cybersecurity, phishing

Looking at a Voicemail Phishing Campaign – June 2020

Posted by Jackson Nestler

Abstract

I wanted to share some IOCs I had found recently about a phishing email claiming that the user has a new voicemail. I am totally open to feedback; this is my first-time sharing research. As always, I am speaking on behalf of myself and not my employer nor my employer’s customers; all IOCs were found on my own time and are not endorsed by my employer.

Initial Sample

A phishing email was making its rounds and I gained access to a sample. After digging around on Joesandbox and Hybrid-Analysis, I found that this is a recurring campaign that is affecting a lot of organizations, both inside the US and outside.

The attacker sends an email whose subject is “Voicemail” (as written), and a link to what appears to be a voicemail.

(Begin screenshot)

(End screenshot)

In the space I marked, the following image is included:

(Begin screenshot)

(End screenshot)

That hyperlink goes to what seem to be compromised domains. They are legitimate domains that have a flaw that allows the attackers to upload arbitrary files. For example, a Brazilian family law firm is serving the phishing kit in a directory a few levels deep. I have been unable to find a solid correlation between the web servers to isolate the possible exploits the attacker is abusing. Some are CMS-based, others are simply web servers whose permissions permit file uploads.

Analysis

Samples always include “NewAudioMessage” in the HTML file that is uploaded to sandboxes. I am not sure where that shows up, perhaps it’s in the title of the webpage?

In addition, this campaign is on-going, so samples are being uploaded to Joesandbox and Hybrid-Analysis often:

Common Traits

Each domain/URL seen had characteristics that were identical across one another. This further suggests that this phishing kit is used by the same actor or is available for sale on “blackmarkets” for cyber criminals.

  • While the domain changes, it is always a Microsoft phishing page. I have not observed GSuite phishing attempts from this same actor.
  • The HTML page that’s loaded is obfuscated (using JavaScript’s deprecated “unescape()” function)
  • A few legitimate domains are contacted. The attacker is using the legitimate assets that MSFT provides (JavaScript, pngs, etc.)
  • A lot of random noise is generated. In a single sample, the web page made DNS queries for Twitter, Amazon, Facebook, NYTimes, and Reddit. The pages requested were always the home pages and occurred at random intervals during the analysis.
    • These queries were made in such close succession that it is highly unlikely a user legitimately opens that many different websites that quickly.
    • Verified by running a sample in Joesandbox with no human interaction, and those domains were still contacted.

Legitimate Domains Contacted

  • cdnjs.cloudflare[dot]com is contacted; I assume the attacker is using CloudFlare to mask their collection server’s IPs, and they are delivering JS over CloudFlare to make it near impossible to block.
  • At least four legitimate MSFT domains are also contacted: “login.microsoftonline[dot]com“, “aadcdn.msftauth.net“, “aadcdn.msauth[dot]net“, and “secure.aadcdn.microsoftonline-p[dot]com
    • I ran a packet capture on a clean VM with host-only access for 24h to see how often it tried to contact these domains; each were contacted no less than 15 times. I have no reason to believe they are malicious.
  • code.jquery[dot]com is jQuery’s CDN, another impossible-to-block domain.

IOCs

Please review the list of the following IOCs. These are a subset of “all” IOCs associated with this campaign. The rotation of domains makes it especially difficult to track from organization-to-organization, and constantly changes this IOC list.

Domains

I have gone through some of the Joesandbox and Hybrid-Analysis reports and assembled a list of domains that appear to be compromised/abused, and that I believe most organizations should have no need to access. Please review the entries for any that may affect your organization’s on-going operations. Simply Googling these domains will often lead to many URLScan/AlienVault OTX/Joesandbox/etc. results where these domains are contacted.

DomainNotes
linebargain[.]comHas an open directory with “next.php” and “test.php.” The “test.php” file seems to be an email form that may send the contents of the textbox to the attacker.
xcfd54dcx-delightful-wallaby-gv.us-south.cf.appdomain[.]cloud(Randomly generated?) domain name for a customer on IBM’s cloud. Index is a “Hello World” page.
bestnewsworld[.]infoMany results by Googling the domain, but is found in several AlienVault OTX “Pulses.”
newof9a.bestnewsworld[.]infoSubdomain of the previous.
blumenauto.com[.]brBrazilian car dealership that previously delivered phishing pages.
monogrambd[.]comPossibly typo-squatting of “monogram.com”, which sells kitchen appliances. Page previously served a phishing page. Google Safe Browsing warning is posted, and the web hosting account is suspended.
ezzhelmy[.]comGoogle Safe Browsing flagged this domain. Previously served a phishing page.
d26p066pn2w0s0.cloudfront[.]netAWS CDN domain, highly negative reputation. May cause collateral damage by blocking, but negative reports are overwhelming.
santoropopper.adv[.]brBrazilian law firm, serving a phishing kit and receiving the credentials of victims that fall for the phish.
sanketindia[.]inIndian online tech shop. Previously served a phishing page but has since been removed.
mastramix[.]comBosnian cleaning company that was compromised and served the phishing kit.
cs1227.wpc.alphacdn[.]netAnother CDN with negative reputation. Be aware of collateral damage.
URLs that were noted in my small sample set.

Phishing Email Elements

  • Subject is always “Voicemail” (as written, no quotes).
  • Typically comes from a trusted sender.
    • Once an account is compromised, it starts spamming anyone it has sent emails to or received emails from with the phishing link.
  • The png file shown in Initial Sample is most often named “image02.png”, suggesting it may be inserted after any (legitimate) email signature image is placed.
  • A compromised domain is usually only used once per-victim-organization. Organization A will typically have a different domain hyperlinked to that png than Organization B does, and Organization C will have a different domain than A or B, etc.
  • Some organizations have noted that a compromised user will continue to send phishing emails after a password reset. This is likely due to custom tasks in Outlook.
  • An organization name will precede the HTML file name, and that is seen in the samples uploaded to public sandboxes. I am not sure if the organization name is who is being phished, or the domain that is hosting the phishing kit.
  • Interestingly, the URLs that the victim clicks on seem to autofill the victim’s first + last name and their email domain. If not that, the domain is always filled. You can see this in the “Example URLs” section below.

After-Click Actions

Once the user has clicked on the attacker’s link, the user is redirected to a page that says they will be redirected to their voicemail message within five seconds. The HTML document artificially loads for five seconds, then redirects the user to one of the phishing page URLs (examples shown below). The webpage will artificially “refresh,” giving the user the impression that something was loading in the background.

An annotated copy of the above described process and analysis is available on my GitLab repository.

Example URLs

These URLs are defunct and no longer seem to serve the phishing content but are included to show the ways by which usernames may be passed in the URL. They are sanitized to protect the users and organizations who were affected.

These URLs are all from the same sample on Joesandbox. This leads me to believe that the attacker is using multiple domains to send parts of the gathered credentials back. For example, the first URL may send the username/full name, and the second may send the email address.

URL
https://chillicarrot.com/ztee/Azure2020/realm/send.php?user=
https://rental-room-yokohama.com/office.php?email=
https://sanketindia.in/ztee1/117-Crl.html#firstname.lastname@domain.tld
This table demonstrates some of the URLs that were previously used by this attacker.

Downloadable Lists and IDS Rules

I’ve added all the domains I’ve observed in this activity to my GitLab repository. You can find the IOC lists in varying forms (CSV, txt, STIX, MISP, etc.) as well as IDS signatures/rules. The folder will be updated over time as I come across more domains.

Technical Recommendations

  • Block the domains at the firewall and add them to IDS signatures.
    • Consider subscribing your IDS/firewall to AlienVault OTX pulses, if possible. I found that many domains I came across were already in OTX pulses.
  • Add organization-specific branding to identity providers. Educate employees on this change as a means of user awareness training and phishing prevention.
  • Consider checking HaveIBeenPwned for your domain, and/or subscribe for email notifications when users are found to be breached.
    • Domain search utility – must be able to prove domain ownership. You may receive an email, insert a meta tag to your web page, upload a file, or create a DNS TXT record for verification.
  • Clear custom tasks for users that are suspected of being compromised.
  • Enroll users in MFA.

Employee Training Recommendations

  • If used, remind employees to look for your organization’s logo on sign-in pages.
  • Demonstrate to employees how to tell the difference between an attachment in an email, and an image in an email.

Conclusion

This is a standard phishing campaign but is known to be affecting many public and private organizations within Arizona and the United States, as well as outside the US. Similar attacks have been cataloged before [1], [2], [3], but the M.O. is different in the current campaign (notably the lack of OneDrive/OneNote as a delivery mechanism).

I hope this is helpful for you and your colleagues; please feel free to share with a TLP: WHITE notice. I am hoping to write another blog post on this topic soon, with some more details and hopefully a better understanding of the lingering questions.

My blog and portfolio have recently been constructed, with this report being my first blog post! I appreciate your time; if you would like to send me feedback, please use the “Contact” button on my website.

Special Thanks

I’d like to extend a special thank-you to these individuals for their help with my first report and blog post. If this post interested you, please take a moment to review their works, I think you’ll be interested in theirs as well!

@Retro64xyz for guiding me to understanding that this is information worth sharing, and suggesting platforms for me to share this data.

@Libra for reading through this post and suggesting some very helpful structural changes, and answering my questions about how to format IOCs for distribution.

Leave A Comment