Phishing

Watch Out for the Adversary-in-the-Middle: Multi-Stage AiTM Phishing and Business Email Compromise Campaign

Posted on by darklabhk

PwC’s Dark Lab recently responded to a Business Email Compromise incident, leading to the discovery of an opportunistic multi-stage Adversary-in-the-Middle campaign.

Business Email Compromise (BEC) attacks persist as one of the most popular scam strategies among opportunistic cybercriminals. BEC attacks refer to a form of social engineering whereby malicious actors attempt to defraud organisations by hacking into legitimate business email accounts and impersonating employees and third parties for direct monetary gains.

Though these attacks have existed since the dawn of the Internet, they continue to be a highly lucrative avenue for attackers given the ability to scale operations target multiple victims simultaneously at a low setup cost. Furthermore, as organisations have heavily prioritised efforts to mature their cyber postures over the last few years, we observe a significant shift away from malware towards identity-based attacks as attackers leverage valid credentials to disguise their activities. In the past few years, an increasingly common strategy is to leverage phishing toolkits to steal valid credentials as well as login sessions, bypassing multi-factor authentication (MFA).

In this two-part series, we showcase two classic Adversary-in-the-Middle (AiTM) campaigns targeting Hong Kong-based victims. In part one, we shared our technical analysis on the ongoing campaign leveraging the Evil QR tool to hijack Hong Kong and Macau-based victims’ WhatsApp accounts.[1] This blog piece provides a technical analysis on our incident response experience with a multi-stage Adversary-in-the-Middle (AiTM) phishing and BEC attack, which led to the discovery of a wide-scale, opportunistic campaign weaponising a sophisticated phishing toolkit, Evilginx and EvilProxy.  

Initial Access

The attack initiated via the delivery of a phishing email from joingreatlife[.]com, with a lure masquerading as a DocuSign notification for document review and signature.

Figure 1: Screenshot of phishing email

The phishing emails originated from the joingreatlife[.]com sender domain, which we assessed to be a legitimate business based on the WHOIS records indicating the domain was registered in 2013, and multiple linked social media accounts, including an actively updated Facebook account, and no malicious flagging by security solutions.[2],[3],[4],[5] Due to their lack of valid SPF, DKIM, or DMARC record as at the time of investigation[6], we hypothesise that the legitimate business was likely spoofed or compromised to deliver phishing emails.

Figure 2: Flagged malicious joingreatlife[.]com sub-domains

Through further review of the victim’s mailbox, it was observed that the victim was repeatedly targeted by multiple phishing emails from senders such as ‘cv@service[.]bosszhipin[.]com’ between March 2022 and June 2023. Pivoting on the email address, we discovered that cv@service[.]bosszhipin[.]com has been historically flagged for sending spam and phishing emails.[7] Consistent with observations of the joingreatlife[.]com domain, we validated the bosszhipin[.]com domain to be serving legitimate business content[8], and was likely spoofed by malicious actors as a result of the lack of valid DKIM or DMARC record.[9]

Upon clicking on the ‘Review Document’ button within the phishing email, the victim was redirected to a Ticketmaster domain (engage.ticketmaster.com) before redirecting to the actual phishing URL hosted on an online coding sandbox website (hx5g6s.codesandbox[.]io), which then further redirected the user to their phishing site hosted at IP address 134.209.186[.]170. We hypothesise that the multi-redirect approach initiated via the legitimate intermediate domains was employed to evade detection, confuse security analysis and blocking by the victim organisation’s spam filters.

Investigation into 134.209.186[.]170 revealed the IP address to be flagged as malicious and reported in multiple occasions in July 2023.[10] Furthermore, the same IP address (134.209.186[.]170) was noted to be historically hosting a phishing site resembling a OAuth-based login portal – a matching indicators of a credentials- or session-harvesting site leveraging the AiTM attack.[11]

Figure 3: 134.209.186[.]170 flagged malicious, hosting OAuth phishing site

The phishing site served as a proxy between the victim and the legitimate Microsoft login page. As the victim performed a legitimate login with multi-factor authentication (MFA), the attacker operated as an adversary-in-the-middle, using the captured OAuth access token to bypass MFA and obtain the victim’s valid logon session, resulting in a successful impersonation with the victim’s identity to the legitimate resources on M365, including Outlook, SharePoint, or other applications as accessible by the victim.[12]

Persistence and Defense Evasion

Subsequent to logging into the victim’s mailbox, the attacker (85.209.176[.]200) registered a new MFA authentication method and attempted to access the victim’s mailbox via a legitimate, external application (PerfectData Software) to establish persistent access. To maintain stealth, the attacker (147.124.209[.]237) modified mailbox rules to reroute emails to the victim’s RSS Subscriptions folder, altered email folder arrangements, and accessed two SharePoint files. As observed at each stage of their attack,  the threat actor was logged using a different IP address  for each activity to conceal their identity and location, and further evade detection.

Impact

Leveraging the compromised email account, the attacker (104.254.90[.]195) impersonated the victim’s identity to send two phishing emails. The first email was sent to an external contact, containing no contents. The second email was sent to an internal employee containing a fraudulent transaction invoice attachment, indicating an attempt to facilitate unauthorised fund transfers. At this stage, the victim organisation detected and blocked the fraudulent fund request attempt and proceeded to conduct containment measures to reset the compromised credentials and revoke the unauthorised login sessions. Based on our observations, we assessed that the malicious actor conducted the AiTM attack to perform the email account takeover for financially-motivated intent.

Uncovering the wide-scale AiTM campaign

Pivoting on the phishing email subject title “Completed: Complete Doc viaSign: #2,” we identified over 50 files uploaded between 3 July and 18 July 2023[13] which contained redirects to the same embedded URL (http://links[.]engage[.]ticketmaster[.]com). Paired with the observed existence of the phishing email structure since December 2021, this indicated that the victim was phished as a part of an ongoing opportunistic campaign which researchers have reported as a multi-stage AiTM phishing and business email compromise (BEC) campaign.

Potential Use of the Caffeine Phishing Toolkit

Pivoting on the malicious link, we assessed that the link was likely launched from a phishing toolkit to steal valid sessions. We observed that the malicious link leveraged the Ticketmaster domain to obfuscate the malicious payload to bypass mail detection rules and deliver malicious payloads via browser redirects to codesandbox.io.[14] Further  pivoting on the Ticketmaster domain, we observed potential relations to a Phishing-as-a-Service (PhaaS) platform “Caffeine”, which provides subscribers phishing email templates with legitimate URLs to contain malicious payloads that operate to steal credentials (e.g. passwords, session tokens) through third-party sites such as codesandbox.io to evade detection.[15] [16] This is consistent with the observations in this phishing campaign and corresponding telemetry, as evidenced in Figure 4.

Figure 4: Phishing email redirects leveraging legitimate services to redirect to payloads hosted on codesandbox.io

Weaponising Evilginx and EvilProxy

Through deeper inspection, we discovered that the IP (134.209.186[.]170) address associated with the attackers were involved with several other phishing submissions submitted by other users. These submissions revealed that the domains used by the attackers serve pages that are consistent with our observed victim’s sessions stealing activities. The user emails passed in the web request were also observed to be consistent with other relevant schemes. Through these observations, we assessed with high confidence that the threat actors leveraged Evilginx and EvilProxy as a means to bypass two-factor authentication (2FA) and that these session stealing methods were the initial foothold that enabled the threat actor to gain access to the victim’s corporate resources.

