Wednesday, 15 April 2020

Outlook Calendar File (ICS file format) used for Wells Fargo Phishing

Attackers are always looking for ways to evade security detection mechanisms. Even in credential phishing attacks, they find ways to evade the URL detection mechanisms used in security products.

One such method is embedding URLs in other file formats, such as PDFs and MS Office files (doc, xls and so on).

Today I found an instance of a phishing attack in which the attackers embedded a malicious phishing URL inside an ICS file. ICS is the calendar file format used by Outlook; an ICS file corresponds to an entry on the calendar, i.e. an appointment.

MD5 hash of the ICS file: 0986e7cbdef080dada8dee9c55542c37

At the time of writing there are 0 detections on VT for this file.

Figure 1: 0 detections on VT.

The malicious URL is present inside the calendar appointment.

Below are the different stages in this attack.

Stage 1: Calendar invitation opened and displayed in MS Office Outlook.

Figure 2: ICS file opened in MS Office Outlook.

Stage 2: The URL is present inside the Calendar appointment.

Figure 3: Phishing URL present inside calendar appointment.

Sharepoint Phishing URL: hxxps://

Stage 3: A Sharepoint site is used to host the phishing content, as shown below.

Figure 4: Sharepoint page hosting the content and phishing link.

The content of this page pretends to be from the Fraud Prevention Team of Wells Fargo and requires the user to click a link to take further action.

Stage 4: When the user clicks the link on the above page, it redirects to the URL: hxxps://

Contents of the page are shown below.

Figure 5: Wells Fargo phishing page.

This page requests several pieces of sensitive information from the user, such as username, password, email address, 4-digit card PIN and account number.

Conclusion: Users should pay extra attention when opening calendar invitations, and security products should take the necessary measures to scan ICS files. As can be seen, there are 0 detections on VT for this file even though it contains a live phishing URL.
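As an added example (not code from the original post), the Python helper below shows what scanning an ICS file for embedded URLs involves: it unfolds iCalendar lines per RFC 5545, undoes TEXT escapes and pulls URLs out of each property, so a mail gateway or sandbox could hand them to URL reputation checks. The sample invite and its hostnames are constructed.

```python
"""Extract URLs from iCalendar (.ics) content so they can be scanned.

Added example, not code from the original post. Handles RFC 5545 line
folding (a continuation line starts with SPACE or HTAB) and TEXT escapes,
so a URL split across folded lines in DESCRIPTION is still recovered.
"""
import re

# Constructed sample invite: the DESCRIPTION carries a folded URL.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Account verification\r\n"
    "DESCRIPTION:Please review your account at https://example-shar\r\n"
    " epoint.example/sites/review\\nThanks\r\n"
    "LOCATION:https://example.test/meet\r\n"
    "URL:https://example.test/invite\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def unfold(raw: str) -> list[str]:
    """Join folded lines: CRLF followed by SPACE/HTAB continues the previous line."""
    lines: list[str] = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def unescape_text(value: str) -> str:
    r"""Undo TEXT escapes: '\,' -> ',', '\;' -> ';', '\n' -> newline, '\\' -> '\'."""
    return re.sub(r"\\([\\,;nN])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def extract_urls(raw: str) -> dict[str, list[str]]:
    """Map each property name (DESCRIPTION, LOCATION, URL, ...) to the URLs in its value."""
    found: dict[str, list[str]] = {}
    for line in unfold(raw):
        if ":" not in line:
            continue
        name_params, value = line.split(":", 1)  # params (;TZID=...) precede the colon
        name = name_params.split(";", 1)[0].upper()
        urls = URL_RE.findall(unescape_text(value))
        if urls:
            found.setdefault(name, []).extend(urls)
    return found
```

Splitting on the first colon is enough for the common properties shown here; a production parser should also cope with quoted parameter values that themselves contain colons.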
