“All-in-One” Phish Gives Malaysians a Choice…of Phony Sites

Recently, PhishMe® recorded suspicious messages that spoofed bnm.gov.my, the domain for the central bank of Malaysia, Bank Negara. The emails concerned a Funds transfer.

Figure 1  Initial phishing message

Red Flags Right Away

The spoofed sending address belongs to a U.S.-based employee account on a high-reputation .ORG domain.  (Red Flag number 1: The friendly-name portion of the sender does not match the email address.)  Addresses on .ORG and university (.EDU) domains are frequently used to bypass spam filters that are configured to allow messages through only when they appear to come from a sending domain with a good reputation.

However, the email headers reveal that the messages originated from the Chinese IP addresses 113.0.71[.]105 (Unicom) and 183.166.66[.]188 (Chinanet).

The brief message suggested that the recipient view the attached Word document. (Red Flag number 2: The recipient is not expecting a file from this sender.)  But the attached document[1] delivered a URL shortener link[2] to verify an account credit over $10,000.  (Red Flag number 3: We know that phishers try to appeal to our emotions, including greed.)

Figure 2  PDF document attached to the phishing message

Which Bogus Site Would You Prefer?

Because the URL was shortened using the Bit.ly service, some brief statistics are publicly available; they reveal over 8,000 clicks on the link since it was established on October 23rd at approximately 3pm Malaysia Time, about 3.5 hours before the phishing messages were sent.

Figure 3  Statistics viewable at hxxps://bit[.]ly/2z0apph+

Oddly, less than 5% of the clicks recorded by Bit.ly were made by Malaysians, and about one-fourth of the clicks were made in the Czech Republic.

The link led to a landing page (see Figure 4 below) on the compromised domain polymaxtpe[.]com[3] that spoofs the central bank of Malaysia and lets the victim click on their preferred bank. This is what some researchers call an all-in-one phish.

Figure 4  Landing page of the phishing scam

Each of the bank links initially led to customized phishing pages on the domain techliveassist[.]com[4] but later redirected to pages on the compromised domain missmmarketing[.]com[.]au,[5] like the one below for victims who select the Standard Chartered link.

Figure 5  Standard Chartered branch of larger scam impersonating several banks with users in Malaysia

Just the Latest in a Series of Malaysian Banking Scams

This is not the first time we have seen such an all-in-one phish that apparently targets Malaysians with links to several phishing pages for various banks with a presence in Malaysia. The bank selection this time included Affin Bank Berhad, Agro Bank, Alliance Bank, AmBank, Bank Islam, Bank Rakyat, CIMB Bank, Citi, Hong Leong Bank, Bank Muamalat, Kuwait Finance House, Maybank, OCBC Bank, Public Bank Berhad, RHB Bank, Standard Chartered, and United Overseas Bank.

PhishMe analysts recorded every step for one of the banks and noted that the criminals are collecting several pieces of personally identifiable information (PII), including online banking username and password, date of birth, mobile phone number, the concurrently-generated one-time PIN, and email address. The final step warns the victim not to try to log in for the next 24 hours while the database is being updated.

Banks whose customers are being targeted by these phish can examine their logs for attempts to access multiple bank accounts online from one IP address in a short time frame. Enterprises can check logs to identify whether employees may have visited these phishing sites by looking for connections to the hosts previously mentioned and to the URLs of the 17 bank logos.[6]
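As an added illustration of the two log checks just described (example code, not from the original post), the Python below flags source IPs that touch several distinct online-banking accounts within a short window and lists internal clients that requested the hosts named above. The log formats and every sample line are constructed for the example; the hosts are the ones the post names, kept defanged.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample data (not real bank or proxy records): one online-banking
# sign-in attempt per LOGIN_LOG line, one outbound web request per PROXY_LOG line.
LOGIN_LOG = """\
2017-10-23T18:40:01Z 203.0.113.45 login account=1001 result=fail
2017-10-23T18:40:09Z 203.0.113.45 login account=2002 result=ok
2017-10-23T18:40:30Z 203.0.113.45 login account=3003 result=ok
2017-10-23T18:41:12Z 203.0.113.45 login account=4004 result=fail
2017-10-23T18:42:55Z 198.51.100.7 login account=5005 result=ok
2017-10-23T18:55:00Z 198.51.100.7 login account=5005 result=ok
2017-10-23T19:30:00Z 203.0.113.45 login account=6006 result=ok
"""
PROXY_LOG = """\
2017-10-23T18:36:10Z 10.0.0.21 GET http://polymaxtpe.com/LNcNFsKg/index.php 200
2017-10-23T18:36:41Z 10.0.0.21 GET https://www.techliveassist.com/NXYu3qQR/cimb/ 200
2017-10-23T18:37:05Z 10.0.0.33 GET https://www.example.com/ 200
"""
# Hosts named in the post, kept defanged exactly as the post writes them.
PHISH_HOSTS = ["polymaxtpe[.]com", "www.techliveassist[.]com", "missmmarketing[.]com[.]au"]

LOGIN_RE = re.compile(r"^(\S+) (\S+) login account=(\S+) result=\S+$")
PROXY_RE = re.compile(r"^\S+ (\S+) \S+ (\S+) \d+$")


def parse_login_lines(text):
    """Return (timestamp, source_ip, account) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append((ts, m.group(2), m.group(3)))
    return events


def many_accounts_from_one_ip(events, window_seconds=300, min_accounts=3):
    """Map each source IP to the most distinct accounts it touched inside any
    window_seconds span, keeping only IPs that reach min_accounts. Login results
    are ignored on purpose: credentials harvested by the phish mostly succeed."""
    by_ip = defaultdict(list)
    for ts, ip, account in events:
        by_ip[ip].append((ts, account))
    flagged = {}
    for ip, items in by_ip.items():
        items.sort()
        best, j = 0, 0
        for i in range(len(items)):
            # Slide the window end forward while it stays within window_seconds of items[i].
            while j < len(items) and (items[j][0] - items[i][0]).total_seconds() <= window_seconds:
                j += 1
            best = max(best, len({acct for _, acct in items[i:j]}))
        if best >= min_accounts:
            flagged[ip] = best
    return flagged


def internal_hosts_that_hit_phish(proxy_text, phish_hosts=PHISH_HOSTS):
    """Return sorted (client_ip, host) pairs for requests to the listed phishing hosts."""
    wanted = {h.replace("[.]", ".").lower() for h in phish_hosts}  # refang for matching
    hits = set()
    for line in proxy_text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            host = (urlsplit(m.group(2)).hostname or "").lower()
            if host in wanted:
                hits.add((m.group(1), host))
    return sorted(hits)
```

A real deployment would read the bank's authentication log and the web proxy log in their native formats; only the two regexes need to change.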

Don’t ever miss another threat – sign up for PhishMe® Threat Alerts today and receive updates on new and emerging phishing and malware threats, completely free.

References:

[1] “BNM.docx” MD5 hash value: 43e6ec275168125ce334a253831316d6

[2] hxxps://bit[.]ly/2z0apph

[3] In dynamically-generated directories under hxxp://polymaxtpe[.]com/LNcNFsKg

[4] In bank-specific directories under hxxps://www.techliveassist[.]com/NXYu3qQR This domain also hosted an Apple phish three days prior.  The Apple phish was reached from a redirector on the host www.clubrougeva[.]com.

[5] In bank-specific directories under hxxps://missmmarketing[.]com[.]au/wip/mLwMY8uM This domain also hosted a Wells Fargo phish four days prior.

[6] Bank logo URLs:


10 Ways to Defend Against Business Email Compromise / CEO Email Fraud Scams

Cybercriminals continue to successfully hack and spoof emails to impersonate supervisors, CEOs, and suppliers and then request seemingly legitimate business payments. Because the emails look authentic and seem to come from known authority figures, many employees comply. But later they discover they’ve been tricked into wiring money or depositing checks into criminals’ bank accounts.

Even the “Smart Ones” Fall for Phishing

It’s easy to believe that phishing only happens to people who aren’t smart enough to detect it. This simply isn’t true. As the tech-savvy developers at software company a9t9 have indicated in their statement[1] about a phishing incident last week, even smart developers can be fooled with a phish.

As reported by Tripwire, a Chrome plugin developer fell for a phishing attack that allowed the threat actor to take control of a9t9’s account in the Chrome Store.  This means that the Copyfish plugin built by a9t9 was no longer under its control.  Meanwhile, the plugin has already been used to “insert ads/spam into websites” according to the statement by a9t9.

The original phishing message that lured the developer carried a link on the URL shortening service Bit.ly.  As Tripwire explained, the victim did not notice the odd link because he was viewing the message in webmail.  However, in the screenshot of the message in its text format, the Bit.ly link is clearly visible.  One of the great features of Bit.ly for those creating “bitlinks” is that you can view statistics about the locations and user agents of whoever clicks on your link.  Others can also see a few stats by appending a plus (+) sign to the end of the URL.  Below is what we saw when we did this:

The stats tell us that the bitlink was created on July 28th and leads to a URL on rdr11.top, a domain first registered on that same day via NameCheap but under privacy protection.  Once the victim clicked on the link, he was redirected to the rdr11.top URL which itself then redirected to a URL on chrome-extensions.top, to the page[2] seen below:

The domain chrome-extensions.top was also registered via NameCheap using privacy protection on July 28th.

The rdr11.top and chrome-extensions.top hosts resolve to Saint Petersburg, Russia, IP address 31.186.103.146, part of a /23 net block owned by Moscow Selectel Service.

Also known to have resolved to 31.186.103.146 is the domain chrome-extensions.pro, registered July 21st with NameCheap, using privacy protection.

A third resolution to the same IP, 31.186.103.146, was the phishy-sounding domain cloudflaresupport.site, also registered via NameCheap under privacy protection, on July 18th.  A similar domain, cloudflaresupport.info, was registered with NameCheap on June 21st and even used the Cloudflare service for phishing Cloudflare accounts, but it is now under Cloudflare’s control.  See the tweet[3] below that included screenshots of the phishing message and spoofed Cloudflare login page:


In the Comments of that tweet are screenshots showing further redirection to a Google login phishing page on webstoresupport.top, registered with NameCheap using privacy protection on June 20th.  Other comments reveal that on June 21st CloudFlare actively engaged the customer support software ticketing service being used by the threat actor to send the phishing messages, FreshDesk.  However, a9t9’s statement mentions that FreshDesk was still being used on July 28th when the a9t9 developer was lured in by a phishing email message.

Bottom-line

There are some lessons that can be learned about two-factor authentication for such important accounts as your Chrome Store or Cloudflare logins; however, the main issue here is that the victim was not even thinking about the possibility of phishing while responding to his email messages. Phishing, now commonly used against all types of accounts and for increasingly creative purposes, is known to be the number one way that attackers breach our critical processes, steal our intellectual property, and bring businesses to a screeching halt.  We can also thank a9t9 for owning up to its mistakes so that we can all learn from them.  Their sharing helps us to connect the dots and discover more about the phisher and his methods and infrastructure.

You can use PhishMe to make sure your employees know how to recognize, report, and respond to these growing threats.

References:

[1] https://a9t9.com/blog/chrome-extension-adware/

[2] hxxps://login.chrome-extensions.top/ServiceLogin/?https://accounts.google.com/ServiceLogin?service=chromewebstore&passive=1209600&continue=https://chrome.google.com/webstore/developer/dashboard&followup=https://chrome.google.com/webstore/developer/dashboard

[3] https://twitter.com/LawrenceAbrams/status/877666254974316544

With apologies to Led Zeppelin fans: The (BEC) Song (Still) Remains the Same

Almost three months have passed since I last updated you on the Business Email Compromise scam, also known as the CEO Fraud scam. Though the volume of these attacks remains high, the information security community has continued to collaborate well regarding this type of fraud, preempting the transfer of millions of dollars and identifying numerous mules in control of bank accounts around the world.

Just last week, yet another phisher tried to phish PhishMe. Our CTO, Aaron Higbee, reported on early attempts in September 2015 when he also described the use of PhishMe Reporter to phish-back and collect details of the phisher’s IP address and user-agent.

Since that time, we have seen repeated attempts against our CFO, Sam Hahn, where he receives messages impersonating our CEO, Rohyt Belani. These messages seek to engage Sam in an exchange regarding an urgent request to make a wire transfer.  Of course, such wires would be fraudulent, but, amazingly, the phish-back technique almost always works.  It has resulted in the identification of as many as five mule accounts at five different banks for one potential transaction.

The Song

With this latest attempt against PhishMe, the phisher has apparently used social media and/or search engine results to identify the name and email address of a staff accountant who reports to Sam Hahn, bypassing Sam’s renowned phish-spotting skills.  But the phisher’s email message landed with another trained reporter at PhishMe, who submitted the message as Suspicious, using the PhishMe Reporter button.  The report fed into our internal PhishMe Triage where we could quickly see that the accountant has a high Reputation Score, indicating that she is good at spotting truly-suspicious messages.  We knew that we should have a look right away at her report, shown in Figure 1 below.  The subject line of the message was the accountant’s first name, and the salutation included her first name.

Figure 1  Initial message from BEC phisher

Then our incident response plan kicked in, and we asked the accountant to reply with an offer to help, as seen in Figure 2 below, where the phisher responded right away with his plea for money to cover a secret international acquisition.  (Ah!  The Intrigue!)

Figure 2  BEC phisher makes plea for a wire transfer

In her response to that second message, our astute accountant indicated that she would need someone else to sign off on the wire transfer, “since it is an international wire.”  She actually copied our incident response team, which later provided a wire “confirmation link” to the phisher.  Figure 3 below shows the third message from the phisher, where he sent wire instructions to the accountant.

Figure 3  The BEC phisher sends wire transfer instructions

Once the mule account was revealed, it was reported to the bank, and our accountant’s associate sent a “confirmation link” that, when clicked by the phisher, revealed the phisher’s physical location.  From the phisher’s point of view, the link re-directed to the login page for the bank hosting the mule account.

The phisher must have been convinced that the wire transfer had been made because the next morning, twenty hours after the initial request, he came back for more.  In Figure 4 below, you can see where he hit up our accountant’s associate (really, our incident response team member) for a double dip.

Figure 4  The BEC phisher returns the next day to request more money

The final part of that thread included instructions for a $165,590 wire, details of an account at a second bank, and a request for a confirmation.

The Investigation

Beyond reporting this to the U.S. government’s Internet Crime Complaint Center at www.ic3.gov, our researchers wanted to dig deeper and document this phisher’s other activity.  It turns out that the lookalike domain name phislhme.com was registered at 1&1 Internet SE on December 15th – the same day as the first spam message to PhishMe – using the email address garyrabine@rabinagroup.com.  When we initially looked into whether that same email address had been used to register other domain names, we found 69 other domain names, all registered within the previous week and all seeming to be misspellings of domain names in use by real companies.

We took the list of domain names and guessed at which real company each domain was meant to imitate.  We then notified the administrative contacts of record for those legitimate domain names.  Though there was a handful of bounced messages, four companies replied with appreciation, and, so far, one has responded that their company had also received a BEC phishing email.

We checked back again this week to see how many domain names have been registered with 1&1 by this threat actor, and now there is a total of 156 domains.  We notified 1&1 on December 19th and requested that all the names be de-activated.  (see list at this link)

Takeaways

Though the song remains the same, phishers are constantly evolving their tactics to lead to more success.  In this recent attack, the phisher did not use the word “urgent” or “wire” in the subject line of the email message.  He also opted not to try for the CFO again; he likely found our accountant’s name and email address online and contacted her instead, possibly in hopes that she would feel a sense of urgency to which our CFO has become inured.  Then, when we saw the plea for money, we knew a bit more about why the phisher may have opted to avoid our CFO—it was a secret deal that only the “CEO” could know about.

We also want you to understand that this does not just affect large companies.  Because this scam has been going on for years, some of the larger targets have already been hit, and some have learned very hard lessons.  And with over 150 companies of all sizes spoofed by this one phisher and almost a full day between the two wire requests we received, we think this phisher is very busy.

PhishMe also wants everyone to understand how simple but effective these scams can be.  Learn how to spot them, and make sure your employees are great reporters.  Your staff needs to know that raising a red flag to the appropriate team can make all the difference in the world to your company, preventing the loss of hundreds of thousands of dollars and helping us stamp out this fraud.

The (BEC) Song Remains the Same

I had a dream, a crazy dream, that we stopped responding to ridiculous email messages demanding that a wire be sent immediately.  Also in that dream, all the bad guys were caught and had to pay restitution and go to jail.

While that second part may never happen, there has been definite progress toward the dream goal and there are definite steps to take to ensure that you – and others in your company – do not fall victim to a BEC email.

Coordinated by the National Cyber-Forensics & Training Alliance (NCFTA), contact information and incident details are being swapped quickly in the business and financial communities, allowing wires to be successfully recalled from far-flung places, facilitating the identification of fraudster activity, and preventing additional victimizations.  However, the typical scenario involves the disappearance of money into the hands of criminals much faster than the victim realizes that they have made a grave mistake in acting upon a fraudulent email message.

The FBI has now released three major advisories* regarding the Business Email Compromise scam.  The below charts illustrate how the estimated number of victims and the estimated volume of dollar losses have increased dramatically with each Public Service Announcement.

And, though the Internet Crime Complaint Center (IC3) first noticed an uptick in related complaints in October 2013, the ruse has been a common one in Europe for even longer.  A fellow security researcher in France, where they call this ‘The President’s Scam’, has been closely tracking a certain group since 2011.

The most common sequence of events is that a C-level employee email address is either compromised or spoofed in order to send a convincing message to someone in the company with the authority to send a wire.  It appears that oftentimes the fraudsters have done their homework on who’s who also, gleaning names, titles, and even travel schedules of executives from social media accounts.  We have shared examples before; just over a year ago, PhishMe CTO, Aaron Higbee, described an attempt against PhishMe.


Also around this same time last year, Centrify CEO, Tom Kemp, detailed EIGHT different attempts against his company, which itself provides multi-factor authentication services.

Unfortunately, the number of victims continues to rise.  Think about it…every business is a potential victim; so, until everyone knows how to spot this scam, we will keep hearing more horror stories.

The following are some things to keep in mind when you review an email asking you to move money on behalf of your company:

  1. Is the message really from the person that it appears to be from? Review the headers carefully. What is the reply-to address? Was the message actually sent from a lookalike domain name, such as PHlSHME.com with the letter L in place of the letter I?
  2. Does the tone and writing style of the author match what you know of the purported sender of the message?
  3. Are you being asked to reply directly to the message, instead of crafting a new email message? Are you being pressured to keep the transaction to yourself for some reason? Does the email message have a strong sense of urgency?
  4. Is there a link to click or an attachment to open, supposedly containing the wire instructions? As part of this scam, wiring instructions are typically sent to the victim in a subsequent message, after they have initially hooked you into responding.  Usually they are in the body of the follow-up message, but sometimes they are in a PDF attachment.
  5. Don’t think that the receiving bank will necessarily be overseas. Money mules in the United States are operating domestic bank accounts, helping to launder the money while sometimes thinking they are performing a legitimate work-from-home service.
  6. Be willing to stand your ground when something seems ‘off’ about a request. Demand that you personally speak to the person requesting the urgent wire transfer.  When you save the company millions, the CEO will be glad you bugged her for a moment.
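The header checks in item 1 above (reply-to address, lookalike domain such as PHlSHME.com or phislhme.com) and Red Flag number 1 from the Bank Negara post (executive’s name on an outside address), as an added Python example that is not part of the original post. The confusable-character table, the executive allow-list and the sample headers are constructed assumptions for the example.

```python
from email.utils import parseaddr

# Substitutions a phisher uses so a registered lookalike reads like the real domain.
# Each pair collapses to one canonical glyph, so "phlshme" and "phishme" compare equal.
# Constructed table: extend it with whatever your own domain is vulnerable to.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"), ("|", "l")]


def canonical(domain):
    d = domain.lower().strip(".")
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance; domains are short, so no optimisation needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, legit, max_distance=1):
    """True when domain is not legit but canonicalises to it, or sits within
    max_distance edits of it. Catches the letter swap (PHlSHME.com) and the
    transposition-style misspelling (phislhme.com) the posts describe."""
    domain, legit = domain.lower(), legit.lower()
    if not domain or domain == legit:
        return False
    a, b = canonical(domain), canonical(legit)
    return a == b or edit_distance(a, b) <= max_distance


def check_message(headers, company_domain, executives):
    """Return red-flag labels for one message. headers: dict of header name to value.
    executives: display names that should only ever arrive from company_domain."""
    flags = []
    from_name, from_addr = parseaddr(headers.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(headers.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if is_lookalike(from_domain, company_domain):
        flags.append("lookalike-sender-domain")
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to-differs-from-sender")  # replies are steered elsewhere
    if from_name.strip().lower() in {e.lower() for e in executives} and from_domain != company_domain.lower():
        flags.append("executive-name-on-external-address")  # friendly name vs address
    return flags


# Constructed sample headers modelled on the attempt described in the post.
SAMPLE = {
    "From": "Rohyt Belani <rohyt@phlshme.com>",
    "Reply-To": "Rohyt Belani <rohyt.belani@example.net>",
}
```

Run `check_message(SAMPLE, "phishme.com", ["Rohyt Belani"])` and all three flags fire; the same message from an address on the real domain with no Reply-To returns an empty list.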

And below are some Action Items that you can take today to help prevent becoming the next victim:

  1. Enable two-factor authentication on your email account. If your email provider does not offer this, change providers.
  2. Establish a DMARC record on your company domain so that messages spoofing your real domain do not get delivered.
  3. Use different passwords for each online service; use a password manager if needed.
  4. Require dual approval and out-of-band authentication for all wires. Understand that wire transfers are one of the most risky transactions and usually cannot be recalled because they are designed to provide immediate access to and an irrevocable settlement of funds.
  5. The PhishMe Simulator/Reporter combination conditions your employees to spot and submit fraudulent email messages. Contact PhishMe to sign up for Simulator and Reporter so that you can start shoring up your first line of defense.

If you realize that you may have fallen for this scam, call your bank immediately.  Also call your local FBI office and ask for assistance (Find contact information here.) Even if you never wired the money, report the attempt by filing a complaint form with IC3 because this helps the NCFTA track and correlate attacks, improving the likelihood of an eventual prosecution.

*Links to the full FBI PSAs:

New Tactic Bypasses Existing Security Controls – Most Recent PayPal Phish Reveals Stealthy HTML Attachment

Incident response is always a cat and mouse game.  Organizations spend heavily on people and technology to help protect their enterprise, while threat actors continue to find new and unique ways to bypass those controls.  We’ve seen this trend continue over time, whether it be with the shift to MHTML files by Locky or the delivery of malicious PowerPoint show files.  The PhishMe intelligence team has noticed another change, this one by the actors who are phishing for login credentials, and their tactics reveal that they are actively working to bypass security controls.

Tax Time is Phishing Time: Here’s How to Help!

Important disclaimer: THE IRS DOES NOT INITIATE CONTACT WITH TAXPAYERS BY EMAIL, TEXT MESSAGE, OR SOCIAL MEDIA CHANNELS TO REQUEST PERSONAL OR FINANCIAL INFORMATION. (See: https://www.irs.gov/uac/Report-Phishing )

The IRS has a very active security team, currently part of the U.S. Treasury Inspector General for Tax Administration (TIGTA), that is responsible for fighting phishing and tracking down the criminals who prey on U.S. taxpayers.  If you believe you have received a phishing email, please help them by reporting the email you received to phishing@irs.gov.  Additionally, please also consider sending a copy to our team.  PhishMe Brand Intelligence automatically processes any URLs found in emails sent to Report@phishIQ.com (not just IRS phish – we love gathering global intelligence on all phish).