This blog originally appeared in September 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022.
A new campaign is attempting to harvest credentials from several businesses across industry verticals using the European Union’s General Data Protection Regulation (GDPR) compliance as a lure. This phishing message, first caught by Area 1 Security on August 31st, leverages misconceptions regarding GDPR compliance in an effort to steal email login credentials from unsuspecting targets.
The phish uses a classic tactic of creating a false sense of urgency to fool recipients into complying with the request. The attacker lures targets under the pretense that their email security is not GDPR-compliant and requires immediate action. For many who are not versed in GDPR regulations, this phish could be merely taken as more red tape to contend with rather than being identified as a malicious message.
As shown below, the attacker makes use of graphics and clever formatting to give the message a more credible, authoritative appearance. To maintain the illusion that the email originated from a legitimate source, the sender email address is spoofed to appear as an automated message from the security department of the targeted company. To keep the lure current, the attacker also regularly updates the compliance deadline, the “Action required” date included in the body of the message.
Based on Area 1 Security’s analysis, this campaign is predominantly launched at public-facing emails of the targeted companies, e.g. @.com. However, to a lesser extent, there are instances when individuals are targeted, typically executives and upper management. These individuals often work in the sales department, demonstrating the attacker is purposefully choosing targets who are likely to have access to client data and need to comply with GDPR regulations.
In the initial wave of the campaign, the attacker sent phishing messages from a Virtual Private Server (VPS) IP address belonging to ReadyIDC, 103[.]22[.]183[.]95. Using a VPS allows the attacker a greater degree of anonymity when conducting phishing campaigns since it is extremely difficult to pinpoint their physical location. They are able to leverage all the benefits of using a cloud-based service, as well as the ability to easily spin up new servers in the event that their IP address gets blocked or otherwise identified as phishing infrastructure.
A careful inspection of the headers in one of the first instances of this phish reveals a misstep by the threat actor when launching their campaign. As detailed below, despite successfully spoofing the visible FROM header, the envelope MAIL FROM address divulges that the attacker sent their malicious messages via a Gmail account.
MAIL FROM:<<redacted>@gmail.com>
From: noreplysecurityservices@<targeted company’s domain>
To: <public-facing targeted company’s email account>
Subject: User account security alert
Date: 31 Aug 2020 22:17:43 +0700
This mistake is quickly rectified in subsequent phishing messages, where the attacker successfully spoofs not only the visible From address but also the envelope MAIL FROM domain of the targeted companies. However, these “stealthier” messages expose yet another blunder, as evidenced by the presence of a “Disposition-Notification-To” header. This header indicates that read-receipts are enabled, meaning the attacker will be notified when a target opens the malicious email. This once again discloses the sender account, which happens to be the same Gmail address as identified in the first wave of the campaign.
On the second day of the campaign (September 1st) the attacker began inserting SMTP HELO commands to tell receiving email servers that the phishing message originated from the target company’s domain, when in fact it came from an entirely different origin. This is a common tactic used by malicious actors to spoof legitimate domains and easily bypass legacy email security solutions. Shown in the following headers, the true origin of the email is the IP address 196[.]53[.]250[.]243:
smtp.pra=noreplysecurityservices@<targeted company’s domain>; spf=None
smtp.mailfrom=noreplysecurityservices@<targeted company’s domain>; spf=None
smtp.helo=postmaster@<targeted company’s domain>
Received: from unknown (HELO <targeted company’s domain>) ([196[.]53[.]250[.]243])
by <redacted>.com with ESMTP; 01 Sep 2020 05:19:33 -0400
From: noreplysecurityservices@<targeted company’s domain>
To: <email of employee at targeted company>
Subject: Email User security alert
Date: 1 Sep 2020 16:19:07 +0700
The attacker switched to this IP address to launch the second wave of the campaign. Depicted below is a screenshot of a vulnerable and shoddy gaming site, Ran Smok, which is directly accessible via this IP (i.e., hxxp://196[.]53[.]250[.]243). The site links to various web pages that result in “Access denied,” and the IP address has been associated with numerous suspicious websites over the years. An analysis of available services running on the IP address reveals that port 25 (used by the Simple Mail Transfer Protocol, or SMTP) is in a filtered state, and is most likely how the attacker is sending the phishing messages. A closer look at the list of open ports on the IP address reveals a number of additional services that should never be exposed to the internet, leaving the host at this IP exceedingly vulnerable and all the more enticing to an attacker.
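The three header slips described above (envelope sender on a different domain from the visible From, a read-receipt header naming the real sender, and a HELO that claims the target's own domain from an outside IP) can be checked mechanically. The following is an added detection example, not Area 1 Security's code; it assumes the envelope MAIL FROM is preserved as a Return-Path header and that the target knows its own mail-server IPs, and the sample messages are constructed with placeholder domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples in the shape of the headers quoted in the post (placeholder
# domains and a documentation-range IP). Wave 1: the envelope sender, recorded
# here as Return-Path, is a Gmail account while From claims the target's domain.
WAVE1 = """\
Return-Path: <sender@gmail.com>
From: noreplysecurityservices@target.example
To: info@target.example

body
"""

# Wave 2: the envelope sender is spoofed as well, but a read-receipt header
# and a HELO claiming the target's domain from an unrelated IP remain.
WAVE2 = """\
Return-Path: <noreplysecurityservices@target.example>
Received: from unknown (HELO target.example) ([198.51.100.7])
  by mx.target.example with ESMTP; 01 Sep 2020 05:19:33 -0400
Disposition-Notification-To: sender@gmail.com
From: noreplysecurityservices@target.example
To: employee@target.example

body
"""

HELO_RE = re.compile(r"\(HELO\s+([^)\s]+)\)\s*\(\[?([0-9.]+)\]?\)")

def domain_of(value):
    """Lower-cased domain of the address in a header value ('' if absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def analyze(raw, our_domain, our_mx_ips):
    """Return the spoofing indicators found in one message's headers."""
    msg = message_from_string(raw)
    from_dom, env_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    findings = []
    if env_dom and env_dom != from_dom:
        findings.append(f"envelope sender domain {env_dom} != From domain {from_dom}")
    dnt_dom = domain_of(msg["Disposition-Notification-To"])
    if dnt_dom and dnt_dom != from_dom:
        findings.append(f"read receipt requested by foreign domain {dnt_dom}")
    for rcvd in msg.get_all("Received", []):
        m = HELO_RE.search(rcvd)
        if m and m.group(1).lower() == our_domain and m.group(2) not in our_mx_ips:
            findings.append(f"HELO claims {our_domain} from external IP {m.group(2)}")
    return findings
```

Run against real traffic, the HELO check is a cheap complement to SPF: it fires on exactly the wave-two pattern where SPF returned None for the spoofed domain.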
Analysis of Link
The malicious payload in this phish is a link to a credential harvester, located at hxxps://www[.]techgaia[.]com/wp-content/email/ID/sign_in/dc0b80571c76818f4f5916ff6668eyrtsaaadaf8/completesrvr/verification/Src/?email=. The value of the “email” parameter in the URL will vary depending on the recipient, wherein the threat actor tailors each phishing message by setting this parameter equal to the target’s email address. The link opens up to a simple web page, hosted on a compromised WordPress site, as shown below.
The HTML form on the malicious webpage autopopulates the username field based on the email address found in the URL’s “email” parameter. After clicking “Next,” the page will prompt the user to enter a password. Based on Area 1 Security’s analysis, the page appears to return an error regardless of whether the victim enters a correct password. Stolen credentials are then sent to the attacker via a script located at hxxps://www[.]techgaia[.]com//wp-content/email/ID/sign_in/dc0b80571c76818f4f5916ff6668eyrtsaaadaf8/completesrvr/verification/Src/l0gin[.]php.
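Links of this shape (a sign-in page under a WordPress content directory, hidden behind a long random path segment, with the recipient's own address passed in the query string) can be flagged before a user ever sees the form. This is an added example, not Area 1 Security's code; the sample URL is constructed with a placeholder domain and token, and the recipient address is assumed known from the message envelope.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed URL in the shape of the harvester link above (placeholder domain
# and token; not the real indicator).
SAMPLE = ("https://www.compromised-blog.example/wp-content/email/ID/sign_in/"
          "0123456789abcdef0123456789abcdef01234567/completesrvr/verification/Src/"
          "?email=jane.doe@target.example")

LOGIN_WORDS = re.compile(r"sign[_-]?in|l[o0]gin|verif|account", re.I)
LONG_TOKEN = re.compile(r"/[0-9a-z]{24,}/", re.I)

def harvester_indicators(url, recipient):
    """Return the heuristics that fire for a link, given the message recipient."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    hits = []
    # The kit pre-fills its username field from a query parameter that
    # carries the recipient's own address.
    for key in ("email", "user", "login"):
        if recipient.lower() in (v.lower() for v in query.get(key, [])):
            hits.append(f"recipient address passed in '{key}' parameter")
    # A sign-in page served from the WordPress content directory is an
    # uploaded kit, not the site's own login (that lives at /wp-login.php).
    if parts.path.startswith("/wp-content/") and LOGIN_WORDS.search(parts.path):
        hits.append("login-themed page under /wp-content/")
    # Kits sit behind a long random path segment so they are not crawled.
    if LONG_TOKEN.search(parts.path):
        hits.append("long random token in path")
    return hits
```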
Area 1 Security’s analysis revealed that www[.]techgaia[.]com is the older, now-defunct site for a revamped IT consulting services company. The site was running an outdated version of WordPress (version 4.9.7), making it susceptible to a number of vulnerabilities. Its content has since been removed, and navigating to the domain now results in an HTTP 301 redirect. The vulnerable nature of this site made it easy prey, providing the perfect opportunity for an attacker to insert themselves into the fray and leverage the historic legitimacy of the site to bypass detections. With the ease of compromising unmaintained, vulnerable WordPress sites, it will only take the attacker a matter of days (at most) to resume operations with a new, otherwise legitimate site. As a result, legacy vendors that rely on deny lists to block suspect messages will be one step behind the attacker.
Recommendations
For companies that deal with sensitive customer data, it is important to be knowledgeable in the latest data security and privacy regulations for the respective industry and region. New data privacy laws, such as the California Consumer Protection Act, are requiring businesses to ensure that consumers residing in California are able to opt out of data collection. All the while, GDPR currently remains the most stringent regulation in consumer data privacy. It is vital to communicate with all employees any updates regarding new protocols for handling Personally Identifiable Information (PII) to help ensure those in your organization do not fall victim to phishing attacks that rely on confusion from unclear or nonexistent communication regarding these regulations.
Additionally, it is imperative that employees understand the risks of clicking on unsolicited links and entering sensitive data into unauthorized login portals. However, current technology allows an attacker to easily create a phish that is a pixel-perfect forgery of a legitimate login page. Therefore, the safer, more secure option is to utilize a dedicated security solution; one that uses bleeding-edge technology to verify emails before they arrive in a user’s inbox, removing the risk of accidentally clicking a malicious link or file.
Area 1 Security’s advanced detection techniques, such as blind URL inspection, help stop phishing messages like those seen in this GDPR campaign from reaching customers’ inboxes. Our comprehensive anti-phishing solution includes sophisticated pattern-matching algorithms that allow us to uncover new tactics malicious actors are using to bypass legacy vendors and cloud email providers in real time versus waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time. This has many advantages over post-delivery retraction in that the user is never exposed to the attack.
Indicators of Compromise
Credential Harvesters:
Sender IP Addresses:
196[.]53[.]250[.]243
103[.]22[.]183[.]95