The Phishing Adventures of Huck Phinn, Another School of Phish

Chapter 7

It's Cybersecurity Awareness Month, so we thought it was a good time to bring back our good friend Huck Phinn for another adventure in phishing. 

It has been a while since poor Huck got tricked by that phishing email from Tom in the previous chapter, and has made sure to be very careful ever since.  Things were looking up, and it was the perfect time to go on a little vacation. After his shift at St. Petersburg Wildlife Foundation, Huck got online and scheduled a trip to visit his favorite aunt, Polly.  While planning his trip, Huck received an email from Jim, another one of his most trusted pals. Jim is a known attorney at the Pearl Law Firm in Missouri, and he has a lot of contacts throughout the state of Missouri.  Since Jim is a close pal, Huck quickly opened the email from Jim. It said “Please find your invoice attached” and had an Excel document attachment.

Figure 1 - The original phishing email that Huck received from Jim

Just when Huck was about to click on the attached Excel document, he took pause. This seemed strange and oddly like a phishing email hoping to steal his precious information. He took a moment to think and decided to call his assigned Primary Analyst within the Ingalls SOC who encouraged him to forward this email to his Ingalls Information Security Phishing Email Helpdesk for analysis.

Figure 2 - VirusTotal results for the Excel document attachment

The email did not contain any malicious macros or exploits. It only contained an image claiming to be a “Citrix Attachment” and a button named “Click Here to View Documents” linking to www.evernote[.]com/shard/s516/sh/953c2874-f4b0-1e6f-eb9a-beb7fed2bfc5/4ffdc5a82661e539 6f311f4e6fe42e82.

Figure 3 - Malicious benign Excel document with a button leading to Evernote page.

What are the “red flags” for this email and Excel document? 

By sending the email from a trusted colleague’s legitimate, although compromised, email address, the threat actor avoided suspicion of some recipients and their email security systems, and the threat actor also evaded quarantine of the attachment because the attachment itself did not contain any malware. Finally, the threat actor managed to prevent the network traffic from the link being considered malicious by linking to an Evernote page. Evernote is a great vehicle for malicious delivery of payloads because it is a very popular mobile device and web notekeeping application that is unlikely to arouse suspicion or result in alerts in network logs and is unlikely to be blocked by security teams.  The Ingalls Phishing Helpdesk clicked the link.

Figure 4 - Evernote page linked to from the Payment101.xlsx Excel document

The Evernote page has a subject stating “Payment Review” with an image of the Excel logo and the text “View Invoice”, which contains a link to another website with the actual “payload” of this phishing campaign. At the time that Huck submitted the email to the Ingalls SOC, this link went to a compromised WordPress website at uncommonroadmusic[.]com/otzozukadzima/index.html.

Figure 5 - “Microsoft” credential harvesting page linked to from the Evernote page

When the analyst clicked on the “View” button, the Ingalls Phishing Helpdesk was taken to the credential harvesting form designed to look like a Microsoft login.

Figure 6 - Credential harvesting form on the compromised uncommonroadmusic[.]com website

What is so phishy about this “Microsoft” web page? 

It is not hosted at a valid Microsoft domain. The login form is not the actual form presented to user’s logging into a Microsoft domain. The payment101.xlsx file says that the invoice document name is EFT Number 202206063377997.pdf, but this document is apparently named “INV-40211.pdf” instead. A legitimate invoice is unlikely to be delivered by being delivered via Microsoft One Drive.

The Ingalls Phishing Helpdesk entered fake credentials into the form and clicked on the “View” button to submit the form:

• Username - test@gmail[.]com
• Password - testtesttest 

The fake credentials that the analyst entered, could be seen being delivered, in plain text, to the threat actor via another page on the compromised domain.

Figure 7 - Harvested credentials delivered to the threat actor

The Ingalls Phishing Helpdesk then used Endpoint Detection and Response (EDR) tools to check if the Excel document or traffic to the uncommonroadmusic[.]com domain was seen in other client environments, and it was seen in at least five other Ingalls’ client environments throughout Missouri: Hospital of Cottlevalley Association, St. Charles Center, Missouri Decatur College, Springfield Clerks Association, and St. Louis Law firm.  Unfortunately, a couple of these clients had accounts compromised and the email had been sent to all their email contacts.

During the investigation, Ingalls SOC noticed that while the Evernote page was seen linking to a compromised uncommonroadmusic[.]com address, it originally linked to majesticmasonry[.]org. However, it appears that once the majesticmasonry[.]com domain became marked by Google Chrome and security tools as malicious, they switched to uncommonroadmusic[.]com. Having the credential harvesting site hosted on multiple compromised domains, allowed the threat actors to quickly change the payload linked on the Evernote page in order to avoid being blocked and losing potential phishing victims.

In order for this campaign to work, the victim needed to 1) open the phishing email, 2) download and open the Excell document, 3) click on the link to Evernote in the Excel document, 4) click on the “View Invoice” link in the Evernote document, 5) click “View” on the credential harvesting page, 6) enter their credentials into the fake login form, and 7) not have MFA enabled for their email account. Having so many steps involved might make a user less likely to follow through to the end and to have their credentials harvested, but they also provide layers of abstraction that allow the threat actors to avoid detection, ensuring the long-term success of their campaign.

As an additional precaution, Ingalls globally quarantined the filehash of the Excel document and blocked the IP addresses and domains of the credential harvesting pages within their Client environments. The Ingalls SOC also notified Clients who were known to have received or downloaded the document about the campaign and provided them with recommendations to keep their environments safe. Finally, the Ingalls SOC also reached out to the system administrator of Jim’s organization to inform them about the phishing campaign.

What are some remediation tactics to help protect against or to mitigate phishing email campaigns?

• Blocking known-malicious IPs and domains is a quick and easy way to mitigate the spread of the campaign, but as was seen in this campaign, it’s relatively quick and easy for the threat actors to shift to another compromised domain.
• Enable MFA for email logins.
• Organizations should also have established procedures for:
  • Tracing and quarantining known malicious emails, senders, and/or attachments sent to users within their organization.
  • Remediating compromised accounts.
  • Educating users on phishing and how to spot indicators of phishing.
  • Investigating whether other users or devices within their organization have downloaded attachments or visited domains known to be associated with a phishing campaign targeting their organization.

Would you have spotted all of the red flags? Do you know someone who might have taken the bait? Download and share our “How to Spot a Phish” checklist to elevate security awareness and keep more people safe online.

Author Bio: