There are plenty of phish in the sea and they’re back with new tricks! Dark Lab responds to multiple business email compromise campaigns targeting Hong Kong. We outline two recent incidents, sharing the Tactics, Techniques, and Procedures (TTPs) observed, and recommendations on how to prevent, detect, and respond to a phishing attack.

Business email compromise (BEC) is a social engineering attack which broadly refers to a malicious threat actor attempting to defraud organisations by hacking into their email accounts and impersonating employees and third parties. These phishing attacks have existed for many years, though remain prevalent due to their ability to continuously illicit emotional reactions of victims, thereby triggering an unintended response such as performing actions that lead to undesirable consequences. This is further exacerbated by the fact that BEC attacks typically yield a high return on investment given the low cost of setup and ability to scale operations globally.

The impact of BEC attacks are most evident in the amount of reported losses. The Federal Bureau of Investigation (FBI) reported that BEC attacks amounted to a staggering US$43 billion financial loss globally between 2016 to 2021.[1] Meanwhile, the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) reportedly handled 3,737 phishing incidents in 2021, which represented almost half of the total reportedly handled incidents and was up 7 percent from 2020, rising for the fourth consecutive year.[2]

PwC’s Dark Lab also responded to an increased number of BEC campaigns in 2022. Two particular incidents stood out for their automated “spray and pray” approach to achieve initial access, followed by performing calculated and stealthy manual actions to persist in the Microsoft 365 environment to facilitate ongoing reconnaissance with the aim of effectively impersonating their victim to convince other staff members to approve fund transfers to the threat actor’s bank account. We elaborate the tactics, techniques and procedures (TTPs) that these threat actors leveraged and provide our recommendations on how to prevent, detect, and respond to BEC attacks should they befall your organisation. We further examine the rising trend of phishing kits in large scale phishing operations, enabling low-skilled threat actors to develop compelling phishing campaigns and bypass multi-factor authentication.

Case Study: Global Campaign by Opportunistic Cybercriminal of Unknown Origin

PwC’s Dark Lab responded to an incident in 2Q 2022 that involved a local property investment, management, and development company. The victim’s Microsoft Office 365 account was compromised via a phishing email from the sender domain macopas[.]com, with a link re-directing the victim to a fake Outlook login portal developed and hosted by the threat actor. To convince the victim to provide their password, the Outlook page pre-populated their email address. Given the victim’s mailbox did not have multi-factor authentication (MFA) enabled, the threat actor could obtain full access to the mailbox with a valid password.

The threat actor proceeded to perform three (3) manual actions to persist in the environment and gain more insights on the business operations while remaining hidden. First, the threat actor created various mail rules for moving and/or deleting emails with keywords associated with the threat actor’s access activities. Second, the malicious billing email was sent directly from the victim’s mailbox to various internal staff. Third, a malicious Azure enterprise application named “Newsletter Software SuperMailer” was created by the victim’s account for persisted access; this was particularly useful as the threat actor successfully performed re-logon to the compromised account even after the password was updated. The threat actor was only denied re-entry after MFA for the victim’s mailbox was enforced.

Through review of the available logs, we were able to observe through email trace that the attacker-controlled IP address delivered the same phishing emails to over three hundred (300) addresses of the victim organisation in alphabetical order. Meanwhile, we discovered through open-source information that similar emails had been sent to at least twenty (20) additional organisations globally. Combined with the fact that the threat actor was observed to only perform the first login two days after the password was inputted suggested they spent time to retrieve, study, and utilise their haul of phished credentials. These indicators and behaviour are more reflective of an opportunistic “spray and pray” campaign given the lack of urgency to quickly establish persistence. This is also evident in the end-to-end incident period lasting just under ten (10) days.

Case Study: Nigerian Cybercriminals Exploit Trusted Relationships with Hong Kong Branch Employee to Commit Cyber Fraud

PwC’s Dark Lab responded to a second BEC incident in 3Q 2022 involving a Chinese e-payment terminal solutions service provider with global operations. Similar to the case above, MFA was not enabled, and the threat actor was observed to host phishing domains imitating the Outlook login portal, enabling the threat actor to obtain initial access with valid credentials. This case left a lasting impression for three reasons.

First, the threat actor spent up to three (3) weeks familiarising themselves with ongoing operations by logging in remotely from multiple geolocations (including United States, Australia, Germany, and Nigeria) and modifying various mail rules and contact lists before executing their attack. The inbox rules hide emails specific to the transaction being targeted (e.g. emails from the legitimate parties, emails with transaction references numbers or bank accounts in the body). The emails are moved to a lesser viewed “RSS Feeds” folder with “Mark as Read” enabled in attempt to hide legitimate emails from the victim’s sight.

Second, the threat actor registered a new domain to impersonate the victim in Hong Kong to send emails to European counterparts . Notably, the threat actor embedded their phishing emails within existing conversations – an evasive tactic to exhibit legitimacy by using conversations with established trust. One of the seven (7) phishing emails contained a malicious link (secure[.]membra[.]co[.]uk) that appeared “clean” as it had not been reported as suspicious. However, through deeper inspection we observed the underlying IP address (45[.]153[.]240[.]153) was reported to be malicious, previously associated with other subdomains mimicking as the Microsoft O365 login page, likely used for global phishing campaigns.

Associated domains – likely past phishing campaigns

login-mso[.]cscsteelsusa[.]com

ogin-mso[.]cscsteelsusa[.]com

wwwoffice[.]cscsteelsusa[.]com

login[.]cscsteelsusa[.]com

Third, the threat actor practiced poor operational security including the inconsistent use of a virtual private network (VPN); as a result, they may have potentially disclosed that they operate out of Nigeria. While none of the Nigerian IP addresses were reported as malicious across various open-source security tools, Nigeria has been widely reported by security researchers to be a hotspot for cybercrime activity related to business email compromise attacks.[1] Overall, based on the investigation on open-source platforms leveraging the indicators of compromise from the incident, we conclude with high confidence that the incident was part of a larger-scale mass phishing campaign that opportunistic cybercriminals – likely out of Nigeria – conducted without the intention to target a specific sector or country, and with the motivation of transferring illicit funds to fraudulent bank accounts for financial gain.

Nigerian IP addresses

41[.]184[.]152[.]104

41[.]217[.]70[.]163

154[.]118[.]65[.]105

Phishing Kits bypass MFA

PwC’s Dark Lab observe the prevalent development of phishing kits (also known as adversary-in-the-middle (AiTM)), with over 10,000 organisations targeted by phishing kit attacks since September 2021. AiTMs provide a phishing toolkit as a service for attackers with low technical skills to execute a convincing phishing attack. AiTM phishing kits are easily accessible for attackers on the dark web with various open-source phishing kits available, including prominent providers Evilginx2[4], Modlishka[5], and Muarena[6].

AiTM phishing sites exercise a strong capability, as they enable attackers to deploy a proxy server between a target user and the website the user is attempting to visit – intercepting the connection by redirecting to the attacker’s phishing site. By targeting the authentication token, rather than raw credentials and/or MFA tokens, the phishing kit enables the attacker to steal a fully authenticated session from the victim, effectively bypassing MFA.[7]

As the trend of MFA enforcement by organisations and individuals continue to rise, it is expected that phishing campaigns will move away from traditional phishing methods towards the use of AiTM to overcome the barrier that MFA presents. As threat actors evolve to find innovative ways to circumvent controls and lower the barriers to entry, it becomes even more important for defenders to keep pace with these trends and understand how to prevent, detect, respond, and recover from such attacks.

Conclusion

As evidenced in both case studies, threat actors orchestrating large scale phishing campaigns pose a significant challenge for targeted victims. This can be observed in the actors’ willingness to wait up to three (3) to four (4) weeks before taking action, using the buffer period to build a strong understanding of the victim’s processes to effectively imitate their victim and evade suspicion.

In both cases, we observed oversights in the victim organisations’ security stance which ultimately resulted in their exposure to a BEC attack. In both cases, if multi-factor authentication (MFA) had been enabled, this could have prevented the threat actor from gaining access. Similarly, had the second victim organisation established rules to detect abnormal logins, such as flagging an IP address for suspicious activity if observed to have multiple geolocations over the span of a week, the organisation could have detected the suspicious activity at an earlier stage and prevented further action.

To effectively protect against phishing and BEC attacks, it is vital that organisations enforce a layered defense strategy – combining robust preventative measures with intuitive detective protocols.

Recommendations

While phishing legitimate brands and business email compromises will remain a problem, companies can take action to mitigate and prevent the threat they pose.

