Re: The Zombie Phish

By: Lucas Ashbaugh, Nick Guarino, Max Gannon

Out of nowhere, someone responds to an email conversation that wrapped up months ago. It’s a real conversation that actually happened. Maybe it’s about a meeting, a job opportunity, or a reply to that problem you had over a year ago; this email is highly relevant to you. But something is off, the topic of the email is months out of date and now there is a weird error message.

This is a devious tactic, reviving an email conversation long dead – it’s the Zombie Phish.

Not Your Average Phish
The Cofense™ Phishing Defense Center (PDC) has recently been defending against an extensive Zombie Phishing campaign against multiple clients. Fraudsters hijack a compromised email account, and using that account’s inbox, reply to long dead conversations with a phishing link or malicious attachment. Due to the subject of the email being directly relevant to the victim, a curious click is highly likely to occur.

These Zombie Phish appear to use automatically generated infection URLs to evade detection. No two links are the same. These links are hidden behind unassuming “error” messages in the body of the email, providing an appealing scheme for users to fall victim to. Thus far, the PDC has observed two common Zombie Phishing templates that lead to malicious links. These email campaigns can be seen in Figures 1 and 2.

Figure 1

Figure 2

Another common hallmark of this campaign is the use of the .icu top-level domain (TLD), however this could change in the future. Example domains identified during this campaign, which abuse the .icu TLD, can be seen in Figure 3.

Figure 3 shows .icu domains associated with these campaigns.

Already, many of these domains have been shut down by their domain registrar after receiving reports of domain abuse. Figure 4 shows a domain associated with this campaign and the data that is collected and displayed by the registrar.

Figure 4, Courtesy of http://whois.domaintools.com

Additionally, the PDC has observed these phish using official organizational logos to add legitimacy to fake login pages – an example of such can be seen in figure 5. The pages are designed to impersonate an online portal of the target, including the company’s logo, and even its favicon. The end goal is credential theft of the victim.

Figure 5

Finally, any victim that visits the malicious website is “fingerprinted” using the host’s IP address as an identifier and upon entering credentials is immediately redirected to the same spam website seen by other victims. This is often via links obfuscated using URL shorteners (such as hxxps://href[.]li/). If the same host attempts to visit the phishing link again the spoofed login page is skipped and instead you are forwarded directly to the spam page. This finger-printing and the URL shortener obfuscation helps the attackers keep a low profile and continue their campaign unabated.

Conversation Hijacking
The tactic of “conversation hijacking” itself is by no means new, fraudsters have been hijacking compromised email accounts to dish out malware and phish as replies to prior conversations for years now. This technique is still popular because it makes victims much more likely to click on links and download or open files because their guard is down when these are within conversations already in their inbox. An ongoing and currently in the wild example of this is the Geodo botnet which has a history of inserting itself into existing email threads to deliver malicious documents that in turn download a sample of Geodo or other malware like Ursnif. However, the effectiveness of this tactic can depend greatly on the content of the conversations, a response to an automated advertising email is less likely to result in an infection than a response to a help desk support thread such as the one seen in Figure 6. Cofense IntelligenceTM has seen several Geodo campaigns consisting of responses to automated advertising emails indicating that, in some cases, the campaigns consist of indiscriminate responses to all emails in an inbox. Given that the volume of these “conversation hijacking” campaigns is still comparatively low, the smaller scope of these emails is likely limited by the number of ongoing conversations. Certain types of accounts therefore are more likely to draw threat actors direct attention and to induce them to invest additional effort and time into developing unique phishing campaigns for those accounts.

Preventing Your Personal Zombie Apocalypse
The PDC has compiled these quick tips to avoid losing your credentials (or your brains) to a Zombie Phish:

  • Be alert for email subjects that may appear relevant but are from old conversations.
  • Watch out for the hallmark green “error” button (pictured above in figure 1).
  • Don’t trust attached documents simply because they are replying to a conversation.
  • Mouse over buttons or links in suspicious messages to check them for the “.icu” top-level domain.

Cofense’s Phishing Defense CenterTM has observed that these campaigns have become increasingly clever, to combat this, training employees to be able to spot these types of emails is key. You can put down your nail-bats and pitchforks – a properly trained workforce is what is needed to defend your organization against the Zombie Phish hordes.

