
Franken-phish: TodayZoo built from other phishing kits

October 21st, 2021

A phishing kit built from pieces of code copied from other kits, some of them sold through publicly accessible scam sellers and others reused and repackaged by kit resellers, provides rich insight into the state of the economy that drives phishing and email threats today. We uncovered this phishing kit while examining an extensive series of credential phishing campaigns that all sent credentials to a set of endpoints operated by the attackers.

We named the kit “TodayZoo” because of its curious use of these words in its credential harvesting component in earlier campaigns, likely a reference to phishing pages that spoofed a popular video conferencing application. Our prior research on phishing kits told us TodayZoo contained large pieces of code copied from widely circulated ones. The copied code segments even have the comment markers, dead links, and other holdovers from the previous kits.

Today’s phishing attacks operate on a landscape fueled by an evolved service-based economy filled with efficient, reliable, and profitable offerings. Attackers who wish to launch a phishing campaign may rent their resource and infrastructure needs from phishing-as-a-service (PhaaS) providers, who do the legwork for them. Alternatively, they can make a one-time purchase of a phishing kit that they can “plug and play.”

That’s not to say that attackers who build their kits from the ground up are at a disadvantage. If anything, the abundance of phishing kits and other tools available for sale or rent makes it easy for a lone wolf attacker to pick and choose the best features from these kits. They put these functionalities together in a customized kit and try to reap the benefits all to themselves. Such is the case of TodayZoo: because of the consistency in the redirection patterns, domains, and other techniques, tactics, and procedures (TTPs) of its related campaigns, we believe that the actors behind it came across an old phishing kit template and replaced the credential harvesting part with its own exfiltration logic to make TodayZoo solely for their nefarious purposes.

Since the first observed instances of the TodayZoo phishing kit last December, large email campaigns leading to it have continued without significant pause. Our analysis of its phishing page artifacts, redirection routines, and domain generation algorithm (DGA) methods for the initial sites helps ensure that Microsoft Defender for Office 365 effectively protects customers from the said campaigns.

Microsoft tracks unique phishing kits, phishing services, and other components used in phishing to better protect customers from malicious emails at a larger scale. Combined with our monitoring of individual credential campaigns and the latest evasion techniques, our research into kits and services provides us with a better understanding of the structure of phishing email messages. Such threat intelligence and insights, in turn, feed into our protection technologies, such as Defender for Office 365 and Microsoft 365 Defender.

This blog post details some of the technical aspects of a phishing campaign based on the TodayZoo kit. It also provides information about “DanceVida,” a potential parent family of kits based on a shared resource link, and how it and other historical patterns figure in TodayZoo’s code structure.

What’s in a kit?

A “phishing kit” or “phish kit” can refer to various parts of a set of software or services meant to facilitate phishing. The term refers most commonly to an archive file containing images, scripts, and HTML pages that enable an attacker to quickly set up an undetectable phishing page and collect credentials through it. However, “phishing kit” can also be used to refer specifically to the unique page itself that spoofs a brand and interacts with a user, collects the user’s credentials, and posts them to an asset the attacker owns.

Phishing kits are generally split into the following major components based on function:

  • Imitation: These components help make the login pages appear legitimate. These can include imagery to imitate welcome banners, as well as dynamically generated logos and branding that are fetched based on the target’s email address. These components may also include legitimate links and “help” or “password reset” buttons that navigate cautious users out of the page and onto legitimate sites.
  • Obfuscation: These components hide the pages’ true purpose from scanners or automated security detection systems. Obfuscation techniques can be through encoding or individual functions designed to make the extraction of resources more difficult. Obfuscation can also include anti-sandboxing resources on the page or on the site that are called to enforce geofencing, CAPTCHAs, and others.
  • Credential harvest: These components facilitate the entry, collection, and exfiltration of the credentials the target user provides. These components also include information about where said credentials are sent, how they are stored, and which sites the user is sent to after giving their credentials.

These components are seen in the TodayZoo phishing kit, which we will discuss in the following sections.

Breaking down a TodayZoo-based phishing campaign

The use of the TodayZoo phishing kit was initially seen in December 2020. Then, in March 2021, we observed a series of phishing campaigns abuse the AwsApps[.]com domain to send the email messages that eventually directed users to the final landing pages, leading us to examine the kit more closely. As of this writing, we have already notified Amazon about the abovementioned abuse in their domain, and they promptly took action.

The attackers created malicious accounts at scale. Initially, the sender emails appeared with randomly generated domain names such as wederfs76y3uwedi3uy89ewdu23ye87293eqwhduayqw[.]awsapps[.]com. This contrasts legitimate emails—and even some spoofed phishing ones—where the subdomain would represent a company hostname.

The email message itself was relatively simple: it impersonated Microsoft and leveraged a zero-point font obfuscation technique in an attempt to evade detection. For example, in the early iterations of their campaign, the attackers used the <ins></ins> tags to insert the date of the message every few characters invisibly, as shown below:

Screenshot of HTML code showing zero-point font technique

Figure 1. Example of zero-point font obfuscation to insert the date into the HTML code of the email message
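As an added example (not code from the original post), the following Python script shows the defender's side of the zero-point font trick described above: it parses an HTML email body, discards text inside elements whose inline style sets the font size to zero, and returns the text a recipient actually sees, along with the hidden fragments. The sample body, the use of `<ins style="font-size:0">` and the date value inside it are constructed assumptions about how such a message looks; the post does not publish the kit's exact HTML.

```python
# Added example (not from the original post): recover the visible text of an
# HTML email that pads its lure with zero-point-font fragments, so that
# text-based lure detection runs on what the recipient sees.
from html.parser import HTMLParser
import re

# Matches a zero font size in any common unit: "font-size:0", "font-size: 0pt", "0px", "0em"
_ZERO_FONT = re.compile(
    r"font-size\s*:\s*0(?:\.0+)?\s*(?:pt|px|em|rem|%)?\s*(?:;|$)", re.IGNORECASE
)


class ZeroFontStripper(HTMLParser):
    """Collects visible text while setting aside text inside zero-point-font elements."""

    def __init__(self):
        super().__init__()
        self.visible = []        # text fragments the recipient can read
        self.hidden = []         # fragments hidden by a zero font size
        self._hidden_depth = 0   # > 0 while inside a hidden element
        self._stack = []         # (tag, started_hidden_region) for each open element

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        hidden = bool(_ZERO_FONT.search(style))
        self._stack.append((tag, hidden))
        if hidden:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed void elements like <br>
        while self._stack:
            open_tag, hidden = self._stack.pop()
            if hidden:
                self._hidden_depth -= 1
            if open_tag == tag:
                break

    def handle_data(self, data):
        if self._hidden_depth > 0:
            self.hidden.append(data)
        else:
            self.visible.append(data)


def strip_zero_font(html: str):
    """Return (visible_text, hidden_fragments) for an HTML email body."""
    parser = ZeroFontStripper()
    parser.feed(html)
    parser.close()
    visible = re.sub(r"\s+", " ", "".join(parser.visible)).strip()
    return visible, parser.hidden


def is_zero_font_padded(html: str, min_fragments: int = 2) -> bool:
    """Flag bodies carrying repeated invisible fragments, a sign of zero-point font padding."""
    _, hidden = strip_zero_font(html)
    return len(hidden) >= min_fragments


# Constructed sample: a password-reset lure with a date inserted every few
# characters inside <ins> tags at zero font size (assumed markup, not the kit's own).
SAMPLE_EMAIL = (
    '<p>Your pass<ins style="font-size:0">10/21/2021</ins>word will exp'
    '<ins style="font-size:0">10/21/2021</ins>ire today. <a href="#">Keep current '
    'pass<ins style="font-size: 0px">10/21/2021</ins>word</a></p>'
)

if __name__ == "__main__":
    text, hidden = strip_zero_font(SAMPLE_EMAIL)
    print(text)      # what the recipient sees
    print(hidden)    # what a naive text extractor would have mixed into the words
```

Run against the raw HTML, a plain text extractor would yield "Your pass10/21/2021word will exp10/21/2021ire today", which defeats keyword matching on "password"; the stripper restores the phrase and the count of hidden fragments doubles as a detection signal on its own.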

The social engineering lures in the message body changed repeatedly over the months. Campaigns in April and May used password reset themes, while the more recent campaigns in August leveraged fax and scanner notifications.

Screenshot of email used in this campaign

Figure 2. Example of an email lure leading to TodayZoo phishing kit

Regardless of the lure, the following attack chain is consistent, with initial and secondary redirectors, a final landing page, and a credential harvesting page. Below is a sample of TodayZoo’s attack chain URLs:

  • Initial redirector: hxxp://2124658742[.]ujsd[.]pentsweser[.]com//fhwpp8sv[.]#aHR0cHM6Ly9saW1lc3RvbmVzbS5jb20vZWRmaC5rZXJmcS8jbm8tcmVwbHlAbWljcm9zb2Z0LmNvbQ==
  • Secondary redirector: hxxps://limestonesm[.]com/edfh.kerfq/#no-reply@microsoft[.]com
  • Final landing page: hxxps://fra1[.]digitaloceanspaces[.]com/koip/25_40_24_5E_40_26_40_26_28_29_23_23_5E_23_24_26_5E_25_26_40_5E_28_23_26.html#no-reply@microsoft[.]com
  • Credential harvesting page: hxxps://nftduniya[.]com/cas/vcoominctodayq[.]php

The initial and secondary URLs are either compromised or attacker-created sites and serve as redirectors to funnel the more extensive set of URLs used in the emails to the final landing page where the phishing kit is hosted. The initial URL used infinite subdomains, a previously discussed technique that allows attackers to use a unique URL for each recipient while only purchasing or compromising one domain. The initial URL was also deliberately malformed, with multiple forward slashes at the demarcation between host and path, and the portion after the # character carried the secondary URL, encoded along with the recipient’s email address.
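To make the chain above concrete, here is an added triage helper (written for this page, not code from the post or from the kit) that unpacks one TodayZoo-style initial redirector URL: it refangs the indicator, checks for the leading numeric label and the ujsd subdomain, detects the double slash at the host/path boundary, and base64-decodes the fragment to recover the secondary redirector and the recipient address it carries. The input is the initial redirector published above; the trait names and the triage rule are this example's own.

```python
# Added example (not from the original post): unpack a TodayZoo-style initial
# redirector URL into the observable traits the attack chain relies on.
import base64
import binascii
import re
from urllib.parse import urlsplit


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."), flags=re.IGNORECASE)


def decode_redirector(defanged_url: str) -> dict:
    """Return the traits of an initial redirector URL (keys are this example's naming)."""
    url = refang(defanged_url)
    parts = urlsplit(url)
    host = parts.hostname or ""
    labels = host.split(".")
    # Infinite-subdomain marker: an all-digit leading label on a purchased base domain
    numeric_lead = bool(labels) and labels[0].isdigit()
    base_domain = ".".join(labels[-2:]) if len(labels) >= 2 else host
    # Malformed path: an extra forward slash at the host/path demarcation
    double_slash = parts.path.startswith("//")
    # The text after '.#' is the base64-encoded secondary URL
    secondary = recipient = None
    try:
        decoded = base64.b64decode(parts.fragment, validate=True).decode("utf-8")
        sec_parts = urlsplit(decoded)
        if sec_parts.scheme in ("http", "https") and sec_parts.netloc:
            secondary = decoded
            # The recipient address rides in the secondary URL's own fragment
            if "@" in sec_parts.fragment:
                recipient = sec_parts.fragment
    except (binascii.Error, UnicodeDecodeError, ValueError):
        pass  # fragment is not base64 or not a URL: leave both fields unset
    return {
        "host": host,
        "base_domain": base_domain,
        "numeric_lead_label": numeric_lead,
        "ujsd_label": "ujsd" in labels,
        "double_slash_path": double_slash,
        "secondary_url": secondary,
        "recipient": recipient,
    }


def looks_like_todayzoo_redirector(traits: dict) -> bool:
    """Triage rule (this example's own): double slash plus a decodable secondary URL in the fragment."""
    return traits["double_slash_path"] and traits["secondary_url"] is not None


# Initial redirector from the attack chain in the post, as published (defanged)
SAMPLE = (
    "hxxp://2124658742[.]ujsd[.]pentsweser[.]com//fhwpp8sv[.]#"
    "aHR0cHM6Ly9saW1lc3RvbmVzbS5jb20vZWRmaC5rZXJmcS8jbm8tcmVwbHlAbWljcm9zb2Z0LmNvbQ=="
)

if __name__ == "__main__":
    traits = decode_redirector(SAMPLE)
    for key, value in traits.items():
        print(f"{key:20} {value}")
    print("todayzoo-like:", looks_like_todayzoo_redirector(traits))
```

Decoding the fragment yields exactly the secondary redirector listed in the chain, with no-reply@microsoft.com appended after its own #, which is why the per-recipient tracking survives the hop without any server-side state: the recipient is carried in the URL itself.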

In almost every instance of the TodayZoo-based campaign we’ve seen, the final landing page is hosted within the service provider DigitalOcean. This page bears a few tangible differences from a standard Microsoft 365 sign-in page. Notably, it has not substantially changed in appearance from the start of the year to the time of publication of this blog. This lack of change is because, despite the numerous changes in the delivery method, lures, and sites used as indicators of attack (IOAs), the TodayZoo kit stayed nearly identical with only a few strings changing.

Screenshot of phishing page where credentials are stolen

Figure 3. An example of TodayZoo’s fake sign-in page in August 2021

There was little of the obfuscation component within the TodayZoo kit: the landing page’s source code plainly revealed where the stolen credentials would be exfiltrated, which was another compromised site whose harvesting page ended in TodayZoo.php. Typically, credential harvesting pages process the credentials and forward them to additional email accounts owned by sellers or purchasers of the kit for collection later. It’s unusual for campaigns to store the credentials locally on the site itself.

Screenshot of code for credential harvesting

Figure 4. An excerpt from the TodayZoo HTML source depicting credential exfiltration

It should be noted that based on our analysis, the file name TodayZoo.php appears to be derived from a previous version of the phishing kit whose credential processing page ends in Zoom.php. The said version also has markers like “Today Zoom Meetings,” indicating that it was initially targeting users of a popular video conferencing application.

The succeeding TodayZoo-based campaigns follow the attack kill chain pattern and source code discussed above. While TodayZoo.php was used for the first few months of operation, the most recent harvesting pages have kept the word “today” but now may use vcoominctodayq.php instead.

The attackers have also moved from abusing a single legitimate mailing service to compromising mailing service accounts for their email campaigns. However, they maintain specific leftover character patterns in their URL paths and subdomains that work with the other TTPs described.

Piecing the puzzle

Typically, phishing kits that are resold or reused have indicators of multiple actors using them through their generated email campaigns. For example, these campaigns will have varying redirection techniques and hosting domains for their final landing pages. In the case of TodayZoo, as previously mentioned, there is consistency in the patterns, domains, and TTPs of the related campaigns. While many phishing kits are attributed to a wide variety of email campaign patterns and, conversely, many email campaign patterns are associated with many phishing kits, TodayZoo-based pages exclusively utilized the same email campaign patterns, and any of those subsequent email campaigns only surfaced TodayZoo kits. These lead us to believe that the actors behind this specific TodayZoo implementation are operating on their own.

Within the source code of the TodayZoo landing page we analyzed, there were several static references at the very start to external sources. Generally, these external links help a phishing kit properly imitate the login page and other branding elements of the site they are spoofing. However, in TodayZoo’s case, many of these site connections were “dead links” and did not serve a relevant function within the page. Littered throughout the source code as well were various markers like <!-- FORM 1111111111111111 --> and <!-- FINISHHHHHHHHHHHHHHHHHHHHH -->. Some portions of the source code also used different languages in different sections, which clearly indicates which sections had been replaced.

Upon further investigation, we identified the dead links and markers as holdovers from many other commoditized kits available for free or purchase. We then compared TodayZoo with other phishing kits we have analyzed previously and found that even these kits also contained references to sites like Dancevida[.]com but would have different code blocks for their obfuscation or credential harvest components.

Screenshot of TodayZoo code showing references to DanceVida

Figure 5. An excerpt from a TodayZoo landing page source code referencing DanceVida[.]com

The DanceVida connection

“DanceVida” is more of a code block than a full-fledged phishing kit. As such, kits that use DanceVida are rather diverse in their delivery, lures, and location because they are directly for sale on various forums under kit-naming schemas, as well as under a wider variety of landing page templates, including document download pages. Most of the credentials that the DanceVida-based kits’ harvesting pages gather are exfiltrated to accounts using free email services, such as GMail, Yahoo!, and Yandex.

One of the more notable kits that also references DanceVida and shares components with what we observed in the TodayZoo credential phishing campaigns is “Office-RD117,” which is related to an online seller known as “Fud Tool.” This seller also offers other phishing kits and email and SMS delivery tools on various forums and other websites.

Screenshot of FUD Tool website

Figure 6. Screenshot of the now-defunct Fud Tool website from the Wayback Machine Internet Archive

It is interesting to note that when analyzing the Office-RD117 kit, we also saw signatures from multiple sellers within its packaged resources. There are also instances of dead links, such as a reference to a GitHub account that was only live for less than a day in January 2020 (the said account is still carried over to kits online as of this writing). This goes to show that even commercially available phishing kits reuse and repurpose elements from other ones. Such mixing and matching also make it quite challenging to determine where one kit ends and another one begins.

Comparing TodayZoo with DanceVida and other kits

In the case of TodayZoo, we observed that its implementations only match the larger superset of kits referencing DanceVida at about 30-35%. As seen in the figures below that compare a TodayZoo sample with a randomly selected DanceVida sample, both initially have similar structure and pieces of code until TodayZoo deviated in the credential harvesting component:

Screenshots comparing source code for DanceVida and TodayZoo phishing kits

Figure 7. A comparison of DanceVida and TodayZoo kits, showing matching source codes

Screenshots comparing source code for DanceVida and TodayZoo phishing kits

Figure 8. A comparison of DanceVida and TodayZoo kits showing highly similar source codes. Note how TodayZoo has changed its variables.

Screenshots comparing source code for DanceVida and TodayZoo phishing kits

Figure 9. A comparison of DanceVida and TodayZoo kits showing slightly different implementation for credential posting

To further illustrate the “Frankenstein’s monster” characteristic of TodayZoo, the table below expands the comparison of one of its current phishing pages with Office-RD117, as well as with four other landing pages. These landing pages are unattributed to specific operators and reference DanceVida or use the same credential-harvesting POST statements. While all these samples share code segments in their imitation, obfuscation, or credential harvesting components, they each still have unique elements that differentiate them.

Table comparing different phishing kits and their similarity with TodayZoo

Table 1. Similarity areas and percentages of related phish kits to a recent TodayZoo sample

Visual representation of similarity of code between TodayZoo and other phishing kits

Figure 10. Graphical representation of the similarity areas of related phish kits to a recent TodayZoo sample

The above comparisons show a history of alterations and suggest the existence of a “core” set of code being reused by these phishing kits. They are also reminiscent of how remote access Trojans (RATs) and other malware families are continuously retooled by threat actors yet retain large chunks of code across the board.

How threat intelligence enriches anti-phishing technologies in Microsoft Defender for Office 365

Our analysis of TodayZoo, DanceVida, and other phishing kits gives us several insights into the underground economy today. First, this research further proves that most phishing kits observed or available today are based on a smaller cluster of larger kit “families.” While this trend has been observed previously, it continues to be the norm, given how phishing kits we’ve seen share large amounts of code among themselves. The continued presence of dead links and callbacks to other kits indicates that many phishing kit distributors and phishing operators have easy access to these existing kits and use parts of them to make new ones faster.

Secondly, our research shows that the players in the cybercrime economy count on a lack of examination of their products. Whether that is a bane or a boon on their part depends on how the products’ code is implemented. For example, an unchecked reused kit that still calls back to its original creator with copies of stolen credentials potentially translates into the equivalent of a passive income for the said creator.

Insights such as those presented above enrich our protection technologies. Our intelligence on unique phishing kits such as TodayZoo, phishing services, and other components of phishing attacks allows Microsoft Defender for Office 365 to detect related campaigns and block malicious emails, URLs, and landing pages. Combined with Defender for Office 365’s use of machine learning, heuristics, and advanced detonation technology, such intel also makes it possible to detect kits that attempt to leverage techniques from one or multiple codes, even before a user receives the email or interacts with the content.

Threat intelligence about the latest trends in the phishing landscape also feeds into other Microsoft security solutions, such as Microsoft Defender SmartScreen, which blocks phishing websites and malicious URLs and domains in the browser, and Network protection, which blocks connections to malicious domains and IP addresses. Advanced hunting capabilities allow analysts to search for phishing kit components and other IOAs.

Organizations can configure the recommended settings in Microsoft Defender for Office 365, such as applying anti-phishing, Safe Links, and Safe Attachments policies. These ensure real-time protection by scanning at the time of delivery and at the time of click. They can further strengthen their protection with Microsoft 365 Defender, which correlates signals from emails, endpoints, and other domains, delivering coordinated defense.

Learn how you can stop credential phishing and other email threats through comprehensive, industry-leading protection with Microsoft Defender for Office 365.

Visit our National Cybersecurity Awareness Month page for more resources and information on protecting your organization year-round. Do your part. #BeCyberSmart

 

Microsoft 365 Defender Threat Intelligence Team

 

Advanced hunting queries

Emails with TodayZoo operator patterns

Use this query to find emails sent that utilize additional forward slashes at the path and domain split point and utilize the TodayZoo operators’ patterns in the path and the subdomain structure. TodayZoo operators occasionally store URLs in the attachment, so this query would not surface those instances.

EmailUrlInfo
| where Url matches regex "(ujsd)?\\.[a-z]+\\.com\\/\\/.+\\.#"

Endpoint activity where TodayZoo patterns redirect to DigitalOcean

Use this query to find endpoint network connections that match the TodayZoo operators’ URL patterns (additional forward slashes at the domain and path split point and the ujsd subdomain structure) or that reach digitaloceanspaces.com, and to surface devices that contacted two or more such domains within the same hour.

DeviceNetworkEvents
| where RemoteUrl matches regex "(ujsd)\\.[a-z]+\\.com\\/\\/.+\\.#" or RemoteUrl endswith "digitaloceanspaces.com"
| extend Domain = extract(@"[^.]+(\.[^.]{2,3})?\.[^.]{2,12}$", 0, RemoteUrl)
| summarize dcount(Domain), make_set(Domain) by DeviceId, bin(Timestamp, 1h), InitiatingProcessFileName, InitiatingProcessCommandLine
| where dcount_Domain >= 2
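For readers without a Microsoft 365 Defender tenant at hand, the following added Python script (not part of the post) renders the endpoint hunting query above over a handful of constructed DeviceNetworkEvents-style rows: the same regex as the KQL, the DigitalOcean Spaces suffix check, a one-hour bin per device and initiating process, and the “two or more distinct domains” threshold. Two simplifications are assumptions of this example: the domain is taken from the URL’s hostname rather than the KQL extract() tail-matching regex, and the suffix check is applied to the hostname so that both bare hosts and full URLs match; the sample rows reuse domains published on this page with shortened, constructed paths.

```python
# Added example (not from the original post): a Python rendering of the
# endpoint hunting query, run over constructed DeviceNetworkEvents-style rows.
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Same pattern as the KQL query; single backslashes because this is a Python raw string
TODAYZOO_URL = re.compile(r"(ujsd)\.[a-z]+\.com\/\/.+\.#")
LANDING_SUFFIX = "digitaloceanspaces.com"

# Constructed sample events: (Timestamp, DeviceId, InitiatingProcessFileName, RemoteUrl).
# Domains come from the page's indicators; paths and fragments are shortened placeholders.
SAMPLE_EVENTS = [
    ("2021-08-10T09:01:00", "dev-01", "msedge.exe",
     "http://2124658742.ujsd.pentsweser.com//fhwpp8sv.#BASE64_BLOB"),
    ("2021-08-10T09:02:10", "dev-01", "msedge.exe",
     "https://fra1.digitaloceanspaces.com/koip/landing.html#no-reply@microsoft.com"),
    ("2021-08-10T09:30:00", "dev-01", "msedge.exe", "https://www.bing.com/"),
    ("2021-08-10T11:15:00", "dev-02", "chrome.exe",
     "https://nyc3.digitaloceanspaces.com/some-bucket/report.pdf"),
    ("2021-08-10T09:05:00", "dev-03", "msedge.exe",
     "http://946552600.ujsd.buiyosi.com//abc123.#BASE64_BLOB"),
    ("2021-08-10T10:05:00", "dev-03", "msedge.exe",
     "https://nyc3.digitaloceanspaces.com/bnj/landing.html#no-reply@microsoft.com"),
]


def matches_todayzoo_pattern(url: str) -> bool:
    """Row filter from the query: operator URL pattern, or a DigitalOcean Spaces host."""
    host = urlsplit(url).hostname or ""
    return bool(TODAYZOO_URL.search(url)) or host.endswith(LANDING_SUFFIX)


def domain_of(url: str) -> str:
    """Hostname of the URL (assumption: simpler than the extract() regex in the KQL)."""
    return urlsplit(url).hostname or ""


def hunt(events, min_distinct: int = 2) -> dict:
    """Group matching rows by device, one-hour bin and process; keep bins with >= min_distinct domains.

    Keys are "DeviceId|bin-start|process" strings so results are easy to print or compare.
    """
    bins = defaultdict(set)
    for ts, device, proc, url in events:
        if not matches_todayzoo_pattern(url):
            continue
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        bins[f"{device}|{hour.isoformat()}|{proc}"].add(domain_of(url))
    return {key: sorted(domains) for key, domains in bins.items() if len(domains) >= min_distinct}


if __name__ == "__main__":
    for key, domains in hunt(SAMPLE_EVENTS).items():
        print(key, domains)
```

Only dev-01 is reported: it touched a ujsd redirector and a DigitalOcean Spaces host in the same hour from the same browser. dev-02 reached DigitalOcean Spaces alone, which is ordinary legitimate traffic, and dev-03 hit the two stages an hour apart, so the one-hour bin keeps them separate; widening the bin is the knob to turn if slower redirect chains are expected.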

Indicators of compromise

Sample initial base domains

pentsweser[.]com eurhutos[.]com dalotcii[.]com
buiyosi[.]com gsuouyty[.]com matanictii[.]com
phmakert[.]com brepeme[.]com conncorrd[.]com
sazmath[.]com normmavec[.]com jumperctin[.]com
selfessdas[.]com kurvuty[.]com iotryfuty[.]com
setmakersl[.]com vlogctii[.]com coffimkeer[.]com
mosyeurty[.]com qurythuy[.]com carlssbad[.]com
chovamb[.]com tenssmor[.]com tenssmr[.]com
coffkeer[.]com tamsops[.]com speedoms[.]com
shageneppi[.]com shadain[.]com coffieer[.]com
cofeer[.]com carrtwright[.]com uyfteuty[.]com
slobhurtiy[.]com braingones[.]com beinsmter[.]com
ksfcaghyou[.]com coffkr[.]com rtuatatcty[.]com
lamyot[.]com tenssm[.]com kanesatakss[.]com
brainsdeads[.]com ourygshry[.]com

Sample initial domains with subdomains

1776769042[.]ujsd[.]iotryfuty[.]com 443577567[.]ujsd[.]iotryfuty[.]com
646611056[.]ujsd[.]gsuouyty[.]com 1007183231[.]ujsd[.]gsuouyty[.]com
1469782555[.]ujsd[.]phmakert[.]com 1436029448[.]ujsd[.]buiyosi[.]com
946552600[.]ujsd[.]buiyosi[.]com 1733787821[.]ujsd[.]buiyosi[.]com
1988722677[.]ujsd[.]eurhutos[.]com 255622856[.]ujsd[.]eurhutos[.]com
600774497[.]ujsd[.]sazmath[.]com 1315116569[.]ujsd[.]setmakersl[.]com
1179340144[.]ujsd[.]sazmath[.]com 516942697[.]ujsd[.]setmakersl[.]com
1742965301[.]ujsd[.]setmakersl[.]com 124967719[.]ujsd[.]normmavec[.]com
202271174[.]ujsd[.]pentsweser[.]com 1010306526[.]ujsd[.]iotryfuty[.]com
728156920[.]ujsd[.]iotryfuty[.]com 1244535616[.]ujsd[.]selfessdas[.]com
1227334331[.]ujsd[.]selfessdas[.]com 1229648857[.]ujsd[.]kurvuty[.]com
926765708[.]ujsd[.]kurvuty[.]com 254503147[.]ujsd[.]kurvuty[.]com
1656812361[.]ujsd[.]dalotcii[.]com 100666740[.]ujsd[.]matanictii[.]com
404793834[.]ujsd[.]matanictii[.]com 879643450[.]ujsd[.]matanictii[.]com
658338120[.]ujsd[.]matanictii[.]com 1359496128[.]ujsd[.]dalotcii[.]com
995216045[.]ujsd[.]dalotcii[.]com 1838392685[.]ujsd[.]dalotcii[.]com
9725332[.]ujsd[.]brepeme[.]com 1668463162[.]ujsd[.]conncorrd[.]com
165175575[.]ujsd[.]sazmath[.]com 215852665[.]ujsd[.]brepeme[.]com

Sample initial URLs

  • odghyuter[.]com//wfvmlpxuhjeq[.]#aHR0cHM6Ly9wb2dmaHJ5ZXQuY29tL2VkZmgua2VyZnEvI25vLXJlcGx5QG1pY3Jvc29mdC5jb20=
  • ujsd.coffimkeer[.]com//0jw7yklk[.]#aHR0cHM6Ly9sdWh5cnR5ZS5jb20vZWRmaC5rZXJmcS8jbm8tcmVwbHlAbWljcm9zb2Z0LmNvbQ==
  • ujsd.pentsweser[.]com//iojjyaqw[.]#aHR0cHM6Ly9saW1lc3RvbmVzbS5jb20vZWRmaC5rZXJmcS8jbm8tcmVwbHlAbWljcm9zb2Z0LmNvbQ==
  • ujsd.brepeme[.]com//bnxvhyex[.]#aHR0cHM6Ly92YWVwbGVyLmNvbS9lZGZoLmtlcmZxLyNuby1yZXBseUBtaWNyb3NvZnQuY29t

Sample secondary (redirector) URLs

  • pogfhryet[.]com/edfh[.]kerfq/#no-reply@microsoft[.]com
  • luhyrtye[.]com/edfh[.]kerfq/#no-reply@microsoft[.]com

Sample final landing page

  • nyc3[.]digitaloceanspaces[.]com/bnj/25_40_24_5E_40_26_40_26_28_29_23_23_5E_23_24_26_5E_25_26_40_5E_28_23_26_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25[.]html#no-reply@microsoft[.]com

Sample credential harvesting page

  • lcspecops[.]com/psl/vcoominctodayq[.]php


The post Franken-phish: TodayZoo built from other phishing kits appeared first on Microsoft Security Blog.

Franken-phish: TodayZoo built from other phishing kits

October 21st, 2021 No comments

A phishing kit built using pieces of code copied from other kits, some available for sale through publicly accessible scam sellers or are reused and repackaged by other kit resellers, provides rich insight into the state of the economy that drives phishing and email threats today. We uncovered this phishing kit while examining an extensive series of credential phishing campaigns that all sent credentials to a set of endpoints operated by the attackers.

We named the kit “TodayZoo” because of its curious use of these words in its credential harvesting component in earlier campaigns, likely a reference to phishing pages that spoofed a popular video conferencing application. Our prior research on phishing kits told us TodayZoo contained large pieces of code copied from widely circulated ones. The copied code segments even have the comment markers, dead links, and other holdovers from the previous kits.

Today’s phishing attacks operate on a landscape fueled by an evolved service-based economy filled with efficient, reliable, and profitable offerings. Attackers who wish to launch a phishing campaign may rent their resource and infrastructure needs from phishing-as-a-service (PhaaS) providers, who do the legwork for them. Alternatively, they can make a one-time purchase of a phishing kit that they can “plug and play.”

That’s not to say that attackers who build their kits from the ground up are at a disadvantage. If anything, the abundance of phishing kits and other tools available for sale or rent makes it easy for a lone wolf attacker to pick and choose the best features from these kits. They put these functionalities together in a customized kit and try to reap the benefits all to themselves. Such is the case of TodayZoo: because of the consistency in the redirection patterns, domains, and other techniques, tactics, and procedures (TTPs) of its related campaigns, we believe that the actors behind it came across an old phishing kit template and replaced the credential harvesting part with its own exfiltration logic to make TodayZoo solely for their nefarious purposes.

Since the first observed instances of the TodayZoo phishing kit last December, large email campaigns leading to it have continued without significant pause. Our analysis of its phishing page artifacts, redirection routines, and domain generation algorithm (DGA) methods for the initial sites helps ensure Microsoft Defender for Office 365 effectively protect customers from the said campaigns.

Microsoft tracks unique phishing kits, phishing services, and other components used in phishing to better protect customers from malicious emails at a larger scale. Combined with our monitoring of individual credential campaigns and the latest evasion techniques, our research into kits and services provides us with a better understanding of the structure of phishing email messages. Such threat intelligence and insights, in turn, feed into our protection technologies, such as Defender for Office 365 and Microsoft 365 Defender.

This blog post details some of the technical aspects of a phishing campaign based on the TodayZoo kit. It also provides information about “DanceVida,” a potential parent family of kits based on a shared resource link, and how it and other historical patterns figure in TodayZoo’s code structure.

What’s in a kit?

A “phishing kit” or “phish kit” can refer to various parts of a set of software or services meant to facilitate phishing. The term refers most commonly to an archive file containing images, scripts, and HTML pages that enable an attacker to quickly set up an undetectable phishing page and collect credentials through it. However, “phishing kit” can also be used to refer specifically to the unique page itself that spoofs a brand and interacts with a user, collects the user’s credentials, and posts them to an asset the attacker owns.

Phishing kits are generally split into the following major components based on function:

  • Imitation: These components help make the login pages appear legitimate. These can include imagery to imitate welcome banners, as well as dynamically generated logos and branding that are fetched based on the target’s email address. These components may also include legitimate links and “help” or “password reset” buttons that navigate cautious users out of the page and onto legitimate sites.
  • Obfuscation: These components hide the pages’ true purpose from scanners or automated security detection systems. Obfuscation techniques can be through encoding or individual functions designed to make the extraction of resources more difficult. Obfuscation can also include anti-sandboxing resources on the page or on the site that are called to enforce geofencing, CAPTCHAs, and others.
  • Credential harvest: These components facilitate the entry, collection, and exfiltration of the credentials the target user provides. These components also include information about where said credentials are sent, how they are stored, and which sites the user is sent to after giving their credentials.

These components are seen in the TodayZoo phishing kit, which we will discuss in the following sections.

Breaking down a TodayZoo-based phishing campaign

The use of the TodayZoo phishing kit was initially seen in December 2020. Then, in March 2021, we observed a series of phishing campaigns abuse the AwsApps[.]com domain to send the email messages that eventually directed users to the final landing pages, leading us to examine the kit more closely. As of this writing, we have already notified Amazon about the abovementioned abuse in their domain, and they promptly took action.

The attackers created malicious accounts at scale. Initially, the sender emails appeared with randomly generated domain names such as wederfs76y3uwedi3uy89ewdu23ye87293eqwhduayqw[.]awsapps[.]com. This contrasts legitimate emails—and even some spoofed phishing ones—where the subdomain would represent a company hostname.

The email message itself was relatively simple: it impersonated Microsoft and leveraged a zero-point font obfuscation technique in an attempt to evade detection. For example, in the early iterations of their campaign, the attackers used the <ins></ins> tags to insert the date of the message every few characters invisibly, as shown below:

Screenshot of HTML code showing zero-point font technique

Figure 1. Example of zero-point font obfuscation to insert the date into the HTML code of the email message

The social engineering lures in the message body repeatedly changed over the months. Campaigns in April and May used password reset, while more the recent campaigns in August were leveraging fax and scanner notifications.

Screenshot of email used in this campaign

Figure 2. Example of an email lure leading to TodayZoo phishing kit

Regardless of the lure, the following attack chain is consistent, with initial and secondary redirectors, a final landing page, and a credential harvesting page. Below is a sample of TodayZoo’s attack chain URLs:

  • Initial redirector: hxxp://2124658742[.]ujsd[.]pentsweser[.]com//fhwpp8sv[.]#aHR0cHM6Ly9saW1lc3RvbmVzbS5jb20vZWRmaC5rZXJmcS8jbm8tcmVwbHlAbWljcm9zb2Z0LmNvbQ==
  • Secondary redirector: hxxps://limestonesm[.]com/edfh.kerfq/#no-reply@microsoft[.]com
  • Final landing page: hxxps://fra1[.]digitaloceanspaces[.]com/koip/25_40_24_5E_40_26_40_26_28_29_23_23_5E_23_24_26_5E_25_26_40_5E_28_23_26.html#no-reply@microsoft[.]com
  • Credential harvesting page: hxxps://nftduniya[.]com/cas/vcoominctodayq[.]php

The initial and secondary URLs are either compromised or attacker-created sites and serve as redirectors to funnel the more extensive set of URLs used in the emails to the final landing page where the phishing kit is hosted. The initial URL used infinite subdomains, a previously discussed technique that allows attackers to use a unique URL for each recipient while only purchasing or compromising one domain. The URL also leveraged malformed URLs that consisted of multiple forward slashes at the demarcation of the path, as well as the secondary URL that is encoded along with the recipient’s email address.

In almost every instance of the TodayZoo-based campaign we’ve seen, the final landing page is hosted within the service provider DigitalOcean. This page bears a few tangible differences from a standard Microsoft 365 sign-in page. Notably, it has not substantially changed in appearance from the start of the year to the time of publication of this blog. This lack of change is because, despite the numerous changes in the delivery method, lures, and sites used as indicators of attack (IOAs), the TodayZoo kit stayed nearly identical with only a few strings changing.

Screenshot of phishing page where credentials are stolen

Figure 3. An example of TodayZoo’s fake sign-in page in August 2021

There was little obfuscation in the TodayZoo kit: the landing page’s source code revealed in the clear where the stolen credentials would be exfiltrated, which was another compromised site with a path ending in TodayZoo.php. Typically, credential harvesting pages process the credentials and forward them to additional email accounts owned by the sellers or purchasers of the kit for later collection. It’s unusual for campaigns to store the credentials locally on the site itself.

Screenshot of code for credential harvesting

Figure 4. An excerpt from the TodayZoo HTML source depicting credential exfiltration

It should be noted that, based on our analysis, the file name TodayZoo.php appears to be derived from a previous version of the phishing kit whose credential processing page ends in Zoom.php. That version also has markers like “Today Zoom Meetings,” indicating that it initially targeted users of a popular video conferencing application.

The succeeding TodayZoo-based campaigns follow the attack kill chain pattern and source code discussed above. TodayZoo.php was used for the first few months of operation; the most recent harvesting pages have kept the word “today” but may now use vcoominctodayq.php instead.

The attackers have also moved from abusing a single legitimate mailing service to compromising mailing service accounts for their email campaigns. However, they maintain specific leftover character patterns in their URL paths and subdomains that work with the other TTPs described.

Piecing the puzzle

Typically, phishing kits that are resold or reused show signs of multiple actors using them through the email campaigns they generate. For example, these campaigns will have varying redirection techniques and hosting domains for their final landing pages. In the case of TodayZoo, as previously mentioned, there is consistency in the patterns, domains, and TTPs of the related campaigns. While many phishing kits are attributed to a wide variety of email campaign patterns and, conversely, many email campaign patterns are associated with many phishing kits, TodayZoo-based pages exclusively used the same email campaign patterns, and those email campaigns only ever surfaced TodayZoo kits. This leads us to believe that the actors behind this specific TodayZoo implementation are operating on their own.

Within the source code of the TodayZoo landing page we analyzed, there were several static references at the very start to external sources. Generally, these external links help a phishing kit properly imitate the login page and other branding elements of the site it is spoofing. However, in TodayZoo’s case, many of these site connections were “dead links” and served no relevant function within the page. Littered throughout the source code as well were various markers like <!-- FORM 1111111111111111 --> and <!-- FINISHHHHHHHHHHHHHHHHHHHHH -->. Some portions of the source code also used different languages in different sections, giving clear indications of which ones had been replaced.

Upon further investigation, we identified the dead links and markers as holdovers from many other commoditized kits available for free or purchase. We then compared TodayZoo with other phishing kits we have analyzed previously and found that even these kits also contained references to sites like Dancevida[.]com but would have different code blocks for their obfuscation or credential harvest components.

Screenshot of TodayZoo code showing references to DanceVida

Figure 5. An excerpt from a TodayZoo landing page source code referencing DanceVida[.]com

The DanceVida connection

“DanceVida” is more of a code block than a full-fledged phishing kit. As such, kits that use DanceVida are rather diverse in their delivery, lures, and location because they are sold directly on various forums under different kit-naming schemas, as well as under a wider variety of landing page templates, including document download pages. Most of the credentials that the DanceVida-based kits’ harvesting pages gather are exfiltrated to accounts on free email services, such as Gmail, Yahoo!, and Yandex.

One of the more notable kits that also references DanceVida and shares components with what we observed in the TodayZoo credential phishing campaigns is “Office-RD117,” which is related to an online seller known as “Fud Tool.” This seller also offers other phishing kits and email and SMS delivery tools on various forums and other websites.

Screenshot of FUD Tool website

Figure 6. Screenshot of the now-defunct Fud Tool website from the Wayback Machine Internet Archive

It is interesting to note that when analyzing the Office-RD117 kit, we also saw signatures from multiple sellers within its packaged resources. There are also instances of dead links, such as a reference to a GitHub account that was live for less than a day in January 2020 (that account is still carried over to kits online as of this writing). This goes to show that even commercially available phishing kits reuse and repurpose elements from other ones. Such mixing and matching also makes it quite challenging to determine where one kit ends and another one begins.

Comparing TodayZoo with DanceVida and other kits

In the case of TodayZoo, we observed that its implementations only match the larger superset of kits referencing DanceVida at about 30-35%. As seen in the figures below, which compare a TodayZoo sample with a randomly selected DanceVida sample, both initially have similar structure and pieces of code until TodayZoo deviates in the credential harvesting component:

Screenshots comparing source code for DanceVida and TodayZoo phishing kits

Figure 7. A comparison of DanceVida and TodayZoo kits, showing matching source code

Screenshots comparing source code for DanceVida and TodayZoo phishing kits

Figure 8. A comparison of DanceVida and TodayZoo kits showing highly similar source code. Note how TodayZoo has changed its variables.

Screenshots comparing source code for DanceVida and TodayZoo phishing kits

Figure 9. A comparison of DanceVida and TodayZoo kits showing slightly different implementation for credential posting

To further illustrate the “Frankenstein’s monster” characteristic of TodayZoo, the table below expands the comparison of one of its current phishing pages with Office-RD117, as well as with four other landing pages. These landing pages are unattributed to specific operators and reference DanceVida or use the same credential-harvesting POST statements. While all these samples share code segments in their imitation, obfuscation, or credential harvesting components, they each still have unique elements that differentiate them.

Table comparing different phishing kits and their similarity with TodayZoo

Table 1. Similarity areas and percentages of related phish kits to a recent TodayZoo sample

Visual representation of similarity of code between TodayZoo and other phishing kits

Figure 10. Graphical representation of the similarity areas of related phish kits to a recent TodayZoo sample

The above comparisons show a history of alterations and suggest the existence of a “core” set of code being reused by these phishing kits. They are also reminiscent of how remote access Trojans (RATs) and other malware families are continuously retooled by threat actors yet retain large chunks of code across the board.

How threat intelligence enriches anti-phishing technologies in Microsoft Defender for Office 365

Our analysis of TodayZoo, DanceVida, and other phishing kits gives us several insights into the underground economy today. First, this research further proves that most phishing kits observed or available today are based on a smaller cluster of larger kit “families.” While this trend has been observed previously, it continues to be the norm, given how phishing kits we’ve seen share large amounts of code among themselves. The continued presence of dead links and callbacks to other kits indicates that many phishing kit distributors and phishing operators have easy access to these existing kits and use parts of them to make new ones faster.

Secondly, our research shows that the players in the cybercrime economy count on a lack of examination of their products. Whether that is a bane or a boon for them depends on how the product’s code is implemented. For example, an unchecked reused kit that still calls back to its original creator with copies of stolen credentials potentially translates into the equivalent of passive income for that creator.

Insights such as those presented above enrich our protection technologies. Our intelligence on unique phishing kits such as TodayZoo, phishing services, and other components of phishing attacks allows Microsoft Defender for Office 365 to detect related campaigns and block malicious emails, URLs, and landing pages. Combined with Defender for Office 365’s use of machine learning, heuristics, and advanced detonation technology, such intel also makes it possible to detect kits that attempt to leverage techniques from one or multiple code bases, even before a user receives the email or interacts with the content.

Threat intelligence about the latest trends in the phishing landscape also feeds into other Microsoft security solutions, such as Microsoft Defender SmartScreen, which blocks phishing websites and malicious URLs and domains in the browser, and Network protection, which blocks connections to malicious domains and IP addresses. Advanced hunting capabilities allow analysts to search for phishing kit components and other IOAs.

Organizations can configure the recommended settings in Microsoft Defender for Office 365, such as applying anti-phishing, Safe Links, and Safe Attachments policies. These ensure real-time protection by scanning at the time of delivery and at the time of click. They can further strengthen their protection with Microsoft 365 Defender, which correlates signals from emails, endpoints, and other domains, delivering coordinated defense.

Learn how you can stop credential phishing and other email threats through comprehensive, industry-leading protection with Microsoft Defender for Office 365.

Visit our National Cybersecurity Awareness Month page for more resources and information on protecting your organization year-round. Do your part. #BeCyberSmart


Microsoft 365 Defender Threat Intelligence Team


Advanced hunting queries

Emails with TodayZoo operator patterns

Use this query to find emails sent that utilize additional forward slashes at the path and domain split point and utilize the TodayZoo operators’ patterns in the path and the subdomain structure. TodayZoo operators occasionally store URLs in the attachment, so this query would not surface those instances.

EmailUrlInfo
| where Url matches regex "(ujsd)?\\.[a-z]+\\.com\\/\\/.+\\.#"

Endpoint activity where TodayZoo patterns redirect to DigitalOcean

Use this query to find endpoint network events where the remote URL uses additional forward slashes at the path and domain split point together with the TodayZoo operators’ patterns in the path and subdomain structure, or points to digitaloceanspaces.com, and to surface devices that reached two or more such domains within the same hour.

DeviceNetworkEvents
| where RemoteUrl matches regex "(ujsd)\\.[a-z]+\\.com\\/\\/.+\\.#" or RemoteUrl endswith "digitaloceanspaces.com"
| extend Domain = extract(@"[^.]+(\.[^.]{2,3})?\.[^.]{2,12}$", 0, RemoteUrl)
| summarize dcount(Domain), make_set(Domain) by DeviceId, bin(Timestamp, 1h), InitiatingProcessFileName, InitiatingProcessCommandLine
| where dcount_Domain >= 2

Indicators of compromise

Sample initial base domains


Sample initial domains with subdomains


Sample initial URLs

  • odghyuter[.]com//wfvmlpxuhjeq[.]#aHR0cHM6Ly9wb2dmaHJ5ZXQuY29tL2VkZmgua2VyZnEvI25vLXJlcGx5QG1pY3Jvc29mdC5jb20=
  • ujsd.coffimkeer[.]com//0jw7yklk[.]#aHR0cHM6Ly9sdWh5cnR5ZS5jb20vZWRmaC5rZXJmcS8jbm8tcmVwbHlAbWljcm9zb2Z0LmNvbQ==
  • ujsd.pentsweser[.]com//iojjyaqw[.]#aHR0cHM6Ly9saW1lc3RvbmVzbS5jb20vZWRmaC5rZXJmcS8jbm8tcmVwbHlAbWljcm9zb2Z0LmNvbQ==
  • ujsd.brepeme[.]com//bnxvhyex[.]#aHR0cHM6Ly92YWVwbGVyLmNvbS9lZGZoLmtlcmZxLyNuby1yZXBseUBtaWNyb3NvZnQuY29t

Sample secondary (redirector) URLs

  • pogfhryet[.]com/edfh[.]kerfq/#no-reply@microsoft[.]com
  • luhyrtye[.]com/edfh[.]kerfq/#no-reply@microsoft[.]com

Sample final landing page

  • nyc3[.]digitaloceanspaces[.]com/bnj/25_40_24_5E_40_26_40_26_28_29_23_23_5E_23_24_26_5E_25_26_40_5E_28_23_26_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25[.]html#no-reply@microsoft[.]com

Sample credential harvesting page

  • lcspecops[.]com/psl/vcoominctodayq[.]php


The post Franken-phish: TodayZoo built from other phishing kits appeared first on Microsoft Security Blog.

Catching the big fish: Analyzing a large-scale phishing-as-a-service operation

September 21st, 2021 No comments

In researching phishing attacks, we came across a campaign that used a rather high volume of newly created and unique subdomains—over 300,000 in a single run. This investigation led us down a rabbit hole as we unearthed one of the operations that enabled the campaign: a large-scale phishing-as-a-service operation called BulletProofLink, which sells phishing kits, email templates, hosting, and automated services at a relatively low cost.

With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today. BulletProofLink (also referred to as BulletProftLink or Anthrax by its operators in various websites, ads, and other promotional materials) is used by multiple attacker groups in either one-off or monthly subscription-based business models, creating a steady revenue stream for its operators.

This comprehensive research into BulletProofLink sheds a light on phishing-as-a-service operations. In this blog, we expose how effortless it can be for attackers to purchase phishing campaigns and deploy them at scale. We also demonstrate how phishing-as-a-service operations drive the proliferation of phishing techniques like “double theft”, a method in which stolen credentials are sent to both the phishing-as-a-service operator as well as their customers, resulting in monetization on several fronts.

Insights into phishing-as-a-service operations, their infrastructure, and their evolution inform protections against phishing campaigns. The knowledge we gained during this investigation ensures that Microsoft Defender for Office 365 protects customers from the campaigns that the BulletProofLink operation enables. As part of our commitment to improve protection for all, we are sharing these findings so the broader community can build on them and use them to enhance email filtering rules as well as threat detection technologies like sandboxes to better catch these threats.

Understanding phishing kits and phishing-as-a-service (PhaaS)

The persistent onslaught of email-based threats continues to pose a challenge for network defenders because of improvements in how phishing attacks are crafted and distributed. Modern phishing attacks are typically facilitated by a large economy of email and false sign-in templates, code, and other assets. While it was once necessary for attackers to individually build phishing emails and brand-impersonating websites, the phishing landscape has evolved its own service-based economy. Attackers who aim to facilitate phishing attacks may purchase resources and infrastructure from other attacker groups including:

  • Phish kits: Refers to kits that are sold on a one-time sale basis from phishing kit sellers and resellers. These are packaged files, usually a ZIP file, that come with ready-to-use email phishing templates designed to evade detection and are often accompanied by a portal with which to access them. Phish kits allow customers to set up the websites and purchase the domain names. Alternatives to phishing site templates or kits also include templates for the emails themselves, which customers can customize and configure for delivery. One example of a known phish kit is the MIRCBOOT phish kit.
  • Phishing-as-a-service: Similar to ransomware-as-a-service (RaaS), phishing-as-a-service follows the software-as-a-service model, which requires attackers to pay an operator to wholly develop and deploy large portions or complete phishing campaigns from false sign-in page development, website hosting, and credential parsing and redistribution. BulletProofLink is an example of a phishing-as-a-service (PhaaS) operation.

Table showing differences between phishing kits and phishing-as-a-service

Figure 1. Feature comparison between phishing kits and phishing-as-a-service

It’s worth noting that some PhaaS groups may offer the whole deal—from template creation, hosting, and overall orchestration, making it an enticing business model for their clientele. Many phishing service providers offer a hosted scam page solution they call “FUD” Links or “Fully undetected” links, a marketing term used by these operators to try and provide assurance that the links are viable until users click them. These phishing service providers host the links and pages and attackers who pay for these services simply receive the stolen credentials later on. Unlike in certain ransomware operations, attackers do not gain access to devices directly and instead simply receive untested stolen credentials.

Breaking down BulletProofLink services

To understand how PhaaS works in detail, we dug deep into the templates, services, and pricing structure offered by the BulletProofLink operators. According to the group’s About Us web page, the BulletProofLink PhaaS group has been active since 2018 and proudly boasts of their unique services for every “dedicated spammer”.

Screenshot of About Us page on the BulletProofLink website

Figure 2. BulletProofLink’s ‘About Us’ page gives potential customers an overview of its services.

The operators maintain multiple sites under their aliases, BulletProftLink, BulletProofLink, and Anthrax, including YouTube and Vimeo pages with instructional advertisements as well as promotional materials on forums and other sites. In many of these cases, and in ICQ chat logs posted by the operator, customers refer to the group by these aliases interchangeably.

Screenshot of video tutorials posted by BulletProofLink

Figure 3. Video tutorials posted by the Anthrax Linkers (aka BulletProofLink)

BulletProofLink registration and sign-in pages

BulletProofLink additionally hosts multiple sites, including an online store where they allow their customers to register, sign in, and advertise their hosted service for monthly subscriptions.

Over the course of monitoring this operation, their online store had undergone multiple revisions. The source code for the site’s pages contained references to artifacts elsewhere on the site, which included ICQ chat messages and advertisements. While those references are still present in newer versions, the sign-in page for the monthly subscription site no longer contains service pricing information. In previous versions, the sites alluded to the cost for the operator to host FUD links and return credentials to the purchasing party.

Screenshot of BulletProofLink registration page

Figure 4. BulletProofLink registration page

Just like any other service, the group even boasts of a 10% welcome discount on customers’ orders when they subscribe to their newsletter.

Screenshot of 10% discount offered to those who will sign up for newsletter

Figure 5. BulletProofLink welcome promotion for site visitors’ first order

Credential phishing templates

BulletProofLink operators offer over 100 templates and operate with a highly flexible business model. This business model allows customers to buy the pages and “ship” the emails themselves and control the entire flow of password collection by registering their own landing pages or make full use of the service by using the BulletProofLink’s hosted links as the final site where potential victims key in their credentials.

The templates are designed to evade detection while successfully phishing for credentials, but may vary based on the individual purchasing party. Likewise, the wide variety of templates offered does not guarantee that all BulletProofLink facilitated campaigns will look identical. Instead, the campaigns themselves can be identified with a mixture of phishing page source code, combined with the PHP password processing sites referenced therein, as well as the hosting infrastructure used in their larger-scale campaigns. These password-processing domains correlate back to the operator through hosting, registration, email, and other metadata similarities during domain registration.

The templates offered are related to the phishing pages themselves, so the emails that service them may seem highly disparate and handled by multiple operators.

Services offered: Customer hosting and support

The phishing operators list an array of services on their site along with the corresponding fees. As OSINT Fans noted in their blog, the monthly service costs as much as $800, while other services cost about $50 for a one-time hosting link. We also found that Bitcoin is a common payment method accepted on the BulletProofLink site.

In addition to communicating with customers on site accounts, the operators display various methods of interacting with them, which include Skype, ICQ, forums, and chat rooms. Like a true software business dedicated to their customers, the operators provide customer support services for new and existing customers.

Screenshot of phishing templates being sold by BulletProofLink

Figure 6. Screenshot of the BulletProofLink site, which offers a wide array of phishing services impersonating various legitimate services

Screenshot of BulletProofLink website showing DocuSign services

Figure 7. DocuSign scam page service listed on the BulletProofLink site

The hosting service includes a weekly log shipment to purchasing parties, usually sent manually over ICQ or email. Analysis of individual activity on password-processing replies from the collected infrastructure indicates that the credentials are received on the initial template page and then sent to password-processing sites owned by the operator.

Screenshot of a BulletProofLink ad

Figure 8. An advertisement from BulletProofLink that showcases their weekly log shipment

At the time of this report, BulletProofLink continues to operate active phishing campaigns, with large volumes of redirections to their password-processing links from legitimate web hosting providers. In the next section, we describe one such campaign.

Tracking a BulletProofLink-enabled campaign

As mentioned, we uncovered BulletProofLink while investigating a phishing campaign that used the BulletProofLink phishing kit on either attacker-controlled sites or sites provided by BulletProofLink as part of their service. The campaign itself was notable for its use of 300,000 subdomains, but our analysis exposed one of many implementations of the BulletProofLink phishing kit:

Diagram showing BulletProofLink-enabled attack chain

Figure 9. End-to-end attack chain of BulletProofLink-enabled phishing campaigns

An interesting aspect of the campaign that drew our attention was its use of a technique we call “infinite subdomain abuse”, which happens when attackers compromise a website’s DNS or when a compromised site is configured with a DNS that allows wildcard subdomains. “Infinite subdomains” allow attackers to use a unique URL for each recipient while only having to purchase or compromise one domain for weeks on end. It is gaining popularity among attackers for the following reasons:

  • It serves as a departure from previous techniques that involved hackers obtaining large sets of single-use domains. To leverage infinite subdomains for use in email links that serve to redirect to a smaller set of final landing pages, the attackers then only need to compromise the DNS of the site, and not the site itself.
  • It allows phishing operators to maximize the unique domains they are able to use by configuring dynamically generated subdomains as prefix to the base domain for each individual email.
  • The creation of unique URLs poses a challenge to mitigation and detection methods that rely solely on exact matching for domains and URLs.

The phishing campaign also impersonated (albeit poorly) the Microsoft logo and branding. The impersonation technique used solid colors for the logo, which may have been done intentionally to bypass detection of the Microsoft logo’s four distinct colors. It is worth noting that later iterations of the campaign have switched to using the four colors in the Microsoft logo.

Screenshot of recent lure used in a BulletProofLink campaign

Figure 10. Phishing lure from a recent credential phishing campaign

These messages also used a technique called zero-point font, which pads the HTML of the message with characters that render as invisible to the user, to obfuscate the email body and attempt to evade detection. This technique is increasingly used by phishers to evade detection.

Screenshot of email and HTML code showing zero-point font technique

Figure 11. HTML showing zero-point font date stuffing in an email
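To make the zero-point font technique concrete from the detection side, here is an added example (not code from the original post) that walks an HTML body with the standard library parser, separates text rendered at a normal size from text inside elements styled with a zero font size, and flags a message when a large share of its characters are invisible. The sample body, threshold and all function names are constructed for this example.

```python
"""Added example (not from the original post): flag e-mail HTML that hides
filler text with zero-size fonts, the 'zero-point font' padding described above."""
import re
from html.parser import HTMLParser

# A font-size of 0 in any unit (0, 0px, 0pt, 0em, 0%) renders text invisibly.
ZERO_FONT = re.compile(r"font-size\s*:\s*0+(\.0+)?\s*(px|pt|em|rem|%)?\s*(;|$)", re.I)
# Elements that never get a closing tag; they must not push onto the stack.
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "wbr"}


class ZeroFontScanner(HTMLParser):
    """Collect normally rendered text separately from zero-size text."""

    def __init__(self):
        super().__init__()
        self.stack = []      # one bool per open element: True when hidden
        self.visible = []
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        inherited = self.stack[-1] if self.stack else False
        # A child of a zero-size element is hidden even without its own style.
        self.stack.append(inherited or bool(ZERO_FONT.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        hidden = self.stack[-1] if self.stack else False
        (self.hidden if hidden else self.visible).append(text)


def scan_zero_font(html: str) -> dict:
    """Return the visible text, the hidden text, and the share of hidden characters."""
    scanner = ZeroFontScanner()
    scanner.feed(html)
    scanner.close()
    visible = " ".join(scanner.visible)
    hidden = " ".join(scanner.hidden)
    total = len(visible) + len(hidden)
    return {
        "visible_text": visible,
        "hidden_text": hidden,
        "hidden_ratio": (len(hidden) / total) if total else 0.0,
    }


def is_suspicious(html: str, threshold: float = 0.3) -> bool:
    """Heuristic: a body that is mostly zero-size characters is padded to evade scanning."""
    return scan_zero_font(html)["hidden_ratio"] >= threshold


# Constructed sample body (not a real lure): date-like filler at zero size
# is interleaved with the words the recipient actually sees.
SAMPLE_HTML = (
    "<html><body><p>Your <span style='font-size:0px'>2021-08-17 fjkd 1122</span>"
    "password <span style='FONT-SIZE: 0'>zzqq 09/01/2021 mmnn</span>expires today."
    "<br><a href='http://example.invalid/'>Keep password</a></p></body></html>"
)

if __name__ == "__main__":
    report = scan_zero_font(SAMPLE_HTML)
    print("visible:", report["visible_text"])
    print("hidden :", report["hidden_text"])
    print(f"hidden ratio: {report['hidden_ratio']:.2f}, suspicious: {is_suspicious(SAMPLE_HTML)}")
```

The visible string is what a recipient reads; the hidden string is what a naive text extractor would mix into it, which is why filters that score the raw text alone can be thrown off.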

We found that the phishing URL in the email contained Base64-encoded victim information along with an attacker-owned site where the user is meant to be redirected. In this campaign, a single base domain was used for the infinite subdomain technique to initiate the redirects for the campaign, which leveraged multiple secondary sites over several weeks.

Screenshot of encoded URLs and the decoded URL

Figure 12. The format and an example of the phishing URL, which when decoded redirects to the compromised site.

The compromised site redirected to a second domain that hosted the phishing page, which mimicked the Outlook sign-in screen and is generated for each user-specific URL. We found that the page is generated for any number of email addresses entered into the URI, and had no checking mechanisms to guarantee that it wasn’t already used or was related to a live phishing email.

There can be one or more locations to which credentials are sent, but the page employed a few obfuscation techniques to obscure these locations. One attempt to obfuscate the password processing site’s location was by using a function that decodes the location based on calling back to an array of numbers and letters:

Screenshot of a function that decodes the location based on calling back to an array of numbers and letters

We reversed this in Python and found the site that the credentials were being sent to: hxxps://webpicture[.]cc/email-list/finish-unv2[.]php. The pattern “email-list/finish-unv2.php” came in one of these variations: finish-unv2[.]php, finish-unv22[.]php, or finish[.]php. These variations typically used the term “email-list” as well as another file path segment referencing a particular phishing page template, such as OneDrive or SharePoint.

Occasionally, multiple locations were used to send credentials to, including some that could be owned by the purchasing party instead of the operator themselves, which could be called in a separate function. This could be an example of legacy artifacts remaining in final templates, or of double-theft occurring.

Screenshot showing patterns of final site URL

Figure 13. The final site’s format comes in either of these pattern variations

Analyzing these patterns led us to an extensive list of password-capturing URIs detailed in an OSINT Fans blog post about the BulletProofLink phishing service operators. We noticed that they listed patterns similar to the ones we had just observed, enabling us to find the various templates BulletProofLink used, including the phishing email with the fake Microsoft logo discussed earlier.

One of the patterns we noted is that many of the password-processing domains used in the campaigns directly had associated email addresses with “Anthrax”, “BulletProofLink”, “BulletProftLink” or other terms in the certificate registration. The email addresses themselves were not listed identically on every certificate, and were also tied to domains not used exclusively for password-processing, as noted in additional reporting by OSINT Fans.

From then on, we drew even more similarities between the landing pages seen in the infinite subdomain surge campaign we were tracking and the existing in-depth research on the adversaries behind the BulletProofLink operations.

This process ultimately led us to track and expand on the same resources referenced in the OSINT Fans research, as we uncovered even more information about the long-running and large-scale phishing service BulletProofLink. Furthermore, we were able to uncover previous and current password-processing sites in use by the operator, as well as large segments of infrastructure hosted on legitimate hosting sites for this operation’s other components.

“Double theft” as a PhaaS monetization effort

The PhaaS working model as we’ve described it thus far is reminiscent of the ransomware-as-a-service (RaaS) model, which involves double extortion. The extortion method used in ransomware generally involves attackers exfiltrating and posting data publicly, in addition to encrypting them on compromised devices, to put pressure on organizations to pay the ransom. This lets attackers gain multiple ways to assure payment, while the released data can then be weaponized in future attacks by other operators. In a RaaS scenario, the ransomware operator has no obligation to delete the stolen data even if the ransom is already paid.

We have observed this same workflow in the economy of stolen credentials in phishing-as-a-service. With phishing kits, it is trivial for operators to include a secondary location for credentials to be sent to and hope that the purchaser of the phish kit does not alter the code to remove it. This is true for the BulletProofLink phishing kit, and in cases where the attackers using the service received credentials and logs at the end of a week instead of conducting campaigns themselves, the PhaaS operator maintained control of all credentials they resell.

In both ransomware and phishing, the operators supplying resources to facilitate attacks maximize monetization by assuring stolen data, access, and credentials are put to use in as many ways as possible. Additionally, victims’ credentials are also likely to end up in the underground economy.

For a relatively simple service, the return on investment offers a considerable motivation as far as the email threat landscape goes.

How Microsoft Defender for Office 365 defends against PhaaS-driven phishing attacks

Investigating specific email campaigns allows us to ensure protections against particular attacks as well as similar attacks that use the same techniques, such as the infinite subdomain abuse, brand impersonation, zero-point font obfuscation, and victim-specific URI used in the campaign discussed in this blog. By studying phishing-as-a-service operations, we are able to scale and expand the coverage of these protections to multiple campaigns that use the services of these operations.

In the case of BulletProofLink, our intelligence on the unique phishing kits, phishing services, and other components of phishing attacks allows us to ensure protection against the many phishing campaigns this operation enables. Microsoft Defender for Office 365—which uses machine learning, heuristics, and an advanced detonation technology to analyze emails, attachments, URLs, and landing pages in real time—recognizes the BulletProofLink phishing kit that serves the false sign-in pages and detects the associated emails and URLs.

In addition, based on our research into BulletProofLink and other PhaaS operations, we observed that numerous phishing kits leverage the code and behaviors of existing kits, such as those sold by BulletProofLink. Any kit that attempts to leverage similar techniques or stitch together code from multiple kits can similarly be detected and remediated before the user receives the email or engages with the content.

With Microsoft 365 Defender, we’re able to further expand that protection, for example, by blocking phishing websites and other malicious URLs and domains in the browser through Microsoft Defender SmartScreen, as well as the detection of suspicious and malicious behavior on endpoints. Advanced hunting capabilities allow customers to search through key metadata fields on mailflow for the indicators listed in this blog and other anomalies. Email threat data is correlated with signals from endpoints and other domains, providing even richer intelligence and expanding investigation capabilities.

To build resilience against phishing attacks in general, organizations can use anti-phishing policies to enable mailbox intelligence settings, as well as configure impersonation protection settings for specific messages and sender domains. Enabling SafeLinks ensures real-time protection by scanning at time of delivery and at time of click.

In addition to taking full advantage of the tools available in Microsoft Defender for Office 365, administrators can further strengthen defenses against the threat of phishing by securing the Azure AD identity infrastructure. We strongly recommend enabling multifactor authentication and blocking sign-in attempts from legacy authentication.

Learn how you can stop credential phishing and other email threats through comprehensive, industry-leading protection with Microsoft Defender for Office 365.

Microsoft 365 Defender Threat Intelligence Team

Indicators of compromise

Password-processing URLs

  • hxxps://apidatacss[.]com/finish-unv22[.]php
  • hxxps://ses-smtp[.]com/email-list/office19999999/finish[.]php
  • hxxps:// ses-smtp[.]com/email-list/onedrive25/finish[.]php
  • hxxps:// ses-smtp[.]com/email-list/office365nw/finish[.]php
  • hxxps://smtpro101[.]com/email-list/onedrive25/finish[.]php
  • hxxps://smtpro101[.]com/email-list/office19999999/finish[.]php
  • hxxps://plutosmto[.]com/email-list/office365nw/finish[.]php
  • hxxps://smtptemp[.].site/email-list/office365nw/finish[.]php
  • hxxps://trasactionsmtp[.]com/email-list/finish-unv2[.]php
  • hxxps://smtptemp[.]site/email-list/office365nw/finish-unv22[.]php
  • hxxps://apidatacss:com/finish-unv22[.]php
  • hxxps://smtptemp.site/email-list/otlk55/finish[.]php
  • hxxps://smtptemp.site/email-list/onedrive25/finish[.]php
  • hxxps://plutosmto[.]com/email-list/kumar/finish[.]php
  • hxxps://laptopdata.xyz/email-list/office365nw/finish[.]php
  • hxxps://jupitersmt[.]com/email-list/office365nw/finish[.]php
  • hxxps://plutosmto[.]com/email-list/onedrive25/finish[.]php
  • hxxps://plutosmto[.]com/email-list/sharepointbuisness/finish[.]php
  • hxxps://ghostsmtp[.]com/email-list/sharepoint/finish[.]php
  • hxxps://jupitersmt[.]com/email-list/otlk/finish[.]php
  • hxxps://earthsmtp[.]com/email-list/onedrive25/finish[.]php
  • hxxps://earthsmtp[.]com/email-list/office365nw/finish[.]php
  • hxxps://trasactionsmtp[.]com/email-list/defaultcustomers/johnphilips002021/finish[.]php
  • hxxps://trasactionsmtp[.]com/email-list/office365nw/finish[.]php
  • hxxps://trasactionsmtp[.]com/email-list/universalmail/finish[.]php
  • hxxps://trasactionsmtp[.]com/email-list/onedrive25/finish[.]php
  • hxxps://moneysmtp[.]com/email-list/office365nw/finish[.]php
  • hxxps://moneysmtp[.]com/email-list/otlk/finish[.]php
  • hxxps://moneysmtp[.]com/hxxp://moneysmtp[.]com/email-list/office365nw/finish[.]php
  • hxxps://feesmtp[.]com/email-list/office365rd40/finish[.]php
  • hxxps://feesmtp[.]com/email-list/onedrive25/finish[.]php
  • hxxps://Failedghostsmtp[.]com/email-list/sharepoint/finish[.]php
  • hxxps://bomohsmtp[.]com/email-list/office365-21/finish[.]php
  • hxxps://bomohsmtp[.]com/email-list/onedrive25/finish[.]php
  • hxxps://foxsmtp[.]com/email-list/onedrive25/finish[.]php
  • hxxps://dasmtp[.]com/email-list/dropboxoffice1/finish[.]php
  • hxxps://rosmtp[.]com/email-list/onedrive23/finish[.]php
  • hxxps://ghostsmtp[.]com/email-list/adobe20/finish[.]php
  • hxxps://josmtp[.]com/email-list/onedrive23/finish[.]php
  • hxxps://ghostsmtp[.]com:443/email-list/onedrive23/finish[.]php
  • hxxps://ghostsmtp[.]com/email-list/onedrive23/finish[.]php
  • hxxps://winsmtp[.]com/email-list/excel/finish[.]php
  • hxxps://linuxsmtp[.]com/email-list/adobe20/finish[.]php?phishing-processor
  • hxxps://gpxsmtp[.]com/email-list/office1/finish[.]php?phishing-processor
  • hxxps://gpxsmtp[.]com/email-list/onedrive23/finish[.]php?phishing-processor
  • hxxps://gpxsmtp[.]com/email-list/excel5/finish[.]php
  • hxxps://gpxsmtp[.]com/email-list/adobe3/finish[.]php
  • hxxps://gpxsmtp[.]com/email-list/office1/finish[.]php
  • hxxps://gpxsmtp[.]com/email-list/onedrive23/finish[.]php
  • hxxps://panelsmtp[.]com/email-list/onedrive-ar/finish[.]php
  • hxxps://mexsmtp[.]com/email-list/onedrive23/finish[.]php?phishing-processor
  • hxxps://racksmtp[.]com/email-list/domain-au1/finish[.]php
  • hxxps://racksmtp[.]com/email-list/finish[.]php
  • hxxps://racksmtp[.]com/email-list/sharepoint/finish[.]php
  • hxxps://mainsmtp[.]com/email-list/onedrive23/finish[.]php
  • hxxps://prvtsmtp[.]com/email-list/onedrive23/finish[.]php?i-am-a-phishing-processor
  • hxxps://prvtsmtp[.]com/email-list/onedrive23/finish[.]php?this-is-a-phishing-processor
  • hxxps://prvtsmtp[.]com/email-list/office1/finish[.]php
  • hxxps://prvtsmtp[.]com/email-list/onedrive23/finish[.]php
  • hxxps://apiserverdata1[.]com/email-list/office1/finish[.]php
  • hxxps://webpicture.cc/email-list/excel/finish[.]php
  • hxxps://webpicture.cc/email-list/office1/finish[.]php?this-is-a=phishing-processor
  • hxxps://valvadi101[.]com/email-list/office1/finish[.]php
  • hxxps://moneysmtp[.]com/email-list/finish-unv2[.]php
  • hxxps://foxsmtp[.]com/email-list/finish-unv2[.]php
  • hxxps://bomohsmtp[.]com/email-list/finish-unv2[.]php
  • hxxps://rosmtp[.]com/email-list/finish-unv2[.]php
  • hxxps://linuxsmtp[.]com/email-list/finish-unv2[.]php?phishing-processor
  • hxxps://voksmtp[.]com/email-list/finish-unv2[.]php?phishing-processor
  • hxxps://gpxsmtp[.]com/email-list/finish-unv2[.]php?phishing-processor
  • hxxps://gpxsmtp[.]com/email-list/finish-unv2[.]php
  • hxxps://webpicture.cc/email-list/finish-unv2[.]php
  • hxxps://Faileduebpicture.cc/email-list/finish-unv2[.]php
  • hxxps://Failedsendapidata[.]com/email-list/finish-unv2[.]php
  • hxxps://webpicture.cc/email-list/finish-unv2[.]php?phishing-processor
  • hxxps://prvtsmtp[.]com/email-list/finish-unv2[.]php
  • hxxps://webpicture.cc/email-list/finish-unv2.ph
  • hxxps://apiserverdata1[.]com/email-list/finish-unv2[.]php
  • hxxps://sendapidata[.]com/email-list/finish-unv2[.]php

Password-processing domains:

  • hxxps://apidatacss[.]com
  • hxxps://apiserverdata1[.]com
  • hxxps://baller[.]top
  • hxxps://datacenter01.us
  • hxxps://f1smtp[.]com
  • hxxps://ghostsmtp[.]com
  • hxxps://gpxsmtp[.]com
  • hxxps://gurl101[.]services
  • hxxps://hostprivate[.]us
  • hxxps://josmtp[.]com
  • hxxps://link101[.]bid
  • hxxps://linuxsmtp[.]com
  • hxxps://migration101[.]us
  • hxxps://panelsmtp[.]com
  • hxxps://racksmtp[.]com
  • hxxps://rosmtp[.]com
  • hxxps://rxasmtp[.]com
  • hxxps://thegreenmy87[.]com
  • hxxps://vitme[.]bid
  • hxxps://voksmtp[.]com
  • hxxps://winsmtp[.]com
  • hxxps://trasactionsmtp[.]com
  • hxxps://moneysmtp[.]com
  • hxxps://foxsmtp[.]com
  • hxxps://bomohsmtp[.]com
  • hxxps://webpicture[.]cc
  • hxxps://Faileduebpicture[.]cc
  • hxxps://Failedsendapidata[.]com
  • hxxps://prvtsmtp[.]com
  • hxxps://sendapidata[.]com
  • hxxps://smtptemp.site
  • hxxps://plutosmto[.]com
  • hxxps://laptopdata[.]xyz
  • hxxps://jupitersmt[.]com
  • hxxps://earthsmtp[.]com
  • hxxps://feesmtp[.]com
  • hxxps://Failedghostsmtp[.]com
  • hxxps://dasmtp[.]com
  • hxxps://mexsmtp[.]com
  • hxxps://mainsmtp[.]com
  • hxxps://valvadi101[.]com
  • hxxps://ses-smtp[.]com

The post Catching the big fish: Analyzing a large-scale phishing-as-a-service operation appeared first on Microsoft Security Blog.

Trend-spotting email techniques: How modern phishing emails hide in plain sight

August 18th, 2021 No comments

With the massive volume of emails sent each day, coupled with the many methods that attackers use to blend in, identifying the unusual and malicious is more challenging than ever. An obscure Unicode character in a few emails is innocuous enough, but when a pattern of emails containing this obscure character accompanied by other HTML quirks, strange links, and phishing pages or malware is observed, it becomes an emerging attacker trend to investigate. We closely monitor these kinds of trends to gain insight into how best to protect customers.

This blog shines a light on techniques that are prominently used in many recent email-based attacks. We’ve chosen to highlight these techniques based on their observed impact to organizations, their relevance to active email campaigns, and because they are intentionally designed to be difficult to detect. They hide text from users, masquerade as the logos of trusted companies, and evade detection by using common web practices that are usually benign:

  • Brand impersonation with procedurally-generated graphics
  • Text padding with invisible characters
  • Zero-point font obfuscation
  • Victim-specific URI

We’ve observed attackers employ these tricks to gain initial access to networks. Although the examples we present were primarily seen in credential theft attacks, any of these techniques can be easily adapted to deliver malware.

By spotting trends in the threat landscape, we can swiftly respond to potentially malicious behavior. We use the knowledge we gain from our investigations to improve customer security and build comprehensive protections. Through security solutions such as Microsoft Defender for Office 365 and the broader Microsoft 365 Defender, we deliver durable and comprehensive protection against the latest attacker trends.

Brand impersonation with procedurally-generated graphics

We have observed attackers using HTML tables to imitate the logos and branding of trusted organizations. In one recent case, an attacker created a graphic resembling the Microsoft logo by using a 2×2 HTML table and CSS styling to closely match the official branding.

Spoofed logos created with HTML tables allow attackers to bypass brand impersonation protections. Malicious content arrives in users’ inboxes, appearing to recipients as if it were a legitimate message from the company. While Microsoft Defender for Office 365 data shows a decline in the usage of this technique over the last few months, we continue to monitor for new ways that attackers will use procedurally-generated graphics in attacks.

Figure 1. Tracking data for small 2×2 HTML tables

How it works

A graphic resembling a trusted organization’s official logo is procedurally generated from HTML and CSS markup. It’s a fileless way of impersonating a logo, because there are no image files for security solutions to detect. Instead, the graphic is constructed out of a specially styled HTML table that is embedded directly in the email.

Of course, inserting an HTML table into an email is not malicious on its own. The malicious pattern emerges when we view this technique in context with the attacker’s goals.

Two campaigns that we have been tracking since April 2021 sent targets emails that recreated the Microsoft logo. They impersonated messages from Office 365 and SharePoint. We observed the following email subjects:

  • Action Required: Expiration Notice On <Email Address>
  • Action Required: 3 Pending Messages sent <date>
  • New 1 page incoming eFax© message for “<Email Alias>”

Figure 2. Sample emails that use HTML code to embed a table designed to mimic the Microsoft logo

Upon extracting the HTML used in these emails, Microsoft analysts determined that the operators used the HTML table tag to create a 2×2 table resembling the Microsoft logo. The background color of each of the four cells corresponded to the colors of the quadrants of the official logo.

Figure 3. Page source of the isolated HTML mimicking the Microsoft logo

HTML and CSS allow for colors to be referenced in several different ways. Many colors can be referenced in code via English language color names, such as “red” or “green”. Colors can also be represented using six-digit hexadecimal values (e.g., #ffffff for white and #000000 for black), or by sets of three numbers, with each number signifying the amount of red, green, or blue (RGB) to combine. These methods allow for greater precision and variance, as the designer can tweak the numbers or values to customize the color’s appearance.

Figure 4. Color values used to replicate the Microsoft logo

As seen in the above screenshot, attackers often obscure the color references to the Microsoft brand by using color names, hexadecimal, and RGB to color in the table. By switching up the method they use to reference the color, or slightly changing the color values, the attacker can further evade detection by increasing variance between emails.
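The variance described above is exactly what a detector has to absorb: the same four colors can be written as names, hex triplets, or rgb() values, and the values can be nudged a little from email to email. The following Python is an added example written for this page (it is not Microsoft's detection logic) showing one way to normalize all three CSS color notations to RGB and flag 2×2 tables whose cells approximate a reference palette within a tolerance. The palette values, the small named-color table and the sample email are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser

# Reference palette for the four logo quadrants. Assumed, approximate values
# for this example; the blog does not list the attackers' exact colors.
LOGO_PALETTE = {
    "red": (0xF2, 0x50, 0x22),
    "green": (0x7F, 0xBA, 0x00),
    "blue": (0x00, 0xA4, 0xEF),
    "yellow": (0xFF, 0xB9, 0x00),
}

# Small CSS named-color table; a production filter would carry the full list.
NAMED_COLORS = {
    "red": (255, 0, 0), "green": (0, 128, 0), "blue": (0, 0, 255),
    "yellow": (255, 255, 0), "orangered": (255, 69, 0), "gold": (255, 215, 0),
    "dodgerblue": (30, 144, 255), "limegreen": (50, 205, 50),
    "white": (255, 255, 255), "black": (0, 0, 0),
}

# First color-looking token in a (possibly shorthand) background value.
COLOR_TOKEN = re.compile(r"rgba?\([^)]*\)|#[0-9a-f]{3,6}|[a-z]+", re.I)


def parse_color(value):
    """Normalize a CSS color (name, #rgb, #rrggbb, rgb()/rgba()) to an (r, g, b) tuple."""
    v = value.strip().lower()
    if v in NAMED_COLORS:
        return NAMED_COLORS[v]
    m = re.fullmatch(r"#([0-9a-f]{3}|[0-9a-f]{6})", v)
    if m:
        h = m.group(1)
        if len(h) == 3:                       # #abc is shorthand for #aabbcc
            h = "".join(c * 2 for c in h)
        return tuple(int(h[i:i + 2], 16) for i in (0, 2, 4))
    m = re.fullmatch(r"rgba?\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)(?:\s*,\s*[\d.]+)?\s*\)", v)
    if m:
        return tuple(min(255, int(x)) for x in m.groups())
    return None                               # hsl(), gradients, url() are out of scope


def color_distance(a, b):
    """Euclidean distance in RGB space; absorbs the small value tweaks attackers use."""
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def matches_palette(colors, palette=LOGO_PALETTE, tolerance=60):
    """True when every palette color is approximated by a distinct cell color."""
    remaining = list(colors)
    for ref in palette.values():
        if not remaining:
            return False
        best = min(remaining, key=lambda c: color_distance(c, ref))
        if color_distance(best, ref) > tolerance:
            return False
        remaining.remove(best)
    return True


class TableCollector(HTMLParser):
    """Records, for every <table>, the background color of each cell, row by row."""

    def __init__(self):
        super().__init__()
        self.stack = []    # tables currently open (nested tables are handled)
        self.tables = []   # finished tables: list of rows, each a list of colors

    @staticmethod
    def cell_color(attrs):
        attrs = dict(attrs)
        m = re.search(r"background(?:-color)?\s*:\s*([^;]+)", attrs.get("style") or "", re.I)
        value = m.group(1) if m else attrs.get("bgcolor")   # style wins over bgcolor
        if not value:
            return None
        token = COLOR_TOKEN.search(value)
        return parse_color(token.group(0)) if token else None

    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self.stack.append([])
        elif tag == "tr" and self.stack:
            self.stack[-1].append([])
        elif tag in ("td", "th") and self.stack and self.stack[-1]:
            self.stack[-1][-1].append(self.cell_color(attrs))

    def handle_endtag(self, tag):
        if tag == "table" and self.stack:
            self.tables.append(self.stack.pop())


def find_logo_tables(html):
    """Return the cell colors of every 2x2 table whose cells approximate the palette."""
    parser = TableCollector()
    parser.feed(html)
    hits = []
    for rows in parser.tables:
        cells = [c for row in rows for c in row]
        if len(rows) == 2 and all(len(r) == 2 for r in rows) and None not in cells:
            if matches_palette(cells):
                hits.append(cells)
    return hits


# Constructed sample: a spoofed logo mixing all three notations, next to a
# harmless 2x2 layout table with plain white cells that must not be flagged.
SAMPLE_EMAIL = """
<table cellpadding="0" cellspacing="2">
  <tr><td style="background-color: orangered; width:10px; height:10px"></td>
      <td bgcolor="#7FBA00" style="width:10px; height:10px"></td></tr>
  <tr><td style="background: rgb(0, 164, 239)"></td>
      <td style="background-color:gold"></td></tr>
</table>
<table><tr><td bgcolor="white">Hi</td><td bgcolor="#fff">there</td></tr>
       <tr><td bgcolor="white">Sign in</td><td bgcolor="#ffffff">to continue</td></tr></table>
"""

if __name__ == "__main__":
    for cells in find_logo_tables(SAMPLE_EMAIL):
        print("possible procedurally generated logo:", cells)
```

The tolerance is the knob that matters: too tight and a one-unit change in a hex value evades the check, too loose and ordinary colorful layout tables start matching. A useful next step in practice is to feed the normalized tuples (rather than the raw strings) into whatever similarity or clustering logic tracks the campaign, so that notation switches collapse into one feature.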

Text padding with invisible characters

In several observed campaigns, attackers inserted invisible Unicode characters to break up keywords in an email body or subject line in an attempt to bypass detection and automated security analysis. Certain characters in Unicode indicate extremely narrow areas of whitespace, or are not glyphs at all and are not intended to render on screen.

Some invisible Unicode characters that we have observed being used maliciously include:

  • Soft hyphen (U+00AD)
  • Word joiner (U+2060)

Both of these are control characters that affect how other characters are formatted. They are not glyphs and would not even be visible to readers, in most cases. As seen in the following graph, the use of the soft hyphen and word joiner characters has seen a steady increase over time. These invisible characters are not inherently malicious, but seeing an otherwise unexplained rise of their use in emails indicates a potential shift in attacker techniques.

Figure 5. Tracking data for the invisible character obfuscation technique

How it works

When a recipient views a malicious email containing invisible Unicode characters, the text content may appear indistinguishable from any other email. Although not visible to readers, the extra characters are still included in the body of the email and are “visible” to filters or other security mechanisms. If attackers insert extra, invisible characters into a word they don’t want security products to “see,” the word might be treated as qualitatively different from the same word without the extra characters. This allows the keyword to evade detection even if filters are set to catch the visible part of the text.

Invisible characters do have legitimate uses. They are, for the most part, intended for formatting purposes: for instance, to indicate where to split a word when the whole word can’t fit on a single line. However, an unintended consequence of these characters not displaying like ordinary text is that malicious email campaign operators can insert the characters to evade security.

The animated GIF below shows how the soft hyphen characters are typically used in a malicious email. The soft hyphen is placed between each letter in the red heading to break up several key words. It’s worth noting that the soft hyphens are completely invisible to the reader until the text window is narrowed and the heading is forced to break across multiple lines.

Figure 6. Animation showing the use of the invisible soft hyphen characters

In the following example, a phishing email has had invisible characters inserted into the email body: specifically, in the “Keep current Password” text that links the victim to a phishing page.

Figure 7. Microsoft Office 365 phishing email using invisible characters to obfuscate the URL text.

The email appears by all means “normal” to the recipient; however, attackers have slyly added invisible characters in between the text “Keep current Password.” Clicking the URL directs the user to a phishing page impersonating the Microsoft single sign-on (SSO) page.

In some campaigns, we have seen the invisible characters applied to every word, especially any word referencing Microsoft or Microsoft products and services.

Zero-point font obfuscation

This technique involves inserting hidden words with a font size of zero into the body of an email. It is intended to throw off machine learning detections, by adding irrelevant sections of text to the HTML source making up the email body. Attackers can successfully obfuscate keywords and evade detection because recipients can’t see the inserted text—but security solutions can.

Microsoft Defender for Office 365 has been blocking malicious emails with zero-point font obfuscation for many years now. However, we continue to observe its usage regularly.

Figure 8. Tracking data for emails containing zero-point fonts experienced surges in June and July 2021

How it works

Similar to how there are many ways to represent colors in HTML and CSS, there are also many ways to indicate font size. We have observed attackers using the following styling to insert hidden text via this technique:

  • font-size: 0px
  • font-size: 0.0000em
  • font-size: 0vw
  • font-size: 0%
  • font: italic bold 0.0px Georgia, serif
  • font: italic bold 0em Georgia, serif
  • font: italic bold 0vw Georgia, serif
  • font: italic bold 0% Georgia, serif

Being able to add zero-width text to a page is a quirk of HTML and CSS. It is sometimes used legitimately for adding metadata to an email or to adjust whitespace on a page. Attackers repurpose this quirk to break up words and phrases a defender might want to track, whether to raise an alert or block the content entirely. As with the invisible Unicode character technique, certain kinds of security solutions might treat text containing these extra characters as distinct from the same text without the zero-width characters. This allows the visible keyword text to slip past security.

In a July 2021 phishing campaign blocked by Microsoft Defender for Office 365, the attacker used a voicemail lure to entice recipients into opening an email attachment. Hidden, zero-width letters were added to break up keywords that might otherwise have been caught by a content filter. The following screenshot shows how the email appeared to targeted users.

Figure 9. Sample email that uses the zero-point font technique

Those with sharp eyes might be able to spot the awkward spaces where the attacker inserted letters that are fully visible only within the HTML source code. In this campaign, the obfuscation technique was also used in the malicious email attachment, to evade file-hash based detections.

Figure 10. The HTML code of the email body, exposing the use of the zero-point font technique
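Both the invisible-character padding described earlier and the zero-point font technique shown here defeat the same class of filter: one that matches keywords against the raw HTML instead of against what the recipient actually sees. The Python below is an added example written for this page (not Microsoft's code) that serves both sections: it rebuilds the recipient-visible text by dropping elements whose inline style sets a zero font size in any of the notations listed above, strips Unicode format characters such as the soft hyphen and word joiner, and reports how much text was hidden and which keywords appear only after normalization. Generalizing the check to the whole Unicode "Cf" (format) category, the keyword list and the sample email are assumptions of the example.

```python
import re
import unicodedata
from html.parser import HTMLParser

# A zero length in any CSS unit: 0, 0px, 0.0000em, 0vw, 0% ...
ZERO_LEN = re.compile(r"^0+(?:\.0+)?(?:px|em|rem|pt|vw|vh|%)?$", re.I)


def style_hides_text(style):
    """True when an inline style sets a zero font size, directly or via the font shorthand."""
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        prop, value = (s.strip().lower() for s in decl.split(":", 1))
        if prop == "font-size" and ZERO_LEN.match(value):
            return True
        if prop == "font":
            # "font: italic bold 0.0px Georgia, serif" -> the size is one of the tokens
            tokens = [t for part in value.split("/") for t in part.split()]
            if any(ZERO_LEN.match(t) for t in tokens):
                return True
    return False


class VisibleTextExtractor(HTMLParser):
    """Rebuilds the text a recipient sees, collecting zero-font (hidden) text separately."""
    VOID = {"br", "img", "hr", "input", "meta", "link"}
    BLOCK = {"p", "div", "tr", "li", "h1", "h2", "h3", "table"}

    def __init__(self):
        super().__init__()
        self.stack = []        # one bool per open element: does it hide its text?
        self.hidden_depth = 0  # > 0 while inside at least one hiding element
        self.visible = []
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            if tag == "br":
                self.visible.append("\n")
            return
        hides = tag in ("style", "script") or style_hides_text(dict(attrs).get("style") or "")
        self.stack.append(hides)
        self.hidden_depth += hides

    def handle_endtag(self, tag):
        if tag in self.VOID or not self.stack:
            return
        self.hidden_depth -= self.stack.pop()   # assumes reasonably well-formed markup
        if tag in self.BLOCK and not self.hidden_depth:
            self.visible.append("\n")

    def handle_data(self, data):
        (self.hidden if self.hidden_depth else self.visible).append(data)


def strip_invisible(text):
    """Remove Unicode format characters (category Cf, which includes U+00AD and
    U+2060) and return the cleaned text plus a tally of what was removed."""
    tally, kept = {}, []
    for ch in text:
        if unicodedata.category(ch) == "Cf":
            name = unicodedata.name(ch, "U+%04X" % ord(ch))
            tally[name] = tally.get(name, 0) + 1
        else:
            kept.append(ch)
    return "".join(kept), tally


def analyse_email(html, keywords=("password", "voicemail", "microsoft")):
    """Compare keyword hits on the raw HTML with hits on the recipient-visible text."""
    parser = VisibleTextExtractor()
    parser.feed(html)
    visible, tally = strip_invisible("".join(parser.visible))
    hidden = "".join(parser.hidden)
    collapsed = re.sub(r"\s+", " ", visible).strip().lower()
    total = len(collapsed) + len(hidden)
    return {
        "visible_text": collapsed,
        "hidden_chars": len(hidden),
        "hidden_ratio": len(hidden) / total if total else 0.0,
        "invisible": tally,
        "keywords": [k for k in keywords if k in collapsed],
        "keywords_in_raw_html": [k for k in keywords if k in html.lower()],
    }


# Constructed sample: soft hyphens and a word joiner inside "current Password",
# plus zero-font spans splitting "voicemail" and "Microsoft".
SAMPLE = (
    "<html><body>"
    "<p style='color:red'>Keep cur\u00adr\u00adent Pass\u2060word</p>"
    "<p>You have a new voice<span style='font-size:0px'>zq</span>mail from "
    "Micro<span style='font: italic bold 0.0em Georgia, serif'>xx</span>soft</p>"
    "</body></html>"
)

if __name__ == "__main__":
    for key, value in analyse_email(SAMPLE).items():
        print(f"{key}: {value}")
```

The interesting output is the gap between `keywords_in_raw_html` (empty for the sample, because every keyword is broken up) and `keywords` (all three, once the message is rendered the way a reader sees it). The `hidden_ratio` and the `invisible` tally are the kind of signals the tracking graphs above are built on: neither is malicious on its own, but a large amount of zero-font text or a cluster of soft hyphens inside brand names in a sign-in themed message is worth weighting.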

Victim-specific URI

Victim-specific URI is a way of transmitting information about the target and creating dynamic content based upon it. In this technique, a custom URI crafted by the attacker passes information about the target to an attacker-controlled website. This aids in spear-phishing by personalizing content seen by the intended victim. This is often used by the attacker to create legitimate-seeming pages that impersonate the Single Sign On (SSO) experience.

The following graph shows cyclic surges in email content, specifically links that have an email address included as part of the URI. Since custom URIs are such a common web design practice, their usage always returns to a steady baseline in between peaks. The surges appear to be related to malicious activity, since attackers will often send out large numbers of spam emails over the course of a campaign.

Figure 11. Tracking data for emails containing URLs with email address in the PHP parameter

In a campaign Microsoft analysts observed in early May 2021, operators generated tens of thousands of subdomains from Google’s Appspot, creating unique phishing sites and victim identifiable URIs for each recipient. The technique allowed the operators to host seemingly legitimate Microsoft-themed phishing sites on third-party infrastructure.

How it works

The attacker sends the target an email, and within the body of the email is a link that includes special parameters as part of the web address, or URI. The custom URI parameters contain information about the target. These parameters often utilize PHP, as PHP is a programming language frequently used to build websites with dynamic content—especially on large platforms such as Appspot.

Details such as the target’s email address, alias, or domain are sent via the URI to an attacker-controlled web page when the user visits the link. The attacker’s web page pulls the details from the parameters and uses them to present the target with personalized content. This can help the attacker make malicious websites more convincing, especially if they are trying to mimic a user logon page, as the target will be greeted by their own account name.

Custom URIs containing user-specific parameters are not always, or even often, malicious. They are commonly used by all kinds of web developers to transmit pertinent information about a request. A query to a typical search engine will contain numerous parameters concerning the nature of the search as well as information about the user, so that the search engine can provide users with tailored results.

However, in the victim identifiable URI technique, attackers repurpose a common web design practice to malicious ends. The tailored results seen by the target are intended to trick them into handing over sensitive information to an attacker.

In the Compact phishing campaign described by WMC Global and tracked by Microsoft, this technique allowed the operators to host Microsoft-themed phishing sites on any cloud infrastructure, including third-party platforms such as Google’s Appspot. Microsoft’s own research into the campaign in May noted that not only tens of thousands of individual sites were created, but that URIs were crafted for each recipient, and the recipient’s email address was included as a parameter in the URI.

Newer variants of the May campaign started to include links in the email, which routed users through a compromised website, to ultimately redirect them to the Appspot-hosted phishing page. Each hyperlink in the email template used in this version of the campaign was structured to be unique to the recipient.

The recipient-specific information passed along in the URI was used to render their email account name on a custom phishing page, attempting to mimic the Microsoft Single Sign On (SSO) experience. Once on the phishing page, the user was prompted to enter their Microsoft account credentials. Entering that information would send it to the attacker.
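Because parameterized links are ordinary web practice, the useful signal on the defender's side is not "the URL has parameters" but "the URL carries the recipient's own identity". The Python below is an added example for this page (not Microsoft's hunting logic) that extracts every link from a message body and reports where a full email address appears (query parameter, path or fragment), whether the recipient's alias is embedded even without an `@`, and how many host labels the link has, which helps spot the mass-generated subdomains described above. The sample message, its `.invalid`/`.example` hosts and the alias-length threshold are constructed assumptions of the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}", re.I)


class LinkCollector(HTMLParser):
    """Collects every <a href> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.links.append(href)


def email_locations(url):
    """Return where a full e-mail address appears in the URL: ("query", <parameter
    name>), ("path", None) or ("fragment", None)."""
    parts = urlsplit(url)
    found = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if EMAIL_RE.search(value):              # parse_qsl already percent-decodes
            found.append(("query", name))
    for where, text in (("path", parts.path), ("fragment", parts.fragment)):
        if EMAIL_RE.search(unquote(text)):
            found.append((where, None))
    return found


def analyse_links(html, recipient=None):
    """Score each link in an email body for recipient-identifying content."""
    collector = LinkCollector()
    collector.feed(html)
    alias = recipient.partition("@")[0].lower() if recipient else ""
    report = []
    for href in collector.links:
        parts = urlsplit(href)
        found = email_locations(href)
        # The alias alone (no '@') still personalises the landing page; the length
        # floor is an assumed guard against very short aliases matching by accident.
        alias_hit = len(alias) >= 4 and alias in unquote(href).lower()
        report.append({
            "url": href,
            "host": parts.hostname,
            "host_labels": len((parts.hostname or "").split(".")),
            "email_in": found,
            "recipient_alias_in_url": alias_hit,
            "suspicious": bool(found) or alias_hit,
        })
    return report


# Constructed sample message; .invalid and .example are reserved names, not real sites.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full.</p>
<a href="https://search-demo.invalid/results?q=how+to+free+mailbox+space">help article</a>
<a href="https://tenant-x9f2k1.sso-demo.invalid/login.php?email=alice.smith%40contoso.example&amp;src=mail">Sign in</a>
<a href="https://redirect-demo.invalid/go#alice.smith@contoso.example">Keep current Password</a>
<a href="https://cdn-demo.invalid/u/alice.smith/verify">Verify now</a>
"""

if __name__ == "__main__":
    for row in analyse_links(SAMPLE_EMAIL, recipient="alice.smith@contoso.example"):
        flag = "SUSPICIOUS" if row["suspicious"] else "ok"
        print(f"{flag:10} {row['host']:32} labels={row['host_labels']} "
              f"{row['email_in']} alias={row['recipient_alias_in_url']}")
```

Run over real mail flow, the `email_in` and `recipient_alias_in_url` fields are what you would pivot on, and `host_labels` together with a count of distinct hosts per sending campaign is a cheap way to surface the "tens of thousands of subdomains" pattern without needing a list of the hosting platforms involved. A search engine link with a generic query, like the first sample link, correctly scores as clean.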

Microsoft Defender for Office 365 delivers protection powered by threat intelligence

As the phishing techniques we discussed in this blog show, attackers use common or standard aspects of emails to hide in plain sight and make attacks very difficult to detect or block. With our trend tracking in place, we can make sense of suspicious patterns, and notice repeated combinations of techniques that are highly likely to indicate an attack. This enables us to ensure we protect customers from the latest evasive email campaigns through Microsoft Defender for Office 365. We train machine learning models to keep an eye on activity from potentially malicious domains or IP addresses. Knowing what to look out for, we can rule out false positives and focus on the bad actors.

This has already paid off. Microsoft Defender for Office 365 detected and protected customers from sophisticated phishing campaigns, including the Compact campaign. We also employed our knowledge of prevalent trends to hunt for a ransomware campaign that might have otherwise escaped notice. We swiftly opened an investigation to protect customers from what seemed at first like a set of innocuous emails.

Trend tracking helps us to expand our understanding about prevalent attacker tactics and to improve existing protections. We’ve already set up rules to detect the techniques described in this blog. Our understanding of the threat landscape has led to better response times to critical threats. Meanwhile, deep within Microsoft Defender for Office 365, rules for raising alerts are weighted so that detecting a preponderance of suspicious techniques triggers a response, while legitimate emails are allowed to travel to their intended inboxes.

Threat intelligence also drives what new features are developed, and which rules are added. In this way, generalized trend tracking leads to concrete results. Microsoft is committed to using our knowledge of the threat landscape to continue to track trends, build better protections for our products, and share intelligence with the greater online community.

Learn how to protect all of Office 365 against advanced threats like business email compromise and credential phishing with Microsoft Defender for Office 365.

Microsoft 365 Defender Threat Intelligence Team

The post Trend-spotting email techniques: How modern phishing emails hide in plain sight appeared first on Microsoft Security Blog.