Invoice Themed Phishing Emails Are Spreading from Trusted Links

By: Kian Mahdavi, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) is seeing continued growth in phishing attacks that harvest users’ credentials via genuine file-sharing websites, observed in environments protected by Proofpoint’s Secure Email Gateway (SEG). A huge factor in this campaign is the confidence users place in emails that carry the “trusted” Dropbox reference.

It is tricky for SEGs to keep up with attempts to spread phishing attacks and malware via sharing services such as Dropbox, ShareFile, WeTransfer, Google Docs, Egnyte and even SharePoint. Fortunately, a few of our clients’ users reported the phishing emails via the Cofense Reporter button.

The “traditional” methodology for attackers was to “break in.” Nowadays, they can easily “log in,” thanks to sharing sites.

Figure 1 – Body of the email, showing how the success of this attack ties in with user interaction

The spear-phishing email contains a link that asks the user to access a purchase order form with a (.pdf) extension. Upon clicking, the user is taken to their default web browser and prompted to click the “Download” button, and the website saves the file to the “Downloads” folder. Nothing sinister going on, right?

The sending address’s domain – “actionsportsequipment[.]com” – coincidentally relates to the nature of the client’s industry; this demonstrates the lengths the attackers went to in a bid to slip through the “secure” environment. One must ask oneself: “Was I expecting this transfer?” and “Am I expecting to receive a purchase order from this sender?”

Moreover, since the emails have been authenticated against Dropbox’s internal servers, the emails pass basic email security checks such as DKIM and SPF.

Figure 2 & 3 – Downloadable purchase order file

Once the download has completed, the user is prompted to open the (.html) file, assuming the “purchase order” form will appear; instead, the campaign redirects the user to a supposed “Microsoft” login page.

In this case, the attackers used the free website builder “Weebly.com,” yet another legitimate source. This further deceives the security measures in place: trusted redirect domains and IPs will naturally continue to be white-listed and deemed “safe,” since millions of users share data with one another on a daily basis.

For this reason the padlock icon is present: the connection is encrypted for both parties, but the padlock also lends the illusion that the website itself is “secure.”

Figure 5 – Phishing site built by Weebly

Once credentials have been supplied, the campaign redirects the user to the authentic ‘office[.]com’ webpage, which could even be enough to assure users it was a genuine procedure. A user’s personal data could potentially be in the hands of the threat actor, assuming they logged in with their true Microsoft credentials.

Figure 6 – Redirect to Microsoft Office webpage  

Indicators of Compromise:

Network IOC IP
hXXps://www[.]dropbox[.]com/l/AADOPQGXtuDK03QYuvJqI0MbDlDxBTV28Cs
hXXps://www[.]dropbox[.]com/l/AAAtWq-LVZcqXBnFLinUi9rB3LpEijuPo78
162[.]125[.]6[.]1
hXXps://helpsupport0ffice20[.]weebly[.]com/ 199[.]34[.]228[.]53
199[.]34[.]228[.]54

LEARN MORE about the Cofense Phishing Defense Center. See how the PDC’s managed phishing response and remediation stops the phishing attacks that elude email gateways.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Found in Proofpoint-Protected Environments – Week Ending July 12, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. This week’s theme is financial – with a large number of invoice and purchase order lures designed to trick recipients into clicking links and attachments. We’ve documented these attack types for some time now.

TYPE: Credential Theft

DESCRIPTION: Mail storage-themed phish have been used for some time to frighten recipients into clicking the link so their email account isn’t suspended. This attack, in Chinese, directs the recipient to a credential harvesting page customized with the recipient’s email domain name, lending a sense of veracity to the site.

TYPE: Credential Theft

DESCRIPTION: This finance-themed attack uses the ever-popular Microsoft OneDrive to host a malicious OneNote document that steals Office365 credentials before redirecting the recipient to a real Microsoft page, delaying the recognition that they were just targeted.

TYPE: Credential Theft

DESCRIPTION: Keeping with the finance theme, this attack delivers an embedded URL that leads to a credential harvesting page. Proof that if the lure looks good, the recipient can be tricked into clicking.

TYPE: Credential Theft

DESCRIPTION: This is getting repetitive, but another finance-themed attack spoofing a popular brand to convince the recipient to click. This attack targets banking credentials, potentially giving the attackers access to the bank account of the recipient.

TYPE: Malware – Pyrogenic

DESCRIPTION: Last week’s attackers really had money on their minds. This invoice-themed attack uses image links pretending to be invoices to drive the recipient to download the Pyrogenic stealer malware.

TYPE: Malware – Agent Tesla

DESCRIPTION: This attack uses a purchase order theme to deliver an attached .html file that will direct the recipient to download the Agent Tesla malware. We discussed this malware earlier this year on our Phish Fryday podcast.

TYPE: Malware – Dridex

DESCRIPTION: Another invoice, another piece of malware. This time the attacker uses a macro-enabled Microsoft Excel file to deliver the Dridex malware. Are you sure you want to enable macros?

TYPE: Malware – Ursnif

DESCRIPTION: This Italian invoice-themed attack forces the victim through a few steps, which were designed with SEG evasion in mind. A password-protected .zip file is delivered, with the password provided, which contains a macro-enabled Microsoft Office document. From there, the Ursnif malware is downloaded and deployed. Arrivederci, baby.

TYPE: Malware – ZLoader

DESCRIPTION: A simple invoice. A simple .xls attachment. A complex attack that uses Microsoft Excel macros and a VBS downloader to install ZLoader on the recipient’s machine. We blogged about this tactic a few weeks ago.

TYPE: Malware – Agent Tesla

DESCRIPTION: Agent Tesla continues to be a popular threat delivered via phishing emails. This attack uses a purchase order theme to entice the recipient into clicking the embedded link to download this malicious keylogger extraordinaire.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Practitioners Report the Need for Layered Email Security

By: Edward Amoroso, CEO and Analyst, TAG Cyber

In a recent survey, a majority of practitioners agreed on the need for protection that augments email gateways to deal with phishing attacks.

As phishing has become more prevalent and sophisticated, security experts have focused more on securing endpoints and email, the latter being the simplest way into an organization’s network. While cyber security teams have numerous defensive controls, according to a recent industry survey conducted jointly by TAG Cyber and Cofense, experts agree that deployed controls such as secure email gateways (SEGs) are necessary as a first line of defense but, on their own, aren’t sufficient to keep attackers from exploiting the endpoint.

On July 22, 2020, TAG Cyber and Cofense will present a webinar to discuss the survey results and present phishing defense strategies for companies who want to increase their efficacy against phishing attacks. You can learn more about the webinar and register here.

The survey asked security practitioners to answer the following question: Our security team sees phishing emails get past our Secure Email Gateway (SEG) at the following rate:

  1. Never
  2. Daily
  3. Weekly
  4. Monthly
  5. Hourly

Conducted by email and web and targeted at mid-to-senior level security practitioners, the survey concluded that 50% of organizations report that phishing emails bypass deployed SEGs daily. One respondent, the Chief Information Security Officer of a major financial institution, replied, “SEGs are getting much better at blocking emails with links and forms, but spam asking for money or hardware or simply probing for valid email addresses still get through at a daily rate.”

Another respondent, also a CISO at a financial firm, responded, “Phishing emails will always get through. I don’t think any SEG is going to be 100% effective, or even 75%, because there are so many variables that can be changed to evade detection. We accept this to be true, and therefore have other controls…that can block access to the links once clicked, isolation that can render pages inert, or visual cues to indicate to the employees that the e-mail might not be safe.”

The remaining 50% of respondents reported that phishing emails bypass SEGs weekly (26%) and monthly (24%). Frank Abelson, President of Navitend, which provides managed services, including security to business and government customers, agreed that a layered approach is recommended. “Many of our clients combine gateway solutions with additional controls such as training to protect their inboxes from phishing,” he said.

Aaron Higbee, CTO of Cofense, sees this as an opportunity. “We have known for years that human detection combined with automation is necessary to protect employees from phishing attacks,” he said. “We are not surprised that this TAG Cyber survey found attacks leaking into enterprise inboxes.”

To learn more about the survey’s results and layered phishing defenses, register for the webinar.

 


HMRC latest target in global COVID relief phishing campaigns

By Jake Longden, Cofense Phishing Defense Center

Taxes and rebates have long been some of a phisher’s favorite targets. Now the coronavirus has provided a fresh new way to exploit this topic: the government grants designed to help small businesses and those out of work due to the pandemic.

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign in the U.K. that aims to harvest HMRC (Her Majesty’s Revenue and Customs) credentials and sensitive personal information by preying on employees who are expecting COVID relief grants.

With multiple world governments providing such grants, this is an easily modifiable tactic—simply modify the email to spoof the target country’s tax service.

Figure 1: Email Header

To add authenticity to the email, the threat actors have used an email address (hmrc@hotmail.com) with the impersonated organization in the name and set the name to match (HM Revenue & Customs). That, combined with the subject line, is a great way to attract the user’s interest (“Helping you during this covid from government”). Whilst this sentence is not using the greatest grammar, who wouldn’t want government assistance during these difficult times?

Figure 2: Email Body

When first viewing the email, the user is presented with a notification that the government is offering between £2500 and £7500 in tax grants for those whose work has been affected by the virus. The email includes a link to check their eligibility. With the government publicly and repeatedly mentioning such sums, the email is believable to inattentive users. The attacker also mentions the “Open Government License v3.0,” a legitimate copyright license used by the Government and Crown Services, to provide additional credibility.

Figure 3: Phishing Page

Once the link is clicked, the user is presented with a realistic clone of the GOV.UK website. This may alleviate concerns a user may have and provide a false sense of security, as the page is extremely similar to the HMRC account sign-in page. The biggest red flag: the URL, just-bee.nl, is not relevant.

Figure 4: Phishing Page

Figure 5: Phishing Page

Here the user is asked to enter some very personal and sensitive data. Another sign that this is a scam: the volume and sensitivity of data requested far exceeds what is required to sign into a legitimate account. The data requested here screams “identity theft/impersonation.”

From there, the user is directed to a page that seems to be loading, to help provide the impression that the data is being processed and an eligibility check performed.

Figure 6: Processing Page

 

Network IOC IP
hXXps://www[.]lagesports[.]com/[.]tmb/xml[.]php 69[.]10[.]32[.]186
hXXps://rtoutletpremium[.]com[.]br/[.]well-known/pki-validation/UTR/index[.]php 162[.]241[.]182[.]5

 

How Cofense Can Help

Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots and YARA rules as we continue to track campaigns.


New Covid-19 Phish Abuses Tax Relief Act to Steal Credentials

By Ashley Atkins, Cofense Phishing Defense Center

For the past few months, the Cofense Phishing Defense Center (PDC) has observed numerous phishing campaigns associated with the coronavirus (COVID-19) pandemic.  These COVID-19-themed phish come in various forms and tend to prey on those fearful of contracting the disease as well as those who are in dire need of economic relief. Recently, the PDC identified a unique version that deserves an overview.

For this attack the user received a malicious email impersonating the US Department of Revenue with the subject: CARES Relief Certificate. The message body references information regarding the 2019 185 Act that has received attention in media outlets and social platforms. Researching the Act suggests it is highly likely the attacker copied that information from a website, made minor changes and created this phishing email, as seen in Figure 1 below.

Figure 1: Email Body

At a glance, this email simply informs users of the tax provisions adopted from the CARES Relief Act and outlines the details regarding it. It also mentions a deadline for applying, and that in order to apply users must fill out an attached secure document. One thing to note, this email arrived a few days after the stated deadline in the email. This may be intentional on the threat actor’s part in order to instill a sense of urgency in users – “you’re late and the deadline has passed!” However, some users may be pressed enough to attempt to apply, thinking it is worth a shot if it could mean receiving relief during this pandemic.

Many obvious red flags are present in this email. Besides the unsightly format, grammatical errors and random property address, the most evident red flag is the sender’s address. The attacker has abused AWeber’s email marketing service. AWeber’s use of SenderID authentication results in the “From” line showing as “Department of Revenue <state=lrs-gov[.]tk[@]send[.]aweber[.]com> on behalf of Department Of Revenue <state[@]lrs-gov[.]tk>”. When reviewing the domain, it seems to read as “Irs” (IRS), but the first letter is actually a lower-case L. The use of the .tk top-level domain (TLD) is worth noting as well. This TLD is the country code for a New Zealand territory called Tokelau. It is also free and one of the top TLDs used in phishing attacks.
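The look-alike sender domain described above (a lower-case L standing in for the I of “IRS”, on a free TLD) is the kind of thing a mail-flow rule can catch mechanically. The following is an added example, not Cofense’s code: it folds the common visually confusable characters before comparing the sender’s registrable label against a brand watch list, and separately flags free ccTLDs. The brand list, the TLD list and the sample From headers are constructed assumptions for the example.

```python
"""Flag sender domains that visually impersonate a watched brand.

Added example (not Cofense's code). "lrs-gov.tk" reads as "irs-gov" because
a lower-case L looks like a capital I; folding confusable characters first
makes the comparison see what the eye sees. Brand and TLD lists below are
assumptions for the example.
"""
import re

# Single characters that read as something else in most sans-serif fonts.
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s", "3": "e"})
# Character pairs that read as one glyph.
MULTI = [("rn", "m"), ("vv", "w")]

WATCHED_BRANDS = {"irs", "hmrc", "microsoft", "dropbox"}   # assumption
# Free ccTLDs frequently used for phishing (.tk is Tokelau, as the post notes).
FREE_TLDS = {"tk", "ml", "ga", "cf", "gq"}                 # assumption


def fold(label: str) -> str:
    """Normalise a domain label to what a reader perceives."""
    s = label.lower().translate(CONFUSABLES)
    for pair, rep in MULTI:
        s = s.replace(pair, rep)
    return s


# Brands are folded too, so a brand containing an "l" still matches itself.
FOLDED_BRANDS = {fold(b): b for b in WATCHED_BRANDS}


def sender_domain(from_header: str) -> str:
    """Domain of the address inside <...>, or of the bare address."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def assess(from_header: str) -> dict:
    """Return a verdict for one From header (no public-suffix handling)."""
    domain = sender_domain(from_header)
    labels = domain.split(".")
    tld = labels[-1]
    sld = labels[-2] if len(labels) >= 2 else labels[0]   # label left of the TLD
    folded = fold(sld)
    # Compare the whole label and each hyphen-separated token ("irs-gov" -> "irs").
    tokens = set(folded.split("-")) | {folded}
    # A label that *is* the brand (irs.gov) is not a look-alike.
    lookalike = sorted(FOLDED_BRANDS[t] for t in tokens
                       if t in FOLDED_BRANDS and FOLDED_BRANDS[t] != sld)
    return {
        "domain": domain,
        "folded_label": folded,
        "lookalike_of": lookalike,
        "free_tld": tld in FREE_TLDS,
        "suspicious": bool(lookalike) or tld in FREE_TLDS,
    }


if __name__ == "__main__":
    for hdr in ("Department of Revenue <state@lrs-gov.tk>",   # constructed
                "IT <helpdesk@rnicrosoft.com>",               # constructed
                "no-reply@dropbox.com"):                       # constructed
        print(assess(hdr))
```

The folding is deliberately lossy: it only needs to make a look-alike collide with the brand it imitates, and the `FOLDED_BRANDS[t] != sld` check keeps the genuine brand domain from flagging itself.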

Should users go so far as to download and open the “secure” HTML attachment, they are presented with a typically formatted Microsoft login page. This may appear odd, as the threat actor has impersonated a well-known and trusted entity such as the US Department of Revenue.

The fake Microsoft login page prompts for the standard username and password.

Figure 2: Phishing Page

Once credentials are submitted, a PHP script sends the stolen information to the attacker. The HTML’s source code attempts to bypass URL detection by using base tags that split each malicious URL into two sections.
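A scanner that only looks for complete URL strings misses the base-tag trick just described, because the origin lives in `<base href>` and the path lives in the form’s `action`. The following is an added example, not Cofense’s code: a small `html.parser` walk that records the first `<base href>` and resolves every form action, link and script source against it, which is how a browser would build the effective request URL. The sample attachment markup and the `phish-host.example` hostname are constructed for the example.

```python
"""Resolve the effective URLs inside an HTML credential-phishing attachment.

Added example (not Cofense's code). A <base href> tag makes every relative
URL in the document resolve against a different origin, so the complete
exfiltration URL never appears as one string. This reproduces the browser's
resolution so the analyst sees the real destination. The sample HTML and
its hostname are constructed for illustration.
"""
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urljoin

# Constructed sample: origin and path of the POST target are never adjacent.
SAMPLE_HTML = """
<html><head>
<base href="https://phish-host.example/api/">
<title>Sign in</title></head>
<body>
<form method="post" action="api.php">
  <input name="login"><input name="passwd" type="password">
</form>
<script src="../static/collect.js"></script>
<a href="/help">Need help?</a>
</body></html>
"""

# Tag -> attribute whose value is a URL worth resolving.
URL_ATTRS = {"form": "action", "a": "href", "script": "src", "iframe": "src", "img": "src"}


class BaseAwareParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.base: Optional[str] = None
        self.raw: List[Tuple[str, str]] = []   # (tag, attribute value as written)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href") and self.base is None:
            # Browsers honour only the first <base href> in a document.
            self.base = attrs["href"]
        elif tag in URL_ATTRS and attrs.get(URL_ATTRS[tag]):
            self.raw.append((tag, attrs[URL_ATTRS[tag]]))


def resolve_urls(html: str, document_url: str = "about:blank"):
    """Return (base_href_or_None, [(tag, raw_value, effective_url), ...])."""
    p = BaseAwareParser()
    p.feed(html)
    base = p.base or document_url   # without <base>, resolve against the document itself
    return p.base, [(tag, raw, urljoin(base, raw)) for tag, raw in p.raw]


def exfil_targets(html: str) -> List[str]:
    """Effective form-submission URLs: where typed credentials would be POSTed."""
    _, resolved = resolve_urls(html)
    return [url for tag, _, url in resolved if tag == "form"]


if __name__ == "__main__":
    base, resolved = resolve_urls(SAMPLE_HTML)
    print("base href:", base)
    for tag, raw, effective in resolved:
        print(f"{tag:7} {raw!r:28} -> {effective}")
```

Feeding the resolved form targets, rather than the raw attribute values, into URL reputation checks is the point: the raw `action` value is just `api.php` and would match nothing.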

Figures 3-5: Source Code

Network IOCs IP
hxxps://youdiaddy[.]ml/api/api[.]php? 192[.]236[.]194[.]247
hxxps://ijodaddy[.]cf/api/api[.]php? 23[.]254[.]230[.]115

 


Phish Found in Proofpoint-Protected Environments – Week Ending July 5, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.


Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. The majority of this week’s examples are Credential Theft, an attack type we’ve been watching grow for some time. While not a panacea, many companies are rolling out MFA solutions to reduce the risk from compromised accounts.

TYPE: Credential Theft

DESCRIPTION: This notification-themed phish spoofs a European provider of credit and payment cards to trick victims into turning over their credentials.

TYPE: Credential Theft

DESCRIPTION: This notification-themed email delivers a .htm file pretending to be a short voice message. Instead, it spoofs Microsoft URLs with the intent to harvest login credentials.

TYPE: Malware – Mass Logger

DESCRIPTION: This finance-themed attack delivers OneDrive URLs to the unsuspecting victim, leading them to download the Mass Logger malware. This malware was recently analyzed by Cofense and noted for its capabilities as well as its frequent update cycle.

TYPE: Credential Theft

DESCRIPTION: Here’s a finance-themed phishing attack that delivers attached .html files. These files spoof a well-known brand to capture corporate credentials.

TYPE: Credential Theft

DESCRIPTION: They say sharing is caring, but not when it’s a phishing attack masquerading as a Coronavirus document. This attack uses SharePoint URLs to host credential-stealing pages. Cofense has been tracking COVID-19 scams since the beginning.


Phish Found in Proofpoint-Protected Environments – Week Ending June 28, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.


Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. Of note is the use of macro-enabled documents using Microsoft Office document extensions dating to versions sold prior to 2007. Organizations may want to consider ways to identify and filter these files.

TYPE: Malware – Dridex

DESCRIPTION: Macro-enabled Excel documents and Dridex malware – name a more iconic pair. This phishing attack used Microsoft Excel documents to deliver Dridex to the inbox. Just like we’ve been blogging about since 2017.

TYPE: Malware – ZLoader

DESCRIPTION: Who uses XLS files anymore? Well, attackers for one. This attack uses the long outdated file type to execute macros that download ZLoader via a VBS chain. Cofense Triage customers have been detecting and remediating attacks delivering ZLoader since 2017.

TYPE: Credential Theft

DESCRIPTION: This phish leverages a trusted cloud storage service to capture login credentials from the Danish-speaking victim. This should come as no surprise, as Cofense has been seeing the use of trusted cloud services for years.

TYPE: Malware – NetWire

DESCRIPTION: Microsoft’s Office Equation Editor vulnerability (CVE-2017-11882), discovered in 2017, has been a favorite for attackers. Malicious documents are delivered via attachment or, as in this case, an embedded URL to compromise victims. This example delivers the NetWire Remote Access Trojan.

TYPE: Malware – ZLoader

DESCRIPTION: Another attack using the old XLS format with macros to deliver ZLoader. This one uses an invoice theme to trick its victims into opening the attachment.

TYPE: Malware – Agent Tesla

DESCRIPTION: This invoice-themed phish includes an embedded URL to download a .7z archive. Inside the archive is the ever-popular Agent Tesla, a top threat as recently as last year.

TYPE: Credential Theft

DESCRIPTION: While we saw plenty of malware in this week’s batch, the old standard of credential phish is still around. This profile-themed phish spoofs a state agency to capture credentials that are exfiltrated using Google forms.

TYPE: Malware – Hive

DESCRIPTION: This purchase order-themed phish delivers an embedded URL to the FireBird Remote Access Trojan variant known as Hive.


“You’re Invited!” to Phishing Links Inside .ics Calendar Attachments

By Ashley Tran, Cofense Phishing Defense Center

Every day threat actors find more and more ingenious ways to deliver phishing emails to end users. From direct attachments to using third party document hosting sites and… calendar invitations? The Cofense Phishing Defense Center (PDC) has unearthed a new phishing campaign in multiple enterprise email environments protected by Proofpoint and Microsoft that delivers .ics calendar invite attachments containing phishing links in the body. It’s assumed that the attackers believe stuffing the URL inside a calendar invite would help avoid automated analysis.

Figure 1: Email Body

The subject of this phish is “Fraud Detection from Message Center,” reeling in curious users. The sender display name is Walker, but the email address appears to be legitimate, possibly indicating a compromised account belonging to a school district. Cofense observed the use of several compromised accounts used to send this campaign. Using a compromised real account originating from Office 365 allows the email to bypass email filters that rely on DKIM/SPF.

The story in this phish is a version of a classic lure “suspicious activity on the user’s bank account.” This attachment, however, doesn’t jibe with the ruse considering it’s a calendar invite. A more fitting lure would have been something like “I attached a meeting invite; can you please attend?” Maybe this attacker flunked out of Internet bad guy school.

Figure 2 shows what the calendar invite looks like when opened. Note that the link it contains is hosted on the legitimate SharePoint.com site, an issue that continues to be problematic for Microsoft.
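The point of hiding the link in an .ics body is that attachment scanners rarely treat a calendar invite as something that carries URLs. The following is an added example, not Cofense’s code: an RFC 5545-aware extractor that unfolds continuation lines, unescapes TEXT values and collects URLs from the properties that can carry free text or links, so the full link is recovered even when the file wraps it across lines. The sample invite and the `invite-host.example` hostname are constructed for the example.

```python
"""Pull URLs out of an .ics calendar attachment for inspection.

Added example (not Cofense's code). iCalendar (RFC 5545) folds long lines
at 75 octets and escapes commas, semicolons and backslashes in TEXT values,
so grepping the raw file truncates or misses links. This undoes both before
searching. The sample invite and its hostname are constructed.
"""
import re
from typing import Iterator, List, Optional, Tuple

# Constructed sample: the link is folded across two physical lines.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Fraud Detection from Message Center\r\n"
    "DESCRIPTION;LANGUAGE=en-US:Suspicious activity was detected on your accou\r\n"
    " nt. Review it here: https://invite-host.example/:b:/g/personal/user/\r\n"
    " ERtoPLACEHOLDER\\, then confirm.\r\n"
    "URL:https://invite-host.example/verify?id=42\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Properties whose values can carry links or free text.
LINK_PROPS = {"DESCRIPTION", "URL", "LOCATION", "ATTACH", "X-ALT-DESC", "COMMENT"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unfold(ics: str) -> List[str]:
    """Join continuation lines: a line break followed by one space or tab."""
    text = ics.replace("\r\n", "\n")
    return re.sub(r"\n[ \t]", "", text).split("\n")


def unescape(value: str) -> str:
    """Undo RFC 5545 TEXT escaping."""
    return (value.replace("\\n", "\n").replace("\\N", "\n")
                 .replace("\\,", ",").replace("\\;", ";").replace("\\\\", "\\"))


def split_property(line: str) -> Tuple[Optional[str], Optional[str]]:
    """Split 'NAME;PARAM="a:b":value' at the first colon outside quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i], line[i + 1:]
    return None, None


def properties(ics: str) -> Iterator[Tuple[str, str]]:
    """Yield (property name, unescaped value) for every content line."""
    for line in unfold(ics):
        head, value = split_property(line)
        if head is None:
            continue
        name = head.split(";", 1)[0].upper()   # drop parameters
        yield name, unescape(value)


def extract_urls(ics: str) -> List[str]:
    """Every distinct URL found in link-bearing properties, in order."""
    found: List[str] = []
    for name, value in properties(ics):
        if name in LINK_PROPS:
            for url in URL_RE.findall(value):
                url = url.rstrip(".,;)")        # trailing prose punctuation
                if url not in found:
                    found.append(url)
    return found


if __name__ == "__main__":
    for url in extract_urls(SAMPLE_ICS):
        print(url)
```

Running the extracted URLs through the same link analysis the gateway applies to the message body closes the gap the attackers are assumed to be exploiting; `X-ALT-DESC` is included because Outlook-generated invites put an HTML copy of the body there.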

Figure 2: Calendar invite (.ics) Attachment

Upon clicking the link in the fake invitation, a relatively simple document opens with yet another link to follow, as seen in Figure 3 below:

Figure 3: Phishing Page

If the victim follows that link, they are redirected from sharepoint.com to a phishing site hosted by Google. Clicking anywhere on the document then redirects users to a bogus phishing page seen in Figure 4.

Figure 4: Phishing Page

As shown in Figure 4, the final phishing page users are directed to is hosted on:

hXXps://storage[.]googleapis[.]com/awells-putlogs-308643420/index[.]html

This is not the first time threat actors have utilized “storage[.]googleapis[.]com” to host their phish. In fact, it is becoming increasingly common thanks to its ease of use and the SSL certificate the domain comes with, which adds the “trusty” padlock beside the URL.

Once redirected here from the previous SharePoint page, users are presented with a convincing Wells Fargo banking page, as seen in Figure 4. This page asks for a variety of Wells Fargo account information including login details, PIN and various account numbers along with email credentials. At surface value, it may seem excessive to request this level of information, but under the pretense of “securing” one’s account, it may not appear to be so much.

Should users provide all the requested information, they will finally be redirected to the legitimate Wells Fargo login page to make the user believe they have successfully secured their account and nothing malicious has taken place.

And to think, all of this from a simple calendar invite. It goes to show, users and their security teams must constantly maintain phishing awareness training and remain vigilant as threat actors continue to find new ways to slip past gateways right into inboxes.

Network IOCs IPs
hXXps://mko37372112-my[.]sharepoint[.]com/:b:/g/personal/admin_mko37372112_onmicrosoft_com/ERto2NKXu6NKm1rXAVz0DcMB431N0n1QoqmcqDRXnfKocA 172[.]217[.]13[.]240
hXXps://storage[.]googleapis[.]com/awells-putlogs-308643420/index[.]html 13[.]107[.]136[.]9

Phish Found in Proofpoint-Protected Environments – Week Ending June 21, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and were automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. We are not alone in dealing with attachment issues. This week’s batch of phish contains quite a few bearing common attachments to deliver malware and steal credentials. If only there were a better way to defend ourselves.

TYPE: Malware – NanoCore

DESCRIPTION: This purchase order-themed phish delivered a .zipx attachment that was actually a RAR archive. The attackers were kind enough to instruct the recipient what software to use to access the NanoCore Remote Access Trojan within. NanoCore resurfaced in early 2018 and still reaches inboxes.

TYPE: Malware – Dridex

DESCRIPTION: A finance-themed phish uses a macro-enabled Microsoft Excel attachment to deliver the Dridex malware. Cofense was reporting on this malware back in 2015 and it still finds success despite the latest advances in perimeter technologies.

TYPE: Malware – Agent Tesla

DESCRIPTION: The delivery-themed phishing example targets organizations in Thailand promising shipping information at the embedded link. The victim will end up with a case of Agent Tesla, a keylogger (and more) that we discussed in a recent Phish Fryday podcast.

TYPE: Malware – Remcos

DESCRIPTION: This document-themed phish includes a Microsoft Word attachment that leverages a pair of Microsoft Office vulnerabilities (CVE-2017-0199 and CVE-2017-11882) to download a DotNETLoader to install the Remcos Remote Access Trojan. Cofense has tracked the exploitation of these vulnerabilities since 2017.

TYPE: Malware – Dridex

DESCRIPTION: Pretending to be an international logistics company with some shipment information, the attached .zip file contains a macro-enabled Microsoft Office document that displays a fake invoice while silently installing the Dridex malware.

TYPE: Malware – Ursnif

DESCRIPTION: Attackers love to leverage legitimate cloud services to make their phish more successful. This response-themed attack makes use of Firefox Send to deliver a password-protected archive containing VBScripts that will download and run the Ursnif malware.

TYPE: Malware – TrickBot

DESCRIPTION: Spoofing a state government office, this phish delivers macro-laden Microsoft Office documents via an embedded link to a SharePoint site requiring a password for access. The victim will download the TrickBot malware.

TYPE: Credential Theft

DESCRIPTION: Attackers haven’t forgotten about the Coronavirus and continue to leverage the theme to get recipients to engage. This attack delivers an HTML attachment that spoofs Adobe to steal credentials.

TYPE: Credential Theft

DESCRIPTION: Another document-themed attack delivering a web page (.htm). This one spoofs a Microsoft login page to harvest credentials.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Practice Makes Perfect

By Noah Mizell and Kyle Duncan, Cofense Phishing Defense Center

The Phishing Defense Center (PDC) has discovered two distinct phishing campaigns found in environments protected by Proofpoint that spoof Twitter by using registered fraudulent domains.

Some threat actors cycle through numerous attack techniques over their careers; others stick with tried-and-true attacks that have proven effective. The latter is the case in the following scenarios: both attacks come from the same campaign and rely on similar tactics, namely registered fraudulent domains, specifically tailored sender emails, and nearly identical phishing emails and pages.

Figures 1-2: First Iteration of Attack

The subject of the phishing email is “Security alert: new or unusual login” followed by the sender email “verify[@]tlwtttierz[.]com”. Although it is obviously not Twitter.com, it is similar enough to the real name that users may overlook the difference because of the urgent tone. However, users must be careful when reacting in haste, as threat actors seek to turn quick thinking against targets to steal their credentials.

The body of the email looks like a legitimate Twitter notification. Similar font type, layout, the familiar Twitter logo showing – nothing appears to be amiss. Reading the contents of the message though, users may be surprised to see there has been a new login from a new device from Spain! Supposing the user is not connected to this location, this is likely to be cause for concern. But worry not, “Twitter” has sent a handy link to secure the account in question.

Hovering over the link “Secure my account”, it shows the redirect is:

twltt%C4%99r[.]com

However once clicked, users are sent to a URL that looks like “Twitter.com”:

twlttęr[.]com

For this attack, the threat actor uses punycode to make the final URL look like “Twitter.com”. Punycode has been noted as an extremely easy way to make phishing URLs look very similar to the site they impersonate. It essentially takes domain labels that cannot be written in ASCII and converts them into an ASCII encoding (the xn-- form) that browsers and DNS understand.

For example, the URL to which the attack directs does not actually include an ASCII letter ‘e’; the hover link shows the hexadecimal byte sequence ‘C4 99’ (the UTF-8 encoding of the character) in percent-encoded form, twltt%C4%99r. When the browser decodes %C4%99 it renders the Polish letter ę, which happens to look very similar to the ‘e’ we are used to seeing in the legitimate Twitter.com URL; for name resolution the browser converts the same hostname into its punycode form, xn--twlttr-04a[.]com, which is why that domain appears alongside the Unicode form in the IOC list below.

Figures 3-4: Second Iteration of Attack

Although this second attack may appear to be the same one from Figures 1-2, it is an improvement – the threat actor made minor tweaks to enhance its believability.

The subject of the email has changed: “New login from Safari on iPhone”. Like the previous attack’s subject, this is also meant to evoke a sense of urgency. This time, however, the sender email is not the obviously wrong “verify[@]tlwtttierz[.]com” but rather a more subtle “verify[@]mobiles-twitter[.]com”.

Although this email looks like an exact copy of the last attack, the threat actor added a small yet impactful detail: at the bottom they specifically reference the recipient: “We sent this email to _____”. Most users have been told to look out for generic “Dear sir/ma’am” terms in emails. If the email is not specifically addressed to the recipient, it is likely a mass mailing, perhaps with malicious intent. For most users, personalization adds legitimacy.

As in the last attack, the threat actor included a disclaimer under this hyperlink to “help” users know this is a legitimate email from Twitter. Both emails mention the display of a padlock as meaning a secure and legitimate site. This padlock only shows that the website is using an active SSL certificate, signifying encrypted communications between the user and the web server. However, contrary to widespread belief, a padlock does not equal safe. The attacker is simply trying to erase any doubts about the site.

The final change of this second attack can be seen when hovering over the “Confirm my identity” hyperlink and finding a new fraudulent domain:

mobiles-twitter[.]com

This domain appears to be more legitimate than the one from the first attack, as it contains the word “twitter”. Considering mobile[.]twitter[.]com leads to the legitimate mobile version of Twitter, this “mobiles-twitter[.]com” was more than likely supposed to be a dupe.

Perhaps this attack was also intended to typosquat, luring victims the attacker never initially targeted. Typosquatting, or URL hijacking, relies on users making small mistakes when typing a URL, whether adding a period where there was a dash or misspelling the domain. The attacker has registered that mistakenly typed URL, so anyone who accidentally visits it will be subject to whatever is on that page.
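The percent-encoded hover link, the ę rendered in the address bar, the xn-- form the browser resolves, and the “mobiles-twitter” keyword squat are the same hostname seen at different stages of normalisation. The following is an added example (not code from the Cofense post) showing how a mail-filtering or triage script can walk that chain with Python’s standard library and flag lookalikes of a protected brand. The PROTECTED_BRANDS map, the refang helper, and the “registrable domain = last two labels” shortcut are assumptions made for illustration; the sample URLs are the post’s own defanged IOCs plus two legitimate links.

```python
"""Added example (not from the Cofense post): normalise a link's hostname the way a
browser does and flag brand lookalikes, covering the %C4%99 -> ę -> xn--twlttr-04a
chain and the 'mobiles-twitter' keyword squat. Brand list and samples are constructed."""
from __future__ import annotations

import unicodedata
from urllib.parse import unquote, urlsplit

# Assumption: the brands we protect, mapped to the registrable domains that really belong
# to them. A real deployment would load this from an organisation's brand-protection list.
PROTECTED_BRANDS = {"twitter": {"twitter.com", "t.co"}}


def refang(url: str) -> str:
    """Undo the hXXp / [.] defanging used in IOC lists so the URL parses normally."""
    return url.replace("hXXp", "http").replace("[.]", ".")


def to_unicode(host: str) -> str:
    """Turn an already-punycoded host (xn--...) back into Unicode; leave others alone."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:  # host already contains non-ASCII characters
        return host


def hostname_forms(url: str) -> dict[str, str]:
    """Return the Unicode, punycode and confusable-folded ('skeleton') forms of the host.

    A hover link such as https://twltt%C4%99r.com carries the UTF-8 bytes of ę
    percent-encoded; unquote() yields the Unicode host the address bar shows,
    .encode("idna") yields the xn-- form the browser actually resolves, and the
    skeleton strips diacritics so that 'twlttęr' is compared with the brand as 'twltter'.
    """
    host = urlsplit(refang(url)).hostname or ""
    unicode_host = to_unicode(unquote(host)).lower()
    punycode_host = unicode_host.encode("idna").decode("ascii")
    skeleton = "".join(
        ch for ch in unicodedata.normalize("NFKD", unicode_host)
        if not unicodedata.combining(ch)
    )
    return {"unicode": unicode_host, "punycode": punycode_host, "skeleton": skeleton}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats (twltter vs twitter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url: str) -> list[tuple[str, str]]:
    """Return (finding-kind, detail) pairs; an empty list means nothing looked off."""
    forms = hostname_forms(url)
    findings: list[tuple[str, str]] = []
    if forms["unicode"] != forms["punycode"]:
        findings.append(("idn-homograph",
                         f"{forms['unicode']} is resolved as {forms['punycode']}"))
    labels = forms["skeleton"].split(".")
    # Assumption: no public-suffix list, so the registrable domain is the last two labels.
    registrable = ".".join(labels[-2:])
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    for brand, legit_domains in PROTECTED_BRANDS.items():
        if registrable in legit_domains:
            continue  # the brand's own domain, e.g. t.co shortener links
        if brand in sld:
            findings.append(("brand-keyword",
                             f"{registrable} embeds '{brand}' but is not a {brand} domain"))
        elif edit_distance(sld, brand) <= 1:
            findings.append(("lookalike", f"{sld} is within one edit of '{brand}'"))
    return findings


if __name__ == "__main__":
    # Constructed run over the post's defanged IOCs plus two legitimate links.
    for sample in ("hXXps://twltt%C4%99r[.]com", "hXXps://xn--twlttr-04a[.]com/login/",
                   "hXXps://mobiles-twitter[.]com/login/", "https://twitter.com/login",
                   "hXXps://t[.]co/U6DLQ2B1xC"):
        print(sample, "->", assess_url(sample) or "no findings")
```

Both the percent-encoded link and the xn-- link collapse to the same two findings, which is the property a filter wants: it should not matter which representation the email, the redirect, or the proxy log happened to capture. The skeleton step is deliberately simple (NFKD plus stripping combining marks); it folds ę to e but will not catch Cyrillic or Greek lookalikes, for which a full confusables table is needed. Note also that a sender domain such as tlwtttierz[.]com passes this check untouched, because it is neither a one-edit typo nor contains the brand keyword; the heuristic is a complement to user reporting, not a replacement for it.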

Figure 5: Phishing Page

As seen in Figure 5 above, users are presented with a login page in either attack; the one shown is specifically the phish hosted at twlttęr[.]com. This page is made to look extremely close to the current Twitter login page as seen in a desktop browser. The obvious differences between this phishing page and the legitimate Twitter login page are the URL, with its unusual letter ‘ę’, and the atypical tab icon.

This is just the first iteration of the threat actor’s attack. The second attack has an email body that is even less likely to raise suspicion and a URL that looks closer to the legitimate one. Regardless, it is no secret that users should pay close attention to the URLs in their address bar.


Network IOCs                                      IPs
hXXps://mobiles-twitter[.]com/login/              70[.]37[.]100[.]82
hXXps://twltt%C4%99r[.]com                        70[.]37[.]100[.]82
hXXps://xn--twlttr-04a[.]com/login/               70[.]37[.]100[.]82
hXXps://t[.]co/U6DLQ2B1xC

