This Phish Uses Skype to Target Surging Remote Workers

By Harsh Patel

The Cofense Phishing Defense Center (PDC) recently unearthed a new phishing campaign spoofing Skype, the popular video calling platform that has seen a recent spike in use amid the need to keep employees connected as they work remotely. This phishing attack was found in email environments protected by Proofpoint and Microsoft 365 EOP, landing in end-users’ inboxes.

With so many people working from home, remote work software like Skype, Slack, Zoom, and WebEx are starting to become popular themes of phishing lures. We recently uncovered an interesting Skype phishing email that an end user reported to the PDC.

Figures 1 and 2: Email Body

For this attack, the threat actor created an email that looks eerily similar to a legitimate pending notification coming from Skype. The threat actor tries to spoof a convincing Skype phone number and email address in the form of 67519-81987[@]skype.[REDACTED EMAIL]. While the sender address may appear legitimate at first glance, the real sender can be found in the return-path displayed as “sent from,” which also happens to be an external compromised account. Although there are many ways to exploit a compromised account, for this phishing campaign the threat actor chose to use it to send out even more phishing campaigns masquerading as a trusted colleague or friend.

It is not uncommon to receive emails about pending notifications for various services. The threat actor anticipates users will recognize this as just that, so they take action to view the notifications. Curiosity and the sense of urgency entice many users to click the “Review” button without recognizing the obvious signs of a phishing attack.

Upon clicking ‘Review’ users will be redirected via an app.link:

hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5

Finally, to the end phishing page:

hxxps://skype-online0345[.]web[.]app

The threat actor has chosen to utilize a .app top-level domain to host their attack. This TLD is backed by Google to help app developers securely share their apps. A benefit of this top-level domain is that it requires HTTPS to connect to it, adding security on both the user’s and developer’s end, which is great…but not in this case. The inclusion of HTTPS means the addition of a lock to the address bar, which most users have been trained to trust. Because this phishing site is being hosted via Google’s .app TLD it displays this trusted icon.

Figure 3: Phishing Page

Clicking the link in the email, the user is shown an impersonation of the Skype login page. If a well-trained user inspects the URL, they will see that the URL contains the word Skype (hxxps://skype-online0345[.]web[.]app). To add even further sense of authenticity, the threat actor adds the recipient’s company logo to the login box as well as a disclaimer at the bottom warning this page is for “authorized use” of that company’s users only. The username is auto-filled due to the URL containing the base64 of the target email address, thus adding simplicity to the phishing page and leaving little room for doubt. The only thing left for the user to do is to enter his or her password, which then falls into the hands of the threat actor.

 

Network IOCs
hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5
hxxps://skype-online0345[.]web[.]app

Discover how cybersecurity awareness training can help your organization defend against changing phishing threats.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time-based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Threat Actors Evade Proofpoint and Microsoft 365 ATP Protection to Capitalize on COVID-19 Fears

By: Kian Mahdavi, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has witnessed a surge in Coronavirus phishing campaigns found in environments protected by Proofpoint and Microsoft Office 365 ATP. While these Secure Email Gateways (SEGs) are designed to safeguard end users from clicking on malicious links and attachments, both failed in a new phishing attack we recently observed.

Figure 1 – Proofpoint SEG within the Email Header

Figure 2 – Extracted Information in Email Header

The extracted header information above in Figure 2 displays fragments of the email from the received path. The threat actor spoofed the domain splashmath[.]com (an online learning game for children) with a spoofed IP address of 167[.]89[.]87[.]104, which is located in the United States. For this reason, the email slipped past basic security checks, such as DKIM and SPF, shown in Figure 2. The threat actor inserted key words, such as “who” and “community” in the sender email address to manipulate the user into thinking it’s from the World Health Organization.

Upon further investigation of the email header, the originating IP address of 88[.]119[.]86[.]63 was found to be from the Lithuanian city of Kaunas, as shown below in Figure 3. The phishing email was sent to different individuals, each with the same originating IP address, indicating the likelihood of a single threat actor carrying out these attacks.

Figure 3 – Originating IP Address

The body of the email in Figure 4, as shown below, urges the user to find out if there are cases of COVID-19 in their local area by clicking on ‘Read on’. When then end-user clicks, they are led to believe that they will be directed to an updated WHO document. However, the user is actually directed to a Microsoft branded credential phish to steal their Microsoft log-in information.

The subject of the email is “HIGH-RISK: New confirmed cases in your city,” followed by the spoofed WHO email address and display name (who[.]int-community[.]spread@ splashmath[.]com), thus making it appear as if the sender is really from the World Health Organization. The sender does not contain any information addressed to the recipient, such as “Good Morning” or “Dear…”, indicating that this is a mass-email attack sent to many individuals. In addition, there is an image that would have usually loaded, however in these stressful circumstances, individuals may overlook this and would click on the “Read on” link.

Figure 4 – Email Body

Network Indicators of Compromise (IOCs):

Users are under the impression that by clicking on the ‘read on’ link, they will be redirected to:

Hosted URL IP Address
hXXp://o[.]splashmath[.]com/ls/click?upn=H2FOwAYY7ZayaWl4grkl1LazPuy6jduhWjWPwf0O2D 167[.]89[.]118[.]52
167[.]89[.]123[.]54

The users are instead forwarded to one of the following malicious redirects:

Credential Phishing Pages URLs IP Address
hXXps://heinrichgrp[.]com/who/files/af1fd55c21fdb935bd71ead7acc353d7[.]php 31[.]193[.]4[.]14
hXXps://coronasdeflores[.]cl/who 186[.]64[.]116[.]135
hXXps://www[.]frufc[.]net/who/files/61fe6624ec1fcc7cac629546fc9f25c3[.]php 87[.]117[.]220[.]232
hXXps://pharmadrugdirect[.]com/who 31[.]193[.]4[.]14
hXXps://ee-cop[.]co[.]uk/who/files/3b9f575dac9cc432873f6165c9bed507[.]php 82[.]166[.]34[.]188

A quick Google search reveals the last phishing page listed above (hXXps://ee-cop[.]co[.]uk/who/files/3b9f575dac9cc432873f6165c9bed507[.]php) was created with “WordPress” within the description (Figure 5), a potential red flag for a savvy end user.

Figure 5 – Google Search of the Phishing Page

As shown in Figure 6 below, recipients are presented with a high-quality, spoofed Microsoft login page. Upon clicking, the user’s email address is attached within the URL of the webpage; therefore, the individual’s username automatically appears in the login box. Upon logging in, the user is under the impression he or she has been authenticated into a legitimate Microsoft website. At this point, the user’s credentials are unfortunately in the hands of the threat actor.

Figure 6 – Final Phishing Page

HOW COFENSE CAN HELP

Cofense has created the Coronavirus Phishing Infocenter with examples of real Coronavirus phishing scams, an infographic illustrating 5 signs of these phish, a publicly available YARA rule, and much more.

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe. Tp remove the blind spot, get visibility of attacks with Cofense Reporter.