Evilginx is an advanced AiTM attack framework capable of bypassing 2FA and intercepting legitimate session cookies.[17] This is a significant capability for attackers who can consequently conduct their phishing campaigns without capturing credentials, as attackers can impersonate victims without password knowledge to gain unauthorised access.

EvilProxy is a Phishing-as-a-Service (PhaaS) toolkit operating as a powerful proxy tool, redirecting victims’ web traffic through attacker-controlled servers.[18] The tool enables attackers to not only capture login credentials but also manipulate web content in real-time, presenting victims with malicious payloads or further deceptive content.

Conclusion

Based on our findings, we assessed with high confidence that the victim was compromised as part of a wide-scale, opportunistic social engineering campaign utilising Evilginx and EvilProxy to bypass MFA and subsequently perform a BEC attack via internal spear phishing. Due to the lack of information and reporting on the specific IOCs collected during the incident, and the use of widely adopted techniques and toolkits, we did not derive conclusive evidence to ascertain the specific threat actor responsible for the attack.

The two campaigns explored in this two-part blog series are just two of the many case studies supporting our observations that the cyber threat landscape is rapidly evolving, with threat actors increasingly shifting towards-identity based attacks. As organisations worldwide have prioritised efforts to harden their cybersecurity posture, we observe threat actors adapt by weaponising valid credentials to bypass defences under the guise of trusted identities. Furthermore, in both cases, we observed that threat actors are not only targeting passwords, but valid sessions to maintain persistent, elusive access to victim environments.

Whilst identity-based attacks are by no means novel, they continue to pose a significant threat to organisations given the complexity of distinguishing between legitimate and malicious use of authorised access. To effectively protect against identity-based attacks, it is vital that organisations and individuals enforce a layered defence strategy combining robust preventative measures with behavioural-based detection.  

Join us on November 7 2023 for PwC’s annual Hack A Day Conference: Register Here

Recommendations

Preventive

  • Implement sender authentication measures including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication (DMARC) to reduce susceptibility to phishing and spoofing attacks.
  • Review existing Microsoft 365 configuration and update their security solutions and network devices (including external firewall, web proxies). For example, enforcing spam filters configurations to ensure all inbound emails are processed by spam filtering policies prior to delivery, reviewing email forwarding rules to identify any potential external malicious email forwarding, and restricting O365 access via geo-fencing to prevent authorised access or account brute-force over O365.
  • While this incident highlighted how threat actors can potentially bypass multi-factor authentication (MFA), MFA remains a critical layer of protection against credential-abuse attacks. Best practices include:
    • Ensuring MFA solutions restrict the number of failed authentication attempts, login attempts are monitored and alerted for anomalous activity, and enforcing strong password policy requirements.
    • Leveraging features such as conditional access to setup session timeouts or block sign-ins from illegitimate access to the resources by third party devices, or overseas where applicable, in combination with features such as Mobile Device Management (MDM).
  • Enhance business security controls by establishing procedures for financial transactions and their respective handling procedures. For example, automatic bank notifications for outbound transaction verifications and mandatory out-of-band verifications of bank account changes.
  • Regularly conduct user awareness training to educate employees on the latest social engineering techniques deployed, indicators to identify potentially malicious activity, and process for reporting suspicious activity.
  • Organisations should conduct young domain monitoring to proactively uncover potential phishing campaigns targeting, or likely to target, your organisation.

Detective

  • Monitor user account activity for email forwarding, excessive document downloads or deletions and excessive file sharing. Depending on the user (e.g. users operating within functions more likely to be targeted in phishing attacks, such as HR, Finance, C-Suite personnel), setup monitoring for specific activities, such as monitoring for the creation of mail rules that involve moving to folders to RSS.
  • Establish behavioural-based detection rules that will expire tokens and disable sign in when suspicious account behaviour is detected. Indicators of suspicious behaviour could include access from abnormal geolocations and accessing servers not typically accessed by the user identity. Further, leverage features such as “risky sign-in” to receive notifications of suspicious authentication attempts and respond in-time to threats.
  • We further advise organisations to establish an O365 mailbox rule to detect and block inbound/outbound traffic from the malicious IPs listed in our Indicators of Compromise (IoC) section.

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques from the campaign:

  • T1589.002 – Gather Victim Identity Information: Email Addresses Resource Development
  • T1584.004 – Compromise Infrastructure: Server
  • T1588.002 – Obtain Capabilities: Tool
  • T1566.002 – Phishing: Spear Phishing Link
  • T1189 – Drive-by Compromise
  • T1204.001 – User Execution: Malicious Link
  • T1098.005 – Account Manipulation: Device Registration

Indicators of Compromise (IoCs)

We include the observed IoCs:

IoCTypeDescription
brad.hansen[@]joingreatlife[.]comEmail SenderEmail Sender of phishing email
Completed: Complete Doc viaSign: #2Email SenderEmail Sender of phishing email
hx5g6s.codesandbox[.]ioDomainOnline coding sandbox website
lmo-halbacea.halbacea[.]comDomainDomain associated with phishing web server
lmolmoworked-inc-docs-signedservices.remmellsp.]comDomainDomain associated with phishing web server
134.209.186[.]170IP AddressIP Address of OAuth phishing web server, threat actor logon
85.209.176[.]200IP AddressIP Address of threat actor logon, deliver phishing email, register Authenticator App and attempt to connection to external application “PerfectData Software”
147.124.209[.]237IP AddressIP Address of threat actor logon, create new inbox rule
51.195.198[.]33IP AddressIP Address of threat actor logon, access SharePoint files
104.254.90[.]195IP AddressIP Address of threat actor logon, deliver phishing email, create new inbox rule

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Watch Out for the Adversary-in-the-Middle: WhatsApp QR Code Hijacking Targets Hong Kong and Macau Consumers

Posted on by darklabhk

PwC’s Dark Lab investigates the local WhatsApp account hijacking attacks, uncovering multiple campaigns targeting Hong Kong and Macau consumers.

Over the last few months, the community has seen a surge in attacks against individuals’ collaboration and communication applications that offers the use of mobile devices as a means of authentication. By taking over accounts on such platforms through means such as phishing, threat actors can easily gain access to personal or event-sensitive information shared across such platforms or carry out attempts to defraud legitimate business partners or contacts of individuals.

In this two-part series, we showcase two classic Adversary-in-the-Middle (AiTM) campaigns targeting Hong Kong-based victims. This blog piece provides a technical analysis and actionable steps to protect yourself against the ongoing campaign leveraging the Evil QR toolkit to hijack WhatsApp accounts locally.

Stay tuned for part two, as we share our incident response experience with a multi-stage AiTM phishing and business email compromise (BEC) attack weaponizing Evilginx and EvilProxy, leading to our discovery of the wide-scale, opportunistic campaign.

WhatsApp QR Code Hijacking Targets Hong Kong and Macau Consumers

In October 2023, we observed multiple reports of WhatsApp account hijacking cases impacting Hong Kong- and Macau-based victims. Upon successful account takeover, malicious actors have been observed to impersonate the owners of the compromised WhatsApp accounts, contacting the victim’s WhatsApp contacts to request fund transfers under the guise of their trusted relationship. Breaking down the attack, we observe that the Evil QR tool was deployed to facilitate the WhatsApp account takeovers, targeting unsuspecting victim.

