This Phishing Attacker Takes American Express—and Victims’ Credentials

Recently, the CofenseTM Phishing Defense CenterTM observed a phishing attack against American Express customers, both merchant and corporate card holders. Seeking to harvest account credentials, the phishing emails use a relatively new exploit to bypass conventional email gateway URL filtering services.

UK Banking Phish Targets 2-Factor Information

Recently, the Cofense Phishing Defense Center observed a wave of phishing attacks  targeting TSB banking customers in the UK. We found these consumer-oriented phishing emails in corporate environments, after the malicious messages made it past perimeter defenses.

The convincing emails aimed to harvest an unsuspecting victim’s email, password, mobile numbers, and the “memorable information” used in two-factor authentication. If someone were to bite on the phish, they would be open to follow-up phone scams or the complete takeover of their bank account and credit cards.

Most UK banks implement two-factor authentication. They require users to set a standard password and a piece of memorable information, which users authenticate with their user name and password. Users are then asked to provide three random characters from their memorable information. This does two things to help improve the security of your bank account:

  1. It can help mitigate against man in the middle attacks, as any intercepted data would only reveal partial fragments of the memorable information.
  2. If a user’s email address and password combination has been leaked online, it provides an extra barrier for attackers attempting to access their accounts.

Again, if successful this phish could help the attacker evade these extra controls. Here’s how it works:

Email Body:

The attacks begins with an email purporting to be from the TSB customer care team, informing the customer that a new “SSL server” has been implemented to prevent access to customer accounts by third parties. It then asks the user to update their account information by clicking on the conveniently placed hyperlink.

Fig 1. Phishing Email

Headers:

To add authenticity to the attack, the threat actors have spoofed the sending information to make the email appear to come from the sender customercare[@]tsb[.]co[.]uk If we correlate this with the message ID, we can see that it actually originated from the ttrvidros[.]com[.]br a Brazilian registered domain.

From: TSB Bank <customercare[@]tsb[.]co[.]uk>
To: "MR, Example" <example@cofense.com>
Subject: EXTERNAL: Account Update Notice
Thread-Topic: EXTERNAL: Account Update Notice
Thread-Index: AQHVJzUy0rKRdi+45UWU8FPBrgSqiQ==
X-MS-Exchange-MessageSentRepresentingType: 1
Date: Thu, 20 Jun 2019 06:55:28 +0000
Message-ID: <5630c1ff905b65891e435ec91b8a1390[@]www[.]ttrvidros[.]com[.]br>
Content-Language: en-GB

Fig 2. Header Information

Phishing Page:

The malicious page shown below on fig3 is almost identical to TSB online banking portal. The first page is directed to ask for a User ID and password.

Fig 3. Phishing Page 1

The victim is then asked to supply characters from their memorable information. This is typically a word that is memorable to the user and six characters or longer, usually a pet’s name, mother’s maiden name, or a favorite city or sports team. It is standard practice to only provide three characters of your memorable information. However, this is just a clever ruse to gain the confidence of the victim.

Fig 4. Phishing Page 2

The user is then redirected to a fake error page that states, “There is a problem with some of the information you have submitted. Please amend the fields below and resubmit this form.” Afterward, the form asks the victim for the full memorable information and the mobile phone number. Armed with the victim’s user-ID, password, memorable information, and phone number an attacker can easily gain access to the victim’s bank account and credit cards through the online portal—or perhaps more worryingly, they can utilize this information to launch a social engineering campaign over the phone, commonly referred to as vishing (Voice Phishing).

Fig 5. Phishing page 3

Gateway Evasion:

This threat was found in an environment running Microsoft Exchange Online Protection (EOP) which provides built-in malware and spam filtering capabilities it is intended to screen inbound and outbound messages from malicious software spam transferred through email. 

Learn More

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe™, which among many training scenarios offers an “Account Update Notice” phish to prepare for the type of credential attack examined in this blog post.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense Reporter™.

Quickly turn user reported emails into actionable intelligence with Cofense Triage™. Reduce exposure time by rapidly quarantining threats with Cofense Vision™.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker™.

Thanks to our unique perspective, no one knows more about the current REAL phishing threat than Cofense™. To improve your understanding, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Under the Radar – Phishing Using QR Codes to Evade URL Analysis

Phishing attacks evolve over time, and attacker frustration with technical controls is a key driver in the evolution of phishing tactics.

In today’s modern enterprise, it’s not uncommon for our emails to run the gauntlet of security products that wrap or scan embedded URLs with the hope of finding that malicious link. Products like Proofpoint URL Defense, Microsoft Safe Links, and Mimecast URL Protect hope to prevent phishing attacks by wrapping or analyzing URLs.  These technologies can only be effective IF they can find the URLs in the first place.