Quickly turn user-reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received Yara rule PM_Intel_CredPhish_37315 and further information about this threat in Active Threat Report (ATR) 37315.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phishers Are Using Google Forms to Bypass Popular Email Gateways

By Kian Mahdavi

Over the past couple of weeks, the Cofense Phishing Defense Center (PDC) has witnessed an increase in phishing campaigns that aim to harvest credentials from innocent email recipients by tricking them into ‘Updating their Office 365’ using a Google Docs Form.

Google Docs is a free web-based application, allowing people to create text documents and input and collect data. It is an enticing way for threat actors to harvest credentials and compromise accounts. Here’s how it works:

Figure 1 – Email Header

The phishing email originates from a compromised financial email account with privileged access to CIM Finance, a legitimate financial services provider. The threat actor used the CIM Finance website to host an array of comprised phishing emails. Since the emails come from a legitimate source, they pass basic email security checks such as DKIM and SPF. As seen from the headers above in figure 1, the email passed both the DKIM authentication check and SPF.

This threat actor set up a staged Microsoft form hosted on Google that provides the authentic SSL certificate to entice end recipients to believe they are being linked to a Microsoft page associated with their company. However, they are instead linked to an external website hosted by Google, such as

hXXps://docs[.]google[.]com/forms/d/e/1FAIpQLSfzgrwZB23BXv6vumZljSGg0mUuYP4UcafmShTpUzWJoYzBPA/viewform.

Figure 2 – Email Body

The email masquerades as a notification from “IT corporate team,” informing the business user to “update your Office 365” that has supposedly expired. The “administrator” claims immediate action must be taken or the account will be placed on hold. The importance of email access is key to this credential phish, leading users to panic and click on the phishing link, providing their credentials.

Figure 3 – Phishing Page

Upon clicking the link, the end user is presented with a substandard imitation of the Microsoft Office365 login page, as seen in figure 3, that does not follow Microsoft’s visual protocol. Half the words are capitalized, and letters are replaced with asterisks; examples include the word ‘email’ and the word ‘password.’ In addition, when end users type their credentials, they appear in plain text as opposed to asterisks, raising a red flag the login page is not real. Once the user enters credentials, the data is then forwarded to the threat actors via Google Drive.

 

Network IOC IP
hXXps://docs[.]google[.]com/forms/d/e/1FAIpQLSfzgrwZB23BXv6vumZljSGg0mUuYP4UcafmShTpUzWJoYzBPA/viewform 172[.]217[.]7[.]238

 

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe through the “Account Security Alert” or “Cloud Login” templates and get visibility of attacks with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 36388.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog, are registered trademarks or trademarks of Cofense Inc.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Emotet Modifies Command & Control URI Structure and Brings Back Link-based Emails

By Noah Mizell, Cofense Phishing Defense Center

Emotet has been busy wrapping up the year with some minor tweaks to their client code and the reintroduction of some tactics that have worked well for them in the past. The botnet that began its life as a banking trojan in 2014 has proven to be a formidable threat to organizations around the world and shows no signs of stopping. Before we look at their recent changes, let’s begin with a quick review of some of the notable updates we have observed this year:

  • January 13, 2019 – The Emotet botnet reemerges from vacation to begin its first campaign of the year.
  • January 28, 2019 – Experimentation with Qakbot as a payload.
  • March 14, 2019 – The client code is changed to utilize a wordlist to generate random paths when checking into the Command & Control (C2) and now uses the POST method instead of GET. The use of JavaScript attachments is noted as well.
  • April 9, 2019 – The botnet operators begin using the emails that were stolen starting in the last part of their 2018 campaign. The use of stolen content provides the ability to create spear-phishing like emails on a scale never seen before.
  • May 31, 2019 – Emotet goes on summer vacation shutting down a large part of its infrastructure.
  • Sep 3, 2019 – C2 begins to come back online.
  • Sep 16, 2019 – Spamming operations resume. Link and PDF attachment based emails are very limited. The vast majority of their campaigns are macro document-based. Heavy use of the reply-chain (stolen email) tactic is observed.
  • Large deployments of TrickBot and Dreambot are used as secondary infections throughout the year.
  • The term “Triple Threat” is created to note the high incidence of Emotet -> TrickBot -> Ryuk infections seen in the wild, leading to massive ransomware payments and a great deal of lost time and money for many government and private organizations.

Starting on November 27th, we noticed a change in the way the Emotet client code was checking into the C2 servers. Gone are the random paths utilizing the word list (figure 1) that was seen in the past.

Figure 1: URI structure introduced in early 2019

Figure 2: The new URI structure seen as of Nov. 27

The clients are now adding a path that, at first glance, appears to be a random string with a minimum length of four characters.  A slightly deeper investigation into this traffic shows the path is actually the key from the key/value pair in the posted form data.  This change is odd, as it does not actually alter the check-in data in any meaningful way and appears instead to be more cosmetic in nature. This leads us to believe that it may have been a rudimentary attempt at identifying researchers who are running emulation code alone, as their check-in structure would not have dynamically changed when the code base was updated.

Figure 3: Example Emotet delivery email

Another noted change was the reintroduction of link-based email templates. We have seen Emotet emails use links with great success in the past. For unknown reasons, the threat actors did not seem to use them when coming back from summer vacation. In all likelihood, they are using them now to maximize their victim count before breaking again for the winter holidays.

We have included a listing of some of the URLs seen on the first day back further below.  Heavy distribution of TrickBot has also been seen in recent campaigns as a secondary infection and may be a money grab to fund their holidays.

Figure 4: Example Emotet delivery email

As with past campaigns, we have also seen an uptick in the use of shipping company themed emails to coincide with the holiday season, a recurring theme for the actors around this time of year. One change to the email templates that appears to be a new lure is an “Open Enrollment 2020” theme to entice users who have not yet decided on their insurance program for the upcoming calendar year.

The Emotet actors are masters at creating email templates that exploit a user’s emotional response, and this is a prime example.

Cofense’s research teams – Cofense Labs, Cofense Intelligence and the Cofense Phishing Defense Center – actively monitor the Emotet botnet to identify phishing threats that may impact customers and to provide security operations with the latest campaign data.

 

HOW COFENSE CAN HELP

100% of malware-bearing phishing threats analyzed by the Cofense Phishing Defense Center are reported by end users and bypassed technical controls that were in place to protect them.

Cofense PhishMe offers a simulation template, “Order Confirmation – Emotet/Geodo,” to educate users on the phishing tactic described in this blog. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 34580.

