9 A.M., "It's too late to Phish"

Or are the phishes biting the line of the Phisher? It was August 17th, 2016, when I awoke, I slowly took my time waking up to prepare for the day. This morning I checked my work calendar for any meetings scheduled, then decided to switch pace and give my personal email a grooming. That is when a captivating e-mail caught my attention.

Initially, when I received this e-mail, it had not been flagged by google. Thus, the red banner was not visible at the time and the images were displayed. Anyways, I received this e-mail from someone close to me. I initially found it odd that this person would be sending me a "DocuSign" document to sign. I have worked with this person occasionally with non-profit items, so maybe they stepped up their paper game to digital documents right? Nah, after following the link I was directed to what looked like a legitimate web page.

Now, since this e-mail was delivered to my gmail account, why didn't the webpage ask for authorization to use my current logged in account or simply use single sign-on (SSO)? As those thoughts pass by quickly, I immediately notice the url.

I should warn you, at the time of writing this article (17 hours since receiving the e-mail) the IOCs I have published were/are still active. PROCEED WITH CAUTION (when in doubt, don't click about) :) !!!

Malicious URL:  
hxxp://beckerstaxservice.com/aa/GD/index.php  

I took the URL and ran it through my normal tools, Virustotal and good ole "trusty" wget and vim analysis, since URLquery was down and so was my malware RE lab.

Virustotal Results:  
https://www.virustotal.com/en/url/4d5a4644578abaf71dd5ec5d3cea8fc4983705108b78d48c6d7eb58cc1aac39f/analysis/1471505895/  

I must note, when I originally scanned this URL it came back clean (not malicious), but I added comments and down voted to get that changed. Later after a re-scan, a few different anti-virus services updated their definitions to flag the domain as malicious.

Taking a step back to the original e-mail, there are a couple odd things one could have picked up on. Examples, "UCEF" in the title had no meaning to me and hovering over the "View Report" revealed a tinyurl link. If this was a real document to be signed via DocuSign, it would have displayed a docusign owned domain.

Malicious Redirect URL:  
hxxp://tinyurl.com/hhdn8tx  

Of course after seeing the funky tinyurl I did some quick analysis :)

wget --server-response http://tinyurl.com/hhdn8tx  
--2016-08-18 10:27:21--  http://tinyurl.com/hhdn8tx
Resolving tinyurl.com... 104.20.88.65, 104.20.87.65, 2400:cb00:2048:1::6814:5841, ...  
Connecting to tinyurl.com|104.20.88.65|:80... connected.  
HTTP request sent, awaiting response...  
  HTTP/1.1 301 Moved Permanently
  Date: Thu, 18 Aug 2016 10:27:22 GMT
  Content-Type: text/html
  Connection: close
  Set-Cookie: __cfduid=da439c14d7e98675a9ba6c612a7ede3291471516041; expires=Fri, 18-Aug-17 10:27:21 GMT; path=/; domain=.tinyurl.com; HttpOnly
  Set-Cookie: tinyUUID=7b58d8e5ddc9adffc4f90000; expires=Fri, 18-Aug-2017 10:27:21 GMT; path=/; domain=.tinyurl.com
  Location: http://beckerstaxservice.com/aa/GD/index.php
  X-tiny: cache 0.0065820217132568
  Server: cloudflare-nginx
  CF-RAY: 2d44ac3e3f081177-DFW
Location: http://beckerstaxservice.com/aa/GD/index.php [following]  
--2016-08-18 10:27:22--  http://beckerstaxservice.com/aa/GD/index.php
Resolving beckerstaxservice.com... 192.254.190.21  
Connecting to beckerstaxservice.com|192.254.190.21|:80... connected.  
HTTP request sent, awaiting response...  
  HTTP/1.1 200 OK
  Server: nginx/1.10.1
  Date: Thu, 18 Aug 2016 10:27:22 GMT
  Content-Type: text/html
  Connection: close
Length: unspecified [text/html]  
Saving to: `hhdn8tx'

    [ <=>                                                                                                ] 34,503      --.-K/s   in 0.07s

2016-08-18 10:27:22 (503 KB/s) - `hhdn8tx' saved [34503]  

Pulling down the web page with wget showed a redirect from tinyurl services to the suspicious domain beckerstaxservice[.]com, which was either a legitimate website compromised or rogue short lived domain, bought for phishing landing pages.