Cofense offers comprehensive phishing training to arm your employees with the weapons they need to protect your organization. And if you need reinforcements to help against the hordes, the Cofense Phishing Defense Center is happy to do battle with you.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Indicators of Compromise:

Observed Domains
message-akbq[.]cdnmsgload[.]icu

id-Wdtd[.]cdnmsgload[.]icu

message-XPsO[.]cdnmsgload[.]icu

www-jaus[.]check256ssl[.]icu

www-gcgc[.]emailmobile[.]icu

www-wNZq[.]emailmobile[.]icu

message-ncvm[.]emailmobile[.]icu

message-fbfa[.]extmailread[.]icu

www-gwXs[.]fetchemailgo[.]icu

message-jkgj[.]fetchemailgo[.]icu

www-udzi[.]fetchemailgo[.]icu

www-DQcE[.]inboxloaderror[.]icu

message-rpaK[.]inboxloaderror[.]icu

id-jPXC[.]iosemail[.]icu

id-oexq[.]iosemail[.]icu

www-BEOb[.]iosemail[.]icu

id-hKHR[.]iosemail[.]icu

message-EQdH[.]loadcdnmsg[.]icu

www-IqMJ[.]loadcdnmsg[.]icu

message-kqif[.]loading8[.]icu

message-pzvv[.]loading8[.]icu

www-qtnt[.]loading8[.]icu

id-pjgx[.]loading8[.]icu

www-ZMZs[.]loading8[.]icu

www-YIjn[.]loading8[.]icu

message-spuj[.]mail-load[.]icu

www-stxs[.]msgmailweb[.]icu

message-cmmh[.]portalmail[.]icu

message-pcsf[.]secure2[.]icu

id-amjs[.]securemail1[.]icu

www-tesj[.]userclientmsg[.]icu

 

Observed IPs

198[.]46[.]131[.]54

192[.]3[.]202[.]53

Email Security Gateway (to Your Next Breach)

BY THE COFENSE PHISHING DEFENSE CENTER

Email is the most common attack vector in today’s threat landscape. Not only does email deliver over 92% of malware1, but by the end of 2017 the average user received 16 malicious emails per month.2 Cyber-criminals and APT actors abuse email to deliver malware or steal user credentials and other sensitive data. Because it is ubiquitous, email is an oft-targeted, massive attack surface.

Proofpoint and Mimecast Often Can’t Handle Simple Phishing Attacks

That’s why companies spend thousands to millions of dollars on security technologies, including secure email gateways. Let’s be clear: it is erroneous to claim these technologies prevent all threats. At Cofense™, we deal with hundreds of phish that bypass email gateways and lead to compromised user accounts.

Security solutions like Proofpoint and Mimecast routinely fail to stop phishing attacks while leaving customers with a false sense of security. We see this all the time, including attacks where Proofpoint and Mimecast failed to defang URLs as advertised. These services also routinely fail to stop basic phishing schemes, including some that use hosted services like Drive and Sharepoint; campaigns that use attachments to deliver malware or malicious links; and Business Email Compromise (BEC) attacks.

Below are a few of the many cases where we have seen Proofpoint and Mimecast let simple phishing attacks proceed without a fight.

Phishing Using Trusted Services

Cofense has often found that hyperlinks to traditionally trusted web services can easily make their way through firewalls and email gateways. Unfortunately, due to their low cost and free business models, services such as Google Drive, SharePoint, WeTransfer, and Dropbox are used by malicious actors to host files that contain embedded links to credential phishing sites. Email gateways are unable to access the embedded link and thus cannot check or block the link in question. See figure 1 below for an example of a PDF file with an embedded phishing link that was hosted on Google Drive:

Figure 1 – A common PDF containing a phishing URL

The text “Document.pdf (150.45 kb)” is a hyperlink to a shortened URL, which then redirects the victim to the “Smartsheet” branded phish seen in figure 2 below:

Figure 2 – A “Smartsheet” branded credential phish.

This phishing email made it through Proofpoint which failed to stop the attack due to the attacker’s evasion techniques. Luckily, the employee was well trained and reported the phish immediately.

Social Engineering, Business Email Compromise, & Vish

Some basic social engineering tactics can elicit a victim’s credentials without ever having to send malicious links or attachments to the user, making email gateways useless because there are no URLs to block.

