“We’re Grateful For The Trust!”

By Kian Mahdavi, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has found a phishing campaign that aims to harvest users' credentials by impersonating DocuSign. At first glance the email is kept short and sweet, in a bid to lure the user into viewing an invoice. Both Proofpoint's and Microsoft's secure email gateways (SEGs) failed to stop the campaign. Its success appears to rest on links to a legitimate service, skillfully concealed within the PDF attachment.

Here’s what happened

Figure 1: Email body 

The subject line, "Invoice attached," is deliberately vague, nudging the user to open the message to learn more. The sender's display name is William G. Kern, while the email address begins "bill.kern." One would expect the display name and address to match exactly, so this could be a slip by the attacker; note, though, that Bill is a common short form of William, so on its own this is a weak signal rather than a clear mistake. Further down, the attachment is named with a bare number and gives no hint of an actual transaction, which draws the attention of inquisitive users.

The email body is just two sentences: the first thanks the user for their "business," the second asks them to telephone the sender should there be any discrepancies. Steering the recipient to the phone rather than to a reply email keeps the attacker anonymous and protects the spoofed sender address, since a reply would not reach the attacker and could expose the ruse. It is a neat social engineering touch.

Figure 2 – Attached PDF

The screenshot above shows the attachment as it appears when opened. Behind the "authentication required" message is a document with a substantial amount of text, including two bulky signatures. Confused users are led to believe they are one step away from viewing the invoice.

Note the role the subdomain "myemail" plays in this attack: it hosts the initial malicious page, while the root domain, constantcontact[.]com, belongs to a legitimate email marketing service whose customer subdomains are being abused rather than compromised. Note also the social engineering wording at the end of the URL below ("The-latest-news-for-you"). Parking the first hop on a reputable service is a troubling yet effective method attackers use to spread phishing sites.

“hXXps://myemail[.]constantcontact[.]com/The-latest-news-for-you.html?”

Figure 3 – Redirect Malicious DocuSign Link

Clicking the hyperlinked "Review" button in Figure 2 opens myemail[.]constantcontact[.]com in the default browser. Because the first hop sits on a legitimate service, the link inherits that service's reputation, and mail sent through such a service would pass authentication checks such as SPF and DKIM. The page is also served over HTTPS with a valid certificate, so the browser shows a padlock in the address bar. That padlock only confirms an encrypted connection to the named host, not that the content is safe, but it lends the page a "trusted" look. The domain hosting the final phishing page appears to have been registered and hosted through namecheap[.]com, a registrar and web-hosting platform.
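The two observations above, the display-name/address comparison and the link parked on a legitimate service's customer subdomain, are easy to script. The block below is an added example and not code from this post; the sample header, sample body text, the nickname table and the list of abused services are constructed assumptions. It also shows that "William" against "bill" comes out as a nickname match rather than a spoof, which is why the mismatch noted above is at most a weak signal.

```python
"""
Added example, not code from the Cofense post.  Two checks a triage analyst
might script for the phish described above:

  1. Compare the From: display name with the address local part token by
     token, allowing common nicknames, so "William" vs "bill" is reported as
     a nickname match rather than an impersonation signal.
  2. For each URL in the message or attachment text, report whether it sits
     on a customer sub-domain of a legitimate service that is routinely
     abused for the first hop of a phish (the myemail.constantcontact.com
     pattern above).

Sample header, sample text, the nickname table and the service list are all
constructed assumptions for the example, not indicators from the post.
"""
from __future__ import annotations

import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Common English short forms (assumption: extend for your own user base).
NICKNAMES = {"bill": "william", "will": "william", "bob": "robert",
             "rob": "robert", "jim": "james", "mike": "michael",
             "liz": "elizabeth", "beth": "elizabeth", "dick": "richard"}

# Registrable domains of legitimate services whose sub-domains often host
# the first redirect of a phish (assumption: an analyst-maintained list).
ABUSED_SERVICES = {"constantcontact.com", "canva.com", "google.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def _canon(token: str) -> str:
    """Map a nickname to its formal form; other tokens pass through."""
    return NICKNAMES.get(token, token)


def display_name_check(from_header: str) -> dict[str, str]:
    """Map each display-name token (single-letter initials dropped) to how it
    appears in the address local part: 'exact', 'nickname' or 'missing'.
    Empty dict when there is no display name or no address to compare."""
    name, addr = parseaddr(from_header)
    if not name or "@" not in addr:
        return {}
    local = set(re.findall(r"[a-z]+", addr.split("@", 1)[0].lower()))
    local_canon = {_canon(t) for t in local}
    report = {}
    for tok in re.findall(r"[a-z]{2,}", name.lower()):
        if tok in local:
            report[tok] = "exact"
        elif _canon(tok) in local_canon:
            report[tok] = "nickname"
        else:
            report[tok] = "missing"
    return report


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels).  Fine for .com/.net hosts; use the
    Public Suffix List in production (assumption for this example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_links(text: str) -> list[dict[str, str]]:
    """Extract URLs and label each as parked on an abused legitimate service
    (sub-domain or root) or on a domain the sender controls."""
    results = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        root = registrable_domain(host)
        if root in ABUSED_SERVICES:
            kind = "abused-service-subdomain" if host != root else "abused-service-root"
        else:
            kind = "sender-controlled"
        results.append({"url": url, "host": host, "root": root, "kind": kind})
    return results


def triage(from_header: str, text: str) -> dict:
    """Combine both checks into the two booleans an analyst acts on."""
    names = display_name_check(from_header)
    links = classify_links(text)
    return {
        "display_name": names,
        "links": links,
        # every display-name token absent from the address: name-only spoof
        "display_name_impersonation": bool(names) and all(v == "missing" for v in names.values()),
        "staged_on_legit_service": any(l["kind"] == "abused-service-subdomain" for l in links),
    }


# Constructed sample message modelled on the phish above (not the real headers).
SAMPLE_FROM = "William G. Kern <bill.kern@example.com>"
SAMPLE_TEXT = """Thank you for your business. Review your invoice here:
https://myemail.constantcontact.com/The-latest-news-for-you.html
then sign in at https://invoice-review.example.net/docusign/ to download it."""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_FROM, SAMPLE_TEXT), indent=2))
```

Run as a script it prints the triage record for the constructed sample: the display name resolves to a nickname plus an exact surname match (no name-only spoof), while the first link is flagged as staged on a Constant Contact customer subdomain.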

Figure 4 – Payload Phishing Site

The next stage of this campaign is a look-alike "DocuSign" phishing site inviting users to enter their credentials.

A genuine DocuSign envelope does not require the recipient to log in to an account. The document arrives from dse@docusign[.]net, and the recipient can review it, add a signature and complete the signing process from that email. A login prompt in front of a "DocuSign" document is therefore itself a warning sign.

After entering credentials, the user believes he or she has been authenticated by DocuSign. At that point the credentials are in the threat actor's hands.

Network IOCs

URL: hXXps://myemail[.]constantcontact[.]com/The-latest-news-for-you.html
IP: 208[.]75[.]122[.]131

URL: hXXps://domainnameonline[.]net/
IP: 199[.]188[.]200[.]202

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Found in Proofpoint-Protected Environments – Week ending October 23, 2020

100% of the phish seen by the Cofense Phishing Defense Center® (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and were automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes. 

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the Cofense PDC in environments protected by Proofpoint. 

TYPE: Credential Phish 

DESCRIPTION: This phishing attack is seen in Proofpoint environments and uses an email spoofing Systel Inc. to deliver credential phishing via embedded Canva links. The Canva links redirect to phishing URLs that harvest email login credentials.

TYPE: Agent Tesla Keylogger 

DESCRIPTION: This phishing attack is seen in Proofpoint environments and uses the lure of a shipping document from Maersk to deliver the Agent Tesla keylogger via embedded Dropbox links. The links download a RAR archive that contains an Agent Tesla executable.    

TYPE: Remote Access Trojan 

DESCRIPTION: This phishing attack is seen in Proofpoint environments and uses a finance-themed email to deliver Remcos RAT via XXE attachments. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Phish Found in Proofpoint-Protected Environments – Week Ending October 16, 2020

100% of the phish seen by the Cofense Phishing Defense Center® (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and were automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes. 

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the Cofense PDC in environments protected by Proofpoint. 

TYPE: Malware, BazarBackdoor

DESCRIPTION: This phishing attack is seen in Proofpoint environments and uses the subject of a termination list to entice recipients to click on a Google Docs link, which delivers BazarBackdoor via a PDF link.

TYPE: Remote Access Trojan

DESCRIPTION: This phishing attack is seen in Proofpoint environments and uses a Customer Complaint-themed email and HTML attachment to deliver a Remote Access Trojan.

TYPE: Credential Theft

DESCRIPTION: This phishing attack is seen in Proofpoint environments and uses an overdue invoice themed email to deliver a credential stealer via a PDF attachment.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Threat Actors Use Canva Templates for Credential Phishing

By Ala Dabat Cofense Phishing Defense Center

Over the past weeks, the Cofense Phishing Defense Center (PDC) has seen an increase in attackers abusing Canva, the Australian design platform, to trick unwitting recipients into giving up their login credentials for a number of well-known email platforms. Canva lets users create graphically driven content such as presentations and other visuals; that same hosting has allowed malicious actors to move away from platforms such as Google Docs and Dropbox and use Canva as the staging point for credential-harvesting campaigns.

Examples vary, but we have seen a rise in malicious PDF files with embedded links that redirect targets to pages hosted on Canva. Canva in turn hosts an image that serves as a launch pad, redirecting targets to attacker-controlled websites that harvest credentials through cloned login pages.

This delivery method is used to slip past traditional SEG filtering: the email content is kept very simple so it flies under the radar of detection engines, and the link inside the attachment points at a reputable domain. Simply designed phishing emails with attachments are nothing new; what is new is the growing number of Canva-hosted malicious images used in this way.

Figure 1: Email with malicious PDF attachment 

The attachment is a malicious PDF purporting to be from Microsoft. Opened from the email, it loads in the recipient's browser as a local file; its embedded link redirects the recipient to the malicious image landing page on Canva.

Figure 2:  Malicious PDF redirecting targets to Canva hosted malicious image

Once the recipient clicks the link, they are taken to an image hosted on Canva that itself carries a link to the phishing landing page. As a further bid for legitimacy, the image claims the document has been scanned by antivirus, giving the recipient a false sense of security.
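Because the first hop lives inside the PDF as a link annotation, an analyst can read the target out of the file without rendering it. The block below is an added example, not code from this post or from Canva: it walks a PDF's /URI actions, decoding both literal and hex string forms, and labels each host as a staging hop or the landing host. The embedded PDF is a minimal file constructed for the example, and its Canva-style and "office365" URLs are placeholders rather than the post's indicators; the staging-host list is an assumption. It also assumes the link objects are uncompressed, which is the usual case for attacker-built PDFs; links inside compressed object streams would need to be inflated first.

```python
"""
Added example, not code from the Cofense post: pull /URI link targets out of
a PDF attachment without rendering it.  A PDF link is a /Link annotation whose
action reads /S /URI /URI (target); the target is either a literal string
(parentheses, backslash escapes) or a hex string (<...>), and both are decoded.

SAMPLE_PDF is constructed for the example; its URLs are placeholders.
Assumption: link objects are stored uncompressed (no /ObjStm inflation here).
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://www.canva.com/design/DAEconstructed/examplelinktoken/view) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 660 300 680]
   /A << /S /URI /URI <68747470733a2f2f6578616d706c652e6e65742f6f66666963653336352f> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Hosts that act as the image/redirect hop rather than the credential page
# (assumption: an analyst-maintained list).
STAGING_HOSTS = {"www.canva.com", "docs.google.com", "myemail.constantcontact.com"}

_ESCAPES = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8, ord("f"): 12,
            ord("("): 40, ord(")"): 41, ord("\\"): 92}


def parse_literal(buf: bytes, i: int) -> tuple[bytes, int]:
    """Decode the PDF literal string starting at buf[i] == b'(' and return
    (decoded bytes, index just past the closing parenthesis).  Handles balanced
    nested parentheses, backslash escapes, \\ddd octal codes and line continuations."""
    assert buf[i:i + 1] == b"("
    depth, out, i = 1, bytearray(), i + 1
    while i < len(buf) and depth:
        c = buf[i]
        if c == 0x5C:                       # backslash escape
            i += 1
            if i >= len(buf):
                break
            c = buf[i]
            if 0x30 <= c <= 0x37:           # up to three octal digits
                j = i
                while j < len(buf) and j < i + 3 and 0x30 <= buf[j] <= 0x37:
                    j += 1
                out.append(int(buf[i:j], 8) & 0xFF)
                i = j
                continue
            if c not in (0x0A, 0x0D):       # backslash-newline is dropped
                out.append(_ESCAPES.get(c, c))
        elif c == 0x28:                     # nested '(' opens a level
            depth += 1
            out.append(c)
        elif c == 0x29:                     # ')' closes a level
            depth -= 1
            if depth:
                out.append(c)
        else:
            out.append(c)
        i += 1
    return bytes(out), i


def parse_hex(body: bytes) -> bytes:
    """Decode a PDF hex string body (whitespace allowed, odd digit padded with 0)."""
    digits = re.sub(rb"\s+", b"", body)
    if len(digits) % 2:
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii"))


# '/URI' key followed by the start of a literal or hex string.  The '/S /URI'
# action type is skipped because a name, not a string, follows it.
_URI_KEY = re.compile(rb"/URI\s*(?=[(<])")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI action target in document order."""
    uris = []
    for m in _URI_KEY.finditer(pdf):
        i = m.end()
        if pdf[i:i + 1] == b"(":
            raw, _ = parse_literal(pdf, i)
        else:
            raw = parse_hex(pdf[i + 1:pdf.index(b">", i)])
        uris.append(raw.decode("latin-1"))
    return uris


def link_report(pdf: bytes) -> list[dict[str, str]]:
    """Label each link as a 'staging' hop (image/redirect host) or the
    'landing' host that will actually ask for credentials."""
    report = []
    for uri in extract_uris(pdf):
        host = (urlsplit(uri).hostname or "").lower()
        report.append({"uri": uri, "host": host,
                       "role": "staging" if host in STAGING_HOSTS else "landing"})
    return report


if __name__ == "__main__":
    for entry in link_report(SAMPLE_PDF):
        print(f"{entry['role']:8} {entry['host']:32} {entry['uri']}")
```

The hex form matters in practice: a literal URL is what a grep for "https://" finds, while a hex-encoded /URI string hides the link from such a grep, so both forms are decoded before the host is checked.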

Figure 3: “OneDrive” landing page hosted on Canva’s design platform 

When the recipient clicks to view the bogus PDF document, they are redirected to an official-looking Microsoft page (Figure 4) where they are encouraged to enter their credentials in order to view the document.


Figure 4: Redirect to an official looking site purporting to be Microsoft OneDrive for business. 

Besides attachments, the PDC has also seen other delivery variations, including phishing emails that encourage recipients to click a link to view documents; the link redirects them to a malicious image hosted on Canva.

The figure below shows an example phishing email without a malicious attachment.

Figure 5:  A Canva hosted attack with embedded link claiming to be a new ‘Fax Document’ 

Once recipients click the malicious link, like the previous example, they are redirected to a Canva landing page with a malicious image.

Figure 6: Malicious landing page  

Canva is being used by malicious actors as the launchpad for common phishing tactics, applying well known attack vectors and convincing aesthetics for enhanced credibility. 

Figure 7: Multiple email provider login pages for credential harvesting 

In this instance we opted to log in via the bogus Microsoft Outlook option. Once recipients enter their credentials, the credentials are harvested to the attacker's database.

Figure 8: Example login page, Microsoft Outlook, with credible aesthetics 

Canva is probably aware of the problem and removes malicious files as they are found, but in our observation many have remained on Canva's platform for hours and even days. Sites such as Google, where attackers have traditionally hosted their phishing pages, appear considerably faster at detecting and removing them, which is another reason threat actors have begun to exploit Canva.

Indicators of compromise:

Network IOCs

URL: hXXps://9812343[.]fls[.]doubleclick[.]net/activityi;src=9812343;type=retar0;cat=flood0;ord=7358195098176
IP: 172[.]217[.]15[.]102

URL: hXXps://www[.]canva[.]com/design/DAEHygBxHno/INiENewnEJagw51VOIkz7w/view
IPs: 104[.]18[.]215[.]67, 104[.]18[.]216[.]67

URL: hXXps://thelivingoodcenter[.]com/cs/office365-RD62/offaccess/
IP: 192[.]249[.]114[.]34

URL: hXXps://www[.]seoera[.]net/7hd7n3ydnbd734/Driveee/Drive/
IP: 192[.]254[.]138[.]161

URL: hXXps://saynodeserve[.]com/cardinal/m/f/
IP: 160[.]153[.]203[.]183

 

 


Security Awareness: Choosing Methods and Content that Work

Part 2 in our 4-part series in support of National Cybersecurity Awareness Month. You can read part 1 here 

Last week we examined the importance of setting a strategy and goals for your security awareness program. 

Now that you’ve selected the user behaviors you want to address, the next step is to think about methods and content to nudge users to the correct behaviors. 

We live in a fast-paced world of information overload. You have seconds to get your message across and engage your users. Choose proven learning methods and focus your educational content on the behaviors that matter most. Above all, keep your training simple and to the point.

Simulations Are the Best Way to Teach the Right Behaviors 

Everyone has a different style of learning and consuming information: video, newsletters, blogs, computer-based training (CBT) modules and so on. According to the National Training Laboratories (see charts below), people retain more from simulations than from any other method.

After years of enabling companies to run simulated phishing campaigns, we have a vast amount of data to support this method of learning. The experience of clicking and having that “Oh no, what just happened?” moment, is how the recipient learns. 

Running a simulated phishing attack IS the learning moment; it is not the education presented on the landing page or attachment during the campaign. Years of data on how long users stay on the education page bear this out: they don't stay. The largest segment of users falls in the 0-9 second range for "time spent on education," yet the data still shows a reduction in susceptibility rate and an increase in reporting rate.

The data also supports the reduction in susceptibility as we look at the number of campaigns it takes to reduce that click rate. When you’re trying to address perpetual clickers, increase the number of campaigns while shortening the time between campaigns. When increasing the number of campaigns, focus on the active threats in order to reduce the risk faster. We first published the chart in our 2015 annual report. In 2019, we ran the numbers again to see if this trend was still the same. Sure enough, the graph still has the same curve. 

Source: Phishing Report 2019

Focus Your Training on Real Threats 

As you start to condition users to report real phishing emails, not just simulated phishes, you’ll want to focus on malicious emails that are getting through the spam filters. In other words, base your simulations on the real attacks your company sees. This will help your users quickly spot the real thing. The goal is to build a resilient workforce that can identify and report potential malicious emails quickly. This drives down the risk to the organization, allowing the security team to mitigate the risk and avoid an incident. 

You will never get to a zero click rate. Phishers are too smart. They craft their emails to look like they’re part of your normal business processes, especially financial transactions. They also constantly change techniques to avoid controls that block their messages. 

So what does this mean for educational content? If you are focusing on the behaviors you want to improve, don't hit users with content overload. Instead, plan one theme per quarter and carry it through your newsletters, videos or learning modules, while leaving room to shift if a new threat is affecting your organization (Heartbleed, Meltdown and the like).

One more example of using content to nudge the user onto the right path is the one used in last week's post on program design: changing users' browsing behavior. By presenting a simple banner at the moment a user exhibits the wrong behavior, you can direct them to the right action, and you can adjust the banner as behavior changes. Once you have curbed the habit of clicking through to unknown sites, your metrics may reveal the next category to address, such as software downloads.

Cofense recognizes that you have regulatory and compliance requirements to provide annual security awareness training to your organization. To help you focus your resources on the parts of your program that actually make an impact, we provide a series of modules for free to any organization, customer or not.

In summary, keep your security awareness content simple with clear direction—and even better, fun and engaging—and you’ll soon be able to experience a shift in behavior! 

Recommended reading: If you’re looking to expand your knowledge on how to create content and simple messaging for your program, I suggest getting a copy of Made to Stick, Why Some Ideas Survive and Others Die, by Chip and Dan Heath. 


Trump COVID-19 Diagnosis Leveraged in Campaigns

By Dylan Duncan and Max Gannon

Threat actors were quick to leverage the news that President Donald Trump tested positive for COVID-19. Cofense Intelligence has observed a recent COVID-19-themed campaign that successfully reached users in enterprise environments. Taking advantage of the headlines and the upcoming U.S. election, the campaign uses secure email gateway (SEG) evasion tactics and anti-analysis techniques to deliver advanced malware to end users protected by leading SEGs. The threat actors targeted multiple industries, reaching users across a variety of sectors in the United States and Europe.

The emails entice recipients by leveraging the president’s health status mere weeks before the election and claiming to provide “secret” information on COVID-19. Threat actors have created multiple phishing emails based on these themes, similar to Figures 1 and 2. 

Figure 1: Phishing email leveraging the president’s medical condition.  

Figure 2: Phishing email leveraging COVID-19. 

Anti-analysis Malware in Secure Environments  

These phishing emails carry embedded Google Docs URLs, which SEGs often permit. The URL leads to a document containing another link rather than to a direct download of malicious content; while Google is quick to remove directly hosted malware, it is much slower to remove content that merely links to it. The Google Doc (Figure 3) displays a Google logo image hyperlinked to a Google-wrapped payload URL. The wrapping matters: threat actors can use it to prevent analysts from downloading the malware directly from the attacker-controlled page. If certain conditions are met, the payload URL serves a password-protected XLS file; without the password from the original email, downloaded samples reveal nothing to reverse engineers. The password-protected Excel worksheet then abuses an organization's reliance on Excel macros to download and execute BazarBackdoor or ZLoader once macros are enabled.
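The Google-wrapped link in that chain is the familiar google.com/url?q=<target> redirector, and in practice an analyst often meets it nested inside other wrappers. The block below is an added example, not code from this post or from Cofense Intelligence: it peels known wrappers off a URL until the real payload host is exposed, with a hop limit and a repeat check so a self-referencing wrapper cannot loop it. The wrapper table and all sample URLs are constructed assumptions; Microsoft Safe Links is included as a second common wrapper, which the post does not mention.

```python
"""
Added example, not code from the Cofense post: unwrap redirector-wrapped URLs
so the real payload host can be checked.  The Google Doc described above links
to a Google-wrapped payload URL (https://www.google.com/url?q=...) and such
wrappers can nest.  The wrapper table and every sample URL below are
constructed assumptions; Safe Links is added as a second common wrapper.
"""
from __future__ import annotations

from urllib.parse import parse_qs, quote, urlsplit

# host -> (path the wrapper lives on, query parameter carrying the target).
# Assumption: extend with whatever redirectors your own mail flow adds.
WRAPPERS = {
    "www.google.com": ("/url", "q"),
    "google.com": ("/url", "q"),
}
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"


def _wrapper_for(host: str) -> tuple[str, str] | None:
    """Return (path, parameter) for a known redirector host, else None."""
    if host in WRAPPERS:
        return WRAPPERS[host]
    if host.endswith(SAFELINKS_SUFFIX):     # <tenant>.safelinks.protection.outlook.com/?url=
        return ("/", "url")
    return None


def unwrap(url: str, max_hops: int = 5) -> list[str]:
    """Return the redirect chain [as-received, ..., final target].
    Stops at an unknown host, a missing parameter, a repeated URL (a wrapper
    pointing at itself) or max_hops, so it never loops."""
    chain = [url]
    for _ in range(max_hops):
        parts = urlsplit(chain[-1])
        spec = _wrapper_for((parts.hostname or "").lower())
        if spec is None or not parts.path.startswith(spec[0]):
            break
        target = parse_qs(parts.query).get(spec[1])   # parse_qs percent-decodes once
        if not target or target[0] in chain:
            break
        chain.append(target[0])
    return chain


def describe(url: str) -> dict:
    """What an analyst wants at a glance: the final host, how many wrappers
    hid it, and whether the target looks like a macro-capable Office file."""
    chain = unwrap(url)
    final = chain[-1]
    path = urlsplit(final).path.lower()
    return {
        "final": final,
        "host": (urlsplit(final).hostname or "").lower(),
        "hops": len(chain) - 1,
        "office_doc": path.endswith((".xls", ".xlsm", ".xlsb", ".doc", ".docm")),
    }


# Constructed chain: Google /url?q= wrapping a Safe Links URL wrapping the payload.
PAYLOAD = "https://payload.example.net/invoice.xls"
INNER = "https://eur01" + SAFELINKS_SUFFIX + "/?url=" + quote(PAYLOAD, safe="") + "&data=x"
SAMPLE_WRAPPED = "https://www.google.com/url?q=" + quote(INNER, safe="") + "&sa=D"

if __name__ == "__main__":
    for hop in unwrap(SAMPLE_WRAPPED):
        print(hop)
    print(describe(SAMPLE_WRAPPED))
```

Each hop is decoded exactly once by parse_qs, which is why nested wrappers come apart cleanly: the inner URL's own percent-encoding survives the outer decode and is handled on the next pass. Unwrapping gives you the host to block or sandbox; it does not fetch anything, which matters here because the payload URL only serves the XLS when the attacker's conditions are met.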

The choice between BazarBackdoor or ZLoader is determined by the initial link embedded in the email. Both of these malware families feature extensive anti-analysis functionality. BazarBackdoor is a stealthy malware downloader commonly affiliated with the developers of TrickBot. It uses specialized network communications to avoid detection, and to contact its command and control locations. ZLoader is a banking trojan that uses web injects to steal credentials and sensitive information. 

Figure 3: Google Document from the embedded URLs.

Threat actors continue to adapt phishing campaigns to current-affairs themes and turn to the tactics, techniques and procedures that succeed in delivering phish to targets in environments protected by SEGs. Once a phishing email reaches an inbox, the human factor is the final defense against compromise. Cofense Intelligence will continue to report on phishing campaigns reaching end users and on the tactics, techniques and procedures that evade modern SEGs.


Phish Found in Proofpoint-Protected Environments – Week Ending October 4, 2020

100% of the phish seen by the Cofense Phishing Defense Center® (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and were automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes. 

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the Cofense PDC in environments protected by Proofpoint. 

TYPE: Malware, ZLoader 

DESCRIPTION: This phish plays on the lure of insider details. When a recipient clicks the Google Docs link, ZLoader is delivered via a macro-laden Office spreadsheet downloaded from an embedded URL.

TYPE: Malware, AZORult Stealer 

DESCRIPTION: This phish relies on the familiarity people have with order confirmations sent through email.  In this case, an Excel document is used to deliver the AZORult Stealer via an embedded URL. 

TYPE: Quaverse Remote Access Trojan 

DESCRIPTION: This is another example of using an order hook to have someone open the order information in a zip file.  This attachment delivers the Quaverse Remote Access Trojan. 

TYPE:  Malware, Bazar Backdoor 

DESCRIPTION: This phish conveys there is important financial information that needs to be viewed.  When the Google Doc is clicked the BazarBackdoor is delivered via embedded URLs. 

TYPE:  Keylogger, Agent Tesla Keylogger 

DESCRIPTION: Another finance-themed phish in Spanish entices the recipient to click on the link where the Agent Tesla Keylogger is delivered via an embedded URL. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Building a Security Awareness Program? Start with Strategy and Goals

Part 1 of a 4-part series on building and maintaining a security awareness program, in support of Cybersecurity Awareness Month. #BeCyberSmart 

I’ve been with Cofense for two and a half years now interacting with several groups internally, but there are plenty of moments when I still get to chat with Awareness professionals. It’s in these moments that I realize there’s still some passion for helping others with their programs. I wrote this series early in my first few months of joining the organization and find these are still the recommendations I provide to others building or maturing their programs. 

In 2011, I began my journey into security awareness. At that time there were limited resources, and most programs were still compliance focused. Even though I had previously spent five years in IT compliance, I knew this wasn't the right approach to get users to learn or care about security. I kept telling the director who owned the role, "Compliance focus is wrong; you have to market to the users."

Seven years later, I have a few tips to share about creating a security awareness program. The first tip might sound obvious, but how many times have you seen it ignored? Make sure you have a strategy. And while you’re strategizing, remember to set some goals. 

Ask your SOC for help. 

Before you can begin to build your program strategy, reach out to your Security Operations/Incident Response team. This team should be your best friend—and YOU will become theirs. They genuinely care about protecting your organization and you will be a breath of fresh air to them. But you will most likely need to remind them that they have the “Curse of Knowledge” (week-two book suggestion) and they don’t remember what it’s like not to know something. They’ve been doing technology and cyber too long to put themselves in the shoes of the user, so that’s where you step in. 

What should you ask them? They have lots of data and metrics, and most likely track a number of high-risk incident categories. What are the top two or three categories that ….? How much time does it take to remediate each of these incidents, for the user and for the highly skilled technical staff?

Start simple. 

Once you have identified the top behaviors for your organization, you can begin building a program by outlining strategy and goals. Remember that a strategy is a long-term plan, so don't try to tackle every behavior in your first year. Start simple. Some behaviors may require further analysis.

Take browsing, for instance. As you dig into the data, you find that users are able to open websites that have not yet been categorized by your proxy filtering solution. You block the obvious bad stuff: malicious sites, inappropriate content, gambling and so on. But what about the new websites, the ones attackers like to host their malware on? Do you allow traffic to those? Most proxy solutions let you show the user a banner or warning explaining that a site has been blocked and why (for instance, because it has been categorized as malicious).

So, part of your strategy might be to leverage existing technology to stop users in their tracks. Another part could be to design a banner page explaining WHY a site is potentially bad, along with a way to gain access to and register for the site, so users can do business if they think the risk is low. 

It’s not training, it’s culture and behavior change.  

Security awareness programs over the years have been lumped into the “training” category. Don’t jump right to the “Let’s give them training” camp. Security Awareness is about a culture change, communicating the security posture of the organization. 

If your organization is regulated, you are required to provide annual mandatory training for security. The typical default for this training is a CBT module because it’s easy to track and demonstrate compliance. But don’t stop there. In order to influence change in behavior and culture, you need ongoing communications and content, not just once a year. This is where building a catalog of content and available resources is necessary. Build a portal where you can post newsletters, alerts and videos so your users come to you. Build a calendar of themes for the year, either by month or quarter, but allow for flexibility. This allows you to address new threats that affect your organization or industry. 

You can’t do this alone. Yes, you may be the only one officially assigned to this task, but building your informal network and team will help you get your program off the ground. First and foremost, find a senior leader to champion your program, someone who understands the value of the program and will go to bat with their peers. This will help build confidence in your program and make it more visible. 

The next group you should befriend are your corporate communications and marketing teams. These groups typically hold the keys to getting your message out. That intranet page? Those teams control the content appearing above and below the scroll. 

Building a program takes time and resources. If those are limited, start small and grow as your program gains credibility. Use small wins to demonstrate value and then expand those resources. There are also plenty of free resources available to help get you started. 

Recommended reading: If you’re looking for more material on changing organizational behavior, I suggest getting a copy of SWITCH, How to Change Things when Change is Hard, by Chip Heath. 

Next week, part 2 will cover how to add the right content to your program.  

Phish Found in Environments Protected by Proofpoint, Microsoft, Cisco, Mimecast and Symantec

By Mark Zigadlo, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) sees tens of thousands of phishing emails that bypass secure email gateways (SEGs) every month. The PDC is an advanced managed detection and response (MDR) service that can remediate these malicious emails from mail environments within minutes.   

A few examples of phishing emails found in environments protected by SEGs can be found here. The ineffectiveness of SEGs continues to increase business risk daily. And the solution is more than high production-value awareness training modules. You need a combination of people and technology to counter the innovativeness of attackers and quickly reduce or remove the business risk. 

Here’s a recent and real story about a phishing campaign (and its quickly morphed successor) that bypassed SEGs from Proofpoint (PFPT), Microsoft (MSFT), Mimecast (MIME), Cisco (CSCO) and Symantec (SYMC).   

The suspicious email below arrived in my inbox. I reported it to the PDC using Cofense Reporter.

Figure 1 – Phishing Email 

I received a response eight minutes later saying the email was malicious (BazarBackdoor malware) and removed from my mailbox. Amazing speed, eight minutes to remove the threat and stop the attack!

Detection

Drilling down further, I saw Cofense’s network effect was in full action in the PDC. The network effect is the unique combination of people and technology that allows one participant in the network to benefit from threats found by another participant in the network. At Cofense, we have over 25 million people contributing to make the network effect an unparalleled security tool. In this case, the PDC had detected similar attacks for 15 other PDC customers (people in the network), which enabled the PDC to respond with lightning speed throughout the day.

Here is the kill chain/timeline for the first customer that received this phishing campaign.

Twelve minutes between the first report and removal of malicious emails from user mailboxes, but the story gets better.   

The PDC uses a key feature of Cofense Vision called Auto Quarantine which looks for new emails matching the ones just identified and quarantined. Over the next 24 minutes, 22 additional emails were detected and removed by Cofense Vision. 

Response & Remediation 

As we know, attackers are constantly innovating to bypass security technology. This is why you need the combination of people and technology to reduce/remove the risk. This case was no different. Two hours after the first phishing campaign was identified and stopped, a slightly modified campaign was launched against the same customer. The PDC jumped back into action again. 

More amazing results. Twenty-two minutes between the first report of the modified campaign and removal of malicious emails from user mailboxes through Cofense’s Phishing Defense Center.

The Phishing Defense Center harnesses phishing intelligence from the frontlines of the world’s most active phishing campaigns to quickly protect everyone in the network. 

To learn how you can efficiently identify and remove phish that have bypassed your SEG, click here for a free demo of the Phishing Defense Center. 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Twelve Flavors of Phish: Canadian Workers Targeted With Fake Covid-19 Relief Deposits

By Jake Longden and Elmer Hernandez, Cofense Phishing Defense Center

Financial aid programs continue to be popular targets in the midst of the COVID-19 pandemic, with government relief grants a particularly great one to exploit.  

The Cofense Phishing Defense Center (PDC) has observed a recent phishing campaign in Canada that aims to harvest banking credentials and other personal information for 12 different banking institutions. This was achieved by preying on employees who were expecting COVID-19 relief grants in the form of the CERB (Canada Emergency Response Benefit). These funds are supposedly sent via an electronic transfer from Interac, a legitimate Canadian interbank network. 

With multiple world governments providing such grants, and millions of people relying on these as their main source of sustenance, adversaries will continue exploiting such dependence. 

CERB Deposit

The email purports to be a notification from Interac’s e-transfer service, indicating that the Canada Revenue Agency (CRA) has made a CERB deposit of $1,957.5 CAD (approx. $1,463 USD). A fictitious expiration date is included in an attempt to instill a sense of urgency.

The CERB scheme gives financial support to employed and self-employed Canadians who have been affected by the COVID-19 pandemic. It offers $2,000 CAD (approx. $1,490 USD) for a four-week period.

Figure 1 – Email Body 

Header

The SPF fail in the headers (Figure 2) indicates that the email is likely spoofed, and the IP address suggests that it came from a potentially compromised device using the University of South Florida network (Figure 3). The choice of the name ‘cra-cerb’ in the address is used to add credibility to the email.

Figure 2 – SPF Fail 

Figure 3 – USF IP Address 

A Phish of 12 Different Flavors

The first landing page the phish visits is an impersonation of the CRA. It has working links in both French and English like a legitimate site from the Canadian government. Once the user has selected their language choice, they will be redirected to an impersonated Interac e-transfer site in said language.

Figure 4 – CRA Spoofed Site  

Once in the spoofed Interac e-transfer site (Figure 5), the user must choose their personal bank from twelve different options in order to receive the deposit. All of these banks are actual members of the Interac network, which suggests attention to detail from the adversaries: 

  • ATB Financial 
  • Bank of Montreal (BMO) 
  • Canadian Imperial Bank of Commerce (CIBC) 
  • Desjardins 
  • Laurentian Bank 
  • Meridian 
  • National Bank of Canada 
  • Royal Bank of Canada (RBC) 
  • Scotiabank 
  • Simplii Financial 
  • Tangerine 
  • TD Canada Trust 

Figure 5 – Spoofed Interac Page 

Next, the recipient is taken through a series of spoofed pages for the corresponding bank, with some offering both English and French versions. All pages reside within the compromised website of a Washington, DC area business. The URL paths vary depending on the bank, but follow this format:  

hxxps://lincolnrestaurant-dc[.]com/interca/{unique 32 character string}/bank/{bank name}/{html or php file} 
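The two artifacts called out above, the SPF failure in the headers (Figure 2) and the fixed URL path layout of the landing pages, are both things a defender can check automatically when triaging reports of this campaign. The following is an added example and is not code from the Cofense post or from the PDC: the sample email, proxy log lines, sender address and IP address are constructed for illustration, and only the compromised domain and the `/interca/{32 characters}/bank/{bank name}/{html or php}` path structure are taken from the post. Because the post does not state which characters the 32-character segment uses, the pattern matches any alphanumeric string of that length.

```python
"""Triage helpers for the CERB/Interac phish described above.

Added example, not code from the Cofense post. Two checks:
  1. Parse the Authentication-Results header of a reported email, flag an
     SPF failure, and flag a sender local-part that borrows the CRA/CERB/
     Interac brand (the post notes the sender used 'cra-cerb').
  2. Match URLs in proxy log lines against the landing-page path layout
     the post describes.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; addresses and IP are placeholders.
SAMPLE_EMAIL = """\
From: "INTERAC e-Transfer" <cra-cerb@example.invalid>
To: employee@example.invalid
Subject: INTERAC e-Transfer: CRA has sent you a CERB deposit
Authentication-Results: mx.example.invalid;
 spf=fail (sender IP is 192.0.2.10) smtp.mailfrom=example.invalid;
 dkim=none
Content-Type: text/plain

Your CERB deposit of $1,957.5 CAD is waiting. It expires in 24 hours.
"""

# Brand terms that make a sender local-part worth a second look.
SUSPICIOUS_LOCALPART = re.compile(r"(cra|cerb|interac)", re.IGNORECASE)


def spf_result(raw_message: str) -> str:
    """Return the spf= verdict from Authentication-Results, or 'none'."""
    msg = message_from_string(raw_message)
    for header in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bspf=(\w+)", header, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return "none"


def triage_email(raw_message: str) -> dict:
    """Combine the SPF verdict and sender-name check into one verdict."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    local_part = addr.split("@", 1)[0]
    reasons = []
    spf = spf_result(raw_message)
    if spf in ("fail", "softfail"):
        reasons.append(f"spf={spf}")
    if SUSPICIOUS_LOCALPART.search(local_part):
        reasons.append(f"brand term in sender local-part: {local_part}")
    return {"from": addr, "display": display, "spf": spf,
            "suspicious": bool(reasons), "reasons": reasons}


# Domain from the post's IoC section, kept defanged and refanged for matching.
PHISH_DOMAIN = "lincolnrestaurant-dc[.]com".replace("[.]", ".")

# Path layout from the post; the 32-character alphabet is an assumption.
PHISH_PATH = re.compile(
    rf"^https?://{re.escape(PHISH_DOMAIN)}/interca/[A-Za-z0-9]{{32}}"
    r"/bank/(?P<bank>[^/]+)/[^/]+\.(?:html|php)$",
    re.IGNORECASE,
)

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
SAMPLE_PROXY_LOG = [
    "2020-05-12T14:02:11Z 10.0.0.5 GET https://lincolnrestaurant-dc.com/interca/"
    "0123456789abcdef0123456789abcdef/bank/scotiabank/login.php 200",
    "2020-05-12T14:03:40Z 10.0.0.5 GET https://lincolnrestaurant-dc.com/interca/"
    "0123456789abcdef0123456789abcdef/bank/scotiabank/card.php 200",
    "2020-05-12T14:05:02Z 10.0.0.9 GET https://lincolnrestaurant-dc.com/interca/"
    "fedcba9876543210fedcba9876543210/bank/bmo/index.html 200",
    "2020-05-12T14:06:30Z 10.0.0.9 GET https://lincolnrestaurant-dc.com/menu/dinner.html 200",
    "2020-05-12T14:07:00Z 10.0.0.7 GET https://www.example.invalid/bank/scotiabank/login.php 200",
]


def find_phish_hits(log_lines):
    """Return (bank, url) for every log line whose URL matches the phish layout."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        m = PHISH_PATH.match(fields[3])
        if m:
            hits.append((m.group("bank").lower(), fields[3]))
    return hits


def targeted_banks(log_lines):
    """Sorted list of distinct bank slugs seen in matching URLs."""
    return sorted({bank for bank, _ in find_phish_hits(log_lines)})


if __name__ == "__main__":
    print(triage_email(SAMPLE_EMAIL))
    for bank, url in find_phish_hits(SAMPLE_PROXY_LOG):
        print(bank, url)
```

Only the fourth and fifth log lines are ignored: the first is the compromised site's legitimate content, the second is the right path on the wrong host. Matching on the full path layout rather than on the bare domain keeps the compromised business's ordinary traffic out of the alert, which matters when the victim host is a real site that users may have visited before.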

Although no two options are identical, most of the twelve spoofed banks ask for similar details: 

  • Usernames 
  • Card Numbers 
  • Passwords 
  • Security Questions and Answers 
  • Personal Information (PI) (Full Name, Date of Birth, Email, etc) 

Scotiabank (English) was chosen to showcase an example of the entire phish process. The initial page the user is presented with is a standard login page asking for credentials; notice the slight typo of the word “sign” on the “Sing in” button (Figure 6). 

Figure 6 – Scotiabank Sign in 

The next page asks for sensitive PI and card information (Figure 7). The user is then asked for security questions and answers (Figure 8), which might falsely provide the reassurance that some form of multi-factor authentication is being employed. The combination of PI such as a Social Insurance Number, credit card numbers and MFA questions could form a fairly solid base for identity theft or impersonation. Once submitted, a final page confirms the funds will be deposited in 48 hours (Figure 9).

Figure 7 – Scotia PI and Card Info 

Figure 8 – Scotia MFA Security Questions 

Figure 9 – Deposit Successful 

Figures 10 through 20 show the login pages for the remaining eleven spoofed banks.  

Figure 10 – ATB 

Figure 11 – BMO 

Figure 12 – CIBC  

Figure 13 – Desjardins  

Figure 14 – Laurentian  

Figure 15 – Meridian  

Figure 16 – National Bank 

Figure 17 – RBC  

Figure 18 – Simplii  

Figure 19 – Tangerine  

Figure 20 – TD  

Indicators of Compromise

Malicious URL:

hxxps://lincolnrestaurant-dc[.]com/interca

Associated IP:

108[.]167[.]182[.]39
