Phishing, the process of acquiring personal information and important credentials via deceptive emails, websites, or a combination of both, is still an effective tactic employed by hackers. Malware like Emotet is distributed almost solely through spam emails that are socially engineered to get victims to click and approve all the wrong things so that the infection routine can begin; however, usernames and passwords are often needed to penetrate deeper into corporate networks. Other malware operators need your credentials to complete their tasks. Here, emails will often redirect to what appears to be a legitimate website; the victim enters their credentials, the site harvests them, and account compromise and a whole host of other problems may follow.
This week, security researchers revealed two new tactics that have been added to phishing's arsenal, which further cement the threat level posed by the attack method. The first was discovered by security researcher and bug bounty hunter Craig Hays, who has since published an article detailing the discovery, which he described as the "greatest password theft" he had ever seen. The event started when his security team received an alert from a user, which the team believed to be run of the mill. Going through the relevant procedures, the team locked the account and began its investigation. However, more alerts began to arrive from other users, and it was discovered that the emails those users had received made it past the same filtering rules as the one behind the initial alert.
While this is not in itself unusual and can be seen during an attack campaign, the researchers were stunned to find that the incidents appeared to relate to a campaign of massive account takeovers. Accounts were being accessed from strange locations across the globe, and once accessed, those same accounts were used to send out large numbers of emails. Hays initially believed that, to conduct such an efficient and wide-ranging phishing attack, the attacker must have been harvesting credentials for some time and then waited for the right moment to strike.
Given that none of the victims had received an email from a new contact on the day of the attack, and no immediate credential theft vector could be found, this was the logical conclusion. However, when the credential theft vector was discovered, it painted a more worrying picture.
The researchers discovered that the phishing emails were being sent as replies to genuine email conversations between employees, suppliers, and internal colleagues. How this was done can only be described as ingenious, in a supervillain kind of way. Once credentials had been successfully stolen, they were passed to a bot. The remote bot would sign into the account and analyze emails sent within the past several days. Once a unique email chain was found, it would reply to the last message with a link to a credential phishing web page made to look like a document. The wording used in the reply was generic enough not to arouse suspicion, and because recipients saw a familiar thread from a known sender rather than a message from a stranger, the usual warning signs were absent. All in all, this resulted in a worm-like account takeover that captured a staggering number of accounts in only a couple of hours. However, it was too efficient.
As the bot grew, it took over accounts outside the targeted company, and people outside the company began receiving the emails. The bot had grown too fast in too short a period and was out of control. The researchers found a pattern in the URLs of the phishing pages and were able to create a quarantine rule, effectively halting proceedings and preventing further damage. Once two-factor authentication was enabled on the accounts that lacked it, the attack lost all momentum. Ultimately, by being too effective, much of the attack happened too quickly, raising several red flags. Hays concluded,
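The two signals the team relied on, sign-ins from places an account has never used and a burst of replies into existing threads all carrying the same kind of link, can be turned into a simple detector. The following is an added example written for this article, not code from Hays or his team. It runs over constructed sample sign-in and sent-mail records; the URL pattern, field names and thresholds are assumptions, since the article does not say what pattern the real quarantine rule keyed on.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical shape of the phishing landing-page URLs. The article only says the
# defenders found "a pattern"; this one is invented for the example.
PHISH_URL_RE = re.compile(
    r"https?://[\w.-]+/(?:document|shared)/[A-Za-z0-9]{8,}", re.IGNORECASE
)

# Constructed baseline: countries each account has historically signed in from.
BASELINE_COUNTRIES = {
    "alice@example.com": {"GB"},
    "bob@example.com": {"GB", "IE"},
}

# Constructed sign-in events: (user, time, country code).
SIGNINS = [
    ("alice@example.com", "2020-09-14T08:55:00", "GB"),
    ("alice@example.com", "2020-09-14T09:02:00", "NG"),  # never seen before
    ("bob@example.com", "2020-09-14T09:10:00", "IE"),
]

# Constructed sent-mail records: (user, time, In-Reply-To header or None, body).
SENT = [
    ("alice@example.com", "2020-09-14T09:05:00", "<t1@supplier.test>",
     "Hi, please see the document here https://files-share.test/document/Ab12Cd34Ef"),
    ("alice@example.com", "2020-09-14T09:06:00", "<t2@example.com>",
     "Hi, please see the document here https://files-share.test/document/Zz98Yy76Xx"),
    ("alice@example.com", "2020-09-14T09:07:00", "<t3@partner.test>",
     "Hi, please see the document here https://files-share.test/shared/Qq11Ww22Ee"),
    ("alice@example.com", "2020-09-14T09:08:00", None, "Lunch on Friday?"),
    ("bob@example.com", "2020-09-14T09:12:00", "<t4@example.com>",
     "Thanks, the invoice is attached."),
]


def ts(value):
    return datetime.fromisoformat(value)


def matches_quarantine_rule(body):
    """Content rule a mail gateway can apply to every message, inbound or outbound."""
    return PHISH_URL_RE.search(body) is not None


def find_takeovers(signins, sent, baseline, window=timedelta(hours=2), min_threads=3):
    """Return {user: details} for accounts that show the worm pattern:
    a sign-in from an unseen country followed, within `window`, by replies
    (In-Reply-To set) into at least `min_threads` distinct threads whose
    bodies match the quarantine rule."""
    sent_by_user = defaultdict(list)
    for user, when, in_reply_to, body in sent:
        sent_by_user[user].append((ts(when), in_reply_to, body))

    flagged = {}
    for user, when, country in signins:
        if country in baseline.get(user, set()):
            continue  # known location, nothing to see
        start = ts(when)
        threads = set()
        for sent_at, in_reply_to, body in sent_by_user.get(user, []):
            if (in_reply_to and start <= sent_at <= start + window
                    and matches_quarantine_rule(body)):
                threads.add(in_reply_to)
        if len(threads) >= min_threads:
            flagged[user] = {"country": country, "threads": sorted(threads)}
    return flagged


if __name__ == "__main__":
    for user, info in find_takeovers(SIGNINS, SENT, BASELINE_COUNTRIES).items():
        print(f"{user}: signed in from {info['country']}, then replied into "
              f"{len(info['threads'])} threads with links matching the phishing pattern")
```

Either signal alone produces false positives (travelling staff, a genuine shared-document link), which is why the example requires both within a short window. The content rule is deliberately separate so that the same expression can be dropped into a mail gateway as a quarantine rule once the pattern is confirmed.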
“The goal for this attacker was probably to harvest credentials to sell on the dark web. They achieved their goal of harvesting a lot of credentials, but they were too noisy about how they went about it and immediately raised alarms, losing any value they had gained,”
Captchas Used to Add Legitimacy
The second incident involved a campaign aimed at stealing corporate Microsoft Office 365 usernames and passwords. The campaign was seen targeting a wide range of organizations and uses captchas as an unusual technique to lull victims into a false sense of security. A captcha is a challenge-response test used to determine whether input received by a website comes from a human or an automated bot. Common ones are the "I am not a robot" checkbox and the "pick the images containing an item" test. Now it would seem that hackers are using these to add legitimacy to phishing campaigns. Corporate Microsoft Office 365 credentials are highly prized as they grant the attacker a foothold on the network from which to drop malware, be it banking trojans so that funds can be stolen or ransomware to extort the company in question.
The phishing campaign was discovered by Menlo Security and targeted companies within the finance, technology, manufacturing, government, pharmaceuticals, oil and gas, and hospitality sectors. Writing about the incident on its blog, Menlo noted that the campaign centered on sending out emails that would redirect users to a webpage that looked like the Microsoft Office 365 login page, which was in turn used to harvest credentials. Further, the emails appeared to be tailored to the company being targeted. To further trick recipients, the recipient would first be taken to a fake captcha to give the process an air of legitimacy; only once the captcha was passed were they redirected to the fake login page.
This appears to work because users have become so used to picking out bicycles or crosswalks from captcha images as a security check that they do it automatically. Users would also believe that the request to enter credentials is legitimate because they have already passed one security check. To add further legitimacy, the user has to pass not just one captcha check but several. First, they need to tick the box confirming that they are not a bot; then a second stage asks the user to identify images of bicycles, and a third stage asks them to identify the tiles containing a crosswalk, before redirecting them to what they now assume is a legitimate login page.
The multiple checks perform a secondary function beyond appearing legitimate. They effectively prevent automated security services from reaching the fake login page and detecting the phishing attempt, giving the attackers more of a chance to harvest the credentials they want: a URL scanner that does not solve the captcha stages only ever sees a harmless-looking challenge page. The researchers concluded,
“Phishing is the most prevalent attack vector affecting enterprises. These attacks take advantage of our inherent cognitive biases and fool us into entering our credentials. That bias, combined with the tactics used by attackers, make these attacks very successful.”
Phishing emails can often be tricky to spot if one is not aware of the tricks used by attackers; however, receiving one is far from automatically turning a user into a victim. The following recommendations can be easily adopted to mitigate the threat posed by phishing:
- Always check the spelling of the URLs in email links before you click or enter sensitive information
- Watch out for URL redirects, where you're subtly sent to a different website with an identical design
- If you receive an email from a source you know but it seems suspicious, contact that source with a new email, rather than just hitting reply
- Don't post personal data, like your birthday, vacation plans, or your address or phone number, publicly on social media
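The first two recommendations, checking how a link is spelled and watching for redirects, are mechanical enough to automate for a mail gateway or a browser plug-in. The following is an added example written for this article, not code from any vendor mentioned above. It pulls the anchors out of an HTML email body, compares the visible link text with the real destination, unwraps redirect parameters, and flags hostnames that are one character away from, or that merely embed, a trusted domain. The trusted-domain list and the sample email are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

# Constructed allow-list of registrable domains the organisation treats as its own.
TRUSTED_DOMAINS = {"example.com", "microsoftonline.com", "office.com"}

# Constructed sample message body, written for this example.
SAMPLE_EMAIL = """
<p>Please review the shared document:</p>
<a href="https://docs.examp1e.com/view?id=42">https://docs.example.com/view?id=42</a>
<p>Or sign in here:</p>
<a href="https://trusted.example.com/redirect?url=https%3A%2F%2Foffice.com.login-check.test%2Fauth">Sign in</a>
<p><a href="https://example.com/unsubscribe">Unsubscribe</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0].strip(), self._current[1].strip()))
            self._current = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def registrable(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_findings(host):
    """Checks on one hostname: typosquat of, or embedded, trusted domain."""
    findings = []
    host = host.lower()
    if registrable(host) in TRUSTED_DOMAINS:
        return findings
    for good in TRUSTED_DOMAINS:
        if edit_distance(registrable(host), good) == 1:
            findings.append(f"{host} is one edit away from trusted domain {good}")
        if host.startswith(good + ".") or ("." + good + ".") in host:
            findings.append(f"{host} embeds trusted domain {good} but is registered elsewhere")
    return findings


def check_link(href, text):
    """Apply the URL-spelling and redirect checks to a single anchor."""
    findings = []
    url = urlparse(href)
    host = url.hostname or ""
    # Visible text that looks like a URL but resolves to a different site.
    shown = re.search(r"https?://([\w.-]+)", text)
    if shown and registrable(shown.group(1)) != registrable(host):
        findings.append(f"text shows {shown.group(1)} but link goes to {host}")
    findings += host_findings(host)
    # Redirect parameters: any query value that is itself an http(s) URL.
    for key, values in parse_qs(url.query).items():
        for value in values:
            target = urlparse(unquote(value))
            if target.scheme in ("http", "https") and target.hostname:
                findings.append(f"redirects via '{key}' to {target.hostname}")
                findings += host_findings(target.hostname)
    return findings


def check_email(html):
    """Return {href: [findings]} for every link in the message body."""
    return {href: check_link(href, text) for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, findings in check_email(SAMPLE_EMAIL).items():
        print(href)
        for finding in findings or ["no findings"]:
            print("   ", finding)
```

The `registrable` helper is a deliberate simplification; a production checker should use the public suffix list so that `login.example.co.uk` is not reduced to `co.uk`. The redirect check only unwraps one level, which is enough to expose the trusted-domain-as-prefix trick on the final hostname in the sample.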
It should also be company policy to enable two-factor authentication wherever possible as an added security measure. This can effectively prevent stolen and phished credentials from being used to compromise a network, as the attacker lacks the second authentication factor. IT departments and network administrators can further use sandboxing technology to intercept all inbound mail and check the links and attachments contained within the emails, bearing in mind that the captcha-gated campaign above was designed precisely to stop such automated checks from reaching the final page, so sandboxing complements rather than replaces user vigilance and two-factor authentication. Finally, employees also need to be educated about what to look for and how to respond correctly to anything that looks suspicious.