MFA Bypass Phish Caught: OAuth2 Grants Access to User Data Without a Password

By Elmer Hernandez, Cofense Phishing Defense Center (PDC)

The Cofense Phishing Defense Center (PDC) uncovered a phishing tactic that leverages the OAuth2 framework and OpenID Connect (OIDC) protocol to access user data. The phish is not a typical credential harvester, and even if it was, Multi-Factor Authentication (MFA) wouldn’t have helped. Instead, it attempts to trick users into granting permissions to a rogue application. This is not the first time the tactic has been observed, but it’s a stark reminder that phishing isn’t going to be solved by Multi-Factor Authentication.

Using the lure of a Q1 bonus, the email is crafted to appear to be a normal invite to a SharePoint hosted file. The prospect of receiving an increase to their salary is an effective lure that can lead users to fall prey.

Figure 1 – Email Body

After clicking on the link, users are taken to the legitimate Microsoft Office 365 login page at https://login.microsoftonline.com (Figure 2). However, if one inspects the URL in its entirety, which average users are unlikely to do, a more sinister purpose is revealed.

Figure 2 – O365 Login Page

Anatomy of a URL

First, a quick primer: applications that want to access Office 365 data on behalf of a user do so through Microsoft Graph authorizations. However, they must first obtain an access token from the Microsoft Identity Platform. This is where OAuth2 and OIDC come in. The latter is used to authenticate the user who will be granting the access, and if authentication is successful, the former authorizes (delegates) access for the application. All of this is done without exposing any credentials to the application.

Figure 3 – Entire URL

The response_time parameter denotes the type of access being requested to the Microsoft Identity Platform /authorize endpoint. In this case, both an ID token and an authorization code (id_token+code) are requested. The latter will be exchanged for an access token which will, in turn, be presented by the application to Microsoft Graph for data access.

Next, the redirect uri parameter indicates the location to which authorization responses are sent. This includes tokens and authorization codes. As we can see, responses are sent to hxxps://officehnoc[.]com/office, a domain masquerading as a legitimate Office 365 entity, located at 88[.]80[.]148[.]31 in Sofia, Bulgaria and hosted by BelCloud.

Moving on, the scope parameter shows a list of permissions the user gives to the application (note “%20” represents a blank space). These allow the application to read (read) and/or modify (write) specific resources for the signed in user. If the “All” constraint is present, permissions apply for all such resources in a directory.

For example “contacts.read” enables the application to read only the user’s contacts, whereas “notes.read.all” allows it to read all OneNote notebooks the user has access to, and “Files.ReadWrite.All” to both read and modify (create, update and delete) all files accessible to the user, not only his or her own.

If the attackers were successful, they could grab all the victims’ email and access cloud hosted documents containing sensitive or confidential information. Once the attacker has sensitive information, they can use it to extort victims for a Bitcoin ransom. The same permissions can also be used to download the user’s contact list to be used against fresh victims. Using the address book and old emails would allow the attacker to create hyper-realistic Reply-Chain phishing emails.

Perhaps most concerning however is “offline_access” As access tokens have an expiration time, this permission allows the application to obtain refresh tokens, which can be exchanged for new access tokens. Therefore, users need only to authenticate and approve permissions once to potentially enable indefinite access to their data.

Finally, we find openid and profile which are technically scopes in themselves; openid indicates the application uses OIDC for user authentication, while profile provides basic information such as the user’s name, profile picture, gender and locale among others. This information, known as claims, is sent to the application in the ID token issued by the /authorize endpoint.

After signing in, the user will be asked to confirm one last time that he or she wants to grant the application the aforementioned permissions. If users fail to act, it will be up to domain administrators to spot and deal with any suspicious applications their users might have misguidedly approved.

The OAuth2 phish is a relevant example of adversary adaptation. Not only is there no need to compromise credentials, but touted security measures such as MFA are also bypassed; it is users themselves who unwittingly approve malicious access to their data.

Network IOC IP
hxxps://officehnoc[.]com:8081/office 88[.]80[.]148[.]31

 

How Cofense Can Help

Visit Cofense’s Remote Work Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots of real phish that have evaded secure email gateway detection and other helpful resources so you can help keep your organization protected.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

New Phishing Scam Targets Teleworkers with Bogus Microsoft Teams Notification

By: Kian Mahdavi, Cofense Phishing Defense Center

With the influx of remote workers, it’s a perfect opportunity to flood people’s inboxes with malicious emails and fake links. The Cofense Phishing Defense Center (PDC) recently uncovered a phishing campaign that targets employees to harvest their Microsoft credentials. Ironically, the phish was found in an environment protected by Microsoft’s own secure email gateway (SEG). The phishing email, which was reported to the PDC using the Cofense Reporter button, included a well thought out “AudioChat” notification link supposedly from Microsoft Teams.

Teams is one of the most popular platforms for remote employees. Predictably, the threat actors have taken this into consideration – especially during the COVID-19 pandemic with millions of people teleworking. We expect this trend to continue with similar communication platforms.

Figure 1: Email Body of an official Microsoft Teams example notification

Figure 2: Email Body of illegitimate Microsoft Teams notification

Credit where credit’s due, we were impressed by the effort of the threat actor and their high-quality social engineering tactics. The subject line reads “Chat Message in Teams”- is this just an ordinary notification?