Business Email Compromise is a common type of social engineering that tries to strike up a conversation with an employee in hopes of committing fraud, such as a fraudulent wire transfer or harvesting of company PII, as shown in Figure 3 below.

Figure 3 – A Business Email Compromise attack initiation

Additionally, Cofense frequently observes vishing attacks. In one attack, (Figure 4) the vish impersonate a trusted company requesting a phone call to fix a non-existent issue with the victim’s account. These attacks allow threat actors to gain a victim’s account information over the phone or over email without ever using malicious content that could be blocked by an email gateway.

Figure 4 – A social engineering Vishing attack

Malicious Attachments

Fabricated invoices and receipts, password protected PDFs, and other malicious attachment schemes are all common phishing tactics. Because most automated solutions only screen links in the body of the message, these attached phish regularly waltz their way past email gateways.

Recently, a password protected PDF phishing campaign targeted Cofense customers and completely circumvented Proofpoint protection. This phish included the password to the attached document within the body of the email, urging users to open it upon receipt, seen in Figures 5 and 6 below.

Figure 5 – Content snippet of a phishing email including a document’s password.

After opening the password protected PDF, the user is confronted with a link to a credential phishing site.

Like the previous example, basic word documents with hyperlinks consistently bypass automated security solutions like Proofpoint and Mimecast, as seen in figure 6.

Figure 6 – A .docx file with an embedded phishing link

Companies that rely purely on automated gateway solutions consistently fail to stop phish embedded within attachments.

Weakness in their Strength

These email security gateways perform better when a malicious link is in the body of an email. However, we have observed cases where many of those emails bypass such gateways and reach the targeted victim. Following are some examples where either Mimecast or Proofpoint failed to rewrite the URL completely. Additionally, we will look at a very interesting example where Proofpoint did rewrite the URL completely but failed to block it, allowing the user to engage with the malicious website.

Proofpoint Examples

Figure 7 below shows the first example where the email gateway failed to correctly rewrite the URL:

Figure 7 – Banco do Brasil Email

The email above includes a link “INICIAR REGULARIZAÇÃO” that will redirect the user to a malicious website. A closer look at the HTML code of the email body (Figure 8) reveals that the href of the link brings the user to hxxp://50[.]63[.]162[.]13/dkng[.]html, which redirects again to hxxps://atualizacaocliente[./]info/loginseguro/Operador/.

Figure 8 – HTML Code of Banco do Brasil Email

The email gateway failed to rewrite the initial URL hxxp://50[.]63[.]162[.]13/dkng[.]html.

Figure 9 shows another example where the email gateway did not rewrite the URLs in the email:

Figure 9 – Example 2 Email

Investigating the HTML body of the email again reveals that the link in the email directs the user to hxxp://s1[.]sleove[.]com/id (Figure 10).

Figure 10 – Example 2 HTML Body

In both examples above, the email gateway failed to rewrite the URLs and replace them with a safe landing page for potential victims.

Mimecast

The following examples focus on Mimecast and demonstrate that Mimecast failed to rewrite the URL within the body of the emails (Figure 11, Figure 12, Figure 13).

Figure 11 – Mimecast Example 1

Figure 12 – Mimecast Example 2

Figure 13 – Mimecast Example 3

The Phishing Defense Center has analyzed all three emails mentioned above and identified that they are part of a Geodo campaign. Geodo, also known as Emotet, is a banking trojan which steals financial information and often enables other malware to be installed on the victim’s computer. Many of the URLs that Mimecast missed to rewrite are related to Geodo campaigns.

Proofpoint Rewrites but Does Not Block

While spot-checking the 1,095 cases where the gateway did rewrite the URLs, we have identified another issue: the gateway did rewrite the URL, but it did not block the URL, thereby allowing the user to browse to and interact with a malicious page. As clearly shown in Figure 14, the URL is appended with https://urldefense.proofpoint.com, which suggests that this customer uses Proofpoint as the email security solution.

Figure 14 – Proofpoint Email where URL was not blocked

However, a click on the rewritten Proofpoint URL directs the user to hxxps://olook[.]ml, a phishing page that is attempting to steal user credentials, as shown in Figure 15.