Understanding how Evil QR works

Evil QR, first reported in July 2023, is a browser extension that enables attackers to exploit legitimate QR codes to intercept and steal their cookie session, providing access to the victim’s account.[1]

How Evil QR operates[2]:

  • The attacker open the legitimate WhatsApp Web login page (https://web.whatsapp.com/).
  • The attacker enables the Evil QR browser extension, which  extracts the legitimate QR code from WhatsApp Web and proxies it to the Evil QR server, which hosts the attacker’s phishing page.
  • The attacker’s phishing page dynamically displays the latest QR code extracted from the WhatsApp Web login page.
  • When the unsuspecting victim visits the phishing page impersonating WhatsApp Web login and scans the QR code, the attacker successfully obtains access to the victim’s WhatsApp account.
  • Due to proxying, the victim will be unaware of the existence of these sessions, unless they manually check their WhatsApp settings (Settings > Linked Devices).

Figure 1: Attack path for WhatsApp account takeover using Evil QR

Weaponization of Evil QR by malicious actors

Due to the relatively simple setup of the QR code and phishing site using Evil QR, it is a highly lucrative and incentivising means for attackers to obtain access to sensitive information and perform malicious activities, as reflected in the recent surge of attacks against collaboration and communication applications.

We observe search results on Google, which indicate dedicated efforts to promote phishing sites impersonating WhatsApp to defraud unsuspecting victims. Search engine optimisation (SEO) poisoning is a technique commonly deployed by threat actors to improve the ranking of their malicious websites on search engine result pages.[3]

To improve the SEO ranking of their phishing site and deceive unsuspecting visitors of their ‘legitimacy’, threat actors may deploy an array of techniques, such as keyword stuffing, whereby threat actors overload their phishing sites with keywords in a repetitive manner to manipulate search engine rankings to assess their website has relevant content. Another common technique is typosquatting, whereby threat actors capitalise on human error by registering domains with variations of potential spelling errors, that could accidentally be typed (“typo”) by unsuspecting users (e.g. watsap web). Further, attackers commonly abuse sponsored listings and advertisements to direct users to their phishing sites.

Figure 2: Search results for the typo ‘watsapp web’

Referencing the first sponsored search result, ws6.whmejjp[.]com, we observe the domain to be actively impersonating the WhatsApp Web login webpage.

Figure 3: Screenshot of ws6.whmejjp[.]com as of 19 October 2023

Pivoting on structurally similar websites, we observe the host IP (2a06:98c1:3121:[:]3) hosting over 10,000 domains with a similar HTML structure. Based on the newly registered domains associated with the host IP, we observed multiple typosquatted domains targeting users of various gaming and communications platforms, such as Twitch, Steam, Valorant, and Telegram. 

Referencing public reports of the ongoing attacks against Hong Kong consumers[4], we pivoted on the waacad[.]cyou domain which continues to display a WhatsApp Web login page.

Figure 4: Screenshot of waacad[.]cyou as of 19 October 2023

Analysing the host IP (103.71.152[.]102) for waacad[.]cyou, we observe it to be serving 14 newly registered domains within the last month starting from 22 September 2023. The domains were observed follow a similar domain naming convention, all displaying an identical WhatsApp Web phishing page.

Figure 5: Newly registered domains hosted by 103.71.152[.]102 [5]

Through further investigation of 103.71.152[.]102, we observed multiple domains created between 27 August and 1 September 2023, which appear to impersonate Sands casino. Based on observations that 103.71.152[.]102 and multiple of its hosted domains have been flagged as malicious for phishing, consistent naming conventions, contents of the WhatsApp Web phishing pages written in Chinese, and the ongoing suspected phishing campaign impersonating Sands, we assess with high confidence that the threat actor is conducted an ongoing, targeted phishing campaign against Hong Kong and Macau citizens.

Potential impact upon successful WhatsApp account takeover

Upon a successful WhatsApp account takeover, the attacker has full access to the user’s conversations and contact list. In the ongoing campaign targeting Hong Kong users, we observe the primary goal to be victim impersonation to request fund transfers from unsuspecting people who would typically trust the victim, including family, loved ones, and friends.

Figure 6: Sample of fraudulent fund transfer request via WhatsApp

Further, attackers may scan the victim’s conversation for sensitive information, such as personally identifiable information (“PII”) and shared passwords, depending on what sensitive information has been disclosed by the individual to other parties. In addition, the attacker could further leverage the account to send phishing links (“smishing”) to the victim’s contacts, to perform additional credential theft activities.

Conclusion

PwC’s Dark Lab observes that Hong Kong and Macau are being actively targeted by multiple opportunistic phishing campaigns. We strongly encourage citizens to exercise caution and awareness when interacting with untrusted sources. Refer to our recommendations below for general best practices and advice on how to detect and respond to a potential WhatsApp account takeover.

We continue to observe the cyber threat landscape evolve, with threat actors increasingly shift towards identity-based attacks not only weaponizing passwords, but sessions to maintain persistent access to compromised accounts. Stay tuned for part two, as we share key learnings from a recent incident response case involving a multi-stage AiTM phishing and business email compromise (BEC) attack.

Join us on November 7 2023 for PwC’s annual Hack A Day Conference: Register Here

Recommendations

How to detect if you are visiting a phishing website impersonating WhatsApp Web:

  • When searching for “WhatsApp Web” or any other website, avoid sponsored links and double check before clicking on a link for any spelling errors which could indicate it is a typosquatted (phishing) domain.
  • When visiting the website, while the website may appear similar to the legitimate domain, look out for the slight differences.

For example, if we compare the legitimate WhatsApp Web domain (web.whatsapp.com) with the malicious domain (waacad[.]cyou), we notice four (4) differentiators:

  1. If you were to check the URL of the phishing page, you would immediately notice it is suspicious and unlikely to be the actual WhatsApp login page.
  2. On the legitimate webpage, the WhatsApp logo and name exists, which is not observed on the malicious page.
  3. The instruction wordings differ.
  4. The legitimate webpage has a ‘Tutorial’ section with advice on ‘how to get started’. It should be noted that whilst this phishing domain does not display this section, other more convincing phishing sites could include this section to further deceive you into trusting their phishing site is legitimate.

How to check and respond if you suspect your WhatsApp account has been compromised:

1. Check and log out any unauthorised devices:

  • In WhatsApp, check if any unauthorised devices are logged in (Settings > Linked Devices).
  • For any suspicious or unknown logins, tap the device to log out. This will remove their access to your account.

2. Perform additional checks to identify any potential activities performed by the malicious actor during their access to your account:

  • Check archived messages to see if any conversations were archived by the malicious actor.
  • Check if any messages have been sent or deleted in the chat without your knowledge.
  • Check if any voice recordings or files were shared to your contacts.

3. Inform any of your contacts if they have been contacted by the malicious actor.

Whether your contact unknowingly sent money or not, it is important to notify them that they were communicating with the malicious actor and not you so they can remain aware and exercise caution when receiving unusual or suspicious messages from you or other contacts.

General Best Practices

Visiting websites:

  • Check links before clicking to validate their legitimacy (e.g. spelling errors) and always remain wary of the legitimacy of webpages and their branding.
  • Access websites via the global webpage as opposed to the URL shortened link if in doubt.
  • If you accidentally visit a phishing site,
    • Do not click on any links and double check your device to see if any files were downloaded.
    • If any files were downloaded, do not open it. Delete the file immediately and clear your recycling bin.
  • If you believe you may have fallen victim to a phishing attack,
    • Monitor your email’s “sent” folder to identify any unauthorised emails that have been issued from your account. If any, alert the receiver as well as your wider contact list that you may have fallen victim to a phishing attack, so they can be on alert that incoming messages from your account may not be legitimate.
    • Perform a password reset, enable multi-factor authentication (MFA), and report the suspected phishing activity immediately to your credit card issuers (and organisation if accessed the site through your work device) to monitor and restrict potentially suspicious activity.

