Phish Found in Proofpoint-Protected Environments – Week Ending August 9, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. This week sees a variety of the same ol’, same ol’. Logistics spoofs, trusted cloud storage, and finance themes. Good thing humans can be trained to detect these things.

phishing example delivers a zipped jnlp java downloader to then deliver ursnif banking trojan

TYPE: Malware – Ursnif

DESCRIPTION: Threat actors in this connected age love to spoof logistics companies. This example warns of a package being returned to the sender. The attached, zipped .jnlp shortcut file leads to a JAR Downloader that runs the Ursnif malware. This is one package you do not want to receive.

phishing example of credential theft using dropbox link

TYPE: Credential Theft

DESCRIPTION: Cloud storage is certainly convenient for sharing files with friends and colleagues. Attackers think so, too. This one uses Dropbox to deliver a credential phishing page to the recipient. How convenient is that?

phishing example uses a delivery spoof with a link to credential theft page

TYPE: Credential Theft

DESCRIPTION: These attackers really stepped up their game with a convincing looking phish mimicking another logistics company. If only it hadn’t come from a Hotmail account.

phishing example uses an image link to direct the recipient to the pyrogenic stealer

TYPE: Malware – Pyrogenic

DESCRIPTION: It may look like a PDF, but this finance-themed phish actually delivers a linked image that appears to be an attachment. The link leads to the Pyrogenic Stealer.

phishing example of OneDrive link to download agent tesla keylogger

TYPE: Malware – Agent Tesla

DESCRIPTION: Here’s your quote for the day: beware of emails bearing malware. This attack identifies as a quote but delivers the Agent Tesla Keylogger via an embedded URL.

phishing example uses a coronavirus theme to perform credential theft

TYPE: Credential Theft

DESCRIPTION: They say rest and exercise are good for you, but this exercise starter kit from HR is really at the other end of the scale. The provided link takes the recipient to a web page designed to steal their credentials. That’s sure to get your heart rate up.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Found in Proofpoint-Protected Environments – Week Ending August 2, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. We note quite a bit of spoofing this week. Attackers know if they can get their phishing attacks into a user’s inbox, they still need to convince the user to click. If you need help raising the awareness of your users, check out some of our free resources.

phishing example invoice theme delivers pyrogenic stealer with embedded link

TYPE: Malware – Pyrogenic

DESCRIPTION: For such a polite email is carries an awfully impolite payload, as this finance-themed phish uses an embedded URL disguised as a PDF to deliver the Pyrogenic Stealer.

phishing example uses PDF attachment to perform credential theft.

TYPE: Credential Theft

DESCRIPTION: Spoofing an international logistics company, this phish delivers an attached PDF with embedded links to a credential phishing site.

phishing example of a purchase order link that delivers nanocore remote access trojan

TYPE: Malware – NanoCore

DESCRIPTION: Everyone knows Dropbox is a legitimate cloud storage provider so, when we get a purchase order hosted on Dropbox, we click it. At least, that’s what the attacker hopes. In this attack, an archive holding the NanoCore Remote Access Trojan is downloaded. We’ve been discussing the use of Dropbox in phishing attacks for over 5 years.

phishing example spoofs logistics company to deliver avaddon ransomware and raccoon stealer

TYPE: Malware – Avaddon

DESCRIPTION: Another spoof of a major logistics company. This one really delivers. Using an embedded URL it delivers the Smoke Loader that then downloads Raccoon Stealer and Avaddon Ransomware. Read more about ransomware trends.

phishing example spoofs a voicemail delivers htm attachment to perform credential theft

TYPE: Credential Theft

DESCRIPTION: Stop me if you’ve heard this one. A spoofed voicemail notification uses an attached .htm file to mimic a Microsoft page to steal credentials. Voicemail notification phish are nothing new, but still reach users regularly.

phishing example delivers remcos rat using an xxe archive

TYPE: Malware – Remcos

DESCRIPTION: Self-quarantines and remote work arrangements seem like a recipe for increased deliveries and this phish takes advantage of that. Another logistics company spoof offers an invoice as a lure. In a rare twist, the attack delivers a .xxe archive that contains GuLoader, which will install the Remcos Remote Access Trojan.

