Zoom Phish Zooming Through Inboxes Amid Pandemic

By Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that acts as a Zoom video conference invitation to obtain Microsoft credentials from users.

As noted in numerous other articles posted by Cofense, it is no secret this pandemic has changed the threat landscape. From emails to employees regarding safety guidelines to the latest news from the WHO or CDC on Coronavirus cases in the area- threat actors have done it all to make the most of this situation, especially targeting remote workers. Within that group of remote workers there are users who are unfamiliar with teleconferencing and the emails that come with using the service. Some users may not have the best home office set up and work on monitors that barely afford them a proper view, making it difficult to look over these emails closely. The attack covered below is specifically aimed toward those users.

Figure 1– Email Bodies

For this attack, users are informed of an invite to a video conference from what appears to be “Zoom Video Communications” which is followed by either as noted in Figures 1-2. For now, this all appears to be in order, however looking more closely at the senders, there are barely noticeable typos- communcations missing an ‘i’, confrence missing an ‘e’. While this may seem like just an innocuous mistake, it’s in fact a carefully crafted scheme.

Mere hours before sending this email, the threat actors registered the domains zoomcommuncations.com and zoomvideoconfrence.com, as noted in s 3-4.

Figure 2-3: Email Body

When visiting either domain, it may appear to be a German site speaking on different Lasik treatments and surgery options. However, this is merely a cover for its true purpose of helping send malicious emails while impersonating teleconferencing giant Zoom.

The email itself is reminiscent of a legitimate Zoom communication- the blue Zoom logo, a vague mention of a video conference for users to join and a link for them to review said invitation; it’s inconspicuous enough and mostly free of the grammatical mistakes phish often contain.

Hovering over the “Review Invitation” the link shown is:

hxxps://r[.]smore[.]com/c?u=pastell[.]in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44=REDACTED[@]company[.]com

For this attack, the threat actor used a redirector link from Smore, a newsletter creation and distribution website. This is not the first time threat actors have used a legitimate online service’s personal redirect links to pilot users to malicious sites. In this case, this redirect link, once clicked, navigates users to:

hxxp://www[.]pastell[.]in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44

Which then redirects to the final page:

hxxps://logonmicrosftonlinezoomconference[.]azureedge[.]net/

For this attack, the threat actor has utilized Microsoft’s Azure is used to host the phishing domain, but this is not a new tactic. Threat actors flock to these domain hosting services due to some of the perks it offers. For this service, a free SSL certificate comes with any website hosted through it which adds a padlock next to the URL in the address bar, most people incorrectly assumes this indicates a site is legitimate. Another benefit of Azure is the customization option for the subdomain, allowing a URL to mimic or at least appear as a legitimate URL for the service attacks are attempting to impersonate. In this case, the subdomain is “logonmicrosftonlinezoomconference”, with all the keywords most users would expect to see in a Zoom email that goes to a Microsoft login page: “logon microsoft” and “zoom conference”. With both a padlock in the address bar along with relevant names displayed, this attack becomes less noticeable to most users.

Figure 4: Phishing Page

Figure 5 shows the phishing page users are presented with should they make it this far. The page is a generic Microsoft phish with an accompanying URL which, once again, seems to legitimize the phish to users.

The request is simple: “Sign in to Zoom with your Microsoft 365 account.” At face value, this seems like a completely reasonable use of credentials. And since Zoom allows for users to login in via SSO and most companies have linked Microsoft credentials to the platform, some users may even be familiar with Microsoft helping to access their Zoom account.

Meanwhile, with the user’s email appended in the URL, it in turn pre-populates the username field with that information, leaving only the password left for the user to provide.

Network IOC  IP 
hxxps://r[.]smore[.]com/c?u=pastell[.]in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44?e5=REDACTED[@]company.com 52[.]27[.]29[.]106
hXXp://www[.]pastell[.]in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44 209[.]159[.]154[.]74
13[.]107[.]246[.]10
hXXps://logonmicrosftonlinezoomconference[.]azureedge[.]net/ 13[.]107[.]246[.]10
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phishers Continue to Spoof WebEx

By Kaleb Kirk, Cofense Phishing Defense Center

Last month, the Cofense Phishing Defense Center (PDC) observed a new phishing trend wherein threat actors spoofed WebEx pages to harvest Office365 (O365) credentials. Since the posting of the original blog, the PDC has seen an increase in the number of similarly themed WebEx phishing attacks, yet another example of attackers leveraging the rapid shift to remote work in light of COVID-19 concerns. As many organizations and their workforce are increasingly dependent on remote working tools and solutions, reducing the attack surface (the number of different approaches a threat actor can use to enter or extract data) of such online platforms and services is becoming even more critical.

Attackers know this and are constantly looking at ways to circumvent detection by secure email gateways and position themselves between users and legitimate services. The WebEx phishing campaign is a prime example, slipping past email protection to dupe users into providing their credentials out of fear they will be unable to use the service and perform their job otherwise.  It’s therefore not a surprise the PDC has seen an increase in phishing attacks that spoof legitimate, business critical services.

While this blog focuses on a new phishing campaign imitating WebEx, this style of attack can and has taken multiple forms, mimicking many different legitimate web services. Luckily however, once an end user knows some of the telltale signs,  it’s often easy to identify what is truly legitimate and what is fake.

Figures 1-2: Email Body

Upon an initial glance, this email may appear innocuous enough. It has the look and format one would likely expect when receiving an email from Cisco. The style is professional, the layout of the email isn’t mangled or chaotic, and it appears legitimate – an intentional and easy tactic to pull off. All the threat actor required was a real WebEx email to copy from in order to duplicate the style and alter select elements for nefarious purposes. The sender address appears to come from WebEx. However, this is what is known as the “friendly” from address – while the recipient sees the displaying address, which appears to be authentic, the email headers reveal a very different story. The problem with a “friendly” sender address is that it is easily spoofed by attackers; it’s a well-known, simple trick designed to convince the recipient that an email is legitimate.

Looking beyond simple aesthetics, however, other indicators of phishing are evident. The subject line indicates there is an issue with SSL certificates that requires the user to sign in and resolve. This is referenced further in the body of the email, providing a sense of legitimacy and enticing them to open the email and read it.

The wording of the email also employs scare tactics that are prevalent in phishing attacks. The recipient is informed there is a problem that has caused their service to become deactivated and the user must log-in and authenticate by clicking the link. Verbiage like this is often used to coerce the end user into clicking on a link or attachment in haste before they have time to fully think it through – a key tactic used by threat actors in phishing campaigns.

Finally, the link itself reveals something else is fishy about this alert. Hovering over the button shows the embedded link is not, in fact, a WebEx page, but a SendGrid link, a legitimate customer communication service used by marketing professionals. SendGrid links are commonly used in phishing attacks, as they require minimal effort.

Figure 3: Phishing Page, Step 1

Upon clicking the SendGrid link, the user is redirected to a phishing page, as seen in Figure 3. The only difference between a legitimate WebEx login page and this phishing page is the URL itself, suggesting the attacker conducted some form of web scraping to create an intentionally benign looking and familiar login page for the end user. Web scraping, essentially, is the practice of using a tool to automatically copy data from a website and create a convincing copy.

Figure 4: Phishing Page, Step 2

Deception quickly falls apart when reviewing the URL, however; while designed to look like the actual URL, there actually isn’t a portion that includes ‘webex.com’. The numerous dashes, coupled with one very long word followed by ‘index.php’ is not reflective of a professional link, suggesting the phishing URL was registered to appear legitimate at first glance. While phishers commonly make a valiant effort for their pages to look legitimate, looking at the address bar generally reveals if it’s legitimate. Misspelling, similar looking words and strange top-level domains are common tricks used by attackers to guile end users for just long enough to not question it.

