Blue Hexagon Blog

Deep Learning Threat Detection Reveals Details Behind Targeted Phishing Campaigns – Part One

Blue Hexagon Threat Lab Detects Two Phishing Sites, Including One In Development

Phishing scams continue to be a popular attack vector for hackers for three simple reasons: they’re easy to execute, they’re effective, and they make money. They are also becoming more sophisticated. 

Phishing scams use crafty emails with malicious links or attachments to trick people into handing over their sensitive data, such as electronic credentials to financial accounts, by creating rogue websites that are almost indistinguishable from their legitimate counterparts. Stolen credentials are then used to gain control of the accounts to steal money, commit fraud, or gain access to information that hackers can use to escalate an attack. 

Most of the domains used in sophisticated phishing scams only last for a short duration—typically four to eight hours—in order to avoid being detected as malicious by traditional cybersecurity defenses. Even in this short window, however, these sites are effective in infecting a large enough pool of victims that the effort involved in this practice is lucrative. In fact, hackers have become so efficient at creating, launching, and taking down new phishing sites that it is difficult for traditional cyber defense technologies to keep up. That means most newly created phishing sites will not be detected and blocked once they are activated. Note the low VirusTotal scores for the domains associated with this research (Figs 1.1, 1.2, 1.3).

Figure 1.1: Low Virustotal Detection for the phishing url hxxp://hastilyfing.co.kr/x/

Figure 1.2: Low Virustotal Detection for the phishing url hxxp://hastilyfing.co.kr/x/surf2.php

Figure 1.3: Low Virustotal Detection for the phishing url hxxp://hastilyfing.co.kr/cgi-bin/

Detailed Analysis

Using deep learning-based threat detection techniques, however, Blue Hexagon Threat Lab not only detected and blocked a new phishing domain in the wild, but also detected a phishing attack under development. Today we’ll look at the two domains we found, and tomorrow we’ll examine the killchain our analysis tracked as the attack unfolded. 

Case One: Rogue Chase Bank Login Page 

The first phishing website we discovered was a rogue Chase Bank site, created for the purpose of tricking unsuspecting targets into logging in to their accounts and thus providing credentials to the hackers. Chase Bank is one of the so-called “big four” banks in the U.S. That hackers would impersonate the Chase brand is not a surprise. According to the 2017 WebRoot Quarterly Threat Trends Report, in the first half of 2017 Chase Bank ranked 2nd on the list of top 10 impersonated domains. 

The rogue Chase Bank landing (Figure 2) and login (Figure 3) pages are superficially indistinguishable from the actual pages. This level of design detail greatly increases the chances of a Chase Bank customer falling prey to this attack. The rogue Chase site also had an option to reset the victim’s username. When clicked, the victim would be prompted for their email address and email password. In both cases, upon entering the prompted credentials the victim would be redirected to the real Chase Bank website. 

It is interesting to note that the threat actor behind this site was not only interested in stealing the user’s bank account login details, but also in harvesting their personal email account details. Active email addresses have additional value to hackers who can use them in other campaigns or, bundled, for sale on the open market.
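The hand-off described above, where the rogue page takes the credentials and then sends the victim on to the real bank site, leaves a recognisable trace in web proxy logs. The following Python is an added example, not Blue Hexagon's detection method; the record layout, the `bank.example`, `phish.example` and `phish2.example` domains, and the 10-second window are constructed assumptions.

```python
from urllib.parse import urlsplit

BRAND_DOMAINS = {"bank.example"}  # assumption: domains of the brand being protected
WINDOW_S = 10                     # assumption: max seconds between POST and hop to brand

# Constructed proxy records: (epoch_s, client, method, url, status, location, referer)
SAMPLE = [
    (100, "10.0.0.5", "GET", "http://phish.example/", 200, "", ""),
    (130, "10.0.0.5", "POST", "http://phish.example/login", 302,
     "https://www.bank.example/", ""),
    (200, "10.0.0.7", "POST", "https://www.bank.example/auth", 302,
     "https://www.bank.example/home", ""),
    (300, "10.0.0.9", "POST", "http://phish2.example/reset", 200, "", ""),
    (304, "10.0.0.9", "GET", "https://www.bank.example/", 200, "",
     "http://phish2.example/reset"),
    (400, "10.0.0.8", "POST", "http://shop.example/cart", 302,
     "http://shop.example/done", ""),
]

def host(url):
    return (urlsplit(url).hostname or "").lower()

def is_brand(h):
    # Exact match or true subdomain; "bank.example.evil.example" does not match.
    return any(h == d or h.endswith("." + d) for d in BRAND_DOMAINS)

def find_harvest_redirects(records):
    """Flag POSTs to a non-brand host that hand the user to the brand site."""
    hits, pending = [], {}
    for ts, client, method, url, status, location, referer in sorted(records):
        h = host(url)
        if method == "POST" and not is_brand(h):
            if 300 <= status < 400 and is_brand(host(location)):
                hits.append((client, h, "server-redirect"))
            else:
                pending[client] = (ts, h)  # watch for a client-side hop
        elif client in pending and is_brand(h):
            post_ts, post_host = pending.pop(client)
            if ts - post_ts <= WINDOW_S and host(referer) == post_host:
                hits.append((client, post_host, "client-side-hop"))
    return hits

if __name__ == "__main__":
    for hit in find_harvest_redirects(SAMPLE):
        print(hit)
```

A hit is a lead for triage rather than a verdict: legitimate single sign-on and payment flows can also POST on one domain and land on another, so known partners belong in an allowlist.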


Figure 2: Rogue Chase Bank Login Page

Figure 3: Rogue Chase Bank Login Page identity verification process

Figure 4: Real Chase Bank Login Page

Case Two: Phishing Website Under Development 

In Case One, the impersonation of a well-known financial brand for the purpose of plundering a bank account is what you might expect of a phishing scheme. But in the process of analyzing the fraudulent Chase Bank attack, our researchers observed activity that led to the discovery of a new campaign under development. The second instance included completed fraudulent phishing websites as well as a site under development, all part of a larger campaign, in progress, targeting organizations in the healthcare industry. Before it could be activated and used in the ongoing scam, the domain (Fig. 5) was taken offline. But we gained a lot of interesting insights through our investigation and analysis.


Figure 5: Phishing website under development hxxp://hastilyfing.co.kr/cgi-bin/

In the attack we detected, which targeted a health insurance company, a single threat actor assumed five distinct identities, each made to appear like a company involved in legitimate business with the target organization. These identities included pharmaceutical companies based in Hong Kong and Germany, a Hong Kong-based property management firm, and two Italian hospitality companies. 

Tomorrow we will provide more details, including screenshots of the websites involved and emails used, registration and hosting information, a stolen identity used for registration, the type of malware and delivery method, SMTP servers used for exfiltration, and an extensive list of indicators of compromise revealed in this campaign. 

Despite the techniques used to obfuscate the nature of these attacks and the resulting low threat scores associated with both the active site and the site in development, the Blue Hexagon deep learning platform, powered by our HexNet architecture, demonstrated once again that deep learning-based threat detection is able to recognize even previously unknown threats before they can affect an organization under attack.