant and be on the lookout for these types of BEC attacks.

For more insights on BEC attacks and gift card scams, here are more resources:

Scammers Are Targeting Hurricane Relief Funds Through FEMA

By: Ronnie Tokazowski

Just like with other natural disasters, scammers are trying to use these terrible situations to their advantage. In the wake of Hurricane Ian, many Floridians are displaced, just like those in Louisiana and Mississippi after Hurricane Ida in 2021, with both storms responsible for billions of dollars in damages as well as loss of life.

There is now evidence that shows scammers are going after relief funds available to those in need from FEMA. Scammers are actively sharing tutorials and documents with criminal networks on how to steal relief funds for those in need.

Here’s what we know.

Recently, a Nigerian colleague shared screenshots which were circulating different hacker WhatsApp groups about disaster relief assistance. While these may appear to be simple screenshots of someone filling out a regular form with DisasterAssistance.gov, the context of these images is something that scammers can use to file fraudulent claims. In the first image, scammers instruct other scammers to select the option of “Hurricane/Hail/Rain/Wind Driven Rain” as what type of damage occurred, and to select the option of “Tornado/ Wind” damage.

Image 1. Screenshot of fraudulent loan application filed by scammers as a tutorial to commit fraud

In total, the documents and images shared by scammers comprise 23 different steps, each of which details what to say, how to fill out the application, and what type of information can be used to file a fake claim.

Image 2. Application instructing user to fill out hotel accommodations

Image 3. Entering address of where damage happened

Image 4. Confirming name, birthday, social security number, and email account

The intent of these fake returns is to make claims to FEMA that appear real and get accepted, in order to steal money from the government. While these screenshots were taken in response to Hurricane Ida, our source in Nigeria says that scammers are actively using this tactic to steal funds from FEMA. To note, the social security numbers being used could be stolen, bought online, or a mix of both.

Image 5. Reference of Hurricane Ida

In addition, one of the screenshots shows a submitted FEMA application with a reference to “ssn-check.org”, a website which can be used to verify the existence of a social security number. In addition, ssn-check shows a timeframe that the SSN was created, allowing the attackers another form of verification when they’re filing these false claims.

And as proof of success of this scam, the scammers also provided the criminal network with a final screenshot showing the submitted application.

Image 6. Successful FEMA application

While it may be difficult to identify fraudulent returns simply by how the forms are filled out, scammers routinely come from the same IP address, use the same email accounts, or make use of the Google dot bug to register multiple claims from the same account.
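Gmail ignores dots in the local part of an address and anything after a '+', and googlemail.com is an alias of gmail.com, so one mailbox can file claims under many spellings. The following added example (not FEMA's or Cofense's code) canonicalizes claimant addresses and groups claims by mailbox and by source IP to surface the repeat filings described above; the claim records are constructed.

```python
"""Collapse the many spellings of one Gmail mailbox to a single key and group
claims by mailbox and source IP.  Added example with constructed records."""
from collections import defaultdict

# Providers known to ignore dots and '+' tags in the local part.  Dot
# insensitivity is Google-specific, so other domains are left untouched.
GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}

CLAIMS = [  # constructed records: (claim_id, claimant email, source IP)
    ("C-1001", "john.doe@gmail.com", "203.0.113.7"),
    ("C-1002", "j.o.h.n.doe@gmail.com", "203.0.113.7"),
    ("C-1003", "johndoe+ida@googlemail.com", "203.0.113.7"),
    ("C-1004", "jane.roe@example.org", "198.51.100.5"),
    ("C-1005", "jane.roe@example.org", "198.51.100.9"),
]


def canonical_email(addr: str) -> str:
    """Return the address that Gmail actually delivers to, lower-cased."""
    addr = addr.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"malformed address: {addr!r}")
    if domain in GOOGLE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")  # drop tag, then dots
        domain = "gmail.com"                              # fold the alias domain
    return f"{local}@{domain}"


def group_claims(claims):
    """Index claim ids by canonical mailbox and by source IP."""
    by_email, by_ip = defaultdict(list), defaultdict(list)
    for claim_id, email, ip in claims:
        by_email[canonical_email(email)].append(claim_id)
        by_ip[ip].append(claim_id)
    return by_email, by_ip


def flag_duplicates(claims, threshold=2):
    """Return {reason: [claim ids]} for any mailbox or IP seen >= threshold times."""
    by_email, by_ip = group_claims(claims)
    flags = {}
    for mailbox, ids in by_email.items():
        if len(ids) >= threshold:
            flags[f"same mailbox {mailbox}"] = ids
    for ip, ids in by_ip.items():
        if len(ids) >= threshold:
            flags[f"same source IP {ip}"] = ids
    return flags


if __name__ == "__main__":
    for reason, ids in flag_duplicates(CLAIMS).items():
        print(reason, "->", ", ".join(ids))
```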

And as horrible as it sounds, scammers are quick to jump on the bandwagon when other humans are in need. FEMA is aware that scammers are targeting their platforms with fraud, however they need to increase vigilance as scammers are actively moving to steal funds as quickly as possible. In addition, users may receive mail to their address stating that they received funds. If you didn’t file, tell FEMA! Be on the lookout for other types of FEMA fraud and if you see anything, make sure to report it to FEMA.

The Tactics of a Prolific Phishing Campaign Abusing Dropbox

Cofense Intelligence™ Strategic Analysis

During August and September of 2022, Cofense has observed an effective credential phishing campaign abusing Dropbox and reaching end users across many industries. The threat actor(s) behind the campaign have put in a considerable amount of effort in order to increase the chances of successfully stealing the email login credentials of enterprise users. By utilizing various tactics, techniques, and procedures (TTPs), the phishing emails have been very successful at reaching inboxes. These phishing emails reached inboxes in August at a volume far outscaling any other campaign that Cofense has seen effectively abuse Dropbox this year. However, monthly volume from this phishing campaign has been inconsistent, dropping drastically from August to September.

Figure 1: Overall Volume of Phishing Emails Abusing Dropbox and Successfully Reaching Inboxes.

Compared to other campaigns abusing Dropbox, the volume of phishing emails within this campaign that are reaching end users attained a peak that we haven’t seen since early 2021. Figure 1 shows a comparison of phishing emails that are reaching users’ inboxes and abusing Dropbox from June 2020 to September 2022. February 2021 marks the highest peak in volume. This particular campaign emerged in early August 2022, resulting in a spike in volume that nearly surpassed the previous high. While it now appears to be tapering off, it is worthwhile to look back and consider the components of a campaign that reached inboxes so effectively.

Evasive TTPs

This campaign utilizes multiple TTPs known to increase the likelihood that the phishing emails reach the intended targets:

  • Trusted Domains – By abusing a well-known file hosting service like Dropbox, threat actors are able to host malicious content on a “trusted” domain. A domain is considered trusted when its primary use is legitimate. The use of these URLs can disrupt security measures that rely on automation, since the domain cannot be blocked outright, and every URL must be analyzed individually. The use of Dropbox URLs can also create a sense of legitimacy for end users, making the phishing attempt all the more convincing.
  • URL Redirection – The use of multi-layered links and redirection, multi-layered compression, and multi-layered encoding has become a common anti-analysis tactic. SEGs have the ability to follow redirections and do analysis on multi-step phishing campaigns, but there are usually limits set on the number of redirections a SEG will follow. This campaign combines the abuse of a trusted platform with multiple redirections. The embedded Dropbox link is not outright malicious, but it does start a redirection chain ending with a phishing page that harvests email login credentials.
  • Blob URLs – Threat actors for this campaign have included an additional step within the URL redirection to create a Blob (Binary Large Object) for the phishing URL. A Blob URL allows Blob and file objects to be used as a URL source for data, images, etc. This step is not used for every email within the campaign, but when it is, it may be utilized as an anti-analysis and evasion technique. The first redirect starts the process of creating the Blob and uses JavaScript code to build it. This process is not likely to be noticed without tracking network traffic, meaning an everyday user is unlikely to notice. The key indicator that this process has occurred is that the phishing URL will have “blob:” in the address bar of the browser.
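The Blob URL step above, and the hardcoded-payload HTML attachments described in the QakBot projections, leave static indicators in the HTML itself. The following added example (not Cofense's code) scores an HTML attachment or redirect page for those indicators and decodes the largest inline base64 literal to size and type the embedded file; the weights are an assumption and the sample documents are constructed with a harmless marker, not real malware.

```python
"""Static triage of an HTML attachment (or a fetched redirect page) for
HTML-smuggling and Blob-URL indicators: a base64 payload decoded with atob(),
wrapped in a Blob, turned into a blob: URL by URL.createObjectURL and
auto-clicked as a download.  Added example; weights are an assumption and the
sample HTML below is constructed around a harmless marker."""
import base64
import re

# (label, pattern, weight).  Weights are a heuristic assumption; tune them
# against your own corpus of known-good and known-bad attachments.
INDICATORS = [
    ("atob(", re.compile(r"\batob\s*\("), 1),
    ("new Blob(", re.compile(r"\bnew\s+Blob\s*\("), 2),
    ("URL.createObjectURL", re.compile(r"URL\.createObjectURL\s*\("), 2),
    ("msSaveOrOpenBlob", re.compile(r"msSaveOrOpenBlob"), 3),
    ("download attribute", re.compile(r"\.download\s*=|\bdownload\s*="), 1),
    (".click()", re.compile(r"\.click\s*\(\s*\)"), 1),
]
# A long base64 string literal is the payload itself when the HTML carries the
# file inline instead of reaching out to an external resource.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{64,}={0,2})['"]""")
MAGIC = [(b"PK\x03\x04", "zip archive"), (b"MZ", "Windows executable"),
         (b"%PDF", "PDF"), (b"\x7fELF", "ELF executable")]


def classify_payload(blob: bytes) -> str:
    """Name the file type of a decoded payload from its magic bytes."""
    for magic, kind in MAGIC:
        if blob.startswith(magic):
            return kind
    return "unknown"


def scan_html(html: str) -> dict:
    """Return indicator hits, a score and details of the largest inline payload."""
    hits = [(label, w) for label, rx, w in INDICATORS if rx.search(html)]
    payload = None
    literals = sorted(B64_LITERAL.findall(html), key=len, reverse=True)
    if literals:
        try:
            decoded = base64.b64decode(literals[0], validate=True)
            payload = {"bytes": len(decoded), "kind": classify_payload(decoded)}
            hits.append(("inline base64 literal", 2))
        except ValueError:
            pass  # looked like base64 but does not decode: not a payload
    return {"score": sum(w for _, w in hits),
            "indicators": [label for label, _ in hits],
            "payload": payload}


# Constructed, harmless stand-in for a smuggled file: a zip magic number
# followed by marker text (not a valid archive).
FAKE_PAYLOAD = b"PK\x03\x04" + b"constructed marker bytes, not a real archive " * 2
SMUGGLING_HTML = """<html><body><p>Your document is ready.</p>
<script>
var data = "__B64__";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);   // this is what puts blob: in the address bar
a.download = "Document.zip";
a.click();
</script></body></html>""".replace("__B64__", base64.b64encode(FAKE_PAYLOAD).decode())

# Constructed benign page: an ordinary share link and no inline payload.
CLEAN_HTML = """<html><body><p>Your document is ready.</p>
<a href="https://www.dropbox.com/s/abc123/Invoice.pdf?dl=0">Open</a>
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("smuggling sample", SMUGGLING_HTML), ("clean sample", CLEAN_HTML)):
        print(name, scan_html(doc))
```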

The combination of these tactics can disrupt security analysis, and often results in the phishing email reaching the end user. Compromising employee credentials can lead to more high-level threats, potentially resulting in broader organizational compromise and financial loss.

Breakdown of the Phishing Campaign

This phishing campaign is well crafted and widespread, reaching enterprise users in many industries. The threat actors behind the phish have put in significant effort compared to ordinary phishing campaigns. The phishing emails tend to vary, as there seem to be multiple email templates used for this campaign. From an end user point of view, some of the more convincing email themes being used are e-sign documents, fax notifications, project acknowledgements, and themes spoofing legitimate Dropbox emails.

Figure 2 and Figure 3 below are both phishing emails from this campaign that were found in environments protected by SEGs. The first email (Figure 2) is convincing, appearing similar to a legitimate Dropbox shared file email. Employees that use Dropbox regularly may recognize this template and even feel safe interacting with it. Figure 3 is an example of an email spoofing Adobe Acrobat e-sign, suggesting that the recipient has financial documents that need to be signed. These are two of several email templates that have been seen within this campaign. At first glance, they appear to vary greatly. However, both contain Dropbox links that lead to a similarly hosted file which, when interacted with, will redirect to a credential phishing page.

Figure 2: Dropbox-spoofing phishing email with embedded Dropbox link.
 

Figure 3: Fax-themed phishing email with embedded Dropbox link.
The threat actor’s use of such a wide variety of email templates can make it difficult to educate just on email appearance. While this is true, and education should be focused on the phishing tactics being used, it is important to understand the lure within the phishing emails.

Table 1 shows some of the commonly seen subjects in this phishing campaign. The subjects almost always reference a shared file, which complements the threat actors' use of Dropbox links. They also include some reference to the recipient’s name, employer, or other identifiable information to give the emails a more legitimate appearance.

Table 1: List of commonly seen email subjects in Dropbox phishing campaign.

Commonly Seen Email Subjects in Dropbox Phishing Campaign
Shared Files with ‹recipient name or identifiable information›
DISITRUBUTED PROJECT FILES FROM ‹recipient name or identifiable information›
Distributions Acknowledgement from ‹recipient name or identifiable information›
Acknowledgement Project From ‹recipient name or identifiable information›
Acknowledgement For Project #55627 From ‹recipient name or identifiable information›
Acknowledgement Project For ‹recipient name or identifiable information›
Project Files From ‹recipient name or identifiable information›
Statement From ‹recipient name or identifiable information›
‹recipient name or identifiable information› shared “‹filename›.paper” with you

Figure 4: Common words in email subjects of Dropbox phishing campaign.
The embedded Dropbox links in these emails follow one of two Dropbox URL directory paths, /scl/fi/ and /l/scl/. These links can be created by manually uploading files to Dropbox and sharing the links, or by using the Dropbox API. The directory paths alone can’t be used as indicators of compromise (IOCs) because they are also found in legitimate Dropbox URLs. However, as commonalities in this campaign, they may be useful in separating it from other campaigns that abuse Dropbox. For instance, a standard PDF uploaded to Dropbox and shared will have a directory path of /s/, which is not used in this campaign. Below are two examples of full IOCs from this campaign:

hxxps://www[.]dropbox[.]com/scl/fi/tz8lf0mlh36qk3imtvree/Your-mail-Password-is-set-to-expire-today[.]paper?dl=0&rlkey=6x59wvwcr6yggtbnz6eh2wmpe

hxxps://www[.]dropbox[.]com/l/scl/AADV6XwJtJ583LJwbC9ucdLRsjs52-St6LI

These links are often hidden in the email behind anchor text that follows the email theme, like “view file” or “see agreement”. Once a user interacts with the link, they will be brought to a file hosted on Dropbox like the one shown in Figure 5. This page in turn contains a clickable link that will start the redirection process, taking the user to a well-crafted credential phishing page like the one in Figure 6. These phishing sites are most often hosted on compromised domains and exfiltrate credentials to a PHP panel hosted on another compromised domain.
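As an added example (not code from the original post or from Cofense), the following Python triage function combines the two commonalities described above: the Table 1 subject templates and the /scl/fi/ and /l/scl/ Dropbox directory paths. The sample email, link tokens and hostnames are constructed.

```python
import re
from urllib.parse import urlparse

# Subject templates from Table 1 as case-insensitive regexes. The recipient-specific
# part is left free-form; the misspelling in the second line is kept as observed.
SUBJECT_PATTERNS = [
    r"^shared files with .+",
    r"^disitrubuted project files from .+",
    r"^distributions acknowledgement from .+",
    r"^acknowledgement project (from|for) .+",
    r"^acknowledgement for project #\d+ from .+",
    r"^project files from .+",
    r"^statement from .+",
    r'.+ shared ["“].+\.paper["”] with you$',
]
SUBJECT_RE = re.compile("|".join(f"(?:{p})" for p in SUBJECT_PATTERNS), re.IGNORECASE)

# Directory paths the post describes: /scl/fi/ and /l/scl/ are the campaign
# commonality; /s/ is a plain uploaded-and-shared file and is not used here.
CAMPAIGN_PREFIXES = ("/scl/fi/", "/l/scl/")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def defang(url: str) -> str:
    """Render a URL non-clickable for reports (hxxp scheme, [.] in the host)."""
    p = urlparse(url)
    scheme = "hxxps" if p.scheme == "https" else "hxxp"
    host = (p.hostname or "").replace(".", "[.]")
    return f"{scheme}://{host}{p.path}" + (f"?{p.query}" if p.query else "")


def classify_dropbox_url(url: str) -> str:
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host != "dropbox.com" and not host.endswith(".dropbox.com"):
        return "not_dropbox"
    if p.path.startswith(CAMPAIGN_PREFIXES):
        return "campaign_path"      # /scl/fi/ or /l/scl/
    if p.path.startswith("/s/"):
        return "standard_share"     # ordinary uploaded file, not this campaign
    return "other_dropbox"


def triage(subject: str, body: str) -> dict:
    """Score one email against the campaign's subject and link commonalities."""
    links = [(defang(u), classify_dropbox_url(u)) for u in URL_RE.findall(body)]
    subject_hit = bool(SUBJECT_RE.search(subject.strip()))
    campaign_links = [d for d, c in links if c == "campaign_path"]
    # Neither signal is an IOC on its own (the paths appear in legitimate Dropbox
    # URLs too); together they justify pulling the message for analyst review.
    if subject_hit and campaign_links:
        verdict = "review: subject template + campaign-style Dropbox link"
    elif subject_hit or campaign_links:
        verdict = "low: single weak indicator"
    else:
        verdict = "none"
    return {"subject_hit": subject_hit, "links": links,
            "campaign_links": campaign_links, "verdict": verdict}


# Constructed sample (not from the original post) imitating the templates above.
SAMPLE = {
    "subject": "Acknowledgement For Project #55627 From Jane Doe",
    "body": "Jane Doe shared a file with you.\n"
            "view file: https://www.dropbox.com/scl/fi/EXAMPLETOKEN/Project-Files.paper?dl=0\n"
            "Quarterly report: https://www.dropbox.com/s/EXAMPLE/report.pdf\n"
            "Help: https://example.com/support\n",
}

if __name__ == "__main__":
    for key, value in triage(**SAMPLE).items():
        print(key, value)
```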

Figure 5: Dropbox site that redirects to phishing page.
 

Figure 6: Phishing page used to harvest email login credentials.

Scammers Utilize Wufoo for Vacation Request Phish

As the holiday season ramps up, phishing scams related to PTO are expected to increase.

Missed By: Microsoft

Industry: Mining and Heavy Industries

By Kian Buckley-Maher, Cofense Phishing Defense Center

A phish recently noted by the Phishing Defence Center (PDC) utilizes the online form builder Wufoo, a tool commonly associated with easily created surveys and online registration forms. Threat actors have used Wufoo to create simplistic but effective credential stealing vectors.

Phishing Email

The email itself (Figure 1) uses basic language, informing the user that they need to save a copy of the form and use it to submit any further time-off requests. This enables the threat actor to gain credentials even after any future mandatory password resets, a common feature in many organisations.

To instill a sense of urgency it states that all requests for the subsequent two months need to be submitted through this method, so any users planning anything in the next few months will be compelled to download the form and input all the required information. As we head into the holiday season, this becomes even more timely. In addition, the user is requested to keep a copy of the form for any future time-off requests, as the requests are to be submitted during a two-month period. This also aligns with the typical 90-day password reset policies enabled in many organizations, and as such the threat actors ensure access to accounts even if a password reset has occurred.

Figure 1: Email Image

Looking at the header, we see the sender is utilising a generic alias to impersonate ‘Human Resources’, a typical naming convention used by organizations for company-wide communications such as this one.

Phishing Page

As seen in Figure 2, the form itself contains very few identifying marks such as branding or company logos, which threat actors in most cases include to increase the likelihood that the recipient interacts. The simplicity of this time-request form lets the phish reach further than most, with little modification needed between phishing campaigns, unlike a more stylised and complex corporate communication.

After entering the required fields, the user is also required to enter their email address in order to submit the form. Most organizations today utilize their self-service Payroll or HR portal to collect this information. This was most likely the indicator to the recipient that the email was suspicious, and it was reported via the Reporter button in Outlook.

Figure 2: Main Phishing Page
Once the user has provided all the required information, they will be presented with a page to input their account password to send the request, and the user's account credentials will be compromised.

Conclusion

The PDC continues to observe these kinds of phishing emails over the summer months, and as we look toward the end of year and the upcoming holiday season, we expect these campaigns to increase once again.

Due to the nature of these campaigns and their relative simplicity, it can be expected that they will be successful in organisations without proper phishing training and adequate phishing defences.

 

Indicators of Compromise (URL):
hXXps://xhrreview[.]wufoo[.]com/forms/m1cgigu51jrr9hf/

Threat actors abuse LinkedIn slink (Smart Link) to bypass Secure Email Gateways (SEGs)

Industry: Insurance and Finance

By Tej Tulachan, Cofense Phishing Defense Center

A noteworthy phishing campaign that abuses LinkedIn smart link redirects was recently observed by the Cofense Phishing Defense Center. This new, targeted campaign illustrates that while exploiting a well-known postal brand is nothing out of the ordinary, such phishing emails continue to go undetected by popular email gateways designed to protect end users.

Threat actors attempt to entice users into believing that the Slovakian Postal Service is requesting pending shipping costs. This is a very adaptable strategy due to LinkedIn’s slink feature and the variety of postal brands available. Threat actors abuse legitimate LinkedIn features with added unique alphanumeric variables at the end of the URL to redirect users to malicious websites. This is a clever tactic to bypass secure email gateways by abusing a commonly trusted source; falling for this attack can be avoided by users checking the embedded hyperlinks with extra precaution.

Email Body

Figure.1: Phishing Email

Translation:

The shipment is waiting for delivery

Slovak Post took the initiative and sent you this e-mail to inform you that your shipment is still waiting for your instructions.

Ref. C.: SK66902371WS

Shipping costs: €02.99

Confirm payment of shipping costs by clicking on the following link:

Confirm here

As seen in Figure 1, the email was sent in Slovakian. Although we can see that the recipient has a shipment waiting to be delivered, the order can only be fulfilled with payment. The threat actor even added features to the email, including the fictitious reference number, to give the impression of legitimacy.

When the header information is examined more closely, it becomes clear that the threat comes from sis[.][email protected]. The threat actor is spoofing Slovenská Posta to appear authentic to the recipient.

As we examine more closely, we can notice that the message content contains the embedded smart link URL hxxps://www[.]linkedin[.]com/slink?code=g4zmg2B6/ under “Confirm here”.

The LinkedIn “smart Link” feature allows users to redirect to legitimate websites to promote their website or advertisements. Threat actors, however, have different ideas and redirect users to malicious sites in an attempt to steal personal information. The threat actor’s choice of LinkedIn smart links is an effective way to get past the secure email gateway; many security protection tools are unlikely to block the URL. At the time of writing, the malicious URL in question is still live.

Phishing Page

Users are taken to the initial phase of this attack when they click the “Potvrd’te tu” button, as seen in Figure 1. The users are enticed to enter their bank card information to finalize the shipment order when they get to the payment page as seen in Figure 2.

Figure.2: Phishing page
 

In the final stage of the attack, the card details are entered and posted to the following address: hXXps://sk-1-b9833c[.]ingress-florina[.]ewp[.]live/login/cc/6c0924840f28f96026147e2cde8420af/card[.]php. The user is then redirected with a message informing them that their payment has been received and asking for a fake SMS code sent to their telephone number, as illustrated in Figure 3 (translated). Whatever digits are entered on this page, the user will be redirected to a final fake confirmation page (Figure 4), thereby deflecting suspicion.

Figure.3: Submit Telephone number
Figure.4: Fake confirmation
 

The phishing landing page was intended to resemble the authentic Slovakian post; however, upon further examination, we found that the given URL does not correspond to the legitimate Slovakian Post URL https://tandt.posta.sk/en, as shown in Figure 5.

Figure.5: Legit Slovak Post
 

Because the threat actor is exploiting the official LinkedIn smart link service, the phishing page is still up and running. This campaign serves as an example of how secure email gateways can potentially be outmaneuvered in the absence of an extra layer of defence provided by human sensors who can identify and report any odd emails and links that land in their inboxes.

 

Indicators of Compromise (URL | IP):
hXXps://www[.]linkedin[.]com/slink?code=g4zmg2B6
hXXps://sk-1-b9833c[.]ingress-florina[.]ewp[.]live/login/cc/6c0924840f28f96026147e2cde8420af/index[.]php?id=BO0uBtRF3f7 | 63[.]250[.]43[.]136
hXXps://sk-1-b9833c[.]ingress-florina[.]ewp[.]live/login/cc/6c0924840f28f96026147e2cde8420af/card[.]php | 63[.]250[.]43[.]137

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Credential Phishing Targeting Government Contractors Evolves Over Time

By: Cofense Intelligence

Threat actors are running a series of campaigns spoofing several departments of the United States government. The emails claim to request bids for government projects but lead victims to credential phishing pages instead. These campaigns have been ongoing since at least mid-2019 and were first covered in our Flash Alert in July 2019. These advanced campaigns are well crafted, have been seen in environments protected by secure email gateways (SEGs), are very convincing, and appear to be targeted. They have evolved over time by improving the email contents, the PDF contents, and the appearance and behavior of the credential phishing pages.

Email Contents: More Convincing, More Evasive

Figure 1: Initial Email of Most Recent Campaign
The campaigns targeted companies across a variety of sectors but focused most heavily on the energy and professional services sectors, including construction companies. The attackers likely targeted companies which could credibly receive invitations to bid from the relevant government department. The emails spoofed the U.S. Departments of Labor, Commerce, or Transportation. This was evident in the sender’s name and email address (as seen in Figure 1) as well as in the email signature. Sender email addresses for these campaigns originally appeared to be hosted on [.]us domains such as openbids[@]dol-gov[.]us, but towards the end of 2021, the addresses were more consistently spoofed as coming from a [.]gov email address like no-reply[@]dot[.]gov. These emails were typically sent from IP addresses hosted by the Hivelocity Inc ASN. In some cases, the service located at the sending IP address identified itself as a Microsoft IIS Windows server. Early emails had more simplistic email bodies without logos and with relatively straightforward language. The more recent emails made use of logos, signature blocks, consistent formatting, and more detailed instructions. Recent emails also include links to access the PDFs rather than directly attaching them.

PDF Contents: Lures Appear More Authentic

Figure 2: First Page of an Attached PDF

PDFs attached to these emails have changed over time. Within recent emails, the first page (seen in Figure 2) is typically the logo of the spoofed government department with additional information about the bid. The second page (shown in Figure 3) typically contains information about the process and will lure victims into clicking the link. In older versions, the PDFs were usually 1 or 3 pages. They contained more technical information about the bidding process, a signature of the spoofed sender, and a watermark of the spoofed department.

 

Figure 3: Second Page of an Attached PDF with Embedded Link to Credential Phishing Page
 

Figure 4: Targeted Sector by Spoofed Department
The metadata of the PDFs provides additional interesting information, as well as evidence of advancements in the threat actor’s TTPs. Older PDFs had little customization, and all listed the same “edward ambakederemo” as the author of the document. In the most recent PDFs, both the attached and downloaded versions, there is spoofed information more relevant to the recipient. The author is listed as “WisDOT”, the company is listed as “Wisconsin Department of Transportation”, and the subject, title, and description are all listed as “WisDOT Procurement – Invitation for Bid Toolkit”. The new information is an almost exact match with the metadata associated with an authentic invitation-for-bid toolkit PDF published by Wisconsin DOT. The change from using PDFs with consistent metadata for multiple campaigns to using customized metadata that appears authentic and is relevant to the specific campaign shows clear advancement in the TTPs of the threat actor.

 

Credential Phishing Page: Improved “Login” Process

In each case, the initial page of the phish is a copy of the home page of the spoofed department with the addition of a single red button encouraging victims to click it in order to bid. In cases spoofing the Department of Labor, the spoofed page (Figure 6) is a near duplicate of the legitimate DoL page (Figure 5) from about a year ago, but shows the added button. When victims click the link, they are taken to a different page on the same malicious domain (Figure 7), or in the case of some of the older pages, a popup window showing a page still on the same domain. The use of HTTPS ensures that a green padlock will appear, further giving the page a sense of legitimacy. The domains used for the phishing pages and for the links embedded in the PDF are specifically chosen to emulate government-bid-related themes. Therefore, they often include the department spoofed (such as dol) and “bid”. In addition to the URL seen in Figure 5, there were also URLs including .gov in the subdomain such as transportation[.]gov[.]bidprocure[.]secure[.]akjackpot[.]com, which has a purposefully long subdomain that could make only the part of the URL with .gov in it appear in the URL bar in smaller browser windows.

Figure 5: Legitimate Department of Labor Website from July 2021

Figure 6: Spoofed Department of Labor Home Page with Additional Button
 

Figure 7: Credential Request Form
The page helpfully informs victims that the page will accept Microsoft Office (i.e., corporate) credentials. This would appear in a popup window in some of the older pages. This initial page is consistently hosted on “/bidwindow.htm”. Subsequent pages (consisting of the URL paths “/openbid.php” and “/completegen.html”) ask victims to reenter credentials.

Figure 8: Captcha Challenge After Credentials Are Entered
Victims are then prompted with a captcha to verify that they are indeed human. This captcha is always hosted at “/bidwindowverify.htm”. After the captcha is complete and the credentials are exfiltrated, victims are redirected to the legitimate page of the relevant government department. After being redirected to the relevant government department’s website, victims are left to wonder if their credentials were accepted for the bid or if something else entirely happened. Specific instructions in the PDF inform victims that submitting twice is likely going to cause the whole process to fail, discouraging victims from trying again. The original credential phishing pages lacked multi-step processes and captcha checks, and had limited interactions. Instead, the credential harvesting form was hosted on the initial landing page. The improvements over time have made the pages more likely to trick victims into entering credentials, and have made victims less likely to realize after the fact that they have fallen for a phish.
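The multi-step path sequence described above (/bidwindow.htm, the re-entry pages, /bidwindowverify.htm, then a redirect to the genuine department site), together with the long .gov-in-subdomain hostnames, can be correlated from web proxy logs. The following Python is an added example, not from the original post, with constructed log lines and placeholder hostnames; its registrable-domain rule is a deliberately naive last-two-labels assumption.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines (not from the original post): time, client, URL.
# Hostnames are placeholders in the style the post describes.
LOG_LINES = """\
09:01:02 10.0.0.5 https://dol.gov/
09:01:40 10.0.0.5 https://dol-bidprocure.example.net/bidwindow.htm
09:02:05 10.0.0.5 https://dol-bidprocure.example.net/openbid.php
09:02:30 10.0.0.5 https://dol-bidprocure.example.net/completegen.html
09:02:55 10.0.0.5 https://dol-bidprocure.example.net/bidwindowverify.htm
09:03:10 10.0.0.5 https://www.dol.gov/
09:05:00 10.0.0.9 https://transportation.gov.bidprocure.secure.example.com/
09:06:00 10.0.0.9 https://www.transportation.gov/
"""

# Path sequence the post describes for the credential phishing pages.
STAGE_PATHS = {
    "/bidwindow.htm": 1,        # initial credential form
    "/openbid.php": 2,          # "re-enter your credentials" pages
    "/completegen.html": 2,
    "/bidwindowverify.htm": 3,  # captcha, then redirect to the real department site
}


def registrable_domain(host: str) -> str:
    # Assumption: naive "last two labels" rule. Production code should use the
    # Public Suffix List, since e.g. example.co.uk has three labels at the apex.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_gov_lookalike(host: str) -> bool:
    """True when a 'gov' label sits in the subdomain but the apex is not a .gov."""
    labels = host.lower().rstrip(".").split(".")
    return "gov" in labels[:-2] and not registrable_domain(host).endswith(".gov")


def find_bid_phish_chains(log_text: str) -> list:
    """Group proxy entries by client and report bid-phish page sequences."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, client, url = line.split(maxsplit=2)
        p = urlparse(url)
        events[client].append((ts, (p.hostname or "").lower(), p.path or "/"))

    findings = []
    for client, evs in events.items():
        per_host = defaultdict(lambda: {"stages": set(), "last_idx": -1})
        for i, (_, host, path) in enumerate(evs):
            stage = STAGE_PATHS.get(path)
            if stage:
                per_host[host]["stages"].add(stage)
                per_host[host]["last_idx"] = i
        for host, info in per_host.items():
            if {1, 3} <= info["stages"]:
                # Did the client land on a genuine .gov site right after the captcha?
                after = evs[info["last_idx"] + 1:]
                findings.append({
                    "client": client, "host": host,
                    "stages": sorted(info["stages"]),
                    "redirected_to_gov": any(h.endswith(".gov") for _, h, _ in after),
                    "gov_lookalike": is_gov_lookalike(host),
                })
        # Lookalike hostnames are worth a look even without the full page sequence.
        for host in sorted({h for _, h, _ in evs} - set(per_host)):
            if is_gov_lookalike(host):
                findings.append({"client": client, "host": host, "stages": [],
                                 "redirected_to_gov": False, "gov_lookalike": True})
    return findings


if __name__ == "__main__":
    for finding in find_bid_phish_chains(LOG_LINES):
        print(finding)
```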

 

Results of The Campaign

These campaigns are convincing from start to finish and make use of preexisting data copied from legitimate sources in order to mislead victims. The consistent impersonation of a United States federal department is carried out each time with updated information including watermarks on PDFs and information on the credential phishing pages. The only place where the threat actors fall slightly behind is that their spoofed pages can be out of date, which will likely go unnoticed by most victims. Given the advancements seen in each area of the phishing chain, it is likely the threat actors behind these campaigns will continue to innovate and improve upon their already believable campaigns. The first step towards defending against these kinds of attacks is ensuring that employees do not click malicious links. The next step is ensuring that employees realize this applies to attachments just as much as it does to links directly embedded in emails. Training employees to be suspicious of emails and carefully examine both links and sender information can also help here. An observant employee might notice that sometimes the sending email address, as in Figure 1, is not in fact a .gov address, and the embedded links are not in fact .gov domains. Cofense Intelligence will continue to track these campaigns and provide up to date IOCs and rules allowing customers to track and predict similar campaigns. In fact, Cofense Intelligence recently posted about a campaign which used similarly advanced emails and copies of legitimate websites with an embedded “click to bid” link.

To download this report, click here.

Lampion Trojan Utilizes New Delivery through Cloud-Based Sharing

By Andy Mann and Dylan Main, Cofense Phishing Defense Center

Analysts at the Cofense Phishing Defense Center (PDC) have recently analyzed an email asking users to download a “Proof of Payment” as well as other documents. While it is important to never click on the link(s) or download the attachment(s) of any suspicious email, if the recipient interacts with the link, it downloads the Lampion malware.

The Lampion banking trojan has been around since 2019, but this is the first time it has been analyzed by the PDC. While it has not yet been determined who exactly is behind the malware, it is known for using a VBS loader. PDC analysts have now spotted threat actors using a new form of delivery for that very VBS file. By using the trusted cloud platform WeTransfer, which is used for payments, threat actors attempt to gain the trust of users while taking advantage of the service provided by the popular site. Given that they are leveraging a trusted payment site, it is not surprising to see threat actors align their email message with this process. A well-conditioned user quickly reported this email, which mitigated the threat of the malware infection.

Figure 1: Email Body

English translation: Good afternoon, I send proof of payment and documents on the link: hXXps://we[.]tl/t-pNvQIG8UJS I subscribe with high esteem and best regards

In Figure 1, the threat actor used a very simple email message to engage the recipient. The strongest tactic taken is spoofing a legitimate company, which could potentially be the result of compromised credentials. The email tells the recipient that a proof of payment and other documents have been sent, accessible at the URL hXXps://we[.]tl/t-pNvQIG8UJS. When the recipient interacts with the URL, they are directed to a page where they can download a ZIP file containing the documents referenced in the email.

Figure 2: Contents of the ZIP File
Figure 3: Strings from the First Wscript Process
Once the ZIP file is downloaded, its contents can be extracted to reveal a folder containing the two files seen in Figure 2. The VBS file, Comprovativo de pagamento de fatura_517-TEG_22-08-2022 20-09-24_28.vbs, is the file of concern, as it launches the malicious process. It initiates a wscript process. Analyzing the strings in the memory of this process reveals references to two different VBS files, seen in Figure 3. This initial process created these files in the AppData\Local\Temp and AppData\Roaming directories. There are four VBS files created in total, each with random letters as a filename. The scripts in AppData\Roaming are less relevant: one file appears to be empty or was deleted during the process, while the other is small with minimal functionality. The script xjfgxhakusp.vbs in AppData\Local\Temp is far more important.

 

Figure 4: URLs Leading to DLLs
While there are two VBS files in AppData\Local\Temp, the smaller script is only meant to initiate the other, larger script, xjfgxhakusp.vbs. It is a strange extra step taken by the threat actor. Upon running the larger script, another wscript process is initiated. This second wscript process reaches out to the two payload URLs in Figure 4. Both download the final DLL files. The bottom URL will download a password-protected ZIP which holds the DLL, but the password is hardcoded into the malicious process itself. The DLLs are then finally injected into memory. As a banking Trojan, Lampion mainly looks to steal the target's valuable information.
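An added example (not from the original post) showing how the execution chain above, a wscript process running a randomly named VBS from AppData that spawns a second wscript with network activity, can be picked out of endpoint process telemetry. The events are constructed and loosely modelled on Sysmon; pids, paths and the S3 hostname are placeholders, and the random-name check is a heuristic that only counts alongside other signals.

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry (not from the original post): process-create
# ("proc") and network-connect ("net") events, loosely modelled on Sysmon.
EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 50, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"type": "proc", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\Comprovativo de pagamento.vbs"'},
    {"type": "proc", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\qwhdlsk.vbs"'},
    {"type": "proc", "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\xjfgxhakusp.vbs"'},
    {"type": "net", "pid": 400, "dest": "example-bucket.s3.us-east-2.amazonaws.com:443"},
    {"type": "proc", "pid": 500, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Scripts\inventory.vbs"'},   # benign admin script
]

VBS_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.vbs)', re.IGNORECASE)
# Staging directories named in the post (matched against the lowercased path).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")
# "Random letters as a filename": a weak signal on its own, hence the threshold below.
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,16}\.vbs$")


def script_path(cmdline: str):
    m = VBS_RE.search(cmdline)
    return m.group(1) if m else None


def lineage(procs: dict, pid: int) -> list:
    """Command lines from the root ancestor down to pid, for the analyst's report."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["cmdline"])
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def analyze(events: list) -> list:
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    net_by_pid = defaultdict(list)
    for e in events:
        if e["type"] == "net":
            net_by_pid[e["pid"]].append(e["dest"])

    findings = []
    for pid, e in procs.items():
        if not e["image"].lower().endswith("\\wscript.exe"):
            continue
        script = script_path(e["cmdline"])
        if not script:
            continue
        low = script.lower()
        reasons = []
        if any(d in low for d in STAGING_DIRS):
            reasons.append("vbs in AppData staging directory")
        if RANDOM_NAME_RE.match(low.rsplit("\\", 1)[-1]):
            reasons.append("random-looking script name")
        parent = procs.get(e["ppid"])
        if parent and parent["image"].lower().endswith("\\wscript.exe"):
            reasons.append("wscript spawned by wscript")
        if net_by_pid.get(pid):
            reasons.append("script host made network connections: " + ", ".join(net_by_pid[pid]))
        # Require two independent signals so a lone admin script is not flagged.
        if len(reasons) >= 2:
            findings.append({"pid": pid, "script": script, "reasons": reasons,
                             "lineage": lineage(procs, pid)})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["pid"], f["script"], f["reasons"])
```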

While email security continues to evolve to protect the organization, threat actors are constantly looking for opportunities to land in the inbox. This is why it is critical to provide your users with simulations aligned with the latest threats. Customers of the Cofense PDC can ease or confirm their suspicions by reporting suspicious emails to the PDC where an analyst will analyze the email for emerging threats. Contact us to learn more.

 

Indicators of Compromise (URL | IP):
hXXps://we[.]tl/t-pNvQIG8UJS | 13[.]249[.]39[.]48
hXXps://wetransfer[.]com/downloads/d8c6430f0c15ee79cb72ea2083f4a07420220830135534/b872b1 | 108[.]128[.]47[.]24
hXXps://aculpaedopt[.]s3[.]us-east-2[.]amazonaws[.]com/soprateste.zip?=ttvuawzgbpiqawlaarfnlxatyebabbwpriceiqupxmmzuix | 52[.]219[.]104[.]24
hXXps://aculpaedopt[.]s3[.]us-east-2[.]amazonaws[.]com/oftvwaiyg?=wiyjxpnveuzmgakjpgcjitnjwxaizzzbzmibklzkokxitcgpmso | 52[.]219[.]177[.]178

 