The email content has perfect similarities between Microsoft’s services; in particular, it incorporates matching font size and color as well as the overall layout. The email also includes the generic ‘tips’ section towards the bottom half of the message, evident above in Figure 2. However, there’s a catch: despite the solid efforts of the email content, there are a few tell-tale indications this is a phish. The most obvious sign is the sender’s lengthy spoofed email address:

matcnotification[.]teamadmin_audidsenderderweeu44we7yhw[@]ssiconstructionnw[.]com

The words “notification” and “teamadmin” have been skilfully included within the account name. But more importantly, the TLD – “ssiconstructionwn” – does not contain the all-important ‘Microsoft’ reference. No prize for guessing, it is a construction company located in Seattle, Washington that the attacker has spoofed. Since the TLD is from a legitimate source, not only does it pass basic email security checks, such as DKIM and SPF, but also provides HTTPS displaying the essential green lock to the left of the URL, located below in Figure 3 – a valiant effort on behalf of the threat actor.

On top of that, the text displays: “Teammate sent you an offline message.” Notice the message practices a generic word: “teammate” rather than the specific name of the sender. Contradicting itself, the email includes an initial (JC) of the supposed sender within the avatar, further hindering the legitimacy of the email and raising suspicion.

As mentioned above, the user is requested to click on the “16 second AudioChat,” and once hovered, displays the following link:

hXXps://us19[.]campaign-archive[.]com/?u=0dce22c9638fc90b5c17ea20a&id=6652f42d20

The user’s email address (now redacted) is embedded into the above URL. Companies often use various email protection solutions, and as a result, URLs are often packaged with security phrases. In this phishing campaign, the email contains the words “safelinks.protection” planted at the very beginning of the hover link. This could trip up inquisitive readers who might overlook the rest of the URL and click.

Figure 3: Initial Phishing Page

The phishing page above, where users are forwarded, adheres to Microsoft’s protocol (an almost picture-perfect replica); of course, we are overlooking the forged URL within the web-bar. Once ‘Open Microsoft Teams’ has been clicked, the user should have been automatically redirected to the Microsoft Teams application. Instead, the user is taken on a slight detour to the final link of this phishing attack:

hXXps://imunodar[.]com/wp-content/plugins/wp-picaso/Teams/

Figure 4: Secondary Phishing Page

Once credentials have been supplied, the campaign redirects the user to the authentic ‘office[.]com’ webpage, which could even be enough to assure users it was a genuine procedure. A user’s personal data could potentially be in the hands of the threat actor, assuming they logged in with their true Microsoft credentials.

Indicators of Compromise:

Network IOC IP
hXXps://us19[.]campaign-archive[.]com/?u=0dce22c9638fc90b5c17ea20a&id=6652f42d20
hXXps://imunodar[.]com/wp-content/plugins/wp-picaso/Teams/
104[.]118[.]190[.]227

 

How Cofense Can Help

Visit Cofense’s Remote Work Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots of real phish that have evaded secure email gateway detection and other helpful resources so you can help keep your organization protected.

 
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

A Not So Relieving Tax Relief Email: Threat Actors Take Aim at US Stimulus Efforts

By Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest a variety of email credentials specifically from United States citizens.

Countries all around the world are providing relief programs to their citizens to help alleviate the financial strain as a result of the COVID-19 pandemic. This threat actor, however, targets US relief efforts and the citizens who need it most. This email campaign uses the logo of the Internal Revenue Service (IRS) to bolster its credibility.

Figure 1: Email Preview

The threat actor made both the subject and sender information eye catching, as seen in Figure 1. The email appears to be from ‘IRS GOV’ regarding the subject “Tax Relief Fund,” which would be enough to gain the attention of anyone, especially those who may not have received their relief or need more. Upon clicking into the email, users are presented with the following message, as seen in Figure 2 below.

Figure 2-3: Email Body

Despite the image missing from this email sample, assumed to once have been a DocuSign logo based on the image description, the email may appear legitimate at first glance. The IRS has sent a secure document via DocuSign along with a security code to view it, but it must be used soon as it will “expire.” The email is also marked “High Importance.”

A closer look at the body of the email reveals many warning signs this email is a phish. Anyone acquainted with DocuSign would know this is not what an invitation from the service looks like. Not to mention there is odd spacing and capitalization found in the text – atypical for professional emails. There is also mention of a security code that must be used “before expiration,” a common social engineering tactic used to illicit a sense urgency.

The link found in the email, “View Shared Folder,” redirects users to the phishing site located at:

hxxp://playdemy[.]org/office/doc-new

Figures 4-5: Phishing Page and Confirmation Page

Figures 4-5 are examples of the first page users will see upon navigating through the link found in the email. The page is a simple DocuSign page prompting for the user’s email address in order to access the promised document. Visually there aren’t many differences compared to DocuSign’s website, other than the incorrect URL displayed in the address bar. However, the threat actor may have intentionally used a .org-based domain to make it appear safe, as many end users have heard .org top-level domains are “secure.”

Should a user proceed to enter their email address on this page, they are prompted once again to verify the information before being redirected to the next step of this attack.