Fast forward to this week where our Phishing Defense Center™ stopped a phishing campaign aimed at customers in Finance. The analysis below outlines the attacker’s use of a URL encoded in a QR code to evade the above-named technologies.  While you’ve probably seen QR codes in your everyday life, this might be the first time you are seeing QR codes used as a phishing tactic.

The Phish:

The email itself is relatively simple. It poses as a pseudo SharePoint email with the subject line: “Review Important Document”. The message body invites the victim to: “Scan Bar Code To View Document”. The only other visible content is a tantalizing QR code that a curious user may be tempted to scan.

Figure 1, Email Body

The message body in plain text consists of several basic HTML elements for styling and an embedded .gif image file of the QR code. Very basic, but very effective.

When the QR code is decoded we can see that that it contains a phishing URL: hxxps://digitizeyourart.whitmers[.]com/wp-content/plugins/wp-college/Sharepoint/sharepoint/index.php

Most smartphone QR code scanner apps will instantly redirect the user to the malicious website via the phone’s native browser. In this case the victim would be redirected to a SharePoint branded phishing site. The victim is then confronted with options to sign in with AOL, Microsoft, or “Other” account services. While this sounds like a simple phish, there is a more nefarious tactic in play: removing the user from the security of a corporate business network.

Figure 2, Phishing site

Standard Security Controls Circumvented:

By enticing the victim to pull out their smartphone and scan the QR code the attacker manages to evade standard corporate security controls. Secure email gateways, link protection services, sandboxes, and web content filters no longer matter because the user is now interacting with the phishing site in their own security space: their mobile phone. And yes, the phishing site is optimized for mobile viewing. Here’s a glance at what the site looks like on a smartphone:

Figure 3, Phishing page viewed on phone

Though the user may now be using their personal device to access the phish, they are still in the “corporate” mindset as the original email was received at their business email address. Therefore, it is highly likely that the victim would input their corporate account credentials to attempt to access this “document”. 

Gateway Evasion:

This attack was observed passing through an environment utilizing Symantec Messaging Gateway. When scanned, the message was deemed “Not spam” by the system as seen in Fig 4 below.

Figure 4, Email Header Snippet

Conclusion:

In the past QR codes were reserved for geeks on the bleeding edge of technology. Today we interact with QR codes more and more as we cut the cord on cable, setup home internet devices, transact crypto currencies, etc…  Will QR codes be a common phishing tactic of the future? Time will tell.  But THIS phishing attack that snuck past best in class phishing technologies was only stopped by an informed, in tune human, who reported it with Cofense Reporter ™ , so that their security teams could stop it.

Today over 90% of phishing threats observed by the Cofense Phishing Defense Center ™ bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe ™ and remove the blind spot with Cofense Reporter.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Phishing Attacks on High Street Target Major Retailer

By Jake Longden

The Cofense Phishing Defense Center™ has observed a phishing campaign that purports to be from Argos, a major retailer in the UK and British High Street. During 2018, Argos was the subject of a large number of widely reported phishing scamsi; this threat specifically targets Argos customers for their personal information and looks like a continuation of what was seen last year.

With the goal of stealing your store credit card and login information, here’s how it works:

All third-party trademarks referenced by Cofense™ whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Fig 1. Email Body

Email Body:

The message itself follows a standard phishing template to inform the user that their account has been restricted and that user sign in is required for verification. The use of bad grammar and typos are a dead giveaway that this email communication is not genuine.

Message body in plain text:

In reviewing the body of the email, we see the hyperlink for “Sign into your account” which directs the potential victim to: hxxps://www[.]argos[.]co[.]uk[.]theninja[.]gknu[.]com/www[.]argos[.]co[.]uk/account-login/

The attacker repeatedly used the string of the legitimate Argos site in the URL, both as part of the subdomains, and as a subdirectory. This was an attempt to mask the true source, and to lure the victim into trusting the legitimacy of the website.

Upon examination, we see that the link is wrapped by a URL filtering service.

href="hxxps://clicktime[.]symantec[.]com/3AuyExDNpRSjkQbgT2gXygH6H2?u=hxxps://www[.]argos[.]co[.]uk[.]theninja[.]gknu[.]com/www[.]argos[.]co[.]uk/account-login/" target="_blank" rel="noopener"><span class="ox-dad7652f0e-m_609589041267919212link-blue ox-dad7652f0e-m_609589041267919212MsoHyperlink ox-dad7652f0e-m_609589041267919212MsoHyperlinkFollowed">SIGN
INTO YOUR ACCOUNT

Fig 2. Email Body in Plain Text

 

Email Headers:

Analysis of the headers indicates that the “from” address is spoofed; the “reply to” field contains the address ‘no-reply[@]creativenepal[.]org’, which does not match ‘no-replays[@]multitravel.wisata-islam[.]com’.

