This is a blog on some of the latest phishing threats that are out there and ones I have recently, personally experienced and reverse engineered.
On 1 May I received this SMS text:
To me, it was quite clearly a phish, as I'm not with HSBC, however, someone who is may have been easily fooled. The trick the phishermen used here is via a subdomain. Average users may be able to recognise their usual bank domain and feel safe. However, the threat actors who sent this to me could use a domain like 'digitalbanking.com' (which is for sale) and simply insert my bank's full URL as a subdomain - making it quite convincing. Plus, they can add a free digital certificate from Let's Encrypt CA to give it HTTPS and now we have a pretty convincing phish.Just received this: (1 May)— Will | BushidoToken 👁🗨 (@BushidoToken) May 1, 2020
http://security[.]hsbcuk[.]confirm-securekey[.]com@HSBC_UK #phishing #smishing
(I’m not with HSBC) pic.twitter.com/HU3sqBlPhz
I chucked the domain into VirusTotal and found it's IP address, along with a few other phishing URLs that contact it. It appears Nationwide and HSBC customers are targeted:
You can view for yourself here: https://www.virustotal.com/gui/ip-address/126.96.36.199/relations
On 28 April I received this email:
This phish was a little more cunning as it used a hyperlink on the text (support.apple.com) which was actually a shortened URL. It uses an Indonesian service similar to Grabify that logs your IP address, geo-location, and user-agent. I searched online to see if anyone had received an email from the same sender and found a few posts on Apple forums as far back as December 2019. They also rightly pointed out that Apple will never send you a PDF - don't open it or click on the link!Another classic @Apple #phishing scam:— Will | BushidoToken 👁🗨 (@BushidoToken) April 30, 2020
- Email arrives from web[.]appsupport[.]com saying “someone may have accessed your account”
- PDF with a malicious link that looks like support[.]apple[.]com or appleid[.]apple[.]com but takes you to s[.id] instead.https://t.co/VodGCl6pte pic.twitter.com/jq7PEvavdz
I put the link in VirusTotal and found 33 other phish with similar URLs that were likely used in the same campaign. I added them to my OTX feed here.
Who's behind all this phishing?
Well, I can't say who is behind these exact phishing emails and texts, but there is one cybercriminal gang which is responsible for hundreds of thousands around the world. The gang, also known as the IndonesianCyberArmy, produces and sells '16Shop' phishing kits which are sold as-a-service. Aspiring cybercriminals can buy the 16Shop kit, pick a target or brand and immediately begin phishing. Instructions and guidance will be provided by the gang, as with many Malware-as-a-Service offerings.
The @phishingreel bot on Twitter provides detection of commercial phishing kits, with 16Shop featuring heavily. (source)
@JCyberSec_ has also produced an insightful 16Shop Intelligence Thread here:
The @phishingreel bot on Twitter provides detection of commercial phishing kits, with 16Shop featuring heavily. (source):: 16Shop Intelligence Thread ::#16Shop is a prolific and one of the first #Phishing-as-a-Service (PaaS) offerings.— Jake (@JCyberSec_) April 30, 2020
⚠️This is an intelligence thread on notable elements of the kit, the operation, how to test and detect the scam.#THREAD pic.twitter.com/mTFeByFx5a
How phishing is evolving:
Newer phishing campaign are becoming even more advanced that actively block security tools from detecting the landing pages and leverage custom targeting lists.
@MalwareTraceKr uncovered a new Korean SMiShing campaign which uses a database of phone numbers (likely stolen) that only permits the recipients from downloading the malware. This means if a security researcher wants to view the content, they need to have a phone number which is present in the database. This means campaigns can carry on for longer, before a sample can be analysed and it can be stopped. (source)
Researchers at Barracuda have also discovered cybercriminals deploying Google’s reCAPTCHA anti-bot tool in an effort to avoid early detection of their malicious campaigns. (source)
I predict that SMiShing campaigns will eventually overtake traditional email campaigns as more users move towards mobile and tablets only, leaving desktops and laptops behind. Instant messaging apps like WeChat (Weixin) has replaced email almost entirely in China and they are seeing more mobile-based threats because of it.
In the Western hemisphere and across EMEA countries, email does appear to show signs of slowing with collaborative apps like Microsoft Teams and Slack taking over, as well as video conferencing software like Zoom. This has been spurred on due to lockdown during the coronavirus pandemic.
For now though, email is still an effective communication method that is still used professionally. Although, the FBI's IC3 report for 2019 found that businesses lost an estimated $1.7 billion from BEC attacks. This may help shape future IT department budgets and encourage the move away from email.
Subscribe for more blogs 🙂