Got a Blockchain Wallet? Be Alert for These Phishing Emails

By Tej Tulachan and Milo Salvia

The Cofense™ Phishing Defense Center has seen a fresh wave of attacks targeting Blockchain wallet users. The attacks aim to steal all the information needed to hijack unsuspecting victims’ wallets and siphon off their hard-earned crypto gains. In the past week, we have detected more than 180 of these malicious emails, all reported by customers’ users.

Here’s how the phishing emails work.

Red Flag #1: ‘You Have Been Chosen.’

In the message below, we can see that the victim has been “selected to receive” $50 worth of Stellar (XLM), an up-and-coming cryptocurrency. Better yet, they will be automatically eligible to receive future giveaways. Wow! This common attack method works because, well, who doesn’t like free money?

Fig 1. Email Body

Red Flag #2: The Dreaded Embedded Link

If we take a deeper look into the message body, we can see that there is an embedded hyperlink, hxxps://mysccess[.]lpages[.]co/blockchain/. From this alone we can tell something is not right: the website linked to is NOT the official Blockchain wallet login page, https://login.blockchain.com/#/login.

You have been chosen to receive $50 in Stellar XLM as a valued Blockchain Wallet user.

To claim your free Stellar XLM, log in to your wallet and verify your identity. It only takes a few minutes. Once your identity is verified your XLM will be on its way to your wallet.

Better yet, you will also be automatically eligible to receive future giveaways.

     GET STARTED.<hxxps://mysccess[.]lpages[.]co/blockchain/>


Fig 2. Email Body in Plain Text

Red Flag #3: Indicator of Compromised Mailbox

From the email headers we can see that the threat source originates from the domain ame.gob.ec, which belongs to an Ecuadorian municipal government body. We also note that the email headers do not appear to be spoofed in any way, apart from the display name (the “Nickname” field) having been changed to “Blockchain.” This indicates that the mailbox used to send the phishing campaign has itself been compromised.

From: Blockchain <__________@ame.gob.ec>

Subject: Your airdrop of $50 is ready

Thread-Topic: Your airdrop of $50 is ready

Thread-Index: ozUHxyzm9QIDwDzmfizGH/nj/m+1AA==

Importance: high

X-Priority: 1

Date: Tue, 7 May 2019 12:03:45 +0000

Message-ID: <1224264524.394597.1557230625931.JavaMail.zimbra@ame.gob.ec>

Content-Language: fr-FR

 

Fig 3. Email Headers
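The three red flags above can be checked mechanically at triage time. The following script is an added example (not Cofense tooling): it rebuilds the message from the headers and body quoted in the post (the redacted local part is a placeholder, the link is refanged), and flags a brand display name sent from an unrelated domain, urgency headers, and body links that do not lead to the official login host. The brand-to-domain mapping is an assumption for the example.

```python
"""Header and link triage for a lure like the Blockchain giveaway phish above.
Added example, not Cofense's own tooling. The message is reconstructed from the
headers and body quoted in the post; the local part is a placeholder."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: headers and body text as quoted in the post.
RAW_PHISH = """\
From: Blockchain <REDACTED@ame.gob.ec>
Subject: Your airdrop of $50 is ready
Importance: high
X-Priority: 1
Date: Tue, 7 May 2019 12:03:45 +0000
Message-ID: <1224264524.394597.1557230625931.JavaMail.zimbra@ame.gob.ec>
Content-Language: fr-FR

You have been chosen to receive $50 in Stellar XLM as a valued Blockchain Wallet user.
To claim your free Stellar XLM, log in to your wallet and verify your identity.
GET STARTED. https://mysccess.lpages.co/blockchain/
"""

# Brands we expect only from their own sending domains (assumption for this
# example: blockchain.com is the wallet provider's domain).
BRAND_DOMAINS = {"blockchain": {"blockchain.com"}}
OFFICIAL_LOGIN_HOST = "login.blockchain.com"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable(host: str) -> str:
    """Crude registrable-domain helper: the last two labels (enough for .com/.co)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def triage(raw: str) -> dict:
    """Return the red flags an analyst would note for one raw RFC 822 message."""
    msg = Parser(policy=policy.default).parsestr(raw)
    display, addr = parseaddr(msg["From"] or "")
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    flags = {}

    # Red flag #3: a brand in the display name, sent from an unrelated domain
    # (here a compromised municipal mailbox rather than a spoofed header).
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and registrable(sender_domain) not in domains:
            flags["display_name_spoof"] = f"'{display}' sent from {sender_domain}"

    # Urgency markers on a "free money" lure (Red flag #1).
    if msg["Importance"] == "high" or msg["X-Priority"] == "1":
        flags["urgency"] = "Importance/X-Priority set high"

    # Red flag #2: body links that do not go to the official login host.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    bad_links = [u for u in URL_RE.findall(body)
                 if (urlparse(u).hostname or "") != OFFICIAL_LOGIN_HOST]
    if bad_links:
        flags["off_brand_links"] = bad_links
    return flags
```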

Phishing Page: The main phishing page is a simple imitation of the https://login.blockchain.com/#/login page, but it contains the ability to steal all the information needed for an attacker to fully compromise your bitcoin wallet: wallet ID, passcode, and email address. Once the details are filled in, it will redirect to the legitimate blockchain site.

 

Fig 4. Phishing Page

Fig 5. Legitimate page

Right through the Gateway!

During our analysis, we noticed that the phishing email passed right through two different email security solutions: Forcepoint and Microsoft’s Anti-Spam and Anti-Malware protection in Office 365.

Conclusion: Again, we’ve detected 180+ of these emails in the past week alone. In recent headlines, hackers stole bitcoin worth $41 million from Binance, one of the world’s largest cryptocurrency exchanges, using a number of techniques including phishing emails. The attack was the latest in a string of thefts from cryptocurrency exchanges around the world. Be sure to educate users about phishing threats in general and Bitcoin wallet phishing in particular!

Learn more about the Cofense Phishing Defense Center. See how we analyze user-reported emails to provide actionable threat intelligence.

IOCs

hxxps://mysccess[.]lpages[.]co/blockchain/

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Jigsaw Ransomware Returns With Extortion Scam Ploys

By Lucas Ashbaugh

Want to play a game? Jigsaw ransomware does, and it’s going to run you $400… or you could just download the free decrypter online. Jigsaw, featuring Billy The Puppet from Saw, was first released in 2016. It not only encrypts the victim’s files but deletes them at a continuously increasing rate until a payment in bitcoin can be confirmed against the bitcoin blockchain. Now, Jigsaw has been observed again, this time delivered through scam tactics.

The Delivery
Each email starts off with a ploy about how the threat actor somehow compromised the victim’s financial accounts. After shocking and scaring victims, the emails attempt to trick them into clicking on a download link disguised as if it were a stolen bank statement. This download link uses a shortened link to evade detection and then sends the user over to the payload server, where the malware is ultimately downloaded under the guise of a file named Statement.pdf.msi.

The Malware

At $400, this rendition of Jigsaw demands more than many of its predecessors, but otherwise it remains similar. As usual, a flashy dialog pops up and slowly types out its demand. It encrypts the victim’s files and then starts deleting them at an increasing pace, as outlined in the ransom note below. This escalation of file deletions is one of the reasons Jigsaw is so dangerous: it heavily pressures victims to pay the ransom in a short time frame or suffer increasing consequences.

Upon download, the file creates two malicious executables named drpbx.exe and firefox.exe. Despite the different names, these files are identical (note the matching hashes in the indicators below). They can be found at:

  • %AppData%\Local\Drpbx\drpbx.exe
  • %AppData%\Roaming\Frfx\firefox.exe

   

Along with these executables, Jigsaw creates a new folder at %AppData%\Roaming\System32Works which contains key files:

  • EncryptedFileList.txt – keeps a running record of all the files that have been encrypted so far.
  • Adress.txt – stores the bitcoin address that must receive payment.

For anyone daring enough to disregard the malware’s threat and turn off their machine, an ominous warning pops up. If the victim power cycles their machine, Jigsaw will automatically delete 1000 files.

Jigsaw is well known for its usage of the .fun file extension on its encrypted files. It has also been previously reported to use additional file extensions such as .kkk and .btc.

Jigsaw caters to a variety of different languages, selecting its language based off the victim machine’s locale setting.

Protecting Yourself and Your Company

User training. Jigsaw still relies on an untrained user to click on the infection URL in the first place. For a trained user, these scam ploy tactics should be glaringly obvious: choppy English urging the user to click a suspicious link. Users that are well trained with tools like Cofense PhishMe™ know to report these emails and not click.

Indicators of Compromise

Malicious File

File Name: Statement.pdf.msi

MD5: a362de111d5dff6bcdeaf4717af268b6

SHA256: 0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca

File size: 1.1 MiB (1,175,552 bytes)

 

Malicious File

File name: firefox.exe

MD5: fba7f5f58a53322d0b85cc588cfaacd1

SHA256: 1fccbea75b44bae2ba147cf63facbbcf1cc440af4de9bde9a6d8d2f32bde420a

Filesize: 282 KB (289,280 bytes)

 

Malicious File

File name: drpbx.exe

MD5: fba7f5f58a53322d0b85cc588cfaacd1

SHA256: 1fccbea75b44bae2ba147cf63facbbcf1cc440af4de9bde9a6d8d2f32bde420a

Filesize: 282 KB (289,280 bytes)

 


Re: The Zombie Phish

By: Lucas Ashbaugh, Nick Guarino, Max Gannon

Out of nowhere, someone responds to an email conversation that wrapped up months ago. It’s a real conversation that actually happened. Maybe it’s about a meeting, a job opportunity, or a reply to that problem you had over a year ago; this email is highly relevant to you. But something is off: the topic of the email is months out of date, and now there is a weird error message.

This is a devious tactic, reviving an email conversation long dead – it’s the Zombie Phish.

Not Your Average Phish
The Cofense™ Phishing Defense Center (PDC) has recently been defending against an extensive Zombie Phishing campaign against multiple clients. Fraudsters hijack a compromised email account and, using that account’s inbox, reply to long-dead conversations with a phishing link or malicious attachment. Because the subject of the email is directly relevant to the victim, a curious click is highly likely.

These Zombie Phish appear to use automatically generated infection URLs to evade detection; no two links are the same. The links are hidden behind unassuming “error” messages in the body of the email, a lure that users readily fall for. Thus far, the PDC has observed two common Zombie Phishing templates that lead to malicious links. These email campaigns can be seen in Figures 1 and 2.

Figure 1

Figure 2

Another common hallmark of this campaign is the use of the .icu top-level domain (TLD); however, this could change in the future. Example domains identified during this campaign, which abuse the .icu TLD, can be seen in Figure 3.

Figure 3 shows .icu domains associated with these campaigns.

Already, many of these domains have been shut down by their domain registrar after receiving reports of domain abuse. Figure 4 shows a domain associated with this campaign and the data that is collected and displayed by the registrar.

Figure 4, Courtesy of http://whois.domaintools.com

Additionally, the PDC has observed these phish using official organizational logos to add legitimacy to fake login pages; an example can be seen in Figure 5. The pages are designed to impersonate an online portal of the target, including the company’s logo and even its favicon. The end goal is theft of the victim’s credentials.

Figure 5

Finally, any victim that visits the malicious website is “fingerprinted” using the host’s IP address as an identifier, and upon entering credentials is immediately redirected to the same spam website seen by other victims. This redirect is often via links obfuscated using URL shorteners (such as hxxps://href[.]li/). If the same host attempts to visit the phishing link again, the spoofed login page is skipped and the victim is forwarded directly to the spam page. This fingerprinting and the URL shortener obfuscation help the attackers keep a low profile and continue their campaign unabated.

Conversation Hijacking
The tactic of “conversation hijacking” itself is by no means new: fraudsters have been hijacking compromised email accounts to dish out malware and phish as replies to prior conversations for years now. This technique is still popular because victims are much more likely to click on links and download or open files when these arrive within conversations already in their inbox, so their guard is down.

An ongoing, in-the-wild example of this is the Geodo botnet, which has a history of inserting itself into existing email threads to deliver malicious documents that in turn download a sample of Geodo or other malware such as Ursnif. However, the effectiveness of this tactic can depend greatly on the content of the conversations: a response to an automated advertising email is less likely to result in an infection than a response to a help desk support thread such as the one seen in Figure 6. Cofense Intelligence™ has seen several Geodo campaigns consisting of responses to automated advertising emails, indicating that, in some cases, the campaigns consist of indiscriminate responses to all emails in an inbox.

Given that the volume of these “conversation hijacking” campaigns is still comparatively low, the smaller scope of these emails is likely limited by the number of ongoing conversations. Certain types of accounts are therefore more likely to draw threat actors’ direct attention and to induce them to invest additional effort and time into developing unique phishing campaigns for those accounts.

Preventing Your Personal Zombie Apocalypse
The PDC has compiled these quick tips to avoid losing your credentials (or your brains) to a Zombie Phish:

  • Be alert for email subjects that may appear relevant but are from old conversations.
  • Watch out for the hallmark green “error” button (pictured above in figure 1).
  • Don’t trust attached documents simply because they are replying to a conversation.
  • Mouse over buttons or links in suspicious messages to check them for the “.icu” top-level domain.
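The tips above can be turned into a mail-flow scoring rule. The script below is an added example (not PDC tooling): it parses one constructed message, a “reply” to a ticket thread from a year and a half earlier whose green “Error” button points at one of the .icu hosts observed in the campaign, and reports the stale-thread age, suspect-TLD links and error-text lures. The 90-day staleness threshold and the quoted-header layout are assumptions.

```python
"""Scoring heuristics for the Zombie Phish pattern: a reply to a long-dead thread
whose "error" link points at a .icu domain. Added example, not PDC tooling."""
import re
from datetime import timedelta
from email import policy
from email.parser import Parser
from email.utils import parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample: a reply arriving in late 2018 to a thread from 2017, with
# the hallmark green error button. The .icu host is one observed in the campaign.
ZOMBIE = """\
From: Helpdesk <helpdesk@example.com>
To: victim@example.org
Subject: RE: Ticket 4412 - laptop docking station
Date: Thu, 15 Nov 2018 09:12:31 +0000
In-Reply-To: <old-thread-id@example.com>
Content-Type: text/html

<html><body>
<p>Error loading message. <a href="http://message-akbq.cdnmsgload.icu/view">
<span style="color:green">Error</span></a></p>
<hr>
<p>From: victim@example.org<br>
Sent: Tue, 03 Apr 2017 14:20:00 +0000<br>
Subject: Ticket 4412 - laptop docking station</p>
</body></html>
"""

SUSPECT_TLDS = {"icu"}            # hallmark TLD from the campaign; extend as needed
STALE_AFTER = timedelta(days=90)  # assumption: a reply after 3 months is "stale"
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Outlook-style quoted header line inside the body ("Sent: ..." or "Date: ...").
QUOTED_DATE_RE = re.compile(r"^(?:Sent|Date):\s*(.+?)\s*(?:<br>|$)", re.I | re.M)


def score(raw: str) -> dict:
    """Return the Zombie Phish indicators found in one raw RFC 822 message."""
    msg = Parser(policy=policy.default).parsestr(raw)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    flags = {}

    # Tip 1: a reply whose quoted original is months old.
    subject = (msg["Subject"] or "").strip().lower()
    quoted = QUOTED_DATE_RE.search(body)
    if subject.startswith("re:") and quoted:
        age = parsedate_to_datetime(msg["Date"]) - parsedate_to_datetime(quoted.group(1))
        if age > STALE_AFTER:
            flags["stale_thread_days"] = age.days

    # Tips 2 and 4: links whose visible text is an "error" lure, and links
    # whose host sits on a suspect TLD.
    for href, text in LINK_RE.findall(body):
        host = urlparse(href).hostname or ""
        visible = re.sub(r"<[^>]+>", "", text).strip().lower()
        if host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
            flags.setdefault("suspect_tld_links", []).append(href)
        if "error" in visible:
            flags.setdefault("error_lure_links", []).append(href)
    return flags
```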

Cofense’s Phishing Defense Center™ has observed that these campaigns have become increasingly clever. To combat this, training employees to spot these types of emails is key. You can put down your nail-bats and pitchforks – a properly trained workforce is what is needed to defend your organization against the Zombie Phish hordes.

Cofense offers comprehensive phishing training to arm your employees with the weapons they need to protect your organization. And if you need reinforcements to help against the hordes, the Cofense Phishing Defense Center is happy to do battle with you.


Indicators of Compromise:

Observed Domains

Observed IPs

198[.]46[.]131[.]54

192[.]3[.]202[.]53

Email Security Gateway (to Your Next Breach)

By the Cofense Phishing Defense Center

Email is the most common attack vector in today’s threat landscape. Not only does email deliver over 92% of malware [1], but by the end of 2017 the average user received 16 malicious emails per month [2]. Cyber-criminals and APT actors abuse email to deliver malware or steal user credentials and other sensitive data. Because it is ubiquitous, email is an oft-targeted, massive attack surface.

Proofpoint and Mimecast Often Can’t Handle Simple Phishing Attacks

That’s why companies spend thousands to millions of dollars on security technologies, including secure email gateways. Let’s be clear: it is erroneous to claim these technologies prevent all threats. At Cofense™, we deal with hundreds of phish that bypass email gateways and lead to compromised user accounts.

Security solutions like Proofpoint and Mimecast routinely fail to stop phishing attacks while leaving customers with a false sense of security. We see this all the time, including attacks where Proofpoint and Mimecast failed to defang URLs as advertised. These services also routinely fail to stop basic phishing schemes, including some that use hosted services like Google Drive and SharePoint; campaigns that use attachments to deliver malware or malicious links; and Business Email Compromise (BEC) attacks.

Below are a few of the many cases where we have seen Proofpoint and Mimecast let simple phishing attacks proceed without a fight.

Phishing Using Trusted Services

Cofense has often found that hyperlinks to traditionally trusted web services can easily make their way through firewalls and email gateways. Unfortunately, due to their low cost and free business models, services such as Google Drive, SharePoint, WeTransfer, and Dropbox are used by malicious actors to host files that contain embedded links to credential phishing sites. Email gateways are unable to access the embedded link and thus cannot check or block the link in question. See figure 1 below for an example of a PDF file with an embedded phishing link that was hosted on Google Drive:

Figure 1 – A common PDF containing a phishing URL

The text “Document.pdf (150.45 kb)” is a hyperlink to a shortened URL, which then redirects the victim to the “Smartsheet” branded phish seen in figure 2 below:

Figure 2 – A “Smartsheet” branded credential phish.

This phishing email made it through Proofpoint which failed to stop the attack due to the attacker’s evasion techniques. Luckily, the employee was well trained and reported the phish immediately.

Social Engineering, Business Email Compromise, & Vish

Some basic social engineering tactics can elicit a victim’s credentials without ever having to send malicious links or attachments to the user, making email gateways useless because there are no URLs to block.

Business Email Compromise is a common type of social engineering that tries to strike up a conversation with an employee in hopes of committing fraud, such as a fraudulent wire transfer or harvesting of company PII, as shown in Figure 3 below.

Figure 3 – A Business Email Compromise attack initiation

Additionally, Cofense frequently observes vishing attacks. In one attack (Figure 4), the vish impersonates a trusted company requesting a phone call to fix a non-existent issue with the victim’s account. These attacks allow threat actors to gain a victim’s account information over the phone or over email without ever using malicious content that could be blocked by an email gateway.

Figure 4 – A social engineering Vishing attack

Malicious Attachments

Fabricated invoices and receipts, password protected PDFs, and other malicious attachment schemes are all common phishing tactics. Because most automated solutions only screen links in the body of the message, these attached phish regularly waltz their way past email gateways.

Recently, a password protected PDF phishing campaign targeted Cofense customers and completely circumvented Proofpoint protection. This phish included the password to the attached document within the body of the email, urging users to open it upon receipt, seen in Figures 5 and 6 below.

Figure 5 – Content snippet of a phishing email including a document’s password.

After opening the password protected PDF, the user is confronted with a link to a credential phishing site.

Like the previous example, basic word documents with hyperlinks consistently bypass automated security solutions like Proofpoint and Mimecast, as seen in figure 6.

Figure 6 – A .docx file with an embedded phishing link

Companies that rely purely on automated gateway solutions consistently fail to stop phish embedded within attachments.

Weakness in their Strength

These email security gateways perform better when a malicious link is in the body of an email. However, we have observed cases where many of those emails bypass such gateways and reach the targeted victim. Following are some examples where either Mimecast or Proofpoint failed to rewrite the URL completely. Additionally, we will look at a very interesting example where Proofpoint did rewrite the URL completely but failed to block it, allowing the user to engage with the malicious website.

Proofpoint Examples

Figure 7 below shows the first example where the email gateway failed to correctly rewrite the URL:

Figure 7 – Banco do Brasil Email

The email above includes a link “INICIAR REGULARIZAÇÃO” that will redirect the user to a malicious website. A closer look at the HTML code of the email body (Figure 8) reveals that the href of the link brings the user to hxxp://50[.]63[.]162[.]13/dkng[.]html, which redirects again to hxxps://atualizacaocliente[./]info/loginseguro/Operador/.

Figure 8 – HTML Code of Banco do Brasil Email

The email gateway failed to rewrite the initial URL hxxp://50[.]63[.]162[.]13/dkng[.]html.

Figure 9 shows another example where the email gateway did not rewrite the URLs in the email:

Figure 9 – Example 2 Email

Investigating the HTML body of the email again reveals that the link in the email directs the user to hxxp://s1[.]sleove[.]com/id (Figure 10).

Figure 10 – Example 2 HTML Body

In both examples above, the email gateway failed to rewrite the URLs and replace them with a safe landing page for potential victims.

Mimecast

The following examples focus on Mimecast and demonstrate that Mimecast failed to rewrite the URL within the body of the emails (Figure 11, Figure 12, Figure 13).

Figure 11 – Mimecast Example 1

Figure 12 – Mimecast Example 2

Figure 13 – Mimecast Example 3

The Phishing Defense Center has analyzed all three emails mentioned above and identified that they are part of a Geodo campaign. Geodo, also known as Emotet, is a banking trojan which steals financial information and often enables other malware to be installed on the victim’s computer. Many of the URLs that Mimecast failed to rewrite are related to Geodo campaigns.

Proofpoint Rewrites but Does Not Block

While spot-checking the 1,095 cases where the gateway did rewrite the URLs, we identified another issue: the gateway rewrote the URL but did not block it, thereby allowing the user to browse to and interact with a malicious page. As clearly shown in Figure 14, the URL has been rewritten to begin with https://urldefense.proofpoint.com, which indicates that this customer uses Proofpoint as the email security solution.

Figure 14 – Proofpoint Email where URL was not blocked

However, a click on the rewritten Proofpoint URL directs the user to hxxps://olook[.]ml, a phishing page that is attempting to steal user credentials, as shown in Figure 15.

Figure 15 – Phishing Page after clicking on rewritten Proofpoint URL

The submit button calls a JavaScript file which validates the input and if the input is accepted, sends the data to the attacker.
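Both failure modes in this section, links the gateway never rewrote and links it rewrote but did not block, can be audited from the delivered HTML. The script below is an added example, not Cofense or Proofpoint code. It assumes the gateway host is urldefense.proofpoint.com and that its v2 links carry the destination in the u= parameter with “_” standing for “/” and “-XX” for “%XX”; the sample body is constructed from the Banco do Brasil and olook[.]ml addresses quoted above (refanged), and the known-bad host list is likewise taken from this post.

```python
"""Audit links in an email that passed a URL-rewriting gateway. Added example,
not Cofense or Proofpoint code; the v2 encoding rule is an assumption."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

GATEWAY_HOST = "urldefense.proofpoint.com"
HREF_RE = re.compile(r'href="([^"]+)"', re.I)
# Destination hosts named as malicious in the post; a deployment would use feeds.
KNOWN_BAD_HOSTS = {"olook.ml", "50.63.162.13"}

# Constructed sample body: one link left unrewritten (Figure 8's initial URL)
# and one rewritten link whose destination is the Figure 15 phishing host.
SAMPLE_HTML = """
<p><a href="http://50.63.162.13/dkng.html">INICIAR REGULARIZAÇÃO</a></p>
<p><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__olook.ml_login-5Fv2&d=XX&c=XX">
Sign in</a></p>
"""


def decode_v2(rewritten: str) -> Optional[str]:
    """Recover the destination of a urldefense v2 link, or None if it is not one.
    Assumed encoding: '_' encodes '/', '-XX' encodes the percent-escape '%XX'."""
    parsed = urlparse(rewritten)
    if parsed.hostname != GATEWAY_HOST:
        return None
    encoded = parse_qs(parsed.query).get("u", [None])[0]
    if encoded is None:
        return None
    return unquote(encoded.replace("_", "/").replace("-", "%"))


def audit(html: str) -> list:
    """Classify each href: 'unrewritten' links bypassed the gateway entirely;
    'rewritten' links still need their decoded destination checked."""
    report = []
    for href in HREF_RE.findall(html):
        destination = decode_v2(href)
        status = "unrewritten" if destination is None else "rewritten"
        report.append({"href": href, "status": status,
                       "destination": href if destination is None else destination})
    return report


def unrewritten_hosts(html: str) -> list:
    """Hosts a user could reach without the gateway ever seeing the click."""
    return [urlparse(r["destination"]).hostname for r in audit(html)
            if r["status"] == "unrewritten"]


def reachable_bad_hosts(html: str) -> list:
    """Known-bad destinations a click would still reach, whether or not the link
    was rewritten (rewrite without block is the Figure 14 case)."""
    hits = []
    for r in audit(html):
        host = urlparse(r["destination"]).hostname
        if host in KNOWN_BAD_HOSTS:
            hits.append((r["status"], host))
    return hits
```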

Conclusion

These examples show that email gateways often fail to stop phishing threats. While both Proofpoint and Mimecast were successful in rewriting and blocking URLs, there were still many cases where those products did not or would not have prevented a compromise. Simply relying on email gateways to stop malicious emails can leave you with a false sense of security and can result in breaches.

Understanding the weaknesses in Proofpoint, Mimecast, and other automated gateway solutions can be the first step in learning how to better defend yourself. Only a holistic strategy will work against the full spectrum of phishing attacks your company sees.

To learn more about active phishing threats, view the Cofense State of Phishing Defense 2018 report.

 


  1. Verizon, Data Breach Investigations Report, 2018.
  2. Symantec, Internet Security Threat Report, 2018.

The Lazy Man’s Guide to Phishing

By Lucas Ashbaugh

Laziness and sloppy work are the twenty-first century’s newest business model, and for phishing actors it’s a gold rush. The real winners from modern phishing have taken a chapter out of the entrepreneur’s handbook: The Lean Startup. For them, phishing isn’t about artisanal fraud and refined skills; it’s about starting cheap, failing quickly, and getting their head back in the game. It’s horrendously brilliant. In a world where SOCs are constantly grinding to block that IP, scan for that hash, disable macros, etc., automated solutions just can’t keep up. When it comes to phishing, speed is king. At the Cofense™ Phishing Defense Center, threat analysts witness this sloppy and rushed business model day in and day out. And worse yet, they get the occasional glance at businesses who have failed to learn this same lesson.

An Analyst’s View of Surging PowerShell-based Malware

Over the past couple of weeks, the Cofense™ Phishing Defense Center (PDC) has observed a rise in PowerShell-based malware. PowerShell is a very powerful scripting language that is legitimately used in many organisations. It is packed with almost endless capabilities, many of which are particularly interesting to threat actors who wish to abuse PowerShell for malicious purposes.

Customer Satisfaction Survey Leads to Credential Phishing

The Cofense™ Phishing Defense Center (PDC) has observed a phishing campaign masquerading as a Customer Satisfaction Survey from Cathay Pacific. Fake surveys are an old tactic, but the PDC has recently seen an increase in their use. Examining the following email will show you what to look out for.

At first look, the email appears to be a legitimate Satisfaction Survey. It is not uncommon to receive a reward for completing a survey, so that alone is not an Indicator of Phishing (IoP). However, as shown in Figure 1, the “Click here – Participate and Win” link feels out of place. This could be an indicator that something is suspicious and should be investigated further.

Figure 1 – Received “Customer Satisfaction Survey” Report

As shown in Figure 2, the From field shows that the email appears to be from Cathay Pacific, using the email address cathay[.]pacific[@]email[.]cathaypacific[.]com. The SMTP relay also appears to be from cathaypacific.com, but the IP address of the relay resolves to hostserv.eu, a European hosting provider. This is another indicator that the email could be suspicious, as it seems highly unlikely that Cathay Pacific would use a low-cost European hosting provider as its mail server.

Figure 2 – Email Details

Figure 3 – Email Header

Opening the “Click here – Participate and Win” link directs the user to hxxp://syconst[.]com/ebv/[.]uk/CathayP/. The threat actors have done a good job in making the survey look like the legitimate website of Cathay Pacific. Figure 4 shows a comparison of the fake and genuine website.

Figure 4 – Website comparison

On closer inspection of the fake website, you notice that its header is actually a picture and therefore users are unable to click on any of the links (Figure 5).

Figure 5 – HTML View of Fake Survey Page

Figure 6 – Credit/Debit Card Details Page

The victim is also required to select the credit card issuer. With this specific phishing campaign, the threat actors target the following banks:

  • Hang Seng Bank
  • Citibank
  • Hongkong and Shanghai Banking
  • HSBC UK
  • Standard Chartered Bank
  • DBS Bank
  • Dah Sing Bank
  • UnionPay Card

After submitting the credit/debit card details, the victim is redirected to a fake “Verified by Visa – MasterCard SecureCode” page that tricks the user into thinking the details submitted are processed by Visa and MasterCard (Figure 7).

Figure 7 – Fake Visa/MasterCard Verification Page

Based on the selected credit card issuer, the victim is automatically redirected to another fake site that appears to be from the bank they chose. If the card issuer is not listed and the field is left blank, an error message appears, and the victim is redirected to the start of the survey.

Figure 8 shows the landing page for UnionPay which asks the victim to provide additional details such as email address and mobile number.

Figure 8 – UnionPay Landing Page

In Summary: Nothing New, But Still Effective

While Customer Survey Phishes are nothing new and have been around for years, we have recently observed an increase in such reports. Nowadays, threat actors deliver phishing campaigns that at first seem to be non-malicious as they include formatting and logos that make them look like valid emails from the company. The email and the surveys may also be customized to resemble the organisation’s genuine website. No matter how sophisticated the phishing campaigns are, they all follow the same old tactic:

The victim is first presented a form containing “bogus” questions, where often a response is not required. The victim is then prompted to supply credit/debit card details to supposedly receive the reward for completing the survey. However, this is entirely imaginary, and all information provided is collected and used by the threat actors.

Users should be very cautious of any messages that promise to pay a fee for completing a survey. While companies certainly conduct surveys and even offer a reward for participants in some cases, it is extremely unlikely to receive a substantial amount for completing a small and rather insignificant survey.

Tips to spot suspicious emails:

  • Check the email for grammatical errors—if there are any, there is a high probability that the survey is not genuine
  • Don’t open attachments! Even a genuine looking PDF can contain malware
  • Hover over a link to see where it really takes you and be cautious as there may be subtle differences between the fake URL and the genuine URL
  • Organisations won’t ask for your bank details, credit card information, or other personal information in exchange for money or free gifts

To stay on top of the latest phishing and malware threats, sign up for free Cofense Threat Alerts.

Indicators of Compromise (IOCs):
Malicious URL:
Associated IP:
211[.]43[.]203[.]23

 
