Posted on August 5, 2022 at 7:09 PM
Security researchers at Zscaler’s ThreatLabz group have uncovered a large-scale phishing campaign that utilizes the adversary-in-the-middle (AiTM) attack method to bypass multi-factor authentication (MFA).
The researchers stated that the main goal of the campaign is to take over corporate mailboxes and use them for business email compromise (BEC). In a typical BEC attack the compromised mailbox is used to redirect payments to attacker-controlled bank accounts, usually backed by forged invoices or other fake documents.
According to the researchers, the campaign's defining feature is how it defeats MFA. The phishing site does not simply collect a password: it sits between the victim and the genuine Microsoft login service as a proxy, relaying the credentials and the MFA challenge in both directions. The victim completes MFA as normal, and the proxy captures the authenticated session cookie that results, which the attacker can then replay without ever being asked for a second factor. ThreatLabz also noted that the kit is built to evade network security controls and email scanning, giving the attackers access to the victim's account for as long as the stolen session remains valid.
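The mechanism above has a consequence for defenders: the sign-in itself can look legitimate, because the real user supplied both the password and the MFA code, so the observable is the resulting cookie being presented later by a different client. The following is an added example (not code from Zscaler's report or from Microsoft) of that heuristic over a constructed sign-in log; the record format, field names and all IPs and user agents are assumptions for the demo.

```python
"""Heuristic detection of session-cookie replay after an AiTM sign-in.

Added example, not code from Zscaler's report or from Microsoft. The log format
is constructed for the demo: each record is (timestamp, event kind, session id,
source IP, user agent) as an identity provider or reverse proxy might record it.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Event:
    ts: int       # seconds since epoch (constructed values)
    kind: str     # "signin" = password + MFA accepted, cookie minted; "request" = cookie presented
    session: str  # opaque identifier for the session cookie
    ip: str
    ua: str


# Constructed sample: sess-A is minted by a sign-in that looks normal, then the same
# cookie is presented from a different IP by a scripted client; sess-B is benign;
# sess-C turns up with no sign-in on record at all (cookie minted outside this log).
SAMPLE_LOG = [
    Event(1660000000, "signin",  "sess-A", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Edge/103"),
    Event(1660000120, "request", "sess-A", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Edge/103"),
    Event(1660000300, "request", "sess-A", "198.51.100.7", "python-requests/2.28"),
    Event(1660000400, "signin",  "sess-B", "192.0.2.5",    "Mozilla/5.0 (Macintosh) Safari/605"),
    Event(1660000500, "request", "sess-B", "192.0.2.5",    "Mozilla/5.0 (Macintosh) Safari/605"),
    Event(1660000600, "request", "sess-C", "198.51.100.7", "curl/7.84"),
]


def detect_session_replay(events: Iterable[Event]) -> List[Dict]:
    """Return one finding per request whose client does not match the sign-in that minted its cookie.

    Under AiTM the sign-in can pass every check (the real user typed the password and the
    MFA code, relayed by the proxy), so the signal is the cookie later arriving from a
    client that is not the one that authenticated. IP alone is noisy for roaming users,
    so IP and User-Agent are compared and reported separately.
    """
    origin: Dict[str, Event] = {}
    findings: List[Dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "signin":
            origin[ev.session] = ev
            continue
        base = origin.get(ev.session)
        if base is None:
            findings.append({"session": ev.session, "ip": ev.ip,
                             "reason": "request without observed sign-in"})
            continue
        changed = [name for name, before, after in
                   (("ip", base.ip, ev.ip), ("user_agent", base.ua, ev.ua)) if before != after]
        if changed:
            findings.append({"session": ev.session, "ip": ev.ip, "signin_ip": base.ip,
                             "reason": "+".join(changed) + " changed after sign-in",
                             "seconds_after_signin": ev.ts - base.ts})
    return findings


if __name__ == "__main__":
    for finding in detect_session_replay(SAMPLE_LOG):
        print(finding)
```

Run stand-alone it prints two findings: the sess-A cookie replayed 300 seconds after sign-in from a new IP and user agent, and the orphan sess-C request. Treat the output as a triage queue rather than a verdict; a genuine user switching from Wi-Fi to mobile data also changes IP, which is why the user-agent change is reported as a separate field.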
The campaign targets organizations in several sectors, including accounting, insurance, finance, lending, FinTech and energy, as well as U.S. Federal Credit Unions.
The Campaign Is Still Very Active
The researchers stated that the campaign is still very active and the attackers are creating more phishing emails daily to continue their attacks.
ThreatLabz first observed the campaign in June 2022, noting a broader increase in the use of advanced phishing kits against users of Microsoft email services.
The attack begins with an invoice-themed email sent to the victim. The malicious link is either embedded in an attached HTML file or presented as a button in the message body; clicking it sends the recipient through one or more redirects to the phishing page.
The phishing page impersonates the Microsoft Office login page. Before serving it, however, the kit fingerprints the visitor to decide whether they are an intended target of the campaign, and only then shows the fake login form.
The Hackers Use Different Methods To Target Victims
The threat actors use several methods to reach their intended victims and to make the phishing message look like a legitimate request or activity.
Among these are open-redirect pages on DoubleClick, Snapchat and Google Ads. The phishing URL is wrapped inside a link on one of these trusted domains, so the recipient, and any URL check that stops at the first hop, sees a well-known host rather than the attacker's. This works because several platforms do not treat open redirects as a security vulnerability and leave them in place, which makes them easy to abuse.
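A URL that arrives through such a redirect chain can usually be unwrapped without making any request, because the destination travels in a query parameter, percent-encoded once per hop or base64-encoded. The following is an added example (not code from Zscaler's report) of that static unwrapping; the redirector host list, the sample URLs and the `adurl` and `d` parameter names are constructed for the demo, and the technique does not depend on knowing the parameter name.

```python
"""Unwrap open-redirect / ad-click URLs to recover the real landing page without
touching the network.

Added example, not from the Zscaler report. The redirector host list and the
sample URLs (including the 'adurl' and 'd' parameter names) are constructed for
the demo. The technique does not depend on the parameter name: any query or
fragment value that decodes to an absolute URL is treated as the next hop, and
the process repeats until no nested URL remains.
"""
import base64
import binascii
from typing import List, Optional
from urllib.parse import parse_qsl, urlsplit

# Hosts seen fronting redirects in this kind of campaign (constructed list, not exhaustive).
KNOWN_REDIRECTORS = {"ad.doubleclick.net", "www.googleadservices.com", "click.snapchat.com"}


def _is_abs_url(s: str) -> bool:
    return s.startswith(("http://", "https://"))


def _b64_url(s: str) -> Optional[str]:
    """Some redirectors carry the destination base64-encoded, often with padding stripped."""
    padded = s + "=" * (-len(s) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            out = decoder(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if _is_abs_url(out):
            return out
    return None


def nested_urls(url: str) -> List[str]:
    """All absolute URLs carried in the query or fragment values of `url`.

    parse_qsl percent-decodes exactly once, which mirrors what each real redirect
    does, so a doubly-encoded inner URL is recovered one layer per hop.
    """
    parts = urlsplit(url)
    found: List[str] = []
    for section in (parts.query, parts.fragment):
        for _, value in parse_qsl(section, keep_blank_values=True):
            if _is_abs_url(value):
                found.append(value)
            else:
                decoded = _b64_url(value)
                if decoded:
                    found.append(decoded)
    return found


def unwrap(url: str, max_hops: int = 5) -> List[str]:
    """Follow nested destinations statically; returns the chain starting with `url`."""
    chain = [url]
    for _ in range(max_hops):
        inner = nested_urls(chain[-1])
        if not inner:
            break
        chain.append(inner[0])
    return chain


def triage(url: str) -> dict:
    """Summarize what a reputation check would miss if it judged only the first hop."""
    chain = unwrap(url)
    first_host = urlsplit(chain[0]).hostname or ""
    landing_host = urlsplit(chain[-1]).hostname or ""
    return {
        "hops": len(chain) - 1,
        "via_known_redirector": first_host in KNOWN_REDIRECTORS,
        "landing_host": landing_host,
        "host_changed": first_host != landing_host,
        "chain": chain,
    }


# Constructed samples on reserved example hosts: an ad-click style wrapper around a
# second redirector around the phishing host, and a base64-carrying redirector.
PHISH = "https://login.example-fcu.test/signin"
SAMPLE_ADCLICK = ("https://ad.doubleclick.net/clk?adurl="
                  "https%3A%2F%2Fredirect.example%2Fgo%3Furl%3D"
                  "https%253A%252F%252Flogin.example-fcu.test%252Fsignin")
SAMPLE_B64 = "https://redirect.example/r?d=" + base64.urlsafe_b64encode(PHISH.encode()).decode().rstrip("=")

if __name__ == "__main__":
    for sample in (SAMPLE_ADCLICK, SAMPLE_B64):
        print(triage(sample))
```

For `SAMPLE_ADCLICK` the chain has two hops and lands on `login.example-fcu.test`, which is the host that should be fed to reputation and typosquat checks rather than `ad.doubleclick.net`. The limitation is that redirects implemented in JavaScript or a meta refresh on the intermediate page carry nothing in the URL and can only be followed by fetching the page in a sandbox.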
Additionally, some of the domains registered by the threat actors were typo-squatted versions of the domains of genuine U.S. Federal Credit Unions.
From their initial analysis of the emails, the ThreatLabz researchers noted a telling pattern: the sender addresses belonged to chief executives of Federal Credit Union organizations.
This indicates that the attackers had already compromised those executives' corporate mailboxes, most likely through the same phishing campaign, and were using them to send further phishing emails to business contacts. Some of the fake domain names also contain keywords related to 'password expiry' and 'password reset' reminders, matching the lure used in the emails.
The researchers also noted that several other domains used in the campaign follow no particular pattern and appear to be randomly generated.
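The three domain patterns just described (typo-squats of a known brand, 'password expiry / reset' lures, and random-looking labels) can be scored with a few lines of string logic. The following is an added example (not code from Zscaler's report); the legitimate-domain list and every sample host are constructed placeholders rather than real credit unions, the homoglyph table and thresholds are assumptions, and public-suffix handling is deliberately crude.

```python
"""Score a domain for typo-squatting of a known brand, for 'password expiry / reset'
lure keywords, and for random-looking labels.

Added example, not from the Zscaler report. LEGIT_DOMAINS and every sample host
are constructed placeholders, not real credit unions; swap in your own brand list.
Public-suffix handling is deliberately crude (second-to-last label only).
"""
import math
from typing import Dict
from urllib.parse import urlsplit

LEGIT_DOMAINS = ["examplefcu.org", "northriverfcu.org", "sample-creditunion.com"]  # constructed
LURE_KEYWORDS = ("password", "passwd", "pwd", "expir", "reset", "verify", "mfa", "login")

# Digits and symbols attackers swap for look-alike letters; hyphens are dropped so
# "example-fcu" and "examplefcu" compare equal. Table is an assumption, extend as needed.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "@": "a", "-": ""})


def hostname(url_or_host: str) -> str:
    target = url_or_host if "://" in url_or_host else "//" + url_or_host
    return (urlsplit(target).hostname or "").rstrip(".")


def brand_label(host: str) -> str:
    """Second-level label, e.g. 'examplefcu' from 'mail.examplefcu.org' (ignores co.uk-style suffixes)."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label: str) -> str:
    return label.lower().translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0


def score_domain(url_or_host: str) -> Dict:
    host = hostname(url_or_host)
    label = brand_label(host)
    norm = normalize(label)
    nearest, distance, brand_embedded = None, None, False
    for legit in LEGIT_DOMAINS:
        legit_norm = normalize(brand_label(legit))
        d = levenshtein(norm, legit_norm)
        if distance is None or d < distance:
            nearest, distance = legit, d
        if legit_norm in norm and legit_norm != norm:
            brand_embedded = True          # brand wrapped in extra words, e.g. brand-password-expiry
    lures = [k for k in LURE_KEYWORDS if k in host]
    entropy = shannon_entropy(label)
    if host in LEGIT_DOMAINS:
        verdict = "legitimate"
    elif distance <= 2 or brand_embedded:
        verdict = "typosquat"              # transposition, homoglyph, or embedded brand
    elif lures:
        verdict = "lure-keyword"
    elif len(label) >= 10 and entropy > 3.5:
        verdict = "randomized"             # long label, almost every character distinct
    else:
        verdict = "unknown"
    return {"host": host, "verdict": verdict, "nearest": nearest, "distance": distance,
            "brand_embedded": brand_embedded, "lures": lures, "entropy": round(entropy, 2)}


if __name__ == "__main__":
    for sample in ("examplefcu.org", "https://exampelfcu.org/login", "examp1efcu.org",
                   "northriverfcu-password-expiry.com", "password-reset-notice.com", "xk7qz9w2mvbh.top"):
        print(score_domain(sample))
```

Homoglyph normalization runs before the edit-distance comparison, so `examp1efcu.org` scores distance 0 to the brand yet is still flagged because the host itself is not on the legitimate list. The entropy rule is the weakest of the three and is only consulted when nothing else fires; short or dictionary-like labels never reach it.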
The campaign also uses several different redirection methods, and legitimate online code-editing services such as Glitch and CodeSandbox are abused to host the redirect code, which helps keep the campaign running when individual domains are taken down.
BEC Attackers Are Constantly Updating Their Tactics
The same sophistication shows in how the redirect code is hosted. The attackers create small pages on services built for web developers, each containing code that forwards the visitor to the phishing site, and then mail links to these hosted pages to victims in bulk. Because the pages sit on reputable domains, the links are less likely to be blocked or to raise suspicion.
Business email compromise (BEC) continues to grow in popularity among threat actors targeting business organizations and corporate networks, and attackers keep updating their techniques and tactics to get past security controls, which makes these attacks harder to spot.
As a result, organizations are advised to strengthen their security controls, including monitoring and mitigation, to protect their networks.