Image: sebastiaan stam (unsplash)
Top executives within U.S.-based enterprises are the targets of an emerging phishing campaign. The campaign uses a well-known adversary-in-the-middle (AiTM) phishing toolkit, EvilProxy, which is notorious for credential theft and account hijacking.
Menlo Security highlighted that this campaign’s onset traces back to July 2023. The primary sectors in the crosshairs of these threat actors are banking, financial services, insurance, property management and real estate, along with manufacturing.
A significant point of exploitation for these threat actors was an open redirection vulnerability present in the job search platform ‘indeed.com.’ This flaw facilitated the redirection of potential victims towards dubious phishing pages that masqueraded as Microsoft-affiliated sites.
Resecurity’s documentation from September 2022 unveils the workings of EvilProxy. The toolkit acts as a reverse proxy, strategically positioned between a target and a legitimate login page. Its main operation revolves around intercepting credentials, two-factor authentication (2FA) codes, and session cookies, ultimately resulting in the compromise of sought-after accounts.
Microsoft’s security teams have been tracking the operators of this AiTM phishing toolkit under the name Storm-0835. This group reportedly services hundreds of customers. Microsoft has noted that these customers conduct frequent phishing activity and pay for monthly licenses priced between $200 and $1,000 USD. The sheer number of such customers makes attributing any single campaign to a specific actor difficult.
Menlo Security’s recent findings indicate that potential victims receive phishing emails embedded with misleading links to Indeed. This eventually steers the individual towards an EvilProxy page designed to extract entered credentials. The exploitation revolves around an open redirect vulnerability, where poor user input validation leads a susceptible website to redirect users to unvalidated web pages, effectively sidestepping security protocols.
A case in point, provided by Ramprasad, was the subdomain ‘t.indeed.com’, whose URL parameters could be manipulated to send the visitor to a different destination such as ‘example.com’. Here, the parameters after the ‘?’ in the URL serve a dual role: they are specific to indeed.com, and they determine the final URL. As a result, unsuspecting users are redirected to the attacker’s chosen destination, which in most cases is a phishing page.
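The pattern above (a trusted host in front, the real destination carried in the query string) can be caught at a mail gateway, and the redirector itself can be fixed by refusing absolute targets. The following is an added example, not code from Menlo Security, Resecurity or Indeed; the hosts, parameter name and sample URLs are constructed for illustration and do not reproduce the real indeed.com parameter.

```python
"""Detect open-redirect style lure URLs and show the server-side fix."""
from urllib.parse import urlsplit, parse_qsl, unquote

# Hosts the organisation treats as legitimate redirectors (constructed list).
TRUSTED_HOSTS = {"t.example-jobs.test", "www.example-jobs.test"}


def external_targets(url: str) -> list[tuple[str, str]]:
    """Return (parameter, host) pairs for query values that are absolute
    http(s) URLs pointing at a host other than the link's own host.
    parse_qsl decodes once; the extra unquote catches double-encoded values."""
    parts = urlsplit(url)
    link_host = (parts.hostname or "").lower()
    found = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        inner = urlsplit(unquote(value))
        if inner.scheme in ("http", "https") and inner.hostname:
            target = inner.hostname.lower()
            if target != link_host:
                found.append((key, target))
    return found


def is_suspicious_lure(url: str) -> bool:
    """A trusted redirector whose query string points off-site is the shape
    described in the article; flag it for review rather than delivering it."""
    host = (urlsplit(url).hostname or "").lower()
    return host in TRUSTED_HOSTS and bool(external_targets(url))


def safe_redirect_target(raw: str) -> str:
    """Fix for the redirector: accept only a same-site relative path. Absolute
    URLs, protocol-relative '//host' and backslash tricks fall back to '/'."""
    candidate = unquote(raw)
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc or "\\" in candidate:
        return "/"
    if not candidate.startswith("/") or candidate.startswith("//"):
        return "/"
    return candidate


if __name__ == "__main__":
    # Constructed lure: trusted host, percent-encoded off-site destination.
    lure = "https://t.example-jobs.test/r?dest=https%3A%2F%2Flogin.phish.test%2Fo365"
    print(external_targets(lure), is_suspicious_lure(lure))
    print(safe_redirect_target("https://login.phish.test/o365"), safe_redirect_target("/jobs?q=1"))
```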
Recent trends have witnessed malicious elements harnessing platforms like Dropbox. They devise counterfeit login pages embedded with URLs. On being accessed, these URLs reroute users to sham sites aiming to pilfer Microsoft account details, typically within a broader business email compromise (BEC) framework.
Check Point elucidated the modus operandi, emphasizing the adept use of legitimate services by these criminals, branding these tactics as BEC 3.0 attacks. The inherent complexity of such attacks poses substantial challenges for both security outfits and the general user base.
Microsoft’s Digital Defense Report shed light on the evolving landscape. It underscored the increasing sophistication of threat actors, who now seamlessly blend social engineering and advanced technological ploys. Their agenda: executing intricate and financially damaging BEC assaults by manipulating cloud infrastructure and leveraging established business associations.
Additionally, the Police Service of Northern Ireland has warned the public about a surge in qishing (QR code phishing) attempts. This technique typically employs emails containing PDFs or PNG images that embed QR codes. The objective is clear: evade detection mechanisms and lure victims into visiting malicious sites and credential-stealing pages.