Figure 15- Phishing Page after clicking on rewritten Proofpoint URL

The submit button calls a JavaScript file which validates the input and if the input is accepted, sends the data to the attacker.

Conclusion

These examples show that email gateways often fail to stop phishing threats. While both Proofpoint and Mimecast were successful in rewriting and blocking URLs, there were still many cases where those products did not or would not have prevented a compromise. Simply relying on email gateways to stop malicious emails can leave you with a false sense of security and can result in breaches.

Understanding the weaknesses in Proofpoint, Mimecast, and other automated gateway solutions can be the first step in learning how to better defend yourself. Only a holistic strategy will work against the full spectrum of phishing attacks your company sees.

To learn more about active phishing threats, view the Cofense State of Phishing Defense 2018 report.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

  1. Verizon, Data Breach Investigations Report, 2018.
  2. Symantec, Internet Security Threat Report, 2018.

The Lazy Man’s Guide to Phishing

By Lucas Ashbaugh

Laziness and sloppy work are the twenty first century’s newest business model, and for phishing actors it’s a gold rush. The real winners from modern phishing have taken a chapter out of the entrepreneur’s  handbook: The Lean Startup. For them, phishing isn’t about artisanal fraud and refined skills, it’s about starting cheap, failing quickly, and getting their head back in the game. It’s horrendously brilliant. In a world where SOCs are constantly grinding to block that IP, scan for that hash, disable macros, etc., automated solutions just can’t keep up. When it comes to phishing, speed is king. At the CofenseTM Phishing Defense Center, threat analysts witness this sloppy and rushed businesses model day in and day out. And worse yet, they get the occasional glance at businesses who have failed to learn this same lesson.

An Analyst’s View of Surging PowerShell-based Malware

Over the past couple of weeks, the Cofense™ Phishing Defence Center (PDC) has observed a rise in PowerShell-based malware. PowerShell is a very powerful scripting language that is legitimately used in many organisations. PowerShell is packed with almost endless capabilities, most of which are particularly interesting to threat actors who wish to abuse PowerShell for malicious purposes.

Customer Satisfaction Survey Leads to Credential Phishing

The CofenseTM Phishing Defense Center (PDC) has observed a phishing campaign masquerading as a Customer Satisfaction Survey from Cathay Pacific. Fake surveys are an old tactic, but the PDC has recently seen an increase in their use. Examining the following email will show you what to look out for.

At first look, the email appears to be a legitimate Satisfaction Survey. It is not uncommon to receive a reward for completing a survey, so that alone is not an Indicator of Phishing (IoP). However, as shown in Figure 1, the “Click here – Participate and Win” link feels out of place. This could be an indicator that something is suspicious and should be investigated further.

Figure 1 – Received “Customer Satisfaction Survey” Report

As shown in Figure 2, the From field shows that the email appears to be from Cathay Pacific, using the email address cathay[.]pacific[@]email[.]cathaypacific[.]com. The SMTP relay also appears to be from cathaypacific.com, but the IP address of the relay resolves to hostserv.eu, a European hosting provider. This is another indicator that the email could be suspicious as it seems highly unlikely that a Cathay Pacific would use a low-cost European hosting provider as their mail server.

Figure 2 – Email Details

Figure 3 – Email Header

Opening the “Click here – Participate and Win” link directs the user to hxxp://syconst[.]com/ebv/[.]uk/CathayP/. The threat actors have done a good job in making the survey look like the legitimate website of Cathay Pacific. Figure 4 shows a comparison of the fake and genuine website.

Figure 4 – Website comparison

On closer inspection of the fake website, you notice that its header is actually a picture and therefore users are unable to click on any of the links (Figure 5).

Figure 5 – HTML View of Fake Survey Page

Figure 6 – Credit/Debit Card Details Page

The victim is also required to select the credit card issuer. With this specific phishing campaign, the threat actors target the following banks:

  • Hang Seng Bank
  • Citibank
  • Hongkong and Shanghai Banking
  • HSBC UK
  • Standard Chartered Bank
  • DBS Bank
  • Dah Sing Bank
  • UnionPay Card

After submitting the credit/debit card details, the victim is redirected to a fake “Verified by Visa – MasterCard SecureCode” page that tricks the user into thinking the details submitted are processed by Visa and MasterCard (Figure 7).