Communication platforms:

  • If you have received a suspicious or unusual message from your contact requesting funds or sensitive information, exercise caution to determine if the request is legitimate. Potential signs that your contact has been compromised could include:
    • Unusual nature of the request – e.g. your contact asking you to urgently send money
    • Deviating from their normal typing or speaking pattern – if their message does not sound like them – it might not be them!
    • Often times, malicious actors use artificial intelligence (“AI”) to generate messages, which may sound robotic or unnatural in nature. For voice messages, malicious actors may alter the AI-generated message (e.g. speeding it up or adding background noise) to attempt to make the voice message seem less robotic.
    • Do not disclose sensitive information via WhatsApp or other communication channels. Whilst these channels may be encrypted, we continue to observe malicious actors attempting to perform account takeovers, granting them with full access to compromised users’ accounts.

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques from the campaign:

  • T1583.001 – Acquire Infrastructure: Domains
  • T1583.008 – Malvertising
  • T1586 – Compromise Accounts
  • T1608.006 – Stage Capabilities: SEO Poisoning
  • T1566 – Phishing
  • T1189 – Drive-by Compromise

Indicators of Compromise (IoCs)

We include the observed IoCs:

IOCType
clooe[.]cyouWhatsApp phishing site
kkgee[.]icuWhatsApp phishing site
waacad[.]cyouWhatsApp phishing site
www[.]waacad[.]cyouWhatsApp phishing site
clooeapp[.]cyouWhatsApp phishing site
kkgegroup[.]icuWhatsApp phishing site
bbhes[.]cyouWhatsApp phishing site
gooe8[.]cyouWhatsApp phishing site
xxeez[.]icuWhatsApp phishing site
gooer[.]icuWhatsApp phishing site
waacad[.]icuWhatsApp phishing site
weeae[.]icuWhatsApp phishing site
weeaet[.]cyouWhatsApp phishing site
wyyadinc[.]icuWhatsApp phishing site
bbyaysc[.]cyouWhatsApp phishing site
5565m[.]vipPotential Sands phishing site – not flagged malicious
5565k[.]vipPotential Sands phishing site – not flagged malicious
5565v[.]vipPotential Sands phishing site – not flagged malicious
5565f[.]vipPotential Sands phishing site – not flagged malicious
5565t[.]vipPotential Sands phishing site – not flagged malicious
5565z[.]vipPotential Sands phishing site – not flagged malicious
5565c[.]vipPotential Sands phishing site – not flagged malicious
5565r[.]vipPotential Sands phishing site – not flagged malicious
5565i[.]vipPotential Sands phishing site – not flagged malicious
5565a[.]vipPotential Sands phishing site – not flagged malicious
5565p[.]vipPotential Sands phishing site – not flagged malicious
5565w[.]vipPotential Sands phishing site – not flagged malicious
5565g[.]vipPotential Sands phishing site – not flagged malicious
5565u[.]vipPotential Sands phishing site – not flagged malicious
5565e[.]vipPotential Sands phishing site – not flagged malicious
5565l[.]vipPotential Sands phishing site – not flagged malicious
5565d[.]vipPotential Sands phishing site – not flagged malicious
5565s[.]vipPotential Sands phishing site – not flagged malicious
5565j[.]vipPotential Sands phishing site – not flagged malicious
5565q[.]vipPotential Sands phishing site – not flagged malicious
5565x[.]vipPotential Sands phishing site – not flagged malicious
5565h[.]vipPotential Sands phishing site – not flagged malicious
5565o[.]vipPotential Sands phishing site – not flagged malicious
ws6.whmejj[.]comWhatsApp phishing site
dxweb.whasatcp[.]lifeWhatsApp phishing site
uaa.whxmcwd.topWhatsApp phishing site
103.71.152[.]102IP Address

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Hong Kong and Singapore Citizens Actively Targeted by Large-Scale Global Smishing Campaign

Posted on by darklabhk

PwC’s Dark Lab uncovers a large-scale smishing campaign actively targeting Hong Kong and Singapore citizens by masquerading as trusted and reputable locally based public and private postal service providers.

On 21 September 2022 , PwC’s Dark Lab observed SMS phishing (smishing) activity targeting mobile users in Hong Kong. The message masqueraded as the postal service Hongkong Post – a government department of Hong Kong responsible for postal services – delivering a package to the victim. We posit that the intended purpose was to steal victims’ personally identifiable information (PII) and credit card details, based on similar information posted on social media.

Smishing campaigns via the fraudulent use postal services are far from uncommon and has increased at an alarming rate as a result of the Covid-19 pandemic. We previous reported on a global campaign impacting Hong Kong, Macau, and Singapore users per our March 2022 blogpost “Smells SMiShy to me…”.[1] This latest campaign caught our attention primarily as it seemed to be an active, large-scale smishing campaign impacting multiple Asia Pacific countries, including Hong Kong and Singapore. We release this blog post concurrent to the ongoing campaign to raise awareness among enterprises and individuals and will continue tracking the threat actor’s activities as the campaign progresses.

Impersonating Hongkong Post

On 21 September 2022, PwC’s Dark Lab observed that Hongkong Post’s Track and Trace portal was being imitated by the newly registered domain hkpoieq[.]com. The domain was no more than one (1) day of age, and requested victims to ‘change their delivery address’ for a fake order “AS658237789HK”. We did not observe the domain to have a mail exchanger (MX) record, which indicated that the threat actor did not intend for this domain to be received via email.

Figure 1: Screenshot of the fraudulent Hongkong Post webpage that was hosted on hkpoieq[.]com

Upon further inspection of the domain, we observed that hkpoieq[.]com resolved to the IP address 155[.]94[.]163[.]222. The threat actor subsequently leveraged the same IP address to register an additional three (3) domains between 22 to 29 September 2022 – hkpoist[.]com, hkpoivt[.]com, and hkpoiec[.]com. The domains seemingly adopted a consistent naming convention whereby the alpha-2 ISO country code[2] was prefixed with an additional five (5) seemingly randomised letter characters. These domains were also registered across a short period of time and proceeded to be unresolvable relatively quickly (under 3 days), thus we were not able to obtain further information beyond the first screenshot to verify the objective of the impersonation. The short time in which the domains remained unresolvable meant that security vendors did not have opportune time to detect the domains and IP address as malicious as of the time of writing[3], which increases the challenge to detect and respond in a timely manner.

However, we were able to retrieve a separate smishing message with a separate domain hkrocit[.]com that also impersonated Hongkong Post on 9 October 2022.

Figure 2: Smishing Message from threat actor to Hongkong Post customer. Translation: “The courier delivery failed to be delivered by the courier without a signature. Please update your address at hkrocit[.]com

Though the naming convention of the domain hkrocit[.]com followed a similar format as hkpoieq[.]com, we could not immediately correlate the two as the second domain resolved to a different IP address 155[.]94[.]140[.]247. Yet upon deeper inspection, we observed that both domains had been registered under the same Internet Service Provider (ISP) QuadraNet Enterprises LLC (QuadraNet) with an Autonomous System Number (ASN) 8100. Furthermore, the threat actor continued the same pattern of operations by registering new domains, though with greater frequency amounting to a total of 12 domains over 14 days (details in the Indicator of Compromise section). As of the time of writing, we have not observed further domains resolving to this IP address since they were flagged malicious on 14 October 2022.[4]

Given both a similar naming convention, a similar ASN and ISP, as well as the similar pattern of newly registered domains impersonating the same service provider, we assess with moderate confidence that it is the same threat actor conducting a persistent smishing campaign targeting Hong Kong citizens.

