By Julie Hall and Dylan Duncan,
Cofense IntelligenceTM has detected a Russian language credential phishing campaign, spoofing a well-known financial organization, that delivers a malicious PDF to end users. The phishing campaign spoofs the Commonwealth of Independent States (CIS), a legitimate post-Soviet nations organization portal, and claims to offer ruble compensation. The is delivered with a blank phishing email containing a PDF file that includes a redirect link to a Russian language phishing site. Cofense has observed the phish making its way through Microsoft’s EOP Secure Email Gateway and it may have bypassed others.
Notably, all domains that Cofense Intelligence has recorded in this campaign contain valid certificates and were recently registered between November 19th and December 1st, 2019. Figure 1 presents the phishing email that contains no context, just a PDF attachment.
Figure 1: Phishing Email
Using a simplistic and blank email generally results in only curious, unsuspecting recipients being automatically directed to the phishing portal. However, in this phishing scenario, once the PDF is opened, the recipient is presented with an image and a link, as shown in Figure 2.
Figure 2: PDF File
Clicking the hyperlink, which requests the end user to review a document, redirects to a phishing site, as shown in Figure 3. The phishing attack consists of multiple steps. The spoofed financial service claims to offer eligible citizens monetary compensation; however, they are only given a limited time frame to register their claim. To claim the compensation, visitors must submit a bank card number and a Voila (cryptocurrency token). After providing the information, users are prompted to pay a randomly generated fee before receiving the compensation.
Figure 3: Landing Page of Phishing Attack
As a false sense of authenticity, every 30 to 60 seconds the site generates one of 10 pop-ups claiming that a user has received compensation (see Figure 4). Also, the site accepts all inputs and does not conduct any validation; therefore, all visitors are at risk of navigating their way through all of the steps. This combination of techniques—the limited time frame, spoofing of a legitimate organization, a large compensation offer, and the registered domains with valid certifications—create a sense of legitimacy and builds excitement and urgency for recipients. These Tactics, Techniques, and Procedures (TTPs) cloud judgment and lower the victim’s guard.
Figure 4: Received Compensation Pop-Up
In the file upssels.js, the domain clickpay24[.]tv is used as an API to accept the direct payments from the users. After completing each step of the phish, recipients are redirected to a payment site generated by clickpay24. The generated URLs follow the path az-payout.com[.]com/buy/<16 Integers> with random integers.
Preventing certain email-borne intrusions involves security awareness as the first line of defense. Alongside automated anti-phishing tools, educating company personnel on new phishing trends is the best way of countering a campaign such as this.
Table 1: Domains associated with the campaign
|h-formpay-a[.]top||November 19, 2019|
|x-a[.]top||December 1, 2019|
|Luckyclick[.]best||November 24, 2019|
|m-f1[.]top||December 1, 2019|
|c3p-cl[.]club||November 29, 2019|
|o-k-f.aadfk[.]top||November 28, 2019|
|m-go[.]top||November 11, 2019|
Every day, the Cofense Phishing Defense Center analyzes phishing emails that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology.
Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 34008.
Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.