The GoSecure Titan Inbox Detection and Response (IDR) team recently discovered yet another targeted spear-phishing campaign. The campaign targeted over 150 organizations encompassing a varying array of industries from Financial, Automotive, Technology, and Defense Contractors.

The samples utilize many common Business Email Compromise traits. The From is masked to look like it is coming from within the company, there is an attachment of a

targeted-spear-phishing_image-feature
“receipt”, and the Subject denoting that a file is being received. The bad actor went further and attempted to mask it as a Microsoft Office 365 automated email by putting in the Body of the message “Sent Via Microsoft OneDrive”.
targeted-spear-phishing_image-feature
The GoSecure Titan Inbox Detection and Response (IDR) team recently discovered yet another targeted spear-phishing campaign. The campaign targeted over 150 organizations encompassing a varying array of industries from Financial, Automotive, Technology, and Defense Contractors.

The samples utilize many common Business Email Compromise traits. The From is masked to look like it is coming from within the company, there is an attachment of a “receipt”, and the Subject denoting that a file is being received. The bad actor went further and attempted to mask it as a Microsoft Office 365 automated email by putting in the Body of the message “Sent Via Microsoft OneDrive”.

targeted-spear-phishing_image-1
Upon examination of the attachment, it opens the browser and shows a “Secured Document” page prompting the user to log in to view the file. The page looks similar to that of many digital signature sites.
targeted-spear-phishing_image-2
Here is where it gets interesting. Investigating further, we find that the targeted user’s email address and company name are hardcoded into the HTM file. This hardcoding indicates that each attack was uniquely generated to target specific users within their respective organizations.

Further analysis showed that the credentials entered would be sent to hxxps://tradershost[.]com/REDACTED/send.php:

targeted-spear-phishing_image-3
When visiting this page, the browser displays a JSON reply of {“msg”:”empty”} which indicates this phishing kit has its own API. Removing send.php from the URL returns a directory index that lists other pages in the kit. This novice or possibly lazy move of not turning off the directory index display helped in the investigation. One of the pages hosted was marked “admin@paperfoxla.com.txt”. This file appears to be the ‘database’ file of all the usernames and passwords collected so far by this campaign.

GoSecure Titan IDR analyst investigation discovered the Tradershost[.]com website is hosted on an Apache server and appeared to be solely for the use of malicious activity. The content of the website was a PHP web application masked to look like a Stock Trading company.

targeted-spear-phishing_image-4
targeted-spear-phishing_image-5
Through all our research, one thing, in particular, stood out. In the credential files was a name that was taking claim for the spear phishing:
– by *DH4 VIP3R L337 –
Searching for that name on Google revealed multiple websites which contained the same string. One such website was “viperserver11[.]xyz” and included copies of the same phishing kit. These kits, however, appeared to be testing the bad actor’s phishing kit.

GoSecure Titan IDR analysts discovered another website, “uswidefiinancial[.]com”, which appeared to be another hosted phishing campaign.

targeted-spear-phishing_image-6
Our investigation identified one possible slip-up by the bad actor. On the testing that the bad actor did, the same IP addresses showed up. The first IP address, 45.41.180.81, was used by a consumer VPN provider. However (and noted in the above picture), a second address was found. That address, 105.161.23.111, was owned by Safaricom Limited, an ISP in Nairobi, Kenya.

Wrapping up our investigation, we were able to find the bad actor’s name as a YouTube channel. While activity was limited to a single upload from 2016, it is a video from the country we all know when it comes to spam and phishing, Nigeria. Just maybe our Nigerian Prince friend finally ran out of money and changed his occupation.

Using Privacy as a Shield

The bad actor used products and services commonly used to host websites, email, and e-commerce safely, securely, and privately. For example, many hosting companies, including NameCheap, have a service that provides privacy on the WHOIS of a domain. For most, this helps small companies and individuals not to be bombarded with emails and phone calls telling them they can make you the most amazing website or try and push services that are not necessarily needed. However, in the hands of a bad actor, this allows them to mask the information that could help track them down.

All three domains “viperserver11[.]xyz”, “tradershost[.]com”, and “uswidefiinancial[.]com” were masked behind these services to make it harder to gather information. “viperserver11[.]xyz” was utilizing Cloudflare, so the IP address of the server running the site could not be easily discovered. The other two were registered and hosted with NameCheap, a registrar who has a very strict policy of privacy.

Final Thought

The organizations targeted by the campaign come in all sizes, including some very well-known Fortune 500 and Government organizations. It’s comforting to believe that, given the size and cybersecurity budget, some of these organizations are protected from such attacks. As this campaign illustrates, cybercriminals continue to find ways to bypass traditional email gateway solutions, leaving imperfect humans as the organization’s final line of defense. By the time GoSecure Titan IDR analysts discovered the primary server behind this attack, the cybercriminals had already collected 211 unique usernames and passwords from 159 different organizations. Imperfect humans indeed.

GoSecure Titan® Managed Extended Detection & Response (MXDR)​

GoSecure Titan® Managed Extended Detection & Response (MXDR)​ Foundation

GoSecure Titan® Vulnerability Management as a Service (VMaaS)

GoSecure Titan® Managed Security Information & Event Monitoring (SIEM)

GoSecure Titan® Managed Perimeter Defense​ (MPD)

GoSecure Titan® Inbox Detection and Response (IDR)

GoSecure Titan® Platform

GoSecure Professional Security Services

Incident Response Services

Security Maturity Assessment

Privacy Services

PCI DSS Services

Penetration Testing Services​

Security Operations

MicrosoftLogo

GoSecure MXDR for Microsoft

Comprehensive visibility and response within your Microsoft security environment

USE CASES

Cyber Risks

Risk-Based Security Measures

Sensitive Data Security

Safeguard sensitive information

Private Equity Firms

Make informed decisions

Cybersecurity Compliance

Fulfill regulatory obligations

Cyber Insurance

A valuable risk management strategy

Ransomware

Combat ransomware with innovative security

Zero-Day Attacks

Halt zero-day exploits with advanced protection

Consolidate, Evolve & Thrive

Get ahead and win the race with the GoSecure Titan® Platform

24/7 MXDR FOUNDATION

GoSecure Titan® Endpoint Detection and Response (EDR)

GoSecure Titan® Next Generation Antivirus (NGAV)

GoSecure Titan® Network Detection and Response (NDR)

GoSecure Titan® Inbox Detection and Reponse (IDR)

GoSecure Titan® Intelligence

ABOUT GOSECURE

GoSecure is a recognized cybersecurity leader and innovator, pioneering the integration of endpoint, network, and email threat detection into a single Managed Extended Detection and Response (MXDR) service. For over 20 years, GoSecure has been helping customers better understand their security gaps and improve their organizational risk and security maturity through MXDR and Professional Services solutions delivered by one of the most trusted and skilled teams in the industry.

LATEST PRESS RELEASE

GOSECURE BLOG

SECURITY ADVISORIES

24/7 Emergency – (888)-287-5858