One of the goals of cybercriminals is to remain hidden for as long as possible. With the vast number of threat intelligence platforms available, there are many organizations always hunting for signs of nefarious activity. The longer criminal activity can remain off the radar, the greater the potential haul, be it money, credentials, or intellectual property (to name a few). In this blog, we’ll walk through a recent example where the malicious activity is hidden but connecting a few key data points paints a very suspicious picture.

The target of this phishing campaign was a U.S.-based biotech company. The campaign starts with a very basic “Message Sending Failed” email.

[Image: blog-061919-hiding-in-plain-sight]

Clicking any of the links redirects the user to an easywp.com site. Interestingly, the top link (the email address) redirects to a generic page, while the other two take the user to a page showing nothing more than a traditional CAPTCHA.

[Image: blog-061919-img-2-hiding-in-plain-sight]

No identifying information of any kind is displayed. EdgeWave analysts believe the CAPTCHA is likely used for purposes beyond merely validating that a live person is visiting the site. One possibility is to remain hidden from the web crawlers used by security organizations. EdgeWave submitted the suspicious URL to Google Safe Browsing immediately, but at the time we published this blog the site was still not listed as malicious. Perhaps the CAPTCHA is preventing Google Safe Browsing from performing a thorough analysis?

Email addresses are usually appended to the end of a phishing URL to auto-populate the credential-scraping login page. Clicking past the CAPTCHA returns a login page, with the company logo included and the email address pre-populated. Attempting to bypass the CAPTCHA and browse directly to the suspicious page redirects back out to a generic Google page, so the criminals want the victims to pass through the CAPTCHA. As the email address was not part of the URL, we surmise there is a backend database cross-checking the alphanumeric data in the URL against a list of email addresses. Could this be another attempt to fool traditional URL protection schemes that look for the email address in the URL?

Researching the domains involved in the campaign reveals some instrumental insight.

  • Sckdnmcdlj.com hosts the credential scrape page
    • 4-month-old domain
      • The age is suspicious when combined with the seemingly random letter combination
    • Registered at namecheap.com
  • Namecheap.com
    • Many malicious domains have been purchased here
  • Easywp.com
    • WordPress offered by NameCheap.com
    • WordPress continues to be a prime target for malicious activities
  • Colocrossing.com
    • Malicious email is regularly sent from this hosting provider
    • Malicious web pages from this campaign are hosted here

Any one of these is questionable by itself, but not a full indictment. When combined, however, the suspicion level increases dramatically. Correlating these elements also demonstrates the challenge traditional email security gateways face in stopping messages like this. There is no malicious content within the email, and each element can be construed as “safe”. Buying a domain from NameCheap, for example, does not automatically make it a malicious domain. And automating the correlation of data points has a high chance of creating a false positive, a very poor outcome for administrators and users. It’s only through the human review performed by trained email security professionals, like the EdgeWave Threat Detection Analysts, that good can be separated from bad with certainty.
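As an added illustration, not EdgeWave's code or tooling, the Python below correlates the weak signals listed above (domain age, random-looking hostname, registrar and hoster, CAPTCHA gating, and the opaque-token-instead-of-email pattern from the URL discussion) into an analyst-review priority rather than a block decision. The watchlists, thresholds, field names and sample inputs are constructed assumptions for the example.

```python
# Added example, not EdgeWave's code: correlate the individually weak signals from the
# post into an analyst-review priority. Watchlists, thresholds and inputs are constructed.
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote, urlparse

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ABUSED_REGISTRARS = {"namecheap.com"}    # providers the post reports as frequently abused;
ABUSED_HOSTERS = {"colocrossing.com"}    # a watchlist that raises priority, not a blocklist

@dataclass
class LinkObservation:
    url: str                            # link the victim clicks
    domain_age_days: int                # from WHOIS/RDAP
    registrar: str
    hosting_provider: str
    captcha_gated: bool                 # landing page shows only a CAPTCHA
    direct_visit_redirects_away: bool   # skipping the CAPTCHA bounces to a generic page
    page_prefills_email: bool           # credential page already knows the victim's address

def embedded_email(url: str) -> Optional[str]:
    """Email address carried anywhere in the URL (path, query or fragment), else None."""
    m = EMAIL_RE.search(unquote(url))
    return m.group(0) if m else None

def looks_random(label: str) -> bool:
    """Crude heuristic: a long hostname label with almost no vowels."""
    vowels = sum(ch in "aeiou" for ch in label.lower())
    return len(label) >= 8 and vowels / len(label) < 0.2

def weak_signals(obs: LinkObservation) -> list:
    host = (urlparse(obs.url).hostname or "").lower()
    checks = [
        (obs.domain_age_days < 180, "young domain"),
        (looks_random(host.split(".")[0]), "random-looking hostname"),
        (obs.registrar.lower() in ABUSED_REGISTRARS, "registrar frequently abused"),
        (obs.hosting_provider.lower() in ABUSED_HOSTERS, "hosting provider frequently abused"),
        (obs.captcha_gated and obs.direct_visit_redirects_away, "CAPTCHA gate hides page from crawlers"),
        (obs.page_prefills_email and embedded_email(obs.url) is None, "victim resolved from opaque token, not URL"),
    ]
    return [label for hit, label in checks if hit]

def triage(obs: LinkObservation) -> tuple:
    """Escalate on correlation only; no single signal is grounds to block."""
    signals = weak_signals(obs)
    verdict = "analyst review" if len(signals) >= 4 else "monitor" if len(signals) >= 2 else "allow"
    return verdict, signals
```

The output is a queue priority for a human reviewer, which is the point the post makes: the same correlation used to auto-block would sweep in legitimate NameCheap customers.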