While the initial phishing page only requests the user’s email address, the following page then changes URLs from “index.php” to “step2.php” and asks for the user’s password- this is another indicator the site is not legitimate, as the specific internals of which php file is being invoked for this webpage would be usually be hidden to the user.

Figure 5: Final redirect to official WebEx login page

As the final stage of attack, when the user enters their credentials on the page shown in Figure 5 above, the user is then redirected to WebEx’s real sign-in page. At this point, the malicious actor now has the user’s credentials, but it is in their best interest to ensure the user is unaware that a successful credential phishing attack occurred, giving the threat actors time to make use of newly stolen log-in details. The final redirect to WebEx’s legitimate log-in page may make the end user believe there was a log-in error and they need to log-in again. A common theme in a many phishing attacks is appealing to and preying on the feeling that nothing is amiss and there is nothing to question about the experience. In the meantime, threat actors gain precious time to do damage while the end user moves on with his or her workday.

Figure 6: Open Directory

A final interesting finding about this phishing campaign is the main domain itself, which reveals an open directory. This open directory shows the files included in the phishing page: images, fonts, .css files, and more. Although finding this directory was easy, it isn’t necessary to hide it, as most end users will only go through to login rather investigating into the internals of the site. However, it must be noted no professional website allows access to its file directories in this way. If reached, it is an almost sure-fire way of immediately identifying a phish.

Network IOC IP
hXXps://cert-ssl-global-prod-webmeetings[.]com/da4njy=/idb/saml/jsp/index[.]php 137[.]135[.]110[.]140

 

How Cofense Can Help

Visit Cofense’s Remote Work Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots and YARA rules as we continue to track campaigns.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

New Phishing Campaign Spoofs WebEx to Target Remote Workers

By Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center  (PDC) has observed a new phishing campaign that aims to harvest Cisco WebEx credentials via a security warning for the application, which Cisco’s own Secure Email Gateway fails to catch. In the midst of the COVID-19 pandemic, millions of people are working from home using a multitude of online platforms and software. Attackers, of course, know this and are exploiting trusted brands like WebEx to deliver malicious emails to users.

Targeting users of teleconferencing brands is nothing new. But with most organizations adhering to guidelines that non-essential workers stay home, the rapid influx of remote workers is prime picking for attackers trying to spoof brands like WebEx. We anticipate there will continue be an increase in remote work phishing in the months to come.

Here’s how this campaign works:

Figure 1: Email Body

For this attack, the threat actor sends an email with varying subject lines such as “Critical Update” or “Alert!” from the spoofed address “meetings[@]webex[.]com”. With the subject and mail content combined, this may gauge users’ curiosity enough to entice them click in order to take the requested action.

The email then explains there is a vulnerability the user must patch or risk allowing an unauthenticated user to install a “Docker container with high privileges on the system.” In this scenario, the threat actor has spoofed a legitimate business service and explained a problem with their software, prompting even non-technical readers to read further. The threat actor even links to a legitimate write-up for the vulnerability, found at the URL embedded into the text ‘CVE-2016-9223:

hxxps://cve[.]mitre[.]org/cgi-bin/cvename.cgi?name=CVE-2016-9223

The linked article uses the same words as the email, lending further credibility.

The only thing for a responsible user to do next is follow the instructions in the email and update their Desktop App, right?

Even if more cautious users hover over the ‘Join’ button before clicking, they could still very well believe it’s legitimate. The URL embedded behind it is:

hxxps://globalpagee-prod-webex[.]com/signin

While the legitimate Cisco WebEx URL is:

hxxps://globalpage-prod[.]webex[.]com/signin

At a first glance, both URLs look eerily similar. A closer look, however, reveals an extra ‘e’ is added to ‘globalpage.’ Likewise, instead of ‘prod.webex’, the malicious link is ‘prod-webex’.

To carry out this attack, the threat actor registered a fraudulent domain through Public Domain Registry just days before sending out the credential phishing email.

The attacker has even gone as far as obtaining a SSL certificate for their fraudulent domain to gain further trust from end users. While the official Cisco certificate is verified by HydrantID, the attacker’s certificate is through Sectigo Limited. Regardless of who verified the attacker’s certificate, the result is the same – a lock to the left of its URL that renders the email legitimate the eyes of many users.

Figure 2:  Initial Phishing Page

The phishing page to which users are redirected is identical to the legitimate Cisco WebEx login page; visually there is no difference. Behavior-wise, there is a deviation between the real site and the fraudulent page. When email addresses are typed into the real Cisco page, the entries are checked to verify if there are associated accounts. With this phishing page, however, any email formatted entry takes the recipient to the next page where they then requested to enter their password.

Figure 3: Secondary Phishing Page

Once credentials are provided, users are redirected to the official Cisco website to download WebEx, which may be enough to convince most users it is a legitimate login process to update their WebEx app.

Figure 4: Legitimate Redirect Page – Official Cisco WebEx Download Page

At the time of writing, this fraudulent domain is still live and active. In fact, when navigating to the main domain, there is an open directory showing files the threat actor has utilized with this attack.

Figure 5: Open Directory

Files of interest include ‘sign-in%3fsurl=https%[…]’ and ‘out.php’.

The file ‘sign-in%3fsurl=https%[…]’ is the phishing page itself. When users click from this directory, they are redirected to the fraudulent WebEx login (Figure 3).

Figure 6: ‘out.php’ File

The ‘out.php’ file, seen in Figure 6, is the mailer the threat actor appears to have used to send this attack to users’ inboxes. The threat actor can manually input any subject they want – in this case, they chose “Critical Update!!”, adding the HTML for the email to the box below and designating an email list to which they wish to mass send this campaign.

With many organizations quickly adopting remote working policies, threat actors are poised to continue to spoof brands that facilitate virtual collaboration and communication, such as teleconferencing tools and cloud solutions.

Indicators of Compromise:

Network IOC IP
hxxps://globalpagee-prod-webex[.]com/signin 192[.]185[.]214[.]109

 

How Cofense Can Help

Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolves. Our site is updated with screenshots and YARA rules as we continue to track campaigns.

Every day, the Cofense Phishing Defense Center (PDC) analyzes phishing emails that bypassed email gateways, 75% of which are credential phish.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 37308 and received YARA rule PM_Intel_CredPhish_37308. Cofense Intelligence customers who would like to keep up with the Active Threat Reports and indicators being published, all COVID-19 campaigns are tagged with the “Pandemic” search tag.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

This Employee Satisfaction Survey is Not so Satisfying… Except for the Credential Phishing Actors Behind It.

By Max Gannon, Dylan Duncan in Cofense Intelligence

Cofense Intelligence has tracked a complex credential phishing operation that evades Microsoft Office 365, Cisco Ironport and Mimecast Secure Email Gateways and has been active since at least December 2019—a very long time for an active credential phishing campaign. The use of a series of convincing tactics suggests that threat actors have taken great effort to create an air of authenticity for targeted recipients. Targeted users receive an email, supposedly from their HR departments, mandating that they complete a SurveyMonkey employee satisfaction survey. The convoluted attack chain uses trusted sources and eventually redirects to a real SurveyMonkey survey, allowing the threat actors to evade detection, and provides recipients with the end results that they expect – a real survey.

This credential phishing chain begins with an email (Figure 1) containing a link to a PDF hosted on the legitimate cloud service provider Hightail. The email itself contains multiple tactics, techniques, and procedures (TTPs) to deceive the end user. These TTPs consist of a seemingly legitimate Hightail spoofed email address ‘delivery @ spaces[.]hightailmail[.]com,’ fronting as a target’s HR department. The email creates a sense of urgency, indicating the survey is mandatory, requires action, only takes a few moments to complete, and will benefit the targeted employee.

Figure 1: Example of one original email sent to targeted recipients

After following the link to Hightail, a PDF is downloaded (Figure 2). Within the PDF, the from, subject, and message fields match the email line-for-line. The URLs for Hightail contain the recipient’s email address encoded in the URL path, and with the page hosted by the threat actor, these collected URLs could be decoded to gather the email address before they access the PDF. Hightail provides a preview of the PDF before downloading (Figure 3), which shows a faded survey and an icon that appears to lead into the survey.

Figure 2: The Hightail web page hosting a PDF that recipients are encouraged to download

Figure 3: A preview of the PDF hosted on Hightail, encouraging the user to participate in the “mandatory” survey

Once the PDF has been downloaded, a ‘Take Survey’ icon links to one of many credential phishing URLs used in this scheme. As displayed in Figure 4 below, the phishing URLs often change with each different PDF, but continue to remain consistent with the theme of an HR Department survey.

Examples include:

  • hxxps://hrsurveyportal[.]work/Start/
  • hxxps://my[.]hr-portalsurvey[.]work/

A complete list of identified URLs was used in different PDFs and is included at the end of this document in Table 2. This kind of differentiation allows the threat actors to maintain an appearance of legitimacy in their phishing URLs, while making it more difficult to defend against these attacks by shunning previously used or shared URLs.

Figure 4: PDF with an embedded link to a credential phishing website

This credential phishing campaign, and its variants, have been operating since at least December 5th, 2019. In most of these identified campaigns, the credential phishing pages were the same spoofed “Norton Secured” page, seen in Figure 5, regardless of the URL or the original target company. Older campaigns, primarily seen in December and January, mostly used appspot[.]com sub-domains rather than HR department themed domains and all led to pages like the one shown in Figure 6.

Figure 5: Spoofed login page where credentials are harvested

Figure 6: A less convincing example of a credential phishing page identified in this broader campaign.

When a recipient enters his or her information in any of the credential phishing websites, the data is sent via an HTTP POST to the URL shown in Figure 7. This is most commonly hxxps://nortonsymantecssl[.]000webhostapp[.]com/vlog/. Much like the hrsurvey[.]work URL variants designed to provide an additional sense of legitimacy, this URL also spoofs “Norton Secured”. Recipients are then immediately sent to the SurveyMonkey survey shown in Figure 8.

Figure 7: Credential phishing page source with the highlighted URL where credentials are posted and recipients are redirected.

Figure 8: The final SurveyMonkey survey

The SurveyMonkey survey shown in Figure 8 is of particular importance. First, this survey link is either legitimate and has been repurposed by threat actors, or threat actors themselves went to the effort to create it. Either way, the detail and effort involved in the survey indicates the possible intent of the threat actors to use the survey as a long-term resource across multiple short-lived credential phishing pages. Secondly, this survey leads targeted recipients to a credible conclusion—ending the attack chain in a way that would not leave recipients suspecting that anything suspicious had happened. Many credential phishing campaigns end by redirecting a user to a generic page or displaying a login error message, which can cause users to stop and consider potentially harmful activity that had occurred, leading them to warn others or report the original email. By avoiding such suspicious signposts, the threat actors can further protect their infrastructure and avoid detection.

This campaign presented a convincing impersonation of an HR department delivering a mandatory survey to its employees. The final destination of the chain was a survey hosted on SurveyMonkey—leading recipients to believe that nothing was wrong. The choice of the campaign endpoint—a survey hosted on a well-known legitimate site, rather than an obvious error message or redirect—indicates a level of attention above and beyond what is usually exhibited by credential phishing adversaries. Additionally, custom domains were used to host the credential phishing infrastructure rather than compromised domains, as is often the case with simple credential phishing. Cofense Intelligence assesses that this campaign was carefully designed with long term capability and minimal detection in mind. This has no doubt allowed for the repeated success of this campaign—also quite unusual when it comes to credential phishing.

Hightail Hosted PDF URLs
hxxp://spaces[.]hightail[.]com/receive/gmaTEP8hhh/
hxxp://spaces[.]hightail[.]com/receive/GvXjcQjRac/
hxxp://spaces[.]hightail[.]com/receive/gWGl9E9QrM/
hxxp://spaces[.]hightail[.]com/receive/hiasiM3Bc4/
hxxp://spaces[.]hightail[.]com/receive/Huh5Kd9ngs/
hxxp://spaces[.]hightail[.]com/receive/N2hZnCrDRr/
hxxp://spaces[.]hightail[.]com/receive/NewA1DfvtL/
hxxp://spaces[.]hightail[.]com/receive/pvHwWmHUxB/
hxxp://spaces[.]hightail[.]com/receive/rlTbN1a1sV/
hxxp://spaces[.]hightail[.]com/receive/wgmOI2E6VF/
hxxp://spaces[.]hightail[.]com/receive/yGDAtZ2Cld/
Credential Phishing Pages URLs
hxxps://hrsurvey[.]work/Home/
hxxps://hrsurvey[.]work/hr/
hxxps://hrsurveyportal[.]work/begin/
hxxps://hrsurveyportal[.]work/secure/
hxxps://hrsurveyportal[.]work/Start/
hxxps://my[.]hr-portalsurvey[.]work/
hxxps://my[.]hrsurveyportal[.]work/
hxxps://my[.]worksurvey[.]work/
hxxps://secure[.]hrsurveyportal[.]work/
hxxps://mwz1552alry[.]appspot[.]com/
Redirect URLs
hxxps://csosun[.]org/administrator/manifests/login[.]php
hxxps://nortonsymantecssl[.]000webhostapp[.]com/vlog/
Hosted Survey URL
hxxps://www[.]surveymonkey[.]com/r/2MHSTQ8
Downloaded PDF Files MD5 Hash
Employee Satisfaction Survey.pdf d61822e79a797356598b6296af360f3e
Employee Satisfaction Survey.pdf b760297ada010198d40f585206e2c769
Description Indicator
Cofense Intelligence ATR ID 36729
Cofense Triage Yara RULE PM_Intel_CredPhish_36729

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Condition users to be resilient to credential harvesting attacks with Cofense PhishMe, plus get visibility of attacks that have bypassed controls with Cofense Reporter.

Easily consume phishing-specific threat intelligence in real time to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers were already defended against these threats well before the time of this blog posting and received further information in the Active Threat Report 36729.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Threat Actors Capitalize on Global Concern About Coronavirus in New Phishing Campaigns

By Kyle Duncan and Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign found in an environment protected by Ironport that aims to strike alarm and manipulate end users into clicking on a Microsoft-branded credential phish that prays on concerns surrounding the coronavirus.

The email appears to be from The Centers for Disease Control and the message is that the coronavirus has officially become airborne and there have been confirmed cases of the disease in your location. The email goes on to say that the only way to minimize risk of infection is by avoiding high-risk areas that are listed on a page they have personally hyperlinked to you – the recipient. The email is NOT from the CDC and the link to possible safe havens is actually malicious.

Since news of the coronavirus hit national headlines, many threat actors have played on its infamy to target unsuspecting users. While there are numerous phishing campaigns raving about the latest safety measures, all claiming to be reputable health organizations or doctors, this email differs in its methods, weaponizing fear to panic users into clicking malicious links.

