One, Two, Three Phish: Adversaries Target Mobile Users

By Elmer Hernandez, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has spotted a phishing attack directed at mobile users purporting to come from Three, a British telecommunications and internet service provider. The attack relies on a well-spoofed html file, enticing users to provide everything from their password and personal details to their credit card information. 

Users are informed of a bill payment that could not be processed by their bank. They are urged to download the html file “3GUK[.]html” to edit their billing information in order to avoid service suspension. Users should always be wary of requests to download and open html/htm file attachments as opposed to being linked directly from their email client (which also, of course, is no guarantee of a legitimate email).

Figure 1 – Email Body

Spoofed Phish Page

As seen in Figures 2 and 3, The attached 3GUK[.]html file then requests login credentials, personal information and credit card details. The source code indicates this is a clone of actual Three html code, re-appropriated for malicious purposes; for instance, styling elements are pulled from actual Three websites. Additionally, all options in 3GUK[.]html direct to the legitimate relevant Three page so that, for example, if one clicks on “iPhone 11” under the Popular Phones section at the bottom, the end user is redirected to the real Three iPhone 11 page.

Figures 2 and 3 – Cloned Phishing Pages

The smoking gun is in the action attribute of the HTML form element. Figure 4 confirms that any information provided is processed by the “processing[.]php” script, located at hxxp://joaquinmeyer[.]com/wb/processing[.]php, a domain the adversary has compromised. Adversaries need only modify key sections of the cloned html code such as in Figure 4 below in order to turn benign code into a convincing phish.

Figure 4 – Malicious cloned html code

The Devil is in the Metadata

The From field, as seen in Figure 5 below, indicates “online@three[.]co[.]uk” as the apparent source of the email. The SPF check shows this was the address provided in the SMTP MAIL FROM command. We also see a SoftFail result for the originating IP 86.47.56.231; this means the domain of three.co.uk discourages, but does not explicitly rule out, this IP address as a permitted sender.

Figure 5 – SPF check

In other words, the SPF records for the domain of three[.]co[.]uk contain the ~all mechanism, which flags but ultimately lets the email through. Worried that legitimate email will be blocked by a stricter SPF policy, such as a (Hard)Fail with -all, many companies’ SPF records do not dare make an explicit statement regarding who is and is not permitted sender, potentially enabling spoofed emails.

DNS PTR record resolves the originating IP 86.47.56.231 to mail[.]moultondesign[.]com. Although an apparent subdomain of moultondesign[.]com, there is no evident relation between the two. There is no corresponding DNS A record, as confirmed by a Wireshark capture, as seen in Figure 6. The supposed parent domain is hosted by Namesco Ireland at 195.7.226.154, unlike the malicious IP address which is part the ADSL Pool of Irish provider EIR, suggesting a residential use.

Figure 6 – Missing DNS A Record

The email also contains a spoofed Message-ID (Figure 7). Although these do not need to conform to any particular structure, they often contain a timestamp. In this case, the digits on the left of the dot seem to follow the format YYYYMMDDhhhhss, amounting to 2020 February 5th 16:34:08; the digits to the right of the dot could or could not have any significance. Finally, the presence of Three’s Fully Qualified Domain Name adds a further element of credibility that might deceive more tech-savvy users.

Figure 7 – Message-ID

IOCs:

Malicious URLs:
hxxp://joaquinmeyer[.]com/wb/processing[.]php
mail[.]moultondesign[.]com

Associated IPs:
65.60.11.250
86.47.56.231

 

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense Reporter.

Easily consume phishing-specific threat intelligence in real time to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers were already defended against these threats well before the time of this blog posting and received further information in the Active Threat Report 37144.

Quickly turn user-reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

This Employee Satisfaction Survey is Not so Satisfying… Except for the Credential Phishing Actors Behind It.

By Max Gannon, Dylan Duncan in Cofense Intelligence

Cofense Intelligence has tracked a complex credential phishing operation that evades Microsoft Office 365, Cisco Ironport and Mimecast Secure Email Gateways and has been active since at least December 2019—a very long time for an active credential phishing campaign. The use of a series of convincing tactics suggests that threat actors have taken great effort to create an air of authenticity for targeted recipients. Targeted users receive an email, supposedly from their HR departments, mandating that they complete a SurveyMonkey employee satisfaction survey. The convoluted attack chain uses trusted sources and eventually redirects to a real SurveyMonkey survey, allowing the threat actors to evade detection, and provides recipients with the end results that they expect – a real survey.

This credential phishing chain begins with an email (Figure 1) containing a link to a PDF hosted on the legitimate cloud service provider Hightail. The email itself contains multiple tactics, techniques, and procedures (TTPs) to deceive the end user. These TTPs consist of a seemingly legitimate Hightail spoofed email address ‘delivery @ spaces[.]hightailmail[.]com,’ fronting as a target’s HR department. The email creates a sense of urgency, indicating the survey is mandatory, requires action, only takes a few moments to complete, and will benefit the targeted employee.

Figure 1: Example of one original email sent to targeted recipients

After following the link to Hightail, a PDF is downloaded (Figure 2). Within the PDF, the from, subject, and message fields match the email line-for-line. The URLs for Hightail contain the recipient’s email address encoded in the URL path, and with the page hosted by the threat actor, these collected URLs could be decoded to gather the email address before they access the PDF. Hightail provides a preview of the PDF before downloading (Figure 3), which shows a faded survey and an icon that appears to lead into the survey.

Figure 2: The Hightail web page hosting a PDF that recipients are encouraged to download

Figure 3: A preview of the PDF hosted on Hightail, encouraging the user to participate in the “mandatory” survey

Once the PDF has been downloaded, a ‘Take Survey’ icon links to one of many credential phishing URLs used in this scheme. As displayed in Figure 4 below, the phishing URLs often change with each different PDF, but continue to remain consistent with the theme of an HR Department survey.

Examples include:

  • hxxps://hrsurveyportal[.]work/Start/
  • hxxps://my[.]hr-portalsurvey[.]work/

A complete list of identified URLs was used in different PDFs and is included at the end of this document in Table 2. This kind of differentiation allows the threat actors to maintain an appearance of legitimacy in their phishing URLs, while making it more difficult to defend against these attacks by shunning previously used or shared URLs.

Figure 4: PDF with an embedded link to a credential phishing website

This credential phishing campaign, and its variants, have been operating since at least December 5th, 2019. In most of these identified campaigns, the credential phishing pages were the same spoofed “Norton Secured” page, seen in Figure 5, regardless of the URL or the original target company. Older campaigns, primarily seen in December and January, mostly used appspot[.]com sub-domains rather than HR department themed domains and all led to pages like the one shown in Figure 6.

Figure 5: Spoofed login page where credentials are harvested

Figure 6: A less convincing example of a credential phishing page identified in this broader campaign.

When a recipient enters his or her information in any of the credential phishing websites, the data is sent via an HTTP POST to the URL shown in Figure 7. This is most commonly hxxps://nortonsymantecssl[.]000webhostapp[.]com/vlog/. Much like the hrsurvey[.]work URL variants designed to provide an additional sense of legitimacy, this URL also spoofs “Norton Secured”. Recipients are then immediately sent to the SurveyMonkey survey shown in Figure 8.

Figure 7: Credential phishing page source with the highlighted URL where credentials are posted and recipients are redirected.

Figure 8: The final SurveyMonkey survey

The SurveyMonkey survey shown in Figure 8 is of particular importance. First, this survey link is either legitimate and has been repurposed by threat actors, or threat actors themselves went to the effort to create it. Either way, the detail and effort involved in the survey indicates the possible intent of the threat actors to use the survey as a long-term resource across multiple short-lived credential phishing pages. Secondly, this survey leads targeted recipients to a credible conclusion—ending the attack chain in a way that would not leave recipients suspecting that anything suspicious had happened. Many credential phishing campaigns end by redirecting a user to a generic page or displaying a login error message, which can cause users to stop and consider potentially harmful activity that had occurred, leading them to warn others or report the original email. By avoiding such suspicious signposts, the threat actors can further protect their infrastructure and avoid detection.

This campaign presented a convincing impersonation of an HR department delivering a mandatory survey to its employees. The final destination of the chain was a survey hosted on SurveyMonkey—leading recipients to believe that nothing was wrong. The choice of the campaign endpoint—a survey hosted on a well-known legitimate site, rather than an obvious error message or redirect—indicates a level of attention above and beyond what is usually exhibited by credential phishing adversaries. Additionally, custom domains were used to host the credential phishing infrastructure rather than compromised domains, as is often the case with simple credential phishing. Cofense Intelligence assesses that this campaign was carefully designed with long term capability and minimal detection in mind. This has no doubt allowed for the repeated success of this campaign—also quite unusual when it comes to credential phishing.

Hightail Hosted PDF URLs
hxxp://spaces[.]hightail[.]com/receive/gmaTEP8hhh/
hxxp://spaces[.]hightail[.]com/receive/GvXjcQjRac/
hxxp://spaces[.]hightail[.]com/receive/gWGl9E9QrM/
hxxp://spaces[.]hightail[.]com/receive/hiasiM3Bc4/
hxxp://spaces[.]hightail[.]com/receive/Huh5Kd9ngs/
hxxp://spaces[.]hightail[.]com/receive/N2hZnCrDRr/
hxxp://spaces[.]hightail[.]com/receive/NewA1DfvtL/
hxxp://spaces[.]hightail[.]com/receive/pvHwWmHUxB/
hxxp://spaces[.]hightail[.]com/receive/rlTbN1a1sV/
hxxp://spaces[.]hightail[.]com/receive/wgmOI2E6VF/
hxxp://spaces[.]hightail[.]com/receive/yGDAtZ2Cld/
Credential Phishing Pages URLs
hxxps://hrsurvey[.]work/Home/
hxxps://hrsurvey[.]work/hr/
hxxps://hrsurveyportal[.]work/begin/
hxxps://hrsurveyportal[.]work/secure/
hxxps://hrsurveyportal[.]work/Start/
hxxps://my[.]hr-portalsurvey[.]work/
hxxps://my[.]hrsurveyportal[.]work/
hxxps://my[.]worksurvey[.]work/
hxxps://secure[.]hrsurveyportal[.]work/
hxxps://mwz1552alry[.]appspot[.]com/
Redirect URLs
hxxps://csosun[.]org/administrator/manifests/login[.]php
hxxps://nortonsymantecssl[.]000webhostapp[.]com/vlog/
Hosted Survey URL
hxxps://www[.]surveymonkey[.]com/r/2MHSTQ8
Downloaded PDF Files MD5 Hash
Employee Satisfaction Survey.pdf d61822e79a797356598b6296af360f3e
Employee Satisfaction Survey.pdf b760297ada010198d40f585206e2c769
Description Indicator
Cofense Intelligence ATR ID 36729
Cofense Triage Yara RULE PM_Intel_CredPhish_36729

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Condition users to be resilient to credential harvesting attacks with Cofense PhishMe, plus get visibility of attacks that have bypassed controls with Cofense Reporter.

Easily consume phishing-specific threat intelligence in real time to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers were already defended against these threats well before the time of this blog posting and received further information in the Active Threat Report 36729.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Threat Actors Innovate to Exploit COVID-19, Delivering OpenOffice .ODP Attachments on a Shoestring Budget

By Tonia Dudley, Cofense Security Solutions

Have you ever paid an invoice delivered in PowerPoint file, similar to Figure 1 below? No? Me neither. An accounts reconciliation aging report? Don’t those typically get sent as a .PDF file so your auditor can ensure you haven’t “adjusted” the report?

Figure 1: Phishing email with fake invoice delivered via an .ODP file, appearing as a .PPT file

We recently uncovered a new, previously unseen tactic used by threat actors eager to capitalize on organizations’ concerns around COVID-19. The threat actors use an OpenOffice file format as an .ODP file, recognized by Microsoft as .PPT file, thus leading unsuspecting users to easily recognize the PowerPoint icon.

But let’s go back to the emails that included this file type. Would you receive an email to process an invoice that used a PowerPoint file for this transaction? It’s no wonder a well-trained user was able to spot this email as suspicious and reported the message to the Cofense Phishing Defense Center.

As we continue to monitor suspicious emails related to COVID-19, both seen in the wild and reported by our customers, we noticed a few interesting tactics used in the email (Figure 2 below) that leverages the OpenOffice format to trick unsuspecting employees into opening the document. The email message is fairly basic and contains some simple phishing indicators. The salutation is generic and an incomplete sentence – “Good morning.” Is this how you punctuate this salutation? Speaking of punctuation – they also used a period after “signing” their name “Donna.” at the end of the email.

When digging into the header information, it was, however, surprising that this email was flagged as “Received-SPF: Fail”. Organizations have spent a great deal of time setting up and configuring DMARC, DKIM and SPF, and the message is delivered to the inbox? We’ll give this organization the benefit of doubt and assume they’re still finetuning and configuring that control.

Yet the most interesting part of this phishing email is the attachment itself – we had never seen an .ODP file type in a phishing email before.

Figure 2: Phishing email delivering an .ODP file masquerading as a COVID-19 preparation guide

In an effort to ensure our customers can detect this new tactic, we wrote a YARA rule to look for any OpenOffice file type. This new search took us back to late January to find the use of the .ODP filetype. It also bubbled up another OpenOffice file type of .ODT, displaying the MS Word icon to the user. In each of these files, the use case for the threat actor was to merely deliver the link to direct to the malicious website.

HOW COFENSE CAN HELP

Yara Rule: PM_LABS_OpenOffice_ImpressFiles

For more information and resources about COVID-19 related phish and malware, visit our Infocenter: https://cofense.com/solutions/topic/coronavirus-infocenter/

Every day, the Cofense Phishing Defense Center analyzes phishing emails that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology.

Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.