Figure 7 – Fake Visa/MasterCard Verfication Page

Based on the selected credit card issuer, the victim is automatically redirected to another fake site that appears to be from the bank they chose. If the card issuer is not listed and the field is left blank, an error message appears, and the victim is redirected to the start of the survey.

Figure 8 shows the landing page for UnionPay which asks the victim to provide additional details such as email address and mobile number.

Figure 8 – UnionPay Landing Page

In Summary: Nothing New, But Still Effective

While Customer Survey Phishes are nothing new and have been around for years, we have recently observed an increase in such reports. Nowadays, threat actors deliver phishing campaigns that at first seem to be non-malicious as they include formatting and logos that make them look like valid emails from the company. The email and the surveys may also be customized to resemble the organisation’s genuine website. No matter how sophisticated the phishing campaigns are, they all follow the same old tactic:

The victim is first presented a form containing “bogus” questions, where often a response is not required. The victim is then prompted to supply credit/debit card details to supposedly receive the reward for completing the survey. However, this is entirely imaginary, and all information provided is collected and used by the threat actors.

Users should be very cautious of any messages that promise to pay a fee for completing a survey. While companies certainly conduct surveys and even offer a reward for participants in some cases, it is extremely unlikely to receive a substantial amount for completing a small and rather insignificant survey.

Tips to spot suspicious emails:

  • Check the email for grammatical errors—if there are any, there is a high probability that the survey is not genuine
  • Don’t open attachments! Even a genuine looking PDF can contain malware
  • Hover over a link to see where it really takes you and be cautious as there may be subtle differences between the fake URL and the genuine URL
  • Organisations won’t ask for your bank details, credit card information, or other personal information in exchange for money or free gifts

To stay on top of the latest phishing and malware threats, sign up for free Cofense Threat Alerts.

Indicators of Compromise (IOCs): 
Malicious URL:
hxxp://syconst[.]com/ebv/[.]uk/CathayP/surv1[.]htm

hxxp://syconst[.]com/ebv/[.]uk/CathayP/surv2[.]htm

hxxp://syconst[.]com/ebv/[.]uk/CathayP/surv3[.]html

hxxp://syconst[.]com/ebv/[.]uk/CathayP/surv4[.]html

hxxp://syconst[.]com/ebv/[.]uk/CathayP/Table[.]html

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/HENG/SENG[.]html

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/HENG/go[.]php

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/CITI/CITIBANK[.]html

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/CITI/go[.]php

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/HK/DNA[.]html

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/HK/dna[.]php

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/SC/SC[.]html

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/SC/OCB[.]html

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/SC/go[.]php

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/DBS/DBS[.]html

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/DBS/go[.]php

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/DAH/DAH[.]html

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/DAH/go[.]php

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/UnionPay/UnionPaym[.]html

hxxp://syconst[.]com/ebv/[.]uk/CathayP/VB/UnionPay/uws[.]php

Associated IP:
211[.]43[.]203[.]23

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

 

A Very Convincing Tax-Rebate Phishing Campaign Is Targeting UK Users

The Cofense™ Phishing Defence Center has observed a convincing new phishing campaign targeting taxpaying UK nationals. The threat actors posing as Her Majesty’s Revenue and Customs (HMRC) have imitated the Government Gateway tool which is commonly used by UK citizens to access government services online. The threat actor attempts to convince victims that they are due a tax rebate of £458.21 using the lure below.

This “Man in the Inbox” Phishing Attack Highlights a Concerning Gap in Perimeter Technology Defenses

“Man in the Inbox” phishing attacks come from compromised email accounts. They look like someone from within a business, for example the HR director, sent an email directing employees to do something legitimate—like logging onto a fabricated page to read and agree to a corporate policy. When employees log on, the attackers harvest their credentials. These attacks are yet another example of increasingly sophisticated credential phishing.  

Attackers Use a Bag of Tricks to Target Greek Banking Customers

Recently, the Cofense™ Phishing Defense Center has observed a phishing campaign targeting Greek-speaking users and customers of Alpha Bank. Alpha Bank is the fourth-largest Greek bank. We observed threat actors using multiple tactics to gain login credentials which include user names, passwords, and secret questions. This information would allow threat actors to access unsuspecting victims’ accounts draining funds and perhaps reusing those credentials on other websites.