Figure 1: Email Header

The following are snippets of the header information for the email. Looking at the first stop on the received path we see that the email originated from the domain veloxserv.net with an IP address of 193[.]105[.]188[.]10. This obviously has nothing to do with the Centers for Disease Control, as this is an IP located within the United Kingdom. However, the sender is issuing a HELO command which tells the email server to treat this email as if it were originating from the domain “cdc.gov”.

Figure 2: Email Body

The subject of the email is “COVID-19 – Now Airborne, Increased Community Transmission” followed by a spoofed display name, CDC INFO, and from address, CDC-Covid19@cdc.gov, thus making it appear as if the sender is really the CDC. Despite odd capitalization on some words in the email, it is a rather good forgery which, when combined with the high stress situation it presents, may cause most users to overlook those details and click the link immediately.

Users are led to believe they are clicking a link to:
hxxps://www[.]cdc[.]gov/COVID-19/newcases/feb26/your-city[.]html

However, embedded behind that link is the following malicious redirect:
hxxp://healing-yui223[.]com/cd[.]php

Which in turn goes to the final landing page of the phish located at:
hxxps://www[.]schooluniformtrading[.]com[.]au/cdcgov/files/

Upon further research, there were two additional compromised sites set up with this same phishing kit.

Additional redirecting URLs found were:
hxxps://onthefx[.]com/cd[.]php

Additional phishing pages:
hxxps://urbanandruraldesign[.]com[.]au/cdcgov/files
hxxps://gocycle[.]com[.]au/cdcgov/files/

In each of these three unique attacks, the URLs used to redirect the victim to the credential phishing site are of Japanese origin. All use the file cd.php, which forces the redirection to the phish. The phishing pages themselves have the same Top-Level Domain, .com.au, and each has a SSL certificate. These clues point to a single threat actor carrying out these attacks. Further observation may soon reveal the actor’s identity or at least a general attack vector that can be monitored for and blocked by network firewalls.

Figure 3: Phishing Page

Users will be presented with a generic looking Microsoft login page upon clicking the link.

The recipient email address is appended within the URL, thus automatically populating the login box with their account name. The only thing for the user to provide now is their password. Upon doing so, the user is sent to the threat actor.

Once users enter their credentials, they are redirected to a legitimate website of the CDC:

hxxps://www[.]cdc[.]gov/coronavirus/2019-ncov/php/preparing-communities[.]html

Indicators of Compromise:

Network IOC IP
hxxps://healing-yui223.com/cd[.]php 150[.]95[.]52[.]104
hxxps://www.schooluniformtrading[.]com[.]au/cdcgov/files/ 118[.]127[.]3[.]247
hxxps://onthefx[.]com/cd[.]php 153[.]120[.]181[.]196
hxxps://urbanandruraldesign[.]com[.]au/cdcgov/files 112[.]140[.]180[.]26
hxxps://gocycle[.]com[.]au/cdcgov/files/ 13[.]239[.]26[.]132

 

Spoofed World Health Organization Delivers Agent Tesla Keylogger

In addition to the spoofed CDC message discovered by the Cofense Phishing Defense Center, Cofense Intelligence also recently identified a phishing campaign spoofing the World Health Organization (WHO) to deliver the Agent Tesla keylogger. The phishing campaign is designed to invoke fear and curiosity of the intended recipient with the subject “Attention: List Of Companies Affected With Coronavirus March 02, 2020.”

The attachment accompanying the phishing email spoofing the WHO is labeled ‘SAFETY PRECAUTIONS’ and has a .exe extension. The icon of this executable is that of a Microsoft Office Excel file, intending to fool the end user into believing that the attachment is indeed an Excel document, listing the infected companies. The attachment is in fact an .exe, delivering a sample of Agent Tesla keylogger. The email body can be seen below.

Figure 4: The phishing email spoofing the World Health Organization

 

Filename MD5 Hash
SAFETY PRECAUTIONS.rar 05adf4a08f16776ee0b1c271713a7880
SAFETY PRECAUTIONS.exe ef07feae7c00a550f97ed4824862c459

Table 1: Agent Tesla Keylogger Attachments

 

Agent Tesla C2s
Postmaster[@]mallinckrodt[.]xyz
brentpaul403[@]yandex[.]ru

Table 2: Agent Tesla Keylogger Command and Control (C2) Locations

 

YARA Rules
PM_Intel_AgentTesla_36802

 

Given the levels of concern associated with the COVID-19 outbreak, such phishing themes will almost certainly increase, delivering a broader array of malware families.

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Condition users to be resilient to credential harvesting attacks with Cofense PhishMe, plus get visibility of attacks that have bypassed controls with Cofense Reporter.

Easily consume phishing-specific threat intelligence in real time to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers were already defended against these threats well before the time of this blog posting.

Quickly turn user-reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Emotet Modifies Command & Control URI Structure and Brings Back Link-based Emails

By Noah Mizell, Cofense Phishing Defense Center

Emotet has been busy wrapping up the year with some minor tweaks to their client code and the reintroduction of some tactics that have worked well for them in the past. The botnet that began its life as a banking trojan in 2014 has proven to be a formidable threat to organizations around the world and shows no signs of stopping. Before we look at their recent changes, let’s begin with a quick review of some of the notable updates we have observed this year:

  • January 13, 2019 – The Emotet botnet reemerges from vacation to begin its first campaign of the year.
  • January 28, 2019 – Experimentation with Qakbot as a payload.
  • March 14, 2019 – The client code is changed to utilize a wordlist to generate random paths when checking into the Command & Control (C2) and now uses the POST method instead of GET. The use of JavaScript attachments is noted as well.
  • April 9, 2019 – The botnet operators begin using the emails that were stolen starting in the last part of their 2018 campaign. The use of stolen content provides the ability to create spear-phishing like emails on a scale never seen before.
  • May 31, 2019 – Emotet goes on summer vacation shutting down a large part of its infrastructure.
  • Sep 3, 2019 – C2 begins to come back online.
  • Sep 16, 2019 – Spamming operations resume. Link and PDF attachment based emails are very limited. The vast majority of their campaigns are macro document-based. Heavy use of the reply-chain (stolen email) tactic is observed.
  • Large deployments of TrickBot and Dreambot are used as secondary infections throughout the year.
  • The term “Triple Threat” is created to note the high incidence of Emotet -> TrickBot -> Ryuk infections seen in the wild, leading to massive ransomware payments and a great deal of lost time and money for many government and private organizations.

Starting on November 27th, we noticed a change in the way the Emotet client code was checking into the C2 servers. Gone are the random paths utilizing the word list (figure 1) that was seen in the past.

Figure 1: URI structure introduced in early 2019

Figure 2: The new URI structure seen as of Nov. 27

The clients are now adding a path that, at first glance, appears to be a random string with a minimum length of four characters.  A slightly deeper investigation into this traffic shows the path is actually the key from the key/value pair in the posted form data.  This change is odd, as it does not actually alter the check-in data in any meaningful way and appears instead to be more cosmetic in nature. This leads us to believe that it may have been a rudimentary attempt at identifying researchers who are running emulation code alone, as their check-in structure would not have dynamically changed when the code base was updated.

Figure 3: Example Emotet delivery email

Another noted change was the reintroduction of link-based email templates. We have seen Emotet emails use links with great success in the past. For unknown reasons, the threat actors did not seem to use them when coming back from summer vacation. In all likelihood, they are using them now to maximize their victim count before breaking again for the winter holidays.