During our pivoting, we also observed that there were three (3) domains registered between 29 September 2022 and 10 October 2022 that began with “sg” and resolved to 155[.]94[.]140[.]247. We extended our logic that the domain’s first two letters were the alpha-2 ISO country code, and through open-source investigation was able to observe that sgpoist[.]com had previously impersonated Singapore Post Limited (SingPost), which is the designated public postal licensee for Singapore. This gave weight to our hypothesis on the domain naming convention and increased our confidence level that it is a campaign that extends targeting beyond Hong Kong and to other countries such as Singapore.

Figure 3: Observing from records of previously conducted public searches on sgpoist[.]com to validate our hypotheses on the domain naming convention and identifying that the threat actor also impersonated Singapore Post Limited

The Final Confirmation…

The final confirmation that the threat actor has previously targeted other Asia Pacific countries such as Japan with an objective of steal victims’ PII and credit card details was obtained through various posts on the social media platform Twitter. A simple search on 155[.]94[.]140[.]247 revealed that security researchers previously alerted the public in April 2022 of phishing campaigns impersonating reputable retailers such as AEON[5] and Amazon Japan[6], highlighting QuadraNet as the questionable ISP.

Figure 4: Twitter posts that flag 155[.]94[.]140[.]247 as suspicious in April 2022 given impersonation of AEON and Amazon Japan

Similarly, on 23 September 2022, local news station Channel C HK reported on a similar case whereby four (4) teenagers were detained by Hong Kong Police Force for using stolen credit cards to purchase electronic devices. Their investigation found that the group allegedly obtained the stolen credentials by operating a fake Hongkong Post website and linking a mobile payment tool to the site to make purchases with the stolen credit card information.[7] While there is insufficient information to draw a correlation between both cases, this incident provides further insight into the likely motivations and intended impact of the threat actors behind QuadraNet. This is the final validation to strengthen our assessment that this is a large-scale phishing campaign likely initiated by cybercriminals that sought to gain profit via sale of PII and credit card information.

Target Shifted: Observing the Threat Actor Impersonating S.F. Express

As of the time of writing, we observed that the campaign is likely ongoing though the behaviors of the threat actor has slightly changed. For example, S.F. Express is now the organisation being impersonated, with domains such as hkrzit[.]com, hkrmit[.]com, and hkrlit[.]com being registered between 13 and 14 October 2022. The naming convention has also altered slightly, with the alpha-2 ISO country code now only prefixed with an additional four (4) seemingly randomised letter characters instead of the original five (5) letter characters. We posit that the threat actor will continue to conduct smishing to obtain PII and credit card information from unsuspecting victims, likely those based in Hong Kong.

Figure 5: Screenshot of the fraudulent S.F. Express webpage that was hosted on hkrzit[.]com

Conclusion – To Be Continued…

PwC’s Dark Lab observes that Hong Kong and Singapore are actively being targeted by a global large-scale persistent smishing campaign. We strongly encourage citizens to practice caution and awareness when interacting with communications, particularly of SMS origin as a result of the recent campaign. PwC’s Dark Lab will continue to monitor campaigns of varying scales, not just those that may target enterprises but also those that impact individuals. We will continue to investigate this ongoing campaign and invite readers to stay tuned for further updates and insights.

Recommendations for Individuals

  • Users should remain wary of the legitimacy of webpages and their branding, and access websites via the global webpage as opposed to the URL shortened link if in doubt.
  • If you accidentally visit a phishing site, do not click on any links and check if any files were downloaded. Monitor your email’s ‘sent’ folder to identify if any unauthorized emails have been issued from your account. Alert the receiver, as well as your wider contact list that you may have fallen victim to a phishing attack so they can be on alert that incoming messages from your account may not be legitimate.
  • If you believe you have fallen victim to a phishing attack, we recommend that you perform a password reset, enable MFA, and report the suspected phishing activity immediately to your credit card issuers (and organisation if accessed the site through your work device) to monitor and restrict potentially suspicious activity.

Recommendations for Organisations

  • Organisations should conduct young domains monitoring and alert against potentially suspicious domains for further action – this is typically conducted by your Security Operations Centre. For this particular case, we suggest to look for domains that have four (4) or five (5) randomised letter characters appended to alpha-2 ISO country codes for the countries they operate in. We have already informed Hongkong Post and S.F. Express to investigate, and if necessary perform takedown of fake domains.
  • Organisations should enforce a layered defense strategy, incorporating both defensive and preventative protocols. This includes enforcing a zero trust network and organisation-wide.
  • Organisations should update their email security solution and network devices (including external firewall, web proxies) to detect for potential inbound/outbound connections from the known-bad domains and IP addresses in this post.
  • Registrars should enhance their onboarding due diligence to reduce the risk of provisioning domains impersonating legitimate brands and conduct regular review activities of those domains to ensure their use for ethical and non-malicious activities. 
  • Read our blog about Business Email Compromise (BEC) to learn more about targeting against organisations and the recommendations of how to prevent, detect and respond to a BEC attack.[8]

Indicators of Compromise (IoCs)

IoCType
155[.]94[.]140[.]247 IP Address
155[.]94[.]163[.]222IP Address
hkpoivt[.]comMalicious Domain
xiewen[.]xyzMalicious Domain
hkpoiec[.]comMalicious Domain
hkpoieq[.]comMalicious Domain
hkpocn[.]comMalicious Domain
hkpoir[.]comMalicious Domain
hkpoie[.]comMalicious Domain
hkpoet[.]comMalicious Domain
hkpoik[.]comMalicious Domain
hkpoim[.]comMalicious Domain
hkpois[.]comMalicious Domain
hkpoei[.]comMalicious Domain
hkrmit[.]comMalicious Domain
hkrzit[.]comMalicious Domain
hkrlit[.]comMalicious Domain
hkrxit[.]comMalicious Domain
hkrcit[.]comMalicious Domain
hkrocit[.]comMalicious Domain
hkromit[.]comMalicious Domain
hkroist[.]comMalicious Domain
hkpoist[.]comMalicious Domain
hkporut[.]comMalicious Domain
linkblti[.]comMalicious Domain
hkrqit[.]comMalicious Domain
hkrwit[.]comMalicious Domain
hkrocit[.]comMalicious Domain
hkrzit[.]comMalicious Domain
hkrlit[.]comMalicious Domain
cadpoxit[.]comMalicious Domain
hkrxit[.]comMalicious Domain
cadpocit[.]comMalicious Domain
hkrcit[.]comMalicious Domain
hkrocit[.]comMalicious Domain
hkromit[.]comMalicious Domain
hkroist[.]comMalicious Domain
sgpardrt[.]comMalicious Domain
hkpoist[.]comMalicious Domain
hkporut[.]comMalicious Domain
sgporut[.]comMalicious Domain
sgpoist[.]comMalicious Domain
cadporv[.]comMalicious Domain
cadporc[.]comMalicious Domain
mazsn[.]comMalicious Domain
anazch[.]comMalicious Domain
anazc[.]comMalicious Domain
anazcm[.]comMalicious Domain
aeomn[.]comMalicious Domain
anazsm[.]comMalicious Domain
singpirt[.]comMalicious Domain
hkpoivt[.]comMalicious Domain
hkpoiat[.]comMalicious Domain
hkpoiec[.]comMalicious Domain
hkpoieq[.]comMalicious Domain
foodpre[.]comMalicious Domain
likntbl[.]comMalicious Domain
gobmxp[.]comMalicious Domain
xwssr[.]xiewen[.]xyzMalicious Domain
ssr[.]xiewen[.]xyzMalicious Domain
xiewen[.]xyzMalicious Domain
cloud[.]thexw[.]cnMalicious Domain
ssr[.]thexw[.]cnMalicious Domain

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Phishing for Profit: Business Email Compromises

Posted on by darklabhk

There are plenty of phish in the sea and they’re back with new tricks! Dark Lab responds to multiple business email compromise campaigns targeting Hong Kong. We outline two recent incidents, sharing the Tactics, Techniques, and Procedures (TTPs) observed, and recommendations on how to prevent, detect, and respond to a phishing attack.

