Credentials Phishing Attacks

Uploaded on 2021-04-09 in TECHNOLOGY--Resilience, TECHNOLOGY--Hackers, FREE TO VIEW

In the last month, researchers at Menlo Security has been observing a steady rise in credential phishing attacks. This is a popular attack method where attackers make use of fake login pages or forms to steal credentials of commonly used services in a corporate environment. 

Apart from commonly targeted cloud services like Office 365, Amazon Prime, Adobe and others, Menlo also noticed credential phishing attacks impersonating commonly used software services from other countries like South Korea and crypto-currency wallets.  

Office365 Continues To Be The #1  Phishing Target

In the last month, it may not be a surprise to learn that the bulk of the credential phishing attacks were serving fake Outlook and Office365 login pages. This is mostly because of the ubiquity of Office365 service across the corporate sector. Other notable phishing attack incidents included:-

Phishing On Cloud Services:    There is an uptick on the number of phishing pages being hosted on popular cloud services. While services like Azure, One Drive, Box, Firebase, and Dropbox continue to be leveraged to host phishing pages, one interesting addition to this list we came across last month was a phishing page hosted on the popular note taking app Evernote

Phishing Tactics:    Attackers are always trying to come up with tactics to bypass detection solutions. Below, we describe a few common tactics that are actively being used to serve phishing content.  

Use of Data URLs/Encoding To Mask Content:   In a specific phishing HTML page content, we observed usage of Data-URLs to:

  • Hide the actual java-script code that posts credentials to a remote URL. 
  • Encode and embed all custom CSS/Images on the page itself

The advantages of using this mechanism is as follows:

  • Allows the entire phishing page content to be rendered on a browser in a single load within the client. 
  • Adding the “Content-Encoding: gzip” header allows the server to send the compressed response. 
  • There would be no additional resource requests (Javascript/CSS/Images etc). 
  • This is an attempt to evade solutions that rely on the “Content-Type” header to determine resources like Javascript/CSS. 

Dynamic Content Generation:  One interesting tactic that was observed with an Office365 phishing campaign: this campaign seems to be appending the user’s email address on the URL,  the phishing page path is dynamically generated, and the user’s email address is automatically filled.

Conclusion

Cyber criminals are trying to add complexity in order to carry out phishing campaigns that steal sensitive information. With free services like Let’s Encrypt, it’s becoming increasingly easier for attackers to host phishing sites behind SSL with a relatively short TTL for maximum hit rate. 

Increasing cyber security awareness through training and education initiatives is very helpful in reducing the impact of credential phishing attacks, but corporate users should always be cautious when a site presents a form that asks for personal or sensitive information.

Menlo Security:      

You Might Also Read:

Every Employee Should Be Considered A Target:

 

 

« Half A Billion LinkedIn Members Found For Sale
The Future Of Blockchain In Cyber Security »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

IT Association of Slovakia (ITAS)

IT Association of Slovakia (ITAS)

ITAS is a professional association of domestic and foreign companies operating in the field of information and communication technologies

PizzlySoft

PizzlySoft

PizzlySoft is a global company that is seeking convergence of network and security / software and hardware. We put our value on creating the best security.

IP2Location

IP2Location

IP2Location provide services to identify geolocation by IP address, and to detect IP addresses associated with anonymous proxy servers, which are often used for fraud and spamming purposes.

Polymer

Polymer

Polymer is a Data Governance & Privacy Platform for third party SaaS apps. A modern Data Loss Protection (DLP) approach to remove sensitive data exposure on collaboration tools in real-time.

Rede Nacional CSIRT

Rede Nacional CSIRT

Rede Nacional CSIRT is a national network of CSIRTs in Portugal aimed at cooperation and mutual assistance in the handling of incidents and in the sharing of good security practices.

Internet Security Research Group (ISRG)

Internet Security Research Group (ISRG)

ISRG's mission is to reduce financial, technological, and educational barriers to secure communication over the Internet.

Jisc

Jisc

Jisc is a membership organisation working in partnership with the UK’s research and education communities to develop the digital technologies they need to teach, discover and thrive.

AdvIntel

AdvIntel

AdvIntel is a next-generation threat prevention and loss prevention company launched by a team of certified investigators, reverse engineers, and security experts.

Quzara

Quzara

Quzara provides trusted advisory services and highly adaptive cybersecurity services to federal, commercial and Defense Industrial Base customers to meet their security compliance and cyber needs.

Alethea

Alethea

Alethea is a technology company helping companies, nonprofits, and democracies protect themselves from harms stemming from disinformation and social media manipulation.

Indian Cyber Security Solutions (ICSS)

Indian Cyber Security Solutions (ICSS)

Indian Cyber Security Solutions is an Enterprise Cyber Security Platforms company offering Cyber Security & Technical Education and Compliance & Penetration Testing Services.

OryxLabs

OryxLabs

OryxLabs provide advanced enterprise digital risk protection solutions. Learn more about how 24x7 continuous assessment, monitoring, and improvement can secure your network.

Orbis Cyber Security

Orbis Cyber Security

Orbis is one of the leading cybersecurity company in USA. Our cybersecurity specialist defends your data, combat threat, and modernize your compliance.

Defendis

Defendis

Defendis develops AI-powered cybersecurity solutions for Government Agencies, Banks, and Businesses, designed to helps them contain data leaks, minimise damage, and proactively hunt for new threats.

InterSources

InterSources

InterSources is a trusted partner, leading the way in Cloud Security, Cybersecurity, PLG Consulting, Digital Transformation, and Professional Services.

Cyber Security Unity (CSU)

Cyber Security Unity (CSU)

Cyber Security Unity (formerly the UK Cyber Security Association) is a new global community which has been set up to help unite the industry and combat the growing cyber threat.