Threat Advisory - June 12 2024

THREAT ADVISORY

The URL https://punchbowllinvtt.life/ has been determined to be malicious by BitDefender, MalwareBytes, and ScamAdviser as of June 12^th, 2024.

June 18, 2024

Presentation: 

The URL is associated with a phishing website that has been found to impersonate Adobe. 

Suspicious Indicators: 

There are clues in the ways that the phishing website presents itself that can be used to detect and avoid similar phishing websites. Antivirus software can’t detect all phishing attacks. So, it’s useful for human beings to learn how a phishing website can present itself. Here’s what to look for:

• A spoofed Adobe Document Cloud OAuth login screen asks users to choose an email provider in order to open their document-- Outlook, AOL, Office365, Yahoo!, or “Other Mail”. A legitimate SaaS (Software-as-a-Service) provider would never ask a user to enter their email provider credentials. If any email related information is needed from a user, a legitimate SaaS provider will only ask for a user’s email address, which is a lot less sensitive than a username and password. The former only facilitates an entity to send an email to a user, the latter would grant an entity access to the user’s email account, especially if MFA (multifactor authentication) isn’t enabled.

• If a user chooses one of the listed email providers, a new popup will appear that will impersonate an OAuth interface for the spoofed provider. For instance, Outlook is confirmed to be impersonated in this attack.

• The spoofed Adobe Document Cloud OAuth login screen contains some incorrect usage of English. Specifically, the copyright notice at the bottom: “CopyRight© 2022 Adobe system incorporated, All right reserved.” For comparison, here’s the copyright notice on the legitimate Adobe Document Cloud login screen at https://auth.services.adobe.com: “Copyright © 2024 Adobe. All rights reserved.”

• None of the domains and URLs that are shown in the address bar when on the phishing website are associated with Adobe. The phishing website uses these domains: “https://punchbowllinvtt.life”. If the domain name doesn’t contain “adobe.com”, it’s not the real Adobe. Legitimate Adobe SaaS authentication screens use the “auth.services.adobe.com” subdomain. 

• These clues can be used to spot other phishing websites. Always look at the address bar in the web browser carefully. Never give a third-party SaaS application your full email service credentials. Be on the lookout for imperfect English. Not all phishing websites will present these indicators.

MITRE ATT&CK Techniques:

This attack has been found to use five of the techniques in the MITRE ATT&CK database. 

• T1583.001 Domains, “Adversaries may acquire domains that can be used during targeting.”
  
• T1553.002 Code Signing, “Adversaries may create, acquire, or steal code signing materials to sign their malware or tools.”
• T1566 Phishing "Adversaries may send phishing messages to gain access to victim systems."
  
• T1071, T1568.002, T1071.004, Command & Control, these three techniques are all associated with command and control servers. Threat actors use command and control servers to send additional malware and malicious commands to compromised endpoints. Command and control servers are also often used by threat actors to conduct espionage on compromised endpoints.