Early-mid June saw a surge of phishing campaigns targeting Amazon, Microsoft and Netflix accounts, including phishing kits capable of harvesting extensive personal data, like social security numbers and bank access numbers. Many Microsoft-themed attacks employed advanced evasive tactics – such as heavily obfuscated scripts, anti-scanning measures, and simulated multi-factor authentication steps. Meanwhile, an Amazon phishing kit was found capable of harvesting extensive personal data beyond passwords, and Netflix phishing links included unique identifiers likely used to track campaign targets. Here are some examples and highlights
Phishing URLs
loginmicrosoftcommon365authmked1c[.]bdfkfwwgyqon[.]es
xiotecltd[.]com/support/10be73e78
prime-siginauth[.]authecsbeaneyr[.]website
managesecure[.]log-in[.]information-reactivate-statement[.]memberprime[.]vlx[.]yeo[.]mybluehost[.]me
rmuba[.]ewetanign[.]ru
office[.]trustmark[.]cloud
gfmw[.]guestaccessportal[.]com
oneonline[.]chirping[.]it[.]com
Amazon Phishing: SSN, Bank Access Numbers and More
On June 12th, a staff member at a Maryland organization clicked the below Amazon phishing attack on their work device.
The page contained a data filtration configurations embedded deeply in it’s json:
This indicates a configurable phishing kit capable of requesting sensitive identity and financial data, including:
- Social Security Number (SSN)
- National IDs
- Bank Account Numbers
- Online banking access numbers
- Passport & civil IDs
- Mother’s maiden name (MMN)
On June 12 a similar Amazon phishing attack was clicked by an employee at a Virginia organization, also targeting their personal account on their work device.
The login UI included an email validation that exactly mimics Amazon’s two step sign-in process. The mybluehost[.]me domain was also used in earlier Amazon phishing attacks reported on earlier.
Microsoft O365 / Sharepoint Phishing: fake MFA, Voicemail Lures, and Evasive Javascript
On June 9, a user at a Kentucky organization clicked this Office 365 spearphish hosted on a Russian top level domain.
The HTML included tags that prevent web crawlers from caching or indexing the page and clip board interference that prevents analysts from copying content. It also included a ~1 million character javascript blob likely intended to thwart static analysis. On June 10, a another Kentucky staff member clicked this Microsoft phishing link via a voicemail lure.
The attack presented the user with multiple sign-in prompts and ultimately a message stating that a voice mail had “expired” and the user would be redirected to Microsoft. Voicemail lures like this are commonly used in business email compromise (BEC) campaigns to trick users into clicking malicious links.
On June 11, a Texas administrator clicked this spearphishing link. The page used advanced evasive scripting with encrypted payloads, anti-analysis techniques, and an obfuscated user interface.
The same day, an employee at an Iowa organization clicked this Microsoft 365 phishing link.
The URL structure perfectly mimicked Microsoft’s OAuth flow. The phishing page also employed session tracking and device fingerprinting perhaps to track the effectiveness of the phishing campaign and gather intel on the user.
On June 17, a staff member at a Minnesota organization clicked this SharePoint-themed phishing attack, which simulated multiple MFA flows like push approvals, SMS verification, and authenticator app prompts.
Netlifx Phishing Campaigns and User Tracking
The same period also saw an uptick in Netflix phishing campaigns tracking click through rates and device information. For instance, on June 15th a staff member at a Texas organization clicked the below Netflix phishing link on their work device.
The page included watermarking and campaign identifiers used to track individual campaign deployments or victim origin.
Mitigations
- Block the specified domains on corporate firewalls and endpoint security solutions.
- Educate users about phishing risks even on pages that purport to use MFA
- Remind users of phishing risks for their personal accounts they access even if they are on corporate devices
- Enforce multi-factor authentication (MFA) on all corporate logins to reduce the risk of credential compromise.
- Protect your users from the next wave of zero day phishing attacks and schedule a demo.
threatresearch@pixmsecurity.com
Recent Comments