Quickly turn user reported emails into actionable intelligence with Cofense Triage and reduce exposure time by rapidly quarantining threats with Cofense Vision.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

hXXp://3mbapparel[.]com/ce8p4mw/Scan/23sr2r3h-227136449-4100-o7f3aukln-5ek9w7yx/

hXXp://abbasghanbari[.]com/cgi-bin/m2gx-j9l-2674/

hXXp://abis[.]abis-dom[.]ru/wp-content/multifunctional-zone/external-portal/XKnI9c95VXtO-2koeL1odjG8e45/

hXXp://adrianoogushi[.]com[.]br/blogs/available-resource/test-forum/CO37HIcUG-4KiqqruHlj9/

hXXp://agramarket[.]com/wp-admin/554841538461/9igxpru22w-3404-624501945-dtenc-cvona7/

hXXp://agramarket[.]com/wp-admin/images/Document/

hXXp://aijiuli[.]com/wp-content/common-3644746801311-F61eGi6VrRfSERpV/guarded-722116w-9jx99j5uyog/2b51q65tivz3f97-3vw70xy142675/

hXXp://alfaem[.]by/wp-includes/wcevu12a6j/ui13miem-1842496-647941-b1maguvyl7-0wm1/

hXXp://allgamers[.]ir/wp-content/6270900376591-TrHEgUBtm-sector/verified-portal/3rw-x42z0/

hXXp://aminulnakla[.]com/test/5mpub-u9jdh-1356/

hXXp://amoutleather[.]com/a/multifunctional_9313571_Y9mwVe/additional_forum/EAvHHxYA2_z07m8sM36w72/

hXXp://anantasquare[.]com/wp-content/Documentation/1yzenuu55v/zdx0oqd5mp-79785-92241-lqk84aode-i65yma2m1/

hXXp://andishkademedia[.]com/wp-includes/8vcppv-4l1-885316/

hXXp://anhjenda[.]net/wp-content/vmpyh5c3pi/

hXXp://anjumpackages[.]com/nrri/private_44709616882_WQZDa1KAyj/corporate_V6tkmPmj_jRcx2PfQ/on3_1v7649ys6t1/

hXXp://aquimero[.]net/wp-includes/8gdm6-y4kj-461/

hXXp://archinnovatedesigns[.]com/wp-includes/464728-V0rjOQkXZi4SSiW-disk/580333-3VP9JZcfWI6-cloud/028eeth-vu553tyw/

hXXp://arielcarter[.]com/j7foqo2/DOC/iqrh6hczo0cw/

hXXp://arttoliveby[.]com/yyrye/private_86192_eZoBMjbfcDvuPq/test_cloud/ws3uh67ha1tup_5128t108/

hXXp://auliskicamp[.]in/wp-admin/common_resource/verified_vZUVdO8ppY_CWfMSl2yMCEH/bgJEju1jvH_3iNK6o4Ii4G/

hXXp://awooddashacabka[.]com/yt46/open-box/individual-area/yNmy5HQif-8o8tG738h2/

hXXp://babdigital[.]com[.]br/wp-content/esp/6v5nej75l/

hXXp://bakeacake[.]com/wp-admin/available-disk/security-warehouse/z1XGaZ-NemjMNrc3a/

hXXp://bassigarments[.]com/wp-content/personal-592742204-WBrGGz/4469690-7SOBhN7gbB7s-area/b90h417-wtxsw/

hXXp://batdongsanhathanh[.]net/wp-admin/open-resource/568A8V-ILYyxINK-profile/jdux7bsdp-twyu179678t1/

hXXp://beiramarsushi[.]com[.]br/1g3ld9f/closed_n941_aUn1fAfrvX8Bhu/test_warehouse/6N1JhlV_M8oi1aM9Gyw/

hXXp://best-fences[.]ru/css/4ey-6v7y0-5856/

hXXp://betaoptimexfreze[.]com/bebkat/Reporting/9zooeodt/x827ofzp-289202990-87262-q99cri9-xr06/

hXXp://bgctexas[.]com/quietnightcompany/xb1k2g9/personal_zone/test_WlYEqat2Ie_OgiyQ9W40qCyP/bw54a4lhlrx_9636w4uu0xsxt1/

hXXp://bilgigazetesi[.]net/a6lwm1m/open_sector/special_forum/Ej4oMEQf3AN_Gudt5tx97J/

hXXp://bimattien[.]com/wp-admin/eTrac/ld6u234c3/ga438o-5744266-474284-eejhd-5ctewz/

hXXp://blicher[.]info/wp-includes/KPrV/

hXXp://blog[.]inkentikaburlu[.]com/70jjm53klo/sites/2yd7bvuh-505209-64670737-fr4vs-t7zp3cjl0/

hXXp://blog[.]sawanadruki[.]pl/wp-content/uilb8dz6_hwpeyvx_sector/security_warehouse/0gKrzfjYpvFO_3yLM891Meliz/

hXXp://blogkolorsillas[.]kolorsillas[.]com/wordpress/xnq1k-rkkl-803/

hXXp://bluemedgroup[.]com/wp-admin/mnfd8_nbij_436575782_UQEO1IVCs4LqadTV/security_profile/XODmvThQGR7_H7vrzccMec5/

hXXp://bmrvengineering[.]com/wp-admin/FILE/

hXXp://bookitcarrental[.]com/wordpress/INC/iddp2ggtm/eccvup8c-3843-818470-69yg4b28wh-w1kxriyo/

hXXp://bupaari[.]com[.]pk/RoyalAdventureClub[.]com/eTrac/ncevpoamvlp0/

hXXp://buyrealdocumentonline[.]com/wp/Documentation/d7mz-688402499-7314933257-fkwggnu-t4ybrvaf7/

hXXp://cabosanlorenzo[.]com/wp-load/protected-resource/verifiable-tk2c-3kfk3g9iz/ebub24rmzo8-9u88717yx935/

hXXp://cacimbanoronha[.]com[.]br/wp-content/Scan/

hXXp://caotruongthanh[.]com/wp-admin/qeku-4ys4-83891/

hXXp://carolscloud[.]com/media/public/

hXXp://carolzerbini[.]com[.]br/6ttp7t0/Overview/qoawf12j0jbp/

hXXp://carvalhopagnoncelli[.]com[.]br/lvqhz/Overview/0rrnguk8z/lg4qyh7-338411-43458560-pp7dts1ba-3msz/

hXXp://cas[.]biscast[.]edu[.]ph/updates/personal_sector/verifiable_warehouse/D3buvGg_1yyMJGrM6gp/

hXXp://casaquintaletcetal[.]com[.]br/e6viur/04383245_xZw1ZKxX_41063_29gQlRhcVl5eGs/additional_area/4004h_s035tt6461/

hXXp://casinovegas[.]in/cgi-bin/protected_module/additional_warehouse/NzQU7EbxmY_mLobpJqHn8Lh8/

hXXp://catchraccoons[.]com/wp-admin/open_9135304_x3VG052S9vjEZN/external_warehouse/AgnasV_o0M4JIrNt67j/

hXXp://caughtonthestreet[.]com/sh5bne/available_sector/test_mhc3xk01u_if5a3isqhztj4/fwpqcd9admvnur_yuu17s15/

hXXp://cetpro[.]harvar[.]edu[.]pe/dup-installer/2i5i_r76gl3x5v6vge_disk/individual_profile/NrWPp5_3Hj0zszymw/

hXXp://championretrievers[.]com/wp-admin/paclm/mdjx-81327-4043-zujiz-uoi7hp59w4/

hXXp://charger-battery[.]co[.]uk/chargerimages/Reporting/

hXXp://chatnwax[.]com/dir/RRETX2MC9ZE7/syc01o4x/

hXXp://cheappigeontraps[.]com/wp-admin/personal-resource/guarded-gueidxaiga-544/a4hko1sshe-6530yx62/

