Posted on March 8, 2021 at 11:18 AM
The malicious hacking space is never quite asleep, constantly innovating to try and take from their victims even more effectively. Zscaler gave out a report about the latest iteration of this innovation: A phishing campaign impersonating Microsoft and using phony Google ReCAPTCHA.
Zscaler Quick To Take Credit
The aim of the game with this campaign, in particular, seems to be to steal the credentials of senior employees at various organizations. Most likely, this can be attributed to these malicious actors trying to gain as much access with as few credentials as possible.
If even one of those senior employees fell for it, the attackers would have good access to whatever system that employee came from. Not one to miss the opportunity, the security firm made it abundantly clear that it had taken part in preventing more than 2,500 phishing emails from being sent out, as well
A Targeted Campaign
Now, ThreatLabZ, the official threat research team of Zscaler, was the one that actually caught on to the campaign. In their report, they reveal that this phishing campaign has been ongoing since December of 2020.
It also seems that the main target of this phishing campaign isn’t just the average Joe, but primarily senior employees in the banking sector. The IT industry is another primary target of this phishing campaign, but the campaign itself is spread across numerous industries.
This makes it clear that this was a targeted phishing attack. It should be noted that phishing campaigns leveraging fake ReCAPTCHAs have been around for the past few years, but this attack stands out for its targeted, concise nature.
As for how the campaign operates: victims are sent an email from the attackers, with the phishing emails made to look as if they come from one of the unified communication systems corporations use for streamlined communication. Of course, this email contains a malicious attachment, which is where all the nasty stuff begins.
The Finer Details
The attachment itself is an HTML file, and redirects the victim to a .xyz phishing domain once opened. This page disguises itself as a legitimate ReCAPTCHA Google page, all in a bid to deceive the victims into thinking they’re someplace official.
After the users verify this fake ReCAPTCHA, they are directed to a fake Microsoft login page. There, the victims are prompted to enter their respective private credentials. In order to seem more legitimate, the page shows a “Validation Successful” message after the information is entered.
Gayathri Anbalagan, Zscaler’s Lead Researcher, gave a statement about the matter at large. In that statement, the phishing campaign was officially classified as a BEC attack. Anbalagan noted that no specific threat actor could be attributed to this new campaign, but warned that it had to be a coordinated action given the target profiles and operational theme.
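The attachment chain described above (an HTML file that redirects to a .xyz domain dressed up as a ReCAPTCHA and Microsoft sign-in page) lends itself to a simple triage check for mail-gateway or incident-response use. The following is an added example written for this page from a defender’s perspective; it is not code from the article or from Zscaler. It assumes the two traits the article names as its heuristics (an external redirect to a .xyz domain, plus ReCAPTCHA/Microsoft branding text) and uses a constructed sample attachment whose domain is a placeholder, not a real indicator.

```python
"""Triage an HTML email attachment for the redirect-plus-impersonation pattern.

Added example for illustration; heuristics (SUSPICIOUS_TLDS, IMPERSONATION_TERMS)
are assumptions, not indicators published in the report.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachment (placeholder domain, not a real IoC): it redirects
# via a meta refresh, via inline JavaScript, and posts a form to the same host.
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0; url=https://login-verify.example.xyz/captcha">
<script>window.location.href = "https://login-verify.example.xyz/captcha";</script>
</head><body>
<p>Please complete the reCAPTCHA to view your secure message.</p>
<form action="https://login-verify.example.xyz/auth"><input name="password"></form>
</body></html>"""

# Constructed benign attachment with no redirects or branding text.
BENIGN_ATTACHMENT = "<html><body><p>Meeting notes attached. Thanks!</p></body></html>"

SUSPICIOUS_TLDS = {"xyz"}  # assumption: TLD named in the article
IMPERSONATION_TERMS = ("recaptcha", "microsoft", "office 365", "sign in", "validation successful")


class RedirectExtractor(HTMLParser):
    """Collect redirect targets from meta refresh tags, form actions and inline scripts."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s>]+)", a.get("content") or "", re.I)
            if m:
                self.urls.append(m.group(1))
        elif tag == "form" and a.get("action"):
            self.urls.append(a["action"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_script:
            self.urls += re.findall(
                r"""(?:location(?:\.href)?\s*=|location\.replace\()\s*['"]([^'"]+)['"]""", data)


def analyze_attachment(html: str) -> dict:
    """Return the redirect domains found and a coarse verdict for the attachment."""
    parser = RedirectExtractor()
    parser.feed(html)
    domains = sorted({h for h in (urlparse(u).hostname for u in parser.urls) if h})
    suspicious = [d for d in domains if d.rsplit(".", 1)[-1].lower() in SUSPICIOUS_TLDS]
    lowered = html.lower()
    terms = [t for t in IMPERSONATION_TERMS if t in lowered]
    if suspicious and terms:
        verdict = "suspicious"      # both traits from the article are present
    elif suspicious or terms:
        verdict = "review"          # one trait only: hand to an analyst
    else:
        verdict = "clean"
    return {"redirect_domains": domains, "suspicious_domains": suspicious,
            "impersonation_terms": terms, "verdict": verdict}


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        print(name, analyze_attachment(doc))
```

Run against a mailbox export, the `redirect_domains` list is the field worth keeping: it gives a blocklist candidate and a pivot for hunting the same host in proxy logs, which is how a single reported email turns into campaign-wide detection.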
Chaos Leads To Opportunity
Ever since the COVID-19 pandemic struck, hackers across the globe have found themselves with brand-new opportunities. In particular, more advanced tactics could be used within the social engineering front to start targeting people for their credentials and finances.
Some of the more notable campaigns include one that occurred in January of this year. Trend Micro, another security firm, managed to uncover yet another targeted phishing, or “spearphishing,” campaign. This one disguised itself as a fake update for Microsoft Office 365 and targeted business officials, trying to steal their private credentials.
That campaign occurred back in May of 2020. The attack’s entire schtick revolved around a compromised Virtual Private Network, or VPN, coupled with malicious URLs. In the statement, it was revealed that the malicious actors managed to re-use compromised hosts in order to create phishing pages.
These pages, in turn, targeted various organizations from numerous industries, such as real estate, manufacturing, government, finance, and even technological industries. The attacks also went wide in terms of nations, targeting the US, Japan, Canada, the UK, Australia as well as Europe.
As always, users are encouraged to refrain from responding to, or clicking attachments and URLs in, any email that seems even remotely suspicious. This day and age is one where your entire account can be drained because you clicked the wrong attachment. The more money in a sector, the more likely that sector is to be attacked with targeted phishing campaigns such as the two mentioned above.