URL: https://research.checkpoint.com/2020/phishing-campaign-exploits-samsung-adobe-and-oxford-servers/


OFFICE 365 PHISHING CAMPAIGN EXPLOITS SAMSUNG, ADOBE AND OXFORD SERVERS

June 18, 2020




INTRODUCTION

Over the last few years, the adoption of Office 365 in the corporate sector has
significantly increased. Its popularity has attracted the attention of
cybercriminals who launch phishing campaigns specifically to attack the
platform. As 90% of cyber-attacks start with a phishing campaign, Office 365 is
an attractive target for threat actors who work to evade the continuously
introduced security solutions.

Recently, a seemingly unsophisticated Office 365 phishing campaign caught our
attention. The attackers abused an Adobe Campaign redirection mechanism, using a
Samsung domain to redirect victims to an O365 themed phishing website. The
hackers took advantage of the fact that access to a reputable domain, such as
Samsung’s, would not be blocked by security software.

To expand their campaign, the attackers also compromised several websites to
inject a script that imitates the same mechanism offered by the Adobe
redirection service. Further investigation revealed that the actors behind the
campaign implemented a few other interesting tricks to hide the phishing kit and
avoid detection at each stage of the attack. This report will describe what we
discovered about this Office 365 phishing campaign which used trusted services
to allow a new attack.




BEFORE WE START

Neither Adobe nor Samsung were compromised in the sense of exploiting a
vulnerability. Samsung’s Adobe Campaign server was left available for managing
campaigns that were not necessarily part of the company’s marketing efforts.

A redirection mechanism redirects users to a destination specified in the URL
they just clicked. This allows campaign managers, for example, to gauge and
monitor ongoing advertisement efforts by logging every successful visit before
redirecting the user to an ad page.




ATTACK FLOW

In early April of 2020, we detected a phishing campaign that delivered “missed
voice message” emails to its victims. Roughly 43% of these attacks targeted
European companies while the rest were seen in Asia and the Middle East. The
emails prompted users to click on a button that would allegedly take them to
their Office 365 account. These emails used only very basic customization, such
as the target's domain name in the subject line and the username in the body of
the email. Despite the “Message from Trusted server” notification at the top, a
vigilant user would have noticed several inaccuracies. Here is an example of one
of the phishing emails:


Office 365 Voice-Mail phishing email.

After the victims clicked the button, they were redirected to a phishing page
masquerading as the Office 365 login page. Behind the scenes, this redirection
consists of two stages: the first stage abused an existing redirection scheme
on a legitimate domain (e.g. samsung[.]ca), and the second stage redirected the
user to a compromised WordPress site.

Phishing attack scheme.

Most of the emails came from multiple generated addresses belonging to
legitimate subdomains from different departments in the University of Oxford
(UK).

xXbxiFzmbHpUBkFgaDKrcNFFwDwzmIDJEaHlPAEsgFqxaInjJX@paediatrics.ox.ac.uk

Example of an auto-generated email address used in this campaign.

The email headers showed that the attackers found a way to abuse one of Oxford’s
SMTP servers. The email originated from the NordVPN IP address 194.35.233.10 and
then passed to the Oxford SMTP server and the Oxford Relay server as displayed
below:

Authentication-Results: spf=pass (sender IP is 129.67.1.166)
 smtp.mailfrom=paediatrics.ox.ac.uk; xxx; dkim=none (message not
 signed) header.d=none; xxx; dmarc=bestguesspass action=none
 header.from=paediatrics.ox.ac.uk;compauth=pass reason=109
Received-SPF: Pass (protection.outlook.com: domain of paediatrics.ox.ac.uk
 designates 129.67.1.166 as permitted sender) receiver=protection.outlook.com;
 client-ip=129.67.1.166; helo=relay13.mail.ox.ac.uk;

Received: from relay13.mail.ox.ac.uk (129.67.1.166) by
 MR2FRA01FT016.mail.protection.outlook.com (10.152.50.130)

Received: from smtp5.mail.ox.ac.uk ([163.1.2.207])
    by relay13.mail.ox.ac.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
    (Exim 4.89)
    (envelope-from <xXbxiFzmbHpUBkFgaDKrcNFFwDwzmIDJEaHlPAEsgFqxaInjJX@paediatrics.ox.ac.uk>)

Received: from [194.35.233.10] (helo=[127.0.0.1])
    by smtp5.mail.ox.ac.uk with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
    (Exim 4.89)
    (envelope-from <xXbxiFzmbHpUBkFgaDKrcNFFwDwzmIDJEaHlPAEsgFqxaInjJX@paediatrics.ox.ac.uk>)

From: "XXX VOIP"
 <xXbxiFzmbHpUBkFgaDKrcNFFwDwzmIDJEaHlPAEsgFqxaInjJX@paediatrics.ox.ac.uk>

Using legitimate Oxford SMTP servers allowed the attackers to pass the
reputation check for the sender domain. In addition, there was no need to
compromise actual email accounts to send phishing emails because they could
generate as many email addresses as they wanted.
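The header chain above can be read mechanically. The following Python is added here as an example and is not part of Check Point's report: it unfolds the Received headers, walks them back to the originating hop, and flags the combination the text describes, an authenticated submission (esmtpsa) into the organisation's own SMTP server from an address outside its space, with a generated-looking envelope sender. The network prefixes passed to assess() are assumed from the relay addresses visible in the headers, not from Oxford's real allocation.

```python
import re

# Received chain of the campaign email as quoted in the report above, trimmed
# to the fields this analysis needs (continuation lines start with whitespace).
SAMPLE_HEADERS = """\
Received: from relay13.mail.ox.ac.uk (129.67.1.166) by
 MR2FRA01FT016.mail.protection.outlook.com (10.152.50.130)
Received: from smtp5.mail.ox.ac.uk ([163.1.2.207])
 by relay13.mail.ox.ac.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (envelope-from <xXbxiFzmbHpUBkFgaDKrcNFFwDwzmIDJEaHlPAEsgFqxaInjJX@paediatrics.ox.ac.uk>)
Received: from [194.35.233.10] (helo=[127.0.0.1])
 by smtp5.mail.ox.ac.uk with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (envelope-from <xXbxiFzmbHpUBkFgaDKrcNFFwDwzmIDJEaHlPAEsgFqxaInjJX@paediatrics.ox.ac.uk>)
"""

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
HOP_RE = re.compile(r"\bfrom\s+(.*?)\s+by\s+(\S+)(?:\s+with\s+(\S+))?")


def unfold(raw):
    """Join RFC 5322 continuation lines so that each header is a single string."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw):
    """Return hops as (source_ip, receiving_host, protocol), origin first."""
    hops = []
    for header in unfold(raw):
        m = HOP_RE.search(header) if header.startswith("Received:") else None
        if m:
            ip = IP_RE.search(m.group(1))  # first address in the 'from' clause
            hops.append((ip.group(0) if ip else None, m.group(2), m.group(3)))
    return hops[::-1]  # each relay prepends its header, so the last one is the origin


def assess(raw, org_domain, org_prefixes):
    """Heuristic: esmtpsa (authenticated submission) into the org's own server from
    outside the org's address space, plus a long random-looking envelope sender."""
    origin_ip, first_relay, proto = parse_received(raw)[0]
    inside = any(origin_ip.startswith(p) for p in org_prefixes)
    env = re.search(r"envelope-from\s+<([^>]+)>", raw)
    local = env.group(1).split("@")[0] if env else ""
    generated = len(local) >= 32 and local.isalpha() and not (local.islower() or local.isupper())
    return {
        "origin_ip": origin_ip,
        "submission_host": first_relay,
        "authenticated_submission": proto == "esmtpsa",
        "origin_inside_org": inside,
        "generated_sender": generated,
        "suspicious": proto == "esmtpsa" and not inside and first_relay.endswith(org_domain),
    }
```

Roaming users also submit mail from outside the organisation, so the origin check is a triage signal to combine with the sender heuristic, not a verdict on its own.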




FIRST STAGE: ABUSING SAMSUNG’S EMAIL REDIRECT

The technique of abusing the Adobe Campaign open redirect was initially
discovered in September 2019 on a domain belonging to Adobe itself. In the last
few months, it has been widely abused for phishing purposes. To evade detection,
attackers abuse open and reputable Adobe Campaign servers to redirect potential
victims to their own phishing websites. This means that the link embedded in the
phishing email is part of a trusted domain – one that unknowingly redirects
victims to the phishing website. In this case, the Adobe Campaign server belongs
to Samsung Canada.

https://t.email1.samsung[.]ca/r/?id=ff1b346f,303d531,303d53e&p1=8107023398&p2=8107023398&p3=DM15290&p4=https://compromised.site#user@company.com

How does this work?
t.email1.samsung[.]ca is a subdomain for Samsung-Canada email campaigns, which
hosts an Adobe Campaign server. The specially crafted URL contains a parameter
called p4 which provides the server with a different redirect destination for
each victim.

In our case, the attackers took the existing link from an old, but legitimate
Samsung Cyber Monday themed email campaign dating back to 2018. By changing the
p4 parameter, they repurposed it to redirect the victim to a domain they
controlled instead of https://samsung.com/ca/:

https://t.email1.samsung.ca/r/?id=hf1b346f,303d531,303d53e&p1=8107023398&p2=8107023398&p3=DM15290&p4=https://www.samsung.com/ca/?mkm_rid=8107023398&mkm_mid=DM15290&cid=ca_email_newsletter_holidaycybermonday_20181126_fr-x-x-viewproducts-x-x

By using the specific Adobe Campaign link format and the legitimate domain, the
attackers increased the chances for the email to bypass email security solutions
based on reputation, blacklists and URL patterns.

However, this is not the first time an Adobe Campaign on Samsung infrastructure
was used as a relay for phishing. According to urlscan, the
t.info.samsungusa[.]com domain has been used for phishing-related redirects
since February 2020.




SECOND STAGE: REDIRECT THE USER TO A COMPROMISED WORDPRESS SITE

The second layer of redirection is used to distance the final phishing page from
the original email.

In this case, the attackers used several compromised WordPress sites which
contain malicious redirect code.

Introducing another redirection layer enables the attackers to circumvent
security solutions that investigate the links within the email. Thus the URL
within the email points to a WordPress site instead of a suspicious-looking
phishing page.

The redirect code, which is added to the compromised site’s homepage HTML code,
also checks if the requested URL contains a # sign followed by an email address.
If this condition is met, it redirects the victim to the final phishing kit.

Redirection code on compromised WordPress sites.

As a result, only users that have an email address in the link will be
redirected, while users that enter the WordPress site directly do not notice any
changes. This trick can prevent the site owners from detecting the abuse of
their pages.




MORE REDIRECTS

A few days after the campaign launched, the attackers changed the URL inside the
emails to the following one:

https://t-email1.ottawashowers[.]ca/r/?id=ff1b346f,303d531,303d53e&p1=8107023398&p2=8107023398&p3=DM15290&p4=https://compromised.site&p5=user@company.com

This time, the compromised WordPress site was ottawashowers[.]ca. The attacker
set up the subdomain t-email1 and a redirection script in the /r/ folder to
mimic Adobe Campaign URLs. The parameters from the original Samsung campaign
were left unchanged.



Indication that the domain t-email1.ottawashowers[.]ca was created for the
purpose of the campaign.



Phishing attack scheme with compromised WordPress site for first redirect.

Later on in the campaign, the attackers changed the redirection method to be
independent of a specific domain or Adobe Campaign server. They compromised
multiple WordPress sites and set up a similar redirect on each of them (for the
full list, see the IOCs section).



Timeline of campaign with different redirect servers.

In addition to changing the redirect domains, the threat actors started to
change other (previously constant) parameters in the URL while preserving the
basic Adobe URL structure. The parameters are used to check the integrity of the
link, as well as to avoid detection by pattern-based engines (which will not
automatically block all Adobe Campaign redirects). If a parameter is manually
changed in this link, the server returns the message: AUTH FAILED.



Open directory listing on one of the compromised WordPress sites, showing the
newly created redirect folder r/.
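To make the URL-shape signals from this section and from the first-stage section concrete, here is an added Python example (not code from the report) that takes an Adobe-Campaign-shaped link apart: the redirector host, the p4 destination, and whether a victim address is tagged on in the fragment or in p5. The allowed-destination list is an assumed configuration; without it the 2018 Cyber Monday link is flagged too, which is exactly the pattern-matching limitation the text points out.

```python
import re
from urllib.parse import parse_qs, urlsplit

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Path suffixes the campaign used for its redirect scripts (/r/ and /o/ in the IOC list).
REDIRECT_PATHS = ("/r", "/o")


def base_domain(host):
    """Crude registrable domain (last two labels); enough for the hosts in this report."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyse_redirect_url(url, allowed_destinations=()):
    """Classify an Adobe-Campaign-shaped link: where does p4 send the user, and is a
    victim address tagged on in the fragment or in p5?"""
    u = urlsplit(url.replace("[.]", "."))  # accept defanged URLs as written in the report
    q = parse_qs(u.query)
    dest = urlsplit(q.get("p4", [""])[0])
    shaped = u.path.rstrip("/").endswith(REDIRECT_PATHS) and {"id", "p4"} <= set(q)
    external = bool(dest.netloc) and base_domain(dest.netloc) not in (
        base_domain(u.netloc), *allowed_destinations)
    tag = None
    for candidate in (u.fragment, q.get("p5", [""])[0]):
        m = EMAIL_RE.search(candidate)
        if m:
            tag = m.group(0)
            break
    if shaped and external:
        verdict = "phishing-like" if tag else "open-redirect"
    else:
        verdict = "ok"
    return {"redirector": u.netloc, "destination": dest.netloc, "campaign_shaped": shaped,
            "external_destination": external, "victim_tag": tag, "verdict": verdict}


# The three links quoted in the report: the phishing link, the 2018 Cyber Monday
# link it was derived from, and the later copy on a compromised WordPress site.
SAMPLES = [
    "https://t.email1.samsung[.]ca/r/?id=ff1b346f,303d531,303d53e&p1=8107023398&p2=8107023398&p3=DM15290&p4=https://compromised.site#user@company.com",
    "https://t.email1.samsung.ca/r/?id=hf1b346f,303d531,303d53e&p1=8107023398&p2=8107023398&p3=DM15290&p4=https://www.samsung.com/ca/?mkm_rid=8107023398&mkm_mid=DM15290&cid=ca_email_newsletter_holidaycybermonday_20181126_fr-x-x-viewproducts-x-x",
    "https://t-email1.ottawashowers[.]ca/r/?id=ff1b346f,303d531,303d53e&p1=8107023398&p2=8107023398&p3=DM15290&p4=https://compromised.site&p5=user@company.com",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(analyse_redirect_url(s, allowed_destinations={"samsung.com"}))
```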




PHISHING KIT

The final phishing kit was located on compromised WordPress sites. In some
cases, the phishing kit was located on sites designed to look like a Microsoft
login page. A separate virtual directory is created for each victim, so the
final URL is different for every victim, even on the same server.



Microsoft phishing page.

Most of the HTML code of the phishing pages is generated by JavaScript. The
phishing page is divided into multiple sections, and each section is obfuscated
with multi-byte XOR. For example, the <HEAD> section of the HTML page is a piece
of JavaScript code containing 2 hex blobs that are unescaped and evaluated.



Part of an obfuscated phishing page.

Decoding the first eval() statement reveals the decoding function.



First eval() statement after hex decoding.

This decoding function extracts encoded data (stored in tmp[0]) and XOR key
(stored in tmp[1]) from the argument and performs XOR between the data and the
key (loop in the code above).

The second eval() statement calls this decoding function and writes the final
HTML to the page with document.write():



Second eval() statement after hex decoding



Decoded <HEAD> section of HTML code

Because the HTML is generated at load time, all the pages look the same to the
user but have completely different source code. Together with the obfuscation,
this helps hide the code and its malicious intent from security software.
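An added Python reconstruction of the two-stage decoding described above (not the kit's own code): the blobs are JavaScript-unescaped, the second stage's argument is split into data and key, and the data is XORed with the repeating key. The separator between tmp[0] and tmp[1] and the hex encoding of the data half are assumptions, since the report does not show them; build_sample() constructs a page in that layout so the round trip can be checked offline.

```python
import re
from urllib.parse import quote, unquote

SEP = "|"  # assumed separator between data (tmp[0]) and key (tmp[1]); the report does not show it


def js_unescape(s):
    """Python equivalent of JavaScript unescape(): handles %uXXXX and %XX sequences."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def extract_eval_blobs(page):
    """Return the unescaped argument of every eval(unescape('...')) in page order."""
    return [js_unescape(b) for b in re.findall(r"eval\(unescape\('([^']*)'\)\)", page)]


def xor_decode(arg, sep=SEP):
    """Mirror of the kit's decoder: split into data and key, XOR with the key repeating.
    Assumes the data half is hex (an assumption); the key is used as raw bytes."""
    tmp = arg.split(sep)
    data, key = bytes.fromhex(tmp[0]), tmp[1].encode()
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data)).decode("utf-8", "replace")


def deobfuscate(page):
    """Stage 1 defines the decoder; stage 2 calls it inside document.write()."""
    stage1, stage2 = extract_eval_blobs(page)[:2]
    call = re.search(r'\w+\("([^"]+)"\)', stage2)  # the decoder call and its argument
    return stage1, xor_decode(call.group(1))


def build_sample(html, key):
    """Constructed sample in the layout the report describes (not the kit's real output)."""
    data = bytes(b ^ key.encode()[i % len(key)] for i, b in enumerate(html.encode())).hex()
    stage1 = "function d(s){var tmp=s.split('|');/* XOR loop over tmp[0] with tmp[1] */}"
    stage2 = 'document.write(d("%s%s%s"))' % (data, SEP, key)
    return "<script>eval(unescape('%s'));eval(unescape('%s'));</script>" % (
        quote(stage1, safe=""), quote(stage2, safe=""))


if __name__ == "__main__":
    page = build_sample("<head><title>Sign in to your account</title></head>", "k3y!")
    print(deobfuscate(page)[1])
```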




CONCLUSION

In this campaign, the attackers used multiple mechanisms to bypass security
solutions at each stage.

 * Utilizing an Oxford email server to send spam allows them to bypass the
   sender reputation filters and use generated email accounts instead of
   compromised actual accounts.
 * Links within the email point to a high reputation domain owned by Samsung.
 * A chain of redirects leads to a fully obfuscated phishing page.

During the short campaign period, the attackers continuously developed and
improved the redirection method to be independent of a specific domain and the
Adobe Campaign servers.

Check Point recommends that organizations use dedicated cloud and mail security
solutions. The fact that these campaigns thrive proves that native security
solutions are easy to bypass – dedicated solutions are essential to remove
threats from incoming email and to protect your cloud infrastructure.

Adobe took the relevant actions to prevent this type of attack through its
server across all customers.




APPENDIX A: IOCS

Redirect servers:


Compromised WP sites hosting Office 365 phishing kits or intermediate redirects:

