Posted on August 24, 2022 at 8:13 PM
A recent report by Palo Alto Networks Unit 42 noted that threat actors are taking advantage of legitimate software-as-a-service (SaaS) platforms such as personal branding spaces and website builders. The attackers abuse these platforms to host malicious phishing sites that steal login credentials.
The report revealed a significant increase in this abuse. Data collected by the research team shows that from June 2021 to June 2022, threat actor activity on SaaS platforms increased by an astonishing 1,100%.
SaaS Provides Several Benefits For The Attackers
These threat actors are increasingly using SaaS for phishing because it gives them several advantages. One of the benefits is bypassing the need to understand coding that will create websites that look genuine. Other benefits include enjoying high availability and evading alerts from email security systems.
Additionally, SaaS platforms streamline and simplify the processes of creating new sites. This makes it easier for threat actors to move between different themes, diversify and scale up their operations, as well as react quickly to takedowns. It enables them to stay in the game while remaining persistent in their attacks on systems.
Unit 42 divided the compromised platforms into six categories. They include personal portfolio spaces, note-taking and documentation, writing platforms, website builders, file sharing and hosting sites, as well as form and survey builders.
The filtering system of Palo Alto Networks discovered an increase in abuse across all categories. However, form builders, website builders, and collaboration platforms have been identified as the most significant categories.
There Is A Notable Rise In Form Builders
The stats also show a significant increase in October 2021 mainly due to a quick surge in the abuse of form builders.
Last year, Cyren reported on the unbridled abuse of “typeform.com” for phishing. Corroborating this, an older report by Trend Micro described abuse of “formtools.com” and “123formbuilder.com”, and Cofense highlighted the abuse of “canva.com”, placing them in a similar category to the others.
During the same period, another surge was discovered. This time it was augmented by the abuse of a personal branding site that the report did not mention.
Additionally, Unit 42 explained that in several instances the threat actors host their credential-stealing pages directly on the abused services. This allows them to simply email targets a URL that leads straight to the page.
In other instances, however, the credential-stealing forms are not found on the landing pages hosted on the abused services. Instead, the landing page redirects the victim to another site where the credential theft continues.
The threat actors can use a bulletproof hosting provider for the phishing site, since such providers do not respond to takedown requests. As a result, phishing actors can follow this practice to raise campaign uptime at the cost of a lower conversion rate. The researchers noted that the phishing actors are well organized and use all kinds of techniques to stay under the radar and evade security programs.
Additionally, the threat actors are using a different approach to prevent a takedown even if the phishing page is not well protected. They can hide it behind an additional layer to reduce the work required to set everything up again in the case of a takedown.
Also, even if the final credential-stealing page is pulled down, the threat actor can alter the link and redirect to a new credential-stealing page. This keeps the effectiveness of the main campaign intact.
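The two hosting patterns described above (a credential form hosted directly on the SaaS platform, or a SaaS-hosted landing page that redirects off-platform to a page the actor can swap out after a takedown) suggest a simple triage rule for defenders: record the whole redirect chain starting from a link in an email, not just the final URL. The following Python is an added example written for this article; it is not Unit 42's tooling or code from the report. The domain list (the four form/site builders named in the article), the redirect map and the function names are assumptions constructed for the demo; in practice the redirect chain would come from a sandboxed URL detonation or web proxy logs rather than a hard-coded dictionary.

```python
"""Triage email links for the SaaS-hosted phishing pattern (added example)."""
from urllib.parse import urlsplit

# Constructed: SaaS form/site-builder domains the article names as abused.
# A real deployment would feed this from threat intel rather than hard-code it.
SAAS_BUILDER_DOMAINS = {
    "typeform.com",
    "formtools.com",
    "123formbuilder.com",
    "canva.com",
}

# Constructed redirect map standing in for sandbox/proxy observations.
# URL -> URL it redirects to. Paths and subdomains are placeholders.
SAMPLE_REDIRECTS = {
    # SaaS landing page that bounces the victim to an off-platform credential page
    "https://example.typeform.com/to/PLACEHOLDER": "https://login-verify.example.net/index.php",
    # Off-platform page that redirects once more (actor rotated the final page)
    "https://login-verify.example.net/index.php": "https://account-check.example.net/login",
}


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (a.b.example.com -> example.com).

    Naive on purpose: ignores multi-part public suffixes such as co.uk,
    which is acceptable for this demo but not for production use.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_saas_builder_host(url: str) -> bool:
    """True if the URL's host belongs to one of the listed SaaS builders."""
    host = urlsplit(url).hostname or ""
    return registered_domain(host) in SAAS_BUILDER_DOMAINS


def follow_redirects(url: str, redirect_map: dict, max_hops: int = 5) -> list:
    """Walk the redirect map from url and return every URL visited in order.

    Stops after max_hops redirects so a redirect loop cannot run forever.
    """
    chain = [url]
    while chain[-1] in redirect_map and len(chain) <= max_hops:
        chain.append(redirect_map[chain[-1]])
    return chain


def triage_link(url: str, redirect_map: dict) -> dict:
    """Classify a link into one of the hosting patterns from the article.

    not_saas_hosted:                   first hop is not on a listed SaaS builder
    saas_hosted_form:                  chain starts and ends on a SaaS builder
    saas_landing_redirects_offplatform: SaaS landing page leads to another site
    The full chain is returned so blocklists can cover every hop, not just the
    final page the actor may replace after a takedown.
    """
    chain = follow_redirects(url, redirect_map)
    if not is_saas_builder_host(chain[0]):
        return {"verdict": "not_saas_hosted", "chain": chain}
    final_host = urlsplit(chain[-1]).hostname or ""
    if registered_domain(final_host) in SAAS_BUILDER_DOMAINS:
        return {"verdict": "saas_hosted_form", "chain": chain}
    return {
        "verdict": "saas_landing_redirects_offplatform",
        "chain": chain,
        "final_host": final_host,
    }


if __name__ == "__main__":
    for link in (
        "https://example.typeform.com/to/PLACEHOLDER",
        "https://example.123formbuilder.com/form/PLACEHOLDER",
        "https://www.example.org/newsletter",
    ):
        print(triage_link(link, SAMPLE_REDIRECTS))
```

The verdict that matters operationally is `saas_landing_redirects_offplatform`: blocking only the final host leaves the SaaS landing page live, and the article notes that actors simply point it at a fresh page. Recording every hop in `chain` lets a team report the SaaS-hosted page to the platform while blocking the downstream hosts at the proxy.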
The Attack Could Persist For A Long Time
The researchers also admitted that it will be very difficult to stop the abuse of legitimate SaaS platforms. Even an aggressive email filter against these services will not do much good. That is why they have become the best option for phishing actors, and the reason their abuse has increased since last year. More and more threat actors are discovering the method and using it to gain a foothold on SaaS platforms.
As a result, the researchers have cautioned users and advised them on what to do in these situations. Users should avoid clicking links in a message that requests, or claims to require, urgent action.
Instead of responding to such messages via their email, users should use search engines to locate the legitimate website of the potentially spoofed platform. Users who are requested to enter their account details on a particular site should be very careful. They should ensure that they are filling in the boxes on the legitimate website to avoid being the unfortunate victims of the phishing actors.