Research on the ‘multitravel.wisata-islam’ domain failed to produce relevant data and reinforces the suspicion that the address is spoofed. At the time of analysis, we were unable to resolve an IP address, or load the domain.

From: <no-replays[@]multitravel[.]wisata-islam[.]com>
To: <xxxx.xxxxxx@xxxxxx.com>
Subject: [WARNING SUSPECTED SPAM]  [WARNING SUSPECTED SPAM]  Please make sure
 you complete the form correctly.
Thread-Topic: [WARNING SUSPECTED SPAM]  [WARNING SUSPECTED SPAM]  Please make
 sure you complete the form correctly.
Thread-Index: AQHVIXUk7CjiCOKjHEyntcvh4etMFg==
Date: Wed, 12 Jun 2019 23:18:17 +0000
Message-ID: <7d885f411da93272271ec8ad32e5064b@localhost.localdomain>
Reply-To: <“:no-reply”[@]creativenepal[.]org>

Fig 3. Email Headers

Phishing Page:

Once the user clicks on the “Sign into your account” hyperlink, they are redirected to a convincing imitation of the true Argos login page requesting the victims’ Username and Password.

This then leads the user to a second page, where the user is requested to supply details for their Argos store credit card account. This page follows the standard format for regular credit/debit cards with one key difference: the additional request for a ‘Card Amount’. This request is specific to the Argos Card as referenced in the copy: “The Argos Card lets you shop at Argos, with flexible payment plans that give you longer to pay” (see: https://www.argos.co.uk/help/argos-card/apply). This deviates from standard forms by asking the user for their credit limit.

 

 

Fig 4. Phishing Page

Gateway Evasion:

This campaign has been observed to pass through the ‘Symantec Messaging Gateway’.

We can see the influence of the Email gateway which injected ‘Warning Suspected Spam’ headers to the Subject Line and incorrectly presented this phish as a benign marketing email, and not a phishing attempt.

Conclusion:

To help protect against this type of credential phish, Cofense PhishMe™ offers a template called “Account Limitation.”

This credential phish eluded gateways and was actually mis-identified as harmless marketing spam. In fact 75% of threats reported to the Cofense Phishing Defense Center are Credential Phish. Protect the keys to your kingdom – condition end users to be resilient to Credential Harvesting attacks with Cofense PhishMe.

 

All third-party trademarks referenced by Cofense™ whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

i Google Search “Argos Data Breach 2018”

Houdini Worm Transformed in New Phishing Attack

By Nick Guarino and Aaron Riley

The Cofense Phishing Defense Center™ (PDC)  and Cofense Intelligence have identified a new variant of Houdini Worm targeting commercial banking customers with campaigns containing either URLs, .zip, or .mht files. This new variant is named WSH Remote Access Tool (RAT) by the malware’s author and was released on June 2, 2019. Within five days, WSH RAT was observed being actively distributed via phishing. Figure 1 shows an example message from this campaign.

This ‘Voice Mail’ Is a Phish—and an Email Gateway Fail

By Milo Salvia and Kamlesh Patel

The Cofense Phishing Defense CenterTM has observed a phishing campaign that masquerades as a voicemail message from a well-known company. The goal is to steal your domain credentials by mimicking the Outlook Web App (OWA). 

Email Body: 

The message body is designed to mimic your typical VOIP missed call message delivered via email when a user misses a call. A simple HTML box appears with a blue hyperlink, Play Voice. One would assume it was meant to say Play Message or Play Voice Message. This could indicate that English is not the threat actor’s first language and the original message was mistranslated. It’s the first indicator that something is not quite right about this message. 

Fig 1. Email Body

Message body in HTML:  

If you look at the message body in HTML, you can see that the embedded hyperlink redirects to www[.]lkjhyb[.]com_dg[.]php=”. As you can tell, the URL has been wrapped by a URL filtering service. 

 

<Div align=”center” style=”text-align: center;”> 

<a href=”hxxps://urldefense[.]proofpoint[.]com/v2/url?u=hxxps-3A__www[.]lkjhyb[.]com_dg[.]php=“>Play Voice</a></div> 

</span></font></div>* 

 

Fig 2. Email Body in Plain Text  

Email Headers: 

A closer look at the header information reveals that the threat originates from the domain “protogonay.com. Further research into this domain suggests that it could be a throwaway domain—no company or website can be found that is directly linked to the name 

ext-caller108[@]progonay[.]com.” The threat source itself uses ext-caller108 to add legitimacy to the voicemail ruse. 