Since this person was rather close to me, it was probably safe to assume they had quite the contact list, it was vital to see if their account was breached or if this was a spoofed e-mail. To validate the previous statement I must look at the e-mail headers, or in this case snippet of the "Show original".

X-Received: by 10.36.7.68 with SMTP id f65mr28426876itf.39.1471449587816; Wed,  
 17 Aug 2016 08:59:47 -0700 (PDT)
MIME-Version: 1.0  
Received: by 10.36.26.142 with HTTP; Wed, 17 Aug 2016 08:59:47 -0700 (PDT)  
From: Trusted Victim <victim@victim.com>  
Date: Wed, 17 Aug 2016 16:59:47 +0100  
Message-ID: <CANp=bYHXm6T69b3EdwGmTnbghqvAzCBox9rE=suYQuPnx+582Q@mail.gmail.com>  
Subject: UCEF Spreadsheet & Sole Agreement.  
To: undisclosed-recipients:;  
Content-Type: multipart/alternative; boundary=001a1143eedcfccb34053a468df8  
Bcc: [my-email-addr]@gmail.com

--001a1143eedcfccb34053a468df8
Content-Type: text/plain; charset=UTF-8

[image: DocuSign]


   UCEF Spreadsheet & Sole Agreement.


VIEW REPORT <hxxp://tinyurl.com/hhdn8tx>

--001a1143eedcfccb34053a468df8
Content-Type: text/html; charset=UTF-8  
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><table style=3D"line-height:normal;font-size:12.8px;border=  
-collapse:collapse;max-width:640px"><tbody><tr><td style=3D"padding:10px 24=
px"><img src=3D"https://na2.docusign.net/Member/Images/email/logo-DS-116x33=  
@2x.png" alt=3D"DocuSign" width=3D"116" style=3D"border: none;"></td></tr><=
tr><td style=3D"padding:0px 24px 30px"><table align=3D"center" border=3D"0"=  
 cellpadding=3D"0" cellspacing=3D"0" width=3D"100%" style=3D"color:rgb(255,=
255,255);background-color:rgb(30,76,161)"><tbody><tr><td align=3D"center" s=  
tyle=3D"font-family:helvetica,arial,&#39;sans serif&#39;;padding:28px 36px =  
36px;border-top-left-radius:2px;border-top-right-radius:2px;border-bottom-r=  
ight-radius:2px;border-bottom-left-radius:2px;font-size:16px;width:264px;te=  
xt-align:center"><img src=3D"https://na2.docusign.net/member/Images/email/d=  
ocInvite-white.png" height=3D"75" width=3D"75" style=3D"width: 75px; min-he=  
ight: 75px;"><br><table border=3D"0" cellpadding=3D"0" cellspacing=3D"0" wi=  
dth=3D"100%"><tbody><tr><td align=3D"center" style=3D"font-family:helvetica=  
,arial,&#39;sans serif&#39;;padding-top:24px;border:none">=C2=A0 =C2=A0=C2=
=A0<br>=C2=A0 =C2=A0UCEF Spreadsheet &amp; Sole Agreement.<br><br><br></td>=
</tr></tbody></table><table border=3D"0" cellpadding=3D"0" cellspacing=3D"0=  
" width=3D"100%"><tbody><tr><td align=3D"center" style=3D"padding-top:30px"=
><table cellpadding=3D"0" cellspacing=3D"0"><tbody><tr><td height=3D"44" al=
ign=3D"center" style=3D"font-family:helvetica,arial,&#39;sans serif&#39;;fo=  
nt-size:15px;color:rgb(51,51,51);font-weight:bold;text-align:center;border-=  
top-left-radius:2px;border-top-right-radius:2px;border-bottom-right-radius:=  
2px;border-bottom-left-radius:2px;display:block;background-color:rgb(255,19=  
6,35)"><a href=3D"hxxp://tinyurl.com/hhdn8tx" target=3D"_blank" style=3D"co=  
lor:rgb(51,51,51);text-decoration:none;border-top-left-radius:2px;border-to=  
p-right-radius:2px;border-bottom-right-radius:2px;border-bottom-left-radius=  
:2px;display:inline-block"><span style=3D"padding:0px 24px;line-height:44px=
">VIEW REPORT</span></a></td></tr></tbody></table></td></tr></tbody></table=
></td></tr></tbody></table></td></tr></tbody></table></div>