Figures 6-7: AOL login page

The next step involves redirecting users to a phishing page based on their email provider. In Figures 6-7 above, we used a dummy AOL email and were redirected to an AOL phish. The attacker’s AOL login page rivals the look and feel of AOL’s — the only real difference is the incorrect URL in the address bar. The email entered in the first step is already pre-filled as well. This same occurs with other email providers inputted into the first step of the attack. Figures 8-10, for example, show the Gmail phish that users are redirected to if that was the email provider they entered.

Figures 8-10: Alternative Gmail Phish

Should a user enter an email address to proceed this far, the threat actor has made sure to ask for further compromising information, as seen in Figure 10: a recovery number or recovery email address per their back-up login information.

Figure 11: Final Destination

Regardless of the email address, and should the user enter this information, users are then redirected to an unexpected document; in lieu of the promised “Tax Relief Fund,” they see a completely unrelated academic paper hosted on Harvard Business School’s website. This is a common tactic, designed to confuse users into thinking there is nothing amiss, that perhaps this was a mistaken exchange or they received the wrong document in error and must wait for further contact.

Further analysis of the website utilized for this attack yielded further information on the attack and the actors behind it.

Figure 12: Open Directory

Upon navigating to the main domain, as shown in Figure 12, an open directory appears. While the file Chetos.php is password protected at present, the file 039434.php exposes a greater security threat that can be observed in Figure 13, a web shell.

Figure 13: WebAccess Shell

The beginnings of a malicious web shell start with an attacker methodically installing the malicious script for the shell on the targeted site, either by SQL injection or cross-site scripting. From there the web shell is utilized by attackers to maintain persistent access to a compromised website without having to repeat all the work of exploiting the same vulnerability they used the first time – generally, a backdoor. They can remotely execute commands and manage files that they abuse to carry out their attacks, such as a phishing attack.
As observed in Figure 13, investigation of the shell reveals files from the open directory are displayed, last modified 2020-04-24 by “owner/group” “njlugdc”, otherwise known as the attacker. The real guts of this attack, however, can be found within the directory path office/doc-new seen in Figure 14.

Figure 14: office/doc-new Directory

Within the directory are the many steps in what appears to be a simple phish. There are multiple email branded folders such as “a0l”, “earthl1nk”, “gma1l,” all of which help the threat actor target email clients. Each of these email branded folders host a phish that is specifically tailored to that brand, allowing for a more “authentic” experience that lull users into a sense of security.

Figure 15: Code Behind the Attack

Figure 15 demonstrates the code behind the attack that sanitizes user input to determine which of these phish a user is redirected to, along with the associated email brand logo to display during the redirect process.

Figure 16: Threat Actor Emails Exposed

Within the files contained in this web shell, the threat actor’s emails are displayed. Figure 16 shows the code of the Email.php file and information exfiltrated from users during the phishing attack that are sent to:
techhome18[@]gmail[.]com
we.us1[@]protonmail[.]com

Although the identity of the attacker behind this IRS phish is unknown, it is evident they took care to carefully craft this attack and chose to exploit a current event that is closely followed by Americans in an attempt to successfully steal as many log-in credentials as possible.

Network IOC IP
hxxp://playdemy[.]org/office/doc-new 206[.]123[.]154[.]15

 

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phishers Continue to Spoof WebEx

By Kaleb Kirk, Cofense Phishing Defense Center

Last month, the Cofense Phishing Defense Center (PDC) observed a new phishing trend wherein threat actors spoofed WebEx pages to harvest Office365 (O365) credentials. Since the posting of the original blog, the PDC has seen an increase in the number of similarly themed WebEx phishing attacks, yet another example of attackers leveraging the rapid shift to remote work in light of COVID-19 concerns. As many organizations and their workforce are increasingly dependent on remote working tools and solutions, reducing the attack surface (the number of different approaches a threat actor can use to enter or extract data) of such online platforms and services is becoming even more critical.

Attackers know this and are constantly looking at ways to circumvent detection by secure email gateways and position themselves between users and legitimate services. The WebEx phishing campaign is a prime example, slipping past email protection to dupe users into providing their credentials out of fear they will be unable to use the service and perform their job otherwise.  It’s therefore not a surprise the PDC has seen an increase in phishing attacks that spoof legitimate, business critical services.

While this blog focuses on a new phishing campaign imitating WebEx, this style of attack can and has taken multiple forms, mimicking many different legitimate web services. Luckily however, once an end user knows some of the telltale signs,  it’s often easy to identify what is truly legitimate and what is fake.

Figures 1-2: Email Body

Upon an initial glance, this email may appear innocuous enough. It has the look and format one would likely expect when receiving an email from Cisco. The style is professional, the layout of the email isn’t mangled or chaotic, and it appears legitimate – an intentional and easy tactic to pull off. All the threat actor required was a real WebEx email to copy from in order to duplicate the style and alter select elements for nefarious purposes. The sender address appears to come from WebEx. However, this is what is known as the “friendly” from address – while the recipient sees the displaying address, which appears to be authentic, the email headers reveal a very different story. The problem with a “friendly” sender address is that it is easily spoofed by attackers; it’s a well-known, simple trick designed to convince the recipient that an email is legitimate.

Looking beyond simple aesthetics, however, other indicators of phishing are evident. The subject line indicates there is an issue with SSL certificates that requires the user to sign in and resolve. This is referenced further in the body of the email, providing a sense of legitimacy and enticing them to open the email and read it.

The wording of the email also employs scare tactics that are prevalent in phishing attacks. The recipient is informed there is a problem that has caused their service to become deactivated and the user must log-in and authenticate by clicking the link. Verbiage like this is often used to coerce the end user into clicking on a link or attachment in haste before they have time to fully think it through – a key tactic used by threat actors in phishing campaigns.

Finally, the link itself reveals something else is fishy about this alert. Hovering over the button shows the embedded link is not, in fact, a WebEx page, but a SendGrid link, a legitimate customer communication service used by marketing professionals. SendGrid links are commonly used in phishing attacks, as they require minimal effort.

Figure 3: Phishing Page, Step 1

Upon clicking the SendGrid link, the user is redirected to a phishing page, as seen in Figure 3. The only difference between a legitimate WebEx login page and this phishing page is the URL itself, suggesting the attacker conducted some form of web scraping to create an intentionally benign looking and familiar login page for the end user. Web scraping, essentially, is the practice of using a tool to automatically copy data from a website and create a convincing copy.

Figure 4: Phishing Page, Step 2

Deception quickly falls apart when reviewing the URL, however; while designed to look like the actual URL, there actually isn’t a portion that includes ‘webex.com’. The numerous dashes, coupled with one very long word followed by ‘index.php’ is not reflective of a professional link, suggesting the phishing URL was registered to appear legitimate at first glance. While phishers commonly make a valiant effort for their pages to look legitimate, looking at the address bar generally reveals if it’s legitimate. Misspelling, similar looking words and strange top-level domains are common tricks used by attackers to guile end users for just long enough to not question it.

While the initial phishing page only requests the user’s email address, the following page then changes URLs from “index.php” to “step2.php” and asks for the user’s password- this is another indicator the site is not legitimate, as the specific internals of which php file is being invoked for this webpage would be usually be hidden to the user.

Figure 5: Final redirect to official WebEx login page

As the final stage of attack, when the user enters their credentials on the page shown in Figure 5 above, the user is then redirected to WebEx’s real sign-in page. At this point, the malicious actor now has the user’s credentials, but it is in their best interest to ensure the user is unaware that a successful credential phishing attack occurred, giving the threat actors time to make use of newly stolen log-in details. The final redirect to WebEx’s legitimate log-in page may make the end user believe there was a log-in error and they need to log-in again. A common theme in a many phishing attacks is appealing to and preying on the feeling that nothing is amiss and there is nothing to question about the experience. In the meantime, threat actors gain precious time to do damage while the end user moves on with his or her workday.

Figure 6: Open Directory

A final interesting finding about this phishing campaign is the main domain itself, which reveals an open directory. This open directory shows the files included in the phishing page: images, fonts, .css files, and more. Although finding this directory was easy, it isn’t necessary to hide it, as most end users will only go through to login rather investigating into the internals of the site. However, it must be noted no professional website allows access to its file directories in this way. If reached, it is an almost sure-fire way of immediately identifying a phish.

Network IOC IP
hXXps://cert-ssl-global-prod-webmeetings[.]com/da4njy=/idb/saml/jsp/index[.]php 137[.]135[.]110[.]140

 

How Cofense Can Help

Visit Cofense’s Remote Work Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots and YARA rules as we continue to track campaigns.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Staff Members’ Inbox Positive for Coronavirus Themed Phish

By Ashley Tran, Cofense Phishing Defense Center

From prime ministers, members of congress to celebrities and staff of nursing homes — many have been affected by COVID-19. And the worst part? Threat actors know this and are heavily weaponizing this pandemic, exploiting the fears and concerns of users everywhere. The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign found in environments protected by Microsoft and Symantec that not only impersonates a company’s management but also suggests that a fellow employee has tested positive for the disease, urging users to read an enclosed malicious attachment posed as “guidelines” or “next steps.”

As we have seen before and noted in previous Cofense blogs and media stories, Coronavirus themed phishing attacks are running rampant and attacking users across all industries. Although the attacks vary in method, the main takeaway is the same: all users must exercise the utmost caution and restraint in the face of emotionally jarring emails.

Figures 1-3: Email Bodies

The PDC has found multiple instances of this attack and a trend among them all. As demonstrated in Figures 1-3, the email subject lines are relatively similar: “Staff Member Confirmed COVID 19 Positive ID,” followed by a random string of numbers and that day’s date. The emotion these subject lines evoke in users are also the same: fear and curiosity. Emails appearing to be a “Team Update on COVID 19” and bearing their company’s name can convince end users to believe the email was sent internally. However, the true senders are revealed via the return paths:

Maga[@]tus[.]tusdns[.]com and ungrez[@]ssd7[@]linuxpl[.]com

Admittedly these emails would appear suspicious to most, but the threat actor is relying on the emotional subject line to overcome logic and push users to read just the first line of the sender information and nothing more.

The bodies of the emails have more variety and are worded differently, but the same main point: a fellow employee has the virus, so read this guideline we’ve attached to get more details or at least learn the “next steps” to take. To top it off the email is signed by “Management.”

The true part of this attack lies within the HTML file found in the email.

Figure 4 shows that the attachment has been detected as malicious by a multitude of services, however users won’t see this when they read the email.

Figure 4: VirusTotal Analysis

Figure 5: Phishing Page

Upon opening the attachment users are presented with a generic Microsoft login page, a frequently targeted brand. The difference with this phish, however, is the threat actor has superimposed the login box over a blurred document that may appear to users as the previously mentioned “guidelines” lending an even greater sense of legitimacy.

The email of the recipient is automatically appended to the username field via code in the HTML. In fact, the threat actor has painstakingly put the base64 for each of the recipient’s email addresses, which is then translated to a readable format when interacting with the phish. This snippet of code can be observed in Figure 6.

Figure 6: Email Bodies

Once a user navigates to the next page and inputs their password, the information is then sent to the compromised site:

hxxp://tokai-lm[.]jp/style/89887cc/5789n[.]php?98709087-87634423

This exchange of information can be viewed by opening developer tools on any browser and navigating to the networking tab as shown in Figure 7.

Figure 7: Phishing Page

The code found within the HTML file that hosts the phishing content employs typical malicious tactics. For example, as seen in Figure 8, the code does not look like a typical HTML code. This is because the threat actor has attempted to obfuscate their code, to make analysis as well as detection harder. However, this is nothing new for phishing campaigns that choose to utilize a HTML file. De-obfuscating the code and revealing some its methods is not difficult.

Figure 8: Obfuscated Code

To begin, the code is notably broken into different parts. Each of these parts may stand out to anyone with an eye for encoding as being Hex text and base64. These both can easily be decoded back into their original form, the true HTML code, by utilizing tools such as RapidTables and Base64 Decode.

Figure 9: De-obfuscated Code

After de-obfuscating the code, the true HTML is seen in Figure 9, revealing the threat actor has compromised, or at the very least utilized, a compromised site to host the style sheet for their phish:

hxxp://ibuykenya[.]com/vendor/doctrine/styles[.]css

Figure 10: Open Directory with Phish Resource Files

The following is the directory which the threat actor has used to store the style sheet for the phish, along with what appears to be two additional files, based on their last modified dates.

Within the code, the image seen in the background of the document can also be recovered. The image is hosted on ImgBB, yet another relatively benign image hosting site to which threat actors flock to host images for their attacks.

hxxps://i[.]ibb[.]co/dMcjCWC/image[.]png

Figure 11: Document Preview from Phish

Upon closer observation, the title of the document can be obtained. With a quick search, the image the threat actor has used to further legitimize this login page in the eyes of the user can be linked back to the legitimate document found in Figure 12.

Figure 12: Legitimate Document Utilized by Threat Actor

All these steps – the social engineering, the obfuscated code, use of official COVID health advisories and more-are designed to ensure users don’t detect the phishing attack is in progress. This phish also demonstrates the attacker’s need to employ layered techniques designed to avoid detection by email gateways, as well as the incident responder’s need for the right investigative tools to properly analyze, detect and quarantine this threat.

Network IOC  IP
hxxp://tokai-lm[.]jp/style/89887cc/5789n[.]php?98709087-87634423 150[.]60[.]156[.]116

 

How Cofense Can Help

Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots and YARA rules as we continue to track campaigns. (edited) 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Targeted Attack Uses Fake EE Email to Deceive Users

By Kian Mahdavi and Tej Tulachan, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has discovered a spear-phishing campaign designed to defraud corporate executives’ payment details by spoofing EE, a well-known UK-based telecommunications and internet service provider.  These spear phishing messages were reported to the Cofense PDC by end users whose email environments are protected by Microsoft 365 EOP and Symantec. This new, targeted campaign shows that while exploiting well-known telecommunications brands is nothing new, such phishing emails continue to go undetected by popular email gateways designed to protect end users, leading to possible theft of prized corporate credentials

Figure 1: Email Body

Threat actors sent a targeted email to a few executives, including one at a leading financial firm, with the subject line reading ‘View Bill – Error’ from a purchased top-level domain (moniquemoll[.]nl). These details in and of themselves may raise red flags to eagle-eyed recipients, as EE’s trademarked name isn’t included in any part of the full email address.

The malicious URL inserted within the text is:

hXXps://fly-guyz[.]com/ee[.]co[.]uk[.]edcnymdsqmnydqnyo

The vague email indicates ‘we’re working to get this fixed’. At no point does the email give an indication what this error is. As we read on, the second hyperlink states ‘view billing to make sure your account details are correct’ to entice the recipient to click the phishing link.

The threat actor fails to include the correct registered office address, evident towards the bottom of the email. Once the threat actor’s social engineering does the trick and the user clicks one of the links, they are redirected to a phishing page.

Noted in Figure 2 below is the trusted HTTPS protocol (also displayed as the green padlock) within the URL, giving false hope to the user that network traffic is being encrypted, ensuring all data transferred between the browser and website is secure and not being eavesdropped on.

However, the threat actor even went to the trouble of obtaining SSL certificates for the domain to further gain end users’ trust. In fact, it has become much easier for site owners, including fraudsters, to obtain these certificates.

Figures 2 and 3: First and second phishing pages

The peculiar aspect is the message in which the threat actor included: ‘You will not be charged’ to reassure recipients and trick them into providing their payment information.  The user is then automatically redirected to the legitimate EE website, as displayed below in Figure 4, to avoid suspicion. This is a common tactic to make the user believe the session timed out or their password was mistyped.

Figure 4: Legitimate Redirect Login Page

At the time of writing, the phishing page is still live and active. To further validate the analysis of the investigation, we decided to input some fake credentials, allowing us to verify the transmitted TCP requests and redirects to the fraudster’s domain at hXXps://kbimperial[.]com/data[.]php.

Figure 5: TCP Retransmission Packets

Indicators of Compromise:

Network IOC IP
hXXps://fly-guyz[.]com/ee[.]co[.]uk[.]edcnymdsqmnydqnyo/
hXXps://kbimperial[.]com/ee[.]co[.]uk[.]edcnymdsqmnydqnyo/logins
hXXps://kbimperial[.]com/data[.]php?
104[.]31[.]82[.]7
104[.]31[.]83[.]7
35[.]208[.]71[.]62

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

This Phish Uses Skype to Target Surging Remote Workers

By Harsh Patel

The Cofense Phishing Defense Center (PDC) recently unearthed a new phishing campaign spoofing Skype, the popular video calling platform that has seen a recent spike in use amid the need to keep employees connected as they work remotely. This phishing attack was found in email environments protected by Proofpoint and Microsoft 365 EOP, landing in end-users’ inboxes.

With so many people working from home, remote work software like Skype, Slack, Zoom, and WebEx are starting to become popular themes of phishing lures. We recently uncovered an interesting Skype phishing email that an end user reported to the PDC.

Figures 1 and 2: Email Body

For this attack, the threat actor created an email that looks eerily similar to a legitimate pending notification coming from Skype. The threat actor tries to spoof a convincing Skype phone number and email address in the form of 67519-81987[@]skype.[REDACTED EMAIL]. While the sender address may appear legitimate at first glance, the real sender can be found in the return-path displayed as “sent from,” which also happens to be an external compromised account. Although there are many ways to exploit a compromised account, for this phishing campaign the threat actor chose to use it to send out even more phishing campaigns masquerading as a trusted colleague or friend.

It is not uncommon to receive emails about pending notifications for various services. The threat actor anticipates users will recognize this as just that, so they take action to view the notifications. Curiosity and the sense of urgency entice many users to click the “Review” button without recognizing the obvious signs of a phishing attack.

Upon clicking ‘Review’ users will be redirected via an app.link:

hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5

Finally, to the end phishing page:

hxxps://skype-online0345[.]web[.]app

The threat actor has chosen to utilize a .app top-level domain to host their attack. This TLD is backed by Google to help app developers securely share their apps. A benefit of this top-level domain is that it requires HTTPS to connect to it, adding security on both the user’s and developer’s end, which is great…but not in this case. The inclusion of HTTPS means the addition of a lock to the address bar, which most users have been trained to trust. Because this phishing site is being hosted via Google’s .app TLD it displays this trusted icon.

Figure 3: Phishing Page

Clicking the link in the email, the user is shown an impersonation of the Skype login page. If a well-trained user inspects the URL, they will see that the URL contains the word Skype (hxxps://skype-online0345[.]web[.]app). To add even further sense of authenticity, the threat actor adds the recipient’s company logo to the login box as well as a disclaimer at the bottom warning this page is for “authorized use” of that company’s users only. The username is auto-filled due to the URL containing the base64 of the target email address, thus adding simplicity to the phishing page and leaving little room for doubt. The only thing left for the user to do is to enter his or her password, which then falls into the hands of the threat actor.

 

Network IOCs
hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5
hxxps://skype-online0345[.]web[.]app

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Threat Actors Masquerade as HR Departments to Steal Credentials through Fake Remote Work Enrollment Forms

By: Kian Mahdavi, Cofense Phishing Defense Center

With the escalation of COVID-19, organizations are rapidly adjusting as they move their workforce to work from home; it’s no surprise that threat actors have followed suit. Over the past few weeks, the Cofense Phishing Defense Center (PDC) has observed a notable uptick in phishing campaigns that exploit the widely used Microsoft Sway application to steal organizational credentials and to host phishing websites. Sway is a free application from Microsoft that allows employees to generate documents such as newsletters and presentations and is commonly used by professionals to conduct their regular day to day work tasks.

In a new campaign, threat actors send emails with subject lines such as ‘Employee Enrollment Required’ and ‘Remote Work Access.’

Figure 1: Email body

The sender in Figure 1 claims to come from ‘Human Resources.’ Closer inspection, however, reveals the actual sender’s address – a purchased domain address ‘chuckanderson.com’ with no association to the HR team or the organization’s official mailing address.  The attack includes carefully thought out trigger words, such as ‘expected’ and ‘selection/approval,’ language that often trips up employees who are accustomed to receiving occasional emails from their local HR team, especially during this pandemic. Should users hover over the link within the email, however, they would see ‘mimecast.com’ along with ‘office.com,’ potentially and mistakenly deeming these URL(s) as non-suspicious.

By using trusted sources such as Sway to deliver malware or steal corporate credentials, such campaigns often evade Secure Email Gateways (SEGs) thanks to the trusted domains, SSL certificates and URL(s) used within the email headers.

Figure 2: Cofense PDC Triage flagging the known malicious URL

Numerous employees across a variety of departments within the same company received and reported this email to the Cofense PDC, with each email consistently redirecting users to similar Sway URLs.  These URLs were already known by our Cofense Triage solution and were identified as malicious, providing valuable context for our PDC analysts when they commenced their investigation.

As previously discussed, as legitimate domains and URLs were used, these campaigns remained undetected for longer periods of time, likely leading to a higher number of compromised account credentials. On the other hand, malicious content hosted on purpose-built phishing sites usually gets flagged much quicker, taken down earlier, and therefore leading to a much shorter ‘time to live’ period. In short, this attack was easy to execute, required minimal skill, and remained undetected by security technologies.

Figure 3: Virus Total URL Analysis  

Upon conducting a web search using reliable threat intelligence feeds, as shown above in Figure 3, the authenticity of URLs can be verified against trusted security vendors that have recently detected the attack, flagging them as ‘malicious/phishing’. Displayed in the top right-hand side of Figure 3 is the timestamp revealing the latest known update from a security vendor.

Figure 4: First phase of phishing page

Awaiting the user is the bait on a generic looking page, a ‘BEGIN ENROLLMENT’ button and once clicked, redirects to a document hosted on SharePoint as seen below in Figure 5.

Figure 5: Second phase of phishing page

Once employees enter their credentials and hit the ‘Submit’ button, their log-in information is sent to the threat actor – the end user is none the wiser that they have been successfully phished.

As employees have rapidly shifted to remote working, threat actors have started to look at ways they capitalize on the COVID-19 pandemic to spoof new corporate policies and legitimate collaboration tools to harvest valuable corporate credentials, a trend we anticipate will only continue to gain steam in the foreseeable future.

Indicators of Compromise:

First Hosted URL IP Address
hXXps://sway[.]office[.]com/5CgSZtOqeHrKSKYS?ref=Link 52[.]109[.]12[.]51

 

Second Hosted URL IP Address
hXXps://netorgft6234871my[.]sharepoint[.]com/:x:/r/personal/enable_payservicecenter_com/_layouts/15/WopiFrame[.]aspx 13[.]107[.]136[.]9

 

How Cofense Can Help

Visit Cofense’s Remote Work Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots as we continue to track campaigns.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

New Phishing Campaign Spoofs WebEx to Target Remote Workers

By Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center  (PDC) has observed a new phishing campaign that aims to harvest Cisco WebEx credentials via a security warning for the application, which Cisco’s own Secure Email Gateway fails to catch. In the midst of the COVID-19 pandemic, millions of people are working from home using a multitude of online platforms and software. Attackers, of course, know this and are exploiting trusted brands like WebEx to deliver malicious emails to users.

Targeting users of teleconferencing brands is nothing new. But with most organizations adhering to guidelines that non-essential workers stay home, the rapid influx of remote workers is prime picking for attackers trying to spoof brands like WebEx. We anticipate there will continue be an increase in remote work phishing in the months to come.

Here’s how this campaign works:

Figure 1: Email Body

For this attack, the threat actor sends an email with varying subject lines such as “Critical Update” or “Alert!” from the spoofed address “meetings[@]webex[.]com”. With the subject and mail content combined, this may gauge users’ curiosity enough to entice them click in order to take the requested action.

The email then explains there is a vulnerability the user must patch or risk allowing an unauthenticated user to install a “Docker container with high privileges on the system.” In this scenario, the threat actor has spoofed a legitimate business service and explained a problem with their software, prompting even non-technical readers to read further. The threat actor even links to a legitimate write-up for the vulnerability, found at the URL embedded into the text ‘CVE-2016-9223:

hxxps://cve[.]mitre[.]org/cgi-bin/cvename.cgi?name=CVE-2016-9223

The linked article uses the same words as the email, lending further credibility.

The only thing for a responsible user to do next is follow the instructions in the email and update their Desktop App, right?

Even if more cautious users hover over the ‘Join’ button before clicking, they could still very well believe it’s legitimate. The URL embedded behind it is:

hxxps://globalpagee-prod-webex[.]com/signin

While the legitimate Cisco WebEx URL is:

hxxps://globalpage-prod[.]webex[.]com/signin

At a first glance, both URLs look eerily similar. A closer look, however, reveals an extra ‘e’ is added to ‘globalpage.’ Likewise, instead of ‘prod.webex’, the malicious link is ‘prod-webex’.

To carry out this attack, the threat actor registered a fraudulent domain through Public Domain Registry just days before sending out the credential phishing email.

The attacker has even gone as far as obtaining a SSL certificate for their fraudulent domain to gain further trust from end users. While the official Cisco certificate is verified by HydrantID, the attacker’s certificate is through Sectigo Limited. Regardless of who verified the attacker’s certificate, the result is the same – a lock to the left of its URL that renders the email legitimate the eyes of many users.

Figure 2:  Initial Phishing Page

The phishing page to which users are redirected is identical to the legitimate Cisco WebEx login page; visually there is no difference. Behavior-wise, there is a deviation between the real site and the fraudulent page. When email addresses are typed into the real Cisco page, the entries are checked to verify if there are associated accounts. With this phishing page, however, any email formatted entry takes the recipient to the next page where they then requested to enter their password.

Figure 3: Secondary Phishing Page

Once credentials are provided, users are redirected to the official Cisco website to download WebEx, which may be enough to convince most users it is a legitimate login process to update their WebEx app.

