Credentials Phishing Attacks

In the last month, researchers at Menlo Security have been observing a steady rise in credential phishing attacks. This is a popular attack method in which attackers use fake login pages or forms to steal credentials for services commonly used in a corporate environment.

Apart from commonly targeted cloud services like Office 365, Amazon Prime, Adobe and others, Menlo also noticed credential phishing attacks impersonating commonly used software services from other countries, such as South Korea, and crypto-currency wallets.

Office365 Continues To Be The #1 Phishing Target

It may come as no surprise that, in the last month, the bulk of the credential phishing attacks served fake Outlook and Office365 login pages. This is mostly because of the ubiquity of the Office365 service across the corporate sector. Other notable phishing attack incidents included:

Phishing On Cloud Services: There is an uptick in the number of phishing pages being hosted on popular cloud services. While services like Azure, OneDrive, Box, Firebase and Dropbox continue to be leveraged to host phishing pages, one interesting addition to this list we came across last month was a phishing page hosted on the popular note-taking app Evernote.

Phishing Tactics: Attackers are always trying to come up with tactics to bypass detection solutions. Below, we describe a few common tactics that are actively being used to serve phishing content.

Use of Data URLs/Encoding To Mask Content: In one phishing HTML page, we observed data URLs being used to:

  • Hide the JavaScript code that posts the captured credentials to a remote URL.
  • Encode and embed all custom CSS and images in the page itself.

The advantages of this mechanism are as follows:

  • The entire phishing page is rendered in the browser from a single load on the client.
  • Adding the “Content-Encoding: gzip” header lets the server send the whole page as one compressed response.
  • No additional resource requests (JavaScript, CSS, images, etc.) are made.
  • It is an attempt to evade solutions that rely on the “Content-Type” header to identify resources such as JavaScript and CSS.

Dynamic Content Generation: One interesting tactic was observed in an Office365 phishing campaign: the user’s email address is appended to the URL, the phishing page path is generated dynamically, and the email field on the page is pre-filled with that address.
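As an added example (not Menlo Security's code), the following Python heuristic scanner flags the two page traits described above from a defender's side: scripts and stylesheets embedded as data: URLs together with a password form, and an email address carried in the landing URL. The sample HTML and URL are constructed for the demonstration.

```python
"""Heuristic scanner for the self-contained phishing page traits described above.
Added example, not Menlo Security's code: flags data: URL scripts/stylesheets,
password forms, and an email address carried in the landing URL."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

class PageFeatures(HTMLParser):
    """Collects data: URL resources and password fields from an HTML body."""
    def __init__(self):
        super().__init__()
        self.data_urls = []       # (tag, mime) for every data: src/href seen
        self.password_fields = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = (a.get("src") or a.get("href") or "").strip().lower()
        if tag in ("script", "link", "img") and url.startswith("data:"):
            # the MIME type sits between "data:" and the first ";" or ","
            self.data_urls.append((tag, re.split("[;,]", url[5:], maxsplit=1)[0]))
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1

def email_in_url(url):
    """True if the path, query or fragment carries an email address."""
    p = urlparse(url)
    return bool(EMAIL_RE.search(unquote(f"{p.path}?{p.query}#{p.fragment}")))

def score_page(url, html):
    """Return the indicators a page triggers; a login form whose script and
    styling arrive as data: URLs is the pattern the article describes."""
    f = PageFeatures()
    f.feed(html)
    hits = set()
    if any(tag == "script" for tag, _ in f.data_urls):
        hits.add("data-url-script")
    if f.password_fields and f.data_urls:
        hits.add("self-contained-login-page")
    if f.password_fields and email_in_url(url):
        hits.add("email-prefilled-from-url")
    return hits

# Constructed sample, not a real phishing page: data: CSS + JS, one password form.
SAMPLE_HTML = (
    '<html><head><link rel="stylesheet" href="data:text/css;base64,Ym9keXt9">'
    '<script src="data:text/javascript;base64,Y29uc29sZS5sb2coMSk="></script>'
    '</head><body><form action="/post"><input name="user">'
    '<input type="password" name="pw"></form></body></html>'
)
SAMPLE_URL = "https://example.invalid/login/#user@example.org"
```

Run `score_page(SAMPLE_URL, SAMPLE_HTML)` to see all three indicators fire on the constructed sample; a plain login page with externally fetched resources triggers none of them.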

Conclusion

Cyber criminals are adding complexity to phishing campaigns that steal sensitive information. With free services like Let’s Encrypt, it is becoming increasingly easy for attackers to host phishing sites behind SSL with a relatively short TTL for maximum hit rate.

Increasing cyber security awareness through training and education initiatives is very helpful in reducing the impact of credential phishing attacks, but corporate users should always be cautious when a site presents a form that asks for personal or sensitive information.

Menlo Security:      