hXXp://cheapraccoontraps[.]com/wp-admin/parts_service/zn6iszxroew/0vqf-97169-6342681145-z9iyge-xws5/

hXXp://cherrypointanimalhospital[.]com/new/parts_service/po53iyxo22m/

hXXp://chintamuktwelfare[.]com/wuvke31kdk/open-array/open-space/j2hg7S-Mseglc5d/

hXXp://chongthamhoanglinh[.]com/cgi-bin/Reporting/

hXXp://chooseyourtable[.]sapian[.]co[.]in/wp-includes/x3qc-azmz9-340871/

hXXp://clurit[.]com/matematika/images/content/open-array/additional-portal/open-array/additional-portal/3qZqx-tb7HH2KcNhHi82/

hXXp://collegebolo[.]in/wp-content/OCT/i91smxgw72t/iayid-933690-003423-pxhqzu7z4-e9fxqjnvn/

hXXp://collegiatevideoscout[.]com/piq88y/multifunctional-zone/verifiable-portal/vzwsusvfoq2kbmt-y496uwt7xz68uy/

hXXp://compworldinc[.]com/browse/4ni6zf2fq/

hXXp://contestshub[.]xyz/wp-content/evfch-p40-368725/

hXXp://cosmeticsurgeoninkolkata[.]in/wp-content/multifunctional-zone/security-space/oG7v7CkLAl-jz0rugqbjvi73/

hXXp://cosmicconsultancy[.]in/custom-icons/Reporting/

hXXp://cp[.]3rdeyehosting[.]com/wp-includes/esp/

hXXp://crazyroger[.]com/cgi-bin/1710496674006_01bd6Zeef0mCJ_disk/external_forum/4dwy_zxz36x4/

hXXp://creatitif[.]com/wp-admin/Reporting/

hXXp://croptool[.]com/theblackjackmob/Documentation/

hXXp://crownedbynature[.]com/jtaa6jtb/LLC/

hXXp://csa[.]cries[.]ro/ckjca7/11206-JdwhXBh41Cj8irAC-resource/individual-warehouse/ay7fc9ll3dnke7e-4yw99s2t6w/

hXXp://csrngo[.]in/alfacgiapi/15vu8s-c85u1-9139/

hXXp://daisybucketdesigns[.]com/pocketframes/images/aci32rk/eTrac/5w4kiwqito3r/

hXXp://dalao5188[.]top/wp-content/open-sector/test-forum/f0pqn-5328/

hXXp://dastsaz[.]shop/wordpress/private_array/verifiable_forum/BpajlMaeH_297iwG6jj7pGc/

hXXp://datrienterprise[.]com/wp-content/eTrac/7qzoqzrkjyuc/

hXXp://demo[.]bragma[.]com/site/pt48-pk3089b-682065491-ZkL2pS9yz/open-warehouse/LXWiJKrI-62Hui1o9a/

hXXp://demo[.]podamibenepal[.]com/superior/t2c-jpip6-22/

hXXp://demo[.]tanralili[.]com/apehhpf/INC/

hXXp://designers-platform[.]com/binzbc/FILE/a69zlr8/

hXXp://dev[.]consolidationexpress[.]co[.]uk/wp-admin/closed_sector/924553_1wSxAW2z_portal/2EI6ej9js5j_15M1p7xI9Gov/

hXXp://diamondbreeze[.]com/wp-content/docs/ig220w-64348062-050708-0o2ix-nk0skuh0/

hXXp://diecinuevebn[.]com/cgi-bin/protected-disk/verified-forum/ah7hwmjvvuuy84mx-t467s/

hXXp://diegojmachado[.]com/cgi-bin/open_sector/CLp2Etz_eUR1Q6uDDBgHkI_area/bDuOHXDda_cgI6sNcjl1gK/

hXXp://dishekimieroluzun[.]com/wp-content/DOC/

hXXp://dreammotokolkata[.]com/cqye/iaft92-6lplx-826/

hXXp://drsudhirhebbar[.]com/minds/private-sector/open-portal/rb2vj1kuwjbb-swuys/

hXXp://dubit[.]pl/site2/pxre-ns-297/

hXXp://dumann[.]com[.]br/z3gy5lb/sites/7bg1i8n2/jvsjhn3j-868085891-343651-sgosfko-20u4kmz2cb/

hXXp://elitexpressdiplomats[.]com/cgi-bin/available-array/guarded-5UJi7-pIM1v1g3Q6k6/whf6zxh-txsts2/

hXXp://empowerlearning[.]online/wp-admin/ruh006-rgkj-590/

hXXp://especialistassm[.]com[.]mx/inoxl28kgldf/docs/l5rbj6g/iibea-032709148-341719111-6r6auusna-6j9m/

hXXp://euonymus[.]info/twxppk/Document/7uo0t4osm95p/

hXXp://evokativit[.]com/TEST777/YHErlTl/

hXXp://evolvedself[.]com/dir/azpdj41_sugzd3yhwwsy_3709679_Rvta29FrYib/special_QDPYSSWZ1L_PJAv0ICNK1P/2Edulb_98mGeuzy3ty2Lz/

hXXp://extend[.]stijlgenoten-interactief[.]nl/test/Pages/w6014u-84395-6469-hthslxcbne-8vj2et4/

hXXp://finndonfinance[.]com/wp-content/Document/wjswrn1s/qgltg-85747767-49820504-2gz892-ydp6o4o4e/

hXXp://fooladshahr[.]simamanzar[.]ir/dup-installer/closed_box/interior_portal/0f6j5b5bga_06zs0/

hXXp://fozet[.]in/wp-content/eTrac/hb6yb86ei36/yrqsf32-172576671-4195092231-c97ty6f-5cu2q8hj8/

hXXp://freestyle[.]hk/picture_library/eTrac/s9shv2eo/

hXXp://frezydermusa[.]com/wp-content/parts_service/fisq814goap0/fhyl68-5565-326796-rr55j9spg-ug9mfyg/

hXXp://galeriariera[.]cat/assets/lm/g9zkvryjwq-0524005005-0333576-k58dqx5-326yx/

hXXp://gameonline11[.]com/wordpress/pqOAPS/

hXXp://gargchaat[.]com/phpmailo/lm/538skcfoe/7vps0iy-66657310-44075-q2gbc4-2vhp2c/

hXXp://gayweddingsarasota[.]com/cgi-bin/esp/68f6yd4ehwdr/

hXXp://gayweddingtampabay[.]com/cgi-bin/private-2828581710383-rNH3ETP8sT2ggXrt/additional-forum/DEsne0OE5vz-KmmglLMf/

hXXp://geekmonks[.]com/cgi-bin/common_sector/special_forum/9cfuf_ts9y4twzx0709/

hXXp://germxit[.]mu/calendar/4rxl-2932-78/

hXXp://gestto[.]com[.]br/wp-lindge/Scan/

hXXp://getabat[.]in/wp-content/closed_module/test_88i6oai_sjwnuscqjjl/abgyQKwZhv6i_inKjGl8hG98/

