Executive Summary

A SafeGuard Cyber executive protection client was recently targeted by a threat actor with a spear-phishing message on LinkedIn. The message came from a trusted account that had been compromised, and attempted to lure the victim with a reference to a job opportunity. The lure led to a legitimately hosted document that in turn contained a malicious link. Because the link in the message itself points to a legitimate host, this methodology subverts traditional link analysis; SafeGuard Cyber was nevertheless able to detect and respond to the attack through the use of Natural Language Processing (NLP).

Key Points

  • SafeGuard Cyber observed a spear-phishing attack in which a threat actor used a compromised account as part of a campaign targeting cybersecurity executives.
  • The lure directed victims to a legitimately hosted document that contained a link to a malicious credential-harvesting site. The extra hop was used to circumvent traditional URL analysis, which only inspects the link present in the message.
  • SafeGuard Cyber was able to detect and respond to the phishing attack through the use of our social engineering Natural Language Processing (NLP) policies.

Background

Spear phishing remains one of the most serious threats facing executives. A SafeGuard Cyber client, a cybersecurity executive, was recently targeted by a LinkedIn social engineering attack in which they received a direct message baiting them with the promise of a "prestigious high profile management position."

The link in the message pointed to a legitimate document hosting site that served a benign document, but that document contained a second link, purportedly leading to the job details in encrypted form. Instead it led to a credential-harvesting site that asked the victim to enter their email credentials.

The attacker leveraged Adobe Spark, a popular document hosting site, to deliver their content. The Spark page displayed an Office 365 logo to bolster its legitimacy, and lower down the page presented the text "CLICK HERE TO REVIEW THE WEB DOCUMENT". It was this text link that directed the browser to the malicious website.

Screenshots (from top of page to bottom): [images not reproduced]
Redirect URL: https://simoxingenieria[.]com/adminscript/web/login/view/index.php
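The reason URL reputation misses this lure is that it only ever sees the first hop. The following added example (not SafeGuard Cyber's code or platform logic) follows the first hop one level and analyses the links the hosted page itself contains. The page content, the hostname spark.example and the fetch function are constructed stand-ins so the script runs offline; the only real indicator it uses is the redirect host listed above, refanged for a string comparison and never contacted.

```python
"""Added example: one-hop link expansion for a lure whose first link is benign."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the legitimately hosted page. spark.example is a
# hypothetical hostname; the anchor text mirrors what the write-up describes.
FIRST_HOP = "https://spark.example/page/job-offer"
PAGES = {
    FIRST_HOP: """<html><body>
<img src="/img/office365.png" alt="Office 365">
<h1>Prestigious high profile management position</h1>
<p>The job details are available in an encrypted web document.</p>
<a href="https://simoxingenieria.com/adminscript/web/login/view/index.php">
CLICK HERE TO REVIEW THE WEB DOCUMENT</a>
<a href="/terms">Terms of use</a>
</body></html>""",
}

# Denylist seeded with the redirect host reported in this write-up (refanged).
KNOWN_BAD_HOSTS = {"simoxingenieria.com"}
# Anchor-text cues that typically sit on the pivot link of a hosted lure (assumption).
CTA_PATTERNS = ("click here", "review the", "view document", "sign in", "log in")


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # normalise whitespace
            self.links.append((self._href, text))
            self._href = None


def fetch(url):
    """Offline stand-in for an HTTP GET. A production fetcher would go through a
    sandboxed, non-attributable egress and cap size, redirects and timeouts."""
    return PAGES.get(url, "")


def analyse_first_hop(url):
    """Return one record per link on the page behind `url`, with the reasons a
    defender cares about. The first hop itself is assumed to have passed URL
    reputation, exactly as in the incident described above."""
    parser = LinkExtractor()
    parser.feed(fetch(url))
    origin_host = urlparse(url).hostname
    findings = []
    for href, text in parser.links:
        target = urljoin(url, href)            # resolve relative links
        host = urlparse(target).hostname or ""
        reasons = []
        if host != origin_host:
            reasons.append("off_domain")       # leaves the hosting site
        if host in KNOWN_BAD_HOSTS:
            reasons.append("known_bad_host")   # hits the denylist
        if any(p in text.lower() for p in CTA_PATTERNS):
            reasons.append("call_to_action_text")
        suspicious = "known_bad_host" in reasons or (
            "off_domain" in reasons and "call_to_action_text" in reasons)
        findings.append({"url": target, "host": host, "text": text,
                         "reasons": reasons, "suspicious": suspicious})
    return findings


if __name__ == "__main__":
    for f in analyse_first_hop(FIRST_HOP):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['url']} {f['reasons']}")
```

The off-domain plus call-to-action combination is what catches the pivot link even when the destination is not yet on any denylist; the denylist check is there for the case, as here, where VirusTotal already knows the host.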

Summary

VirusTotal, a web-based service that aggregates verdicts from multiple antivirus engines and URL scanners, flagged the URL within the document as a phishing attempt. The webpage was also automatically blocked by Microsoft SmartScreen, as shown below.

If these warnings are bypassed, the page displays a list of email providers the user can choose from to log in. Clicking the "Gmail" option redirects the user to a page that imitates the legitimate Gmail login screen. We believe this page is used to harvest account credentials for use in future campaigns.

Screenshots: [images not reproduced]
Impact

This attack technique is notable because it effectively subverts malicious URL detection. Hosting the lure on a legitimate document hosting site provides a level of obscurity that fools traditional defenses: the SafeGuard Cyber platform has link and file analysis capabilities to detect phishing links, but they were not triggered on this event because the initial link was legitimate.

We discovered the social engineering attack through our Natural Language Processing capabilities, which are tuned to detect social engineering language within messages. This allowed our system to detect and stop the campaign.
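The page does not describe how SafeGuard Cyber's NLP policies are built, so the following is an added illustration, not their implementation: a deliberately simple lexicon-based scorer that looks for several independent social-engineering cues in a message (flattery, a job lure, a call to action, a credential request, secrecy) and flags a message only when enough distinct cues co-occur. The cue categories, word lists and threshold are my assumptions, and the three messages are constructed, with the first modelled on the lure described above.

```python
"""Added example: co-occurrence scoring of social-engineering cues in a message."""
import re

# Hypothetical lexicon. Each category counts once no matter how many terms hit,
# so a message must combine several tactics before it is flagged.
SIGNALS = {
    "flattery": re.compile(
        r"\b(prestigious|high[- ]profile|exclusive|hand[- ]?picked|selected)\b", re.I),
    "job_lure": re.compile(
        r"\b(position|role|opportunity|management|executive)\b", re.I),
    "call_to_action": re.compile(
        r"\b(click here|review the|open the|see the attached|log ?in|sign ?in)\b", re.I),
    "credentials": re.compile(
        r"\b(password|credentials?|verify your (?:email|account)|email address)\b", re.I),
    "secrecy": re.compile(r"\b(encrypted|confidential|private)\b", re.I),
}
THRESHOLD = 3  # assumed: three or more distinct cue categories


def score_message(text):
    """Return (score, categories) where score is the number of distinct cue
    categories present in `text`."""
    hits = sorted(name for name, rx in SIGNALS.items() if rx.search(text))
    return len(hits), hits


def is_social_engineering(text, threshold=THRESHOLD):
    """True when the message combines at least `threshold` distinct cues."""
    return score_message(text)[0] >= threshold


# Constructed sample messages; the first mirrors the lure in this write-up.
SAMPLES = [
    ("lure", "Hello, I came across your profile and would like to offer you a "
             "prestigious high profile management position. The job details are "
             "in an encrypted web document, please click here to review the document."),
    ("benign", "Great to connect! I enjoyed your talk at the conference last week. "
               "Let's grab a coffee sometime."),
    ("recruiter", "We have an open security engineering position on our team; "
                  "details are on our careers page."),
]


def triage(samples=SAMPLES):
    """Score every (label, text) pair; returns a list of (label, score, hits, flagged)."""
    out = []
    for label, text in samples:
        score, hits = score_message(text)
        out.append((label, score, hits, score >= THRESHOLD))
    return out


if __name__ == "__main__":
    for label, score, hits, flagged in triage():
        print(f"{label:10} score={score} flagged={flagged} {hits}")
```

The point of counting categories rather than keywords is precision: a genuine recruiter message naturally contains "position" or "role", but it rarely also flatters the target, pushes an immediate click and promises encrypted or confidential content in the same breath. Real NLP policies would add context a regex cannot see (sender history, conversation state, embeddings), but the co-occurrence idea is the part that survives when the URL itself looks clean.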

Attacks like this demonstrate the lengths adversaries go to in order to get around known checks, and why defenders need to think creatively to detect these tactics.