
The Phishing Adventures of Huck Phinn, Another School of Phish

Chapter 7

It's Cybersecurity Awareness Month, so we thought it was a good time to bring back our good friend Huck Phinn for another adventure in phishing. 

It has been a while since poor Huck got tricked by that phishing email from Tom in the previous chapter, and he has made sure to be very careful ever since. Things were looking up, and it was the perfect time to go on a little vacation. After his shift at St. Petersburg Wildlife Foundation, Huck got online and scheduled a trip to visit his favorite aunt, Polly. While planning his trip, Huck received an email from Jim, another one of his most trusted pals. Jim is a known attorney at the Pearl Law Firm in Missouri, and he has a lot of contacts throughout the state of Missouri. Since Jim is a close pal, Huck quickly opened the email from Jim. It said “Please find your invoice attached” and had an Excel document attached.

Figure 1 - The original phishing email that Huck received from Jim

Just when Huck was about to click on the attached Excel document, he took pause. This seemed strange and oddly like a phishing email hoping to steal his precious information. He took a moment to think and decided to call his assigned Primary Analyst within the Ingalls SOC who encouraged him to forward this email to his Ingalls Information Security Phishing Email Helpdesk for analysis.

Figure 2 - VirusTotal results for the Excel document attachment

The attachment did not contain any malicious macros or exploits. It only contained an image claiming to be a “Citrix Attachment” and a button named “Click Here to View Documents” linking to www.evernote[.]com/shard/s516/sh/953c2874-f4b0-1e6f-eb9a-beb7fed2bfc5/4ffdc5a82661e5396f311f4e6fe42e82.

Figure 3 - Malicious (but malware-free) Excel document with a button leading to an Evernote page

What are the “red flags” for this email and Excel document? 

Fake “invoices” are common lures used to bait phishing victims. The sender is sending an unexpected invoice and, in this case, is not even the individual who would likely send a legitimate invoice. The attachment doesn’t even contain the actual invoice; it only contains a link to an Evernote[.]com address. The attachment says that it is a Citrix Attachment and to “Use Citrix Files to share documents securely”, but it doesn’t link to a Citrix address. A legitimate invoice is unlikely to be delivered via Evernote[.]com.

 

By sending the email from a trusted colleague’s legitimate, although compromised, email address, the threat actor avoided the suspicion of some recipients and their email security systems, and the threat actor also evaded quarantine of the attachment because the attachment itself did not contain any malware. Finally, the threat actor managed to prevent the network traffic from the link being considered malicious by linking to an Evernote page. Evernote is a great vehicle for malicious delivery of payloads because it is a very popular mobile device and web notekeeping application that is unlikely to arouse suspicion or result in alerts in network logs, and it is unlikely to be blocked by security teams. The Ingalls Phishing Helpdesk clicked the link.
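The two red flags above (an attachment that names one brand, Citrix, but whose only link points somewhere else, and an attachment that carries no malware for a gateway to quarantine) can be checked mechanically. The script below is an added example, not code from the original post or from Ingalls: it pulls every external hyperlink out of an .xlsx by reading the OOXML relationship parts directly, then flags links whose host does not belong to the brand the lure text names. The brand-to-domain table and the in-memory sample workbook are assumptions constructed for the example.

```python
import io
import zipfile
from urllib.parse import urlparse
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Assumed legitimate domains for the brands this lure invokes (example table).
BRAND_DOMAINS = {
    "citrix": ("citrix.com", "sharefile.com"),
    "microsoft": ("microsoft.com", "office.com", "live.com", "microsoftonline.com"),
}


def extract_external_links(xlsx_bytes):
    """Return every external hyperlink target stored in an .xlsx.

    OOXML keeps hyperlink destinations (cell links and clickable images or
    buttons alike) in *.rels parts as Relationship elements with
    TargetMode="External", so scanning every .rels member finds them all
    without opening the workbook in Excel or a spreadsheet library.
    """
    links = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External" and rel.get("Type", "").endswith("/hyperlink"):
                    links.append(rel.get("Target"))
    return links


def brand_mismatches(links, lure_text):
    """Return (brand, host, link) for each link not hosted by a brand the lure names."""
    named = [b for b in BRAND_DOMAINS if b in lure_text.lower()]
    flagged = []
    for link in links:
        host = (urlparse(link).hostname or "").lower()
        for brand in named:
            if not any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand]):
                flagged.append((brand, host, link))
    return flagged


def build_sample_xlsx():
    """Constructed stand-in for the Payment101.xlsx lure: a zip whose only
    relationship part gives the clickable image an external Evernote target
    (note id is a placeholder, not the one from the campaign)."""
    rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            'Target="https://www.evernote.com/shard/s516/sh/EXAMPLE-NOTE-ID/EXAMPLE" '
            'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/drawings/_rels/drawing1.xml.rels", rels)
    return buf.getvalue()
```

Run against the sample workbook with the lure text “Citrix Attachment - Use Citrix Files to share documents securely”, the Evernote link is reported as a Citrix-branded link that does not go to Citrix.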

Figure 4 - Evernote page linked to from the Payment101.xlsx Excel document

The Evernote page has a subject stating “Payment Review” with an image of the Excel logo and the text “View Invoice”, which contains a link to another website with the actual “payload” of this phishing campaign. At the time that Huck submitted the email to the Ingalls SOC, this link went to a compromised WordPress website at uncommonroadmusic[.]com/otzozukadzima/index.html.


Figure 5 - “Microsoft” credential harvesting page linked to from the Evernote page

 

When the analyst clicked on the “View” button, the Ingalls Phishing Helpdesk was taken to the credential harvesting form designed to look like a Microsoft login.

Figure 6 - Credential harvesting form on the compromised uncommonroadmusic[.]com website

What is so phishy about this “Microsoft” web page? 

It is not hosted at a valid Microsoft domain. The login form is not the actual form presented to users logging into a Microsoft domain. The payment101.xlsx file says that the invoice document name is EFT Number 202206063377997.pdf, but this document is apparently named “INV-40211.pdf” instead. A legitimate invoice is unlikely to be delivered via Microsoft OneDrive.

The Ingalls Phishing Helpdesk entered fake credentials into the form and clicked on the “View” button to submit the form:

  • Username - test@gmail[.]com
  • Password - testtesttest

The fake credentials that the analyst entered could be seen being delivered, in plain text, to the threat actor via another page on the compromised domain.

Figure 7 - Harvested credentials delivered to the threat actor

The Ingalls Phishing Helpdesk then used Endpoint Detection and Response (EDR) tools to check whether the Excel document or traffic to the uncommonroadmusic[.]com domain had been seen in other client environments. It had been seen in at least five other Ingalls client environments throughout Missouri: Hospital of Cottlevalley Association, St. Charles Center, Missouri Decatur College, Springfield Clerks Association, and St. Louis Law firm. Unfortunately, a couple of these clients had accounts compromised, and the email had been sent to all of their email contacts.

During the investigation, the Ingalls SOC noticed that while the Evernote page was seen linking to a compromised uncommonroadmusic[.]com address, it originally linked to majesticmasonry[.]org. However, it appears that once the majesticmasonry[.]com domain became marked by Google Chrome and security tools as malicious, they switched to uncommonroadmusic[.]com. Having the credential harvesting site hosted on multiple compromised domains allowed the threat actors to quickly change the payload linked on the Evernote page in order to avoid being blocked and losing potential phishing victims.

In order for this campaign to work, the victim needed to 1) open the phishing email, 2) download and open the Excel document, 3) click on the link to Evernote in the Excel document, 4) click on the “View Invoice” link in the Evernote document, 5) click “View” on the credential harvesting page, 6) enter their credentials into the fake login form, and 7) not have MFA enabled for their email account. Having so many steps involved might make a user less likely to follow through to the end and have their credentials harvested, but those steps also provide layers of abstraction that allow the threat actors to avoid detection, ensuring the long-term success of their campaign.

As an additional precaution, Ingalls globally quarantined the filehash of the Excel document and blocked the IP addresses and domains of the credential harvesting pages within their Client environments. The Ingalls SOC also notified Clients who were known to have received or downloaded the document about the campaign and provided them with recommendations to keep their environments safe. Finally, the Ingalls SOC also reached out to the system administrator of Jim’s organization to inform them about the phishing campaign.

 

What are some remediation tactics to help protect against or to mitigate phishing email campaigns?

  • Blocking known-malicious IPs and domains is a quick and easy way to mitigate the spread of the campaign, but as was seen in this campaign, it’s relatively quick and easy for the threat actors to shift to another compromised domain.
  • Enable MFA for email logins.
  • Organizations should also have established procedures for:
    • Tracing and quarantining known malicious emails, senders, and/or attachments sent to users within their organization.
    • Remediating compromised accounts.
    • Educating users on phishing and how to spot indicators of phishing.
    • Investigating whether other users or devices within their organization have downloaded attachments or visited domains known to be associated with a phishing campaign targeting their organization.
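The last bullet (finding other users or devices that visited the campaign’s domains) and the caveat in the first bullet (the actors hop between compromised domains, while the Evernote hop lives on a domain you cannot simply block) are illustrated by the added example below, which is not code from the original post or from Ingalls. It hunts proxy log lines for the defanged indicators quoted in this chapter, matching the compromised domains by host (including subdomains) and the Evernote note by URL prefix rather than by domain. The log format and the log lines are constructed for the example; the Evernote path suffix in the log is a placeholder.

```python
from urllib.parse import urlparse

# Indicators quoted in this chapter, written defanged as they appear in the post.
DOMAIN_IOCS = ["uncommonroadmusic[.]com", "majesticmasonry[.]org", "majesticmasonry[.]com"]
# The Evernote host is legitimate, so only the specific note path is an indicator.
URL_IOCS = ["www.evernote[.]com/shard/s516/sh/953c2874-f4b0-1e6f-eb9a-beb7fed2bfc5/"]

# Constructed proxy log: timestamp, client IP, user, method, URL, status (example format).
SAMPLE_LOG = """\
2022-06-08T14:02:11Z 10.1.5.23 huck GET https://www.evernote.com/shard/s516/sh/953c2874-f4b0-1e6f-eb9a-beb7fed2bfc5/EXAMPLE-SUFFIX 200
2022-06-08T14:02:40Z 10.1.5.23 huck GET https://uncommonroadmusic.com/otzozukadzima/index.html 200
2022-06-08T14:10:00Z 10.1.5.40 polly GET https://www.evernote.com/Home.action 200
2022-06-08T15:20:12Z 10.1.6.11 tom GET http://cdn.majesticmasonry.org/view/index.html 200
2022-06-08T15:21:02Z 10.1.6.12 sid GET https://uncommonroadmusic.com.example.net/ 200
"""


def refang(ioc):
    """Turn a defanged indicator back into a matchable one."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def hunt(log_text):
    """Return {client_ip: {"user": ..., "iocs": set(...)}} for every client that
    touched an indicator. Domain IoCs match the host exactly or as a parent of
    a subdomain; URL IoCs match on host + path prefix."""
    domains = [refang(d) for d in DOMAIN_IOCS]
    urls = [refang(u) for u in URL_IOCS]
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than crash the hunt
        _ts, ip, user, _method, url = parts[:5]
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        matched = [d for d in domains if host == d or host.endswith("." + d)]
        matched += [u for u in urls if (host + parsed.path).startswith(u)]
        if matched:
            hits.setdefault(ip, {"user": user, "iocs": set()})["iocs"].update(matched)
    return hits
```

Note that the last log line, a look-alike host that merely begins with the indicator, is not matched, and the ordinary Evernote visit by “polly” is not matched either.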

 

Would you have spotted all of the red flags? Do you know someone who might have taken the bait? Download and share our “How to Spot a Phish” checklist to elevate security awareness and keep more people safe online.

Our “How to Spot a Phish” checklist can help you identify phishing emails and provides advice on what to do with them.


Author Bio:
Henry Chester is currently a Tier 1 SOC Analyst Intern at Ingalls Information Security. His professional career began in the non-profit sector specializing in project management and business systems administration as a Regional Business Director. Mr. Chester’s experience includes projects in business procurement and accounting cloud technologies. He holds a M.S. of Cybersecurity from University of Dallas and a B.B.A. of Business Analytics from Texas A&M Commerce.