hXXp://globalstudymaterial[.]com/pdf/available-zone/individual-warehouse/vWOq8gdCRu0-ra1nf24iHayat/

hXXp://goldinnaija[.]com/wp-admin/sites/xaz6-030261-0911995608-sm9u-99rd1/

hXXp://gomaui[.]co/wp-includes/personal-resource/test-area/a9kj-wsuyvw59t/

hXXp://grace2hk[.]com/b6vg89hb/common_sector/security_forum/4tx_uu501xxxs/

hXXp://grahaksatria[.]com/towed/private_box/additional_forum/x1T0kdo_q89uLjatbqJ8/

hXXp://greatercanaan[.]org/wp-admin/Document/kqfz63hy/

hXXp://grocery2door[.]com/nkpk/97_dwi59_03276182_sJsjrqR/corporate_warehouse/13wrnaGqqET_lIy0l5eJsNdIc/

hXXp://groovy-server[.]com/masjid/backend/web/assets/rhhl/

hXXp://group8[.]metropolitanculture[.]net/wp-admin/multifunctional-sector/verifiable-cloud/l0q-4vww/

hXXp://haoyun33[.]com/wordpress/browse/9kmt2hi/

hXXp://hasung[.]vn/wp-includes/1bvxk7fvre5_lnci6bcnim_resource/special_forum/5BZ0CZ_p4052N871e/

hXXp://hfn-inc[.]com/mail/available-box/security-PgUqz6ktI-GY00tgjAgbFSr5/zy5escaf56fzw5y-y78s2tzu60v7z4/

hXXp://homecarehvac[.]com/wp-includes/open_resource/guarded_profile/eshftvv0ht_61x297v2/

hXXp://indusautotec[.]com/n8l7suy/open-xNFfQ20VO-FjqtokyzbQ6HGF/security-jdEM-dDzAJO2Ccnx/G3P8qq-MmI2GLf3JdK/

hXXp://jgx[.]xhk[.]mybluehost[.]me/scarcelli/multifunctional_098152347732_CYNEZ9DFQ/guarded_space/2qq1r_29xuz/

hXXp://jurness2shop[.]com/cgi-bin/private_disk/individual_ufyGUNB_QRlHjxmYMMbuaY/30lpuw22llwzm_vx60vx4s/

hXXp://kallinsgate[.]com/cw6vmaj/common-2561851-hLdPAOsBNVrNeE/open-space/5irmsa8-8x82zv7t2zw2x/

hXXp://kanntours[.]com/wp-security/Overview/yprr0k8-808004671-920995225-dc1d7q7-trbbwtd/

hXXp://kayzer[.]yenfikir[.]com/quadra[.]goldeyestheme[.]com/lm/

hXXp://kelurahanraya[.]ulvitravel[.]com/tmp/eTrac/wpag9c-3294986-0565941971-rbtkv0yr0p-rs604o/

hXXp://kpu[.]dinkeskabminsel[.]com/wp-admin/available_229278636_TO7LG1kXBWax3/847166_Zm9B3oXaP_portal/ZcAtrKAnB_nJGzswNc/

hXXp://kyrmedia[.]com/whnh/closed_zone/test_warehouse/o1yvycunyw222_tz6z71svs35/

hXXp://lalletera[.]cat/bootstrap/closed-array/test-warehouse/9y3rm68-7251/

hXXp://lastminuteminicab[.]com/l56mcv/Scan/qrg67fldazss/cd38ot-8952552-5429276851-63g720il-z2uwrr/

hXXp://lindamarstontherapy[.]com/psqlud/common_1810413_gc4qCpSFYbBM/additional_forum/4kmyjjijspz85_tt20x6w/

hXXp://liveleshow[.]com/cgi-bin/open-sEVbZ-kyyyJcjMY/verified-area/n7tk0nygk2up7j-7824vz2y/

hXXp://lsperennial[.]com/tnnfxu/545533028378/ofzt2ll4a-4754801-8569215-64d2t-rbtsi5ylgq/

hXXp://masspaths[.]org/transcyclist/open-array/69537295-LwrlRuR-portal/riy-u5984475/

hXXp://mistyvillage[.]com/inoxl28kgldf/open-sector/individual-forum/TC1AThq8D-H4iKcw9erMc8a7/

hXXp://monoclepetes[.]com/disneyworldclassroom/browse/

hXXp://mosaiclabel[.]com/4f9xnykaf/common-box/corporate-a30njr6-34dhllfehbjex6/14rm3hr6k358-x32zy5/

hXXp://myclarkcounty[.]com/wp-includes/open-resource/open-forum/o6a3exwvzfo-4wwxx8uts7/

hXXp://myfamilyresearch[.]org/dir/paclm/

hXXp://nisanurkayseri[.]com/fhiq04sgna7/a683w-an3x-4946/

hXXp://norikkon[.]com/administrator/16542-fBTLcdbEyJr-sector/VFCLsV-bAwgBBBeBqaJ-forum/fft2z7gdyzqee-8z80w6z68vs/

hXXp://nunes[.]ca/s59nlj/DOC/

hXXp://pascalterjanian[.]com/logs/multifunctional-2519534-Fs87CEgtQY82H6/verifiable-forum/2iFKNGyl-Ksmyn3gyI/

hXXp://plaestudio[.]com/wp-admin/multifunctional-zone/verified-space/zftkjoaw-xzuwtu1228/

hXXp://pmnmusic[.]com/backup-1540795171-wp-includes/Document/

hXXp://productorad10[.]cl/cdn-cgi/lm/6bwolkvw/

hXXp://radigio[.]com/qcloid/Pages/aveebb8ri/

hXXp://rememberingcelia[.]com/cgi-bin/private-box/additional-cloud/WoMAYyGYPic-ejGtLw5zKk9132/

hXXp://richardciccarone[.]com/watixl/Pages/iwq2bcuhtc/fpl5dh7-1085-7485017905-7upoox-mmwh5rr/

hXXp://rkpd[.]ulvitravel[.]com/cgi-bin/s0pgy-yg3-606/

hXXp://rozziebikes[.]com/tshirts/7XOEME6DSPI/l6bpob8m-8104-0278018-y6o222jln-fsxji7gy9l/

hXXp://safiryapi[.]net/mainto/private-zone/9977527-TGAtxV-space/noliIDq-ffuwzjN5H8zj/

hXXp://sakuralabs[.]com/4gubn/personal-zone/interior-forum/rye8idbdwx6uiw9-vtw0y35413/

hXXp://scottproink[.]com/wp-includes/LLC/3nm06yz1og/

hXXp://sigepromo[.]com/fonts/multifunctional-sector/security-kojbhnhsfxht47-4qgj/xznv8-35sz95t0t7/

hXXp://sofiarebecca[.]com/ybfm/multifunctional-XhmwQuIS-uBXA6FSMcoaXT2/7427993-1AJW4cmy-profile/P0jkvy-gwgs3qvm/

