
TxTag Takedown: Busting Phishing Email Schemes

By: Ethan Hermanns & Cole Adkins, Cofense Phishing Defense Center

Have you received any alerts in your inbox recently telling you that your account will be suspended unless you pay the balance immediately? Interacting with emails like this could jeopardize not only your personal info but also your company’s reputation. As summer approaches, threat actors are ramping up their phishing efforts, launching numerous targeted campaigns. Below, we highlight an example to help you recognize these tactics and empower you to be the first line of defense against phishing threats. 

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that leverages a .gov domain to trick employees into believing they owe an unpaid toll. It employs a sense of urgency, letting the employee know that if the balance is not paid immediately, it could lead to penalties or vehicle registration holds. The main objective of the threat actor is to capitalize on the situation by making the employee feel like it is urgent, so they can harvest the employee’s personal information/credentials.

Figure 1: Email Body

The threat actor's use of the GovDelivery system (a platform several government agencies use to communicate broadly with the public across a variety of topics) is an attempt to increase legitimacy, though in this case with a notable discrepancy: the email claims to be from Texas but uses Indiana's GovDelivery instance.

After attempting to establish legitimacy with a known tool, the email uses fear to provoke the user into clicking the included link, through the mention of penalties or issues with vehicle registration. Hovering over the link shows txtag-help[.]xyz (defanged) as the domain. This is another attempt at establishing legitimacy by using 'txtag' in the domain name, albeit under the .xyz TLD (top-level domain). While less common, .xyz is a TLD that Cofense has observed threat actors use at various stages of phishing campaigns.
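As an added defender-side example (not code from the Cofense post), the following Python scans email text for links whose host carries the abused brand keyword but is not on a verified allowlist, and it accepts the defanged form (hXXps://, [.]) used for the IOCs at the end of this post. The allowlist entry, the watched-TLD set and the sample lines are constructed assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: two defanged links from this campaign plus one
# hypothetical allowlisted link so the legitimate path is exercised.
SAMPLE_LINES = [
    "Pay now: hXXps://txtag-help[.]xyz/pay",
    "Update your address at hXXps://txtag-help[.]xyz/address",
    "Official site: https://txtag.example.gov/account",  # placeholder, not a real TxTag URL
    "Nothing to see here",
]

# Brand keyword the campaign abuses; allowlist and TLD watchlist are assumed placeholders
# that a defender would replace with their own verified values.
BRAND_KEYWORDS = ("txtag",)
ALLOWED_DOMAINS = {"txtag.example.gov"}
WATCHED_TLDS = {"xyz"}

# Matches both live (http/https) and defanged (hXXp/hXXps) links.
URL_RE = re.compile(r"(?i)\bh(?:tt|xx)ps?://[^\s<>\"']+")


def refang(url: str) -> str:
    """Turn a defanged IOC (hXXps://, [.]) back into a real URL for parsing."""
    return re.sub(r"(?i)^hxxp", "http", url).replace("[.]", ".").replace("(.)", ".")


def lookalike_findings(lines):
    """Return one finding per suspicious link, with the reasons it was flagged.

    The keyword check runs over the full hostname, so a brand name placed in a
    subdomain of an unrelated site is caught as well as one in the registered domain.
    """
    findings = []
    for line in lines:
        for raw in URL_RE.findall(line):
            url = refang(raw)
            host = (urlsplit(url).hostname or "").lower()
            if host in ALLOWED_DOMAINS:
                continue  # verified legitimate host; nothing to report
            reasons = []
            if any(kw in host for kw in BRAND_KEYWORDS):
                reasons.append("brand keyword in unverified host")
            if host.rsplit(".", 1)[-1] in WATCHED_TLDS:
                reasons.append("watched TLD")
            if reasons:
                findings.append({"url": url, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in lookalike_findings(SAMPLE_LINES):
        print(f["url"], "->", ", ".join(f["reasons"]))
```

The hostname split used here is deliberately simple; production code should resolve the registered domain with the Public Suffix List before comparing against an allowlist.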

Figure 2: Phishing Page

Once the user clicks the link in the email, they are taken to the webpage shown above, hosted on txtag-help[.]xyz. The user is shown an image of a tag, a welcome message, and a short notice that makes an additional attempt to instill fear via late fees. The user is then presented with a link to the next page.

Figure 3: Phishing Page

This is when the phish begins levying a toll of its own. Through a form, it seeks to collect contact information, including the user's name, email address, phone number, and mailing address, and then prompts the user onward to the next page. It keeps the TxTag branding and uses the same domain. One indicator that this isn't legitimate, beyond the domain being unrelated to the State of Texas, is what is missing: the page does not require the user to log in. Legitimate toll systems typically prompt the user to log in. Additionally, this information would in most cases already be on file, since the user would have signed up for the service before this interaction.

Figure 4: Phishing Page

After the user fills in the requested information and moves on to the next page, they're shown the crux of the phish: a form gathering credit card details. During the investigation, the PDC found that the user must input the correct number of digits for the code on the back of a credit card to be able to progress to the next part of the phishing scam.

Figure 5: Phishing Page

Lastly, upon submission the phishing page appears to attempt to process the payment and may display an error message stating the card is not supported. It then asks the user to try a new card; if those details are provided, the attackers possess them as well.

Campaigns such as these effectively exploit two key tactics: instilling fear of consequences for non-compliance, and mimicking a well-known service. When combined, these strategies create a highly effective approach for threat actors to achieve their goals, making such campaigns likely to persist. This highlights the importance of going beyond traditional perimeter defense by integrating human expertise into the email security process. By doing so, organizations can identify and mitigate threats that bypass conventional malicious indicators. Solutions such as Cofense's Managed Phishing Detection and Response offer a combination of human intelligence and advanced technology to help detect phishing attacks that secure email gateways (SEGs) miss.


Observed Email Infection URLs:

hXXps://txtag-help[.]xyz/

hXXps://txtag-help[.]xyz/address

hXXps://txtag-help[.]xyz/login

hXXps://txtag-help[.]xyz/pay

Infection URL IP(s):

43.166.239.78


All third-party trademarks referenced by Cofense, whether in logo form, name form, or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of endpoint protections are based on observations at a point in time, based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog, are registered trademarks or trademarks of Cofense Inc.

*** This is a Security Bloggers Network syndicated blog from Cofense authored by Cofense. Read the original post at: https://cofense.com/blog/txtag-takedown-busting-phishing-email-schemes