Phish Found in Proofpoint-Protected Environments – Week Ending August 9, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and were automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. This week sees a variety of the same ol’, same ol’: logistics spoofs, trusted cloud storage, and finance themes. Good thing humans can be trained to detect these things.

phishing example delivers a zipped jnlp java downloader to then deliver ursnif banking trojan

TYPE: Malware – Ursnif

DESCRIPTION: Threat actors in this connected age love to spoof logistics companies. This example warns of a package being returned to the sender. The attached, zipped .jnlp shortcut file leads to a JAR Downloader that runs the Ursnif malware. This is one package you do not want to receive.

phishing example of credential theft using dropbox link

TYPE: Credential Theft

DESCRIPTION: Cloud storage is certainly convenient for sharing files with friends and colleagues. Attackers think so, too. This one uses Dropbox to deliver a credential phishing page to the recipient. How convenient is that?

phishing example uses a delivery spoof with a link to credential theft page

TYPE: Credential Theft

DESCRIPTION: These attackers really stepped up their game with a convincing looking phish mimicking another logistics company. If only it hadn’t come from a Hotmail account.

phishing example uses an image link to direct the recipient to the pyrogenic stealer

TYPE: Malware – Pyrogenic

DESCRIPTION: It may look like a PDF, but this finance-themed phish actually delivers a linked image that appears to be an attachment. The link leads to the Pyrogenic Stealer.

phishing example of OneDrive link to download agent tesla keylogger

TYPE: Malware – Agent Tesla

DESCRIPTION: Here’s your quote for the day: beware of emails bearing malware. This attack identifies as a quote but delivers the Agent Tesla Keylogger via an embedded URL.

phishing example uses a coronavirus theme to perform credential theft

TYPE: Credential Theft

DESCRIPTION: They say rest and exercise are good for you, but this exercise starter kit from HR is really at the other end of the scale. The provided link takes the recipient to a web page designed to steal their credentials. That’s sure to get your heart rate up.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Found in Proofpoint-Protected Environments – Week Ending August 2, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and were automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. We note quite a bit of spoofing this week. Attackers know if they can get their phishing attacks into a user’s inbox, they still need to convince the user to click. If you need help raising the awareness of your users, check out some of our free resources.

phishing example invoice theme delivers pyrogenic stealer with embedded link

TYPE: Malware – Pyrogenic

DESCRIPTION: For such a polite email it carries an awfully impolite payload, as this finance-themed phish uses an embedded URL disguised as a PDF to deliver the Pyrogenic Stealer.

phishing example uses PDF attachment to perform credential theft

TYPE: Credential Theft

DESCRIPTION: Spoofing an international logistics company, this phish delivers an attached PDF with embedded links to a credential phishing site.

phishing example of a purchase order link that delivers nanocore remote access trojan

TYPE: Malware – NanoCore

DESCRIPTION: Everyone knows Dropbox is a legitimate cloud storage provider so, when we get a purchase order hosted on Dropbox, we click it. At least, that’s what the attacker hopes. In this attack, an archive holding the NanoCore Remote Access Trojan is downloaded. We’ve been discussing the use of Dropbox in phishing attacks for over 5 years.

phishing example spoofs logistics company to deliver avaddon ransomware and raccoon stealer

TYPE: Malware – Avaddon

DESCRIPTION: Another spoof of a major logistics company. This one really delivers. Using an embedded URL, it delivers the Smoke Loader, which then downloads Raccoon Stealer and Avaddon Ransomware. Read more about ransomware trends.

phishing example spoofs a voicemail delivers htm attachment to perform credential theft

TYPE: Credential Theft

DESCRIPTION: Stop me if you’ve heard this one. A spoofed voicemail notification uses an attached .htm file to mimic a Microsoft page to steal credentials. Voicemail notification phish are nothing new, but still reach users regularly.

phishing example delivers remcos rat using an xxe archive

TYPE: Malware – Remcos

DESCRIPTION: Self-quarantines and remote work arrangements seem like a recipe for increased deliveries and this phish takes advantage of that. Another logistics company spoof offers an invoice as a lure. In a rare twist, the attack delivers a .xxe archive that contains GuLoader, which will install the Remcos Remote Access Trojan.

phishing example uses box.com to deliver ursnif malware

TYPE: Malware – Ursnif

DESCRIPTION: Another attack relying on trust in a popular cloud storage provider. This one includes a link to a .js file that downloads and executes Ursnif. Are we having trust issues?

phishing example delivers password-protected zip to install icedid banking trojan

TYPE: Malware – IcedID

DESCRIPTION: If it is protected by a password, it must be secure. That’s the lure this attacker uses to convince the recipient to open the attached .zip archive, enable the macros in the provided Microsoft Office document, and install the IcedID trojan. It’s a blast from the past, as we wrote about password-protected ZIP files in phishing attacks way back in 2011.
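As an added example (not Cofense's code or a Cofense rule set), here is a small attachment triage routine covering the two archive tricks seen in these roundups: a risky file type such as .jnlp hidden inside a ZIP, and a password-protected ZIP whose contents a gateway cannot scan. The file-type list and the depth limit are this example's own assumptions, and the sample attachments are constructed in memory; the encryption flag is patched into the fixture because the standard library cannot write encrypted archives.

```python
"""Attachment triage: risky file types, ZIP contents, password-protected
archives (added example, not a Cofense rule set)."""
import io
import zipfile
from pathlib import PurePosixPath

# File types that show up as lures in these roundups (.jnlp inside a ZIP,
# .htm, .js, .xxe, .xlsb, macro-bearing Office files). The list is an
# assumption for this example; tune it to your own environment.
RISKY_TYPES = {".jnlp", ".jar", ".js", ".htm", ".html", ".xxe",
               ".xlsb", ".xlsm", ".docm", ".exe", ".iso"}
ARCHIVE_TYPES = {".zip"}
MAX_DEPTH = 3  # stop descending into archives nested deeper than this


def _ext(name):
    return PurePosixPath(name).suffix.lower()


def assess_attachment(filename, data=b"", depth=0):
    """Return a list of findings for one attachment; an empty list is clean."""
    findings = []
    ext = _ext(filename)
    if ext in RISKY_TYPES:
        findings.append(f"{filename}: risky type {ext}")
    if ext in ARCHIVE_TYPES:
        if depth >= MAX_DEPTH:
            findings.append(f"{filename}: archive nested too deep, not inspected")
        else:
            findings.extend(_inspect_zip(filename, data, depth))
    return findings


def _inspect_zip(filename, data, depth):
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{filename}: not a valid ZIP archive"]
    findings = []
    with zf:
        for info in zf.infolist():
            member = f"{filename}!{info.filename}"
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                findings.append(f"{member}: password-protected, content cannot be scanned")
                if _ext(info.filename) in RISKY_TYPES:
                    findings.append(f"{member}: risky type {_ext(info.filename)}")
                continue
            # only pull bytes out of the archive when we need to recurse
            inner = zf.read(info) if _ext(info.filename) in ARCHIVE_TYPES else b""
            findings.extend(assess_attachment(member, inner, depth + 1))
    return findings


def triage(attachments):
    """Map {filename: bytes} to {filename: findings} for a whole message."""
    return {name: assess_attachment(name, data) for name, data in attachments.items()}


# --- constructed fixtures -------------------------------------------------
def build_zip(members):
    """In-memory ZIP with the given {name: bytes} members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Fixture helper: set the encryption bit in every central-directory
    header so the archive reads as password-protected. Real archivers set
    this bit themselves; the standard library cannot write encrypted ZIPs."""
    data = bytearray(zip_bytes)
    pos = data.find(b"PK\x01\x02")
    while pos != -1:
        data[pos + 8] |= 0x01          # flags field sits at offset 8 of the CD header
        pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)


SAMPLE_ATTACHMENTS = {  # constructed sample message attachments
    "returned_package.zip": build_zip({"shipment_details.jnlp": b"<jnlp/>"}),
    "invoice.zip": mark_encrypted(build_zip({"invoice.docm": b"macro doc"})),
    "voicemail.htm": b"<html></html>",
    "report.pdf": b"%PDF-1.4",
}

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_ATTACHMENTS).items():
        print(name, "->", findings or ["clean"])
```

The point of the encryption check is that a password-protected member is reported even though nothing inside it can be read; a gateway that silently passes such archives because it found nothing to scan is exactly what the lure relies on.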

phishing example spoofs small business administration sba with coronavirus theme to perform credential theft

TYPE: Credential Theft

DESCRIPTION: While we hoped to get through an entire week’s blog without a COVID-19 example, it wasn’t meant to be. This phish pretends to be from the US Small Business Administration with details about an approved funding request. The embedded URL leads to a credential phishing page. Recipients should keep their mouse at least 6 feet away from the link.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Twitter Announces Hackers Gained Access via Phishing Attack

By Aaron Higbee

On July 15, 2020, a small number of Twitter employees were duped in a successful spear phishing attack, which Twitter is now calling a “phone spear phish”. There is a mention of a phone, but Twitter didn’t elaborate on what role a phone played. (SIM swap? Misleading link via SMS to a credential phishing page?) Regardless, phishing resulted in stolen Twitter employee credentials. Attackers used the stolen credentials to access internal systems and gain information about Twitter processes, then targeted additional employees to breach account support tools. Scam tweets were sent from dozens of major accounts and the hackers quickly received hundreds of bitcoin transfers worth over $115,000. This type of attack is not unusual, as 74% of real phish are credential phish.

Human Vulnerabilities

Twitter has now provided limited detail about the specific technique used in the spear phishing attack and has not disclosed how many employees or contractors have access to its account support tools. Broad levels of access can pose challenges to defending against phishing. Twitter shared, “This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” and called the incident “a striking reminder of how important each person on our team is in protecting our service”. The attack resulted in:

  • 130 accounts targeted
  • 45 accounts had Tweets sent by attackers
  • 36 accounts had the DM inbox accessed
  • 8 accounts had an archive of “Your Twitter Data” downloaded, none of which were Verified
  • Crypto transfers exceeding $115,000
  • Untold brand damage to Twitter

Human Informants?

In the blog post, Twitter didn’t mention how many Twitter employees were targeted in the phishing campaigns, how many of those employees reported the phishing attempts, and whether or not Twitter security operations were tooled up to act on employee reports of phishing.

In the Cofense annual report on employee phishing resiliency, you might be surprised to see that technology companies tend to be on the lower end of industry benchmarks.

Too Much Access?

Twitter admits concern around their tools and levels of employee access, yet goes on to claim that access to proprietary tools is “strictly limited and only granted for valid business reasons”. Twitter advises that they have now “significantly limited access to our internal tools and systems” while they complete their investigation, citing “we have teams around the world” that help with account support. Users with account support needs, reported Tweets and applications to Twitter’s developer platform can expect delays. Twitter is focused on restoring access for all account owners who may still be locked out.

Portrait of a Phish

Whether the hackers gained access via phone, a personal device, or office computer, the aim of the attack was to obtain employee credentials. Twitter advises that although their tools, controls, and processes are constantly being updated and improved, they are now “taking a hard look” at how they can make them even more sophisticated.

The specifics of the phish that evaded security controls are vague. Spear phishing tends to be more targeted and dangerous than a typical phishing attack, because the phishing emails are highly believable when tailored to individuals or small, specific groups of people. “Phone phishing” is messy infosec jargon that tends to be a catch-all for all things social engineering that involve a mobile device. A phish via phone could appear to be many things: a message from support requesting credentials for an update, an SMS phish linking the user to a false company login page, or an actual phone call from a friendly colleague requesting login information.

If employees are unaware of the role they play in data breaches, they are more likely to fall for these scams. No amount of security controls can fully secure a network unless employees are also seen as the frontline in phishing defense. Twitter needs to consider building employee resilience to phishing in their plan to become more sophisticated.


GuLoader Rises as a Top Malware Delivery Mechanism in Phishing

By Brad Haas, Cofense Intelligence

There’s a new malware delivery mechanism in town, and it’s competing in volume with the most tried-and-true delivery methods like malicious Microsoft Office macros.

GuLoader, a small but dangerously sophisticated loader, emerged early this year and rapidly became one of the most popular delivery mechanisms, used by numerous threat actors to deliver a wide assortment of malware. Its popularity can be explained by its simplicity and sophistication—it is both easy to use and extremely effective, designed to evade multiple security measures and then download and execute malware while going undetected. A recent report indicates that it is sold openly, making it easier for threat actors to obtain. As long as GuLoader is profitable, its authors will have an incentive to continue to improve it, making it a potential long-term threat.

GuLoader’s Meteoric Rise

GuLoader was first seen in the wild near the beginning of 2020. As discussed in the Cofense Q2 2020 Phishing Review, it surged in popularity during the second quarter particularly in the month of May. Several other delivery mechanisms dropped off almost entirely as GuLoader increased. It became nearly as common as each of the Microsoft Office document delivery mechanisms: CVE-2017-11882 and Office Macros, which have been dominant for months. GuLoader is most commonly used to deliver remote administration tools, but has also been observed delivering keyloggers, credential stealers, and other malware phenotypes.

Figure 1: During May 2020, GuLoader was briefly the most popular delivery mechanism.

Why GuLoader?

The most successful delivery mechanisms go undetected as they arrive in a victim’s inbox. This is likely why Office documents remain so popular; they are less obviously malicious than executable binary or script files. GuLoader is an executable file, but it uses sophisticated techniques (discussed below) to go unnoticed during delivery and during its execution. GuLoader has also been changed and updated with new features over time, making it increasingly useful as a delivery mechanism.

Advanced Evasion Features

GuLoader uses advanced techniques at every stage of execution to try to evade network, email, and host-based security technology:

  • Email attachment scanning: Obfuscation and encryption hide GuLoader’s actual functions. Without executing at least a portion of it, an antivirus product cannot detect what it does.
  • Dynamic or sandbox analysis: GuLoader contains false code instructions designed to thwart analysis tools and a wide array of tricks to avoid executing in virtual or sandbox environments.
  • Domain and network controls: Threat actors using GuLoader store their malicious payloads on cloud platforms like Google Drive and Microsoft OneDrive. These platforms are often treated as trusted assets in every organization and thus are not frequently subjected to comprehensive analysis or blocking.
  • Network-based scanning: Each malicious payload is encrypted with a key unique to its campaign, so neither the cloud services nor a network traffic analyzer is able to tell what it is.
  • Endpoint security products: GuLoader can start up legitimate Windows programs and inject itself into their memory space, giving the malicious payload cover from endpoint analysis.

Figure 2: Shipping-themed phish with GuLoader in an ISO attachment

Cofense Intelligence customers can find more details and associated indicators of compromise in our 23 July 2020 Strategic Analysis. Not a customer? Learn how our phishing alerts help mitigate today’s dynamic threats.


Adding a Human Layer of Defense to Email Security

Guest Author: Edward Amoroso, Chief Executive Officer & Analyst, TAG Cyber

For over a decade, a quantitative index hosted at NYU’s Center for Cyber Security (CCS) has been used to measure the sentiment of expert practitioners across a range of cyber threat and enterprise security issues. While the index value has increased continually over the years, which indicates growing concern among the participating experts that threats are increasing, significant spikes in any measured attribute have rarely occurred – until recently.

Since early 2020, the NYU research team has measured increased concerns regarding email security risk, and, in particular, with phishing messages reaching user in-boxes. This result might seem somewhat expected, given the increased number of people working from home during the COVID-19 pandemic. But enterprise teams routinely include world-class commercial security solutions such as secure email gateways (SEGs), so this seemed inconsistent with the sentiment spike.

Working with the phishing defense experts from Leesburg-based Cofense, Dr. Edward Amoroso, head of research advisory company TAG Cyber, which helps to administer the NYU CCS index, sought to investigate what was going on. A brief survey was constructed and shared with a dozen experts operating secure email infrastructure. Each was asked whether, and how frequently, phishing attacks were finding their way past their existing email defenses, all of which included a SEG.

The results were interesting: fully half reported that potentially dangerous phishing messages reached employee in-boxes roughly once per week, and the other half reported not having sufficiently accurate data to even answer the question. Frankly, both of these answers seemed disturbing – even though they helped to explain the spike in the NYU index. Clearly, something troublesome has been going on recently with email security.

Aaron Higbee, Cofense CTO and Co-Founder, and Tonia Dudley, Cofense Security Solutions Advisor, shared their own approach to this growing problem during a recent webinar jointly hosted by TAG Cyber. In short, the Cofense solution introduces a human layer of protection to complement existing defenses to create a more defense-in-depth model for addressing phishing risk. The human aspect is enhanced in the Cofense approach using crowdsourced support, which results in complementary intelligence about email threats. It seems a sensible addition.

What you’ll find from the discussion during this recent webcast is that while traditional firewalls and other security gateway devices are important parts of a layered defense, they are obviously nowhere near sufficient to protect an enterprise. The Cofense team believes, and makes the strong case, that SEGs also benefit from the introduction of additional complementary protections – which involve the human-oriented controls mentioned above.

If you’re like the experts who respond to the NYU CCS index, then you are feeling increased stress about phishing risks to your enterprise. This suggests that adding some sensible security controls into a multilayered protection solution would be advised.

Learn more about how Cofense helps organizations by combining the power of human detection with automated response, enabling your teams to stop phishing attacks in minutes.


Threat Actors Bypass Gateways with Google Ad Redirects

By Dylan Main and Harsh Patel, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that attempts to steal Office 365 login credentials by luring employees to accept a new Terms of Use and Privacy Policy. This new campaign has been seen across multiple organizations and uses advanced techniques to garner employee login credentials, including a Google Ad Services redirect to fool email gateways.

Figure 1: Headers

The originating IP in the headers of this email proved its source was coming from a legitimate account with the ‘from’ address “info@jtpsecurity[.]co[.]za”. It appeared as though this email address was compromised and then used to send the phish to multiple employees. The word “security” in the from address could potentially lull the user into trusting the email’s origin.

Figure 2: Email Preview

At first glance, the user will see “This message was sent with High Importance.” Again, the from address contains the word security and the subject talks about a “Recent Policy Change,” creating urgency to click and handle the matter immediately.

The email body talks about accepting the newly updated “Terms of Use & Privacy Policy.” Also, it notes how this new policy will affect personal data and discontinue all active services on the user’s account. Curious users will likely want to “Learn More.”

Figure 3 shows the URL embedded in both buttons, “Accept” and “Learn More”:

Figure 3: URL redirect of the buttons

As seen in the above figure, the threat actor has utilized a Google Ad Services redirect to pilot users to their phish. This suggests that the threat actor(s) may have paid to have the URL go through an authorized source. In turn, this easily bypasses secure email gateways and exposes employees to the phish.
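A triage helper for links like the one above, added here as an example and not code from the PDC: it unwraps a Google Ad Services click URL offline by reading the adurl query parameter, so an analyst can see the real destination before anyone follows the link. The www.google.com entry in the wrapper table is an assumption added for illustration; the sample URL is a constructed, shortened form of the campaign IOC listed at the end of this post, kept defanged.

```python
"""Offline unwrapping of ad-network click redirects (added example)."""
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Wrapper hosts and the query parameter that carries the real destination.
# googleadservices.com/adurl is the wrapper seen in this campaign; the
# www.google.com entry is an assumed extra example of a common wrapper.
REDIRECT_WRAPPERS = {
    "www.googleadservices.com": ("adurl",),
    "www.google.com": ("url", "q"),
}

# Constructed sample: a shortened, defanged form of the campaign's click URL.
SAMPLE_WRAPPED_URL = (
    "hxxps://www[.]googleadservices[.]com/pagead/aclk?sa=L&ai=EXAMPLE&ctype=5"
    "&client=ca-pub-1169945711933407"
    "&adurl=https%3A%2F%2Fmicrosoftoffice-servicepolicy-onlineserver[.]comisys[.]host"
)


def refang(url):
    """Turn a defanged IOC (hxxp, [.]) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def defang(url):
    """Defang scheme and host so the result is safe to paste into a report."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.replace("http", "hxxp"),
                       p.netloc.replace(".", "[.]"), p.path, p.query, p.fragment))


def unwrap_redirects(url, max_hops=5):
    """Follow wrapper parameters without touching the network.

    Returns the defanged chain, first link first; a one-element list means
    the URL was not a known wrapper."""
    current = refang(url)
    chain = [current]
    for _ in range(max_hops):           # bound the loop: wrappers can nest
        parts = urlsplit(current)
        params = REDIRECT_WRAPPERS.get(parts.netloc.lower())
        if not params:
            break
        query = parse_qs(parts.query)   # percent-decodes https%3A%2F%2F... for us
        nxt = next((query[p][0] for p in params if p in query), None)
        if not nxt or not urlsplit(nxt).netloc:
            break                       # no destination, or only a relative path
        current = nxt
        chain.append(current)
    return [defang(u) for u in chain]


def final_destination(url):
    """The URL the user actually lands on, defanged."""
    return unwrap_redirects(url)[-1]


def is_wrapped(url):
    """True when the visible link is only a redirect to somewhere else."""
    return len(unwrap_redirects(url)) > 1


if __name__ == "__main__":
    for hop, link in enumerate(unwrap_redirects(SAMPLE_WRAPPED_URL)):
        print(f"hop {hop}: {link}")
```

Because the wrapper host is a legitimate Google property, reputation checks on the visible link alone pass; the value worth scoring is the host returned by final_destination, and a mismatch between the two is itself a useful signal in triage.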

Upon clicking on either button, users are redirected to a duplicate of the real Microsoft page at the URL:

hxxps://microsoftoffice-servicepolicy-onlineserver[.]comisys[.]host/common/oauth2-authorize

On this page users are presented with a pop-up of the privacy policy the email mentions. In this window there are two notable logos as well, a Microsoft logo and the user’s company’s logo, in a bid to make this page appear that much more legitimate. Scrolling through the text box you can see the Privacy Statement was taken from Microsoft’s website.

Figure 4: First Page of the phishing attack

After accepting the updated policy, the user is then redirected to a login page that impersonates the Microsoft Office 365 login page. An employee who enters their credentials and clicks “Next” will have sent the threat actor(s) their Microsoft credentials and compromised their account.

Figure 5: Second Page (The actual phishing)

Following the login page, users find further reason to believe the update is legitimate, one more box saying, “We’ve updated our terms.” Upon clicking the “Finish” button, they’ll be all set.

Figure 6: Third Page (Post entering credentials)

Last step: users are redirected to the legitimate Microsoft page, their Service Agreement, to complete the scam. Nothing malicious here!

Figure 7: Final Page (Official Microsoft site)

LEARN MORE about the Cofense Phishing Defense Center. See how the PDC’s managed phishing response and remediation stops the phishing attacks that elude email gateways.

Indicators of Compromise:

Network IOCs (with hosting IP):

hxxps://www[.]googleadservices[.]com/pagead/aclk?sa=L&ai=C3seiJpC5XstooZGJBrPArsADp__a3lyH_4PTjAqoqKfonA8QASC7-_keYISV7IXcHaABzavQ-gPIAQmpAt6UwcHeNU0-qAMByANKqgTEAU_Q2dNvWCQ_LtumFUNLEz16PFVhg8cC3HmYEdlxma4KWUfGkvbdLFpKvCC92odSoiBTw9idw1iHRgreOTD1xyzoBBif4axm3JFTnekl_2_OeuLDQv0U_HzVVt10Iu5SkzsX6nGWyfUgPHIgJkxJqY4me8SG8d0nlmJ8PumQhJhze02bPmqEr4puzh2awPAoHoVPQ7QaXlbeJvf4W7Wexg1RGQ0EqMY8Z7YLfyh6tceagXiYGwWU1r3H9HuiISfj4G-RYYTABM-Sru2hAsAFBfoFBgglEAEYAJAGAaAGLoAHm9SvBYgHAZAHAqgHjs4bqAeT2BuoB7oGqAfw2RuoB_LZG6gHpr4bqAfs1RuoB_PRG6gH7NUbqAeW2BuoB8LaG9gHAMAIAdIIBggAEAIYGoAKAZALA5gLAcgLAYAMAeAS_6jY_crtxomjAdgTDg&ae=1&num=1&cid=CAMSeQClSFh3L5xTIDfFt35D8xjVEHFCYXr5NOlTRany4t_BBsFsAp3b7XCD0nSBKDirzhPVamy0H75uzx6gQxh5_rKDAlBAJWTUCf1Tqi6saFbojDtHd_R8dtCePj4ZvH0zHZWyRITLXvztggY2ibrWY9oLm5X8Wcuetvk&sig=AOD64_0L9hd4oCjDoroDTf6-7Fkon2bwsw&ctype=5&client=ca-pub-1169945711933407&adurl=https%3A%2F%2Fmicrosoftoffice-servicepolicy-onlineserver[.]comisys[.]host (IP: 172[.]217[.]7[.]226)

hxxps://microsoftoffice-servicepolicy-onlineserver[.]comisys[.]host/ (IP: 198[.]23[.]137[.]146)

Phish Found in Proofpoint-Protected Environments – Week Ending July 26, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and were automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. Reply chain attacks are of particular note this week, as attackers use existing email discussions to lend a sense of legitimacy to their phish. Cofense saw these Zombie Phish last year and they continue to find success.

phishing example of a voicemail theme credential theft

TYPE: Credential Theft

DESCRIPTION: Here’s a voicemail-themed attack that includes a partial transcript – just enough to lure the recipient into clicking. Doing so leads to a Google Forms page that captures and exfiltrates login credentials. Voicemail spoofs aren’t new. Cofense has been blogging about them for some time.

example phish spoofing tax forms for credential theft

TYPE: Credential Theft

DESCRIPTION: With due dates for taxes extended thanks to the COVID-19 situation, tax-themed phish are still effective. Posing as a Human Resources representative, this phish uses Infogram URLs to capture email login credentials.

phishing example of a reply chain attack using emotet to download qakbot

TYPE: Malware – QakBot

DESCRIPTION: Over a year ago, Cofense wrote about Emotet and its use of compromised emails to perform reply-chain attacks. This example uses an attached PDF with links to a macro-laden Microsoft Office document to deliver first Emotet and then QakBot.

phishing sample poses as an invoice but links to the pyrogenic stealer malware

TYPE: Malware – Pyrogenic

DESCRIPTION: Another example of reply-chain tactics to trick a recipient into following the embedded links to the Pyrogenic Stealer malware. This one uses a finance theme spoofing an Accounts Payable department.

sample phish uses an image link to deliver agent tesla malware

TYPE: Malware – Agent Tesla

DESCRIPTION: No one wants to miss a sale, and the attackers know it. They use a quotation theme to lure the recipient into clicking the image link to download the Agent Tesla keylogger, a piece of malware we covered last year.

phishing example of a quarantine theme credential theft

TYPE: Credential Theft

DESCRIPTION: Knowing users are becoming better trained to detect phishing attempts and to rely on existing security mechanisms, the attackers behind this phish spoof an email quarantine service to encourage the recipient to click and give up their credentials. Can your users tell the difference between your organization’s quarantine and a fake?

phish sample uses covid-19 pandemic theme to perform credential theft

TYPE: Credential Theft

DESCRIPTION: This last example for the week spoofs the Human Resources department using a Coronavirus theme to encourage the recipient to click the link and give up their credentials. Cofense put together a Coronavirus InfoCenter with numerous resources to help educate your organization on these threats.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Found in Proofpoint-Protected Environments – Week Ending July 19, 2020


Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. Phishing threat actors continue to rely on tried-and-true methods to get their attacks into user inboxes. We discussed the latest trends recently on our Phish Fryday podcast.

example phish delivers LolKek ransomware with an xlsb attachment

TYPE: Malware – LolKek

DESCRIPTION: This phish uses an order theme spoofing Salesforce.com to deliver a Microsoft Excel Binary attachment (.xlsb). Within this file, macros are designed to download and install a recently discovered form of ransomware called LolKek. Excel Binary documents aren’t as common in general usage, but come in handy when working with large files. Or malicious attachments.

sample phish delivers Remcos remote access trojan via image link

TYPE: Malware – Remcos

DESCRIPTION: This contract-themed phish delivers an image link designed to look like an attached Microsoft Office document. Instead, it downloads a document crafted to exploit CVE-2017-11882; that document fetches a VBS script, which in turn downloads a PowerShell script. The PowerShell script then unpacks and loads a .NET loader that runs the Remcos Remote Access Trojan. That’s a long way of saying system compromise.

phishing example spoofs world health organization to deliver credential theft link

TYPE: Credential Theft

DESCRIPTION: Taking advantage of the current pandemic, this phish spoofs the World Health Organization to convince the recipient to click the link. Doing so prompts for credentials including “Gmail, Office, Yahoo, AOL, Outlook, and ‘other’” and then directs to a Google Drive-hosted PDF. Despite the official looking sender and logo, the body is rife with grammatical errors.

phishing example performs credential theft via image link

TYPE: Credential Theft

DESCRIPTION: Claiming to provide an attached statement, this phish uses a linked URL masquerading as a PDF attachment to direct the recipient to a Microsoft SharePoint-hosted page designed to steal credentials. Cofense continues to cover the use of trusted cloud services for untrustworthy purposes.

phishing sample delivers dridex malware via zipped attached word document

TYPE: Malware – Dridex

DESCRIPTION: This invoice-themed phishing attack promises a booking invoice but delivers a macro-enabled Microsoft Word document inside a ZIP archive. Those macros lead to the installation of the Dridex malware.
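As an added example (not Cofense's code), here is a check a mail-filtering pipeline could run on attachments like the .xlsb above and the zipped Word document here: it opens zip-based Office packages, recurses into ZIP archives, and reports every document carrying a vbaProject.bin part. It covers the OOXML formats only (legacy OLE2 .doc/.xls need a different parser), and the sample files and names are constructed.

```python
import io
import zipfile

# Added example (not Cofense's code): flag Office attachments that carry VBA macros, including
# macro-enabled documents nested inside ZIP archives, like the .xlsb and zipped Word cases above.
# Covers the zip-based OOXML formats only; legacy OLE2 .doc/.xls need a different parser.
MACRO_PARTS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")

def find_macro_documents(name, data, depth=0, max_depth=3):
    """Return paths ('outer.zip/inner.xlsb') of every zip-based document with a VBA project."""
    hits = []
    if depth > max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return hits  # not a zip container (or nested too deep to bother): nothing to flag
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.namelist()
        if any(part in members for part in MACRO_PARTS):
            return [name]  # an OOXML package with a vbaProject.bin part carries macros
        for member in members:  # otherwise treat it as an archive and look inside each entry
            if not member.endswith("/"):
                hits.extend(find_macro_documents(f"{name}/{member}", zf.read(member), depth + 1, max_depth))
    return hits

def build_zip(entries):
    """Build an in-memory zip from {name: bytes}; used only to construct the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, payload in entries.items():
            zf.writestr(entry_name, payload)
    return buf.getvalue()

# Constructed samples (the vbaProject.bin content is a placeholder, not a real VBA stream):
XLSB_WITH_MACROS = build_zip({"[Content_Types].xml": b"<Types/>", "xl/vbaProject.bin": b"\xd0\xcf"})
CLEAN_XLSX = build_zip({"[Content_Types].xml": b"<Types/>", "xl/workbook.xml": b"<workbook/>"})
ZIPPED_DOCM = build_zip({"invoice.docm": build_zip({"word/vbaProject.bin": b"\xd0\xcf"})})
```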

phish example spoofs HR to deliver credential theft via embedded link to sharepoint

TYPE: Credential Theft

DESCRIPTION: Still getting used to remote work? Attackers hope so, attempting to trick recipients into following their trusted Microsoft SharePoint links to a nasty end. In this case, a credential harvesting page. Cofense has put together a number of tips to help you defend your remote workers.

example phish with fax theme delivers credential theft with an htm attachment

TYPE: Credential Theft

DESCRIPTION: Just the fax, ma’am. This fax-themed phish encourages the recipient to open the attached .htm file. The file is designed to look like a Microsoft login page. The attacker is hoping to capture the login credentials of the recipient.

example phish that delivers an embedded URL for credential theft

TYPE: Credential Theft

DESCRIPTION: The Coronavirus theme is still getting some mileage among attackers. This one includes an embedded URL that will try to steal credentials for “Outlook, Office365, Gmail, Yahoo, and ‘other’” services. After providing credentials, the recipient is sent to a legitimate-looking PDF in an attempt to reduce suspicion.


FedRAMP Authorization: Why ‘Moderate’ Matters

By Rose Ryan, Cofense Product Marketing Manager

FedRAMP, the federal program created to assess the security of cloud service providers (CSPs), saves time and cuts costs for U.S. government agencies that would otherwise conduct their own assessments. CSPs are granted authorizations at three impact levels: low (includes low-baseline and low-impact SaaS “li-SaaS”), moderate, and high, aligned to the impact levels based on NIST guidelines. While the high-impact level protects the most sensitive government data, the moderate-impact level meets the needs of many agencies. And the gaping chasm in requirements between moderate and low is revealing.

Why Cofense Didn’t Take the Low Road

Why make the financial commitment, endure a rigorous authorization process and establish a continuous monitoring program when we could have simply self-attested our security controls for a li-SaaS classification? Because Cofense is a security company that prioritizes providing the highest level of protection to our customers, and a low-level certification just wasn’t good enough. That is why Cofense PhishMe is in the process of achieving FedRAMP moderate status.

Moderate vs. Low Impact Levels

Got PII? Cofense Has You Covered

Cofense recognizes that our products and services handle our customers’ personally identifiable information (PII). That’s why we went all in to certify at the FedRAMP moderate level, complying with 325 stringent controls to secure our customers’ data according to confidentiality, availability, and integrity. A moderate FedRAMP authorized CSP has a far more stringent set of controls as compared to a CSP with a low or li-SaaS ranking. See a list of controls here.

The impact level of a moderate service offering is based on the sensitivity of the data that an information system processes, stores, and transmits. Cofense opted for moderate FedRAMP compliance for our PhishMe solution. This required the establishment and documentation of a highly secure environment that will withstand comprehensive, rigorous review before we may engage with Federal agencies as a FedRAMP CSP.

Controls: The Numbers Say It All

Additional security controls are added as the levels progress to ensure that government data is adequately protected. High-level systems have 421 baseline controls, moderate-level systems have 325 controls, while low-level systems have only 125 controls and li-SaaS requires a minimal 36 controls. Cofense opted for the moderate level, which will allow us to support a broad range of government agencies.

Continuous Assurance with Cofense

With a moderate FedRAMP authorized solution, there is a strict security implementation as well as operational requirements that PII data be protected. With a li-SaaS implementation, there is no such assurance. And it doesn’t end there. FedRAMP requires that authorized CSPs engage in continuous monitoring after authorization is achieved. The authorization can be revoked if the CSP is found at any point to be non-compliant with FedRAMP requirements. Cofense opted for a moderate FedRAMP authorization, embracing these strict requirements and ongoing monitoring to meet our customers’ security needs and assure their peace of mind. Cofense PhishMe just completed the security assessment review with the sponsoring agency and FedRAMP PMO, and we are now in the final stages of the authorization process.

Learn more: see how Cofense is participating in the FedRAMP program.


Invoice Themed Phishing Emails Are Spreading from Trusted Links

By: Kian Mahdavi, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) is seeing continued growth in phishing attacks that harvest users’ credentials via genuine file-sharing websites, and these attacks are being found in environments protected by Proofpoint’s Secure Email Gateway (SEG). A huge factor in this campaign is the confidence users place in emails carrying the “trusted” Dropbox name.

It is tricky for SEGs to keep up with attempts to spread phishing attacks and malware via sharing services such as Dropbox, ShareFile, WeTransfer, Google Docs, Egnyte and even SharePoint. Fortunately, a few of our clients’ users reported the phishing emails via the Cofense Reporter button.

The “traditional” methodology for attackers was to “break in.” Nowadays, they easily can “login,” thanks to sharing sites.

Figure 1 – Body of the email, showing how the attack’s success depends on user interaction

The spear phishing email contains a link inviting the user to access a purchase order form with a .pdf extension. Clicking it opens the user’s default web browser on a page that asks them to click the “Download” button, and the file is then saved to the “Downloads” folder. Nothing sinister going on, right?

The sender address’s domain – “actionsportsequipment[.]com” – coincidentally matches the nature of the client’s industry, which shows the lengths the attackers went to in a bid to slip through the “secure” environment. One must ask oneself: “Was I expecting this transfer?” and “Am I expecting to receive a purchase order from this sender?”

Moreover, because the emails are sent through Dropbox’s own mail infrastructure, they pass basic email authentication checks such as DKIM and SPF.
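As an added example (not Cofense's code), this is how a defender can triage the Authentication-Results header so that a message which passes SPF and DKIM only because a sharing service relayed it is escalated rather than trusted. The list of sharing-service domains and the sample headers are constructed for the example.

```python
import re

# Added example (not Cofense's code): triage Authentication-Results headers so that mail
# passing SPF/DKIM only because a trusted sharing service relayed it gets escalated.
SHARING_SERVICES = {"dropbox.com", "dropboxmail.com", "sharefile.com", "wetransfer.com"}  # assumed

def parse_headers(raw):  # -> {lower-name: value}, folded continuation lines unfolded
    headers, current = {}, None
    for line in raw.strip().splitlines():
        if line[:1] in (" ", "\t") and current:
            headers[current] += " " + line.strip()
        elif ":" in line:
            current, value = line.split(":", 1)
            current = current.strip().lower()
            headers[current] = value.strip()
    return headers

def parse_auth_results(value):  # -> {spf|dkim: (result, domain the check vouched for)}
    out = {}
    for clause in value.split(";")[1:]:  # clause 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if m:
            d = re.search(r"(?:header\.d|smtp\.mailfrom)=(?:[^@\s]+@)?([\w.-]+)", clause)
            out[m.group(1)] = (m.group(2).lower(), d.group(1).lower() if d else "")
    return out

def assess(raw):
    """Return (verdict, findings) for one message's raw header block."""
    h = parse_headers(raw)
    auth = parse_auth_results(h.get("authentication-results", ""))
    m = re.search(r"@([\w.-]+)", h.get("from", ""))
    from_domain = m.group(1).lower() if m else ""
    findings = []
    if all(auth.get(k, ("none", ""))[0] == "pass" for k in ("spf", "dkim")):
        findings.append("spf_dkim_pass")
    signed = {d for _, d in auth.values() if d}  # domains SPF/DKIM actually vouched for
    if signed and from_domain not in signed:
        findings.append("from_not_aligned")
    if signed & SHARING_SERVICES:  # the Dropbox case described above
        findings.append("relayed_by_sharing_service")
    # A pass earned by a sharing service says nothing about who actually shared the file.
    verdict = ("escalate" if "relayed_by_sharing_service" in findings else "suspicious"
               if "from_not_aligned" in findings or "spf_dkim_pass" not in findings else "ok")
    return verdict, findings

# Constructed sample (not headers from a real message) mirroring the campaign above:
DROPBOX_SHARE = """
From: "Accounts Payable (via Dropbox)" <no-reply@dropbox.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@dropbox.com;
 dkim=pass header.d=dropbox.com; dmarc=pass header.from=dropbox.com
"""
```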

Figure 2 & 3 – Downloadable purchase order file

Once the download completes, the user is prompted to open the downloaded .html file, expecting the “purchase order” form to appear; instead, the campaign redirects them to a supposed “Microsoft” login page.

In this case, the attackers used the free website builder “Weebly.com”, yet another legitimate source. Because trusted redirect domains and IPs like these are used by millions of people sharing data with one another every day, they naturally remain white-listed and deemed “safe,” which further deceives the security measures in place.

For the same reason, the padlock icon appears: the connection is genuinely encrypted for both parties, but the padlock also lends the illusion that the website itself is “secure.”

Figure 5 – Phishing site built by Weebly

Once credentials have been supplied, the campaign redirects the user to the authentic ‘office[.]com’ webpage, which could even be enough to assure users it was a genuine procedure. A user’s personal data could potentially be in the hands of the threat actor, assuming they logged in with their true Microsoft credentials.

Figure 6 – Redirect to Microsoft Office webpage  

Indicators of Compromise:


LEARN MORE about the Cofense Phishing Defense Center. See how the PDC’s managed phishing response and remediation stops the phishing attacks that elude email gateways.
