Phishing attacks are an excellent first-entry vector, with technical details that are frequently overlooked by both white-hat and black-hat hackers.
Having participated in multiple phishing campaigns over the years, on both offensive and defensive teams, I have learned by trial and error a lot of things to pay attention to. This article tries to summarize them.
Although phishing campaigns are usually associated with social engineering, they have technical components you need to be aware of in order to be successful. Some of the topics we will cover (superficially) are:
I know a big percentage of readers only go through the first lines of an article, so let me give you my best advice right now. The first thing you need to understand is that a phishing attack doesn’t necessarily have to start with an email. Yes, we will mostly cover phishing through email in this story, but there are multiple ways in which you could arrive at a phishing site.
Also, not every phishing site is after your credentials or your credit card, or wants you to download a malicious file. I’ve heard a lot of people say that as long as you don’t download any file and don’t input your credentials or credit-card details anywhere, you can click on everything you get sent. This is not true.
I’ve participated in multiple assessments where our entry point was someone clicking on a URL they shouldn’t have, which ran a script in their browser through an XSS.
Or maybe the attacker wants your browser to send a request that performs an action on your behalf, exploiting a CSRF vulnerability.
Or maybe they just want to exploit your outdated browser with something like Metasploit’s browser autopwn (https://blog.rapid7.com/2015/07/15/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter-part-1/).
Maybe they want to hook your browser with BeEF (https://beefproject.com/).
Maybe the link isn’t even a URL but a UNC path, and someone inside your network is waiting to capture or relay the NTLM credentials your machine sends when it tries to open it (https://github.com/lgandx/Responder-Windows).
Maybe it’s one of the NTLM credential-leak issues that recently showed up in remote-conferencing software during the quarantine, in both Zoom (https://thehackernews.com/2020/04/zoom-windows-password.html) and TeamViewer (https://thehackernews.com/2020/08/teamviewer-password-hacking.html): in each case the client could be made to open an attacker-controlled SMB share, and Windows then sends the user’s NTLM credentials to it, ready to be cracked or relayed.
I could go on, but I’ll stop and hope I’ve given you enough examples to prove the point.
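To make the point above concrete, here is an added example (not from the original post) that pulls every link out of a constructed HTML email body and reports what kind of target it is and which host it would actually contact. A UNC path or a file://host/share link is the interesting case: opening it makes Windows attempt SMB authentication to that host, which is exactly what a tool like Responder captures. The userinfo trick (https://trusted.example@evil-host/) is included because the visible "domain" in that link is not the host the browser connects to. The email body, the hosts (RFC 5737 documentation addresses) and the risk labels are all constructed for this example.

```python
"""Triage the link targets in an HTML email body (added example, not the post's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample email body; 203.0.113.x are documentation addresses, not real hosts.
SAMPLE_HTML = r"""
<p>Your document is ready: <a href="https://portal.example.com/doc/1">Open</a></p>
<p>Or from the share: <a href="\\203.0.113.7\docs\report.docx">report.docx</a></p>
<p>Legacy link: <a href="file://203.0.113.7/docs/report.docx">old link</a></p>
<p><a href="https://portal.example.com@203.0.113.9/login">Sign in</a></p>
<p><a href="javascript:alert(document.cookie)">Help</a></p>
"""

# \\host\share[\path]: the host is where Windows will try to authenticate (NTLM over SMB).
UNC_RE = re.compile(r"^\\\\([^\\\s]+)\\([^\\\s]+)")


class _HrefCollector(HTMLParser):
    """Collects the href of every <a> in the body, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value is not None:
                    self.hrefs.append(value)


def classify_link(href: str) -> dict:
    """Return the kind of target, the host it would contact, and a risk label."""
    href = href.strip()
    m = UNC_RE.match(href)
    if m:
        return {"kind": "unc", "host": m.group(1), "share": m.group(2),
                "risk": "ntlm-auth-to-host"}
    parts = urlsplit(href)
    scheme = parts.scheme.lower()
    if scheme == "file":
        # file:///local/path has no host; file://host/share is SMB again.
        host = parts.hostname
        return {"kind": "file", "host": host,
                "risk": "ntlm-auth-to-host" if host else "local-file"}
    if scheme in ("javascript", "vbscript", "data"):
        return {"kind": scheme, "host": None, "risk": "script-in-link"}
    if scheme in ("http", "https"):
        # .hostname drops the userinfo part, so "https://portal.example.com@203.0.113.9/"
        # resolves to 203.0.113.9; the decoy text is kept so a reviewer can see it.
        entry = {"kind": scheme, "host": parts.hostname, "risk": "web"}
        if parts.username is not None:
            entry.update(risk="userinfo-decoy", decoy=parts.username)
        return entry
    return {"kind": scheme or "relative", "host": parts.hostname, "risk": "unknown"}


def triage_links(html: str) -> list[dict]:
    """Extract and classify every link in an HTML body."""
    collector = _HrefCollector()
    collector.feed(html)
    return [{"href": h, **classify_link(h)} for h in collector.hrefs]


if __name__ == "__main__":
    for entry in triage_links(SAMPLE_HTML):
        print(entry)
```

Running it against the constructed body reports two links that would make Windows authenticate to 203.0.113.7, one HTTPS link whose real host is 203.0.113.9 despite the "portal.example.com" decoy, and one javascript: link; only the first link is an ordinary web URL. Any link in the first three groups deserves a block or a rewrite at the gateway regardless of what the page behind it looks like.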
A pair of recent campaigns aim to lift credentials and other personal information under the guise of Amazon package-delivery notices.
Amazon in the era of COVID-19 has become a staple of many people’s lives, as they order everything from sourdough starter to exercise equipment. Cybercrooks have latched onto the delivery behemoth as a lure for phishing emails, knowing that plenty of legitimate delivery messages are also making it into people’s inboxes and offering cover.
Researchers at Armorblox recently spotted a pair of savvy campaigns leveraging Amazon: a credential-phishing attempt using a purported Amazon delivery-order failure notice, and a voice-phishing (vishing) attempt also built around an Amazon delivery order. Both are examples of the ever-more sophisticated phishing efforts being developed by fraudsters to get past traditional email security, researchers said.
In the first campaign, the email came from a third-party vendor email account that had been compromised or otherwise domain-spoofed, according to Armorblox – specifically, Blomma Flicka Flowers, which is a floral design company based out of Vermont (now alerted to the issue). Thus, if a recipient checked the sender domain, they would find it to be legitimate.
“The sender name and domain seem to point that the email came from a legitimate third-party vendor’s account, allowing it to successfully pass [standard] authentication checks,” said Arjun Sambamoorthy, co-founder and head of engineering at Armorblox, writing in a Thursday post.
The email informed readers that their order would be cancelled if they didn’t update their payment details within three days, creating a sense of urgency (one of the oldest tactics used in phishing). It also included a link to “update Amazon billing information.”
Clicking on the link led victims to a full-fledged Amazon lookalike site with a phishing flow that aimed to steal login credentials, billing address information and credit-card details, according to Armorblox. Once the phish was complete, victims were redirected to the real Amazon home page, none the wiser about being compromised.
The phishing site fell into the category of what researchers call “zero-day” sites – i.e., newly created domains that haven’t been around long enough to be flagged as suspicious. In this case, the parent domain for the Amazon lookalike page – sttppcappr[.]com – had been created and pressed into service almost immediately using website-in-a-box software, according to the researchers.
“There is very little to separate the phishing site from the legitimate Amazon website,” explained Sambamoorthy. “The first page victims see after clicking the link in the email is a login portal. Upon closer inspection, you will notice the ‘Dangerous’ warning on the browser tab next to the domain; you will also notice the domain itself – sttppcappr[.]com – is clearly not an Amazon domain. But attackers bank on victims being in a rush and not engaging with the email or the phishing flow with the rational, slower-thinking part of their brains.”
On the social-engineering front, he added, “The email sender name was ‘Support Reply’, which isn’t an exact replication of an Amazon automated email but still ‘robotic’ enough to pass our subconscious eye tests.”
In the second campaign, attackers sent emails purporting to communicate about an Amazon delivery order. The email included a phone number for the ‘Fraud Protection Team’ to call in case the order was fraudulent.
The “vish” part comes in because the call to action is for recipients to make a call – which connected to a real person on the other end whose goal was to extract as much information from the victim as possible.
“Adversaries set up a phone line to follow through on this attack,” Sambamoorthy said in another posting on Thursday. “The Armorblox research team called the number listed for the ‘Fraud Protection Team’ from a disposable Google Voice number. A real person answered the call and pretended to be from the Amazon fraud protection team. They asked for the order number, name and credit-card details before cutting our call and blocking our number. The full vishing flow might well have involved the extraction of other sensitive personal information as well.”
According to Armorblox, the initial emails came from a Gmail account that impersonated Amazon, informing readers that their Amazon order had shipped.
Researchers are warning of a phishing campaign that pretends to be an automated message from Microsoft Teams. In reality, the attack aims to steal Office 365 recipients’ login credentials.
Teams is Microsoft’s popular collaboration tool, whose use has risen sharply among remote workforces during the pandemic, making it an attractive brand for attackers to impersonate. This particular campaign was sent to between 15,000 and 50,000 Office 365 users, according to researchers with Abnormal Security on Thursday.
“Because Microsoft Teams is an instant-messaging service, recipients of this notification might be more apt to click on it so that they can respond quickly to whatever message they think they may have missed based on the notification,” said researchers in a Thursday analysis.
The initial phishing email displays the name “There’s new activity in Teams,” making it appear like an automated notification from Microsoft Teams.
As seen in the picture below, the email tells recipients that their teammates are trying to reach them, warns them that they have missed Microsoft Teams chats, and shows an example of a teammate chat asking them to submit something by Wednesday of next week.
Erin Ludert, data scientist at Abnormal Security, told Threatpost that researchers suspect attackers are using more of a “spray” tactic here, as the employee referenced in the chats doesn’t appear to be an employee of the company that received the attack.
The phishing emails. Credit: Abnormal Security
To respond, the email urges the recipient to click on the “Reply in Teams” button; however, this leads to a phishing page.
“Within the body of the email, there are three links appearing as ‘Microsoft Teams’, ‘(contact) sent a message in instant messenger’, and ‘Reply in Teams’,” according to researchers. “Clicking on any of these leads to a fake website that impersonates the Microsoft login page. The phishing page asks the recipient to enter their email and password.”
Researchers said that the phishing landing page also looks convincingly like a Microsoft login page, with the start of the URL containing “microsftteams.” If recipients are convinced to input their Microsoft credentials into the page, they are unwittingly handing them to attackers, who can then use them for an array of malicious purposes, including account takeover.
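One check a mail gateway can run on a URL like the one described above: is the host a typosquat of a protected brand, or does it carry a brand name outside the brand's own domains? The block below is an added example, not code from the article or from Abnormal Security. The allow-list, the brand tokens and the test URLs are assumptions for this example, and the registrable-domain logic is a naive "last two labels" stand-in for the public suffix list. It also shows why the Amazon page's domain from the earlier article, sttppcappr[.]com, produces no brand signal at all: that phish relied on the page content, not on a lookalike domain.

```python
"""Brand-lookalike scoring for the host part of a URL (added example, not the article's code)."""
from urllib.parse import urlsplit

# Assumed allow-list and brand tokens; a real deployment would use the brands' actual domains.
LEGIT_DOMAINS = {"microsoft.com", "office.com", "amazon.com"}
BRAND_TOKENS = ("microsoft", "teams", "office365", "amazon", "bankofamerica")


def levenshtein(a: str, b: str) -> int:
    """Edit distance with single-character insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fuzzy_contains(label: str, token: str, max_dist: int) -> bool:
    """True if some window of `label` is within `max_dist` edits of `token`.
    This catches "microsft" inside "microsftteams-login" (one missing letter)."""
    n = len(token)
    for w in range(max(1, n - max_dist), n + max_dist + 1):
        for i in range(0, len(label) - w + 1):
            if levenshtein(label[i:i + w], token) <= max_dist:
                return True
    return False


def assess_host(url: str) -> dict:
    """Classify the URL's host as legitimate, lookalike, or carrying no brand signal."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return {"host": host, "verdict": "legitimate", "findings": []}
    labels = host.split(".")
    # Naive registrable domain: last two labels. Use the public suffix list in
    # production, otherwise bank.co.uk collapses to co.uk.
    reg_label = labels[-2] if len(labels) >= 2 else labels[0]
    subdomain_labels = labels[:-2]
    findings = []
    for tok in BRAND_TOKENS:
        # Short tokens must match exactly; one edit is allowed for longer ones.
        # Even so, distance-1 matches hit benign words ("amazin" vs "amazon"),
        # so treat findings as a signal to weigh, not a verdict on their own.
        max_dist = 1 if len(tok) >= 6 else 0
        if fuzzy_contains(reg_label, tok, max_dist):
            findings.append(f"registrable label '{reg_label}' resembles brand '{tok}'")
        for sub in subdomain_labels:
            if fuzzy_contains(sub, tok, max_dist):
                findings.append(f"brand '{tok}' in subdomain label '{sub}' of "
                                f"{'.'.join(labels[-2:])}")
    return {"host": host, "verdict": "lookalike" if findings else "no-brand-signal",
            "findings": findings}


if __name__ == "__main__":
    for u in ("https://teams.microsoft.com/l/chat",
              "https://microsftteams-login.xyz/signin",      # assumed lookalike
              "https://microsoft.com.evil.example/login",    # brand in a subdomain
              "https://sttppcappr.com/ap/signin"):           # the Amazon phish's domain
        print(assess_host(u))
```

The second URL is flagged twice (a one-edit match on "microsoft" and an exact match on "teams"), the third is flagged because the brand sits in a subdomain of an unrelated registrable domain, and the last comes back with no brand signal, which is why a domain-age or reputation check (the "zero-day domain" point from the Amazon article) has to sit beside a lookalike check rather than replace it.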
With the ongoing pandemic, concerns about cyberattackers leveraging enterprise-friendly collaboration brands like Microsoft Teams, Zoom and Skype have grown. In May, a convincing campaign that impersonated notifications from Microsoft Teams in order to steal employees’ Office 365 credentials circulated, with two separate attacks that targeted as many as 50,000 different Teams users.
Every day, on average, 56 million phishing emails are sent, and it takes just 82 seconds for a person to fall victim to such an attack. Phishing is one of the oldest yet most effective forms of cybersecurity threat. Over time it has graduated from scam emails from a Nigerian prince to more sophisticated and sly techniques, such as Distributed Spam Distraction, polymorphic attacks and visual-similarity attacks.
Artificial intelligence has played a great role in thwarting attacks of this nature. Let us look at a few examples.
Facebook has been a top cybercriminal favorite in phishing attacks so far this year, with recent research shedding light on 4.5 million phishing attempts that have leveraged the social media platform between April and September 2020.
Behind Facebook, messenger app WhatsApp is the second-top platform leveraged by attackers (with 3.7 million phishing attempts), followed by Amazon (3.3 million attempts), Apple (3.1 million attempts) and Netflix (2.7 million attempts).
Google’s offerings (including YouTube, Gmail and Google Drive) took sixth position, with 1.5 million phishing attempts altogether according to a Tuesday analysis released by Kaspersky.
Of note, many of these targeted web services are also frequently accessed by employees of small and medium businesses while working, potentially exposing sensitive corporate data, researchers warned.
“We can’t imagine our daily lives, and work, without different web services, including social media, messenger apps and file-sharing platforms,” said Tatyana Sidorina, security expert at Kaspersky, in a statement. “However, it is important for any organization to understand where threats may come from, and what technology and awareness measures are needed to prevent them. Businesses also need to provide their employees with comfortable use of services they require, so it is crucial to get the balance right.”
Facebook’s incredible user base — with more than 2.7 billion monthly active users as of the second quarter of 2020 – makes it an attractive brand for cybercriminals to tap into. The social-media giant’s access to a slew of private data, such as private messages, is another reason why attackers are leveraging Facebook.
In fact, just this week a report shed light on a Facebook phishing campaign that hit at least 450,000 victims. The attack sent Facebook users a link via Messenger that appeared to be a YouTube video. However, when victims clicked on the link, they were redirected to multiple websites and ultimately led to a Facebook phishing page. The attackers were then able to collect victims’ Facebook credentials.
Cybercriminals have also targeted Facebook over the years with new, tricky tactics, including reproducing a social-login prompt in a “very realistic format” inside an HTML block, and targeting Facebook’s ad platform in a years-long attack that siphoned $4 million from users’ advertising accounts.
Facebook is also one of the most-used services by corporate employees, with Kaspersky finding that YouTube and Facebook are the top two services that employees at small and medium businesses access on their corporate devices (Google Drive, Gmail and WhatsApp follow closely behind).
“With the two lists sharing many of the services, these results only confirm the trend that popular applications have become valuable platforms for fraudsters’ malicious actions,” according to researchers.
A credential-phishing attempt that relies on impersonating Bank of America has emerged in the U.S. this month, with emails that get around secure gateway protections and heavy-hitting protections like DMARC.
The campaign involves emails that ask recipients to update their email addresses, warning users that their accounts could be recycled if this isn’t done.
“The email language and topic was intended to induce urgency in the reader owing to its financial nature,” according to analysis from Armorblox. “Asking readers to update the email account for their bank lest it get recycled is a powerful motivator for anyone to click on the URL and follow through.”
The messages contain a link that purports to take visitors to a site to update their information – but clicking the link simply takes the recipients to a credential-phishing page that closely mirrors a legitimate Bank of America home page, researchers said.
The attack flow also included a page that asked readers for their ‘security challenge questions’, both to increase legitimacy as well as get further identifying information from targets, researchers said in a posting on Thursday.
“With the enforcement of Single Sign On (SSO) and two-factor authentication (2FA) across organizations, adversaries are now crafting email attacks that are able to bypass these measures,” Chetan Anand, co-founder and architect of Armorblox, told Threatpost. “This credential-phishing attack is a good example. Firstly, it phishes for Bank of America credentials, which are likely not to be included under company SSO policies. Secondly, it also phishes for answers to security-challenge questions, which is often used as a second/additional form of authentication. Asking security-challenge questions not only increases the legitimacy of the attack, but also provides the adversaries with vital personal information about their targets.”
More interestingly, in some cases the emails are able to get past existing email security controls, because they don’t follow the patterns of more traditional phishing attacks.
For instance, the campaign, while using a classic “spray-and-pray” lure, is not a mass email effort, according to the firm. In examining one of the emails, researchers noticed that “this was not a bulk email and only a few people in the target organization received it,” they wrote. “This ensured that the email wasn’t caught in the bulk email filters provided by native Microsoft email security or the Secure Email Gateway (SEG).”
Anand told Threatpost, “We’re working on identifying scope of impact outside of our customer base but campaigns like this in the past have been fairly broad in their attack scope since the content is generic enough to cut across organizations and industry verticals. Within our customer base, it was not a mass email but not a single email either. A few key VIPs or VAPs (Very Attacked Persons) got the email.”
Also, the email they examined was able to get past common authentication checks, such as DMARC. DMARC (Domain-based Message Authentication, Reporting and Conformance, RFC 7489) is an industry standard that lets a domain owner publish a policy in DNS telling receivers what to do with messages whose visible “From” domain claims that owner’s domain but is not backed by an aligned SPF or DKIM result. If the owner publishes a quarantine or reject policy, messages that spoof its domain can be stopped at the gateway or redirected to the junk folder. DMARC says nothing, however, about mail sent from a domain the attacker controls or from a compromised legitimate account: such messages carry valid, aligned SPF and DKIM results for their own domain and therefore pass, which is how a phishing email can “get around” it while still impersonating a bank in its content.
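Both this article and the Amazon one above make the same point: DMARC passes as long as the visible From domain aligns with a valid SPF or DKIM result for that same domain, so a compromised vendor account or a properly configured lookalike domain sails through. The block below is an added example, not code from Threatpost or Armorblox, that parses a DMARC record and applies the alignment rules from RFC 7489. The domains, records and authentication results are constructed (bank.example stands in for the impersonated bank; the records are not any real domain's), and the organizational-domain function is a naive "last two labels" stand-in for the public suffix list.

```python
"""DMARC alignment and disposition, worked through in code (added example)."""
from dataclasses import dataclass


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as "v=DMARC1; p=reject; adkim=s" into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")  # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")   # SPF alignment mode
    tags.setdefault("p", "none")   # RFC 7489 treats an unusable p tag as p=none
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Naive (last two labels): production code needs the
    public suffix list so that mail.bank.co.uk maps to bank.co.uk, not co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict requires an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


@dataclass
class AuthResult:
    spf_pass: bool
    spf_domain: str   # envelope MAIL FROM domain that SPF was evaluated against
    dkim_pass: bool
    dkim_domain: str  # d= of a signature that verified, "" if none


def evaluate_dmarc(from_domain: str, record: str, auth: AuthResult) -> dict:
    """Apply the From domain's DMARC record to one message's SPF/DKIM results."""
    tags = parse_dmarc(record)
    spf_ok = auth.spf_pass and aligned(from_domain, auth.spf_domain, tags["aspf"])
    dkim_ok = auth.dkim_pass and aligned(from_domain, auth.dkim_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    # Subdomains use the sp tag when present, otherwise fall back to p.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return {"dmarc": "pass" if passed else "fail",
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "disposition": "none" if passed else policy}


if __name__ == "__main__":
    # Constructed records and results; none of these are real domains' data.
    bank = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@bank.example"
    # 1. Spoofed From: header, sent through the attacker's own mail server:
    #    SPF passes for the attacker's bounce domain but is not aligned -> reject.
    print(evaluate_dmarc("bank.example", bank, AuthResult(
        spf_pass=True, spf_domain="bounce.attacker.example", dkim_pass=False, dkim_domain="")))
    # 2. Lookalike domain the attacker registered and set up correctly -> pass.
    print(evaluate_dmarc("bank-secure-alerts.example", "v=DMARC1; p=none", AuthResult(
        spf_pass=True, spf_domain="bank-secure-alerts.example",
        dkim_pass=True, dkim_domain="bank-secure-alerts.example")))
    # 3. Compromised vendor account: the vendor's own DKIM signature aligns -> pass.
    print(evaluate_dmarc("vendor.example", "v=DMARC1; p=quarantine", AuthResult(
        spf_pass=False, spf_domain="", dkim_pass=True, dkim_domain="vendor.example")))
```

Scenario 1 is the case DMARC was built for and is rejected; scenarios 2 and 3 are the two ways the campaigns in these articles pass it, and the only signals left for the gateway are the content, the link targets and the age or reputation of the sending domain.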