Phishing, the fraudulent attempt to obtain an individual's personal or payment card information through deceptive emails and fake websites, remains a favored tactic for parting users from their money and from data that can be used for identity theft. In a recent blog post, Microsoft revealed three of the more cunning phishing operations its researchers discovered during 2019.
Over the years, protections against phishing have improved and become remarkably effective, preventing billions of malicious phishing emails from reaching end users. This has created an arms race between cybercriminals and those working to secure machines and networks. Researchers on Microsoft's Office 365 Advanced Threat Protection team noticed an escalation in tactics, including techniques that abuse legitimate cloud services such as those offered by Microsoft, Google, Amazon, and others. The first case study involves URLs that point to legitimate but compromised websites.
One such attack used links to Google search results that had been poisoned so that they led to an attacker-controlled page, which in turn redirected to a phishing page. The threat actors used a traffic redirector to ensure that the attacker-controlled page consistently ranked at the top of the search results for certain keywords. They also employed a second trick to avoid discovery: the poisoned results were location specific. A user searching from Europe would eventually be redirected to the phishing website, while a user outside Europe would see no such results at all, so an analyst or automated scanner outside the targeted region would find nothing to investigate.
The second operation researchers felt was worth mentioning involves the abuse of custom 404 error pages. For some time, a favorite way for threat actors behind phishing campaigns to evade detection has been to spread a campaign across many URLs and domains, so that blocking one does not stop the rest. This technique has now evolved to include custom 404 pages: a web server returns its 404 page for any path that does not exist, so if the attacker makes the 404 page itself the phishing page, every non-existent path on the domain becomes a working phishing URL. The practical result is a limitless supply of URLs, each different from the ones already blocked. Researchers explained that,
“Because the malformed 404 page is served to any non-existent URL in an attacker-controlled domain, the phishers could use random URLs for their campaigns. For example, we saw these two URLs used in phishing campaigns; the attackers added a single character to the second one to generate a new URL but serve the same phishing page.”
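The catch-all behaviour described above is also the cheapest way to recognise it: if random, non-existent paths on the same host return exactly the body of the suspect link, the host is serving one page for every URL. What follows is an added example, not Microsoft's tooling, of that probe, plus a grouping step that treats every URL on one host as a single campaign rather than a new indicator per random suffix. The fetcher is injected so the block runs offline against constructed responses; `phish.example` and `corp.example` are made-up hosts.

```python
import hashlib
import secrets
from collections import defaultdict
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit, urlunsplit

# A fetcher takes a URL and returns (HTTP status, response body). It is injected so the
# probe can run against constructed responses here and a real HTTP client in production.
Fetcher = Callable[[str], Tuple[int, bytes]]


def _fingerprint(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def _random_sibling(url: str) -> str:
    """Same scheme and host as `url`, with a random path that cannot legitimately exist."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, "/" + secrets.token_urlsafe(12), "", ""))


def probe_catch_all(url: str, fetch: Fetcher, probes: int = 3) -> Dict[str, object]:
    """Fetch the suspect URL and `probes` random paths on the same host.

    If every random path returns the same body as the suspect URL, the host serves one
    page for every path, which is exactly what a phishing page installed as the site's
    custom 404 page looks like. The status code is recorded but not trusted: that page
    is served *as* the 404 response, so a 404 status proves nothing either way.
    """
    status, body = fetch(url)
    baseline = _fingerprint(body)
    matching = sum(
        1 for _ in range(probes) if _fingerprint(fetch(_random_sibling(url))[1]) == baseline
    )
    return {"url": url, "status": status, "matching_probes": matching,
            "catch_all": matching == probes}


def cluster_by_host(urls: List[str]) -> Dict[str, List[str]]:
    """Group URLs by host, so 'login/abc' and 'login/abcd' on one host count as one campaign."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for u in urls:
        groups[urlsplit(u).netloc.lower()].append(u)
    return dict(groups)


# Constructed stand-in for the network: one attacker host whose custom 404 page is the
# phishing page, and one legitimate host with a real login page and a real 404 page.
PHISH_PAGE = b"<html><form method=post action=/collect>Sign in to your account</form></html>"
REAL_LOGIN = b"<html><form method=post action=/auth>Corporate login</form></html>"
REAL_404 = b"<html><h1>404 Not Found</h1></html>"


def fake_fetch(url: str) -> Tuple[int, bytes]:
    parts = urlsplit(url)
    if parts.netloc == "phish.example":
        return 404, PHISH_PAGE                       # every path gets the phishing page
    if parts.netloc == "corp.example":
        return (200, REAL_LOGIN) if parts.path == "/login" else (404, REAL_404)
    return 404, REAL_404


if __name__ == "__main__":
    campaign = ["https://phish.example/login/x7Hq", "https://phish.example/login/x7Hqz",
                "https://corp.example/login"]
    for host, members in cluster_by_host(campaign).items():
        print(host, probe_catch_all(members[0], fake_fetch)["catch_all"], members)
```

In production the fetcher would be an HTTP client run from a sandbox with the victim's geography and user agent. Single-page applications and some CDN error handlers also answer every path with the same document, so treat a catch-all result as one signal to combine with others (newly registered domain, a sign-in form posting to a third host), not as a verdict on its own.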
The last novel technique involves a man-in-the-middle component. A man-in-the-middle attack places the attacker between the victim and the service the victim believes they are talking to, relaying traffic while reading or altering it; in phishing campaigns the victim is steered into that position by a convincing email. Critical to these attacks is making the initial email appear legitimate, something threat actors are becoming increasingly good at. Impersonation was taken to new heights this year in an attack whose man-in-the-middle component captured company-specific information such as logos, banners, text, and background images from Microsoft's rendering site. Researchers explained that,
“Phishers sent out emails with URLs pointing to an attacker-controlled server, which served as the man-in-the-middle component and simulated Microsoft sign-in pages. The server identified certain specific information based on the recipient’s email address, including the target company, and then gathered the information specific to that company. The result was the same experience as the legitimate sign-in page, which could significantly reduce suspicion.”
Security Intelligence Report
It is not only novel phishing techniques that have occupied researchers’ time at Microsoft. Earlier this month Microsoft released its Security Intelligence Report detailing the year in cybersecurity incidents. The report is a valuable piece of intelligence because every current version of Windows ships with Windows Defender, which gives the Redmond tech giant a treasure trove of telemetry that other firms would envy. On the whole, the report shows that ransomware, crypto miners, and other malware infections are down across the board for Windows users.
Microsoft showed that the share of Windows machines on which malware has been spotted fell from 6-7% of the Windows ecosystem in early 2017 to 4.15% in October 2019. The decrease is attributed to the security improvements Windows 10 and Defender have received over the past half-decade, which make malware campaigns less efficient against modern Windows 10 systems. Such statistics inevitably raise the question of whether certain malware families are dead in the water. The reality, as usual in the murky realm of cybersecurity, is not black and white. For instance, although ransomware infections are down across the board, with similar findings echoed by other security firms, how ransomware is deployed has changed. Rather than trying to infect as many home users as possible, hacker groups now target business enterprises and government organizations: a smaller pool of victims, but one able to pay higher ransoms.
Another factor that keeps malware campaigns alive while detections fall is how cybercriminals have responded. Rather than relying on one kind of malware, attackers have diversified their activities to include multiple malware types and a wider variety of techniques. Notably, phishing messages as a share of the inbound email Microsoft analyzed increased from under 0.2% in January 2018 to around 0.6% in October 2019, illustrating this more diversified approach. Further, the average size of TCP-based DDoS attacks increased from 75 Gbps in May to over 200 Gbps by October this year. Microsoft also provided a stark warning to those who reuse passwords across numerous accounts, stating
“Reusing passwords across multiple account-based services is common. According to a 2018 study of nearly 30 million users and their passwords, password reuse and modifications were common for 52% of users. The same study also found that 30% of the modified passwords and all the reused passwords can be cracked within just 10 guesses. This behavior puts users at risk of being victims of a breach replay attack. Once a threat actor gets hold of spilled credentials or credentials in the wild, they can try to execute a breach replay attack. In this attack, the actor tries out the same credentials on different service accounts to see if there is a match.”
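Two checks that follow from this warning, written here as an added example rather than anything taken from Microsoft's report. The first enumerates the handful of edits users typically make to a leaked password (case changes, a new suffix, a bumped year, leet substitutions), which is why a "modified" password falls within a few guesses, and lets an identity service reject a new password that is a trivial edit of a known-leaked one. The second is a log heuristic for the breach replay itself: one source trying credentials against many accounts with a low success rate. The leaked passwords and log lines are constructed, and the `<timestamp> <ip> <user> <OK|FAIL>` line format is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ("1", "!", "123", "2019", "2020")


def trivial_variants(leaked: str) -> List[str]:
    """Ordered, de-duplicated first guesses derived from one leaked password."""
    out: List[str] = []

    def add(candidate: str) -> None:
        if candidate and candidate not in out:
            out.append(candidate)

    add(leaked)
    for c in (leaked.lower(), leaked.upper(), leaked.capitalize(), leaked.swapcase()):
        add(c)
    for s in SUFFIXES:                                   # Summer2018 -> Summer2018!
        add(leaked + s)
    m = re.fullmatch(r"(.*?)(\d+)(\W*)", leaked)         # stem, trailing number, punctuation
    if m:
        stem, digits, punct = m.groups()
        for delta in (1, -1):                            # Summer2018 -> Summer2019 / Summer2017
            add(stem + str(int(digits) + delta).zfill(len(digits)) + punct)
    root = re.sub(r"[\W\d_]+$", "", leaked)              # Summer2018 -> Summer, then re-suffix
    for s in SUFFIXES:
        add(root + s)
    add(leaked.translate(LEET))                          # Summer2018 -> Summ3r2018
    return out


def is_trivial_variant(candidate: str, leaked_passwords: Iterable[str]) -> bool:
    """True if the 'new' password is, ignoring case, a first guess from any leaked one."""
    wanted = candidate.lower()
    return any(v.lower() == wanted for p in leaked_passwords for v in trivial_variants(p))


def flag_breach_replay(log_lines: Iterable[str], min_accounts: int = 5,
                       window: timedelta = timedelta(minutes=10),
                       max_success_rate: float = 0.5) -> Dict[str, Dict[str, int]]:
    """Flag source IPs that try >= min_accounts distinct accounts inside `window` with a
    low success rate: spilled credentials being replayed across accounts.
    Assumed line format: '<ISO8601 UTC> <ip> <user> <OK|FAIL>'."""
    per_ip: Dict[str, List[Tuple[datetime, str, bool]]] = defaultdict(list)
    for line in log_lines:
        ts, ip, user, result = line.split()
        per_ip[ip].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result == "OK"))
    flagged: Dict[str, Dict[str, int]] = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):                   # sliding window over ordered events
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            accounts = {u for _, u, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(accounts) >= min_accounts and successes / len(span) <= max_success_rate:
                flagged[ip] = {"accounts": len(accounts), "attempts": len(span),
                               "successes": successes}
                break
    return flagged


# Constructed sample log, not real telemetry: one source walks a spilled credential list
# across six accounts (one hit); another is a user mistyping their own password once.
SAMPLE_AUTH_LOG = [
    "2019-10-01T08:00:01Z 203.0.113.7 alice@corp.example FAIL",
    "2019-10-01T08:00:03Z 203.0.113.7 bob@corp.example FAIL",
    "2019-10-01T08:00:05Z 203.0.113.7 carol@corp.example OK",
    "2019-10-01T08:00:06Z 203.0.113.7 dave@corp.example FAIL",
    "2019-10-01T08:00:08Z 203.0.113.7 erin@corp.example FAIL",
    "2019-10-01T08:00:09Z 203.0.113.7 frank@corp.example FAIL",
    "2019-10-01T08:01:00Z 198.51.100.9 alice@corp.example FAIL",
    "2019-10-01T08:01:20Z 198.51.100.9 alice@corp.example OK",
]

if __name__ == "__main__":
    print(trivial_variants("Summer2018"))
    print(is_trivial_variant("Summer2019", ["Summer2018"]))
    print(flag_breach_replay(SAMPLE_AUTH_LOG))
```

The variant list is deliberately short; real credential-stuffing tooling applies far larger mangling rule sets, so this rejects only the most obvious edits and is a complement to, not a replacement for, checking new passwords against a breach corpus. The replay heuristic keys on source IP, which attackers spread across proxy pools, so in practice it is also worth keying on shared user-agent strings and on the timing pattern, and pairing it with rate limiting and multi-factor authentication, which defeat the replay even when the password is correct.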