As Old as the Hills
Phishing attacks are well known and are still the most popular and most successful type of attack used by cyber criminals. The design remains simple, as the attack is aimed at the most vulnerable component of information systems: the users. Startups launching Initial Coin Offerings are experiencing an increasing number of phishing attacks. As a result of these attacks, we have seen multiple reports in recent days of invested funds being lost.
Until recently, most of these attacks were delivered through spam messages, with a majority of the attacks halted at the user’s inbox. In some cases the messages are ignored because the signs of phishing are very obvious. Other times, the messages are forwarded to IT support with the question “Is it safe to enter a password on this page?”. Of course, some of these users will be successfully phished, but the number is quite small compared to the amount of spam sent. In a recent incident in which the Coindash website was hacked, the attack involved tricking users into sending funds to an address that the company has identified as belonging to the hacker. There are also new attacks against cryptocurrency users through the Slack platform. We’ve seen recent spearphishing attacks that contain no links or exploits in the message body. Instead there is only a title/subject, and googling this title leads to an exploit site. All of these show how fast new phishing attacks are emerging among malicious actors.
At Cisco Umbrella, one way that we’ve been monitoring emerging attacks and new trends is by using NLP Rank. In this blog post, we’re sharing some of the latest detected threats.
An Old Dog Learns New Tricks
Punycode encoding
One trend is the use of punycode to encode internationalized domain names that impersonate well-known domain names. We had seen this technique in the past, before its recent wide adoption by malicious actors. An additional OCR-based filter has helped us to recognize suspicious domain names once the suggested block appears as a result of NLP-based analysis of the domain name and its content.
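The check described above, sketched as an added example that is not part of the original post or of NLP Rank: it decodes xn-- labels and folds look-alike characters to ASCII, using a small confusable-character table in place of the OCR filter. The names WATCHED, CONFUSABLES and the functions are hypothetical, and the sample domains are constructed.

```python
import unicodedata

# Brand labels to protect (assumption: only the wallet named in this post).
WATCHED = {"myetherwallet"}

# Small constructed sample of Cyrillic/Greek look-alikes; a production table
# would be built from the Unicode confusables data.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u03bf": "o", "\u03b1": "a",
})

def decode_label(label):
    """Return the Unicode form of one DNS label, decoding xn-- punycode."""
    label = label.lower()
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed punycode: leave the label untouched
    return label

def skeleton(label):
    """Fold look-alike characters and accents down to plain ASCII."""
    folded = unicodedata.normalize("NFKD", label.translate(CONFUSABLES))
    return "".join(ch for ch in folded if not unicodedata.combining(ch))

def impersonated_brand(domain):
    """Return the watched brand a domain visually imitates, else None."""
    for raw in domain.rstrip(".").split("."):
        shown = decode_label(raw)
        if shown.isascii():
            continue  # plain ASCII label: the genuine name or an unrelated one
        if skeleton(shown) in WATCHED:
            return skeleton(shown)
    return None

def to_punycode(label):
    """Build the xn-- form of a label (used only for the test samples)."""
    return "xn--" + label.encode("punycode").decode("ascii")

# Constructed samples: Cyrillic U+0430 replaces the Latin "a"; U+00E9 is "e" with an accent.
SPOOF = to_punycode("myetherw\u0430llet") + ".example"
ACCENTED = to_punycode("my\u00e9therwallet") + ".example"
```

A domain whose skeleton matches a watched brand is only a candidate; as the post notes, the block decision also draws on the content served by the domain.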
Free domain names
Most of these abused domains are from TLDs that offer domains free of charge. In this scenario, what matters is not the price but the opportunity to get the domain name without leaving any trace in the form of payment information. All you need is an email address that can later be discarded, and that’s it. Similarly, bulletproof hosting or abused large providers have been used.
In the example below, when trying to register a spoofing domain for one of the Ethereum wallet providers, we can see that the domain name myetherwallet[.]cf is already taken.
Compromised and Obfuscated Emails Used for Registering
Since setting up multiple emails for domain registration can be difficult, we often see compromised email addresses being used for registering domains. Another trick is to use one email for registering multiple domains and replace or “guard” that email address with different whois data anonymity services. In these cases, the whois provider will return a message similar to: “Due to restrictions in the Privacy Statement, personal information about the user of the domain name can not be released.” Services that allow users to register absolutely anonymously, such as Protonmail, are being abused for this technique.
SSL certificates and free hosting
In general, people still think that the combination of HTTPS+SSL means the domain is trustworthy. In reality, this only means that your connection is private and that the traffic is protected while in transit. Another false belief is that it is impossible to get a web server with a valid SSL certificate from a CA and leave no traces. As it turns out, this is not true. In many cases, the attackers are taking advantage of free SSL provided by hosting providers. A brief analysis of the functions available in a free package from SSL service providers reveals a storehouse of opportunities which can be abused by phishing actors:
- Completely anonymous registration. Any valid email address is more than enough. Theoretically, an identity can be found from the analysis of the IP address used for registration, but sophisticated attackers are more than capable of hiding their true IP address.
- Abused free certificates from CAs. Some of them are not only free, but are also issued within a few minutes of registering, without any additional verification being performed.
- The real IP address of the web server is hidden. All traffic goes through a CDN-like infrastructure.
- SSL offloading. A malicious web server can be configured to work with HTTP, but with a service like Cloudflare, all of the traffic will go through SSL. This is important because you can easily get free hosting with HTTP, whereas you would have to pay for hosting with HTTPS and SSL, and these payments can be traced.
- With rare exceptions, CA services do not sign certificates for domains at .ga, .cf, .tk, etc. Once again, Cloudflare-like services solve this problem for the attacker, given the ease with which the certificate is issued.
Ads Poisoning
While AdWords phishing is not a new threat, it is one of the most used techniques for phishing cryptocurrency users, as well as other financial institutions. Google and Bing are aware of the malicious use of their advertising platforms, but recent campaigns have proven that these attacks are frequently able to evade detection. We observed the below campaign over the past 6-9 months. The targeted companies rotated over the duration of the campaign, but the rest of the scheme stayed the same. This type of campaign has been covered in detail in our previous publications. The latest iteration of this campaign targets users of MyEtherWallet.


Unvalidated Redirects
Phishing emails are getting better and are using far more targeted social engineering tactics. We have analyzed links within phishing emails that at first do not seem to be malicious or an attempt at phishing. However, the link leads to a compromised website that makes use of an “Unvalidated Redirects” vulnerability. Exploiting this vulnerability helps to defeat many, if not all, of the commonly used anti-spam filters. In an email the link would appear similar to:
hxxps://company.com/unvalidated_redirect.php?url=http://login.company.cf/
The user sees the link directing to the original trusted site (company.com) and does not realize that a redirection could take place.
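One way a mail filter can surface such links, as an added example that is not from the original post: it looks inside the query string for a nested URL whose host differs from the visible one and notes whether the target sits on one of the free TLDs named above. The function names and the same-site rule are assumptions; the second and third sample links are constructed.

```python
from urllib.parse import urlsplit, parse_qsl

# Free-of-charge TLDs named in this post.
FREE_TLDS = {"ga", "cf", "tk"}

def refang(url):
    """Undo the hxxp / [.] defanging used in reports so the URL parses."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")

def same_site(outer_host, target_host):
    """Assumption: 'same site' means the visible host or a subdomain of it.
    A production check would compare registrable domains using the
    Public Suffix List."""
    outer = outer_host[4:] if outer_host.startswith("www.") else outer_host
    return target_host == outer or target_host.endswith("." + outer)

def offsite_redirects(url):
    """Return (param, target_host, on_free_tld) for every query parameter
    whose value is itself a URL pointing away from the visible site."""
    outer = urlsplit(refang(url))
    outer_host = (outer.hostname or "").lower()
    findings = []
    # parse_qsl percent-decodes values, so url=http%3A%2F%2F... is caught too.
    for name, value in parse_qsl(outer.query, keep_blank_values=True):
        if value.startswith("//"):
            value = "http:" + value  # scheme-relative redirect target
        try:
            target = urlsplit(value)
            host = (target.hostname or "").lower()
        except ValueError:
            continue  # unparseable value, not a usable URL
        if target.scheme not in ("http", "https") or not host:
            continue  # ordinary parameter, not a nested absolute URL
        if not same_site(outer_host, host):
            on_free_tld = host.rsplit(".", 1)[-1] in FREE_TLDS
            findings.append((name, host, on_free_tld))
    return findings

# The link from this post, followed by two constructed links.
SAMPLES = [
    "hxxps://company.com/unvalidated_redirect.php?url=http://login.company.cf/",
    "https://company.com/r?url=https%3A%2F%2Fwww.company.com%2Fhelp",
    "https://company.com/search?q=redirects&page=2",
]
```

On the site side, the same comparison applied to the redirect parameter before issuing the redirect closes the hole.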
Abuse of URL shorteners
In recent mass spam campaigns, we have seen a surge in the use of shortened URL links in the e-mail body to drive traffic to spoofed domains. Once again, this technique helps to defeat a significant number of standard defenses and creates problems for typical users. Many people believe the responsibility rests on the URL shortener’s shoulders to guarantee the safety of a shortened link. While many URL shorteners are working to decrease malicious links in their systems, totally eliminating such abuse is a very challenging problem. These schemes typically aim not only to harvest account credentials, but are also used to deliver malware.
Defeat the Phish
How do we take down malicious domains? It is the goal of many security researchers in our industry, but a unified solution does not yet exist. Conviction and punishment of the suspected phishing actor seem to be a hard goal to achieve. Given the complexity of the malicious infrastructure behind these attacks, a researcher would need to work in close collaboration with the Registrar, Cloud Service Provider, and the Email Service Provider being abused to find the actor behind such attacks. However, this approach could still leave you with only an IP address as an indicator. How would it be possible to “identify” a criminal by only their assumed IP address? I would say impossible.

Conclusion
Given the research being done to identify the scale of the problem behind simple typosquatting domains, we can see there are many users exposed to this threat. The number of phishing attacks is growing and the criminals’ methods are constantly evolving. Cisco Umbrella is able to detect and block such domains using our high frequency classifiers like NLPRank. Additionally, users and companies themselves are strongly encouraged to enable two-factor authentication when possible and implement layered security controls.
This blog is a result of collaboration between Artsiom Holub of the Cisco Umbrella research team and Jeremiah O’Connor of the Cisco country digitization team.