phishing example uses box.com to deliver ursnif malware

TYPE: Malware – Ursnif

DESCRIPTION: Another attack relying on trust in a popular cloud storage provider. This one includes a link to a .js file that downloads and executes Ursnif. Are we having trust issues?

phishing example delivers password-protected zip to install icedid banking trojan

TYPE: Malware – IcedID

DESCRIPTION: If it is protected by a password, it must be secure. That’s the lure this attacker uses to convince the recipient to open the attached .zip archive, enable the macros in the provided Microsoft Office document, and install the IcedID trojan. It’s a blast from the past, as we wrote about password-protected ZIP files in phishing attacks way back on 2011.

phishing example spoofs small business administration sba with coronavirus theme to perform credential theft

TYPE: Credential Theft

DESCRIPTION: While we hoped to get through an entire week’s blog without a COVID-19 example, it wasn’t meant to be. This phish pretends to be from the US Small Business Administration with details about an approved funding request. The embedded URL leads to a credential phishing page. Recipients should keep their mouse at least 6 feet away from the link.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Threat Actors Bypass Gateways with Google Ad Redirects

By Dylan Main and Harsh Patel, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that attempts to steal Office 365 login credentials by luring employees to accept a new Terms of Use and Privacy Policy. This new campaign has been seen across multiple organizations and uses advanced techniques to garner employee login credentials, including a Google Ad Services redirect to fool email gateways.

Figure 1: Headers

The originating IP in the headers of this email proved its source was coming from a legitimate account with the ‘from’ address “info@jtpsecurity[.]co[.]za” It appeared as though this email address was compromised and then used to send the phish to multiple employees. The word “security” in the from address could potentially lull the user into trusting the email’s origin.

Figure 2: Email Preview

At first glance, the user will see “This message was sent with High Importance.” Again, the from address contains the word security and the subject talks about a “Recent Policy Change,” creating urgency to click and handle the matter immediately.

The email body talks about accepting the newly updated “Terms of Use & Privacy Policy.” Also, it notes how this new policy will affect personal data and discontinue all active services on the user’s account. Curious users will likely want to “Learn More.”

Figure 3 shows the URL embedded in both buttons, “Accept” and “Learn More”:

Figure 3: URL redirect of the buttons

As seen in the above figure, the threat actor has utilized a Google Ad Services redirect to pilot users to their phish. This suggests that the threat actor(s) may have paid to have the URL go through an authorized source. In turn, this easily bypasses secure email gateways and exposes employees to the phish.

Upon clicking on either button, users are redirected to a duplicate of the real Microsoft page at the URL:

hXXps://microsoftoffice-servicepolicy-onlineserver[.]comisys[.]host/common/oauth2-authorize

 On this page users are presented with a pop up of the privacy policy the email mentions. In this window there are two notable logos as well, a Microsoft logo and the user’s company’s logo, in a bid to make this page appear that much more legitimate. Scrolling through the text box you can see the Privacy Statement was taken from Microsoft’s website.

Figure 4: First Page of the phishing attack

After accepting the updated policy, the user is then redirected to a Microsoft login page, which impersonates the Office 365 login page. An employee who enters their credentials and clicks “Next” will have sent the Threat Actor(s) their Microsoft credentials and compromised their account.

Figure 5: Second Page (The actual phishing)

Following the login page, users find further reason to believe the update is legitimate, one more box saying, “We’ve updated our terms.” Upon clicking the “Finish” button, they’ll be all set.

Figure 6: Third Page (Post entering credentials)

Last step: users are redirected to the legitimate Microsoft page, their Service Agreement, to complete the scam. Nothing malicious here!

Figure 7: Final Page (Official Microsoft site)

LEARN MORE about the Cofense Phishing Defense Center. See how the PDC’s managed phishing response and remediation stops the phishing attacks that elude email gateways.

Indicators of Compromise:

Network IOCs IP  
hxxps://www[.]googleadservices[.]com/pagead/aclk?sa=L&ai=C3seiJpC5XstooZGJBrPArsADp__a3lyH_4PTjAqoqKfonA8QASC7-_keYISV7IXcHaABzavQ-gPIAQmpAt6UwcHeNU0-qAMByANKqgTEAU_Q2dNvWCQ_LtumFUNLEz16PFVhg8cC3HmYEdlxma4KWUfGkvbdLFpKvCC92odSoiBTw9idw1iHRgreOTD1xyzoBBif4axm3JFTnekl_2_OeuLDQv0U_HzVVt10Iu5SkzsX6nGWyfUgPHIgJkxJqY4me8SG8d0nlmJ8PumQhJhze02bPmqEr4puzh2awPAoHoVPQ7QaXlbeJvf4W7Wexg1RGQ0EqMY8Z7YLfyh6tceagXiYGwWU1r3H9HuiISfj4G-RYYTABM-Sru2hAsAFBfoFBgglEAEYAJAGAaAGLoAHm9SvBYgHAZAHAqgHjs4bqAeT2BuoB7oGqAfw2RuoB_LZG6gHpr4bqAfs1RuoB_PRG6gH7NUbqAeW2BuoB8LaG9gHAMAIAdIIBggAEAIYGoAKAZALA5gLAcgLAYAMAeAS_6jY_crtxomjAdgTDg&ae=1&num=1&cid=CAMSeQClSFh3L5xTIDfFt35D8xjVEHFCYXr5NOlTRany4t_BBsFsAp3b7XCD0nSBKDirzhPVamy0H75uzx6gQxh5_rKDAlBAJWTUCf1Tqi6saFbojDtHd_R8dtCePj4ZvH0zHZWyRITLXvztggY2ibrWY9oLm5X8Wcuetvk&sig=AOD64_0L9hd4oCjDoroDTf6-7Fkon2bwsw&ctype=5&client=ca-pub-1169945711933407&adurl=https%3A%2F%2Fmicrosoftoffice-servicepolicy-onlineserver[.]comisys[.]host172[.]217[.]7[.]226
hxxps://microsoftoffice-servicepolicy-onlineserver[.]comisys[.]host/198[.]23[.]137[.]146
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Found in Proofpoint-Protected Environments – Week Ending July 26, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. Reply chain attacks are of particular note this week, as attackers use existing email discussions to lend a sense of legitimacy to their phish. Cofense saw these Zombie Phish last year and they continue to find success.

phishing example of a voicemail theme credential theft

TYPE: Credential Theft

DESCRIPTION: Here’s a voicemail-themed attack that includes a partial transcript – just enough to lure the recipient into clicking. Doing so leads to a Google Forms page that captures and exfiltrates login credentials. Voicemail spoofs aren’t new. Cofense has been blogging about them for some time

example phish spoofing tax forms for credential theft

TYPE: Credential Theft

DESCRIPTION: With due dates for taxes extended thanks to the COVID-19 situation, tax-themed phish are still effective. Posing as a Human Resources representative, this phish uses Infogram URLs to capture email login credentials.

phishing example of a reply chain attack using emotet to download qakbot

TYPE: Malware – QakBot

DESCRIPTION: Over a year ago, Cofense wrote about Emotet and its use of compromised emails to perform reply-chain attacks. This example uses an attached PDF with links to a macro-laden Microsoft Office document to deliver first Emotet and then QakBot.

phishing sample poses as an invoice but links to the pyrogenic stealer malware

TYPE: Malware – Pyrogenic

DESCRIPTION: Another example of reply-chain tactics to trick a recipient into following the embedded links to the Pyrogenic Stealer malware. This one uses a finance theme spoofing an Accounts Payable department.

sample phish uses an image link to deliver agent tesla malware

TYPE: Malware – Agent Tesla

DESCRIPTION: No one wants to miss a sale, and the attackers know it. They use a quotation theme to lure the recipient into clicking the image link to download the Agent Tesla keylogger, a piece of malware we covered last year.

phishing example of a quarantine theme credential theft

TYPE: Credential Theft

DESCRIPTION: Knowing users are becoming better trained to detect phishing attempts and to rely on existing security mechanisms, the attackers behind this phish spoof an email quarantine service to encourage the recipient to click and give up their credentials. Can your users tell the difference between your organization’s quarantine and a fake?

phish sample uses covid-19 pandemic theme to perform credential theft

TYPE: Credential Theft

DESCRIPTION: This last example for the week spoofs the Human Resources department using a Coronavirus theme to encourage the recipient to click the link and give up their credentials. Cofense put together a Coronavirus InfoCenter with numerous resources to help educate your organization on these threats.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Found in Proofpoint-Protected Environments – Week Ending July 19, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. Phishing threat actors continue to rely on tried-and-true methods to get their attacks into user inboxes. We discussed the latest trends recently on our Phish Fryday podcast.

example phish delivers LolKek ransomware with an xlsb attachment

TYPE: Malware – LolKek

DESCRIPTION: This phish uses an order theme spoofing Salesforce.com to deliver a Microsoft Excel Binary attachment (.xlsb). Within this file, macros are designed to download and install a recently discovered form of ransomware called LolKek. Excel Binary documents aren’t as common in general usage, but come in handy when working with large files. Or malicious attachments.

sample phish delivers Remcos remote access trojan via image link

TYPE: Malware – Remcos

DESCRIPTION: This contract-themed phish delivers an image link designed to look like an attached Microsoft Office document. Instead, it downloads a document crafted to exploit CVE-2017-11882, download a VBS script, which downloads a PowerShell script. That script then unpacks and loads a DotNET Loader that runs the Remcos Remote Access Trojan. That’s a long way of saying system compromise.

phishing example spoofs world health organization to deliver credential theft link

TYPE: Credential Theft

DESCRIPTION: Taking advantage of the current pandemic, this phish spoofs the World Health Organization to convince the recipient to click the link. Doing so prompts for credentials including “Gmail, Office, Yahoo, AOL, Outlook, and ‘other’” and then directs to a Google Drive-hosted PDF. Despite the official looking sender and logo, the body is rife with grammatical errors.

phishing example performs credential theft via image link

TYPE: Credential Theft

DESCRIPTION: Claiming to provide an attached statement, this phish uses a linked URL masquerading as a PDF attachment to direct the recipient to a Microsoft SharePoint-hosted page designed to steal credentials. Cofense continues to cover the use of trusted cloud services for untrustworthy purposes.

phishing sample delivers dridex malware via zipped attached word document

TYPE: Malware – Dridex

DESCRIPTION: This invoice-themed phishing attack promises a booking invoice but delivers a macro-enabled Microsoft Word document inside a ZIP archive. Those macros lead to the installation of the Dridex malware.

phish example spoofs HR to deliver credential theft via embedded link to sharepoint

TYPE: Credential Theft

DESCRIPTION: Still getting used to remote work? Attackers hope so, attempting to trick recipients into following their trusted Microsoft SharePoint links to a nasty end. In this case, a credential harvesting page. Cofense has put together a number of tips to help you defend your remote workers.

example phish with fax theme delivers credential theft with an htm attachment

TYPE: Credential Theft

DESCRIPTION: Just the fax, ma’am. This fax-themed phish encourages the recipient to open the attached .htm file. The file is designed to look like a Microsoft login page. The attacker is hoping to capture the login credentials of the recipient.

example phish that delivers an embedded URL for credential theft

TYPE: Credential Theft

DESCRIPTION: The Coronavirus theme is still getting some mileage among attackers. This one includes an embedded URL that will try and steal credentials for “Outlook, Office365, Gmail, Yahoo, and ‘other’” services. After providing credentials, the recipient is sent to a legitimate-looking PDF in an attempt to reduce suspicion.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Invoice Themed Phishing Emails Are Spreading from Trusted Links

By: Kian Mahdavi, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) is seeing continued growth in phishing attacks which harvests users’ credentials via genuine file-sharing websites, which are found in environments protected by Proofpoint’s Secure Email Gateway (SEG). A huge factor in this campaign is the confidence users have in emails containing the “trusted” Dropbox reference.

It is tricky for SEGs to keep up with attempts to spread phishing attacks and malware via sharing services such as Dropbox, ShareFile, WeTransfer, Google Docs, Egnyte and even SharePoint. Fortunately, a few of our clients’ users reported the phishing emails via the Cofense Reporter button.

The “traditional” methodology for attackers was to “break in.” Nowadays, they easily can “login,” thanks to sharing sites.

Figure 1 – Body of email showcasing the victory of this attack tying in with user interaction

The spear phishing attack sends a link requesting users to access a purchase order form with a (.pdf) extension. Upon clicking, the attack automatically redirects the user to their default web browser, requesting to click the “Download” button. The website will begin the download inside the “Downloads” folder. Nothing sinister going on, right?

The ‘sent addresses’ TLD – “actionsportsequipment[.]com” – coincidentally relates to the nature of the client’s industry; this demonstrates the extent the attackers went to, in a bid to slip through the “secure” environment. One must question themself: “Was I expecting this transfer?” and “Am I expecting to receive a purchase order from this sender?”

Moreover, since the emails have been authenticated against Dropbox’s internal servers, the emails pass basic email security checks such as DKIM and SPF.

Figure 2 & 3 – Downloadable purchase order file

Once the download has been completed, the user is prompted to open the (.html) link assuming the “purchase order” form would appear, however upon clicking, the campaign redirects the user to a supposed “Microsoft” login page.

In this case, the attackers used the free website builder “Weebly.com” … yet another legitimate source, further deceiving the security measures in place with trusted redirect domains and IPs which will naturally continue to be white-listed and deemed “safe” since millions of users share data with one another on a daily basis.

For this reason, the presence of the padlock appears, adding not only security on both parties, but also the illusion that the website is “secure.”

Figure 5 – Phishing site built by Weebly

Once credentials have been supplied, the campaign redirects the user to the authentic ‘office[.]com’ webpage, which could even be enough to assure users it was a genuine procedure. A user’s personal data could potentially be in the hands of the threat actor, assuming they logged in with their true Microsoft credentials.

Figure 6 – Redirect to Microsoft Office webpage  

Indicators of Compromise:

Network IOC IP
hXXps://www[.]dropbox[.]com/l/AADOPQGXtuDK03QYuvJqI0MbDlDxBTV28Cs
hXXps://www[.]dropbox[.]com/l/AAAtWq-LVZcqXBnFLinUi9rB3LpEijuPo78
162[.]125[.]6[.]1
hXXps://helpsupport0ffice20[.]weebly[.]com/ 199[.]34[.]228[.]53
199[.]34[.]228[.]54

LEARN MORE about the Cofense Phishing Defense Center. See how the PDC’s managed phishing response and remediation stops the phishing attacks that elude email gateways.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Found in Proofpoint-Protected Environments – Week Ending July 12, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. This week’s theme is financial – with a large number of invoice and purchase order lures designed to trick recipients into clicking links and attachments. We’ve documented these attack types for some time now.

TYPE: Credential Theft

DESCRIPTION: Mail storage-themed phish have been used for some time to frighten recipients into clicking the link so their email account isn’t suspended. This attack, in Chinese, directs the recipient to a credential harvesting page customized with the recipient’s email domain name, lending a sense of veracity to the site.

TYPE: Credential Theft

DESCRIPTION: This finance-themed attack uses the ever-popular Microsoft OneDrive to host a malicious OneNote document that steals Office365 credentials before redirecting the recipient to a real Microsoft page, delaying the recognition that they were just targeted.

TYPE: Credential Theft

DESCRIPTION: Keeping with the finance theme, this attack delivers an embedded URL that leads to a credential harvesting page. Proof that if the lure looks good, the recipient can be tricked into clicking.

TYPE: Credential Theft

DESCRIPTION: This is getting repetitive, but another finance-themed attack spoofing a popular brand to convince the recipient to click. This attack targets banking credentials, potentially giving the attackers access to the bank account of the recipient.

TYPE: Malware – Pyrogenic

DESCRIPTION: Last week’s attackers really had money on their minds. This invoice-themed attack uses image links pretending to be invoices to drive the recipient to download the Pyrogenic stealer malware.

TYPE: Malware – Agent Tesla

DESCRIPTION: This attack uses a purchase order theme to deliver an attached .html file that will direct the recipient to download the Agent Tesla malware. We discussed this malware earlier this year on our Phish Fryday podcast.

TYPE: Malware – Dridex

DESCRIPTION: Another invoice, another piece of malware. This time the attacker uses a macro-enabled Microsoft Excel file to deliver the Dridex malware. Are you sure you want to enable macros?

TYPE: Malware – Ursnif

DESCRIPTION: This Italian invoice-themed attack forces the victim through a few steps, which were designed with SEG evasion in mind. A password-protected .zip file is delivered, with password provided, which contains a macro-enabled Microsoft Office document. From there, the Ursnif malware is downloaded and deployed. Arrevaderci, baby.

TYPE: Malware – ZLoader

DESCRIPTION: A simple invoice. A simple .xls attachment. A complex attack that uses Microsoft Excel macros and a VBS downloader to install ZLoader on the recipient’s machine. We blogged about this tactic a few weeks ago.

TYPE: Malware – Agent Tesla

DESCRIPTION: Agent Tesla continues to be a popular threat delivered via phishing emails. This attack uses a purchase order theme to entice the recipient into clicking the embedded link to download this malicious keylogger extraordinaire.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Practitioners Report the Need for Layered Email Security

By: Edward Amoroso, CEO and Analyst, TAG Cyber

In a recent survey, a majority of practitioners agreed on the need for protection that augments email gateways to deal with phishing attacks.

As phishing has become more prevalent and sophisticated, security experts have focused more on securing endpoints and email, the latter being the simplest way into an organization’s network. While cyber security teams have numerous defensive controls, according to a recent industry survey conducted jointly by TAG Cyber and Cofense, experts agree that deployed controls such as secure email gateways (SEGs) are necessary as a first line of defense but, on their own, aren’t sufficient to keep attackers from exploiting the endpoint.

On July 22, 2020, TAG Cyber and Cofense will present a webinar to discuss the survey results and present phishing defense strategies for companies who want to increase their efficacy against phishing attacks. You can learn more about the webinar and register here.

The survey asked security practitioners to answer the following question: Our security team sees phishing emails get past our Secure Email Gateway (SEG) at the following rate:

  1. Never
  2. Daily
  3. Weekly
  4. Monthly
  5. Hourly

Conducted by email and web and targeted at mid-to-senior level security practitioners, the survey concluded that 50% of organizations report that phishing emails bypass deployed SEGs daily. One respondent, the Chief Information Security Officer of a major financial institution, replied, “SEGs are getting much better at blocking emails with links and forms, but spam asking for money or hardware or simply probing for valid email addresses still get through at a daily rate.”

Another respondent, also a CISO at a financial firm responded, “Phishing emails will always get through. I don’t think any SEG is going to be 100% effective, or even 75%, because there are so many variables that can be changed to evade detection. We accept this to be true, and therefore have other controls…that can block access to the links once clicked, isolation that can render pages inert, or visual cues to indicate to the employees that the e-mail might not be safe.”

The remaining 50% of respondents reported that phishing emails bypass SEGs weekly (26%) and monthly (24%). Frank Abelson, President of Navitend, which provides managed services, including security to business and government customers, agreed that a layered approach is recommended. “Many of our clients combine gateway solutions with additional controls such as training to protect their inboxes from phishing,” he said.

Aaron Higbee, CTO of Cofense, sees this as an opportunity. “We have known for years that human detection combined with automation is necessary to protect employees from phishing attacks,” he said. “We are not surprised that this TAG Cyber survey found attacks leaking into enterprise inboxes.”

To learn more about the survey’s results and layered phishing defenses, register for the webinar.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

HMRC latest target in global COVID relief phishing campaigns

By Jake Longden, Cofense Phishing Defense Center

Taxes and rebates have long been some of a phisher’s favorite targets. Now the coronavirus has provided a fresh new way to exploit this topic: the government grants designed to help small businesses and those out of work due to the pandemic.

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign in the U.K. that aims to harvest HMRC (Her Majesties Revenue and Customs) credentials and sensitive personal information by preying on employees who are expecting COVID relief grants.

With multiple world governments providing such grants, this is an easily modifiable tactic—simply modify the email to spoof the target country’s tax service.

Figure 1: Email Header

To add authenticity to the email, the threat actors have used an email address (hmrc@hotmail.com) with the impersonated organization in the name and set the name to match (HM Revenue & Customs). That, combined with the subject line, is a great way to attract the user’s interest (“Helping you during this covid from government”). Whilst this sentence is not using the greatest grammar, who wouldn’t want government assistance during these difficult times?

Figure 2: Email Body

When first viewing the email, the user is presented with a notification that the government is offering between £2500 and £7500 in tax grants for those whose work has been affected by the virus. The email includes a link to check their eligibility. With the government publicly and repeatedly mentioning such sums,  the email is believable to inattentive users. The attacker also mentions the “Open Government License v3.0,” a legitimate copyright license used by the Government and Crown Services, to provide additional credibility.

Figure 3: Phishing Page

Once the link is clicked, the user is presented with a realistic clone of the GOV.UK website. This may alleviate concerns a user may have and provide a false sense of security, as the page is extremely similar to the HMRC account sign-in page. The biggest red flag: the URL, just-bee.nl, is not relevant.

Figure 4: Phishing Page

Figure 5: Phishing Page

Here the user is asked to enter some very personal and sensitive data. Another sign that this is a scam: the volume and sensitivity of data requested far exceeds what is required to sign into a legitimate account. The data requested here screams “identity theft/impersonation.”

From there, the user is directed to a page that seems to be loading, to help provide the impression that the data is being processed and an eligibility check performed.

Figure 6: Processing Page

 

Network IOC IP
hXXps://www[.]lagesports[.]com/[.]tmb/xml[.]php 69[.]10[.]32[.]186
hXXps://rtoutletpremium[.]com[.]br/[.]well-known/pki-validation/UTR/index[.]php 162[.]241[.]182[.]5

 

How Cofense Can Help

Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots and YARA rules as we continue to track campaigns.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

New Covid-19 Phish Abuses Tax Relief Act to Steal Credentials

By Ashley Atkins, Cofense Phishing Defense Center

For the past few months, the Cofense Phishing Defense Center (PDC) has observed numerous phishing campaigns associated with the coronavirus (COVID-19) pandemic.  These COVID-19-themed phish come in various forms and tend to prey on those fearful of contracting the disease as well as those who are in dire need of economic relief. Recently, the PDC identified a unique version that deserves an overview.

For this attack the user received a malicious email impersonating the US Department of Revenue with the subject: CARES Relief Certificate. The message body references information regarding the 2019 185 Act that has received attention in media outlets and social platforms. Upon researching the Act, it is highly likely the attacker copied that information from a website, made minor changes and created this phishing email, as seen in Figure 1 below.

Figure 1: Email Body

At a glance, this email simply informs users of the tax provisions adopted from the CARES Relief Act and outlines the details regarding it. It also mentions a deadline for applying, and that in order to apply users must fill out an attached secure document. One thing to note, this email arrived a few days after the stated deadline in the email. This may be intentional on the threat actor’s part in order to instill a sense of urgency in users – “you’re late and the deadline has passed!” However, some users may be pressed enough to attempt to apply, thinking it is worth a shot if it could mean receiving relief during this pandemic.

Many obvious red flags are present in this email. Besides the unsightly format, grammatical errors and random property address, the most evident red flag is the sender’s address. The attacker has abused AWeber’s email marketing service. AWeber’s use of SenderID authentication results in the “From” line showing as “Department of Revenue <state=lrs-gov[.]tk[@]send[.]aweber[.]com> on behalf of Department Of Revenue <state[@]lrs-gov[.]tk>”. When reviewing the domain, it seems to read as “Irs” (IRS), but the first letter is actually a lower-case L. The use of the .tk top-level domain (TLD) is worth noting as well. This TLD is the country code for a New Zealand territory called Tokelau. It is also free and one of the top TLDs used in phishing attacks.

Should users go so far as to download and open the “secure” HTML attachment, they are presented with a typically formatted Microsoft login page. This may appear odd, as the threat actor has impersonated a well-known and trusted entity such as the US Department of Revenue.

The fake Microsoft login page prompts for the standard username and password.

Figure 2: Phishing Page

Once credentials are submitted, a PHP script sends the stolen information to the attacker. The HTML’s source code attempts to bypass URL detection by using base tags that splits the malicious URLs into two sections.

Figures 3- 5: Source Code

Network IOCs IP
hxxps://youdiaddy[.]ml/api/api[.]php? 192[.]236[.]194[.]247
hxxps://ijodaddy[.]cf/api/api[.]php? 23[.]254[.]230[.]115

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.