Business email compromise (BEC) is a social engineering attack which broadly refers to a malicious threat actor attempting to defraud organisations by hacking into their email accounts and impersonating employees and third parties. These phishing attacks have existed for many years, though remain prevalent due to their ability to continuously illicit emotional reactions of victims, thereby triggering an unintended response such as performing actions that lead to undesirable consequences. This is further exacerbated by the fact that BEC attacks typically yield a high return on investment given the low cost of setup and ability to scale operations globally.

The impact of BEC attacks are most evident in the amount of reported losses. The Federal Bureau of Investigation (FBI) reported that BEC attacks amounted to a staggering US$43 billion financial loss globally between 2016 to 2021.[1] Meanwhile, the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) reportedly handled 3,737 phishing incidents in 2021, which represented almost half of the total reportedly handled incidents and was up 7 percent from 2020, rising for the fourth consecutive year.[2]

PwC’s Dark Lab also responded to an increased number of BEC campaigns in 2022. Two particular incidents stood out for their automated “spray and pray” approach to achieve initial access, followed by performing calculated and stealthy manual actions to persist in the Microsoft 365 environment to facilitate ongoing reconnaissance with the aim of effectively impersonating their victim to convince other staff members to approve fund transfers to the threat actor’s bank account. We elaborate the tactics, techniques and procedures (TTPs) that these threat actors leveraged and provide our recommendations on how to prevent, detect, and respond to BEC attacks should they befall your organisation. We further examine the rising trend of phishing kits in large scale phishing operations, enabling low-skilled threat actors to develop compelling phishing campaigns and bypass multi-factor authentication.

Case Study: Global Campaign by Opportunistic Cybercriminal of Unknown Origin

PwC’s Dark Lab responded to an incident in 2Q 2022 that involved a local property investment, management, and development company. The victim’s Microsoft Office 365 account was compromised via a phishing email from the sender domain macopas[.]com, with a link re-directing the victim to a fake Outlook login portal developed and hosted by the threat actor. To convince the victim to provide their password, the Outlook page pre-populated their email address. Given the victim’s mailbox did not have multi-factor authentication (MFA) enabled, the threat actor could obtain full access to the mailbox with a valid password.

The threat actor proceeded to perform three (3) manual actions to persist in the environment and gain more insights on the business operations while remaining hidden. First, the threat actor created various mail rules for moving and/or deleting emails with keywords associated with the threat actor’s access activities. Second, the malicious billing email was sent directly from the victim’s mailbox to various internal staff. Third, a malicious Azure enterprise application named “Newsletter Software SuperMailer” was created by the victim’s account for persisted access; this was particularly useful as the threat actor successfully performed re-logon to the compromised account even after the password was updated. The threat actor was only denied re-entry after MFA for the victim’s mailbox was enforced.

Through review of the available logs, we were able to observe through email trace that the attacker-controlled IP address delivered the same phishing emails to over three hundred (300) addresses of the victim organisation in alphabetical order. Meanwhile, we discovered through open-source information that similar emails had been sent to at least twenty (20) additional organisations globally. Combined with the fact that the threat actor was observed to only perform the first login two days after the password was inputted suggested they spent time to retrieve, study, and utilise their haul of phished credentials. These indicators and behaviour are more reflective of an opportunistic “spray and pray” campaign given the lack of urgency to quickly establish persistence. This is also evident in the end-to-end incident period lasting just under ten (10) days.

Case Study: Nigerian Cybercriminals Exploit Trusted Relationships with Hong Kong Branch Employee to Commit Cyber Fraud

PwC’s Dark Lab responded to a second BEC incident in 3Q 2022 involving a Chinese e-payment terminal solutions service provider with global operations. Similar to the case above, MFA was not enabled, and the threat actor was observed to host phishing domains imitating the Outlook login portal, enabling the threat actor to obtain initial access with valid credentials. This case left a lasting impression for three reasons.

First, the threat actor spent up to three (3) weeks familiarising themselves with ongoing operations by logging in remotely from multiple geolocations (including United States, Australia, Germany, and Nigeria) and modifying various mail rules and contact lists before executing their attack. The inbox rules hide emails specific to the transaction being targeted (e.g. emails from the legitimate parties, emails with transaction references numbers or bank accounts in the body). The emails are moved to a lesser viewed “RSS Feeds” folder with “Mark as Read” enabled in attempt to hide legitimate emails from the victim’s sight.

Second, the threat actor registered a new domain to impersonate the victim in Hong Kong to send emails to European counterparts . Notably, the threat actor embedded their phishing emails within existing conversations – an evasive tactic to exhibit legitimacy by using conversations with established trust. One of the seven (7) phishing emails contained a malicious link (secure[.]membra[.]co[.]uk) that appeared “clean” as it had not been reported as suspicious. However, through deeper inspection we observed the underlying IP address (45[.]153[.]240[.]153) was reported to be malicious, previously associated with other subdomains mimicking as the Microsoft O365 login page, likely used for global phishing campaigns.

Associated domains – likely past phishing campaigns
login-mso[.]cscsteelsusa[.]com
ogin-mso[.]cscsteelsusa[.]com
wwwoffice[.]cscsteelsusa[.]com
login[.]cscsteelsusa[.]com
Live Screenshot (as of 6/10/22) of login-mso[.]cscsteelsusa.com

Third, the threat actor practiced poor operational security including the inconsistent use of a virtual private network (VPN); as a result, they may have potentially disclosed that they operate out of Nigeria. While none of the Nigerian IP addresses were reported as malicious across various open-source security tools, Nigeria has been widely reported by security researchers to be a hotspot for cybercrime activity related to business email compromise attacks.[1] Overall, based on the investigation on open-source platforms leveraging the indicators of compromise from the incident, we conclude with high confidence that the incident was part of a larger-scale mass phishing campaign that opportunistic cybercriminals – likely out of Nigeria – conducted without the intention to target a specific sector or country, and with the motivation of transferring illicit funds to fraudulent bank accounts for financial gain.

Nigerian IP addresses
41[.]184[.]152[.]104
41[.]217[.]70[.]163
154[.]118[.]65[.]105

Phishing Kits bypass MFA

PwC’s Dark Lab observe the prevalent development of phishing kits (also known as adversary-in-the-middle (AiTM)), with over 10,000 organisations targeted by phishing kit attacks since September 2021. AiTMs provide a phishing toolkit as a service for attackers with low technical skills to execute a convincing phishing attack. AiTM phishing kits are easily accessible for attackers on the dark web with various open-source phishing kits available, including prominent providers Evilginx2[4], Modlishka[5], and Muarena[6].