I scrubbed data from this snippet, so we can limit personally identifiable information or PII. I examine the headers looking for an item called, "Reply-To" which was not found. In short, this header tells recipients who they will be sending their reply emails to. If there is an email in this field that doesn't match the "FROM" address, that potentially means the e-mail was spoofed. Another tip off from the headers was the identification of the Blind Carbon Copy or BCC containing my email address and the "TO" address field which displayed "undisclosed-recipients:;". These headers let me know this was possibly sent out to a massive group of recipients.

If you are looking for more validation on if the email was sent from a trusted source, I recommend taking a look at the email IP/domain path and using DomainKeys Identified Mail or DKIM. This will allow you to determine if an email came from a trusted source, but this part of analysis is out of scope for this article as there are other edge cases that could be revealed.

Looking back at one of my earlier wgets of the malicious phishing domain's URI, "/aa/GD/index.php", I was able to save a copy of the landing page and check the hash against services such as virusshare, virustotal and a quick google search to find the below items.

Google Search: results
Virustotal: https://www.virustotal.com/en/file/8dc294fcf6c0e1fbf8a45b851becdc3c3a81eb98996bd448270fce830c2c5807/analysis/1453306705/

Without diving deeper, It was clear I had found a newer sample but it had connections to other variants as far back as February 2016.

Giving the scope and context around this phishing sample, I wanted to help the possibly affected parties with the proper steps to a quick remediation. So I wrote a fairly short but direct email explaining what phishing is, the dangers behind it, mitigations and remediations that could be use to prevent further attacks. Then I proceeded to send it to the party via another "secured" channel, so they may forward it along to affected parties.

To Whom it May Concern,

You are receiving this email because you have potentially received or opened a recent malicious phishing email from an [insert affective party here]. What is Phishing you might ask? Phishing is the attempt to obtain sensitive information such as usernames, passwords, credit card or personal identifiable information, which could be used for malicious purposes. Phishing attacks typically takes place via an unsolicited e-mail which might contain deep embedded links redirecting to a rogue site that might pose as a legitimate domain. 

To take precaution from possible compromise, we ask that you visit your email's providers website and rotate (change) your e-mail passwords to lock out unsuspecting users that might have access to your account. If you are using a shared password or a password that is the same for other websites, it is recommended that you rotate those websites passwords to lessening the chance/impact of breach.

As good practice, remember to always verify the sender of email's, do not click links, hover over links to see if they actually redirect to the correct website, do not provide username/password on an untrusted website and if you are not expecting an email from the sender or do not know them disregard or trash the email.

For information please feel free to reach out with any questions.  

Usernames and passwords are only a step in proving what you know. It is much more effective to have some type of two factor authentication (2FA) or multi-factor authentication (MFA). As an example, having a hardware or virtual based token in conjunction with usernames and passwords, which offers unique one time passcode. When attempting to provide secure services for end-users remember the below phrases:

Something you know: usernames, passwords  
Something you have: yubikey, rsa token, virtual tokens  
Something you are: biometrics (fingerprint, retina scan)  

Wrapping this all up, training, clear communication and intelligible solutions will help drive organizations on a better breach response and remediation plan as they continue to improve detection capabilities.

If these basic steps are not a part of your organization, you can expect a massive breach of more critical systems because of shared or password reuse factors.

And yet, all this before the workday even began...

I have included a few resources below, that might help point some readers in the right direction.

Resources

https://twofactorauth.org/
https://www.yubico.com/
https://duo.com/
https://zeltser.com/customer-emails-like-phishing/
https://www.cs.cornell.edu/courses/cs513/2005fa/nnlauthpeople.html