Credential harvesting attack via Ray White Real Estate

A friend forwarded me an email she had received from Ray White Real Estate that she was suspicious of. As a member of their mailing list, and not a direct correspondent of the sender, she was rightfully suspicious of the content of the email and had already contacted the Ray White branch, who confirmed they were experiencing an incident but, on advice from IT, were not planning to notify their customers at that time.

Setting aside the debate about the need for mandatory breach notification in Australia, we'll run through the stages of the attack below.

Although the language in the email (seen below) is a little rough, it mentions an important attachment and a "confidential" document is attached, and the sender and headers of the email appear to be legitimate.

[Image: raywhite_malware]

The phishing email, with legitimate headers and signature.

[Image: confidential_po]

The attachment's "Click here to access the Secured Document" link points to a Goo.gl address.

I ran the attached PDF file through our local ThreatAnalyzer dynamic analysis sandbox to run the file in a safe environment and determine whether it contained an exploit. In this case the document itself was benign; however, it masquerades as an Acrobat Secure document, with a Goo.gl shortened link that redirected to a compromised website hosting a credential harvesting portal. If the recipient enters credentials into the form, they are stored by the server and the user is redirected to a legitimate website hosting a journal article on sustainable investing, which may well be of interest to the recipient.

With the credentials harvested, the attacker would then be able to access the online service those credentials belong to at their leisure.

[Image: credential_harvesting]

The credential harvesting landing page. What don't you want to give us credentials for? Gmail? Dropbox? Yahoo?

[Image: ray_white_journal_article]

The page the user is redirected to after entering credentials, thinking they have logged on to gain access.

The fact that the attackers used a Goo.gl shortened link allows us to run analytics on the URL using the Google API. This gave very interesting metadata about visitors who had followed the link from the PDF document. At the time of writing there had been 701 visits to the credential harvesting portal via the document, and the large majority of targets (667) were from Australia. This is consistent with the target list being the mailing database of an Australian real estate agency. Also of interest was that the API revealed the timestamp at which the shortened URL was created (2015-08-18T01:11:32 – Today).
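The kind of triage described above, as an added example that is not part of the original post: the Goo.gl API (retired by Google in 2019, so it can no longer be queried live) returned a JSON object with `created` and `analytics.allTime` fields, and the function below reduces such a response to the facts a responder wants: total clicks, how concentrated the clicks are in one country, how old the link is, and a simple "fresh, geographically concentrated campaign" verdict. The response object is constructed to match that documented shape, the short and long URLs and the secondary countries are placeholders, and the verdict thresholds are this example's own assumption.

```python
from datetime import datetime, timezone

# Constructed response modelled on the shape the goo.gl URL Shortener API v1
# returned for projection=FULL (the service was retired by Google in 2019, so
# a live call is no longer possible). Click figures mirror the post; the short
# URL, long URL and secondary countries are placeholders.
SAMPLE_ANALYTICS = {
    "kind": "urlshortener#url",
    "id": "http://goo.gl/PLACEHOLDER",
    "longUrl": "http://compromised-site.example/secure-document/",
    "status": "OK",
    "created": "2015-08-18T01:11:32.000+00:00",
    "analytics": {
        "allTime": {
            "shortUrlClicks": "701",
            "longUrlClicks": "701",
            "countries": [
                {"count": "667", "id": "AU"},
                {"count": "21", "id": "US"},
                {"count": "13", "id": "NZ"},
            ],
            "referrers": [
                {"count": "690", "id": "unknown"},
                {"count": "11", "id": "mail.google.com"},
            ],
        }
    },
}


def parse_created(value):
    """Parse the API's ISO-8601 'created' field into an aware UTC datetime."""
    # The API emitted fractional seconds and a +00:00 offset; read only the
    # date and time portion so the parser stays tolerant of either form.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(
        tzinfo=timezone.utc
    )


def summarise(resp, home_country="AU", as_of=None, max_age_hours=48, min_share=0.9):
    """Reduce a FULL-projection response to total clicks, country concentration,
    link age and a simple targeted-campaign verdict."""
    all_time = resp["analytics"]["allTime"]
    total = int(all_time["shortUrlClicks"])
    by_country = {c["id"]: int(c["count"]) for c in all_time.get("countries", [])}
    home = by_country.get(home_country, 0)
    home_share = home / total if total else 0.0

    created = parse_created(resp["created"])
    now = as_of or datetime.now(timezone.utc)
    age_hours = (now - created).total_seconds() / 3600

    return {
        "short_url": resp["id"],
        "long_url": resp["longUrl"],
        "total_clicks": total,
        "home_clicks": home,
        "home_share": round(home_share, 3),
        "top_countries": sorted(by_country.items(), key=lambda kv: -kv[1])[:3],
        "created": created.isoformat(),
        "age_hours": round(age_hours, 2),
        # Heuristic (this example's assumption, not from the post): a link only
        # hours old that is already heavily clicked from a single country looks
        # like a targeted mailing-list campaign rather than organic sharing.
        "likely_targeted": age_hours <= max_age_hours and home_share >= min_share,
    }


if __name__ == "__main__":
    report = summarise(
        SAMPLE_ANALYTICS, as_of=datetime(2015, 8, 18, 12, 0, tzinfo=timezone.utc)
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

Passing `as_of` keeps the age calculation reproducible; in a real investigation you would omit it and let the function use the current time.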

[Image: raywhite_phishing_anaytics]

Surprisingly, you can get detailed analytics for a Google shortened URL even if you are not its creator.

In this case there was no actual malware in the attack; rather, it was a multi-stage social engineering attack using a "trusted" sender as the source. Blocking Goo.gl short links, which are often used in malware, may interfere with other valid uses of them, and the domain hosting the harvesting portal was not known to be bad (at least via VirusTotal) at the time this post was published.

We will keep an eye on our OSINT feeds over the next couple of days to see if the domain ends up being flagged as malicious/compromised and continue to monitor the analytics for the URL.

Westpac phishing email

[Image: westpac_fishing_email]

Another suspicious phishing email was forwarded to me this morning for analysis. This one was a Westpac phishing email, that is, an email pretending to be from Westpac with malicious intent.

The body of the email is below:

From: WBC [mailto:[email protected]]
Sent: Wednesday, 6 May 2015 11:31 AM
To: <target email address>
Subject: 1 New payment message.

This email is to confirm that you recently made a Funds Transfer to a payee with account ending 0371 for the first time.
For more information about this payment please see your transaction history.

Please click here if you did not perform this transfer.

Customer <target email address>
Sincerely,
Westpac Support Team

Please do not reply to this email. If you have questions regarding this email please contact our support area on 1300 666 656 (7am to 9pm) Monday-Friday or 9am to 6pm Saturday-Sunday AEST/AEDT).

Visiting the link takes you to a compromised Joomla site (a cafe in the Netherlands) hosting the fake website, presumably used to collect Westpac customer account details for later use by the attacker.

If a user enters account details they are redirected to the real Westpac website, where they receive an error message. Redirecting the user takes them off the site hosting the fake page and gives them a genuine secure connection, showing the "green bar" for peace of mind.

Interestingly, this redirect would allow Westpac to parse their web server log files or referral analytics to determine how many of their customers may have been at risk: each victim arrives at the real error page with the phishing site as the HTTP referrer.

[Image: westpac_fishing_redirect]

The redirect to the real Westpac site.

emt Distribution distributes ThreatAnalyzer, a dynamic behavioural sandboxing solution that can be used to safely analyse these emails, and also ThreatQ, an on-premise threat intelligence platform (TIP) that automates, structures, and manages all of your cyber threat intelligence in a central analytical repository.