Phishing, Other Threats Target Email and Video App Users

May 04, 2020
Insights and analysis by Paul Christian Pajares

We have seen several threats abusing tools utilized in work from home (WFH) setups. Cybercriminals are using credential phishing sites to trick users into entering their credentials into fake login pages of email and collaboration platforms and videoconferencing apps. Although these threats are not new, the need for better solutions is heightened due to the current experience and landscape.

Over the years, cybercriminals have remained active in propagating credential phishing campaigns. The Trend Micro 2019 Cloud App Security Report showed a 35% increase in the number of credential phishing attempts involving unknown phishing links from 2018 to 2019. This may mean that threat actors continuously produce new phishing links to evade detection by security software. Credential phishing attacks detected and blocked by Trend Micro Cloud App Security also increased by 59%; from 1.5 million in the second half of 2018 to 2.4 million in the first half of 2019.

[Related: The Rising Tide of Credential Phishing]

Here, we analyzed some of the tools that many companies use for WFH arrangements: Outlook on the web (formerly known as Outlook Web Access) and other Office 365 applications such as SharePoint, and videoconferencing apps WebEx and Zoom.


Phishing campaigns using Outlook on the web and Office 365 as lures

Credential phishing using Outlook on the web and Office 365 as bait has hit users in several countries. Data from our Smart Protection Network indicates over 50,000 phishing detections from January 2020 to April 27 of the same year, with the threats affecting users in the United States, Germany, Canada, Taiwan, Japan, Australia, Hong Kong, and other countries.

Figure 1. Phishing detections related to Office365 and Outlook from January to April 2020

Figure 2. Top countries with users encountering phishing attempts related to Office365 and Outlook

Employees commonly use Outlook mailbox in the office but some use the Outlook for the web version when accessing email outside the office. If not careful, they may mistakenly attempt to log in to a phishing page designed to look like Outlook’s login page.

 
Figure 3. Fake login page of Outlook for the web

Many employees are accessing files and collaborating online through Office 365. Sites associated with this are also spoofed and used as phishing campaign lures. The 2019 Cloud App Security Report also found that the number of unique Office 365-related phishing links blocked in 2019 jumped to more than double 2018’s total, according to data from the Trend Micro Smart Protection Network infrastructure. We also found that these threats not only targeted users, but also those who have administrator accounts.

Figure 4. Fake Microsoft login page

Phishing campaigns and other threats using WebEx and Zoom as lure

Threat actors deploy phishing campaigns that use videoconferencing apps such as WebEx and Zoom as bait. Besides phishing, other threats such as adware, cryptocurrency miners and other malware, and fraud also use these apps as lure. Data from the Trend Micro Smart Protection Network revealed an estimated 4,000 detections for threats targeting Zoom and WebEx users from January 2020 to April 27 of the same year. These affected users from Germany, the United States, China, Japan, Taiwan, Hong Kong, Singapore, and other countries.

Figure 5. Threat detections for Zoom and WebEx from January to April 2020

Figure 6. Top countries with users encountering phishing attempts and other threats related to Zoom and WebEx

 

WFH setups rely on videoconferencing apps for better communication. Cybercriminals take advantage of this by attempting to harvest credentials through phishing pages. Other threats using these apps as bait include malicious domains and fake apps.



Figure 7. Fake pages for logging in and joining a meeting in WebEx


Figure 8. Spoofed login page of Zoom

Threat actors either compromise legitimate sites or create malicious domains to host phishing pages. We traced the IP hosting locations of the sources of these domains and found that the United States has the highest unique IP count, with at 833. Trailing far behind is the Netherlands at 78 and Germany at 44.

Recommendations

One of the ways threat actors spread credential phishing pages is through email. Below are some of the best practices for defending against this threat:
  • Never click links in emails coming from untrustworthy sources.
  • Examine URLs embedded in emails by hovering the mouse pointer over it. This may reveal that it leads to another URL.
  • Check for grammatical errors and spelling mistakes, which are common indicators that the email did not come from reputable companies.
  • Even if a page looks like a legitimate login page, inspect the URL to confirm its legitimacy.
  • Avoid sharing sensitive personal information online.
Security solutions for email and collaboration can also help defend against credential phishing.

Indicators of Compromise

Phishing pages targeting Office365 and Outlook on the web users

  • 0utlook-owa.eu-gb.cf[.]appdomain[.]cloud
  • alfazos.linkpc[.]net.
  • authe1-microsoftmailaccounts[.]ml
  • comeliveonvacation[.]com/outlook/
  • covid939[.]com
  • eronginshop[.]com/owa/
  • helpdeskowa[.]at[.]ua
  • kitchoan.co[.]th/.owa/
  • mailboxfull[.]website
  • micosfotsharepoint[.]xyz
  • microsharepont[.]cf
  • microsharepont[.]tk
  • my.sharepoint.lee.elegance[.]bg
  • office365[.]it.support[.]emailblox[.]com
  • outlook.winmail01[.]cn
  • web-outlooks[.]com
  • wwedvm[.]appspot[.]com/outlook/

Phishing pages targeting WebEx and Zoom users

  • crag-group[.]com/zoom/
  • darenthvaley[.]co[.]uk/zoom/index.html
  • globalpagee-prod-webex[.]com
  • globalpagee-prod-webex[.]com
  • global-prod-meetsolutions[.]com
  • webexhost[.]191078[.]ru
  • zoom-appointment.myftp[.]org

Download sites of fake WebEx and Zoom apps

  • d11udsutejoxdq.cloudfront.net/{redacted}/zoom-us-zoom_2544611106.exe
  • d36rrippt2k8a8[.]cloudfront[.]net/{redacted}/cisco-webex-meetings[.]exe
  • dlnow[.]co/cisco-webex-meetings
  • zoom-download[.]com
  • zoom-us-zoom[.]dlnow[.]co

Other malicious sites related to WebEx and Zoom

  • cccconferzoom[.]com
  • ccconferzoom[.]org
  • meeting-zoom[.]hopto[.]org
  • suppot-webex-cisco[.]com
  • videoconferencestore[.]com
  • zoomcloud[.]xyz
  • zoomeetup[.]com
  • zoomvirtualbackgrouns[.]com

SHA-256 Trend Micro
Pattern Detection
2e3fc390e6b74d86e3535cd2cc0fd864c8cae0b9434cce12063a289d03e7ba10
PUA.Win32.InstallCore.THCCABO
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Posted in Cybercrime & Digital Threats

We Recommend