Credentials Phishing Attacks

In the last month, researchers at Menlo Security has been observing a steady rise in credential phishing attacks. This is a popular attack method where attackers make use of fake login pages or forms to steal credentials of commonly used services in a corporate environment. 

Apart from commonly targeted cloud services like Office 365, Amazon Prime, Adobe and others, Menlo also noticed credential phishing attacks impersonating commonly used software services from other countries like South Korea and crypto-currency wallets.  

Office365 Continues To Be The #1  Phishing Target

In the last month, it may not be a surprise to learn that the bulk of the credential phishing attacks were serving fake Outlook and Office365 login pages. This is mostly because of the ubiquity of Office365 service across the corporate sector. Other notable phishing attack incidents included:-

Phishing On Cloud Services:    There is an uptick on the number of phishing pages being hosted on popular cloud services. While services like Azure, One Drive, Box, Firebase, and Dropbox continue to be leveraged to host phishing pages, one interesting addition to this list we came across last month was a phishing page hosted on the popular note taking app Evernote

Phishing Tactics:    Attackers are always trying to come up with tactics to bypass detection solutions. Below, we describe a few common tactics that are actively being used to serve phishing content.  

Use of Data URLs/Encoding To Mask Content:   In a specific phishing HTML page content, we observed usage of Data-URLs to:

  • Hide the actual java-script code that posts credentials to a remote URL. 
  • Encode and embed all custom CSS/Images on the page itself

The advantages of using this mechanism is as follows:

  • Allows the entire phishing page content to be rendered on a browser in a single load within the client. 
  • Adding the “Content-Encoding: gzip” header allows the server to send the compressed response. 
  • There would be no additional resource requests (Javascript/CSS/Images etc). 
  • This is an attempt to evade solutions that rely on the “Content-Type” header to determine resources like Javascript/CSS. 

Dynamic Content Generation:  One interesting tactic that was observed with an Office365 phishing campaign: this campaign seems to be appending the user’s email address on the URL,  the phishing page path is dynamically generated, and the user’s email address is automatically filled.

Conclusion

Cyber criminals are trying to add complexity in order to carry out phishing campaigns that steal sensitive information. With free services like Let’s Encrypt, it’s becoming increasingly easier for attackers to host phishing sites behind SSL with a relatively short TTL for maximum hit rate. 

Increasing cyber security awareness through training and education initiatives is very helpful in reducing the impact of credential phishing attacks, but corporate users should always be cautious when a site presents a form that asks for personal or sensitive information.

Menlo Security:      

You Might Also Read:

Every Employee Should Be Considered A Target:

 

 

« Half A Billion LinkedIn Members Found For Sale
The Future Of Blockchain In Cyber Security »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Device Authority

Device Authority

Device Authority specialises in security automation for the Internet of Things (IoT).

Akheros

Akheros

Akheros develops cybersecurity learning algorithms which anticipate, detect and prevent offensive and incongruous behaviors of M2M interactions.

Chainalysis

Chainalysis

Chainalysis provides blockchain analysis software to prevent, detect and investigate cryptocurrency money laundering, fraud and compliance violations.

CyberGhost

CyberGhost

CyberGhost is a Virtual Private Network services provider offering secure encrypted access to the internet.

Accertify

Accertify

Accertify is a leading provider of fraud prevention, chargeback management, and payment gateway solutions.

Pixalate

Pixalate

Pixalate is an omni-channel fraud intelligence company that works with brands and platforms to prevent invalid traffic and improve ad inventory quality.

ArcRan Information Technology

ArcRan Information Technology

ArcRan concentrates on developing comprehensive cybersecurity solutions for smart city applications. We believe that cybersecurity is the fundamental enabler of IoT development.

VectorUSA

VectorUSA

VectorUSA is a premier technology solution provider. We design, build and maintain cybersecurity, data center, wireless and managed solutions – transforming business needs into technology solutions.

Cognyte

Cognyte

Cognyte are a market leader in security analytics software that empowers governments and enterprises with Actionable Intelligence for a safer world.

SEIRIM

SEIRIM

SEIRIM delivers cybersecurity solutions in Shanghai China specializing in Web Application Security, Network Security for SME's, Vulnerability Management, and serving as Managed Security as a Service.

Strivacity

Strivacity

Strivacity lets brands quickly add secure login and identity management capabilities to their customer-facing applications without tying up an army of developers or consultants to do it.

Accelerynt

Accelerynt

Accelerynt was founded with a singular purpose: help teams like yours build cybersecurity resilience.

Glasstrail

Glasstrail

Glasstrail are single-minded about helping organisations gather intelligence and manage vulnerabilities in their attack surface before adversaries exploit them.

Guardian Angel Cyber

Guardian Angel Cyber

Guardian Angel Cyber, is your trusted ally in safeguarding your digital assets and online presence.

Sage IT

Sage IT

Sage IT offer a wide range of professional and consulting services to help organizations overcome the challenges of today's ever-changing business environment.

Ncontracts

Ncontracts

Our mission at Ncontracts is to continually improve our clients’ ability to manage risk and compliance.