A pair of related phishing campaigns this year took the unusual step of intentionally avoiding malicious links or attachments in its emails – a sign that threat actors may recognize the challenges posed by secure email gateways and sandbox rules and increasingly savvy users.
In a blog post this week, Cofense reported that actors using the BazarBackdoor malware have been experimenting with roundabout ways of getting users to self-infect. One campaign featured a fraudulent invoice referencing a malicious website, but not directly linking to it. Instead, the attackers are counting on users typing or pasting the URL into their browsers. A second campaign included a phone number that, if called, reaches a fake company representative who will try to trick the user into visiting an attacker-controlled website.
"The notable part about this is that we don't usually see this sort of thing," said Joseph Gallop, an intelligence analysis manager at Cofense, in an interview with SC Media. "Usually, threat actors try to make the path to compromise as simple as they can for the victim to follow."
While perhaps unusual, it might become more commonplace over time. "There is an increase in fileless, linkless attacks that are engineered toward luring users to do something they are not supposed to do outside of the scope of clicking on links or opening attachments," said Ironscales CEO Eyal Benishti. "Most of these attacks are BEC attacks, impersonating a known internal or external sender trying to lure users into wiring money, paying fake invoices, changing bank account details records, buying gift cards or other goods, and the defenders’ challenge now is to detect and block communications with malicious intent and not necessarily malicious content."
The BazarBackdoor campaigns' circuitous path to infection relies on the victim being will to do a little extra work, but there's a strategy behind this risk: "More and more, corporate network users are being conditioned to recognize malicious links and attachments," the Cofense report states. Thus, "the absence of apparently malicious links and attachments may lull potential recipients into complacency... Failure to recognize the roundabout engagement tactics at play here could result in a compromise going unnoticed."
Indeed, "threat actors know what they are running up against and in most cases, they know what most companies are using to defend their environment," Benishti added. "They know that companies are better protected against malware and have better threat intel capabilities, but that the human link is still a weak link. They know that most current technical controls and filters have a blind spot to social engineering and BEC and that sending the right message in the right context will bypass those solutions and lure engagement from the end users."
One email example from the campaign, spotted in early February, featured a purported order-confirmation message from a fake pharmaceutical firm. In similar communications the attackers also pretended to be from office supply, flower delivery and lingerie companies. Inside the email was an order number and fake PDF-based invoice, none of which contained any malware. However, the invoice alluded to the domain fiercepharma[.]net.
Users type this domain into their browsers and subsequently click over to the "Cancel Order" page are prompted to enter their order number and are then taken to yet another site that delivers an Excel spreadsheet. The site attempts to fool victims into enabling malicious macros so that the BazarBackdoor malware can be delivered. This first-stage malware can later lead to significant secondary payloads, including Ryuk ransomware.
Cofense researcher found version two of the phishing scam in March. These emails used lures that warned of cancelled subscriptions, subscription fees or free trials ending, with a phone number for users to call.
Upon calling the phone number, users would be greeted by a fake representative from the company that had supposedly reached out. At that point, the phony rep attempts get the prospective victim to visit a website where again they can be infected by BazarBackdoor.
"Of course, there are a number of variations on the technique threat actors could use, like replacing order confirmation with a gift certificate," said Gallop. "But essentially, it's the same thing. Getting people to navigate to the website or call a number, without giving them a direct way to do so."
So how to spot and stop this scam? "As with any other type of message that seems suspicious, go directly to the website for contact information," said Gallop. "Do you even use the product being referenced in the scam? Many of these have a 'consumer' theme for products that are not likely used in your organization, so report these to your security team or just delete as you would with any other type of spam."
Benishti also dispensed some advice: "Never call a number you receive on an email and never follow the email link. Always go straight to the vendor’s website yourself, look for the 'Contact us' page and use publicly available email addresses, phone numbers and URLs. Remember how easy is to create a fake email and pretend to be anybody."
Additionally, "look for common methods to hide URLs (there will be no link and it will be colored as simple text, [and] look for special characters that were planted in order to fool filters, weird spacing and anything that seems like it was designed to bypass pattern detection. Remain skeptical and vigilant and, most of all, equip your organization with the right tools and educate your employees continuously."