We have included a listing of some of the URLs seen on the first day back further below.  Heavy distribution of TrickBot has also been seen in recent campaigns as a secondary infection and may be a money grab to fund their holidays.

Figure 4: Example Emotet delivery email

As with past campaigns, we have also seen an uptick in the use of shipping company themed emails to coincide with the holiday season, a recurring theme for the actors around this time of year. One change to the email templates that appears to be a new lure is an “Open Enrollment 2020” theme to entice users who have not yet decided on their insurance program for the upcoming calendar year.

The Emotet actors are masters at creating email templates that exploit a user’s emotional response, and this is a prime example.

Cofense’s research teams – Cofense Labs, Cofense Intelligence and the Cofense Phishing Defense Center – actively monitor the Emotet botnet to identify phishing threats that may impact customers and to provide security operations with the latest campaign data.

 

HOW COFENSE CAN HELP

100% of malware-bearing phishing threats analyzed by the Cofense Phishing Defense Center are reported by end users and bypassed technical controls that were in place to protect them.

Cofense PhishMe offers a simulation template, “Order Confirmation – Emotet/Geodo,” to educate users on the phishing tactic described in this blog. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 34580.

Quickly turn user reported emails into actionable intelligence with Cofense Triage and reduce exposure time by rapidly quarantining threats with Cofense Vision.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

hXXp://3mbapparel[.]com/ce8p4mw/Scan/23sr2r3h-227136449-4100-o7f3aukln-5ek9w7yx/

hXXp://abbasghanbari[.]com/cgi-bin/m2gx-j9l-2674/

hXXp://abis[.]abis-dom[.]ru/wp-content/multifunctional-zone/external-portal/XKnI9c95VXtO-2koeL1odjG8e45/

hXXp://adrianoogushi[.]com[.]br/blogs/available-resource/test-forum/CO37HIcUG-4KiqqruHlj9/

hXXp://agramarket[.]com/wp-admin/554841538461/9igxpru22w-3404-624501945-dtenc-cvona7/

hXXp://agramarket[.]com/wp-admin/images/Document/

hXXp://aijiuli[.]com/wp-content/common-3644746801311-F61eGi6VrRfSERpV/guarded-722116w-9jx99j5uyog/2b51q65tivz3f97-3vw70xy142675/

hXXp://alfaem[.]by/wp-includes/wcevu12a6j/ui13miem-1842496-647941-b1maguvyl7-0wm1/

hXXp://allgamers[.]ir/wp-content/6270900376591-TrHEgUBtm-sector/verified-portal/3rw-x42z0/

hXXp://aminulnakla[.]com/test/5mpub-u9jdh-1356/

hXXp://amoutleather[.]com/a/multifunctional_9313571_Y9mwVe/additional_forum/EAvHHxYA2_z07m8sM36w72/

hXXp://anantasquare[.]com/wp-content/Documentation/1yzenuu55v/zdx0oqd5mp-79785-92241-lqk84aode-i65yma2m1/

hXXp://andishkademedia[.]com/wp-includes/8vcppv-4l1-885316/

hXXp://anhjenda[.]net/wp-content/vmpyh5c3pi/

hXXp://anjumpackages[.]com/nrri/private_44709616882_WQZDa1KAyj/corporate_V6tkmPmj_jRcx2PfQ/on3_1v7649ys6t1/

hXXp://aquimero[.]net/wp-includes/8gdm6-y4kj-461/

hXXp://archinnovatedesigns[.]com/wp-includes/464728-V0rjOQkXZi4SSiW-disk/580333-3VP9JZcfWI6-cloud/028eeth-vu553tyw/

hXXp://arielcarter[.]com/j7foqo2/DOC/iqrh6hczo0cw/

hXXp://arttoliveby[.]com/yyrye/private_86192_eZoBMjbfcDvuPq/test_cloud/ws3uh67ha1tup_5128t108/

hXXp://auliskicamp[.]in/wp-admin/common_resource/verified_vZUVdO8ppY_CWfMSl2yMCEH/bgJEju1jvH_3iNK6o4Ii4G/

hXXp://awooddashacabka[.]com/yt46/open-box/individual-area/yNmy5HQif-8o8tG738h2/

hXXp://babdigital[.]com[.]br/wp-content/esp/6v5nej75l/

hXXp://bakeacake[.]com/wp-admin/available-disk/security-warehouse/z1XGaZ-NemjMNrc3a/

hXXp://bassigarments[.]com/wp-content/personal-592742204-WBrGGz/4469690-7SOBhN7gbB7s-area/b90h417-wtxsw/

hXXp://batdongsanhathanh[.]net/wp-admin/open-resource/568A8V-ILYyxINK-profile/jdux7bsdp-twyu179678t1/

hXXp://beiramarsushi[.]com[.]br/1g3ld9f/closed_n941_aUn1fAfrvX8Bhu/test_warehouse/6N1JhlV_M8oi1aM9Gyw/

hXXp://best-fences[.]ru/css/4ey-6v7y0-5856/

hXXp://betaoptimexfreze[.]com/bebkat/Reporting/9zooeodt/x827ofzp-289202990-87262-q99cri9-xr06/

hXXp://bgctexas[.]com/quietnightcompany/xb1k2g9/personal_zone/test_WlYEqat2Ie_OgiyQ9W40qCyP/bw54a4lhlrx_9636w4uu0xsxt1/

hXXp://bilgigazetesi[.]net/a6lwm1m/open_sector/special_forum/Ej4oMEQf3AN_Gudt5tx97J/

hXXp://bimattien[.]com/wp-admin/eTrac/ld6u234c3/ga438o-5744266-474284-eejhd-5ctewz/

hXXp://blicher[.]info/wp-includes/KPrV/

hXXp://blog[.]inkentikaburlu[.]com/70jjm53klo/sites/2yd7bvuh-505209-64670737-fr4vs-t7zp3cjl0/

hXXp://blog[.]sawanadruki[.]pl/wp-content/uilb8dz6_hwpeyvx_sector/security_warehouse/0gKrzfjYpvFO_3yLM891Meliz/

hXXp://blogkolorsillas[.]kolorsillas[.]com/wordpress/xnq1k-rkkl-803/

hXXp://bluemedgroup[.]com/wp-admin/mnfd8_nbij_436575782_UQEO1IVCs4LqadTV/security_profile/XODmvThQGR7_H7vrzccMec5/

hXXp://bmrvengineering[.]com/wp-admin/FILE/

hXXp://bookitcarrental[.]com/wordpress/INC/iddp2ggtm/eccvup8c-3843-818470-69yg4b28wh-w1kxriyo/

hXXp://bupaari[.]com[.]pk/RoyalAdventureClub[.]com/eTrac/ncevpoamvlp0/

hXXp://buyrealdocumentonline[.]com/wp/Documentation/d7mz-688402499-7314933257-fkwggnu-t4ybrvaf7/

hXXp://cabosanlorenzo[.]com/wp-load/protected-resource/verifiable-tk2c-3kfk3g9iz/ebub24rmzo8-9u88717yx935/

hXXp://cacimbanoronha[.]com[.]br/wp-content/Scan/

hXXp://caotruongthanh[.]com/wp-admin/qeku-4ys4-83891/

hXXp://carolscloud[.]com/media/public/

hXXp://carolzerbini[.]com[.]br/6ttp7t0/Overview/qoawf12j0jbp/

hXXp://carvalhopagnoncelli[.]com[.]br/lvqhz/Overview/0rrnguk8z/lg4qyh7-338411-43458560-pp7dts1ba-3msz/

