Are You GDPR Compliant?

Area 1 Security - Threat Research Team September 23, 2020

A new campaign is attempting to harvest credentials from several businesses across industry verticals using the European Union’s General Data Protection Regulation (GDPR) compliance as a lure. This phishing message, first caught by Area 1 Security on August 31st, leverages misconceptions regarding GDPR compliance in an effort to steal email login credentials from unsuspecting targets.

The phish uses a classic tactic of creating a false sense of urgency to fool recipients into complying with the request. The attacker lures targets under the pretense that their email security is not GDPR compliant and requires immediate action. For many who are not versed in GDPR regulations, this phish could be merely taken as more red tape to contend with rather than being identified as a malicious message.

As shown below, the attacker makes use of graphics and clever formatting to give the message a more credible, authoritative appearance. To maintain the illusion that the email originated from a legitimate source, the sender email address is spoofed to appear as an automated message from the security department of the targeted company. To keep the lure current, the attacker also regularly updates the compliance deadline (the “Action required” date) included in the body of the message.


Based on Area 1 Security’s analysis, this campaign is predominantly launched at public-facing emails of the targeted companies, e.g. <info>@<target company domain>.com. To a lesser extent, however, there are instances when individuals are targeted, typically executives and upper management. These individuals often work in the sales department, indicating that the attacker is deliberately choosing targets who are likely to have access to client data and need to comply with GDPR regulations.

In the initial wave of the campaign, the attacker sent phishing messages from a Virtual Private Server (VPS) IP address belonging to ReadyIDC, 103[.]22[.]183[.]95. Using a VPS allows the attacker a greater degree of anonymity when conducting phishing campaigns since it is extremely difficult to pinpoint their physical location. They are able to leverage all the benefits of using a cloud-based service, as well as the ability to easily spin up new servers in the event that their IP address gets blocked or otherwise identified as phishing infrastructure.

A careful inspection of the headers in one of the first instances of this phish reveals a misstep by the threat actor when launching their campaign. As detailed below, despite successfully spoofing the visible FROM header, the envelope MAIL FROM address divulges that the attacker sent their malicious messages via a Gmail account.

MAIL FROM:<<redacted>@gmail.com>
From: <redacted>@<targeted company’s domain>
To: <public-facing targeted company’s email account>
Subject: User account security alert
Date: 31 Aug 2020 22:17:43 +0700

This mistake is quickly rectified in subsequent phishing messages, where the attacker successfully spoofs not only the visible From address but also the envelope MAIL FROM domain of the targeted companies. However, these “stealthier” messages expose yet another blunder, as evidenced by the presence of a “Disposition-Notification-To” header. This header indicates that read-receipts are enabled, meaning the attacker will be notified when a target opens the malicious email. This once again discloses the sender account, which happens to be the same Gmail address as identified in the first wave of the campaign.

On the second day of the campaign (September 1st) the attacker began using a forged SMTP HELO name that tells receiving mail servers the phishing message originated from the target company’s domain, when in fact it came from an entirely different origin. This is a common tactic used by malicious actors to spoof legitimate domains and easily bypass legacy email security solutions. As shown in the following headers, the true origin of the email is the IP address 196[.]53[.]250[.]243:

<redacted>@<targeted company’s domain>; spf=None
<redacted>@<targeted company’s domain>; spf=None
<redacted>@<targeted company’s domain>
Received: from unknown (HELO <targeted company’s domain>)
([196[.]53[.]250[.]243])
by <redacted>.com with ESMTP; 01 Sep 2020 05:19:33 -0400
From: <redacted>@<targeted company’s domain>
To: <email of employee at targeted company>
Subject: Email User security alert
Date: 1 Sep 2020 16:19:07 +0700
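The two header blunders above (the envelope MAIL FROM and the Disposition-Notification-To header that both name the real Gmail account, and the forged HELO that claims the target’s domain from a foreign IP) are all things a mail gateway or SOC analyst can check mechanically. The following script is an added example, not Area 1 Security’s code. Both sample messages are constructed to mirror the first and second waves of the campaign: example.com stands in for the targeted company’s domain, 192.0.2.10 for its real outbound mail server, and 198.51.100.9 / 203.0.113.7 (documentation ranges) for the attacker’s VPS and second-wave IP. The envelope sender is taken from the Return-Path header the receiving server writes, since the raw MAIL FROM command is not present in a stored message.

```python
"""Header-consistency checks for the two spoofing patterns described above.

Added example, not Area 1 Security's code. Both sample messages are
constructed: example.com stands in for the targeted company's domain,
192.0.2.10 for its real outbound mail server, and 198.51.100.9 /
203.0.113.7 (documentation ranges) for the attacker's VPS and second-wave IP.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# First wave: visible From spoofed, but the envelope sender (Return-Path here)
# still names the Gmail account the message was really sent from.
FIRST_WAVE = """Return-Path: <someone@gmail.com>
Received: from vps.example.net (vps.example.net [198.51.100.9])
  by mx.example.com with ESMTP; 31 Aug 2020 11:17:50 -0400
Authentication-Results: mx.example.com; spf=none smtp.mailfrom=gmail.com
From: "Security Department" <alerts@example.com>
To: info@example.com
Subject: User account security alert
Date: 31 Aug 2020 22:17:43 +0700

Your email security is not GDPR compliant. Action required.
"""

# Second wave: envelope and HELO both claim example.com, but the connecting IP
# is foreign and a Disposition-Notification-To header leaks the same account.
SECOND_WAVE = """Return-Path: <alerts@example.com>
Received: from unknown (HELO example.com) ([203.0.113.7])
  by mx.example.com with ESMTP; 01 Sep 2020 05:19:33 -0400
Authentication-Results: mx.example.com; spf=none smtp.mailfrom=example.com
From: "Security Department" <alerts@example.com>
Disposition-Notification-To: <someone@gmail.com>
To: info@example.com
Subject: Email User security alert
Date: 1 Sep 2020 16:19:07 +0700

Your email security is not GDPR compliant. Action required.
"""

# Matches the "from <rdns> (HELO <name>) ([<ip>])" form seen in the post.
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s+\(\[?(?P<ip>[\d.]+)\]?\)",
    re.IGNORECASE,
)


def domain_of(addr):
    """Lower-cased domain part of an RFC 5322 address, or '' if none."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()


def parse_received(value):
    """(reverse-DNS name, HELO name, connecting IP) from a HELO-style Received header."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    return (m["rdns"], m["helo"].lower(), m["ip"]) if m else None


def analyze(raw, our_domain, our_mail_ips):
    """Return (code, detail) findings for a raw message that claims our_domain."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    envelope_dom = domain_of(msg["Return-Path"])
    if envelope_dom != from_dom:
        findings.append(("envelope-mismatch", f"MAIL FROM domain {envelope_dom} vs From domain {from_dom}"))
    dnt_dom = domain_of(msg.get("Disposition-Notification-To"))
    if dnt_dom and dnt_dom != from_dom:
        findings.append(("read-receipt-leak", f"read receipts go to {dnt_dom}"))
    # The last Received header is the first hop, i.e. where the message entered.
    for value in reversed(msg.get_all("Received", [])):
        hop = parse_received(value)
        if hop and hop[1] == our_domain and hop[2] not in our_mail_ips:
            findings.append(("helo-spoof", f"HELO {hop[1]} from non-company IP {hop[2]}"))
    auth = (msg.get("Authentication-Results") or "").lower()
    if from_dom == our_domain and "spf=none" in auth:
        findings.append(("spf-none", "claims our domain but SPF returned no result"))
    return findings


if __name__ == "__main__":
    for name, raw in (("first wave", FIRST_WAVE), ("second wave", SECOND_WAVE)):
        for code, detail in analyze(raw, "example.com", {"192.0.2.10"}):
            print(f"{name}: {code}: {detail}")
```

Run stand-alone it prints two findings for the first-wave sample (envelope mismatch, no SPF result) and three for the second (read-receipt leak, HELO spoof, no SPF result). The Received walk is bottom-up because the bottom-most header is the hop at which the message entered the mail path, which is the only one the attacker cannot rewrite.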

The attacker switched to this IP address to launch the second wave of the campaign. Depicted below is a screenshot of a vulnerable and shoddy gaming site, Ran Smok, which is directly accessible via this IP (i.e., hxxp://196[.]53[.]250[.]243). The site links to various web pages that result in “Access denied,” and the IP address has been associated with numerous suspicious websites over the years. An analysis of available services running on the IP address reveals that port 25 (used by the Simple Mail Transfer Protocol, or SMTP) is running in a filtered state, and is most likely how the attacker is sending the phishing messages. A closer look at the list of open ports on the IP address reveals a number of additional services that should never be open to the internet, thus leaving the host at this IP exceedingly vulnerable, and all-the-more enticing to an attacker.


Analysis of Link

The malicious payload in this phish is a link to a credential harvester, located at hxxps://www[.]techgaia[.]com/wp-content/email/ID/sign_in/dc0b80571c76818f4f5916ff6668eyrtsaaadaf8/completesrvr/verification/Src/?email=<redacted>. The value of the “email” parameter in the URL will vary depending on the recipient, wherein the threat actor tailors each phishing message by setting this parameter equal to the target’s email address. The link opens up to a simple web page, hosted on a compromised WordPress site, as shown below.

The HTML form on the malicious webpage auto-populates the username field based on the email address found in the URL’s “email” parameter. After clicking “Next,” the page will prompt the user to enter a password. Based on Area 1 Security’s analysis, the page appears to return an error regardless of whether or not the victim enters a correct password. Stolen credentials are then sent to the attacker via a script located at hxxps://www[.]techgaia[.]com//wp-content/email/ID/sign_in/dc0b80571c76818f4f5916ff6668eyrtsaaadaf8/completesrvr/verification/Src/l0gin[.]php.

Area 1 Security’s analysis revealed that www[.]techgaia[.]com is the older, now-defunct site for a revamped IT consulting services company. The site was running an outdated version of WordPress (version 4.9.7), making it susceptible to a number of vulnerabilities. Its content has since been removed, and navigating to the domain now results in an HTTP 301 redirect. The vulnerable nature of this site made it easy prey, providing the perfect opportunity for an attacker to insert themselves into the fray and leverage the historic legitimacy of the site to bypass detections. With the ease of compromising unmaintained, vulnerable WordPress sites, it will only take the attacker a matter of days (at most) to resume operations with a new, otherwise legitimate site. As a result, legacy vendors that rely on deny lists to block suspect messages will be one step behind the attacker.

Recommendations

For companies that deal with sensitive customer data, it is important to be knowledgeable in the latest data security and privacy regulations for the respective industry and region. New data privacy laws, such as the California Consumer Protection Act, are requiring businesses to ensure that consumers residing in California are able to opt-out of data collection. All the while, GDPR currently remains the most stringent regulation in consumer data privacy. It is vital to communicate with all employees any updates regarding new protocols for handling Personally Identifiable Information (PII) to help ensure those in your organization do not fall victim to phishing attacks that rely on confusion from unclear or nonexistent communication regarding these regulations.

Additionally, it is imperative that employees understand the risks of clicking on unsolicited links and entering sensitive data into unauthorized login portals. However, current technology allows an attacker to easily create a phish that is a pixel-perfect forgery of a legitimate login page. Therefore, the safer, more secure option is to utilize a dedicated security solution; one that uses bleeding-edge technology to verify emails before they arrive in a user’s inbox, removing the risk of accidentally clicking a malicious link or file.

Area 1 Security’s advanced detection techniques, such as blind URL inspection, help stop phishing messages like those seen in this GDPR campaign from reaching customers’ inboxes. Our comprehensive anti-phishing solution includes sophisticated pattern-matching algorithms that allow us to uncover new tactics malicious actors are using to bypass legacy vendors and cloud email providers in real time versus waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time. This has many advantages over post-delivery retraction in that the user is never exposed to the attack.

Indicators of Compromise

Credential Harvesters:

https://www[.]techgaia[.]com/wp-content/email/ID/sign_in/dc0b80571c76818f4f5916ff6668eyrtsaaadaf8/completesrvr/verification/Src/?email=<redacted>

https://www[.]techgaia[.]com//wp-content/email/ID/sign_in/dc0b80571c76818f4f5916ff6668eyrtsaaadaf8/completesrvr/verification/Src/l0gin[.]php

Sender IP Addresses:

196[.]53[.]250[.]243

103[.]22[.]183[.]95
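The two harvester URLs above differ only by a doubled slash and the trailing l0gin.php, and the “Analysis of Link” section notes that the actor rewrites the “email” parameter per recipient, so a responder matching these indicators against mail logs or a quarantined message needs to normalize before comparing rather than look for exact strings. The script below is an added example, not Area 1 Security’s tooling: it keeps the post’s indicators in defanged form, refangs in memory, collapses repeated slashes, matches on the harvester directory rather than the full URL, and pulls out the targeted mailbox from the query string so the owner of that mailbox can be warned. The sample message body is constructed, and info@example.com stands in for a targeted address.

```python
"""Match URLs and IPs in message text against the defanged IoC list above.

Added example, not Area 1 Security's tooling. The sample message body is
constructed; info@example.com stands in for a targeted mailbox.
"""
import re
from urllib.parse import parse_qs, urlsplit

# IoCs from the post, kept defanged so the file itself carries no live links.
IOC_URLS = [
    "https://www[.]techgaia[.]com/wp-content/email/ID/sign_in/"
    "dc0b80571c76818f4f5916ff6668eyrtsaaadaf8/completesrvr/verification/Src/?email=<redacted>",
    "https://www[.]techgaia[.]com//wp-content/email/ID/sign_in/"
    "dc0b80571c76818f4f5916ff6668eyrtsaaadaf8/completesrvr/verification/Src/l0gin[.]php",
]
IOC_IPS = ["196[.]53[.]250[.]243", "103[.]22[.]183[.]95"]

# Constructed message body: a tailored harvester link plus the second-wave IP.
SAMPLE_BODY = """Action required before 05 Sep 2020:
Confirm your account at hxxps://www[.]techgaia[.]com/wp-content/email/ID/sign_in/dc0b80571c76818f4f5916ff6668eyrtsaaadaf8/completesrvr/verification/Src/?email=info@example.com
Connection came from 196[.]53[.]250[.]243 (HELO example.com)."""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(text):
    """Turn the usual defanging conventions back into live indicators."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("[:]", ":")


def defang(indicator):
    """Defang a single URL or IP for safe display in a report."""
    return re.sub(r"^http", "hxxp", indicator.replace(".", "[.]"))


def canonical_path(url):
    """Lower-cased host plus slash-collapsed path, used for prefix matching.

    The two harvester URLs differ only by a doubled slash and the trailing
    page, so collapsing repeated slashes lets one rule cover both.
    """
    parts = urlsplit(url)
    path = re.sub(r"/{2,}", "/", parts.path) or "/"
    return parts.netloc.lower() + path


# Harvester directories: everything up to the last slash of each IoC path.
IOC_DIRS = {canonical_path(refang(u)).rsplit("/", 1)[0] + "/" for u in IOC_URLS}
IOC_IP_SET = {refang(ip) for ip in IOC_IPS}


def targeted_mailbox(url):
    """The per-recipient 'email' parameter the actor tailors, if present."""
    values = parse_qs(urlsplit(url).query).get("email")
    return values[0] if values else None


def match_iocs(text):
    """Return (kind, defanged indicator, targeted mailbox) for each IoC hit in text."""
    live = refang(text)  # works on live mail and on defanged reports alike
    hits = []
    for url in URL_RE.findall(live):
        path = canonical_path(url)
        # Prefix match: the actor appends l0gin.php or changes the query
        # string without moving the harvester directory.
        if any(path.startswith(d) for d in IOC_DIRS):
            hits.append(("url", defang(url), targeted_mailbox(url)))
    for ip in IP_RE.findall(live):
        if ip in IOC_IP_SET:
            hits.append(("ip", defang(ip), None))
    return hits


if __name__ == "__main__":
    for kind, indicator, mailbox in match_iocs(SAMPLE_BODY):
        print(kind, indicator, mailbox or "")
```

Matching on the harvester directory rather than the exact URL is the practical trade-off the post’s closing paragraph points to: the actor can change the page name or the query string in minutes, but moving the directory on a compromised site means re-doing the compromise. When the actor moves to a fresh site, as the post expects, a list like this goes stale and the header checks earlier in the campaign analysis are what remain useful.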

© 2021 Area 1 Security