Discover Pixm’s Latest Zero-Day Threat Intelligence Report
Wondering how we gather this critical information? Take a look at this video we’ve prepared to give you an inside view of how Pixm catches zero-day threats that evade traditional security measures.
The past two weeks saw a record surge in zero-day spearphishing targeting credentials for Microsoft and Outlook, as well as personal e-commerce, streaming and financial platforms such as Amazon, Chase Bank, USAA, PayPal, and Netflix. Attackers employed sophisticated tactics, including delivering phishing links through file shares and hosting pages on legitimate cloud storage services such as Backblaze. Consequently, the majority of cases remained entirely undetected by vendors on VirusTotal. Below are key highlights and examples of recent phishing activity.
Phishing URLs
Here are examples of phishing websites we discovered during this period; we recommend updating your threat intelligence with these URLs.
Microsoft and Outlook Credentials
A Microsoft credential harvester hosted on Backblaze infrastructure was clicked by a staff member at a Texas organization on March 8, and it was 100% undetected by VirusTotal vendors.
This credential harvester leveraged the reputation of a trusted cloud storage provider to remain undetected during the phishing attack. Earlier that week, another staff member at the same organization clicked an Outlook credential harvester delivered through a document-sharing application.
Examples like this are difficult to detect with traditional security architecture, because they are delivered and clicked outside the scope of corporate email protection. Overall, the period saw a record surge in clicks on zero-day credential harvesters targeting Microsoft credentials by users in Texas, Kentucky, Florida, Washington, and Idaho.
In particular, on March 12 multiple users at a Washington organization clicked on phishing links hosted on the domain prenniumofs[.]com. Other Microsoft credential harvesters clicked during the same period were hosted on Russian infrastructure.
Financial Services Phishing
This period saw a record surge in zero-day phishing targeting financial services accounts such as Chase, PayPal, and USAA.
Since these phishing links were delivered through personal email, they are outside the scope of corporate email protection. The PayPal phishing case includes a number of malicious scripts, a "vishing" component, and an attached error message: "Your account has been blocked due to some suspicious login attempts." Cases like this scare recipients into taking action by claiming that their accounts are under threat.
E-Commerce and Streaming Phishing
The same period saw a steady stream of Amazon and Netflix phishing targeting users in Florida and Kentucky.
Suggested Actions
- Block the specified domains on corporate firewalls and endpoint security solutions.
- Remind users of the phishing risks to their personal accounts, even when they access those accounts from corporate devices.
- Educate users to look up the valid support number for their financial institution via Google rather than calling the number provided on an unverified web page.
- Enforce multi-factor authentication (MFA) on all corporate logins to reduce the risk of credential compromise.
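The first suggested action above, turning the report's defanged indicators into a usable blocklist and checking it against web traffic, as an added example that is not part of the original report. The three indicators are taken from this report; the proxy log lines are constructed, and the log format is an assumption. Note that only the specific Backblaze bucket host is blocked, not the shared cloud provider domain.

```python
import re
from urllib.parse import urlsplit

# A sample of the indicators published in this report, in their defanged form.
REPORT_INDICATORS = [
    "prenniumofs[.]com",
    "chicagoiron[.]com/USAA/login[.]html",
    "beddube[.]s3[.]us-east-005[.]backblazeb2[.]com",
]

# Constructed proxy log lines (assumed format: timestamp user url).
SAMPLE_PROXY_LOG = """\
03-12T09:14:02Z alice https://i9sro5j6psl.prenniumofs.com/login
03-12T09:15:40Z bob https://www.microsoft.com/en-us/
03-08T14:02:11Z carol https://beddube.s3.us-east-005.backblazeb2.com/index.html
03-08T14:05:00Z dave https://other.s3.us-east-005.backblazeb2.com/file.pdf
"""

def refang(indicator: str) -> str:
    """Turn a defanged 'a[.]b' indicator back into 'a.b' (also hxxp -> http)."""
    return re.sub(r"\[\.\]", ".", indicator).replace("hxxp", "http")

def indicator_host(indicator: str) -> str:
    """Extract the lowercase hostname from a defanged domain or URL."""
    value = refang(indicator).strip()
    if "://" not in value:
        value = "http://" + value  # scheme needed for urlsplit to see a host
    return urlsplit(value).hostname.lower()

def blocklist_hosts(indicators) -> list:
    """Sorted, de-duplicated list of hosts suitable for a DNS/firewall blocklist."""
    return sorted({indicator_host(i) for i in indicators})

def host_matches(host: str, blocked: set) -> bool:
    """True if host equals a blocked host or is a subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def find_hits(log_text: str, indicators) -> list:
    """Return (user, host) pairs for log lines whose URL host is blocked."""
    blocked = set(blocklist_hosts(indicators))
    hits = []
    for line in log_text.splitlines():
        _timestamp, user, url = line.split(maxsplit=2)
        host = urlsplit(url).hostname
        if host and host_matches(host, blocked):
            hits.append((user, host))
    return hits
```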
If you would like a demo of Pixm to learn more about our AI technology and how we can help protect your customers, sign up here.
Questions or Feedback
PIXM Threat Research Team
threats@pixmsecurity.com