hXXp://cas[.]biscast[.]edu[.]ph/updates/personal_sector/verifiable_warehouse/D3buvGg_1yyMJGrM6gp/

hXXp://casaquintaletcetal[.]com[.]br/e6viur/04383245_xZw1ZKxX_41063_29gQlRhcVl5eGs/additional_area/4004h_s035tt6461/

hXXp://casinovegas[.]in/cgi-bin/protected_module/additional_warehouse/NzQU7EbxmY_mLobpJqHn8Lh8/

hXXp://catchraccoons[.]com/wp-admin/open_9135304_x3VG052S9vjEZN/external_warehouse/AgnasV_o0M4JIrNt67j/

hXXp://caughtonthestreet[.]com/sh5bne/available_sector/test_mhc3xk01u_if5a3isqhztj4/fwpqcd9admvnur_yuu17s15/

hXXp://cetpro[.]harvar[.]edu[.]pe/dup-installer/2i5i_r76gl3x5v6vge_disk/individual_profile/NrWPp5_3Hj0zszymw/

hXXp://championretrievers[.]com/wp-admin/paclm/mdjx-81327-4043-zujiz-uoi7hp59w4/

hXXp://charger-battery[.]co[.]uk/chargerimages/Reporting/

hXXp://chatnwax[.]com/dir/RRETX2MC9ZE7/syc01o4x/

hXXp://cheappigeontraps[.]com/wp-admin/personal-resource/guarded-gueidxaiga-544/a4hko1sshe-6530yx62/

hXXp://cheapraccoontraps[.]com/wp-admin/parts_service/zn6iszxroew/0vqf-97169-6342681145-z9iyge-xws5/

hXXp://cherrypointanimalhospital[.]com/new/parts_service/po53iyxo22m/

hXXp://chintamuktwelfare[.]com/wuvke31kdk/open-array/open-space/j2hg7S-Mseglc5d/

hXXp://chongthamhoanglinh[.]com/cgi-bin/Reporting/

hXXp://chooseyourtable[.]sapian[.]co[.]in/wp-includes/x3qc-azmz9-340871/

hXXp://clurit[.]com/matematika/images/content/open-array/additional-portal/open-array/additional-portal/3qZqx-tb7HH2KcNhHi82/

hXXp://collegebolo[.]in/wp-content/OCT/i91smxgw72t/iayid-933690-003423-pxhqzu7z4-e9fxqjnvn/

hXXp://collegiatevideoscout[.]com/piq88y/multifunctional-zone/verifiable-portal/vzwsusvfoq2kbmt-y496uwt7xz68uy/

hXXp://compworldinc[.]com/browse/4ni6zf2fq/

hXXp://contestshub[.]xyz/wp-content/evfch-p40-368725/

hXXp://cosmeticsurgeoninkolkata[.]in/wp-content/multifunctional-zone/security-space/oG7v7CkLAl-jz0rugqbjvi73/

hXXp://cosmicconsultancy[.]in/custom-icons/Reporting/

hXXp://cp[.]3rdeyehosting[.]com/wp-includes/esp/

hXXp://crazyroger[.]com/cgi-bin/1710496674006_01bd6Zeef0mCJ_disk/external_forum/4dwy_zxz36x4/

hXXp://creatitif[.]com/wp-admin/Reporting/

hXXp://croptool[.]com/theblackjackmob/Documentation/

hXXp://crownedbynature[.]com/jtaa6jtb/LLC/

hXXp://csa[.]cries[.]ro/ckjca7/11206-JdwhXBh41Cj8irAC-resource/individual-warehouse/ay7fc9ll3dnke7e-4yw99s2t6w/

hXXp://csrngo[.]in/alfacgiapi/15vu8s-c85u1-9139/

hXXp://daisybucketdesigns[.]com/pocketframes/images/aci32rk/eTrac/5w4kiwqito3r/

hXXp://dalao5188[.]top/wp-content/open-sector/test-forum/f0pqn-5328/

hXXp://dastsaz[.]shop/wordpress/private_array/verifiable_forum/BpajlMaeH_297iwG6jj7pGc/

hXXp://datrienterprise[.]com/wp-content/eTrac/7qzoqzrkjyuc/

hXXp://demo[.]bragma[.]com/site/pt48-pk3089b-682065491-ZkL2pS9yz/open-warehouse/LXWiJKrI-62Hui1o9a/

hXXp://demo[.]podamibenepal[.]com/superior/t2c-jpip6-22/

hXXp://demo[.]tanralili[.]com/apehhpf/INC/

hXXp://designers-platform[.]com/binzbc/FILE/a69zlr8/

hXXp://dev[.]consolidationexpress[.]co[.]uk/wp-admin/closed_sector/924553_1wSxAW2z_portal/2EI6ej9js5j_15M1p7xI9Gov/

hXXp://diamondbreeze[.]com/wp-content/docs/ig220w-64348062-050708-0o2ix-nk0skuh0/

hXXp://diecinuevebn[.]com/cgi-bin/protected-disk/verified-forum/ah7hwmjvvuuy84mx-t467s/

hXXp://diegojmachado[.]com/cgi-bin/open_sector/CLp2Etz_eUR1Q6uDDBgHkI_area/bDuOHXDda_cgI6sNcjl1gK/

hXXp://dishekimieroluzun[.]com/wp-content/DOC/

hXXp://dreammotokolkata[.]com/cqye/iaft92-6lplx-826/

hXXp://drsudhirhebbar[.]com/minds/private-sector/open-portal/rb2vj1kuwjbb-swuys/

hXXp://dubit[.]pl/site2/pxre-ns-297/

hXXp://dumann[.]com[.]br/z3gy5lb/sites/7bg1i8n2/jvsjhn3j-868085891-343651-sgosfko-20u4kmz2cb/

hXXp://elitexpressdiplomats[.]com/cgi-bin/available-array/guarded-5UJi7-pIM1v1g3Q6k6/whf6zxh-txsts2/

hXXp://empowerlearning[.]online/wp-admin/ruh006-rgkj-590/

hXXp://especialistassm[.]com[.]mx/inoxl28kgldf/docs/l5rbj6g/iibea-032709148-341719111-6r6auusna-6j9m/

hXXp://euonymus[.]info/twxppk/Document/7uo0t4osm95p/

hXXp://evokativit[.]com/TEST777/YHErlTl/

hXXp://evolvedself[.]com/dir/azpdj41_sugzd3yhwwsy_3709679_Rvta29FrYib/special_QDPYSSWZ1L_PJAv0ICNK1P/2Edulb_98mGeuzy3ty2Lz/

hXXp://extend[.]stijlgenoten-interactief[.]nl/test/Pages/w6014u-84395-6469-hthslxcbne-8vj2et4/

hXXp://finndonfinance[.]com/wp-content/Document/wjswrn1s/qgltg-85747767-49820504-2gz892-ydp6o4o4e/

hXXp://fooladshahr[.]simamanzar[.]ir/dup-installer/closed_box/interior_portal/0f6j5b5bga_06zs0/

hXXp://fozet[.]in/wp-content/eTrac/hb6yb86ei36/yrqsf32-172576671-4195092231-c97ty6f-5cu2q8hj8/

hXXp://freestyle[.]hk/picture_library/eTrac/s9shv2eo/

hXXp://frezydermusa[.]com/wp-content/parts_service/fisq814goap0/fhyl68-5565-326796-rr55j9spg-ug9mfyg/

hXXp://galeriariera[.]cat/assets/lm/g9zkvryjwq-0524005005-0333576-k58dqx5-326yx/

hXXp://gameonline11[.]com/wordpress/pqOAPS/

hXXp://gargchaat[.]com/phpmailo/lm/538skcfoe/7vps0iy-66657310-44075-q2gbc4-2vhp2c/

