In July 2020, researchers at ThreatLabZ observed an increase in the use of voicemail as a theme for social engineering attacks. Through the intelligence gathered from the Zscaler cloud, we discovered several newly registered domains that use VoIP and voicemail as themes for their credential-stealing phishing campaigns. In the most recent instance we saw, attackers were spoofing Cisco’s Unity Connection voicemail platform.
This social engineering campaign is specifically designed to reach end users in large enterprises. The use of voicemail delivered in an email message, and the use of phishing pages that spoof enterprise applications, such as Office 365 and Outlook, signal the attackers’ motives. If successful in obtaining a user’s credentials, attackers can access confidential data from the enterprise, potentially selling it or holding it for ransom. They can also leverage company information to launch targeted attacks, which can give them an even greater foothold in the network and cause extensive damage and potential loss for the enterprise.
In this blog, we will describe how the current attacks are being carried out, the campaign’s variants and evasion techniques, and the various social engineering tactics in use.
Contents of the email are crafted to mimic a system-generated voicemail notification, luring the user to open the attachment to access the recorded voice message as shown in Figure 1.
Figure 1: Email message spoofing a voicemail notification
HTML attachment analysis
We observed different variants of HTML attachments used in these credential-phishing campaigns.
Figure 2: Contents of HTML attachment
We discovered more than 200 HTML email attachments of this variant, and we observed the following similarities between them.
- All of these HTML attachments followed the naming convention: Play_VN_<string_of_11_digits>.html
- An icon of a telephone was used in the filename for social engineering purposes
- All these HTML attachments have a very low detection rate on VirusTotal as shown in Figure 3 below.
Furthermore, the first sample of this variant was observed in the wild on April 21, 2020; the fact that this theme is still being used suggests that the threat actors have achieved decent success with it.
Figure 3: No detection against AV engines, as seen on VirusTotal
The decoded content shown in Figure 5 uses the meta-refresh tag to redirect the user to the target credential phishing site.
Figure 5: Decoded content which uses meta-refresh tag to redirect
Unlike common credential-phishing landing pages, in this case there is no information related to the brand being targeted. This allows the threat actors to bypass many automated URL analysis engines and extend the campaign's survival.
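As an added example (not code from the blog or from Zscaler), the following Python triage helper checks an inbound HTML attachment against the two attachment traits described above: the Play_VN_<11 digits>.html naming convention (with an optional leading icon character) and a meta-refresh redirect to an external site. The blog does not state how the attachments' markup was encoded, so the two sample attachments below are constructed, one as plain HTML and one assumed to be wrapped in a JavaScript unescape() call over percent-encoded markup, which the helper decodes before looking for the meta-refresh target.

```python
import re
import urllib.parse
from typing import Optional

# Constructed sample attachments (not samples from the campaign). The hostname
# example.invalid is a reserved placeholder, not a real phishing site.
SAMPLE_PLAIN = (
    '<html><head><meta http-equiv="refresh" '
    'content="0; url=http://example.invalid/?e=user@example.com"></head></html>'
)
# Assumed obfuscation layer: the markup is percent-encoded and written out via unescape().
SAMPLE_ESCAPED = (
    '<script>document.write(unescape("%3Cmeta%20http-equiv%3D%22refresh%22%20'
    'content%3D%220%3Burl%3Dhttp%3A%2F%2Fexample.invalid%2Fmail%22%3E"))</script>'
)

# Filename pattern from the campaign: optional non-word prefix (the telephone icon),
# then Play_VN_ followed by exactly 11 digits and the .html extension.
FILENAME_RE = re.compile(r"^[^\w]*Play_VN_\d{11}\.html$")

# <meta http-equiv="refresh" content="0; url=..."> in either attribute order.
META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']+)',
    re.IGNORECASE,
)
UNESCAPE_RE = re.compile(r'unescape\(\s*["\']([^"\']+)["\']\s*\)', re.IGNORECASE)


def matches_naming_convention(filename: str) -> bool:
    """True if the attachment name follows the Play_VN_<11 digits>.html pattern."""
    return bool(FILENAME_RE.match(filename))


def decode_layers(html: str) -> str:
    """Peel the assumed unescape() layer; plain HTML passes through unchanged."""
    m = UNESCAPE_RE.search(html)
    return urllib.parse.unquote(m.group(1)) if m else html


def extract_meta_refresh_target(html: str) -> Optional[str]:
    """Return the URL a meta-refresh tag would send the browser to, or None."""
    m = META_REFRESH_RE.search(decode_layers(html))
    if not m:
        return None
    parts = m.group(1).split(";", 1)  # "0; url=http://..." -> ["0", " url=http://..."]
    if len(parts) < 2:
        return None
    target = parts[1].strip()
    if target.lower().startswith("url="):
        target = target[4:].strip().strip("'\"")
    return target or None


def triage_attachment(filename: str, html: str) -> dict:
    """Combine both indicators into a verdict a mail gateway could act on."""
    target = extract_meta_refresh_target(html)
    name_hit = matches_naming_convention(filename)
    return {
        "filename_matches": name_hit,
        "redirect_target": target,
        # Either trait alone is worth a look; both together match this campaign closely.
        "suspicious": name_hit or target is not None,
    }


if __name__ == "__main__":
    print(triage_attachment("\u260e Play_VN_12345678901.html", SAMPLE_PLAIN))
    print(triage_attachment("invoice.html", SAMPLE_ESCAPED))
```

The redirect target returned by extract_meta_refresh_target is the value worth feeding into URL reputation checks; because the landing page itself carries no brand information, the attachment-level redirect is often the earliest signal a gateway gets.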
Figure 8 shows a sample packet capture which highlights the method used to exfiltrate the stolen credentials to the attacker’s site. It sends the credentials in the Base64-encoded format.
It is important to note that in the first attempt, this phishing page will always give the "password incorrect" message, which prompts users to enter their passwords more cautiously the next time.
Figure 8: Packet capture showing credentials being exfiltrated
Captcha-based evasion technique
In one of the campaigns related to voicemail, attackers used Google’s reCAPTCHA on the landing page to evade automated URL analysis, as shown in Figures 9 and 10.
Figure 9: Google’s reCAPTCHA used for evading automated URL analysis
Figure 10: Google reCAPTCHA used as a security challenge on the phishing page for evasion
Users will be redirected to the main credential-phishing page after solving the captcha. The final phishing page spoofs the Microsoft Office 365 login page, as shown in Figures 11 and 12.
Figure 11: Credential-phishing landing page to steal Office 365 credentials
Figure 12: Office 365 phishing page
XYZ top-level domain abuse
Below is a list of domains we identified that were registered between June and mid-July 2020 and were used by the threat actor(s) for conducting credential-phishing campaigns using the voicemail theme.
These domains share some similarities in their naming convention:
- All the domains use the .xyz top-level domain (TLD)
- The domain names contained keywords such as “voip,” “voicemail,” and “sms” for social engineering purposes
- Most of these domains were registered with the German-based hosting service: “1und1”
- The URL pattern used for credential phishing is: hxxp://domain_name.xyz/?e=<email_address>
- The parameter e in the URL corresponds to the recipient's email address
- If the URL is accessed directly without the email address in the URL as a parameter, the user will be redirected to the office.com site
We can see that the attackers took several measures to ensure that automated URL analysis cannot be performed and the URLs look convincing to the end user.
Other TLDs abused by the threat actor in this campaign are .club and .online. The complete list of domains used in this variant of the campaign is given in the Indicators of Compromise (IOCs) section at the end of this blog.
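The naming and URL traits listed above can be turned into a simple proxy-log heuristic. The Python below is an added example, not Zscaler's detection logic, and runs over a few constructed log lines (timestamp, client IP, method, URL; the hostnames are made up and use the reserved corp.example domain for the recipient addresses). It scores each URL on the three traits the blog reports: an abused TLD (.xyz, .club, .online), a voip/voicemail/sms keyword in the hostname, and an e= query parameter carrying an email address. The threshold of two matching traits is an assumption chosen for this example.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlparse

SUSPECT_TLDS = {"xyz", "club", "online"}
THEME_KEYWORDS = ("voip", "voicemail", "sms")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed proxy log lines (not from the Zscaler cloud). Format assumed:
# <timestamp> <client_ip> <method> <url>
SAMPLE_LOG = """\
2020-07-10T09:12:01Z 10.0.0.5 GET http://voicemail-center.xyz/?e=alice@corp.example
2020-07-10T09:12:07Z 10.0.0.8 GET https://www.example.com/index.html
2020-07-10T09:13:44Z 10.0.0.9 GET http://smsvoip-portal.club/?e=bob@corp.example
2020-07-10T09:15:02Z 10.0.0.5 GET http://voip-news-test.xyz/
"""


def score_url(url: str) -> List[str]:
    """Return the list of campaign traits this URL exhibits (empty if none)."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reasons: List[str] = []

    # Trait 1: registered under one of the TLDs abused in the campaign.
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in SUSPECT_TLDS:
        reasons.append(f"tld:{tld}")

    # Trait 2: voicemail/VoIP themed keyword in the hostname.
    kws = [k for k in THEME_KEYWORDS if k in host]
    if kws:
        reasons.append("keyword:" + ",".join(kws))

    # Trait 3: the ?e=<email_address> parameter that pre-fills the victim's address.
    e_param = parse_qs(p.query).get("e", [""])[0]
    if EMAIL_RE.match(e_param):
        reasons.append("email-in-e-param")

    return reasons


def flag_log(log_text: str, min_score: int = 2) -> List[Tuple[str, List[str]]]:
    """Return (url, reasons) for every log line scoring at least min_score traits."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash
        url = fields[3]
        reasons = score_url(url)
        if len(reasons) >= min_score:
            hits.append((url, reasons))
    return hits


if __name__ == "__main__":
    for url, reasons in flag_log(SAMPLE_LOG):
        print(url, "->", ", ".join(reasons))
```

The last log line is the edge case the blog describes: the URL is visited without the e= parameter, which on the real sites only redirects to office.com. It still scores two traits here, so an analyst sees the domain before any credential-theft attempt completes; raising min_score to 3 would restrict hits to requests that carry a victim address.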
Cisco Unity Connection spoofed theme
On July 6, 2020, we observed in the Zscaler cloud several connection attempts to the domain: secure.ciscovoicemail.cf which is a site created by the threat actor to spoof Cisco’s Unity Connection voicemail portal, as shown in Figure 13.
Figure 13: Web page spoofing Cisco Unity Connection – voicemail portal
An icon of an audio file is displayed to the user. Once this icon is clicked, the user is redirected to the credential-phishing landing page, which is designed to target multiple brands, as shown in Figure 14.
Figure 14: Landing page targeting multiple brands
Below is the list of brands targeted by this campaign.
- Office 365
- Outlook Web Access (OWA)
- Others (generic)
Once the user clicks on any of the above links, a corresponding phishing page is displayed. As an example, the OWA phishing page is displayed (Figure 15) when the user clicks the “Outlook Web Access” link on the web page.
Figure 15: OWA phishing page
Zscaler’s detection status
Zscaler’s multilayered cloud security platform detects indicators at various levels, as seen here:
This threat actor leverages well-crafted social engineering techniques and combines them with evasion tactics designed to bypass automated URL analysis solutions to achieve better success in reaching users and stealing their credentials.
As an extra precaution, users should not open attachments in emails sent from untrusted or unknown sources. As a best practice, in general, users should verify the URL in the address bar of the browser before entering any credentials.
The Zscaler ThreatLabZ team will continue to monitor this campaign, as well as others, to help keep our customers safe.
Indicators of Compromise (IOCs)
Domains using voicemail and VoIP themes