hXXp://southeasternamateurchampionships[.]com/0ng1en8p/common-57GaJ-JU2y57Cw9wWp/test-area/1CP3gWMySaac-iixIpxfJ216/

hXXp://southernlights[.]org/wp-includes/attachments/13iqe8n/

hXXp://stlaurentpro[.]com/25bd/Overview/qnrlmvj/

hXXp://stluketupelo[.]net/sermon/Document/

hXXp://technosolarenergy[.]com/wpk0/esp/xcggf7f/l41sd6-372903-111521309-pe7nqblm-rnbcyph7/

hXXp://thebeaversinstitute[.]org/m6zxne/open_sector/verifiable_grIwVfcE_JNkyS1ABG7O/JOr8Y2_c0N5pfizn8tqv/

hXXp://thecityglobal[.]com/creative/DOC/tmi48tldo/8fcpm52kxc-1823-224157721-0k5g3-2ntwz3u/

hXXp://theconsciouslivingguide[.]com/w63gh/NQOOE7ZE6E/

hXXp://theordeal[.]org/2hqr15/71028031_i0jDg_array/verified_profile/M17xNfJi_afcjbJ9y2/

hXXp://tinystudiocollective[.]com/tvtepc/parts_service/c5hlpnbm/04yte-92982998-989677-xuln504d-wj8wr99a0r/

hXXp://trinituscollective[.]com/wp-admin/DOC/3k2yxczqa-017872-15130767-6fcy299dtf-5p8y1zk/

hXXp://turbinetoyz[.]com/inc/available_sector/open_cloud/7gDaxLdZntQO_f54w1mdqt/

hXXp://vektra-grude[.]com/components/sites/xyj3oy2f/

hXXp://wolvesinstitute[.]org/wp-admin/INC/muosryq6917p/uozxo9-82202-738575-fbm4hisdv-0q5dy3ciz/

hXXp://www[.]africanswoo[.]com/wp-includes/IOG/

hXXp://www[.]bonfireholidays[.]in/efqog/Documentation/

hXXp://www[.]demarplus[.]com/19sn7/Overview/

hXXp://www[.]southwayhomes[.]co[.]uk/wp-admin/lm/5x8c1xywx2h/

hXXp://xhd[.]qhv[.]mybluehost[.]me/Maidentiffany/a4wnq/INC/be5oryde748n/877iw8k2-5677720-10188-kjqm-al3ax20hth/

hXXp://xn--3jsp48bswaq48h[.]com/binzbc/protected_disk/WsgEuoVh6_GLg1uIsNZxocly_tdagf_sb0hy87m9gi/jWdMxTd9_a73ophNx/

hXXp://yourdirectory[.]website/Mccracken/eTrac/rpiglgay-1418052884-1524951880-uuys-0fxj/

hXXps://bipinvideolab[.]com/wp-admin/51917864823222027/b0n0hcp4sl83/

hXXps://crossworldltd[.]com/wp-includes/48p5-o3ih-71/

hXXps://flexwebsolution[.]com/assets/multifunctional_disk/external_forum/7aa8z9os32iqygd_3gp4h/

hXXps://gurukool[.]tech/assets/t85vawx7s2xbi3q-1mvazihmr-module/interior-forum/gEwMX8-s0pLx8jJMLhGN/

hXXps://keshavalur[.]com/css/WRssOm/

hXXps://makmursuksesmandiri[.]com/wp-content/e3tpt3cph1wncut-ika4etq8sml6-sector/interior-htMCj-UR5CVYGd/bnb5oaopu0ptx-0wyytzw7u5/

hXXps://misterglobe[.]org/generall/Overview/i9y202-334800485-67760472-jj04w2e19-xppp1/

hXXps://mountainstory[.]pk/qoaij52hfs1d/common_FOQqDSi_Q50ORC3MzecY/guarded_9ode8j8xa3q9fa_3a14tqqj/x1e_418t92/

hXXps://murraysautoworks[.]com/contact/6VE37Q01O/50v2q5af8tv/y27daizl9-678276-439755027-2i7xojwpjd-ryyu/

hXXps://nhakhoachoban[.]vn/wp-includes/paclm/

hXXps://power-charger[.]co[.]uk/faq/Reporting/g30g4b8wvh/0w5c-2857976-135390-1dg1e-bjus2/

hXXps://risefoundations[.]in/rise/8448397_cee81q_jftx3_eseQqSx/corporate_pfmWWf_7uk8kfJTJvUrTR/OvdwZPUQy_ntycKI1ipM2/

hXXps://sharefoundation[.]in/wp-admin/multifunctional_module/test_cloud/oJuKHM3ik_Mee0ttbGc/

hXXps://summit2018[.]techsauce[.]co/startup/sYHAteT/

hXXps://timestampindia[.]com/citech/Document/

hXXps://twincitiesfrugalmom[.]com/wp-admin/eTrac/9porgmi/ul99a0-5568735694-75056-vt6wk395a-yymz6f/

hXXps://www[.]jadegardenmm[.]com/engl/docs/h85me2-45331562-6525577-0c62dwu3hl-mk47l/

hXXps://www[.]u4web[.]com/bnkddo/open_disk/guarded_kzfciuyy_v4gqdp/1dOq8z5_ILk0gJmw/

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Threat Actors Use Bogus Payment HTML File to Scoot Past Proofpoint Gateway

By Tej Tulachan

The Cofense Phishing Defense CenterTM (PDC) has prevented a phishing attack that attempts to steal users’ Office365 credentials by luring them with a fake payment order attachment. Hiding a malicious re-direct within a html file, threat actors bypassed the Proofpoint secure email gateway to try and steal users’ credentials.

Here’s how it works:

At first glance, the email appears to be a genuine communication originating from the accounts team of a relatively well-known company. The message body informs the recipient there is a payment order that requires processing. The message simply says, “Please find attached copies of our P.O#9000, dated 05/11/2019,” with the attachment to the email as a html file labelled “P.O#9000.” The email doesn’t specifically ask the user to open the attachment, however it does instruct the user to acknowledge receipt of the email. Any vigilant accountant would be inclined to check the contents of the bill as part of their workflow or processing procedures.

Malicious Attachment

If we take a deeper look into the source code of the html file, we can see that it only contains three lines of html code. The code takes advantage of the http-equiv attribute, used to trigger a page refresh of the user’s web browser and then load new content, which in this case is a URL to a phishing page. This happens almost instantly when the user opens the attachment.

Fig 2: Malicious URL

Phishing Page

Once the attachment is opened the user is redirected to the phishing page as seen below in fig.3. The malicious page attempts to disguise itself as a genuine Microsoft Online Excel document, which most users would expect to see if they are editing documents on SharePoint. In the background we can see a blurred-out Excel spreadsheet with an authentication box obscuring the file contents. The user’s email address is auto populated in the dialog box, which asks the user to authenticate with his or her password.

Fig 3: Phishing Page

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMeTM.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM.

