We have been observing a steady rise in credential phishing attacks over the last month. This method of attack is quite popular, where attackers make use of fake login pages or forms to steal credentials of commonly used services in a corporate environment.
Apart from commonly targeted cloud services like Office 365, Amazon Prime, Adobe, etc., we are also seeing credential phishing attacks impersonating commonly used software services from other countries like South Korea and cryptocurrency wallets.
Here we take a look at some of the very latest developments and tactics being used by attackers.
Office 365 continues to be the top phishing target
In the last month, the bulk of the credential phishing attacks were serving fake Outlook and Office 365 (O365) login pages, which is due primarily to the ubiquity of Office 365 services bing across corporate environments.
Looking at the distribution of Office 365 credential phishing campaigns targeting industry sectors, we can see airline duty-free shop login credentials being targeted, which explains the significant contribution of the travel industry to this – in fact, more than 50 percent overall. The other industry sectors observed include Health & Medicine at 26.8 percent, followed by Science & Technology, Energy, and Insurance, all representing 7.3 percent of the Office 365 phishing campaign targets.
Phishing on cloud services
There has also been an uptick in the number of phishing pages being hosted on popular cloud services. While services like Azure, One Drive, Firebase, Box, and Dropbox continue to be leveraged to host phishing pages, one interesting addition to this list that we came across last month was a phishing page hosted on the popular note-taking app Evernote.
Evernote is a trusted personal app, which is used by corporate users for tracking daily tasks, and for storing and organizing personal documents and notes in a single place. This makes it a viable platform for attackers to host phishing content and links, and also makes it easier for them to lure the user into giving away their credentials.
Phishing tactics
Attackers are always trying to come up with different tactics to bypass detection solutions. Below, we look at some of the common tactics that are actively being used to serve phishing content.
1. Usage of data URLs and/or encoding to mask content
In a specific phishing HTML page content, we observed the use of Data-URLs to hide the actual javascript code that posts credentials to a remote URL, and to encode and embed all custom CSS/Images on the page itself.
The advantages of using this mechanism include the following:
- Allows the entire phishing page content to be rendered on a browser in a single load within the client.
- Adding the “Content-Encoding: gzip” header allows the server to send the compressed response.
- There would be no additional resource requests (Javascript/CSS/Images etc).
- This is an attempt to evade solutions that rely on the “Content-Type” header to determine resources like Javascript/CSS.
2. Dynamic content generation
One interesting tactic that was observed with an Office 365 phishing campaign: this campaign seems to be appending the user’s email address on the URL, the phishing page path is dynamically generated, and the user’s email address is automatically filled.
Given the path for the phishing landing page is dynamically generated, the path name is fairly long with random characters. There are two parts separated by the slash (/) character. The first part is a randomly generated folder name, followed by a randomly generated .php file.
The advantages of using this mechanism include the following:
- Individual files in a Phishing Kit are usually bundled together as a ZIP archive and hosted on the Phishing Domain server.
- Phishing Kit signatures look for file patterns inside the ZIP archive (for e.g. submit2.php).
- This dynamic generation of .php files is a mechanism used by the Phishing Kit to evade signatures that rely on filename/filepath patterns.
3. Downloading local files as a decoy for serving the phishing page
Another commonly used tactic seen was to use local HTML/PDF decoy files to load phishing content. In a specific example targeting Daum, a popular web service provider in South Korea, visiting the phishing landing page first downloads a decoy HTML file to the endpoint. The email is appended to the URL as a parameter, and on visiting, immediately triggers a download to the endpoint. Once the local HTML file is opened, the actual phishing form is loaded with the filled username. Having a decoy file like this to load the phishing form is an attempt to evade detection solutions that might use machine learning or pattern matching on the HTTP response content.
The advantages of using this mechanism include the following:
- Decoy files allow loading content on the client machine, without fetching remote content from a server.
- Content Inspection mechanisms will be bypassed since the content is loaded locally.
- Any phishing solution relying on logo detection mechanisms will also be bypassed.
4. Dynamic loading of brand logos
Phishing pages often make use of APIs like ClearBit to dynamically load company-specific logos instead of generic Microsoft or Outlook logos. In this case, the phishing page tries to search for a company-specific logo using the Clear Bit Logo API. If not found, regular Microsoft or Office logos are used.
The advantages of using this mechanism include the following:
- Allows attackers to dynamically impersonate brand logos without making an API call to the original site (for example microsoft.com/paypal.com)
Cybercriminals are trying to add complexity in order to carry out phishing campaigns to steal sensitive information. With free services like Let’s Encrypt, it is becoming easier for attackers to host phishing sites behind SSL with a relatively short TTL for maximum hit rate.
Increasing cybersecurity awareness through the use of training and education initiatives is often helpful in reducing the impact of credential phishing attacks, but corporate users should be cautious when a site presents a form that asks for personal or sensitive information.
Source: ITProPortal
Let The Cloud Consultancy Help Keep Your Organisation Secure