AiTM phishing sites exercise a strong capability, as they enable attackers to deploy a proxy server between a target user and the website the user is attempting to visit – intercepting the connection by redirecting to the attacker’s phishing site. By targeting the authentication token, rather than raw credentials and/or MFA tokens, the phishing kit enables the attacker to steal a fully authenticated session from the victim, effectively bypassing MFA.[7]

As the trend of MFA enforcement by organisations and individuals continue to rise, it is expected that phishing campaigns will move away from traditional phishing methods towards the use of AiTM to overcome the barrier that MFA presents. As threat actors evolve to find innovative ways to circumvent controls and lower the barriers to entry, it becomes even more important for defenders to keep pace with these trends and understand how to prevent, detect, respond, and recover from such attacks.

Conclusion

As evidenced in both case studies, threat actors orchestrating large scale phishing campaigns pose a significant challenge for targeted victims. This can be observed in the actors’ willingness to wait up to three (3) to four (4) weeks before taking action, using the buffer period to build a strong understanding of the victim’s processes to effectively imitate their victim and evade suspicion.

In both cases, we observed oversights in the victim organisations’ security stance which ultimately resulted in their exposure to a BEC attack. In both cases, if multi-factor authentication (MFA) had been enabled, this could have prevented the threat actor from gaining access. Similarly, had the second victim organisation established rules to detect abnormal logins, such as flagging an IP address for suspicious activity if observed to have multiple geolocations over the span of a week, the organisation could have detected the suspicious activity at an earlier stage and prevented further action.

To effectively protect against phishing and BEC attacks, it is vital that organisations enforce a layered defense strategy – combining robust preventative measures with intuitive detective protocols.

Recommendations

While phishing legitimate brands and business email compromises will remain a problem, companies can take action to mitigate and prevent the threat they pose.

  • Enhance security controls by establishing procedures in defining “significant” financial transactions and their respective handling procedures, for example automatic bank notifications for outbound transaction verifications and mandatory out-of-band verifications of bank account changes.
  • Develop and exercise a layered defense strategy, incorporating well-defined preventative and detective measures.
  • Organisations should review their Microsoft 365 configuration and update their email security solutions and network devices (including external firewall, web proxies).
  • Implement conditional access rules configuring with Geo-location/IP address restriction to reduce the risk of unauthorised overseas access to O365. For example, a regular review of authentication records for key financial staff members (i.e. Chief Financial Officer, Financial Controller, etc.)
  • Organisations should establish rules to restrict unauthorised devices from accessing company resources. For example, enforcing limitations on what devices can access company resources and creating onboarding procedures to enrol authorised devices, such as an employee’s personal mobile phone, before they are able to access company resources.
  • Enforce strong multi-factor authentication (MFA), such as number matching, for all users.
  • To protect against AiTM attacks, it is advised that organisation implement a layered defense strategy that incorporates MFA in conjunction with various preventative and defensive measures. This includes implementing MFA that supports Fast ID Online (FIDO) v2.0 and certificate-based authentication, enabling conditional access policies, and continuous monitoring for abnormal activities.
  • Implement periodic checking process to detect suspicious behaviour such as abnormal logins, mailbox rules, email forwarding rules, and application consent activities.
  • Organisations should conduct young domains monitoring and alert against potentially suspicious domains for further action (e.g., domain takedown). This task is typically conducted by our Security Operations Centre for subscription clients, and supported by our Cyber Threat Operations function which includes the Threat Intelligence and Incident Response pillars.
  • Conduct regular awareness training to educate the workforce on how to detect suspicious activity, highlighting new TTPs and clear warning signs, and provide clear instructions on the steps to take if they believe they have been targeted by a phishing email. Awareness training can also be completed in the form of phishing simulations to test employees’ susceptibility to phishing emails and fraud (i.e. simulate a sudden change of bank account information to determine if the relevant team detects the unusual behaviour and responds accordingly).
  • Users should remain wary of the legitimacy of webpages and their branding, and access websites via the global webpage as opposed to the URL shortened link if in doubt. BEC-impacted companies should issue circulars and alerts as necessary when impersonation attempts are detected .
  • We further advise organisations to establish a O365 mailbox rule to detect inbound/outbound traffic from the malicious IP listed in our Indicators of Compromise (IoC) section.

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques elaborated from the incident.

  • Acquire Infrastructure: Domains – T1583.001
  • Virtual Private Server – T1583.003
  • Botnet – T1583.005
  • Compromise Email Accounts – T1586.002
  • Phishing – T1566
  • Spear Phishing Link – T1566.001
  • Trusted Relationship – T1199
  • Email Hiding Rules – T1564.008
  • SharePoint – T1213.002
  • Remote Email Collection – T1114.002

Indicators of Compromise (IoCs)

IndicatorType
www[.]yinqsite[.]comKnown bad domains
login-microsoftonnex-mso[.]yinqsite[.]comKnown bad domains
yinqsite[.]comKnown bad domains
ogin-mso[.]wonjiinco[.]coKnown bad domains
glprop-okta-2f0bc4a0[.]wonjiinco[.]comKnown bad domains
stscn-lenovo-c9b8a5aa[.]wonjiinco[.]comKnown bad domains
msaauth-msasafety-95cce817[.]wonjiinco[.]comKnown bad domains
sts-glb-nokia-a6db40b3[.]wonjiinco[.]comKnown bad domains
sts-posteitaliane-694c6373[.]wonjiinco[.]comKnown bad domains
gas-mcd-37816100[.]wonjiinco[.]comKnown bad domains
login-mso[.]wonjiinco[.]comKnown bad domains
wonjiinco[.]comKnown bad domains
ogin-mso[.]cscsteelsusa[.]comKnown bad domains
wwwoffice[.]cscsteelsusa[.]comKnown bad domains
login[.]cscsteelsusa[.]comKnown bad domains
sts01-nestle-382a43f3[.]cscsteelsusa[.]comKnown bad domains
stscn-lenovo-a3ae4e78[.]cscsteelsusa[.]comKnown bad domains
fs-ncoc-a241b101[.]cscsteelsusa[.]comKnown bad domains
login-mso[.]cscsteelsusa[.]comKnown bad domains
www[.]cscsteelsusa[.]comKnown bad domains
kolroff[.]comKnown bad domains
xsbrane[.]comKnown bad domains
cscsteelsusa[.]comKnown bad domains
belasting-betalen[.]financeKnown bad domains
domain macopas[.]comKnown bad domains
95[.]216[.]126[.]229IP address
15.204.25.141IP address
Newsletter Software SuperMailerEnterprise application created by threat actor
45[.]153[.]240[.]153IP address
185[.]54[.]228[.]88IP address
185[.]202[.]175[.]6IP address
103.231[.]89[.]230IP address
41[.]184[.]152[.]104IP address
155[.]94[.]141[.]30IP address

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Smells SMiShy to me…

Posted on by darklabhk

Macau SMS Phishing Unveils Threat Actor Close to Home

On 2 March 2022, Darklab observed SMS phishing (smishing) activity targeting mobile users in Macau. The message masqueraded as the courier service DHL delivering a package to the victim. The intended purpose was to steal victims’ credentials, personally identifiable information (PII), and credit card details.