Quickly turn user-reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekerTM.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than CofenseTM. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

New Credential Phish Targets Employees with Salary Increase Scam

By Milo Salvia, Cofense Phishing Defense CenterTM

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Office365 (O365) credentials by preying on employees who are expecting salary increases.

The threat actors use a basic spoofing technique to trick employees into thinking that their company’s HR department has shared a salary increase spread sheet. Here’s how it works:

Email Body

Figure 1: Email Body

The threat actor attempts to make the email appear to come from the target company by manipulating the “from” field in the headers. In particular, the threat actor changes the part of the from field that dictates the “nickname” displayed in the mail client to make it appear as if it originated within the company.

The email body is simple: recipients see the company name in bold at the top of the page. Greeted by only their first names, they are informed that “As already announced, The Years Wage increase will start in November 2019 and will be paid out for the first time in December, with recalculation as of November.” Recipients are then presented with what appears to be a hosted Excel document called “salary-increase-sheet-November-2019.xls.”

It is not uncommon, of course, for companies to increase salaries throughout the year. As a result, it wouldn’t be uncommon for an email like this to appear in an employee’s mailbox. Human curiosity compels users to click the embedded link.

The idea is to make recipients believe they are being linked to a document hosted on SharePoint. However, they are being linked to an external website hosted on hxxps://salary365[.]web[.]app/#/auth-pass-form/. One can assume from the context of this malicious URL that it was specifically chosen and hosted for this phishing attempt.

Figure 2: Phishing Pages

Once users click on the link, they are presented with a common imitation of the Microsoft Office365 login page. The recipient email address is appended to the end of the URL that automatically populates the email box within the form, leaving just the password field blank to be submitted by the recipient. This adds a sense of legitimacy to the campaign, allowing the recipient to believe this comes from their own company.

HOW COFENSE CAN HELP

Cofense Resources

Cofense PhishMeTM offers a simulation template, “Salary Increase,” to educate users on the phishing tactic described in today’s blog.

Cofense IntelligenceTM: ATR ID 31510

Cofense TriageTM: YARA rule PM_Intel_CredPhish_31510

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMeTM.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM. Quickly turn user-reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekerTM.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than CofenseTM. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Are URL Scanning Services Accurate for Phishing Analysis?

By Chris Hall, Professional Services

There are plenty of websites offering URL scanning for malicious links. Their tools are a quick and easy way to analyze a URL without visiting the site in a sandboxed environment. Widely used, these tools are accurate to a point.

But in today’s phishing landscape, where attacks are increasingly sophisticated, such tools are becoming less and less reliable. We in the Cofense Phishing Defense CenterTM (PDC) believe they are ineffective against more advanced phishing websites.

Phishing Sites Are Using Redirect Methods to Avoid Detection

Let start with this example:

An attacker can easily set up a new domain and host a phishing site with a legit SSL certificate from most established certificate authorities for free. The attacker then can configure the server or webpage to redirect all connections that are not from the organization’s IP to an external safe site such as google.com.

If a security analyst then submits the URL to a third-party lookup tool, for example VirusTotal, the tool will only detect the site google.com and not the actual phishing site. At this point, the analyst can submit the URL to another URL scanning tool, but the results will all come back the same.

In the Cofense PDC, we are seeing an increase of phishing sites that are using redirect methods to avoid detection from URL scanners and unaware security analysts.

Here is another example with browser detection phishing websites:

This phishing link below redirected users depending on which browser they used.  If users use Firefox as their default browser, they will get the actual payload, while a Chrome default browser will get a redirect to MSN.

Figure 1: Original Phishing Email

When recipients click the ‘Open Notification’ link in the email message above, they are directed to the website below.

URL: hxxp://web-mobile-mail.inboxinboxqjua[.]host/midspaces/pseudo-canadian.html?minor=nailer-[recipient’s Email Address]

When someone clicks the URL, the experience can vary depending on the default browser, Firefox vs. Chrome.

The real phish site using Firefox:

Figure 2: Actual Phishing Site

Using Chrome:

Figure 3: Redirected Site

Regardless of the user’s geolocation, the URL redirect will go to the UK page. URL: https://www.msn.com/en-gb/news/uknews

Now let’s put the same URL in a popular URL scanner and see the results:

Figure 4: Virus Total Results of the Reported URL

The search results show that one of the vendors has detected the phishing site as malware. However, this is not the case.  Let’s look at the Details tab.

Figure 5: VirusTotal Details of the Reported URL

In the results it states that the final URL is to msn.com. We still do not know what the actual phishing site looks like, what the site is doing, or even if the phishing site is active at all.

There’s a Better Way to Check for Malicious Links

Organizations must ask if these URL scanners are providing enough information to analysts so they can complete their investigations.  Is the scanner testing the suspicious link with multiple user agents or querying the site with different source IP addresses?  While the URL scanning services are useful, they lack the basic dynamic analysis that most analysts will perform on a malicious website.

What if I told you that it is quick, easy, and more accurate by far to analyze URL based phishing attacks manually, using various tools such as User-agent switcher or with a VPN and proxy servers while in a dedicated virtual machine? Remember that if a phishing email bypassed those same scanners to reach your users’ inboxes, it’s an undiscovered phishing attack and will require human analysis.

To better equip your analysts, we came up with a list that your security team can use to detect these types of attacks.

  1. Create an isolated proxy server that can reach out to the phishing site without restrictions.

– If your company has locations in different countries, use additional proxy servers in those countries or use proxy services like Tor or a third-party VPN service.

– Acquiring a VPN service with multiple locations is another option.

– Create a “dirty” network to browse malicious sites that can also be used to analyze malware samples.

 

  1. Create a VM for URL analysis.

– This VM should be isolated from the organization’s network.

– VMs such as Remnux will have tools built-in to assist in URL and file analysis.

 

  1. Use Firefox for visiting the site

– Based on the vast amounts of customization, Firefox may be the best browser suited to URL analysis

– Add-ons such as User-agent switcher, FoxyProxy, and HTTP Header Live are essential.

– You can also use the browser’s developer tools to track requests, detect redirects, and alter elements on the page.

URL scanning services are useful to a point. These tools will alert you to some suspicious URLs, but often lack the details need for escalations and blocking the threat. More often than not, the tools will be a point of failure for your organization’s security due to the high amount of risk they introduce. So take a couple of minutes to look at that suspicious URL in a safe environment and see what it really does. It may save you lots of money and time cleaning up an incident.

 

HOW COFENSE SOLUTIONS CAN HELP

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense IntelligenceTM

90% of phishing threats observed by the Cofense Phishing Defense Center bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

New Phishing Sextortion Campaign Using Alternative Crypto Currencies to Evade Detection

By Hunter Johnson, Cofense Professional Services 

Cofense has observed threat actors employing a modified version of a sextortion scam using alternative crypto currencies to bitcoin.

Typical sextortion scams claim to have installed malware on recipients’ systems and recorded their browsing history of adult websites and webcam footage. Ransom is demanded in bitcoin, upon threat of releasing damaging information to family, friends, and co-workers. Because threat actors often get recipients’ emails from password breach lists, they sometimes include passwords to lend authenticity.

