APT-Like Phishing Threat Mirrors Landing Pages

Published: 23/11/2024   Category: security




By dynamically mirroring an organization’s login page, threat actors are propagating legitimate-looking phishing attacks that encourage victims to offer up access to the corporate crown jewels.



A phishing campaign is underway that uses mirror images of target organizations' landing pages to trick victims into entering login credentials.
According to a report from security firm Avanan, the malicious actors are then able to use these harvested credentials to gain access to a treasure trove of personal or company files, and access to other applications and other places in the network.
The attack flow starts with emails telling targets that it's time to update their passwords, with a button to click. That takes them to a phishing page that appears to be the organization's Google domain, with a pre-populated email address and a Google reCAPTCHA form, further adding to the veneer of authenticity.
Here's the interesting part: The landing page is dynamically rendered, so that it changes the logo and background presented to match the legitimate domain from the user's email address.
Though the URL is completely unrelated to the company website, the page looks exactly like the real deal, according to the report, out today. In fact, it's a bit-for-bit mirror of the actual company site. The end user will have their email address pre-populated and see their traditional login page and background, making it incredibly convincing.
From there, the phishing page will either request the email twice as validation or use the credentials in real time in order to verify the password. If the password is good, the user will be directed to a real document or to the organization's home page.
Meanwhile, the user's browser receives a cookie that renders the phishing page unreachable, preventing any further analysis.
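The mirroring pattern described above leaves a checkable trace: the link carries the recipient's own address (which the page uses to pick its branding) while the host is unrelated to the organization or its identity provider. The heuristic below, an added example and not code from Avanan or the report, scores a login link on that mismatch; the `org_domains` set, the sample URLs and the two-label "registered domain" shortcut are assumptions.

```python
"""Flag login links that brand themselves with the recipient's own domain."""
import re
from typing import Optional
from urllib.parse import urlparse, unquote

# Matches an email address and captures its domain part.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def registered_domain(host: str) -> str:
    """Crude 'example.com' from 'login.example.com' (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def prefilled_email_domain(url: str) -> Optional[str]:
    """Return the domain of an email address carried in the query string or fragment."""
    parsed = urlparse(url)
    for part in (parsed.query, parsed.fragment):
        match = EMAIL_RE.search(unquote(part))
        if match:
            return match.group(1).lower()
    return None


def assess_login_link(url: str, org_domains: set) -> dict:
    """Score a link against approved login hosts (company domains plus its IdP, e.g. google.com)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    approved = {registered_domain(d) for d in org_domains}
    host_ok = registered_domain(host) in approved
    brand = prefilled_email_domain(url)
    findings = []
    if parsed.scheme != "https":
        findings.append("credential page not served over HTTPS")
    if not host_ok:
        findings.append(f"host {host} is not an approved login domain")
        if brand:
            # The page-mirroring signature: victim's address on an unrelated host.
            findings.append(f"prefilled address is @{brand} on an unrelated host")
    if not host_ok and brand:
        severity = "high"
    elif not host_ok:
        severity = "medium"
    elif findings:
        severity = "low"
    else:
        severity = "none"
    return {"host": host, "brand_domain": brand, "severity": severity, "findings": findings}


# Constructed sample: a lure link in the style the article describes (not a real indicator).
SAMPLE_LURE = "https://update-portal.example.net/login?email=alice%40victimcorp.example"
```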
Jeremy Fuchs, cybersecurity research analyst at Avanan, explains that the attackers are after usernames and passwords because of what they can access later.
They are after these credentials because they are incredibly valuable, he says. Passwords are keys to the kingdom. They can open financial documents, personnel files, employee records; they can lead to bank accounts and medical records. By stealing credentials, the attackers have a whole bevy of information at their fingertips.
Fuchs says he's seen this page-mirroring approach off and on for about two years, in attacks from the SPAM-EGY phishing-as-a-service group as well as advanced persistent threats (APTs).
This current spate of attacks follows the SPAM-EGY group's trademarks, but Avanan researchers note that these attacks differ by targeting Google domains instead of Microsoft 365.
This represents an evolution of this type of attack and thus may be carried out by a different group, according to the report.
Derek Manky, chief security strategist and vice president of global threat intelligence at Fortinet's FortiGuard Labs, agrees page-mirroring is not a new tactic but certainly an effective one. He points out such mirrored sites are often included in phishing kits that are sold through the crime-as-a-service (CaaS) model.
A recent report from Kaspersky says that workers tend not to notice pitfalls hidden in emails devoted to corporate issues and delivery problem notifications. But Fuchs says that, as with most phishing attacks, there are some telltale signs on which organizations need to train users.
It's important to remind employees to take two seconds and do two quick things: look at the sender address and the URL of the page, he advises. The sender address is often amiss; that's clue one that something is off. The URL will also likely be off; that's clue two. Infusing that into everything employees do is critical.
Manky adds that any credential transactions should be done securely (HTTPS/SSL), and the certificate should be checked, as the certificate is unique and would not be mirrored.
Of course, a site that looks completely legitimate will cause the victim to trust further — however, they should not be trusting the content but rather the flow, he adds.
Manky also notes that cyber-hygiene training is a necessity for everyone in the organization, with home workers, not just organizations, being targets of cyberattacks.
Multifactor authentication and password protection can help protect remote workers’ personal information, and knowing how to spot phishing emails and malvertising schemes will help employees avoid falling for these social engineering ploys, he says.
Kristina Balaam, senior threat researcher of threat intelligence at Lookout, says as the general public’s awareness of phishing threats increases, threat actors seem to recognize that they need to improve their tactics to successfully compromise their targets.
Users are becoming more discerning and aware of the risks that phishing campaigns pose to their personal and financial security, she explains. When page-mirroring is used to help ensure a phishing page closely replicates a legitimate authentication portal, users are more likely to place trust in the Web application and miss more sophisticated indicators of compromise.
She adds that while some phishing campaigns may use incorrect branding or contain extensive grammatical errors, these more sophisticated pages may only reveal themselves through less obvious indicators, like slightly misspelled (that is, typosquatted) domains or missing SSL certificates.
Phishers take what works and amplify it. If something works, they'll keep at it, Fuchs says. Given that many of these attacks are available as downloadable kits, the barrier to entry is far lower.
From his perspective, that means there will likely be a continued proliferation of these types of attack spread by various groups, both APT and non-APT alike. Balaam agrees and says she believes this convergence reflects a shift in the willingness of financially motivated threat actors to increase their investment in their campaigns to improve their success rates and generate a greater return on their investments.
For IT security, this shift seems to be leading us toward a marked increase in the number of everyday users targeted by more sophisticated campaigns with TTPs previously employed primarily by APT actors, she says.
Other recent phishing campaigns from the current avalanche of attacks also show ever-greater sophistication, including the Ducktail spear-phishing campaign and a phishing kit that injects malware into legitimate WordPress sites.
