
Microsoft research has revealed what it claims are the three most notable phishing attack techniques employed in 2019, with an anti-malware researcher referring to one of the attacks as taking “impersonation to the next level”. Here's how the attacks worked.
Common to all three techniques was the abuse of legitimate cloud services, including those from Microsoft, Google and Amazon, according to a blog post by Patrick Estavillo, senior anti-malware researcher at Microsoft.
The attacks were identified by studying Office 365 ATP signals, which Microsoft uses in an attempt to understand attacker activity.
Search result hijacking
The first notable phishing campaign Microsoft picked up on used Google search result links that pointed to an attacker-controlled page, which then redirected to a phishing page.
To generate enough traffic to make the redirector page the top result for specific keywords, the attackers used traffic generators.
This meant phishers could send phishing emails whose links were legitimate Google URLs, lending them a trusted domain. Example URLs listed on the blog included:
- hxxps://www[.]google[.]ru/#btnI&q=%3Ca%3EhOJoXatrCPy%3C/a%3E
- hxxps://www[.]google[.]ru/#btnI&q=%3Ca%3EyEg5xg1736iIgQVF%3C/a%3E
This was then combined with location-specific search results: European search results would lead to the redirector website c77684gq[.]beget[.]tech, which would then forward to the phishing page, while non-European search results would turn up empty.
This attack worked by ensuring c77684gq[.]beget[.]tech was the top result for the keyword “hOJoXatrCPy” from specific locations. To do this, the HTML code of the site contained a redirector script and anchor elements with the anchor elements designed to be crawled by search engines to establish results for the keyword, according to the blog.
Fake 404 pages
Another attack employed by phishers was the creation of custom 404 pages designed to look like the real Microsoft account log-in page.
Because any non-existent URL on such a site would serve the custom 404 page, Estavillo’s post claimed that phishers could generate a seemingly unlimited number of random phishing URLs.
One example of this was to simply add a character at the end of a URL to create a second URL, both of which would direct users to the same phishing page. Examples of these included:
- hxxps://skype-online8024[.]web[.]app/8cc1083b... LmNvbQ
- hxxps://skype-online8024[.]web[.]app/8cc1083b... LmNvbQs
Other fake 404 URLs would include randomised domains, which would allow for the number of phishing URLs to increase “exponentially”. Examples of these included:
- outlookloffice365usertcph4l3q[.]web[.]app
- outlookloffice365userdqz75j6h[.]web[.]app
- outlookloffice365usery6ykxo07[.]web[.]app
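Both of the patterns above leave recognisable traces in the link itself, so a mail filter can flag them before a user clicks. The following is an added example written for this article, not code from Microsoft's post: it refangs report-style URLs, detects Google “I'm Feeling Lucky” links (the `#btnI&q=` fragment) and recovers the search keyword they route through, and flags brand terms inside Firebase `web.app` subdomains. The brand-term list and the sample email body are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Brand terms the campaigns described above impersonated; extend for your own tenant (assumption).
BRAND_TERMS = ("office365", "outlook", "skype", "microsoft")
URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s<>]+")

def refang(url):
    """Turn the defanged notation used in threat reports back into a parseable URL."""
    url = url.replace("hxxp", "http").replace("[.]", ".")
    return url if "://" in url else "https://" + url  # bare hosts as listed in the article

def check_url(url):
    """Return the findings for one URL; an empty list means neither pattern matched."""
    findings = []
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    # Pattern 1: Google "I'm Feeling Lucky" link. btnI in the fragment sends the browser
    # straight to the top result for q, so the trusted google.* host is only a hop.
    if host.startswith("www.google.") and "btnI" in parts.fragment:
        frag = parse_qs(parts.fragment, keep_blank_values=True)  # parse_qs percent-decodes q
        q = frag.get("q", [""])[0]
        m = re.fullmatch(r"<a>([^<]+)</a>", q)  # keyword wrapped in a bare anchor element
        keyword = m.group(1) if m else q
        findings.append(f"google-feeling-lucky redirect via search term {keyword!r}")
    # Pattern 2: brand term inside a Firebase web.app subdomain,
    # e.g. outlookloffice365user<random>.web.app
    if host.endswith(".web.app"):
        label = host[: -len(".web.app")]
        if any(term in label for term in BRAND_TERMS):
            findings.append(f"brand lookalike on hosting subdomain {label!r}")
    return findings

def scan_text(text):
    """Map every URL found in an email body (defanged or not) to its findings."""
    results = {}
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;)")  # strip trailing punctuation from prose
        results[url] = check_url(url)
    return results

# Constructed sample body: the hosts are the ones quoted in the article, the paths are made up.
SAMPLE_BODY = """Your mailbox is full. Review now:
hxxps://www[.]google[.]ru/#btnI&q=%3Ca%3EhOJoXatrCPy%3C/a%3E
Or sign in at hxxps://outlookloffice365usertcph4l3q[.]web[.]app/ttss/login.
Reference: https://docs.microsoft.com/en-us/microsoft-365/ (legitimate)."""

if __name__ == "__main__":
    for url, hits in scan_text(SAMPLE_BODY).items():
        print(url, "->", hits or "clean")
```

The keyword recovered from the `q` parameter (here `hOJoXatrCPy`) is what the search engine was seeded to rank the redirector for, so it is a useful pivot when hunting for related messages.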
Man-in-the-middle component
Impersonation is the key to phishing, and in Microsoft’s third noticeable example, Estavillo’s post claimed that phishers “took impersonation to the next level”.
“Instead of attackers copying elements from the spoofed legitimate website, a man-in-the-middle component captured company-specific information like logos, banners, text, and background images from Microsoft’s rendering site,” he said.
This attack worked by phishers sending out emails with a URL pointing to an attacker-controlled server, the man-in-the-middle component, which pretended to be Microsoft’s log-in pages.
The server identified user-specific information from the email address, including the user’s company, and then fetched information specific to that company.
Much like a typical log-on experience, the single URL rendered differently for different users.
“To generate legitimate-looking phishing sites, the server used the following code to retrieve the banner used by the target’s victim company as identified by the domain information in the email address; the response is the URL for the company banner,” Estavillo wrote.
“The server also retrieved the text used in the company’s sign-in page; the response is the actual text specific to the target victim’s company. To complete the legitimate-looking phishing page, the server requested the background image using the code below; the response is the URL to the image.”