Schemers Hide Behind SharePoint to Expose Victims to Phishing Scams
We've often said on these pages that in technical terms, phishing is the simplest form of cybercrime. Even so, pulling off a successful phishing attack still requires some preparation, especially if the crooks are serious about what they're doing. Recently, Cofense's Milo Salvia wrote about a phishing attack aimed at financial institutions in the UK, for example, and it must be said that for the most part, it was rather well-thought-out.
A convincing phishing email
The crooks began by compromising the email account of someone working for Independent Legal Assessors Ltd. (ILA), a London-based company providing legal services. The signature of the phishing email suggested that it was sent by David Philips who, according to LinkedIn, is ILA's Director, though we should point out that because Cofense redacted the sender's address, we can't be sure who at the legal firm lost control of their email account.
Although it's rather short, the email itself doesn't have the usual typos or grammatical errors. It's well-formatted, which once again goes to show that the crooks really did want to create a convincing scheme. According to the message, Mr. Philips is sending "a proposal", which the target needs to review before "further arrangements" are made. The proposal can supposedly be downloaded from a link included in the body of the message.
The link is wrapped with Symantec's Click-time URL protection, which is probably done with the intention of putting the target's mind at ease. After all, this service is designed to check the URL it points to every time a user clicks on the link, and if something's wrong, it should block all traffic. The URL the link was pointing to, however, wasn't malicious as such.
In addition to taking over the ILA email account, the hackers compromised a profile at the SharePoint collaboration platform and used it to upload a OneNote document. The file was made to look like a proposal, but the text was deliberately blurred. At the bottom, there was a link which would allegedly let the target download a legible version of the proposal. As you might imagine, it leads to the phishing page.
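The point of the chain described above is that the wrapped link and its SharePoint destination both look clean, so a defender triaging mail should unwrap the redirector and look at where the link really goes rather than trust the wrapper. The following is an added example (not code from Cofense or from this article) that does exactly that; it assumes the wrapper host clicktime.symantec.com carries its real destination in a u= query parameter and that the lure document sits under a sharepoint.com tenant, and the email body is constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Click-time wrapper hosts. The host name and the "u=" parameter holding the
# wrapped destination are assumptions made for this example.
WRAPPER_HOSTS = {"clicktime.symantec.com"}


class LinkExtractor(HTMLParser):
    """Collect href targets from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def unwrap(url):
    """Return the real destination behind a click-time wrapper, else the URL itself."""
    parts = urlparse(url)
    if parts.netloc.lower() in WRAPPER_HOSTS:
        target = parse_qs(parts.query).get("u")  # parse_qs already percent-decodes
        if target:
            return target[0]
    return url


def classify(url):
    """Flag destinations on a collaboration platform that attackers borrow to host lures."""
    host = urlparse(url).netloc.lower()
    if host == "sharepoint.com" or host.endswith(".sharepoint.com"):
        return "shared-document"
    return "other"


def triage(html_body):
    """For every link: (as seen in the mail, unwrapped destination, classification)."""
    extractor = LinkExtractor()
    extractor.feed(html_body)
    return [(link, unwrap(link), classify(unwrap(link))) for link in extractor.links]


# Constructed sample body mimicking the lure: a "proposal" link wrapped by the
# click-time service and pointing at a SharePoint-hosted document.
SAMPLE_BODY = """<p>Please review the proposal before further arrangements.</p>
<a href="https://clicktime.symantec.com/a?u=https%3A%2F%2Fexample-tenant.sharepoint.com%2Fsites%2Flegal%2Fproposal.one">Download proposal</a>"""
```

A link whose unwrapped destination is classified as shared-document, arriving from an external sender, is the one worth opening in a sandbox or checking with the purported sender out of band.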
According to Milo Salvia, the crooks compromised a legitimate website in order to host their phishing page. The whois info on the domain, however, suggests that this might not be the case. The admin email was also used for the registration of a few domains that look as if they were designed specifically for typosquatting.
The source code of the phishing page showed Salvia that the stolen credentials were directly emailed to a Gmail account which, the researcher reckons, was also compromised by the phishers.
A less than convincing phishing page
At this point, it looks like we have a well-thought-out phishing attack. The initial email is coming from a legitimate address, the Click-time URL protection is supposed to assure targets that nothing's wrong, and the SharePoint document further pushes them into a false sense of security. The phishers really did put their back into it, and you'd expect that in light of all this, the whole credential-stealing operation would be finished off with a phishing page that is as close to the original as possible. Surprisingly enough, however, the scammers didn't bother that much with the final, most crucial part of the whole attack.
The phishing portal is made to look like the login page for Office365 for Business, but the screenshot Cofense provided shows that it's a very cheap imitation. Victims were given options of logging in either with their Office365 credentials or with the username and password for any other email provider. Normally, this is done in order to maximize the amount of stolen information. In this particular case, however, anyone who has seen what the original login page looks like would be hard-pressed to believe the phishing portal. It turns out that it's actually a phishing kit sold by a group called Blackshop Tools. Given the low quality, we can imagine that it's one of the cheaper options.
Although the rest of the attack was well-designed, the obviously fake phishing page should be enough of a warning for most people. The next time they try to steal some login credentials, the crooks might decide to go for a higher quality phishing kit, however, which means that you should be as careful as ever, even when the communication in your inbox looks completely legitimate.