A recent phishing campaign is specifically targeting senior executives at firms based in the United States. It uses the well-known EvilProxy phishing toolkit, which operates as an adversary-in-the-middle (AiTM) proxy, with the goal of harvesting login credentials and taking over accounts.
According to Menlo Security, the activity began in July 2023 and focuses on the banking and financial services, insurance, property management and real estate, and manufacturing sectors.
In a report published last week, security researcher Ravisankar Ramprasad said the attackers abused an open redirect vulnerability on the job search portal ‘indeed.com’ to send unsuspecting users to phishing pages designed to imitate Microsoft.
EvilProxy, first identified by Resecurity in September 2022, works as a reverse proxy placed between the victim and a genuine login page. It intercepts passwords, two-factor authentication (2FA) codes, and session cookies as they pass through, allowing the operators to compromise the targeted accounts.
The operators of the AiTM phishing kit are tracked by Microsoft as Storm-0835 and are believed to have a sizeable customer base.
According to Microsoft, these customers run daily phishing campaigns and pay monthly license fees of between $200 and $1,000 USD. Because so many different threat actors use the service, attributing individual campaigns to specific actors is not feasible.
Menlo Security reports that the targets receive phishing emails containing a link that appears to lead to the legitimate Indeed website. When a recipient clicks it, they are instead redirected to an EvilProxy phishing page whose purpose is to capture the credentials they enter.
This works because of an open redirect vulnerability: a site that fails to validate user-supplied input can be made to redirect visitors to an arbitrary web page, circumventing established security measures and the trust users place in the original domain.
According to Ramprasad, the subdomain ‘t.indeed.com’ accepts parameters that cause it to redirect the client to a different destination, such as ‘example.com’.
The query string after the ‘?’ symbol contains a set of parameters specific to indeed.com together with a target parameter whose value is the destination URL. When the user clicks the link, they are forwarded to example.com. In a real attack, the destination is instead a phishing website built to deceive the user and harvest sensitive information.
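The following Python is an added example, not code from the article or from Indeed, showing how a defender can (a) scan links in inbound mail for a redirect parameter whose destination leaves the trusted domain, and (b) how a site can validate a redirect target against an allow-list instead of forwarding blindly. The sample links, the parameter name `target`, the tracking parameter `tk`, and the helper names are all constructed assumptions for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample links (not taken from the article). The first and last
# redirect back to the same site; the middle two point off-site, which is the
# shape an open-redirect abuse takes in a phishing email.
SAMPLE_LINKS = [
    "https://t.indeed.com/?tk=abc123&target=https%3A%2F%2Fwww.indeed.com%2Fjobs",
    "https://t.indeed.com/?tk=abc123&target=https%3A%2F%2Fexample.com%2Flogin",
    "https://t.indeed.com/?tk=abc123&target=%2F%2Fexample.com%2Flogin",
    "https://t.indeed.com/?tk=abc123&target=%2Faccount%2Fsettings",
]

# Query parameter names commonly used to carry a redirect destination (assumption).
REDIRECT_PARAMS = ("target", "url", "redirect", "next", "return_to")


def host_allowed(host: str, site_suffixes) -> bool:
    """True if host is one of the trusted domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in site_suffixes)


def classify_target(target: str, site_suffixes) -> str:
    """Classify a decoded redirect value as 'relative', 'internal' or 'external'.

    Handles the usual bypass shapes: absolute URLs, protocol-relative '//host',
    backslash variants browsers treat as slashes, and non-http schemes.
    """
    target = target.strip().replace("\\", "/")
    parsed = urlparse(target)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return "external"            # javascript:, data:, etc. never allowed
    if parsed.scheme and not parsed.netloc:
        return "external"            # malformed 'https:/host' that browsers repair
    if parsed.netloc:
        host = parsed.hostname or ""
        return "internal" if host_allowed(host, site_suffixes) else "external"
    if target.startswith("//"):
        return "external"            # defensive; urlparse already sets netloc here
    return "relative"


def find_redirect_targets(link: str, site_suffixes):
    """Return (param, value, classification) for each redirect-like parameter."""
    query = parse_qs(urlparse(link).query, keep_blank_values=True)
    findings = []
    for name, values in query.items():
        if name.lower() in REDIRECT_PARAMS:
            for value in values:
                findings.append((name, value, classify_target(value, site_suffixes)))
    return findings


def flag_open_redirects(links, site_suffixes=("indeed.com",)):
    """Detection side: links whose redirect parameter leaves the trusted domain."""
    return [
        link for link in links
        if any(cls == "external" for _, _, cls in find_redirect_targets(link, site_suffixes))
    ]


def safe_redirect_target(raw_target: str, site_suffixes, fallback: str = "/") -> str:
    """Mitigation side: what a redirect endpoint should do with a user-supplied target."""
    if classify_target(raw_target, site_suffixes) in ("relative", "internal"):
        return raw_target
    return fallback                  # refuse off-site destinations


if __name__ == "__main__":
    for link in flag_open_redirects(SAMPLE_LINKS):
        print("suspicious redirect:", link)
```

The detection half is the check a mail gateway or SOC script would run over extracted URLs: the link's own host is trusted, so a reputation lookup on it passes, and only the `target` value reveals the off-site destination. The mitigation half is the allow-list a redirect endpoint should enforce; matching on the host suffix (rather than a substring) is what stops `indeed.com.attacker.example` style lookalikes from passing.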
A related and worrying trend is threat actors using Dropbox to host counterfeit login pages containing embedded URLs; when visited, these URLs send users to fraudulent sites built to steal Microsoft account credentials, as part of a broader business email compromise (BEC) operation.
Check Point said this is another example of attackers using legitimate services in what it calls BEC 3.0 attacks, which are difficult for both security services and end users to prevent and detect.
Microsoft's Digital Defense Report likewise observes that threat actors are adapting their social engineering techniques and using technology to carry out increasingly sophisticated and costly Business Email Compromise (BEC) attacks that abuse cloud-based infrastructure and exploit trusted business relationships.
Separately, the Police Service of Northern Ireland has warned of a rise in phishing emails that deliver a PDF document or PNG image file containing a QR code, a tactic intended to evade detection and lure recipients into visiting malicious websites and divulging their credentials.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he has also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the content field in an unusual way: he began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. He also frequently writes for Craw Security.