This blog explores some of the latest phishing threats currently circulating, including those I have personally encountered and reverse-engineered recently.
[Embedded tweet 1256174876093808640: screenshot of the HSBC phish discussed below]
To me, it was quite clearly a phish, as I’m not with HSBC; however, someone who is could easily have been fooled. The trick here is a subdomain. Average users may recognise their bank’s usual domain name in the address and feel safe, but the threat actors who sent this to me could register a domain like ‘digitalbanking.com’ (which was for sale at the time of writing) and put my bank’s full hostname in front of it as a subdomain, so the address reads as the bank’s site at a glance. The part that actually decides who owns the site is the registrable domain at the right-hand end; everything to the left of it is under the registrant’s control. Add a free certificate from the Let’s Encrypt CA to give it HTTPS and the padlock, and you have a pretty convincing phish.
I chucked the domain into VirusTotal and found its IP address, along with a few other phishing URLs associated with it. It appears Nationwide and HSBC customers are targeted:
You can view for yourself here: https://www.virustotal.com/gui/ip-address/180.215.199.52/relations
On 28 April I received this email:
[Embedded tweet 1255991471506948098: screenshot of the Apple-themed phishing email discussed below]
This phish was a little more cunning: the visible link text read support.apple.com, but the underlying hyperlink was a shortened URL. It used an Indonesian service similar to Grabify that logs the visitor’s IP address, geolocation and user agent. I searched online to see if anyone else had received email from the same sender and found posts on Apple’s forums going back to December 2019. They also rightly pointed out that Apple will never send you a PDF, so don’t open it or click the link!
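Both tricks above (a trusted bank hostname buried in the subdomain of an attacker-controlled registrable domain, and link text that shows one address while the href points somewhere else) can be caught mechanically. The following is an added example written for this post, not code from the original or from any of the services mentioned. The HTML email body, the shortener host short.example, the trusted-host list and the tiny stand-in for the Public Suffix List are all constructed for illustration; a real deployment would use the full Public Suffix List.

```python
"""Flag phishing links by registrable domain and by link-text/href mismatch.

Added example for this post; hostnames, HTML and suffix list are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a toy subset of the Public Suffix List (real code: use the full PSL).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Assumption: hostnames this organisation treats as legitimate (hypothetical list).
TRUSTED_HOSTS = {"www.hsbc.co.uk", "onlinebanking.nationwide.co.uk", "support.apple.com"}


def registrable_domain(host: str) -> str:
    """eTLD+1 of a hostname: 'www.hsbc.co.uk.digitalbanking.com' -> 'digitalbanking.com'."""
    labels = host.lower().rstrip(".").split(".")
    # Scan from the left so the longest matching suffix wins ('co.uk' before 'uk').
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else ".".join(labels[i:])
    return ".".join(labels[-2:])


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; bare text such as 'support.apple.com' is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """True when the visible link text itself reads as a URL or hostname."""
    t = text.strip().lower()
    return "://" in t or ("." in t and " " not in t)


def subdomain_impersonation(host: str):
    """Return the trusted host whose name is embedded as a subdomain, else None."""
    host_reg = registrable_domain(host)
    if host_reg in {registrable_domain(t) for t in TRUSTED_HOSTS}:
        return None  # genuinely under the trusted party's registrable domain
    for trusted in sorted(TRUSTED_HOSTS):
        # '.hsbc.co.uk.' inside '.www.hsbc.co.uk.digitalbanking.com.' is the tell.
        if f".{registrable_domain(trusted)}." in f".{host}.":
            return trusted
    return None


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_email(html: str):
    """Return (finding, href, detail) tuples for every suspicious anchor."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        target = subdomain_impersonation(host)
        if target:
            findings.append(("subdomain-impersonation", href, target))
        if looks_like_url(text):
            shown = host_of(text)
            # Compare registrable domains so 'apple.com' vs 'www.apple.com' is not flagged.
            if shown and registrable_domain(shown) != registrable_domain(host):
                findings.append(("text-href-mismatch", href, shown))
    return findings


# Constructed sample: one subdomain phish, one shortened link behind Apple text,
# and one genuine link that must not be flagged.
SAMPLE_EMAIL = """
<p>Your account has been locked. Please verify at
<a href="https://www.hsbc.co.uk.digitalbanking.com/login">www.hsbc.co.uk</a>.</p>
<p>Your receipt: <a href="https://short.example/AbCdE">support.apple.com</a></p>
<p>Need help? <a href="https://www.hsbc.co.uk/help">HSBC help</a></p>
"""

if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_EMAIL):
        print(finding)
```

Run as-is, the sample produces three findings: the HSBC link is flagged twice (the bank’s name sits in the subdomain of digitalbanking.com, and the visible text disagrees with the href), the shortener link is flagged once for the text/href mismatch, and the genuine HSBC link is left alone because its registrable domain is the bank’s own.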
I put the link into VirusTotal and found 33 other phishing URLs with a similar structure that were likely used in the same campaign. I added them to my OTX feed here.
Who’s behind all this phishing?
Well, I can’t say who is behind these exact phishing emails and texts, but there is one cybercriminal gang responsible for hundreds of thousands of phishing attempts around the world. The gang, also known as the IndonesianCyberArmy, produces and sells the ‘16Shop’ phishing kit as-a-service. Aspiring cybercriminals can buy the 16Shop kit, pick a target brand and immediately begin phishing; instructions and guidance are provided by the gang, as with many Malware-as-a-Service offerings.
The @phishingreel bot on Twitter provides detection of commercial phishing kits, with 16Shop featuring heavily. (source)
@JCyberSec_ has also produced an insightful 16Shop Intelligence Thread here:
[Embedded tweet 1255902497782317056: @JCyberSec_’s 16Shop intelligence thread]
How phishing is evolving:
Newer phishing campaigns are becoming more advanced: they actively block security tools from reaching the landing pages and use custom targeting lists.
@MalwareTraceKr uncovered a new Korean SMiShing campaign that uses a database of (likely stolen) phone numbers and only lets recipients whose numbers are in that database download the malware. A security researcher who wants to see the payload therefore needs to come from a phone number present in the database. This lets campaigns run for longer before a sample can be analysed and the campaign stopped. (source)
Researchers at Barracuda have also discovered cybercriminals deploying Google’s reCAPTCHA anti-bot tool in an effort to avoid early detection of their malicious campaigns. (source)
I predict that SMiShing campaigns will eventually overtake traditional email campaigns as more users move to mobiles and tablets only, leaving desktops and laptops behind. Instant messaging apps like WeChat (Weixin) have replaced email almost entirely in China, and China is seeing more mobile-based threats because of it.
In the Western hemisphere and across EMEA countries, email does appear to show signs of slowing with collaborative apps like Microsoft Teams and Slack taking over, as well as video conferencing software like Zoom. This has been spurred on due to lockdown during the coronavirus pandemic.
For now, though, email is still an effective communication method that is widely used professionally. Even so, the FBI’s IC3 report for 2019 found that businesses lost an estimated $1.7 billion to BEC attacks. That figure may help shape future IT budgets and encourage the move away from email.
Subscribe for more blogs 🙂