Practice Makes Perfect

By Noah Mizell and Kyle Duncan, Cofense Phishing Defense Center

The Phishing Defense Center (PDC) has discovered two distinct phishing campaigns found in environments protected by Proofpoint that spoof Twitter by using registered fraudulent domains.

Some threat actors use many different attacks over the course of their careers; others stick with tried-and-true attacks proven to be effective. The latter is the case in the scenarios below. The two attacks appear to come from the same campaign, sharing the same tactics: registered fraudulent domains, specifically tailored sender addresses, and nearly identical phishing emails and pages.

Figures 1-2: First Iteration of Attack

The subject of the phishing email is “Security alert: new or unusual login” and the sender address is “verify[@]tlwtttierz[.]com”. Although it is obviously not twitter.com, it is close enough to the real name that a user may overlook it in the urgency of the moment. Users must be careful when reacting in haste, as threat actors seek to turn quick thinking against their targets to steal credentials.

The body of the email looks like a legitimate Twitter notification. Similar font type, layout, the familiar Twitter logo showing – nothing appears to be amiss. Reading the contents of the message though, users may be surprised to see there has been a new login from a new device from Spain! Supposing the user is not connected to this location, this is likely to be cause for concern. But worry not, “Twitter” has sent a handy link to secure the account in question.

Hovering over the “Secure my account” link shows its target as:

twltt%C4%99r[.]com

Once clicked, however, the address bar shows a URL that looks like “Twitter.com”:

twlttęr[.]com

For this attack, the threat actor relies on an internationalized domain name (IDN) to make the final URL look like “Twitter.com”. This IDN homograph technique, often referred to simply as “punycode phishing”, has long been noted as an extremely easy way to make a phishing URL look almost identical to the site it impersonates. DNS carries only ASCII, so a name containing non-ASCII characters is converted to Punycode, an ASCII encoding prefixed with “xn--”, before it is resolved; the browser converts it back and displays the Unicode form in the address bar.

What the hover text shows is a third form of the same name. The link does not contain the ASCII letter ‘e’ at all; it contains the percent-encoded UTF-8 bytes ‘C4 99’, which decode to the Polish letter ę (U+0119). When the browser decodes twltt%C4%99r it displays twlttęr, and ę happens to look very much like the ‘e’ in the legitimate twitter.com URL (note also the ‘l’ in place of ‘i’). To resolve the name, the browser encodes the label as Punycode, giving xn--twlttr-04a[.]com, the form listed under Network IOCs below. That “xn--” prefix is the reliable tell: a domain that claims to be a well-known brand but resolves through a Punycode label deserves a second look, which is why several browsers display the xn-- form instead of the Unicode name when their lookalike heuristics trip.

Figures 3-4: Second Iteration of Attack

Although this second attack may appear to be the same one from Figures 1-2, it is an improvement – the threat actor made minor tweaks to enhance its believability.

The subject of the email has changed: “New login from Safari on iPhone”. Like the previous attack’s subject, this is also meant to evoke a sense of urgency. This time, however, the sender email is not the obviously wrong “verify[@]tlwtttierz[.]com” but rather a more subtle “verify[@]mobiles-twitter[.]com”.

Although this email looks like an exact copy of the last attack, the threat actor added a small yet impactful detail: at the bottom they specifically reference the recipient: “We sent this email to _____”. Most users have been told to look out for generic “Dear sir/ma’am” terms in emails. If the email is not specifically addressed to the recipient, it is likely a mass mailing, perhaps with malicious intent. For most users, personalization adds legitimacy.

As in the first attack, the threat actor included a disclaimer under the hyperlink to “help” users conclude this is a legitimate email from Twitter. Both emails say that a padlock in the address bar means the site is secure and legitimate. The padlock only shows that the site presents a valid TLS certificate for the hostname in the address bar, so traffic between the browser and the web server is encrypted. It says nothing about who controls that hostname: certificates are issued free and automatically to whoever controls a domain, so a phishing site gets one as easily as a bank does. Contrary to widespread belief, a padlock does not equal safe; the attacker is simply trying to erase any doubts about the site.

The final change of this second attack can be seen when hovering over the “Confirm my identity” hyperlink and finding a new fraudulent domain:

mobiles-twitter[.]com

This domain appears more legitimate than the one from the first attack, as it contains the word “twitter”. Since mobile[.]twitter[.]com leads to the legitimate mobile version of Twitter, “mobiles-twitter[.]com” was more than likely meant as a dupe of it.

This attack may also have been intended to typosquat, luring victims the attacker never initially targeted. Typosquatting, or URL hijacking, relies on users making small mistakes when typing a URL, such as typing a dash where there should be a period or misspelling the domain. The attacker registers the mistyped name, so anyone who accidentally visits it is subject to whatever is on that page.

Figure 5: Phishing Page

As seen in Figure 5, users are presented with a login page in either attack; the one shown is for the phish at twlttęr[.]com. The page closely mimics the Twitter login page as seen in a desktop browser. The obvious differences from the legitimate page are the URL, with its unusual letter ‘ę’, and the atypical tab icon (favicon).

That is only the first iteration of the threat actor’s attack. The second iteration has an even more convincing email body and a URL that looks closer to a legitimate one. Regardless, it is no secret that users should pay close attention to the URLs in their address bar.

 

Network IOCs:

URL                                            IP
hXXps://mobiles-twitter[.]com/login/           70[.]37[.]100[.]82
hXXps://twltt%C4%99r[.]com                     70[.]37[.]100[.]82
hXXps://xn--twlttr-04a[.]com/login/            70[.]37[.]100[.]82
hXXps://t[.]co/U6DLQ2B1xC

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Found in Proofpoint-Protected Environments – Week Ending June 14, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. Cofense sees macro-laden attachments reaching the inbox so frequently, we did a Phish Fryday episode on the topic.

TYPE: Malware – NanoCore

DESCRIPTION: This phish spoofs an international lifestyle company to deliver a macro-laden Microsoft Publisher file. Once enabled, the macros download a series of HTA scripts to unpack enclosed .NET libraries which then unpack and run the NanoCore Remote Access Trojan. The use of Publisher files in phishing attacks is not new, as Cofense reported on its use in the Necurs botnet back in 2018.

TYPE: Credential Theft

DESCRIPTION: This French phish – poisson? – pretends to be a number of missed calls. The link leads to a web form designed to steal credentials. Attackers leverage the simplicity of many voicemail notification emails, as Cofense has been reporting for over a year.

TYPE: Malware – Ursnif

DESCRIPTION: This Italian-language phish uses a tactic that is successful far too often – Microsoft Office documents (in this case Excel) that contain malicious macros. This sample delivered the Ursnif data stealer. Ursnif is hardly a newcomer to the phishing threat landscape, as Cofense has been reporting on it for years.

TYPE: Credential Theft

DESCRIPTION: Got documents? This phishing attempt claims to deliver an important PDF file but leads to a website designed to steal Office 365 credentials. Once these credentials are provided, the victim is redirected to a document hosted on Google Drive.

TYPE: Reconnaissance

DESCRIPTION: Information gathering is often a prelude to a cyberattack and this phish used a layered approach to perform reconnaissance on the target. Using an embedded URL, the victim is lured into downloading an archive containing a VBScript (.vbs). This script then attempts to download a PowerShell script that will gather information about the infected endpoint and environment.

TYPE: Credential Theft

DESCRIPTION: With a smorgasbord of foreign language-themed attacks in this week’s catch, this Swedish phish delivers an embedded URL that leads the victim to a Microsoft OneNote-hosted page designed to steal Office 365 credentials. Once provided, the victim is redirected to a document hosted on docdroid. Attackers leveraging Microsoft infrastructure to host malicious OneNote documents is nothing new.

TYPE: Credential Theft

DESCRIPTION: Here’s another example of voicemail spoofing. This one leads to a website designed to steal Office 365 credentials and then direct the victim to office.com. Simple. Effective.

TYPE: Malware – Trickbot

DESCRIPTION: While many of us like to enjoy a cup of java in the morning, this phishing attack uses Java Network Launch Protocol (.jnlp) files that pull down a Java Archive (.jar), which then downloads and runs the Trickbot trojan. Hardly something you’d like to wake up to.

TYPE: Credential Theft

DESCRIPTION: This Coronavirus-themed phish promises a survey designed to steal corporate credentials. The malicious survey is hosted on Microsoft infrastructure – SharePoint – and exfiltrates the credentials using the legitimate SubmitSurveyData Microsoft URL. Survey phish is hardly a new tactic.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Zoom Phish Zooming Through Inboxes Amid Pandemic

By Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that acts as a Zoom video conference invitation to obtain Microsoft credentials from users.

As noted in numerous other articles posted by Cofense, it is no secret that this pandemic has changed the threat landscape. From emails to employees about safety guidelines to the latest WHO or CDC news on Coronavirus cases in the area, threat actors have done it all to make the most of the situation, especially when targeting remote workers. Within that group there are users who are unfamiliar with teleconferencing and the emails that come with using the service. Some may not have the best home office setup and work on monitors that barely afford them a proper view, making it difficult to look over these emails closely. The attack covered below is aimed squarely at those users.

Figure 1– Email Bodies

In this attack, users are informed of an invitation to a video conference from what appears to be “Zoom Video Communications”, sent from one of the two lookalike domains noted in Figures 1-2. At first glance all appears to be in order; looking more closely at the sender addresses, however, there are barely noticeable typos: “communcations” is missing an ‘i’ and “confrence” is missing an ‘e’. While this may seem like an innocuous mistake, it is in fact a carefully crafted scheme.

Mere hours before sending these emails, the threat actors registered the domains zoomcommuncations[.]com and zoomvideoconfrence[.]com, as noted in Figures 3-4.

Figure 2-3: Email Body

Visiting either domain, one finds what appears to be a German-language site about LASIK treatments and surgery options. This is merely a cover for the domains’ true purpose: sending malicious emails while impersonating teleconferencing giant Zoom.

The email itself is reminiscent of a legitimate Zoom communication- the blue Zoom logo, a vague mention of a video conference for users to join and a link for them to review said invitation; it’s inconspicuous enough and mostly free of the grammatical mistakes phish often contain.

Hovering over the “Review Invitation” the link shown is:

hxxps://r[.]smore[.]com/c?u=pastell[.]in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44=REDACTED[@]company[.]com

For this attack, the threat actor used a redirector link from Smore, a newsletter creation and distribution website. This is not the first time threat actors have used a legitimate online service’s tracking or redirect links to steer users to malicious sites. In this case the redirect link, once clicked, sends users to:

hxxp://www[.]pastell[.]in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44

Which then redirects to the final page:

hxxps://logonmicrosftonlinezoomconference[.]azureedge[.]net/

For this attack, the threat actor used Microsoft Azure to host the phishing page, which is not a new tactic. Threat actors flock to cloud hosting services because of the perks they offer. Here, any site served from an azureedge[.]net endpoint comes with a valid TLS certificate for that hostname, so the browser shows a padlock next to the URL, which most people incorrectly assume indicates a legitimate site. Another benefit is that the attacker chooses the subdomain, allowing the URL to mimic, or at least resemble, a legitimate URL of the service being impersonated. In this case the subdomain is “logonmicrosftonlinezoomconference”, carrying all the keywords most users would expect to see in a Zoom email that leads to a Microsoft login page: “logon microsoft” and “zoom conference” (note the missing ‘o’ in “microsft”). With both a padlock in the address bar and relevant names displayed, this attack becomes less noticeable to most users.

Figure 4: Phishing Page

Figure 4 shows the phishing page users are presented with should they make it this far. The page is a generic Microsoft phish with an accompanying URL which, once again, seems to legitimize the phish to users.

The request is simple: “Sign in to Zoom with your Microsoft 365 account.” At face value, this seems like a completely reasonable use of credentials. And since Zoom allows for users to login in via SSO and most companies have linked Microsoft credentials to the platform, some users may even be familiar with Microsoft helping to access their Zoom account.

Meanwhile, with the user’s email address appended to the URL, the page pre-populates the username field with it, leaving only the password for the user to provide.
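The redirect chain and the recipient tag described above can be picked apart without fetching anything. The script below is an added example, not code from the original article: it parses the hovered Smore link (with the defanging removed and the victim address left as REDACTED, exactly as the article quotes it), finds the query parameter that names another host, which is the signature of a redirector in use, and pulls out any email address riding along in the URL, which is the value the final page uses to pre-fill the login form. The regular expressions and the second, generic open-redirect sample are assumptions made for this example.

```python
"""Triage for the Smore -> pastell[.]in -> azureedge[.]net lure described above:
spot a query parameter that names another host (a redirector in use) and a
recipient address carried in the URL (the field that pre-fills the login form).

Added example; not code from the original article.  LURE is the link quoted in
the article with defanging removed and the victim address left as REDACTED;
nothing is fetched."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

LURE = ("https://r.smore.com/c?u=pastell.in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44"
        "?e5=REDACTED@company.com")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# A value that starts like a URL or a bare 'host/path'.  The scheme is optional
# because Smore's 'u=' parameter carries its target without one.
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#]|$)", re.I)


def redirect_targets(url):
    """(parameter, host) pairs for every query value that names a hostname."""
    query = urlsplit(url).query
    found = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        m = HOST_RE.match(unquote(value).strip())
        if m:
            found.append((key, m.group(1).lower()))
    return found


def embedded_emails(url):
    """Recipient addresses anywhere in the URL, after percent-decoding."""
    return EMAIL_RE.findall(unquote(url))


def triage(url):
    """Human-readable findings; an empty list means nothing suspicious was seen."""
    host = (urlsplit(url).hostname or "").lower()
    findings = []
    for key, target in redirect_targets(url):
        if target != host:
            findings.append(f"{host} hands off via '{key}=' to {target}")
    for addr in embedded_emails(url):
        findings.append(f"recipient tag in URL: {addr}")
    return findings


if __name__ == "__main__":
    for line in triage(LURE):
        print(line)
    print(triage("https://twitter.com/login") or "nothing flagged")
```

Two points for a SOC using this: the first finding is what makes a link from a reputable service still worth chasing, since the reputation of r.smore.com says nothing about pastell.in; and the second finding means the URL itself identifies the targeted employee, so the same lure seen in several mailboxes will differ only in that tag and can be clustered on everything before it.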

Network IOCs:

URL                                                                          IP
hxxps://r[.]smore[.]com/c?u=pastell[.]in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44?e5=REDACTED[@]company[.]com   52[.]27[.]29[.]106
hXXp://www[.]pastell[.]in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44          209[.]159[.]154[.]74
                                                                             13[.]107[.]246[.]10
hXXps://logonmicrosftonlinezoomconference[.]azureedge[.]net/                 13[.]107[.]246[.]10

Phish Found in Proofpoint-Protected Environments – Week Ending June 7, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs) and were reported by humans.


Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. We continue to see various cloud hosting services used to harvest credentials.

TYPE: Credential Theft

DESCRIPTION: Email spoofs a global bank to deliver attached .ics files. When the .ics is opened, the calendar event contains a link to a .pdf file hosted on SharePoint. The .pdf file also spoofs the bank and contains a link to a phishing page, hosted on googleapis and designed to steal banking credentials.

TYPE: Credential Theft

DESCRIPTION: Coronavirus-themed emails target credentials via an embedded link. The link is a phishing URL that spoofs a DocuSign login page targeting credentials for Office 365, Gmail, Yahoo, and other email platforms. This is only the latest example of DocuSign phish Cofense has found.

TYPE: Malware – Reconnaissance Tool

DESCRIPTION: Finance-themed emails spoof an engineering firm to deliver a reconnaissance tool. The malware is embedded in an Office macro-laden spreadsheet, downloaded via an attached HTML file. For the past few years, Cofense has tracked the dominance of Office macros in the phishing landscape.

TYPE: Malware – Cobian RAT

DESCRIPTION: Purchase order-themed emails deliver Cobian RAT, via an embedded OneDrive URL. Cofense has analyzed the use of RATs numerous times since 2014.

TYPE: Credential Theft

DESCRIPTION: Purchase order-themed emails spoof Dropbox and deliver a .pdf file via an embedded URL. The .pdf provides a link to a phishing website targeting Office 365 credentials. Cofense has warned about Dropbox links since 2014.

TYPE: Malware – Ursnif

DESCRIPTION: Finance-themed emails deliver Ursnif via attached Office macros. It’s another example of attackers using creative techniques and seemingly benign file types to bypass security controls.

TYPE: Credential Theft

DESCRIPTION: Coronavirus-themed emails spoof both the CDC and WHO and deliver credential phishing via embedded links. The page uses a “verify your email” window title and includes an image that looks to be from the WHO web page. Cofense has compiled a database of numerous Coronavirus phish.

TYPE: Malware – Pyrogenic Stealer

DESCRIPTION: Finance-themed emails spoof a leading bank and deliver Pyrogenic Stealer via embedded URLs. Cofense has reported extensively on the use of stealer malware.

TYPE: Credential Theft

DESCRIPTION: Document-themed emails spoof Microsoft to deliver credential phishing via .html documents. The documents are either attached or downloaded via embedded URLs to target Office 365/Microsoft credentials.

TYPE: Malware – Reconnaissance Tool

DESCRIPTION: Human resources-themed emails deliver a Reconnaissance Tool. The malware is embedded in an Office macro laden spreadsheet which is downloaded via an attached HTML file. Before downloading, recipients must first pass an “are you human” test.

TYPE: Malware – Agent Tesla

DESCRIPTION: Inquiry-themed emails spoof an auto manufacturer to deliver GuLoader via an embedded link. GuLoader downloads, decrypts, and runs an encrypted Agent Tesla Keylogger binary. Cofense noted last year how Agent Tesla has become a top threat.


Phishes Found in Proofpoint-Protected Environments – Week Ending May 31, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.


Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. We have observed a number of attacks using password-protected attachments and macros, a tactic that has been successful for years.

TYPE: Malware – Remote Manipulator System

DESCRIPTION: Software update-themed emails spoof a travel company to deliver a .txt file containing a URL which recipients are encouraged to visit. The URL downloads a malicious Remote Manipulator System sample. Cofense analyzed RMS almost a year ago.

TYPE: Credential Theft

DESCRIPTION: Spoofing the videoconferencing platform Zoom, this phish delivers an attached HTML file that holds a phishing link. The victim is led to a phishing page spoofing Microsoft Outlook, designed to steal credentials. Phishing attacks are taking advantage of the uptick in remote work to trick victims into clicking.

TYPE: Malware – Ursnif

DESCRIPTION: Finance-themed campaign delivers an attached, malicious Microsoft Excel file. Within the file, password-protected macros deliver Ursnif to the victim’s computer. Cofense published an analysis of Ursnif back in 2017.

TYPE: Credential Theft

DESCRIPTION: Finance-themed emails deliver attached .xlsx files containing links to a SharePoint page that hosts another .xlsx file, which in turn links to a credential phishing page. The page carries an “Office 365 Buisness” banner at the top and offers categories for credentials to O365, Outlook, AOL, Gmail, Yahoo, and “other mail”.

TYPE: Malware – Valak

DESCRIPTION: Response-themed emails deliver attached password-protected archives containing Office macros, which we have been reporting on since 2011. The Office macros download a binary which drops the first stage of a Valak malware downloader infection. Valak then downloads a plugin manager binary.

TYPE: Malware – NetWire

DESCRIPTION: Request-themed emails spoof well-known vendors to deliver an attached .xlsb file with password-protected Office macros which download GuLoader. GuLoader then downloads the NetWire Remote Access Trojan.

TYPE: Credential Theft

DESCRIPTION: This Coronavirus-themed phish spoofs Microsoft Outlook promising an upgrade to gain access to a “Covid-19 employee tracker”. The link leads to a credential phishing site which exfiltrates stolen credentials to a legitimate URL. Attackers continue to leverage the COVID-19 pandemic to lure victims.


Phishers Cast a Wider Net in the African Banking Sector

By Elmer Hernandez, Cofense Phishing Defense Center (PDC)

The Cofense Phishing Defense Center (PDC) has uncovered a wide-ranging attempt to compromise credentials of customers of five different African financial institutions. Posing as tax collection authorities, adversaries seek to collect account numbers, user IDs, PINs and cell phone numbers from unsuspecting customers.

One such email, found in environments protected by Proofpoint and Microsoft, purports to come from the South African Revenue Service’s (SARS) eFiling service. It claims a tax return deposit of R12,560.5 (South African Rands), approximately $700 USD, has been made to the user’s account and urges them to click on their financial institution in order to claim it. The real sender of the email, however, appears to be a personal Gmail address that may have been created or compromised by the adversaries.

Figure 1 – (Partial) Email Body

As seen in Figure 2, it is erroneously assigned a score of zero in Proofpoint’s “phishscore” metric.

Figure 2 – Proofpoint Header

Dragging and Dropping a Net

Each of the images embedded in the email corresponds to a different bank. Clicking any of them takes the user to a spoofed login portal for the selected bank. The spoofed banks are ABSA, Capitec, First National Bank (FNB), Nedbank and Standard Bank, all based in South Africa. The lookalike sites are located at 81[.]0[.]226[.]156, hosted by Czech hosting provider Nethost. At the time of analysis, only the Standard Bank site was unavailable. Figures 3-6 show the phishing portals imitating each bank.

Figure 3 – ABSA

Figure 4 – Capitec

Figure 5 – FNB

Figure 6 – Nedbank

All spoofed portals were created using Webnode, a website building service known for its friendly drag and drop features. Despite this ease of use, adversaries have kept things rather simple, as all portals are basic forms with a few or no images. The portals ask for a variety of personal information, including account numbers, passwords, PINs and even cell phone numbers.

Adversaries can access all entries directly from the form itself. They can also receive notifications to an email address of their choosing every time a submission is made; the Gmail account used to send the phishing email may also be where adversaries are notified of each and every new victim. Webnode also allows the export of form submission data in xml and csv formats.

Webnode is therefore a convenient way to store and retrieve stolen user data: no additional infrastructure is needed, nor any compromise of third parties. As the Standard Bank portal shows, discovery and subsequent takedown of a spoofed site means adversaries can lose access to any unretrieved information. This risk, however, seems to be offset by the ease with which replacement spoofed sites can be created.

IOCs:

Malicious URLs:

  • hxxps://absa9[.]webnode[.]com
  • hxxps://capitec-za[.]webnode[.]com
  • hxxps://first-national-bnk[.]webnode[.]com
  • hxxps://nedbank-za0[.]webnode[.]com
  • hxxps://standardbnk[.]webnode[.]com

Associated IPs:

  • 81[.]0[.]226[.]156

 

How Cofense Can Help:

Easily consume phishing-specific threat intelligence in real time to proactively defend your organization against evolving threats with Cofense Intelligence™. Cofense Intelligence customers were already defended against these threats well before the time of this blog posting and received further information in the Active Threat Report 38237 and a YARA rule.


Phishes Found in Proofpoint-Protected Environments – Week Ending May 24, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically quarantined by Cofense Triage and Cofense Vision.  


Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. This week’s examples see the continued use of macro-laden Microsoft Office documents, which have been a top delivery mechanism of malware for years.

TYPE: Malware – QakBot

DESCRIPTION: Response-themed emails deliver embedded URLs to VBS scripts to download the QakBot banking trojan. Because the phishing email is a reply to a legitimate chain, these attack URLs are often skipped by URL protection methods.

TYPE: Malware – Pyrogenic

DESCRIPTION: Finance-themed emails deliver embedded URLs to JAR files that download the Pyrogenic Stealer. Though obfuscated, the stealer’s code is rather straightforward, and yet it frequently avoids detection.

TYPE: Credential Theft 

DESCRIPTION: Finance-themed emails spoofing a management company deliver embedded OneNote links. The OneNote page comes in several versions, each linking to pages crafted to steal credentials. Hosted OneNote notebooks are becoming more popular in phishing attacks.

TYPE: Malware – FormGrabber

DESCRIPTION: Order-themed emails spoofing a vendor deliver the FormGrabber malware via a download chain that exploits CVE-2017-0199 and then CVE-2017-11882. This phishing campaign is included in Cofense’s free COVID-19 YARA Rules.

TYPE: Malware – NanoCore

DESCRIPTION: Finance-themed emails deliver an embedded Dropbox link to a 7z archive containing the GuLoader executable. Once run, GuLoader downloads and executes the NanoCore RAT from Microsoft OneDrive.

TYPE: Credential Theft 

DESCRIPTION: Document-themed emails deliver embedded Google Cloud Storage (GCS) links. The links harvest email login credentials and exfiltrate to a non-GCS location.

TYPE: Credential Theft

DESCRIPTION: Coronavirus-themed emails spoof the United Kingdom government and HMRC to deliver embedded shortened URLs from tinyurl and is[.]gd. The shortened URLs redirect to a phishing page on disc[.]us that appears to let the recipient ‘claim your tax refund’. The phishing page harvests personal information and credit card and issuer details.

TYPE: Malware – TrickBot

DESCRIPTION: Coronavirus-themed emails deliver an attached Excel spreadsheet which exploits CVE-2017-11882 and includes an Office Macro, both of which are used to drop and run a VBS script. This script then downloads and runs TrickBot.

TYPE: Credential Theft

DESCRIPTION: Voicemail notice-themed emails deliver an embedded link to a credential phishing landing page spoofed to look like a Microsoft Outlook sign-in page.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.


Chronology of COVID-19 Phish Found in Environments Protected by Proofpoint During the Pandemic

Cofense was one of the first to report on the risk of COVID-19 themed phishing threats and launched its Coronavirus Infocenter on March 12, 2020. Since that time, we’ve seen no slowdown. Every day we see new examples. And while the tactics and schemes may differ, one thing remains consistent: phishing attacks are bypassing secure email gateways, which are not stopping the attacks.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.


Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the Cofense Phishing Defense Center (PDC) found in environments protected by Proofpoint – detected by humans, analyzed with Cofense Triage, and quarantined by Cofense Vision.

Email Examples

A Credential Phish promising information about a COVID-19 vaccine that includes .png attachments and delivers a URL leading to a sharepoint.com site.

March 19, 2020

A spoofed email pretending to be from the World Health Organization delivers a malicious URL.

March 23, 2020

A Credential Phish crafted to look like a Dropbox-hosted document actually leads to storage.googleapis.com. Cofense has seen Dropbox phish since 2014.

Another Credential Phish that spoofs an organization’s Human Resources department and delivers a link to a login page designed to steal corporate credentials.

A Credential Phish crafted to look like a corporate communication provides a link to hb-bonusclaim.com and a login page designed to steal corporate credentials.

March 24, 2020

A Credential Phish with an apparent PDF attachment is actually an image linked to a Microsoft Sway-hosted page and eventually to a page designed to steal corporate credentials. Sway usage in phishing campaigns has been increasing.

March 26, 2020

A Credential Phish that appears to be a voice mail with a COVID-19 message but leads to a URL hosted on samsungusa.com.

March 29, 2020

A Credential Phish containing a link to a Dropbox-hosted resource, supposedly a PDF document, but that leads to a web page designed to steal corporate credentials.

March 30, 2020

Another Credential Phish requesting payment and prompting for corporate credentials.

March 31, 2020

A Credential Phish using a Microsoft Word attachment that redirects the victim to a Microsoft OneNote document, eventually leading to a page designed to steal corporate credentials. Read more about the use of OneNote in phishing attacks.

Another Credential Phish, this one offering an investment opportunity but delivering a link that leads to a web page designed to steal corporate credentials.

A Credential Phish designed to look like a fax transmission delivers a link leading to a web page designed to steal corporate credentials.

April 1, 2020

A Credential Phish that spoofs Microsoft SharePoint but leads to a web page designed to steal corporate credentials. Phishing attacks using SharePoint continue to be a problem for all SEGs.

April 2, 2020

A spoofed email pretending to be the US Department of Health and Human Services delivers a password-protected malicious Microsoft Word document.

April 3, 2020

A spoofed email pretending to be the World Health Organization provides a link to innocentminds.com that leads to a web page designed to steal corporate credentials.

April 5, 2020

A spoofed email pretending to be a healthcare professional delivers a Microsoft Excel document containing ZLoader, a malicious loader first seen in 2016. Read how Cofense Triage stopped a ZLoader attack.

April 10, 2020

A spoofed email pretending to be Human Resources delivers a link to a Google Docs-hosted page that leads to the installation of TrickBot, a banking trojan developed in 2016 and still seen reaching inboxes.

April 13, 2020

Another phish leveraging Google services, this time Firebase Storage. This Credential Phish delivers a URL that leads the victim to a web page designed to steal corporate credentials. Read more about attacks leveraging Google infrastructure.

A Credential Phish spoofing Outlook (Microsoft) delivers a link to a godaddysites.com hosted page, leading the victim to a web page designed to steal corporate credentials.

April 14, 2020

A Credential Phish spoofing the National Health Service promises a document noting confirmed cases of COVID-19, but leads to a web page designed to steal corporate credentials.

April 15, 2020

A Credential Phish crafted to appear like a corporate communication that leads to a Microsoft OneDrive site. The link leads to a web page designed to steal corporate credentials.

A spoofed email pretending to be a business leader is actually an attempted Business Email Compromise (BEC), seeking to trick the victim into replying.

April 21, 2020

A Credential Phish spoofing the Internal Revenue Service and promising tax relief information hosted in DocuSign. The actual link goes to playdemy.org and from there to a web page designed to steal corporate credentials.

April 24, 2020

Another spoofed email that is actually an attempted Business Email Compromise (BEC) attack using a COVID-19 theme. BEC attacks have been growing for years and SEGs still aren’t blocking them.

April 25, 2020

Yet another BEC attempt, this one purporting to come from a business executive, using an email-reply strategy and asking for gift cards.

April 28, 2020

Another COVID-19-themed phishing attack, this one embedding an image that looks like a PDF attachment but is actually linked to a website designed to steal corporate credentials.

Claiming to be a link to an electronic fax from “The Fax Team”, the embedded link actually leads to a website designed to steal corporate credentials.

April 29, 2020

More COVID-19-themed phishing attacks; this one provides a link to a trusted Dropbox source. The victim is led to a website designed to steal corporate credentials.

May 4, 2020

Spoofing the Internal Revenue Service, this phishing attack delivers an embedded link that leads to a website designed to steal corporate credentials. Read more in the Cofense Blog.

May 5, 2020

Another phishing attack using a Dropbox link to lead the victim to a website designed to steal corporate credentials.

May 6, 2020

This phishing attack spoofs the Public Health Agency of Canada and delivers a link that will lead the victim to a website designed to steal credentials.

Spoofing a well-known bank, this phishing attack purports to have a large file needing to be downloaded from a Microsoft Excel Document Portal but will lead the victim to a website designed to steal credentials.

Another spoof of the Public Health Agency of Canada, this one also delivers a link that leads to a website designed to steal credentials.

This phishing attack embeds an image that looks like email content. Clicking it leads the victim to a website designed to steal credentials.

May 7, 2020

Combining a COVID-19 theme with an emergency request by an executive, this Business Email Compromise attempts to lure the victim into purchasing gift cards.

May 8, 2020

Looking to capture Netflix credentials, this phish may take advantage of people’s propensity for password re-use, putting corporate credentials at risk. Netflix spoofs aren’t just for consumers anymore.

May 10, 2020

Another BEC, this one pretending to be the financial director, tricks the victim into sending the attacker outstanding invoices, which can be used in attacks against third parties.

May 11, 2020

Another embedded image designed to look like an attachment but actually leading to a credential-stealing website.

With some organizations offering a spam filtering service to their employees, phishing threat actors are taking advantage to mask their attacks as pending deliveries. This link, however, leads to a website crafted to steal credentials.

May 14, 2020

Cloud sharing platforms like Dropbox are often trusted by organizations and employees alike. This phishing attack exploits that trust to direct the recipient to a malicious website designed to steal credentials.

Another phishing email that embeds an image designed to look like an attachment. Clicking the image takes the victim to a website designed to steal credentials.

May 18, 2020

This spoof of a financial “partner” is actually a Business Email Compromise attempt seeking to lure the victim into a financial transaction.

The problem of malicious emails evading secure email gateways is not going away. No perimeter control can keep up with the velocity of shifting techniques used by attackers. That’s why a well-conditioned workforce and a security operations team equipped with the tools needed to rapidly detect and quarantine threats is imperative.

Want to discover more about the phishing attacks your SEG is missing? Sign up for 3 free months of Cofense Intelligence, the best human-vetted phishing intelligence in the world.

Phishes Found in Proofpoint-Protected Environments – Week Ending May 17, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and were automatically quarantined by Cofense Triage and Cofense Vision.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. We note that the vast majority are Credential Theft attacks, which Cofense predicted would surge over 15 months ago. Today, they remain a significant threat.

TYPE: Malware – Agent Tesla

DESCRIPTION: In 2019, Cofense Intelligence identified the Agent Tesla keylogger as a top phishing threat. 7 months later, this malware is still reaching inboxes. This example delivered an embedded URL, luring the victim with a purchase order.

TYPE: Credential Theft 

DESCRIPTION: Phishing threat actors love to leverage the trust that their victims and their SEGs place in online hosting platforms. This attack starts with a WeTransfer link that eventually steals email credentials via a Microsoft OneDrive-hosted file.

TYPE: Credential Theft 

DESCRIPTION: This attack takes a page from the spammer’s guidebook, seeking to obfuscate the sender address to slip through perimeter defenses. It spoofs Netflix to deliver a shortened URL leading to a phishing page.

TYPE: Credential Theft 

DESCRIPTION: Coronavirus-themed phishing attacks are both popular and successful at reaching inboxes to victimize recipients. This phish takes advantage of familiarity with Microsoft Office 365 to trick victims into clicking the embedded link and giving up their email credentials.

TYPE: Credential Theft 

DESCRIPTION: Many organizations let their SEG filter questionable email and empower the recipients to review and allow or block. Crafty phishers spoof the concept to get their victims to click the links. These lead the victim to a website designed to steal their email credentials.

TYPE: Credential Theft 

DESCRIPTION: Another phish exploiting a trusted platform. This example spoofs the Adobe Document Cloud with an image linked to a website designed to steal Adobe login credentials.

TYPE: Credential Theft

DESCRIPTION: Using Coronavirus as the premise, this attack spoofs a legitimate bank informing the recipient that they need a new bank card. The attackers steal not only the victim’s banking credentials, but their address, phone number and PIN.

TYPE: Credential Theft 

DESCRIPTION: Have we mentioned attackers leverage trusted platforms? This phish offers a Microsoft OneDrive-hosted invoice in PDF form. It collects the victim’s login credentials and then redirects the victim to a legitimate PDF hosted by the Federal Reserve.

TYPE: Credential Theft

DESCRIPTION: Yet another attack using Microsoft infrastructure – this time SharePoint – to host portions of the attacker’s campaign. This one is a hosted PDF leading to a web page designed to steal credentials.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.


Phishes Found in Proofpoint-Protected Environments – Week Ending May 10, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and were automatically quarantined by Cofense Triage and Cofense Vision.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint.

TYPE: Credential Theft 

DESCRIPTION: Finance-themed phishing attack delivering an embedded link to a website designed to look like a webmail portal that attempts to steal email credentials.

TYPE: Credential Theft 

DESCRIPTION: Invoice-themed phishing attack delivering a PDF which leads to a Microsoft SharePoint-hosted Excel spreadsheet, which then attempts to steal email credentials.

TYPE: Credential Theft 

DESCRIPTION: Coronavirus-themed phishing attack delivering a Dropbox link to a PDF that eventually leads to a website that attempts to steal email credentials.

TYPE: Credential Theft 

DESCRIPTION: Coronavirus-themed phishing attack spoofing the IRS and delivering an embedded link that leads to a website designed to steal Adobe login credentials.

TYPE: Credential Theft 

DESCRIPTION: Coronavirus-themed phishing attack delivering a Dropbox link to a PDF that eventually leads to a Google Docs-hosted page that attempts to steal email credentials.

TYPE: Credential Theft 

DESCRIPTION: Coronavirus-themed phishing attack delivering a .HTM attachment which leads to a website designed to steal Microsoft email credentials.

TYPE: Credential Theft

DESCRIPTION: Security warning-themed phishing attack delivering an embedded link spoofing Twitter that leads to a website designed to steal credentials.

TYPE: Credential Theft 

DESCRIPTION: Coronavirus-themed phishing attack spoofing a public health agency and delivering an embedded link that leads to a website designed to steal credentials.

TYPE: Credential Theft

DESCRIPTION: Coronavirus-themed phishing attack spoofing a bank and delivering an embedded link designed to look like a shared document but leading to a page that attempts to steal credentials.

TYPE: Credential Theft 

DESCRIPTION: Document-themed phishing attack delivering a link designed to look like a Microsoft SharePoint-hosted document but leads to a page that attempts to steal Microsoft credentials.

TYPE: Credential Theft

DESCRIPTION: Notification-themed email that spoofs Microsoft Outlook delivering an embedded link that leads to a website designed to steal Microsoft credentials.

TYPE: Credential Theft 

DESCRIPTION: Document-themed phishing campaign spoofing a construction design and build organization delivering embedded Microsoft OneNote links that lead to a website crafted to steal email credentials.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.