** From: Voice Ext <ext-caller108[@]progonay[.]com> 

To: <dxxx.mxxx@axxxx.com> 

Subject: Voice call from ******* (39 seconds) 

Date: Wed, 22 May 2019 08:23:33 -0700 

Message-ID: <20190522082333.8F2288151F642334@progonay.com> 

Content-Type: text/html; charset=”iso-8859-1″ 

X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-05-22_08:,, 

 signatures=0 

X-Proofpoint-Spam-Details: rule=notspam policy=default score=1 priorityscore=1501 malwarescore=0 

 suspectscore=2 phishscore=0 bulkscore=0 spamscore=1 clxscore=-94 

 lowpriorityscore=0 mlxscore=1 impostorscore=0 mlxlogscore=206 adultscore=0 

Fig 3. Email Headers

Phishing Page:  

Once the user clicks on the “Play Voice (sic)” hyperlink, it redirects to what looks like the default corporate Outlook Web App (OWA) login page. This page is designed to steal your O365 domain credentials. As we can see, it asks the victim to supply domain/username:  and password.  

Fig 4. Phishing Page 

Gateway Present:  

This threat was found in an environment running Proofpoint Email Gateway and URL filter. 

Conclusion:  

Threat actors pull out the stops to deliver malicious messages to users’ inboxes. This “voice mail” message is yet another creative example.  

To help protect against this type of credential phish, Cofense PhishMeTM offers a template called “Play Voice Message.” 

Learn more about evolving phishing tactics and techniques—view the Cofense Phishing Threat and Malware Review 2019. 

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.  

The Zombie Phish Is Back with a Vengeance

Keep a close on your inboxes—the Zombie Phish is back and it’s hitting hard.

Last October, on the eve of Halloween, the CofenseTM Phishing Defense CenterTM reported on a new phishing threat dubbed the Zombie Phish. This phish spreads much like a traditional worm. Once a mailbox’s credentials have been compromised, the bot will reply to long-dead emails (hence, Zombie) in the inbox of the infected account, sending a generic phishing email intended to harvest more victims for the Zombie hoard.

Got a Blockchain Wallet? Be Alert for These Phishing Emails

By Tej Tulachan and Milo Salvia

The CofenseTM Phishing Defense Center™ has seen a fresh wave of attacks targeting Blockchain wallet users. The attacks aim to steal all the information needed to hijack unsuspecting victims’ wallets and syphon off their hard-earned crypto gains. In the past week, we have detected more than 180 of these malicious emails, all reported by customers’ users.

Here’s how the phishing emails work.

Red Flag #1: ‘You Have Been Chosen.’

In the message below, we can see that the victim has been “selected to receive” a $50 dollar amount of  Stellar (XLM), an up and coming crypto currency. Better yet, they will be automatically eligible to receive future giveaways. Wow! This common attack method works because, well, who doesn’t like free money?

Fig 1. Email Body

Red Flag #2: The Dreaded Embedded Link

If we take a deeper look into the message body, we can see that there is an embedded hyperlink <hxxps://mysccess[.]lpages[.]co/blockchain/> From this, we can instantly tell something is not right. We can also see that the website linked to is NOT the official Blockchain wallet login page “https://login.blockchain.com/#/login”

You have been chosen to receive $50 in Stellar XLM as a valued Blockchain Wallet user.

To claim your free Stellar XLM, log in to your wallet and verify your identity. It only takes a few minutes. Once your identity is verified your XLM will be on its way to your wallet.

Better yet, you will also be automatically eligible to receive future giveaways.

     GET STARTED.<hxxps://mysccess[.]lpages[.]co/blockchain/>


Fig 2. Email Body in Plain Text

Red Flag #3: Indicator of Compromised Mailbox

From the email headers we can see that the threat source originates from the domain ame.gob.ec. This domain belongs to an Ecuadorian municipal government body. We also note that the email headers do not appear to be spoofed in any way apart from the “Nickname field” has been change to “Blockchain.” This would indicate that the mailbox used to send the phishing campaign has itself been compromised.

