Threat Intelligence Blog

Posted September 6, 2018

Even with all of the hacks and third party breaches that have plagued some of the biggest global corporations over the past few years, phishing still remains one of the most frequent ways into an organization. It has been reported that up to 93% of all breaches start with a phish.

LookingGlass has broad and deep access to phishing data and insight into phishing campaign techniques for catching phish. We hope that in sharing the “behind-the-scenes” of a phishing attack, your organization can be more prepared to defend against this recurring digital risk.

Year-to-date we have observed the following as some of the top phishing “targets” or brands used as bait:

  • Wells Fargo
  • Microsoft
  • PayPal
  • Dropbox
  • Google

None of these should come as a surprise, as they are all well-known brands with expansive customer bases, and attackers typically cast a wide net in an effort to reach as many victims as possible. For example, if an attacker wants to infiltrate a corporate environment they can make a fairly educated guess that the likelihood of that business using a service such as Microsoft 365 is quite high. Thanks to widely available dumps of email addresses and account information, the attacker just needs to collect a list of email addresses associated with the business, craft their strategically themed phishing email, and then wait for the clicks to commence – and they will most certainly commence.

A common theme we have observed in association with these targets are login pages designed to harvest user credentials. In August, we took a look at a phishing campaign that targeted PayPal. In this instance, the phishing link was hosted on a WordPress site of an apparent victim domain, where the domain owner most likely had no idea that they were serving up malicious content on their site. A visit to the site’s home page revealed a very unobtrusive comment indicating that the site had been “Hacked by Virus-ma” (figure 1):

Virus Ma

 

Some quick research revealed Virus-ma had at least one hacking-related YouTube video channel.

When a user visits the phishing page via the phishing link, they are presented with an extremely realistic PayPal spoof (figure 2):

PayPal Login Page

Regardless of what credentials the user enters (we obviously did not use legit PayPal credentials in our testing), they will be accepted and the user is directed to the next screen which requests contact information. The screen following that asks for credit card information, social security number, and account number (figure 3):

Update Your Credit/Debit Card

The credit card data is checked in real time, so incorrect or false entries are instantly rejected. Our research did not go beyond this screen as we were not willing to provide legitimate user financial information that could be verified. Also, it is noteworthy that the website is encrypted, which gives a false sense of security to the user, ultimately making them more likely to provide confidential and sensitive information. In this case, the domain used a TLS certificate signed by cPanel (figure 4):

Certificate

The page source behind these pages revealed some interesting data about the attacker, in which they identify themselves and out the page as being a “scam page” (figure 5):

Phishing Log

At LookingGlass Cyber we see hundreds of phishing attacks like these every day. Trying to prevent them is a daunting task, but with an understanding of the processes behind the phish, organizations can better educate their users about what to avoid as well as put appropriate detection methods in place.

Protect yourself from future phishing attacks here, or contact us.

 

Additional Posts

Assembling a Modern Security Operation Center

Enterprise-level SOCs may have as many as 50 security appliances, all which are difficult to ...

Can Your SOC Use More Visibility?

The Security Operation Center (SOC) is an intricate ecosystem of personnel, network equipment, ...