CrowdStrike recently conducted an investigation for a client operating in the healthcare sector that was subject to an ongoing phishing scam focused on harvesting credentials for cloud email providers such as Google (Gmail), Yahoo, and Hotmail. The client asked CrowdStrike to investigate the incident in order to determine whether there was a legal obligation to report the theft of customer financial or personally identifiable information. From a technical perspective the campaign initially seems unsophisticated; however, analysis of their tradecraft shows that the attackers have architected a phishing campaign with an enduring strategy that evolves faster than domain registrars and defenders can track. Your mission, should you choose to accept it, is a two-part series: first, CrowdStrike’s research into the phishing campaign; second, the forensic analysis and investigative techniques used to investigate the activity using cloud resources.
While technically unsophisticated, this campaign is remarkably effective at harvesting credentials for the purpose of conducting financial fraud. The campaign begins with a phishing email disguised as a DocuSign document awaiting signature; the subject line in our most recent case was “*Please DocuSign this document ~ Signed Agreement ~11/25/2015.pdf*.” Once the user follows the link, he or she is redirected to an unencrypted (plain HTTP) web page that resembles an official login page.
Once at the page, the user enters his or her credentials, which are posted to a server-side handler behind the form that is not reachable externally. So as not to arouse the suspicion of the unwitting user, after the credentials are collected the user is redirected to a legitimate web page in line with the theme of the campaign, in this case DocuSign.
You’ve been had… So what?
Domains used in an overt campaign like the one described here are unlikely to survive longer than the first round of phishing emails unless the attacker can stay on the move. So while technically unsophisticated, the adversaries employed the type of intrusive tradecraft needed to keep their scam on the run from investigators and continue their credential collection operation. CrowdStrike examined three domains linked to the campaign. The first domain, “confidentialfolder.net,” was registered on November 23, 2015, just two days before our client received the phishing email as part of a larger campaign. Five days later, on November 30, 2015, new domain infrastructure was registered using our client’s personal information. Rapidly transitioning domain names, infrastructure, and registrant data circumvents reputation databases and security technology, allowing these phishing domains to stay alive just long enough to ensnare a few victims before moving on.
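The two-day gap between registration and first use is itself a detectable signal: a link whose registrable domain was created days before the message arrived deserves a second look regardless of reputation-list status. The following is an added example (not CrowdStrike’s tooling or code from the original post) of that triage heuristic. The WHOIS creation dates and the lure body are constructed sample data; in production the `lookup_created` function would be backed by a real WHOIS or RDAP client, and `registrable_domain` would use a public-suffix list rather than the naive last-two-labels rule shown here.

```python
"""Flag links in an email whose domain was registered only days before the message arrived."""
import re
from datetime import date

# Constructed WHOIS-style creation dates for this demonstration (not registrar output).
# The first date mirrors the post's timeline; the other two are hypothetical.
SAMPLE_WHOIS_CREATED = {
    "confidentialfolder.net": date(2015, 11, 23),
    "consultwing.com": date(2013, 10, 7),
    "example-legit.net": date(2005, 1, 1),
}

# Constructed lure body, modeled on the DocuSign-themed subject in the post.
SAMPLE_LURE = (
    "Please DocuSign this document ~ Signed Agreement\n"
    "Review and sign: http://docs.confidentialfolder.net/sign/view\n"
    "Need help? https://www.example-legit.net/support\n"
)

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def extract_hosts(body):
    """Return the unique hostnames found in http(s) URLs, in order of appearance."""
    hosts = []
    for host in URL_RE.findall(body):
        host = host.lower().rstrip(".")
        if host not in hosts:
            hosts.append(host)
    return hosts


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Use a public-suffix library for co.uk-style TLDs."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookup_created(domain):
    """Stand-in for a WHOIS/RDAP lookup; returns a date or None if unknown."""
    return SAMPLE_WHOIS_CREATED.get(domain)


def assess_domain(domain, seen_on, max_age_days=30):
    """Compare domain age at the time the message was seen against a threshold."""
    created = lookup_created(domain)
    if created is None:
        return {"domain": domain, "age_days": None, "verdict": "unknown"}
    age = (seen_on - created).days
    verdict = "suspicious" if age <= max_age_days else "aged"
    return {"domain": domain, "age_days": age, "verdict": verdict}


def triage_email(body, received_on, max_age_days=30):
    """Assess every linked domain in an email body; returns one record per domain."""
    results = []
    for host in extract_hosts(body):
        results.append(assess_domain(registrable_domain(host), received_on, max_age_days))
    return results


if __name__ == "__main__":
    for record in triage_email(SAMPLE_LURE, date(2015, 11, 25)):
        print(record)
```

The threshold is deliberately conservative; a newly registered domain is not proof of phishing, but combined with an unencrypted login page and a lure that redirects to a legitimate site afterwards, it is enough to route the message to a reviewer rather than the inbox.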
Rapidly transitioning domains also present a challenge to the attackers, because as domains are shut down or repossessed, that round of phishing emails is rendered obsolete. To be successful the adversary must maintain a large list of email addresses to phish in order to keep the scam going. Where can they get addresses to target? Why not your contact list? A few days after the initial email, with credentials in hand, our adversary logged into the client’s email account with a few objectives in mind. First, erase forensic evidence of the phishing campaign. Our investigation showed that forensic evidence inside the inbox was erased from the server. The data lost included the phishing email, the trash, and an email from Google about a suspicious login from an unrecognized device, part of Google’s device tracking. Second, if the attacker wants to use the compromised account to establish new infrastructure, an email filter is put in place to prevent the compromised user from seeing any indication that their account is being used for nefarious purposes. In this case an email filter for “GoDaddy.com” was used to prevent the user from receiving emails after their information was used to register new attack infrastructure.
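A filter that silently trashes registrar mail is a durable artifact that survives the attacker’s log-in session, so auditing mailbox rules is a cheap post-compromise check. The following is an added example (not part of the original post, and not CrowdStrike’s code) that audits an exported filter list for rules that hide registrar or security notices or forward mail externally. The XML is constructed sample data modeled on the Atom-based format Gmail uses when exporting filters; the property names (`from`, `hasTheWord`, `shouldTrash`, `shouldArchive`, `forwardTo`) and the watch terms are assumptions for this demonstration, and a real audit would take the export produced by the mail provider.

```python
"""Audit an exported mailbox-filter list for rules typical of a compromised account."""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample export with three filters: one hiding registrar mail (the
# GoDaddy.com case from the post), one benign newsletter rule, one forwarding rule.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='godaddy.com'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='newsletter@example-shop.net'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='label' value='Promotions'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='hasTheWord' value='invoice OR wire'/>
    <apps:property name='forwardTo' value='collector@example-dropbox.net'/>
  </entry>
</feed>
"""

# Senders and subjects an attacker typically suppresses after taking over an inbox
# (assumed list; GoDaddy is the registrar named in the post).
WATCH_TERMS = ("godaddy", "registrar", "security alert", "sign-in", "suspicious", "password")
CRITERIA_KEYS = ("from", "to", "subject", "hasTheWord")
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")


def parse_filters(xml_text):
    """Return each filter entry as a dict of property name -> value."""
    root = ET.fromstring(xml_text)
    return [
        {p.get("name"): p.get("value") for p in entry.findall(APPS + "property")}
        for entry in root.findall(ATOM + "entry")
    ]


def audit_filter(props):
    """Return a list of finding tags for one filter (empty when nothing is notable)."""
    findings = []
    criteria = " ".join(props.get(k, "") for k in CRITERIA_KEYS).lower()
    hides = [a for a in HIDING_ACTIONS if props.get(a) == "true"]
    if hides and any(term in criteria for term in WATCH_TERMS):
        findings.append("hides-registrar-or-security-mail")
    if props.get("forwardTo"):
        findings.append("forwards-externally:" + props["forwardTo"])
    return findings


def audit_export(xml_text):
    """Audit a whole export; returns only the filters that produced findings."""
    report = []
    for props in parse_filters(xml_text):
        findings = audit_filter(props)
        if findings:
            criteria = {k: props[k] for k in CRITERIA_KEYS if k in props}
            report.append({"criteria": criteria, "findings": findings})
    return report


if __name__ == "__main__":
    for item in audit_export(SAMPLE_EXPORT):
        print(item)
```

Forwarding rules are flagged unconditionally because they exfiltrate mail regardless of the matching criteria; the hiding rules are only flagged when their criteria touch registrar or account-security senders, which keeps ordinary newsletter filters out of the report.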
What are they after?
Once they secure long-term access to a victim’s inbox without the threat of discovery, they rapidly begin propagating their campaign and pilfering the victim’s inbox for financial information. Our research shows this campaign thrives on the attacker’s access to the victim’s contact list. The adversary harnesses the victim’s contact list to propagate the campaign and further the objective of obtaining financial information, such as PayPal and credit card data, from additional victims.
How long can this continue?
Our analysis provided some insight into the duration of this type of phishing campaign. The domain “consultwing.com” overlapped with the confidentialXXXX.com domains, using the same infrastructure, server, domain registrar, and technical implementation to orchestrate a credential harvesting campaign.
Consultwing.com was created on October 7, 2013 and last updated on October 2, 2014. Open source research shows the site has been associated with phishing since July 8, 2015. Once the victim accesses the site and provides his or her credentials, he or she is redirected to the legitimate website “morganstanleyclientserv.com,” to the Adobe PDF document onthmarkets.pdf, assumed to be in line with their phishing theme. While working with GoDaddy.com, CrowdStrike did notice one significant difference in the infection vector of “consultwing.com” as opposed to the other domains used in this campaign: the “consultwing.com” domain appears to be hacked legitimate infrastructure. The site appeared to be hosting a version of WordPress with some outdated plugins. This could mean that the perpetrator of this campaign has the capability to identify vulnerable infrastructure and exploit known vulnerabilities.
Phishing campaigns like the one discussed in this post are commonplace. Adversaries motivated by financial gain augment their tradecraft to stay one step ahead of investigators. By quickly transitioning attack infrastructure to new domains and using hacked web hosting accounts, they stay off the radar just long enough to get a few more victims on the hook. As these domains are discovered, their lifespan is limited, and new domains and new email campaigns are required. Stay tuned for the second blog post, discussing the use of cloud and host-based logs to investigate this type of incident.