On July 26th, ThreatConnect published an analysis of a coordinated phishing attack against Bellingcat, an investigative journalism website that specializes in fact-checking and open-source intelligence. Known for their work investigating Russia, Bellingcat researchers were carefully chosen targets, as stated by Bellingcat’s Eliot Higgins on Twitter.
Highly focused, the phishing campaign targeted only ten individuals, who have been identified by investigative journalist Christo Grozev. These include some researchers who do not work for Bellingcat but do investigate Russia.
ProtonMail, the email service used in the phishing attack, published a short statement, which included some fascinating details on the phishing attack from their perspective.
In this article, we’ll explore a different angle on this campaign by analyzing it from the unique outside-in perspective of RiskIQ. RiskIQ data reveals multiple phishing campaigns involving different tactics beyond those covered in the ThreatConnect analysis.
The earliest activity we see for this campaign was the attackers registering mailprotonmail.com on June 27th, 2019. They also obtained a Let’s Encrypt certificate for it on the same day, which we observed being served from 184.108.40.206, the same IP to which the mailprotonmail.com domain pointed.
We then observed the same certificate being served from 220.127.116.11 at the beginning of July. This IP address was mainly used later in the campaign for other phishing domains (more on this in the infrastructure investigation portion of this article).
The cyber attackers sent emails to a very select pool of targets indicating a possible breach of the integrity of the target’s ProtonMail account. Under the subject line, “Someone exported your encryption keys,” the cyber attackers sent the following message:
The July emails contained links to mail.protonmail.sh, with paths of /password and /keys. These URLs redirected targets to the final phishing pages on a new host, mailprotonmail.ch. Interestingly, the exact URL visited did not matter; the server behind mail.protonmail.sh was configured to always 301 redirect visitors to mailprotonmail.ch:
The final landing page was a copy of the real ProtonMail app. We can see they did not rely on the caching mechanism ProtonMail typically has in place, but all other resources match up perfectly:
The design of the phishing page shown to the visitor matched the ProtonMail app login prompt:
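The link-host/landing-host pattern described above (a lookalike host that 301-redirects every path to a second lookalike host) is something a mail gateway or URL sandbox can flag directly. The following is an added example, not RiskIQ’s code: it classifies brand-lookalike hosts and summarises a redirect chain. The sample URLs are constructed from the hosts and paths named in this article, and the legitimate-domain set plus the naive two-label registered-domain split are assumptions (no public-suffix list).

```python
"""Flag ProtonMail-lookalike hosts and cross-host redirect chains (added example)."""
from urllib.parse import urlsplit

BRAND = "protonmail"
# Assumption: only these registered domains may legitimately carry the brand string.
LEGIT_DOMAINS = {"protonmail.com", "protonmail.ch"}


def registered_domain(host: str) -> str:
    """Naive registered domain = last two labels (assumption; no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(host: str) -> bool:
    """True when the brand string appears in a host not under a legitimate domain."""
    if registered_domain(host) in LEGIT_DOMAINS:
        return False
    # Drop dots/hyphens so 'mail.protonmail.sh' and 'secure-protonmail' both match.
    flattened = host.lower().replace(".", "").replace("-", "")
    return BRAND in flattened


def analyze_chain(start_url: str, redirects: list) -> dict:
    """Summarise a link and the ordered Location targets that followed it.

    Verdict is 'phish' when the chain lands on a lookalike host; the cross-host
    flag captures the link-host != landing-host pattern seen in the July lures.
    """
    hosts = [urlsplit(u).hostname or "" for u in [start_url] + list(redirects)]
    return {
        "start_host": hosts[0],
        "final_host": hosts[-1],
        "cross_host_redirect": len(set(hosts)) > 1,
        "lookalike_hosts": sorted({h for h in hosts if is_lookalike(h)}),
        "verdict": "phish" if is_lookalike(hosts[-1]) else "clean",
    }


# Constructed chains modelled on the June/July lures (hosts and paths from the article).
SAMPLE_CHAINS = [
    ("https://mail.protonmail.sh/password", ["https://mailprotonmail.ch/login"]),
    ("https://mailprotonmail.com/login", []),
    ("https://mail.protonmail.com/login", []),  # genuine host, should stay clean
]

if __name__ == "__main__":
    for start, hops in SAMPLE_CHAINS:
        print(analyze_chain(start, hops))
```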
As we stated at the beginning of this article, the recent coverage looked explicitly at the July campaign and its activity and associated infrastructure. We can confirm these spear-phishing attacks have been happening since late June.
On June 27th, we observed the registration of mailprotonmail.com mentioned above, which the attackers used in earlier spear-phishing emails. The lure in these emails was slightly different from the July campaign: simple login pages. The emails contained links to /login on mailprotonmail.com.
We observed our first hits for these phishing emails soon after the domain was set up. Here is a crawl from the end of June:
The setup for this phishing page was the same as in the later July attacks; only the lure sent to the targets was slightly different. The targets identified in the July attacks might be part of a broader set, but we do not think it will expand beyond individuals who investigate Russia.
There was another campaign before the June and July campaigns using phishing pages hosted through my.secure-protonmail.com. This continuation of phishing attempts tells us the cyber attackers were highly focused on their targets. The duration of their campaign might also tell us they weren’t quite finished.
While a lot of infrastructure is suspected to belong to this group, including infrastructure used in other threat campaigns, we will only list the infrastructure confirmed by RiskIQ crawlers.
Additionally, all infrastructure pieces provided here are also available in a RiskIQ Community project (no need to register or authenticate) here:
The earliest IP infrastructure we have pinned down for this campaign dates to April, when 18.104.22.168 started being used for a few domains:
The second IP address, 22.214.171.124, was used by the actors between mid-June and early July:
The domains registered by the attackers tell a different story, however. Domain infrastructure was being registered as far back as March of this year. Here is the full set of associated domains, sorted by registration/creation date, with the registrar used:
Additionally, the attackers make use of the free Let’s Encrypt certificate service. You can track parts of the infrastructure by looking up the domain names against our expansive SSL certificate database. For example, here are two serial numbers for two of the domains that can be tracked through infrastructure (serial numbers will not be updated or changed when certificates are extended with Let’s Encrypt):