Credentials Phishing Attacks

Uploaded on 2021-04-09 in TECHNOLOGY--Resilience, TECHNOLOGY--Hackers, FREE TO VIEW

In the last month, researchers at Menlo Security has been observing a steady rise in credential phishing attacks. This is a popular attack method where attackers make use of fake login pages or forms to steal credentials of commonly used services in a corporate environment. 

Apart from commonly targeted cloud services like Office 365, Amazon Prime, Adobe and others, Menlo also noticed credential phishing attacks impersonating commonly used software services from other countries like South Korea and crypto-currency wallets.  

Office365 Continues To Be The #1  Phishing Target

In the last month, it may not be a surprise to learn that the bulk of the credential phishing attacks were serving fake Outlook and Office365 login pages. This is mostly because of the ubiquity of Office365 service across the corporate sector. Other notable phishing attack incidents included:-

Phishing On Cloud Services:    There is an uptick on the number of phishing pages being hosted on popular cloud services. While services like Azure, One Drive, Box, Firebase, and Dropbox continue to be leveraged to host phishing pages, one interesting addition to this list we came across last month was a phishing page hosted on the popular note taking app Evernote

Phishing Tactics:    Attackers are always trying to come up with tactics to bypass detection solutions. Below, we describe a few common tactics that are actively being used to serve phishing content.  

Use of Data URLs/Encoding To Mask Content:   In a specific phishing HTML page content, we observed usage of Data-URLs to:

  • Hide the actual java-script code that posts credentials to a remote URL. 
  • Encode and embed all custom CSS/Images on the page itself

The advantages of using this mechanism is as follows:

  • Allows the entire phishing page content to be rendered on a browser in a single load within the client. 
  • Adding the “Content-Encoding: gzip” header allows the server to send the compressed response. 
  • There would be no additional resource requests (Javascript/CSS/Images etc). 
  • This is an attempt to evade solutions that rely on the “Content-Type” header to determine resources like Javascript/CSS. 

Dynamic Content Generation:  One interesting tactic that was observed with an Office365 phishing campaign: this campaign seems to be appending the user’s email address on the URL,  the phishing page path is dynamically generated, and the user’s email address is automatically filled.

Conclusion

Cyber criminals are trying to add complexity in order to carry out phishing campaigns that steal sensitive information. With free services like Let’s Encrypt, it’s becoming increasingly easier for attackers to host phishing sites behind SSL with a relatively short TTL for maximum hit rate. 

Increasing cyber security awareness through training and education initiatives is very helpful in reducing the impact of credential phishing attacks, but corporate users should always be cautious when a site presents a form that asks for personal or sensitive information.

Menlo Security:      

You Might Also Read:

Every Employee Should Be Considered A Target:

 

 

« Half A Billion LinkedIn Members Found For Sale
The Future Of Blockchain In Cyber Security »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Apcon

Apcon

Apcon's mission is to provide valuable network insights that enable security and network professionals to monitor, secure and protect their data in both physical and virtual environments.

ThreatHunter.ai

ThreatHunter.ai

ThreatHunter.ai (formerly Milton Security) is a business that tracks down and mitigates attacks in real time using our ARGOS Platform and our Elite Threat Hunters.

SK IT Cyber Security

SK IT Cyber Security

SK IT provide services and solutions for cybersecurity and advanced information system engineering.

Keynetic Technologies

Keynetic Technologies

Keynetic focuses on developing cybersecurity solutions for Industry 4.0.

CyberFortress

CyberFortress

CyberFortress is an insuretech startup offering a new kind of online business interruption policy designed for small business.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Griffiss Institute (GI)

Griffiss Institute (GI)

GI's primary role is to advocate and facilitate the co-operation of private industry, academia, and the Air Force Research Laboratory in developing solutions to critical cyber security problems.

Keyless Technologies

Keyless Technologies

Simple, secure, and interoperable authentication. Keyless offers unmatched security, privacy and usability, while reducing risk and infrastructure costs.

Towerwall

Towerwall

Towerwall offers a comprehensive suite of security services and solutions using best-of-breed tools and information security services.

Ironhack

Ironhack

Ironhack provide intensive training courses & bootcamps in Web Development, UX/UI Design, Data Analytics & Cybersecurity.

TopSOC Information Security

TopSOC Information Security

TopSOC Information Security provide a wide range of security consultation, implementation and training services.

Extreme Networks

Extreme Networks

Since 1996, Extreme has been pushing the boundaries of networking technology, driven by a vision of making it simpler and faster as well as more agile and secure.

Moore ClearComm

Moore ClearComm

Moore ClearComm is part of Moore Kingston Smith a leading UK firm of accountants and business advisers. Our services include Data Privacy, Cyber Security, Business Continuity and Information Security.

SignMyCode

SignMyCode

SignMyCode is a one-stop shop for trusted and authentic code signing solutions to safeguard software.

Converged Communication Solutions

Converged Communication Solutions

Converged is an independent Internet Service Provider, telephony, IT support and security specialist.

Icon Information Systems (ICONIS)

Icon Information Systems (ICONIS)

ICONIS is an integrated infrastructure and service provider, offering unified Information Technology (IT) solutions globally.