Smishing campaigns via the fraudulent use of the DHL brand is far from uncommon.[1] Indeed, the Macau Polícia Judiciária issued a notice on 24 February 2022 to warn citizens about fraudsters masquerading as counterfeit courier companies to trick victims into providing their personal information.[2]

However, we were interested in this case as the threat actor behind it had also registered several fake domains masquerading as other reputable companies in Hong Kong and Singapore, such as Hongkong Post and Singapore Post. While we are used to phishing and smishing campaigns globally, when this happens in our virtual backyard it draws our attention as it can pose a real threat to users in Hong Kong, Macau, and Singapore.

Smishing Incident in Macau

The initial malicious SMS message came from a sender named INFO. Recipients are requested to click the provided hyperlink to reschedule the package pick-up date and time as the previous attempt was not delivered successfully.

Figure 1 – Initial SMS phishing message sent to the victim
Figure 2 – Image displaying the fraudulent delivery status

Once the victim has opened the link, a page appearing to be the Hong Kong DHL Express displays a phony delivery schedule page with free text fields that the recipient is supposed to complete to schedule a delivery time. Information requested includes user’s full name, contact number, residential address, city, and postal code.

Figure 3 – image of the phony page requesting the victim into inputting their credentials

After inputting the personal information and clicking the submit button, the victim is redirected to another page that requires them to select their preferred delivery option.

Figure 4 – fraudulent DHL HK page asking victims to proceed to the payment card page

Upon selecting the preferred delivery option, the fraudulent DHL HK site requests for the victim to input financial information, including name, credit card number, expiration date, and CVV number. Once in possession of users’ payment card details, criminals can resell them online or conduct financial fraud themselves.

Figure 5 – Final page designed to capture the victims’ credit card details

Something Smelt Smishy…

The risk of smishing has increased at an alarming rate as a result of the Covid-19 pandemic. While this is not entirely a new trend, we observed that the messages are becoming increasingly deceptive as they look to trick victims into providing their personal information.

What threw us off was the fact that the URL within the smishing text redirected users to the URL hongkong-post[.]net/918srx, which was a Russian IP address – 31[.]28[.]27[.]151 – hosting the fake DHL site. The same IP address also hosted the domain dhl-post[.]hk.  Both malicious domains and their associated SSL certificates were created after 28 February 2022, just a few days before the beginning of the smishing campaign.

Additionally, hongkong-post[.]net had mail exchanger (MX) records, which suggested the threat actors’ intent to send and/or receive emails.[3] We also saw MX records for another domain, singapore-post[.]com, hosted on the same IP address and created on 7 March 2022. Overall, the existence of young domains with MX records mimicking legitimate brands is a strong indication of likely phishing intent, which security teams should be monitoring for.

The historical WHOIS lookup for the domains revealed that the registrar company is NiceNIC INTERNATIONAL GROUP CO., LIMITED (NiceNIC.NET) based in Hong Kong.[4] While pivoting through the Registrar Name and NiceNIC.NET’s Chinese company name “耐思尼克國際集團有限公司”, we observed 21 additional domains associated with this registrar as of 8 March 2022. At least four of the domains (xjam[.]hk, canadahq[.]hk, kaddafi[.]hk, and aij[.]hk) were flagged by security scanners as likely malicious. Furthermore, there were newly registered domains (aididas[.]com[.]hk) that were not yet flagged by security scanners, though strongly looked like a fraudulent website.

Meanwhile, we also observed that canadahq[.]hk had relation resolutions to a known bad Russian IP address 185[.]178[.]208[.]186, which hosted files to download the Trojan “Win32.Trojan.Raasj.Auto”. This Trojan was first observed in 2017 per various open source threat exchange platforms[5], and there are various web posts elaborating the various impacts to the victim.

In one instance, the Trojan is elaborated to have performed as the spyware that steals sensitive information such as credit card details and passwords for sale and profitability.[6] On the other hand, the Trojan was deemed to have been altered and linked to the “Trojan-Ransom.Win32.Shade.Ino” ransomware that cybercriminals deliver via phishing emails to conduct online frauds. The ransomware ciphers documents on the hard drive and prevents normal access to the victim’s workstation, with a ransom note locatable on the local drive upon reboot that demands payment to decipher the data.[7] A third web post noted that the “Win32.Trojan.Raasj.Auto” Trojan would hijack victims’ web browser to cause web redirection issues, and slow down the overall System and Network performance speed.[8]

Overall, the links to relatively low level malware suggests a financially motivated campaign spanning multiple years and only recently focusing on Hong Kong and South East Asian targets.

Figure 6 – Pivoting out from 耐思尼克國際集團有限公司 to identify further known-bad malicious domains and IP addresses, along with the Trojan “Win32.Trojan.Raasj.Auto

Conclusion

Through a Macau smishing campaign, we were able to uncover a wider campaign targeting Hong Kong, Macau, and Singapore and involving a network of malicious Hong Kong domains registered by the same local registrar. A specific domain had a resolution history to a Russia-based IP address reportedly linked to Trojans used since at least 2017, suggesting it was likely rented by or associated with multiple cybercriminal threat actors. Our assessment is reinforced by the fact that the original domain exploited for smishing, dhl-post[.]hk, was hosted by a Russian server, which is a relatively rare occurrence in Hong Kong.

Recommendations

While phishing and smishing abusing legitimate brands will remain a problem, companies can take action to mitigate and prevent the threat they pose.

  • Organisations should update their email security solution and network devices (including external firewall, web proxies) to detect for potential inbound/outbound connections from the known-bad domains and IP addresses in this post.
  • Users should remain wary of the legitimacy of webpages and their branding, and access websites via the global webpage as opposed to the URL shortened link if in doubt. Impacted companies should issue circulars and alerts as necessary when impersonation attempts are detected.
  • Organisations should conduct young domains monitoring and alert against potentially suspicious domains for further action. This task is typically conducted by our Security Operations Centre for subscription clients. We have already informed both DHL and Hongkong Post to investigate, and if necessary perform takedown of fake domains dhl-post[.]hk and hongkong-post[.]net.
  • Registrars should enhance their onboarding due diligence to reduce the risk of provisioning of domains impersonating legitimate brands, and should regularly reviews activities of those domains to ensure their use for ethical and non-malicious activities.

MITRE ATT&CK TTPs Leveraged

  • Initial Access: Phishing (T1566)
  • Initial Access: Phishing: Spearphishing Link (T1566.001)
  • Execution: User Execution (T1204)
  • Credential Access: Input Capture – Web Portal Capture (T1056.003)
  • Collection: Input Capture (T1056)
  • Collection: Browser Session Hijacking (T1185)
  • Exfiltration: Automated Exfiltration (T1020)
  • Impact: Data Encrypted for Impact (T1486)
  • Impact: Account Access Removal (T1531)
  • Impact: Endpoint Denial of Service (T1499)

Indicators of Compromise (IOCs)

• hxxps://hongkong-post[.]net/e/authID=UEjJc/tracking.php?sessionid=4g3ihd1ej09+6b+27fc58arSZF+27+5p9Ba8+D6Y+Gg3ok+4+1uIEOgCLfMSPmNKwbHwTAaX+J42951997505
• dhl-post[.]hk
• hongkong-post[.]net
• singapore-post[.]com
• xjam[.]hk
• canadahq[.]hk
• kaddafi[.]hk
• aij[.]hk
• aididas[.]com[.]hk
• 31[.]28[.]27[.]151
• 185[.]178[.]208[.]186

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.