Tag Archive for: phishing

Phishing in the Wild II

OVERVIEW
Phishing events are commonly seen in the public, so Proficio’s threat intelligence team often has opportunities to research different types of phishing activity. On 13th November 2020, a client requested assistance with a phishing incident that had occurred within their environment.

In this blog, we share some of the findings from our own deep-dive investigations into the HTM spear-phishing email campaigns.

PHISHING DETAILS
In this type of phishing attempt, the adversary sends the victim a spear-phishing email with an HTM (.htm) file attachment containing a URL link. Based on the team’s investigation of the reported incident, clicking the phishing link redirects the victim to a phishing page hosted on another domain.

In this incident, the phishing link was observed to be hosted on the domain “bayleafinternational[.]com” and, upon clicking, the page would be redirected to the domain “laikipianorthtvc[.]ac[.]ke”. However, by 18th November 2020, the redirected phishing domain had been taken down, so instead of the first observed site “laikipianorthtvc[.]ac[.]ke”, the link would redirect the user to the domain “altia[.]in”. A Whois lookup (Figure 1) was performed on the first redirected link “laikipianorthtvc[.]ac[.]ke” and, based on the updated date, the site was likely taken down on 16th November 2020.

Figure 1 – Sample phishing domain

The team further investigated the redirected phishing link. Simulating access to the phishing domain displays a phishing page that resembles a Microsoft login page (Figure 2). Upon entering the credentials, we noticed that the phishing site would redirect the victim to a URL on the same domain with a URL path containing “/complete?ss=2”. In the incident that we were investigating, the user was redirected to the request URL “hxxps://altia[.]in/complete?ss=2”. An HTTP POST request could also be identified upon submitting the credentials (Figure 3).

Figure 2 – Redirected fake login page

Figure 3 – Test access with response code

Similar phishing activities were also found in the wild, with our research suggesting that this phishing campaign appears to have started as far back as 1st September 2020; it is likely this phishing campaign is still ongoing. We have noticed that multiple domains were being used in this phishing campaign, but some of the used and older pages have since been taken down.

Comparing the phishing activities observed with those seen in the wild, aside from the same fake Microsoft login page being used, the phishing links appear to share similar naming formats, as follows:

  • Initial URL from email
    • <domain>/<base64-encoded victim’s email address>
  • Redirected phishing page
    • <phishing domain>/?ss=2&ea=<victim email address>&session=<session ID>
  • Redirected complete page
    • <phishing domain>/complete?ss=2

MITRE ATT&CK FRAMEWORK
The following ATT&CK mapping is based on the investigated incident:

  • Reconnaissance [TA0043]
    • Technique: Phishing for Information: Spearphishing Link [T1598.003]
    • Use: The phishing email contains an HTM file with a phishing link that leads to a fake login page used to steal credentials.
  • Defense Evasion [TA0005]
    • Technique: Masquerading: Match legitimate name or location [T1036.005]
    • Use: The phishing email uses an HTM file whose file name contains the client’s domain.
  • Initial access [TA0001]
    • Technique: Phishing: Spearphishing Link [T1566.002]
    • Use: The adversaries utilize spear phishing emails and redirect victims to credential harvesting sites.

PRECAUTIONARY MEASURES
Anyone can fall victim to a phishing attack. Cybercriminals often try to catch unsuspecting individuals by sending a phishing email from reputable or known users that recipients wouldn’t expect to be compromised. It is advisable to safeguard yourself and your organization to avoid being the next victim of phishing attacks and credential theft. We recommend that organizations consider the following measures if this has been seen within their environment.

  • Educate your employees and users to improve cybersecurity awareness.
    • Remind users to report any suspicious emails received, even from other employees, to their cyber-security team.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Always verify any suspicious emails through a different channel such as calling the supposed sender for verification.
  • If your organization is expecting legitimate emails from the senders, filter by email subjects and quarantine emails sent from those compromised senders to anyone outside of an expected recipient list.
  • Reach out to any legitimate sender that appears to have their account(s) compromised and instruct them to take action to secure their account(s).
  • Make use of Multi-Factor Authentication to secure email and other user credentials.
  • Make use of network segmentation alongside the zero-trust model.

Typeform Phishing Campaign

OVERVIEW
In recent years, phishing campaigns have come in different types and forms. Attackers are known to utilize free online tools and a variety of methods in the hope of harvesting credentials from victims.

On 16 August 2020, a relatively new spear-phishing campaign was detected which appears to utilize a free online tool – Typeform. The attacker created and hosted fake online forms to harvest victims’ credentials.

In this blog, we share some of the findings from our own deep-dive investigations into the attack activities that we have observed.

PHISHING DETAILS
Our investigation showed that victims would receive variants of emails, which can contain a URL link or an attachment that would redirect the victim to a phishing page. The phishing pages observed would inform the victim about a document that was sent through OneDrive in a PDF format.

Figure 1 – An example of phished email received

From our investigation, we have seen events where, upon a successful phishing attempt, the compromised host would subsequently be used to broadcast the phishing email to all other employees using the organization’s email domain.

We have also seen events where the victim opened the phished PDF attachment, in which the PDF would display a Microsoft-labelled document with an “Open in OneDrive” button. Our investigation shows that clicking the button redirects to a phishing subdomain in Typeform with domain names such as

  • “hXXps://document-signonline[dot]typeform[dot]com”
  • “hXXps://microsofonedrive6575[dot]typeform[dot]com”.

Figure 2 – An example of the attachment

Further investigation by the team revealed interesting network behaviour. Once the user has reached the phishing site and starts filling in the phishing form, the page loads a URL on the domain ending with “/start-submission”. The phishing form first prompts for the user’s email address and then their password. Once the credentials are filled in, a button is displayed for the user to click in order to send the inputs and view a document on the website. Clicking the button loads a URL on the domain ending with “/complete-submission”. Observing this traffic represents a complete cycle in which the victim has accessed the phishing site and provided credentials to it.

DETECTION AND DISCOVERY EFFORTS
Proficio’s Threat Intelligence Team collected several different IOCs to identify potential access to the phishing sites. The IOCs include URL parameters and IP addresses.

The most notable indicator of accessing the phishing page was the sequence of redirections that occur after clicking the initial phishing link. Based on this, we were able to identify potential phishing attempts with higher certainty despite the limited visibility allowed for an MDRP/MSSP like Proficio.
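
The redirect-sequence indicator described above can be checked mechanically against proxy logs. The following is an added example, not Proficio's tooling: it classifies URLs by the Typeform path endings named in this post and by the URL formats listed in the “Phishing in the Wild II” post on this page, then reports how far each client progressed in order. The log layout, the `.example` hosts, the Typeform subdomain and every sample row are constructed.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

EMAIL_RE = re.compile(r"^[^@\s/]+@[^@\s/]+\.[^@\s/]+$")
TYPEFORM_HOST_RE = re.compile(r"(^|\.)typeform\.com$", re.I)


def decode_b64_email(segment):
    """Return the address if a path segment is base64 of an e-mail, else None."""
    padded = segment + "=" * (-len(segment) % 4)  # links may drop the padding
    try:
        text = base64.b64decode(padded, altchars=b"-_", validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if EMAIL_RE.match(text) else None


def classify(url):
    """Map one URL to (campaign, stage, victim_email) or None if it fits no format."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)
    if TYPEFORM_HOST_RE.search(host):
        if parts.path.endswith("/start-submission"):
            return ("typeform", 1, None)
        if parts.path.endswith("/complete-submission"):
            return ("typeform", 2, None)
        return None
    if query.get("ss") == ["2"]:
        if parts.path.rstrip("/").endswith("/complete"):
            return ("htm", 3, None)                 # <phishing domain>/complete?ss=2
        if "ea" in query and "session" in query:
            return ("htm", 2, query["ea"][0])       # /?ss=2&ea=...&session=...
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) == 1 and not parts.query:
        email = decode_b64_email(segments[0])       # <domain>/<base64 e-mail>
        if email:
            return ("htm", 1, email)
    return None


def progress(log_lines):
    """Return {(client, campaign): {"stage": n, "victims": set}} for in-order hits."""
    reached = {}
    for line in sorted(log_lines):  # ISO-8601 timestamps sort chronologically
        _ts, client, url = line.split(maxsplit=2)
        hit = classify(url)
        if hit is None:
            continue
        campaign, stage, victim = hit
        state = reached.setdefault((client, campaign), {"stage": 0, "victims": set()})
        if stage == state["stage"] + 1:  # advance only along the described sequence
            state["stage"] = stage
            if victim:
                state["victims"].add(victim)
    return {key: state for key, state in reached.items() if state["stage"] > 0}


B64_SAMPLE = base64.b64encode(b"alice@corp.example").decode()
SAMPLE_LOG = [  # constructed rows: timestamp, client IP, requested URL
    f"2020-11-13T09:00:01Z 10.0.0.5 https://lure.example/{B64_SAMPLE}",
    "2020-11-13T09:00:03Z 10.0.0.5 https://login.phish.example/?ss=2&ea=alice@corp.example&session=abc123",
    "2020-11-13T09:00:40Z 10.0.0.5 https://login.phish.example/complete?ss=2",
    "2020-11-13T09:05:00Z 10.0.0.7 https://constructed-form.typeform.com/forms/x1/start-submission",
    "2020-11-13T09:06:00Z 10.0.0.9 https://intranet.corp.example/complete?ss=2",  # no earlier stage
]

if __name__ == "__main__":
    for key, state in progress(SAMPLE_LOG).items():
        print(key, state["stage"], sorted(state["victims"]))
```

A Typeform match only shows that some form on that subdomain was started or submitted, so compare the host with the link in the reported email before escalating.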

From our investigation, this campaign appears to target organizations rather than random individuals, as we observed the phishing emails being sent to multiple employees within an organization together in one wave. Even if the emails were blocked, there were no repeated attempts to send the emails to the targets. This campaign does not appear to target any specific industry sector.

PRECAUTIONARY MEASURES
This could happen to any of us working in any organization: we could unexpectedly receive a phishing email sent by reputable or known users that had been compromised. It is advisable to safeguard yourself and your organization to avoid being the next victim of phishing attacks and credential theft. We recommend that organizations consider the following measures if this has been seen within their environment.

  • Educate your employees and users to improve cybersecurity awareness.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate users to report any suspicious emails received, even from other employees, to their cyber-security team.
  • Always verify any suspicious emails through a different channel such as calling the supposed sender for verification.
  • If your organization is expecting legitimate emails from the senders, filter by email subjects and quarantine emails sent from those compromised senders to anyone outside of an expected recipient list.
  • Reach out to any legitimate sender that appears to have their account(s) compromised and instruct them to take action to secure their account(s).
  • Make use of Multi-Factor Authentication to secure email and other user credentials
  • Make use of network segmentation alongside the zero-trust model

Phishing in the Wild

OVERVIEW
It’s no secret that phishing is one of the most common types of cyberattacks, both to individuals and organizations. According to the 2020 Verizon Data Breach Investigation Report, one out of four breaches involved phishing. So when Proficio’s Threat Intelligence Team received a client request, asking for assistance with a phishing incident, we conducted a thorough investigation on the specific threat actor. Below we share the key findings from our deep-dive investigation, including the hooks used and key targets for this campaign.

PHISHING CAMPAIGN DETAILS
The threat actor appears to be utilizing compromised user accounts within the targeted organization to send out phishing emails to internal contacts within their mailing list. We observed that such phishing emails sent by the legitimate, but compromised, user accounts would contain a download image that resembles the original PDF download button (Figure 1).

Figure 1 – Sample email received

Proficio’s Threat Intelligence Team dissected the email received, observing the below PCAP from a simulated access attempt against the download link (Figure 2). While the download button masquerades as an attachment, it appears to be a request URL link. The threat actor employs pretty standard social engineering “hooks” to create a false sense of urgency with words such as “advise ASAP”. The purpose, of course, is to lure the victim into quickly clicking on the button without thinking too much.

Figure 2 – Sample PCAP of email received

Our analysis of the PCAP file (generated upon clicking on the download image seen in the email) reveals a redirect to an external request URL. Simulated access against the external request URL in a controlled environment reveals a redirect to a website with a “CLICK HERE TO VIEW” button. This phishing “hook” resembles a secure document intended for the victim to access.

Figure 3 – Simulated access to request URL

If a victim clicks on the “CLICK HERE TO VIEW” button, they would be directed to a fake Microsoft login page. When we input fake credentials into the login page, the adversary directs the user to an error page and requests for the credentials to be submitted again. We believe that the second credential request is meant to direct the user to the real Microsoft login page, a setup very similar to those practiced by other phishing campaigns. There are no other redirections observed subsequently.

Figure 4 – Fake Microsoft login page

DETECTION AND DISCOVERY EFFORTS
Proficio’s Threat Intelligence Team collected several different IOCs to identify potential access to the phishing sites. The IOCs include known domains, IP addresses and a unique URL parameter used in this phishing attempt.

Our investigation revealed that this campaign targets organizations rather than random individuals, as we observed that the phishing emails were sent to multiple employees within an organization together in one wave. Our analysis and study of the threat actor’s infrastructure and TTPs reveal that the threat actor conducting the phishing campaign appears to be interested in targeting specific geographic regions. We have identified the presence of several interesting strings such as “AUSTRALIA” and “YANKEE” used by the threat actor in their request URLs to organize their data depending on the geographic region associated with their target.

During our extensive investigations, we discovered that the phishing emails were sent to multiple clients and contained multiple different phished domains whose URLs end with “/DOCUMENT.html”. Simulated access to all the discovered sites exhibits the same redirection behaviour. Most of the identified activity was from inbound phishing emails. In most cases, we did not identify any click-through traffic that would indicate a potentially successful phishing attack.

While the threat actor appears to be interested in only a few geographic regions, they do not appear to target any specific industry sector. We have identified multiple clients who have received emails from this phishing campaign. The sectors targeted by the threat actor most frequently were:

  • Healthcare
  • Commercial Services
  • Real Estate

We will continue to keep an eye out for other phishing campaigns and intrusions that could be associated with this particular threat actor.

PRECAUTIONARY MEASURES & RECOMMENDATIONS
Phishing remains a popular attack vector because it continues to work very effectively. Anyone could receive phishing emails, and they could be sent by reputable or known users that were unknowingly compromised. It is advisable to take proactive steps to safeguard you and your organization to avoid being the next victim of a phishing attack or credential theft. We would recommend organizations to consider the following measures to protect themselves from phishing attacks.

  • Educate your employees and users to improve cybersecurity awareness.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate users to report any suspicious emails received, even from other employees, to their cyber-security team.
  • Always verify any suspicious emails through a different channel such as calling the supposed sender for verification.
  • If your organization is expecting legitimate emails from the senders, filter by email subjects and quarantine emails sent from those compromised senders to anyone outside of an expected recipient list.
  • Reach out to any legitimate sender that appears to have their account(s) compromised and instruct them to take action to secure their account(s).
  • Make use of Multi-Factor Authentication to secure email and other user credentials
  • Make use of network segmentation alongside the zero-trust model

“Voicemail” Phishing Campaign

OVERVIEW
On February 28th, the Proficio Threat Intelligence Team identified a new spear-phishing campaign that pretends to be sending a voicemail to targeted recipients.

In this blog, we share some of the findings from our deep-dive investigations into the attack activities that we have observed for this campaign.

PHISHING DETAILS
The attack starts with a phishing email pretending to send the recipient a voicemail. The email has a sender address starting with “voice@” and a subject containing text such as “New VM was sent” or “Voice Receiver”. The email contains a URL link which when clicked, redirects the recipient to a phishing page that resembles a Microsoft login page. The victim’s credentials are then stolen when entered and submitted on the fake login page.

Figure 1 – An example of the fake login page (a) and real (b)

The initial phishing attempt is merely the first step of the adversary’s intrusion attempt. After successfully gaining user login, the threat actor responsible uses the credentials obtained to conduct a targeted spear phishing campaign against other employees within the victim’s organization.

DETECTION AND DISCOVERY EFFORTS
Proficio’s Threat Intelligence Team gathered and researched a number of different IOCs to identify potential access to the phishing sites. The IOCs included email subject strings, known domains, URL parameters and IP addresses. These IOCs were used to kickstart the detection and discovery phase of our threat hunting campaign. We identified several potential victims and performed deep-dive investigations on each potential victim identified.

The most notable and useful indicator we generated was the sequence of redirections that occurred after clicking the initial phishing link. Such activity strongly indicated a successful access attempt to the phishing page by the victim(s), and we were thus able to identify potentially successful phishing attempts with a high level of confidence despite the limited visibility of the dataset at our disposal.

Our investigations indicate that this campaign appears to focus on targeting organizations rather than random individuals, as we observed that the phishing emails were being sent to multiple employees within an organization together in a single wave. The adversary does not appear to be targeting any specific organization as there were no repeated attempts to send the emails to the targets even if the emails were blocked or did not result in a successful click-through.

No specific industry sector was targeted; we identified several victims of this campaign, all from different sectors:

  • Banking and Financial
  • Technology
  • Commercial Services
  • Real Estate
  • Healthcare

All clients that we identified as having successful click-through activity in this phishing campaign have been notified. If you would like to know more about this campaign and what we have found, please reach out to your Client Success Manager or Security Advisor.

FUTURE PRECAUTIONARY MEASURES
Such phishing campaigns are not uncommon, and have increased in the past month, with multiple phishing campaigns using COVID-19 to lure victims. The use of COVID-19 as a phishing hook has been very effective in generating click-throughs for attackers’ phishing campaigns. To avoid being the next victim of credential theft, you can put in place safeguards to protect yourself and your organization from phishing attacks.

We would recommend the following measures:

  • To improve cybersecurity awareness, educate your employees and users.
  • To prevent malicious content from reaching users and reduce the chance of a possible compromise, apply content filters on email gateways and systems.
  • If any suspicious emails are received, report them to your security team so they can notify other employees in the organization of the threat.
  • Always verify such suspicious emails through a different channel.

Black Friday Threats

Targeted threats against shoppers and retailers alike are on the rise, especially with Black Friday coming up.

As the volume of shopping increases for the 2016 holiday shopping season, shoppers need to arm themselves with knowledge regarding account takeovers targeting their bank information using Phishing, Smishing, Spam and Malvertising methods.

Retailers also need to be mindful of their risks. New POS malware methods are now being used to steal consumer credit/debit card data. With the considerable number of shoppers on Black Friday and beyond, retailers will need to be on high alert this holiday season.

Learn more about the methods used by cyber criminals to exploit both shopper and retailer vulnerabilities to stay cyber secure this holiday season.

METHOD: Scammers Use Breached Personal Data in Phishing Campaigns

Scammers often use a wide spectrum of social engineering methods when persuading potential victims to follow the desired course of action. Recent campaigns are using details gathered in mass breaches such as passwords, email addresses, and other personal information gained from past data compromises. Examples of such scams include:

1) Personalized Porn Extortion Scam
This campaign involves the sender claiming to have evidence of the recipient’s porn viewing activities and then demanding payment in exchange for “suppressing” the evidence. The scammer has also been observed using personal information about the recipient beyond just the name, such as a real password the recipient used that was discovered in a data breach dump. Attackers have also been observed claiming to have RDP (remote desktop protocol) access to your computer as a means to watch you while you browse pornography sites. The scam often demands payment via non-trackable cryptocurrency like Bitcoin and describes this as “privacy fees.” The real user password used in the scam was likely obtained in one of the mass data breaches that include email addresses, passwords, and other personal information.

2) Data Breach Lawsuit Case
In this case, the scammer utilizes the victim’s phone number to prove that the victim has sensitive data that was leaked. The scammer poses as an entity that is preparing to sue the company that allegedly leaked the data:

“Your data is compromised. We are preparing a lawsuit against the company that allowed a big data leak. If all our clients win a case, we plan to get a large amount of compensation and all the data and photos that were stolen from the company. For example, we write to your email and include part your number ****** from a large leak.”

The sender’s objective is to solicit additional personal information from the victim under the guise of preparing the lawsuit, possibly requesting the social security number, banking account details, etc.

Proficio Threat Intelligence Recommendations:

  • Enable spam filters to recognize emails from suspicious sources and prevent them from reaching the inbox of employees.
  • Do not email or reply to the scammers.
  • Paying only highlights that you are vulnerable, and you may be targeted by the scammers again.


Target – FAPD Phishing HIPAA Breach

On June 1st, the Florida Agency for Persons with Disabilities (FAPD) disclosed that a phishing attack had compromised a single email account. The email account contained information that included PHI of over 1,951 customers and/or guardians. Although no evidence was gathered that indicated the information was accessed, FAPD could not completely rule out that it had been. As a result, FAPD is providing the potentially affected patients with breach credit monitoring services for the following year for free.

The Proficio Threat Intelligence Recommendations:

  • Implement multi-factor authentication for email access of users that may access ePHI
  • Validate that auditing has been enabled to prove what emails were accessed during a user session
  • Limit email access to IP addresses geolocated within the organization’s place of business