hXXp://gayweddingsarasota[.]com/cgi-bin/esp/68f6yd4ehwdr/

hXXp://gayweddingtampabay[.]com/cgi-bin/private-2828581710383-rNH3ETP8sT2ggXrt/additional-forum/DEsne0OE5vz-KmmglLMf/

hXXp://geekmonks[.]com/cgi-bin/common_sector/special_forum/9cfuf_ts9y4twzx0709/

hXXp://germxit[.]mu/calendar/4rxl-2932-78/

hXXp://gestto[.]com[.]br/wp-lindge/Scan/

hXXp://getabat[.]in/wp-content/closed_module/test_88i6oai_sjwnuscqjjl/abgyQKwZhv6i_inKjGl8hG98/

hXXp://globalstudymaterial[.]com/pdf/available-zone/individual-warehouse/vWOq8gdCRu0-ra1nf24iHayat/

hXXp://goldinnaija[.]com/wp-admin/sites/xaz6-030261-0911995608-sm9u-99rd1/

hXXp://gomaui[.]co/wp-includes/personal-resource/test-area/a9kj-wsuyvw59t/

hXXp://grace2hk[.]com/b6vg89hb/common_sector/security_forum/4tx_uu501xxxs/

hXXp://grahaksatria[.]com/towed/private_box/additional_forum/x1T0kdo_q89uLjatbqJ8/

hXXp://greatercanaan[.]org/wp-admin/Document/kqfz63hy/

hXXp://grocery2door[.]com/nkpk/97_dwi59_03276182_sJsjrqR/corporate_warehouse/13wrnaGqqET_lIy0l5eJsNdIc/

hXXp://groovy-server[.]com/masjid/backend/web/assets/rhhl/

hXXp://group8[.]metropolitanculture[.]net/wp-admin/multifunctional-sector/verifiable-cloud/l0q-4vww/

hXXp://haoyun33[.]com/wordpress/browse/9kmt2hi/

hXXp://hasung[.]vn/wp-includes/1bvxk7fvre5_lnci6bcnim_resource/special_forum/5BZ0CZ_p4052N871e/

hXXp://hfn-inc[.]com/mail/available-box/security-PgUqz6ktI-GY00tgjAgbFSr5/zy5escaf56fzw5y-y78s2tzu60v7z4/

hXXp://homecarehvac[.]com/wp-includes/open_resource/guarded_profile/eshftvv0ht_61x297v2/

hXXp://indusautotec[.]com/n8l7suy/open-xNFfQ20VO-FjqtokyzbQ6HGF/security-jdEM-dDzAJO2Ccnx/G3P8qq-MmI2GLf3JdK/

hXXp://jgx[.]xhk[.]mybluehost[.]me/scarcelli/multifunctional_098152347732_CYNEZ9DFQ/guarded_space/2qq1r_29xuz/

hXXp://jurness2shop[.]com/cgi-bin/private_disk/individual_ufyGUNB_QRlHjxmYMMbuaY/30lpuw22llwzm_vx60vx4s/

hXXp://kallinsgate[.]com/cw6vmaj/common-2561851-hLdPAOsBNVrNeE/open-space/5irmsa8-8x82zv7t2zw2x/

hXXp://kanntours[.]com/wp-security/Overview/yprr0k8-808004671-920995225-dc1d7q7-trbbwtd/

hXXp://kayzer[.]yenfikir[.]com/quadra[.]goldeyestheme[.]com/lm/

hXXp://kelurahanraya[.]ulvitravel[.]com/tmp/eTrac/wpag9c-3294986-0565941971-rbtkv0yr0p-rs604o/

hXXp://kpu[.]dinkeskabminsel[.]com/wp-admin/available_229278636_TO7LG1kXBWax3/847166_Zm9B3oXaP_portal/ZcAtrKAnB_nJGzswNc/

hXXp://kyrmedia[.]com/whnh/closed_zone/test_warehouse/o1yvycunyw222_tz6z71svs35/

hXXp://lalletera[.]cat/bootstrap/closed-array/test-warehouse/9y3rm68-7251/

hXXp://lastminuteminicab[.]com/l56mcv/Scan/qrg67fldazss/cd38ot-8952552-5429276851-63g720il-z2uwrr/

hXXp://lindamarstontherapy[.]com/psqlud/common_1810413_gc4qCpSFYbBM/additional_forum/4kmyjjijspz85_tt20x6w/

hXXp://liveleshow[.]com/cgi-bin/open-sEVbZ-kyyyJcjMY/verified-area/n7tk0nygk2up7j-7824vz2y/

hXXp://lsperennial[.]com/tnnfxu/545533028378/ofzt2ll4a-4754801-8569215-64d2t-rbtsi5ylgq/

hXXp://masspaths[.]org/transcyclist/open-array/69537295-LwrlRuR-portal/riy-u5984475/

hXXp://mistyvillage[.]com/inoxl28kgldf/open-sector/individual-forum/TC1AThq8D-H4iKcw9erMc8a7/

hXXp://monoclepetes[.]com/disneyworldclassroom/browse/

hXXp://mosaiclabel[.]com/4f9xnykaf/common-box/corporate-a30njr6-34dhllfehbjex6/14rm3hr6k358-x32zy5/

hXXp://myclarkcounty[.]com/wp-includes/open-resource/open-forum/o6a3exwvzfo-4wwxx8uts7/

hXXp://myfamilyresearch[.]org/dir/paclm/

hXXp://nisanurkayseri[.]com/fhiq04sgna7/a683w-an3x-4946/

hXXp://norikkon[.]com/administrator/16542-fBTLcdbEyJr-sector/VFCLsV-bAwgBBBeBqaJ-forum/fft2z7gdyzqee-8z80w6z68vs/

hXXp://nunes[.]ca/s59nlj/DOC/

hXXp://pascalterjanian[.]com/logs/multifunctional-2519534-Fs87CEgtQY82H6/verifiable-forum/2iFKNGyl-Ksmyn3gyI/

hXXp://plaestudio[.]com/wp-admin/multifunctional-zone/verified-space/zftkjoaw-xzuwtu1228/

hXXp://pmnmusic[.]com/backup-1540795171-wp-includes/Document/

hXXp://productorad10[.]cl/cdn-cgi/lm/6bwolkvw/

hXXp://radigio[.]com/qcloid/Pages/aveebb8ri/

hXXp://rememberingcelia[.]com/cgi-bin/private-box/additional-cloud/WoMAYyGYPic-ejGtLw5zKk9132/

hXXp://richardciccarone[.]com/watixl/Pages/iwq2bcuhtc/fpl5dh7-1085-7485017905-7upoox-mmwh5rr/

hXXp://rkpd[.]ulvitravel[.]com/cgi-bin/s0pgy-yg3-606/

hXXp://rozziebikes[.]com/tshirts/7XOEME6DSPI/l6bpob8m-8104-0278018-y6o222jln-fsxji7gy9l/

hXXp://safiryapi[.]net/mainto/private-zone/9977527-TGAtxV-space/noliIDq-ffuwzjN5H8zj/

hXXp://sakuralabs[.]com/4gubn/personal-zone/interior-forum/rye8idbdwx6uiw9-vtw0y35413/

hXXp://scottproink[.]com/wp-includes/LLC/3nm06yz1og/

hXXp://sigepromo[.]com/fonts/multifunctional-sector/security-kojbhnhsfxht47-4qgj/xznv8-35sz95t0t7/

