PhishMe Triage Catches and Mitigates a Phishing Attack on Day 1

BY JOHN TRAVISE AND NICOLAS OCTAVIANI

PhishMe Triage™ immediately reveals an active, ongoing phishing attack against a new customer during a configuration and deployment.

Summary

Talk about immediate results!

During a recent PhishMe Triage configuration and deployment engagement, our professional services team could help a customer identify and respond to an ongoing attack. The customer was a high-value target – a global payment processing company and was under a deliberate and sustained phishing attack. With the use of PhishMe Triage and help from PhishMe® consultants, the customer could see the attack happening and effectively respond to the threat.

The Attack

On the first day of the deployment engagement, our PhishMe consultants noticed that users were reporting several different types of phishing emails which all contained URLs from several domains all in the format of hxxp://domainname.com/f.php?d=<base 64 encoded email of recipient>. This URL lead to a Microsoft Word® document with embedded macros that acted as a malware dropper. Perhaps to derail analysis, the attacker used methods where any browser user agent with the OS not set to Windows received a 404 error instead of a file. The Word file appeared to be a variant of Hancitor that downloaded DELoader/ZLoader. The Word document asked the user to turn on macros to start the infection process. Virus total links to files can be found here and here.

Upon further investigation, we discovered all of the domains were registered with Go Daddy® and had recently changed their DNS entry. Typically, when malicious links are found, organizations filter them at the proxy by domain name.  The threat actors took advantage of this by using compromised Go Daddy accounts to rapidly deploy new phishing links. However, as all domains pointed to the same IP address blocking became trivial using the IP address instead of the constantly changing domains.  Our consultants then created a rule to identify URLs with the offending f.php in them, and processed almost 200 matching emails targeted at this customer.

The following day delivered more reported emails with the same f.php in the PhishMe Triage inbox and quickly discovered that the domains from the current campaign pointed to an entirely different IP address. Upon checking the domain from the previous day, we discovered the attacker had updated the DNS entries to match the IP addresses of the current campaign.  By using the rule, we created in PhishMe Triage, we were able to quickly identify the new domains and prevent the attack.  Using the IOCs (indicators of compromise), the analysts identified any users who had received an email from the phishing campaign and removed almost 300 additional emails, as well as using the SIEM and proxy to identify any users who may have clicked the links and take appropriate action.

The Result

Without PhishMe Triage, the customer would have not have been able to see the common indicators as easily, and may not have been able to identify other emails that were part of the campaign – at least not in time to avoid an incident.  Because of PhishMe Triage, the client could use the IOCs to make sure they could respond in real-time to the ever-changing campaign and mitigate any of the users that may have been enticed to open the document.  By leveraging the internal human attack intelligence delivered by users conditioned with PhishMe Simulator™ and alerting the team with PhishMe Reporter®, PhishMe Triage was the final piece needed for a comprehensive anti-phishing defense system –  finding an active threat as it bypassed perimeter defenses designed to stop it.

Curious to learn more? Sign up for a free demo of PhishMe Triage today!

Human Phishing Defense Tackle Box – PhishMe Intelligence™ and IBM QRadar®
NanoCore Variant Delivered Through UUE Files

Leave a Reply