From: Blockchain <__________@ame.gob.ec>

Subject: Your airdrop of $50 is ready

Thread-Topic: Your airdrop of $50 is ready

Thread-Index: ozUHxyzm9QIDwDzmfizGH/nj/m+1AA==

Importance: high

X-Priority: 1

Date: Tue, 7 May 2019 12:03:45 +0000

Message-ID: <1224264524.394597.1557230625931.JavaMail.zimbra@ame.gob.ec>

Content-Language: fr-FR

 

Fig 3. Email Headers

Phishing Page: The main phishing page is a simple imitation of the https://login.blockchain.com/#/login page, but it contains the ability to steal all the information needed for an attacker to fully compromise your bitcoin wallet: wallet ID, passcode, and email address. Once the details are filled in, it will redirect to the legitimate blockchain site.

 

Fig 4. Phishing Page

Fig 5. Legitimate page

Right through the Gateway!

During our analysis, we noticed that the phishing email passed right through two different email security solutions: Forcepoint and Microsoft Anti-Spam and Anti-Malware solution in Office 365.

Conclusion: Again, we’ve detected 180+ of these emails in the past week alone. In recent headlines, hackers stole bitcoin worth $41 million from Binance, one of the world’s largest cryptocurrency exchanges, using a number of techniques including phishing emails. The attack was the latest in a string of thefts from cryptocurrency exchanges around the world. Be sure to educate users about phishing threats in general and Bitcoin wallet phishing in particular!

Learn more about the Cofense Phishing Defense Center. See how we analyze user-reported emails to provide actionable threat intelligence.

IOC’s

hxxps://mysccess[.]lpages[.]co/blockchain/

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Jigsaw Ransomware Returns With Extortion Scam Ploys

By Lucas Ashbaugh

Want to play a game? Jigsaw ransomware does, and it’s going to run you $400… or you could just download the free decrypter online. Jigsaw, featuring Billy The Puppet from Saw, was first released in 2016. It not only encrypts the victim’s files but deletes them at a continuously increasing rate until a payment in bitcoin can be confirmed against the bitcoin blockchain. Now, Jigsaw has been observed again, this time delivered through scam tactics.

The Delivery
Each email starts off with a ploy about how the threat actor somehow compromised the victim’s financial accounts. After shocking and scaring victims, the emails attempt to trick them into clicking on a download link disguised as if it were a stolen bank statement. This download link uses a shortened link to evade detection and then sends the user over to the payload server, where the malware is ultimately downloaded under the guise of a file named Statement.pdf.msi.

The Malware

At $400, this rendition of Jigsaw demands more than many of its predecessors, however it remains similar otherwise. As usual, a flashy dialog pops up and slowly types out its demand. It encrypts the victim’s files and then starts deleting them at an increasing pace, as outlined in the below ransom note. This escalation of file deletions is one of the reasons Jigsaw is so dangerous, heavily pressuring victims to pay the ransom in a short time frame or suffer increasing consequences.

Upon download, the file creates two malicious executables named drpbx.exe and firefox.exe., despite the different names these files are identical, they can be found at:

  • %AppData%local%Drpbx%drpbx.exe
  • %AppData%Roaming%Frfx%firefox.exe

   

Along with these executables, Jigsaw creates a new folder at %AppData%Roaming%System32Works which contains key files:

  • EncryptedFileList.txt

This document keeps a running record of all the files that have been encrypted so far.

  • Adress.txt

The bitcoin address that must receive payment is stored here.

For anyone daring enough to disregard the malware’s threat and turn off their machine, an ominous warning pops up. If the victim power cycles their machine, Jigsaw will automatically delete 1000 files.

Jigsaw is well known for its usage of the .fun file extension on its encrypted files. It has also been previously reported to use additional file extensions such as .kkk and .btc.

Jigsaw caters to a variety of different languages, selecting its language based off the victim machine’s locale setting.

Protecting Yourself and Your Company

User training. Jigsaw still relies on an untrained user to click on the infection URL in the first place. For a trained user, these scam ploy tactics should be glaringly obvious. The ploys include choppy English, urging a user to click a suspicious link. Users that are well trained with tools like Cofense PhishMeTM know to report these emails and not click.

Indicators of Compromise

Malicious File

File Name: Statement.pdf.msi

MD5: a362de111d5dff6bcdeaf4717af268b6

SHA256: 0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca

File size: 1.1 MiB (1,175,552 bytes)

 

Malicious File

File name: firefox.exe

MD5: fba7f5f58a53322d0b85cc588cfaacd1

SHA256: 1fccbea75b44bae2ba147cf63facbbcf1cc440af4de9bde9a6d8d2f32bde420a

Filesize: 282 KB (289,280 bytes)

 

Malicious File

File name: drpbx.exe

MD5: fba7f5f58a53322d0b85cc588cfaacd1

SHA256: 1fccbea75b44bae2ba147cf63facbbcf1cc440af4de9bde9a6d8d2f32bde420a

Filesize: 282 KB (289,280 bytes)

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.