• Enhance security controls by establishing procedures in defining “significant” financial transactions and their respective handling procedures, for example automatic bank notifications for outbound transaction verifications and mandatory out-of-band verifications of bank account changes.
• Develop and exercise a layered defense strategy, incorporating well-defined preventative and detective measures.
• Organisations should review their Microsoft 365 configuration and update their email security solutions and network devices (including external firewall, web proxies).
• Implement conditional access rules configuring with Geo-location/IP address restriction to reduce the risk of unauthorised overseas access to O365. For example, a regular review of authentication records for key financial staff members (i.e. Chief Financial Officer, Financial Controller, etc.)
• Organisations should establish rules to restrict unauthorised devices from accessing company resources. For example, enforcing limitations on what devices can access company resources and creating onboarding procedures to enrol authorised devices, such as an employee’s personal mobile phone, before they are able to access company resources.
• Enforce strong multi-factor authentication (MFA), such as number matching, for all users.
• To protect against AiTM attacks, it is advised that organisation implement a layered defense strategy that incorporates MFA in conjunction with various preventative and defensive measures. This includes implementing MFA that supports Fast ID Online (FIDO) v2.0 and certificate-based authentication, enabling conditional access policies, and continuous monitoring for abnormal activities.
• Implement periodic checking process to detect suspicious behaviour such as abnormal logins, mailbox rules, email forwarding rules, and application consent activities.
• Organisations should conduct young domains monitoring and alert against potentially suspicious domains for further action (e.g., domain takedown). This task is typically conducted by our Security Operations Centre for subscription clients, and supported by our Cyber Threat Operations function which includes the Threat Intelligence and Incident Response pillars.
• Conduct regular awareness training to educate the workforce on how to detect suspicious activity, highlighting new TTPs and clear warning signs, and provide clear instructions on the steps to take if they believe they have been targeted by a phishing email. Awareness training can also be completed in the form of phishing simulations to test employees’ susceptibility to phishing emails and fraud (i.e. simulate a sudden change of bank account information to determine if the relevant team detects the unusual behaviour and responds accordingly).
• Users should remain wary of the legitimacy of webpages and their branding, and access websites via the global webpage as opposed to the URL shortened link if in doubt. BEC-impacted companies should issue circulars and alerts as necessary when impersonation attempts are detected .
• We further advise organisations to establish a O365 mailbox rule to detect inbound/outbound traffic from the malicious IP listed in our Indicators of Compromise (IoC) section.

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques elaborated from the incident.

• Acquire Infrastructure: Domains – T1583.001
• Virtual Private Server – T1583.003
• Botnet – T1583.005
• Compromise Email Accounts – T1586.002
• Phishing – T1566
• Spear Phishing Link – T1566.001
• Trusted Relationship – T1199
• Email Hiding Rules – T1564.008
• SharePoint – T1213.002
• Remote Email Collection – T1114.002

Indicators of Compromise (IoCs)

Indicator	Type
www[.]yinqsite[.]com	Known bad domains
login-microsoftonnex-mso[.]yinqsite[.]com	Known bad domains
yinqsite[.]com	Known bad domains
ogin-mso[.]wonjiinco[.]co	Known bad domains
glprop-okta-2f0bc4a0[.]wonjiinco[.]com	Known bad domains
stscn-lenovo-c9b8a5aa[.]wonjiinco[.]com	Known bad domains
msaauth-msasafety-95cce817[.]wonjiinco[.]com	Known bad domains
sts-glb-nokia-a6db40b3[.]wonjiinco[.]com	Known bad domains
sts-posteitaliane-694c6373[.]wonjiinco[.]com	Known bad domains
gas-mcd-37816100[.]wonjiinco[.]com	Known bad domains
login-mso[.]wonjiinco[.]com	Known bad domains
wonjiinco[.]com	Known bad domains
ogin-mso[.]cscsteelsusa[.]com	Known bad domains
wwwoffice[.]cscsteelsusa[.]com	Known bad domains
login[.]cscsteelsusa[.]com	Known bad domains
sts01-nestle-382a43f3[.]cscsteelsusa[.]com	Known bad domains
stscn-lenovo-a3ae4e78[.]cscsteelsusa[.]com	Known bad domains
fs-ncoc-a241b101[.]cscsteelsusa[.]com	Known bad domains
login-mso[.]cscsteelsusa[.]com	Known bad domains
www[.]cscsteelsusa[.]com	Known bad domains
kolroff[.]com	Known bad domains
xsbrane[.]com	Known bad domains
cscsteelsusa[.]com	Known bad domains
belasting-betalen[.]finance	Known bad domains
domain macopas[.]com	Known bad domains
95[.]216[.]126[.]229	IP address
15.204.25.141	IP address
Newsletter Software SuperMailer	Enterprise application created by threat actor
45[.]153[.]240[.]153	IP address
185[.]54[.]228[.]88	IP address
185[.]202[.]175[.]6	IP address
103.231[.]89[.]230	IP address
41[.]184[.]152[.]104	IP address
155[.]94[.]141[.]30	IP address

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.