Early sextortion scams started with a plain text extortion email threating the recipient and asking for payment. As enterprises began writing detection rules to block those emails, threat actors modified the text by replacing it with an image, which prevented key words from being identified by Secure Email Gateways (SEGs). The bitcoin address was left as a plain text string in the email, so it could be easily copied. As enterprises began checking for bitcoin addresses, threat actors removed text and images and switched to attaching PDF documents containing the threats. Most recently, threat actors began encrypting PDF attachments and including the password in the email body to foil any further SEG detection rules.

This latest sextortion version is using a Litecoin wallet address instead of bitcoin to evade detection. Previous iterations showed a gradual shift away from identifiable patterns and to alternative crypto currencies, in an attempt to foil SEG bitcoin-detection rules. The current emails appear to be crafted to contain very few searchable word patterns. While we could publish the contents of those emails, let’s just say the emails contained adult language admonishing the recipient to be more careful about their browsing and webcam habits.

As this latest twist shows, threat actors can switch to the next crypto currency and attempt to iterate through all the scam’s previous versions. While there are thousands of crypto currencies, only a dozen or so are easily attainable from large exchanges. For the scam to work, the recipient needs an easy way to acquire the requested payment method.

Avoiding this scam is simple with phishing awareness training. Your users can safely ignore the emails—if threat actors actually had such access and data, they would include stronger proof. Also educate users about sites such as haveibeenpwned.com, so they can know if their email address is likely to become a target.

Cofense will also be publishing a rule to detect attacks we’ve seen so far using this new method.

HOW COFENSE CAN HELP

Cofense Resources

Cofense PhishMeTM offers a phishing simulation template, “Fear Driven Phishing Scams Involving Embarrassing Situations,” to educate users on sextortion and similar scams.

Cofense Labs has published a database of 300 million compromised email accounts for use in sextortion campaigns. Find out if your organization’s accounts are at risk.

Reports of sextortion and other ransom scams to the Cofense Phishing Defense CenterTM are increasing. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains – do YOUR research with Cofense CloudSeeker TM.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Trickbot Is Using Google Docs to Trick Proofpoint’s Gateway

By Tej Tulachan

The Cofense Phishing Defense Center (PDC) has detected a phishing campaign that delivers Trickbot embedded in a Google Docs link. Trickbot has been making the rounds for a long time now and is still considered one of the biggest malware threats targeting business today. Threat actors frequently utilize legitimate applications or trusted file sharing sites like Google Docs to bypass the email gateway and lure users to click on the link to deliver malware. In this case, the email made it through Proofpoint’s gateway utilized by our PDC customer.

Email Body

The email attempts to lure curious users to click on the link: “Have you already received documentation I’ve directed you recently? I am sending them over again.” This is a legitimately generated email by Google Docs when a file is shared by one of its subscribers. Unknowingly, the recipient is directed to a document hosted on Google that contains a malicious URL.

Fig 1. Email body

When the recipient clicks on the link it directs to a genuine Google Docs page as shown below, which contains a fake 404 error message and another embedded link. The threat actor baits the recipient into downloading the document: “Downloading the document manually via the link”. This link hxxps://docs[.]google[.]com/uc?id=112QLCdDtd4y-mAzr8hobCs0TP5mQmKfL downloads the malicious payload.

Fig 2. Google doc page

Once the URL links to a file hosted on Google drive, it downloads a Review_Rep.19.PDF.exe which has been disguised as PDF file. Many recipients will not see the .exe file extension. It’s something that you need to specifically enable in Windows. So, to them it looks like a legitimate PDF file since the attacker uses the icon for a PDF.

Fig 3. Pdf Icon

If we look at the file in a hex editor, we see that in fact it’s an executable file and not a PDF.

Take a look below in the editor, indicated by the magic bytes MZ which denotes a windows executable.

Fig 4. Magic Number

Once the payload is executed it creates a copy of itself (egолаСывЯыФЙ) in C:\ProgramData, where it  undertakes control over execution of the malware.

Fig 5. egолаСывЯыФЙ.exe

Furthermore, it creates another copy in “C:\Users\REM\AppData\Roaming\speedLan” that also includes the config file for Trickbot (settings.ini) (The directory depends on the Trickbot version.)

Fig 6. speedlan

If we look inside the settings.ini we see a lot of the “obfuscated” text.

Fig 7. Obfuscated text

Additionally, if we open up the Task Scheduler, we can see it also sets a task that starts the malicious file from the “Speedlan” folder.

Fig 8. Start Task Scheduler

Looking at the Triggers tab, we can see it has been set to repeat itself every 11 minutes for 596843 minutes (414 days) for this particular version of Trickbot. The scheduled task checks to see if the binary is running in memory every 11 minutes over a 1-year period. This means that the binary will stay persistent on the system if the process is terminated. The 414 day counter just insures that the scheduled task stays running for as long as the system is online (generally, people will reboot their computer at least once a year).

 

 

 

 

 

 

 

 

 

Fig 9. Trigger

This then hollows out Svchost, injects its malicious code, and launches it. It keeps launching more and more Svchost’s if you let it run. Each of these are typically responsible for a module of Trickbot.

Fig 10. Hollows Svchost

Indicators of Compromise (IOCs):

Malicious File(s):

 

Filename: Review_ Rep.19.PDF.exe

MD5: ab2a8fc10e8c1a39ae816734db9480de

SHA-256: 20328b1f169b1edeef38853dafbbacfdac53c66f7f1dd62f387091bedebfd497

File Size: 404,320 Bytes

Extension: exe

 

Malicious URL(s):

 

hxxps://docs[.]google[.]com/document/d/1fgSfd4DwReVKbcLI3ISO2jhX1Yn8WOqbXnmU_bg00_A/edit?usp=sharing_eip&ts=5d5accb1
hxxps://docs[.]google[.]com/uc?id=112QLCdDtd4y-mAzr8hobCs0TP5mQmKfL
hxxps://jaquetas01[.]cordenadorltda[.]org
hxxps://services[.]halapar[.]org

 

Associated IP(s):

200[.]119[.]45[.]140

107[.]181[.]175[.]122

79[.]143[.]31[.]94

198[.]27[.]74[.]146

186[.]47[.]40[.]234

181[.]129[.]93[.]226

190[.]152[.]4[.]210

 

HOW COFENSE CAN HELP

89% of phishing threats delivering malware payloads analyzed by the Cofense Phishing Defense CenterTM bypassed email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM. Cofense PhishMe offers a phishing scenario, “Shared Google Doc – TrickBot,” to help users identify the attack described in today’s blog.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Easily consume phishing-specific threat intelligence to proactively defend your organisation against evolving threats with Cofense IntelligenceTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense™. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Remote Access Trojan Uses Sendgrid to Slip through Proofpoint

The CofenseTM Phishing Defense CenterTM observed a malware campaign masquerading as an email complaint from the Better Business Bureau to deliver the notorious Orcus RAT, part of the free DNS domain ChickenKiller which we blogged about in 2015. Here’s how it works: