Microsoft 365 EOP
Cisco Ironport
By Ashley Tran, Cofense Phishing Defense Center
The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Cisco WebEx credentials via a security warning for the application, which Cisco’s own Secure Email Gateway fails to catch. In the midst of the COVID-19 pandemic, millions of people are working from home using a multitude of online platforms and software. Attackers, of course, know this and are exploiting trusted brands like WebEx to deliver malicious emails to users.
Targeting users of teleconferencing brands is nothing new. But with most organizations adhering to guidelines that non-essential workers stay home, the rapid influx of remote workers is prime picking for attackers trying to spoof brands like WebEx. We anticipate there will continue be an increase in remote work phishing in the months to come.
Here’s how this campaign works:
Figure 1: Email Body
For this attack, the threat actor sends an email with varying subject lines such as “Critical Update” or “Alert!” from the spoofed address “meetings[@]webex[.]com”. With the subject and mail content combined, this may gauge users’ curiosity enough to entice them click in order to take the requested action.
The email then explains there is a vulnerability the user must patch or risk allowing an unauthenticated user to install a “Docker container with high privileges on the system.” In this scenario, the threat actor has spoofed a legitimate business service and explained a problem with their software, prompting even non-technical readers to read further. The threat actor even links to a legitimate write-up for the vulnerability, found at the URL embedded into the text ‘CVE-2016-9223:
hxxps://cve[.]mitre[.]org/cgi-bin/cvename.cgi?name=CVE-2016-9223
The linked article uses the same words as the email, lending further credibility.
The only thing for a responsible user to do next is follow the instructions in the email and update their Desktop App, right?
Even if more cautious users hover over the ‘Join’ button before clicking, they could still very well believe it’s legitimate. The URL embedded behind it is:
hxxps://globalpagee-prod-webex[.]com/signin
While the legitimate Cisco WebEx URL is:
hxxps://globalpage-prod[.]webex[.]com/signin
At a first glance, both URLs look eerily similar. A closer look, however, reveals an extra ‘e’ is added to ‘globalpage.’ Likewise, instead of ‘prod.webex’, the malicious link is ‘prod-webex’.
To carry out this attack, the threat actor registered a fraudulent domain through Public Domain Registry just days before sending out the credential phishing email.
The attacker has even gone as far as obtaining a SSL certificate for their fraudulent domain to gain further trust from end users. While the official Cisco certificate is verified by HydrantID, the attacker’s certificate is through Sectigo Limited. Regardless of who verified the attacker’s certificate, the result is the same – a lock to the left of its URL that renders the email legitimate the eyes of many users.
Figure 2: Initial Phishing Page
The phishing page to which users are redirected is identical to the legitimate Cisco WebEx login page; visually there is no difference. Behavior-wise, there is a deviation between the real site and the fraudulent page. When email addresses are typed into the real Cisco page, the entries are checked to verify if there are associated accounts. With this phishing page, however, any email formatted entry takes the recipient to the next page where they then requested to enter their password.
Figure 3: Secondary Phishing Page
Once credentials are provided, users are redirected to the official Cisco website to download WebEx, which may be enough to convince most users it is a legitimate login process to update their WebEx app.
Figure 4: Legitimate Redirect Page – Official Cisco WebEx Download Page
At the time of writing, this fraudulent domain is still live and active. In fact, when navigating to the main domain, there is an open directory showing files the threat actor has utilized with this attack.
Figure 5: Open Directory
Files of interest include ‘sign-in%3fsurl=https%’ and ‘out.php’.
The file ‘sign-in%3fsurl=https%’ is the phishing page itself. When users click from this directory, they are redirected to the fraudulent WebEx login (Figure 3).
Figure 6: ‘out.php’ File
The ‘out.php’ file, seen in Figure 6, is the mailer the threat actor appears to have used to send this attack to users’ inboxes. The threat actor can manually input any subject they want – in this case, they chose “Critical Update!!”, adding the HTML for the email to the box below and designating an email list to which they wish to mass send this campaign.
With many organizations quickly adopting remote working policies, threat actors are poised to continue to spoof brands that facilitate virtual collaboration and communication, such as teleconferencing tools and cloud solutions. Learn more how phishing awareness training can help your organization defend against changing phishing threats.
Indicators of Compromise:
Network IOC | IP |
hxxps://globalpagee-prod-webex[.]com/signin | 192[.]185[.]214[.]109 |
How Cofense Can Help
Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolves. Our site is updated with screenshots and YARA rules as we continue to track campaigns.
Every day, the Cofense Phishing Defense Center (PDC) analyzes phishing emails that bypassed email gateways, 75% of which are credential phish.
Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 37308 and received YARA rule PM_Intel_CredPhish_37308. Cofense Intelligence customers who would like to keep up with the Active Threat Reports and indicators being published, all COVID-19 campaigns are tagged with the “Pandemic” search tag.