Figure 4: Legitimate Redirect Page – Official Cisco WebEx Download Page

At the time of writing, this fraudulent domain is still live and active. In fact, when navigating to the main domain, there is an open directory showing files the threat actor has utilized with this attack.

Figure 5: Open Directory

Files of interest include ‘sign-in%3fsurl=https%[…]’ and ‘out.php’.

The file ‘sign-in%3fsurl=https%[…]’ is the phishing page itself. When users click from this directory, they are redirected to the fraudulent WebEx login (Figure 3).

Figure 6: ‘out.php’ File

The ‘out.php’ file, seen in Figure 6, is the mailer the threat actor appears to have used to send this attack to users’ inboxes. The threat actor can manually input any subject they want – in this case, they chose “Critical Update!!”, adding the HTML for the email to the box below and designating an email list to which they wish to mass send this campaign.

With many organizations quickly adopting remote working policies, threat actors are poised to continue to spoof brands that facilitate virtual collaboration and communication, such as teleconferencing tools and cloud solutions.

Indicators of Compromise:

Network IOC IP
hxxps://globalpagee-prod-webex[.]com/signin 192[.]185[.]214[.]109

 

How Cofense Can Help

Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolves. Our site is updated with screenshots and YARA rules as we continue to track campaigns.

Every day, the Cofense Phishing Defense Center (PDC) analyzes phishing emails that bypassed email gateways, 75% of which are credential phish.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 37308 and received YARA rule PM_Intel_CredPhish_37308. Cofense Intelligence customers who would like to keep up with the Active Threat Reports and indicators being published, all COVID-19 campaigns are tagged with the “Pandemic” search tag.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

One, Two, Three Phish: Adversaries Target Mobile Users

By Elmer Hernandez, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has spotted a phishing attack directed at mobile users purporting to come from Three, a British telecommunications and internet service provider. The attack relies on a well-spoofed html file, enticing users to provide everything from their password and personal details to their credit card information. 

Users are informed of a bill payment that could not be processed by their bank. They are urged to download the html file “3GUK[.]html” to edit their billing information in order to avoid service suspension. Users should always be wary of requests to download and open html/htm file attachments as opposed to being linked directly from their email client (which also, of course, is no guarantee of a legitimate email).

Figure 1 – Email Body

Spoofed Phish Page

As seen in Figures 2 and 3, The attached 3GUK[.]html file then requests login credentials, personal information and credit card details. The source code indicates this is a clone of actual Three html code, re-appropriated for malicious purposes; for instance, styling elements are pulled from actual Three websites. Additionally, all options in 3GUK[.]html direct to the legitimate relevant Three page so that, for example, if one clicks on “iPhone 11” under the Popular Phones section at the bottom, the end user is redirected to the real Three iPhone 11 page.

Figures 2 and 3 – Cloned Phishing Pages

The smoking gun is in the action attribute of the HTML form element. Figure 4 confirms that any information provided is processed by the “processing[.]php” script, located at hxxp://joaquinmeyer[.]com/wb/processing[.]php, a domain the adversary has compromised. Adversaries need only modify key sections of the cloned html code such as in Figure 4 below in order to turn benign code into a convincing phish.

Figure 4 – Malicious cloned html code

The Devil is in the Metadata

The From field, as seen in Figure 5 below, indicates “online@three[.]co[.]uk” as the apparent source of the email. The SPF check shows this was the address provided in the SMTP MAIL FROM command. We also see a SoftFail result for the originating IP 86.47.56.231; this means the domain of three.co.uk discourages, but does not explicitly rule out, this IP address as a permitted sender.

Figure 5 – SPF check

In other words, the SPF records for the domain of three[.]co[.]uk contain the ~all mechanism, which flags but ultimately lets the email through. Worried that legitimate email will be blocked by a stricter SPF policy, such as a (Hard)Fail with -all, many companies’ SPF records do not dare make an explicit statement regarding who is and is not permitted sender, potentially enabling spoofed emails.

DNS PTR record resolves the originating IP 86.47.56.231 to mail[.]moultondesign[.]com. Although an apparent subdomain of moultondesign[.]com, there is no evident relation between the two. There is no corresponding DNS A record, as confirmed by a Wireshark capture, as seen in Figure 6. The supposed parent domain is hosted by Namesco Ireland at 195.7.226.154, unlike the malicious IP address which is part the ADSL Pool of Irish provider EIR, suggesting a residential use.

Figure 6 – Missing DNS A Record

The email also contains a spoofed Message-ID (Figure 7). Although these do not need to conform to any particular structure, they often contain a timestamp. In this case, the digits on the left of the dot seem to follow the format YYYYMMDDhhhhss, amounting to 2020 February 5th 16:34:08; the digits to the right of the dot could or could not have any significance. Finally, the presence of Three’s Fully Qualified Domain Name adds a further element of credibility that might deceive more tech-savvy users.

Figure 7 – Message-ID

IOCs:

Malicious URLs:
hxxp://joaquinmeyer[.]com/wb/processing[.]php
mail[.]moultondesign[.]com

Associated IPs:
65.60.11.250
86.47.56.231

 

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense Reporter.

Easily consume phishing-specific threat intelligence in real time to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers were already defended against these threats well before the time of this blog posting and received further information in the Active Threat Report 37144.

Quickly turn user-reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.