Nobelium-style Phishing Tactics Used to Spread Malware
In May, Microsoft reported on a Nobelium campaign that involved malicious emails being sent to roughly 3,000 accounts across over 150 organizations in 24 countries. All the malicious emails were sent via the Constant Contact mailing service using the compromised account of the United States Agency for International Development (USAID).
The new campaign was discovered by the Inky anti-phish firm, and the volume is likely to represent just a subset of the total number of emails. Inky states in its report that it doesn’t yet know whether the new campaign was instigated by the same threat actor, or simply copycat criminals using the same technique as Nobelium – but is investigating.
The technique involves compromising the account of a genuine mail service user. In the latest incident, the account was that of fast-food firm Chipotle and the mail service was Mailgun. This technique generally has a high success rate because the emails appear to be genuine from high reputation sources. The emails pass many automated phish detection systems since they come from a high reputation IP address (Mailgun: 188.8.131.52) and pass SPF and DKIM authentication.
“Analysis of the email headers revealed that the messages originated from Mailgun servers (postgun.com and mailgun.net) and passed email authentication for chipotle[.]com,” says Inky.
Of the 121 phishing emails detected, two were vishing attacks (fake voicemail notifications with malware attachments), 14 impersonated the USAA Bank, and 105 impersonated Microsoft. Inky does not indicate the malware included with the vishing attempts, nor does it specify the phished target organizations. It does, however, analyze the phishing emails.
The 14 USAA bank impersonations contained a mail.chipotle[.]com link that redirected to a forged and malicious USAA Bank credential harvesting site. The credential harvesting site is a good impersonation of the genuine bank site, including a perfect copy of the USAA logo. “The black hats can make these pages by simply cloning the real page, changing just one or two details to the underlying HTML, and voila! A credential-harvesting page is born,” comment the researchers.
USAA Credential Harvesting Page
The majority of the phishing emails impersonate Microsoft. This is unsurprising since almost everyone has a Microsoft account, and almost all of them contain large amounts of valuable detail (such as other logins, trade secrets, financial details and more).
In the example provided by Inky, the mail is sent by ‘Microsoft 365 Message center <[email protected]>’. The subject says, “You have (7) clustered/undelivered emails 16 July 2021”. This should not fool an observant user who should question why Microsoft is sending emails via a fast-food firm – but could fool automated detections that rely heavily on sender reputations.
The email content is a typical scam lure. The target has seven emails held up by storage issues, but now available for collection (the curiosity trigger). Ignoring the message could disable the account (the fear trigger). This is followed by a button labelled ‘Release messages to inbox’. Clicking this button takes the user to a credential harvesting fake Microsoft login page.
The clue to detecting this type of phishing email lies in the discrepancy between the sender’s name (in these instances, Microsoft, USAA and VM Caller ID), and the actual email sender (in this instance postmaster[@]chipotle[.]com). The former is not likely to use the latter to send out emails. The problem, however, is that secure email gateways often rely on checking solely whether the sending domain is legitimate, and the email is coming from an approved range of IP addresses.
College Park, MD-based phish prevention firm INKY was founded in 2008 by Dave Baggett (CEO) and Simon Smith (COO). In June 2020 it raised $20 million in a Series B funding round led by Insight Partners, bringing the total raised to $31.6 million.