hXXp://sofiarebecca[.]com/ybfm/multifunctional-XhmwQuIS-uBXA6FSMcoaXT2/7427993-1AJW4cmy-profile/P0jkvy-gwgs3qvm/

hXXp://southeasternamateurchampionships[.]com/0ng1en8p/common-57GaJ-JU2y57Cw9wWp/test-area/1CP3gWMySaac-iixIpxfJ216/

hXXp://southernlights[.]org/wp-includes/attachments/13iqe8n/

hXXp://stlaurentpro[.]com/25bd/Overview/qnrlmvj/

hXXp://stluketupelo[.]net/sermon/Document/

hXXp://technosolarenergy[.]com/wpk0/esp/xcggf7f/l41sd6-372903-111521309-pe7nqblm-rnbcyph7/

hXXp://thebeaversinstitute[.]org/m6zxne/open_sector/verifiable_grIwVfcE_JNkyS1ABG7O/JOr8Y2_c0N5pfizn8tqv/

hXXp://thecityglobal[.]com/creative/DOC/tmi48tldo/8fcpm52kxc-1823-224157721-0k5g3-2ntwz3u/

hXXp://theconsciouslivingguide[.]com/w63gh/NQOOE7ZE6E/

hXXp://theordeal[.]org/2hqr15/71028031_i0jDg_array/verified_profile/M17xNfJi_afcjbJ9y2/

hXXp://tinystudiocollective[.]com/tvtepc/parts_service/c5hlpnbm/04yte-92982998-989677-xuln504d-wj8wr99a0r/

hXXp://trinituscollective[.]com/wp-admin/DOC/3k2yxczqa-017872-15130767-6fcy299dtf-5p8y1zk/

hXXp://turbinetoyz[.]com/inc/available_sector/open_cloud/7gDaxLdZntQO_f54w1mdqt/

hXXp://vektra-grude[.]com/components/sites/xyj3oy2f/

hXXp://wolvesinstitute[.]org/wp-admin/INC/muosryq6917p/uozxo9-82202-738575-fbm4hisdv-0q5dy3ciz/

hXXp://www[.]africanswoo[.]com/wp-includes/IOG/

hXXp://www[.]bonfireholidays[.]in/efqog/Documentation/

hXXp://www[.]demarplus[.]com/19sn7/Overview/

hXXp://www[.]southwayhomes[.]co[.]uk/wp-admin/lm/5x8c1xywx2h/

hXXp://xhd[.]qhv[.]mybluehost[.]me/Maidentiffany/a4wnq/INC/be5oryde748n/877iw8k2-5677720-10188-kjqm-al3ax20hth/

hXXp://xn--3jsp48bswaq48h[.]com/binzbc/protected_disk/WsgEuoVh6_GLg1uIsNZxocly_tdagf_sb0hy87m9gi/jWdMxTd9_a73ophNx/

hXXp://yourdirectory[.]website/Mccracken/eTrac/rpiglgay-1418052884-1524951880-uuys-0fxj/

hXXps://bipinvideolab[.]com/wp-admin/51917864823222027/b0n0hcp4sl83/

hXXps://crossworldltd[.]com/wp-includes/48p5-o3ih-71/

hXXps://flexwebsolution[.]com/assets/multifunctional_disk/external_forum/7aa8z9os32iqygd_3gp4h/

hXXps://gurukool[.]tech/assets/t85vawx7s2xbi3q-1mvazihmr-module/interior-forum/gEwMX8-s0pLx8jJMLhGN/

hXXps://keshavalur[.]com/css/WRssOm/

hXXps://makmursuksesmandiri[.]com/wp-content/e3tpt3cph1wncut-ika4etq8sml6-sector/interior-htMCj-UR5CVYGd/bnb5oaopu0ptx-0wyytzw7u5/

hXXps://misterglobe[.]org/generall/Overview/i9y202-334800485-67760472-jj04w2e19-xppp1/

hXXps://mountainstory[.]pk/qoaij52hfs1d/common_FOQqDSi_Q50ORC3MzecY/guarded_9ode8j8xa3q9fa_3a14tqqj/x1e_418t92/

hXXps://murraysautoworks[.]com/contact/6VE37Q01O/50v2q5af8tv/y27daizl9-678276-439755027-2i7xojwpjd-ryyu/

hXXps://nhakhoachoban[.]vn/wp-includes/paclm/

hXXps://power-charger[.]co[.]uk/faq/Reporting/g30g4b8wvh/0w5c-2857976-135390-1dg1e-bjus2/

hXXps://risefoundations[.]in/rise/8448397_cee81q_jftx3_eseQqSx/corporate_pfmWWf_7uk8kfJTJvUrTR/OvdwZPUQy_ntycKI1ipM2/

hXXps://sharefoundation[.]in/wp-admin/multifunctional_module/test_cloud/oJuKHM3ik_Mee0ttbGc/

hXXps://summit2018[.]techsauce[.]co/startup/sYHAteT/

hXXps://timestampindia[.]com/citech/Document/

hXXps://twincitiesfrugalmom[.]com/wp-admin/eTrac/9porgmi/ul99a0-5568735694-75056-vt6wk395a-yymz6f/

hXXps://www[.]jadegardenmm[.]com/engl/docs/h85me2-45331562-6525577-0c62dwu3hl-mk47l/

hXXps://www[.]u4web[.]com/bnkddo/open_disk/guarded_kzfciuyy_v4gqdp/1dOq8z5_ILk0gJmw/

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

New Credential Phish Targets Employees with Salary Increase Scam

By Milo Salvia, Cofense Phishing Defense CenterTM

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Office365 (O365) credentials by preying on employees who are expecting salary increases.

The threat actors use a basic spoofing technique to trick employees into thinking that their company’s HR department has shared a salary increase spread sheet. Here’s how it works:

Email Body

Figure 1: Email Body

The threat actor attempts to make the email appear to come from the target company by manipulating the “from” field in the headers. In particular, the threat actor changes the part of the from field that dictates the “nickname” displayed in the mail client to make it appear as if it originated within the company.

The email body is simple: recipients see the company name in bold at the top of the page. Greeted by only their first names, they are informed that “As already announced, The Years Wage increase will start in November 2019 and will be paid out for the first time in December, with recalculation as of November.” Recipients are then presented with what appears to be a hosted Excel document called “salary-increase-sheet-November-2019.xls.”

It is not uncommon, of course, for companies to increase salaries throughout the year. As a result, it wouldn’t be uncommon for an email like this to appear in an employee’s mailbox. Human curiosity compels users to click the embedded link.

The idea is to make recipients believe they are being linked to a document hosted on SharePoint. However, they are being linked to an external website hosted on hxxps://salary365[.]web[.]app/#/auth-pass-form/. One can assume from the context of this malicious URL that it was specifically chosen and hosted for this phishing attempt.

Figure 2: Phishing Pages

Once users click on the link, they are presented with a common imitation of the Microsoft Office365 login page. The recipient email address is appended to the end of the URL that automatically populates the email box within the form, leaving just the password field blank to be submitted by the recipient. This adds a sense of legitimacy to the campaign, allowing the recipient to believe this comes from their own company.

HOW COFENSE CAN HELP

Cofense Resources

Cofense PhishMeTM offers a simulation template, “Salary Increase,” to educate users on the phishing tactic described in today’s blog.

Cofense IntelligenceTM: ATR ID 31510

Cofense TriageTM: YARA rule PM_Intel_CredPhish_31510

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMeTM.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM. Quickly turn user-reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekerTM.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than CofenseTM. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.