Deep Dive into Evolving Phishing Threats - 2023 Q3 - VMRay

Deceptive Waters:
Deep Dive into Evolving Phishing Threats

Q3 – 2023

Explore the ever-changing tactics of phishing attacks, from misusing trusted services to innovative QR code methods.


Phishing has grown into a complex landscape of tactics that need to be understood before they can be countered. In this chapter we look at several of them, from the misuse of trusted services such as Google AMP to QR codes and delayed attacks.

We also dissect the impersonation of cybersecurity researchers, and the combination of SMS phishing with deepfake voices. The risks are multifaceted and call for vigilance and proactive security measures against an evolving phishing landscape.

The ongoing misuse of open redirects by attackers is important to note. An open redirect is a weakness in a website that accepts a destination in a request parameter (for example ?url= or ?redirect=) and sends the browser there without checking that the destination belongs to the site itself. If a well-known and trusted service contains an open redirect, attackers can craft links that start on the trusted domain and end on their own phishing page. The trick works because users and reputation-based filters alike judge the visible domain, not the final destination. As such, we have extended our support for redirections: the analysis has to follow the whole chain and judge the final landing page, not the first hop.

Google AMP and Looker Studio as Vehicles for Deceptive Phishing Tactics

In the same category, the misuse of Google Accelerated Mobile Pages (AMP) by online criminals has raised significant concerns. AMP exists to let Google cache and serve lightweight versions of mobile pages; the side effect is that an AMP-cached page is reached through a URL on the google.com domain that embeds the real target (of the form https://www.google.com/amp/s/<real host>/<path>). Attackers have been abusing such links to avoid detection: the link a user or a filter sees points at google.com and inherits Google's strong reputation, while the page actually loaded belongs to the attacker. This adds another level of difficulty to the analysis and makes the danger harder to spot.

Similarly, Google Looker Studio was abused in the same way to send victims phishing mails whose sender is the legitimate "looker-studio-noreply@google.com"; since the mail is generated by Google's own service, it passes sender checks that a spoofed address would not. Most of these attacks combine several techniques. In the Google AMP campaigns, for instance, the attackers have also been seen using image-based HTML emails, where the text first has to be extracted from the image (OCR) before it can be analyzed, as well as multiple redirections.
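The two wrappers described above, an open-redirect parameter on a trusted site and a Google AMP viewer link, can be peeled off statically before any reputation check is applied. The following Python is an added example, not VMRay's own code: it unwraps a link hop by hop without touching the network, reports the host that should actually be judged, and shows the server-side check a trusted service should apply to stop being an open redirect in the first place. The AMP path layout follows the documented viewer URL shape; the list of redirect parameter names and the hostnames trusted.example and evil.example are assumptions made for the example.

```python
from urllib.parse import urlparse, parse_qs

# Query parameters commonly used by redirect endpoints (assumed list, extend as needed).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "redirect_url",
                   "next", "target", "dest", "u", "q"}


def _absolute_http_url(value):
    """True if value is an absolute http(s) URL with a hostname."""
    p = urlparse(value)
    return p.scheme in ("http", "https") and bool(p.hostname)


def unwrap_once(url):
    """Peel one layer of wrapping off a URL and return the hidden destination, or None.

    Handles two wrappers seen in phishing links:
      * Google AMP viewer links, https://www.google.com/amp/s/<host>/<path>
        (the "s/" segment marks an https target; without it the target is http)
      * open-redirect parameters such as ?url=https://attacker.example/...
    """
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host == "www.google.com" and p.path.startswith("/amp/"):
        rest = p.path[len("/amp/"):]
        scheme = "http"
        if rest.startswith("s/"):
            scheme, rest = "https", rest[2:]
        if rest:
            return f"{scheme}://{rest}" + (f"?{p.query}" if p.query else "")
    # parse_qs percent-decodes the values, so an encoded URL comes back as a URL
    for key, values in parse_qs(p.query).items():
        if key.lower() in REDIRECT_PARAMS:
            for value in values:
                if _absolute_http_url(value):
                    return value
    return None


def resolve_chain(url, max_hops=5):
    """Follow wrappers statically (no network) and return every hop, first to last."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = unwrap_once(chain[-1])
        if nxt is None or nxt in chain:   # nothing left to unwrap, or a loop
            break
        chain.append(nxt)
    return chain


def final_host(url):
    """The hostname a reputation check should actually be applied to."""
    return urlparse(resolve_chain(url)[-1]).hostname


def is_safe_redirect(target, allowed_hosts):
    """Server-side check a trusted service should apply before redirecting to target.

    Accepts only same-site relative paths and absolute URLs on allow-listed hosts.
    Rejects scheme tricks (javascript:, data:), protocol-relative '//evil' and the
    '/\\evil' form that browsers normalise to '//evil'.
    """
    p = urlparse(target)
    if p.scheme not in ("", "http", "https"):
        return False
    if not p.netloc:
        return p.path.startswith("/") and not p.path.startswith(("//", "/\\"))
    return (p.hostname or "").lower() in allowed_hosts


if __name__ == "__main__":
    # Constructed sample: AMP link to a trusted site whose open redirect points at the phishing host.
    wrapped = ("https://www.google.com/amp/s/trusted.example/login"
               "?url=https%3A%2F%2Fevil.example%2Fsignin")
    for hop in resolve_chain(wrapped):
        print("hop:", hop)
    print("judge this host:", final_host(wrapped))
    for candidate in ("/account", "https://evil.example/x", "//evil.example/x", "javascript:alert(1)"):
        print(candidate, "->", "allowed" if is_safe_redirect(candidate, {"trusted.example"}) else "blocked")
```

The static unwrapping deliberately does not fetch anything: it is meant for the first pass over a mail, before a sandbox follows real HTTP redirects, and it already tells you which hostname the reputation lookup must be done against.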

Exploiting Salesforce: Leveraging Zero-Day Weakness for Targeted Phishing Assaults on High-Profile Accounts

The use of a zero-day weakness in Salesforce to carry out well-crafted phishing attacks was another big issue in the same category. Email spam detection systems are sophisticated nowadays, but one simple mechanism at their core is a list of trusted sending domains and gateways. Attackers abused a weakness in Salesforce to send out large numbers of phishing emails from a legitimate "@salesforce.com" address through the Salesforce email gateway, which let them get past spam detection and security systems that trust that sender.

The targets of this particular campaign were high-value Facebook accounts. Here the attackers added another layer of obfuscation: they hosted their phishing page on apps.facebook.com, the platform that lets third-party developers extend Facebook with their own "apps", so the landing page also sat on a trusted domain.

QR Codes in Phishing: A Novel Tactic Exploiting User Action for Deceptive Email Attacks

But not all phishing attempts try to masquerade their URL as belonging to a trusted party. One creative method we have observed is the use of QR codes in phishing attacks. This was a new way of using QR codes in large phishing campaigns and we expect it to become more common.

The QR codes were embedded as images in emails that looked legitimate. Because the email contains no clickable link, security systems that extract and scan URLs from the message body find nothing; the URL exists only inside the image and has to be decoded from it. The flip side is that the attack requires more user action than a link does: the victim has to scan the code with a phone, which typically moves the browsing session to a personal device outside the organization's web filtering.
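Both the image-based HTML emails mentioned in the Google AMP section and the QR code mails have the same shape from a scanner's point of view: almost no text, no href, and one image that carries the whole message. The Python below is an added example, not VMRay's code: a small triage step that parses a raw message with the standard library, counts visible text and links, lists the image parts, and tells the pipeline whether OCR or QR decoding must run before any link analysis makes sense. The two sample messages, the header values and the 120-character threshold are constructed for the example; the PNG payload is a one-pixel placeholder standing in for a QR image, not a real QR code.

```python
import re
from email import policy
from email.parser import BytesParser

HREF_RE = re.compile(r'href\s*=\s*["\']?\s*(https?://[^"\'\s>]+)', re.I)
TAG_RE = re.compile(r"<[^>]+>")
MIN_TEXT_CHARS = 120   # assumption: below this, the "message" is essentially the image


def triage_message(raw):
    """Classify a raw RFC 5322 message by where its payload actually lives.

    Returns a dict with the visible text length, the http(s) links found in the
    HTML, the image parts (name, decoded size) and a verdict telling the pipeline
    what to do next.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    text_chars, links, images = 0, [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text_chars += len(part.get_content().strip())
        elif ctype == "text/html":
            html = part.get_content()
            links.extend(HREF_RE.findall(html))
            text_chars += len(TAG_RE.sub("", html).strip())
        elif part.get_content_maintype() == "image":
            images.append((part.get_filename() or part["Content-ID"] or ctype,
                           len(part.get_payload(decode=True) or b"")))
    if images and not links and text_chars < MIN_TEXT_CHARS:
        verdict = "image_only"   # link scanners see nothing: OCR / QR-decode the image first
    elif links:
        verdict = "has_links"    # submit each URL; a 404 or unreachable page is inconclusive
    else:
        verdict = "text_only"
    return {"text_chars": text_chars, "links": links, "images": images, "verdict": verdict}


# Constructed sample 1: a QR-code style mail, the whole lure is one inline image.
SAMPLE_QR_MAIL = b"""\
From: "IT Security" <noreply@mail.example>
To: user@corp.example
Subject: Action required: MFA enrollment expires today
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><img src="cid:qr" alt=""></body></html>
--b1
Content-Type: image/png; name="qr.png"
Content-Transfer-Encoding: base64
Content-ID: <qr>

iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII=
--b1--
"""

# Constructed sample 2: an ordinary HTML mail with real text and one link.
SAMPLE_LINK_MAIL = b"""\
From: accounting@trusted.example
To: user@corp.example
Subject: Invoice 4711
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello,</p><p>Your quarterly invoice is ready. Please review it and
confirm receipt by Friday so that accounting can close the books on time.</p>
<p><a href="https://trusted.example/invoice/4711">Open invoice</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("qr mail", SAMPLE_QR_MAIL), ("link mail", SAMPLE_LINK_MAIL)):
        result = triage_message(raw)
        print(f"{name}: verdict={result['verdict']} text={result['text_chars']} "
              f"links={result['links']} images={result['images']}")
```

The verdict only routes the message; decoding the QR image itself needs an image library, and whatever URL comes out of it should then go through the same redirect unwrapping and reputation checks as a link found in the HTML.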

Delayed Phishing Attacks: Evading Immediate Detection Through Timed Malicious Page Activation

We have also spotted a so-called delayed phishing attempt in the wild: when the phishing email was opened shortly after its arrival, the linked page returned a 404 error and was non-functional. On re-evaluation of the sample an hour later, the page was operational and was correctly identified as harmful. Such attacks rely on the assumption that emails arriving at a late hour are not opened immediately but some time later, while automated scanners look at them right away.

Automatic analysis systems that try to spot malicious mails scan the content as soon as it arrives. By delaying when the phishing page becomes available, these scanners are evaded: at scan time there is simply nothing malicious to see. This may necessitate analyzing submissions again at a later time, for instance when the email was received during the night or the webpage was initially inaccessible, and treating a 404 or unreachable link as an inconclusive result rather than a benign one.
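One way to turn the "scan again later" rule into something a pipeline can act on, as an added example in Python that is not VMRay's own scheduling logic: links whose first scan was inconclusive are re-evaluated on a backoff series, and mail that arrived outside office hours gets one extra look at the start of the next working day, because that is when the victim will read it. The delay values, the office hours and the set of outcome labels are assumptions for the example.

```python
from datetime import datetime, timedelta, time

# Backoff for looking at a link again, counted from first scan (assumed values).
RESCAN_DELAYS = [timedelta(hours=1), timedelta(hours=4), timedelta(hours=12), timedelta(hours=24)]
# Outcomes that say nothing about intent: the attacker may not have switched the page on yet.
INCONCLUSIVE = {"http_404", "dns_failure", "connect_timeout", "empty_page"}
OFFICE_START = time(8, 0)    # assumed local office hours
OFFICE_END = time(18, 0)


def received_out_of_hours(received):
    """True if the mail arrived when nobody was likely to read it immediately."""
    t = received.time()
    return t < OFFICE_START or t >= OFFICE_END


def plan_rescans(received):
    """Times at which a link from a mail received at 'received' should be re-evaluated.

    The backoff series alone can miss the window the attacker is aiming for: a page
    that 404s at 23:10 and again at 00:10 may be live at 08:00 when the user opens
    the mail. For out-of-hours mail one extra look is therefore scheduled for the
    start of the next working day.
    """
    times = [received + d for d in RESCAN_DELAYS]
    if received_out_of_hours(received):
        next_start = datetime.combine(received.date(), OFFICE_START)
        if next_start <= received:
            next_start += timedelta(days=1)
        times.append(next_start)
    return sorted(set(times))


def final_verdict(received, outcomes):
    """Walk the scan outcomes in order; the first conclusive one is the verdict.

    outcomes[0] is the result of the scan at arrival, outcomes[i] the result of the
    i-th rescan. Returns (verdict, scan_time); verdict is 'inconclusive' when every
    scheduled look came back empty, so the link must not be marked benign.
    """
    schedule = [received] + plan_rescans(received)
    for when, outcome in zip(schedule, outcomes):
        if outcome not in INCONCLUSIVE:
            return outcome, when
    return "inconclusive", schedule[min(len(outcomes), len(schedule)) - 1]


if __name__ == "__main__":
    # Constructed case modelled on the one described above: arrival late at night,
    # 404 on the first scan, phishing page live one hour later.
    arrived = datetime(2023, 9, 14, 23, 10)
    for t in plan_rescans(arrived):
        print("rescan at", t)
    print(final_verdict(arrived, ["http_404", "phishing"]))
    print(final_verdict(arrived, ["http_404"] * 6))
```

The important property is the last return value: running out of rescans leaves the link inconclusive, which a pipeline should surface as "not yet known" rather than letting it fall through to a clean verdict.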

A Rising Threat: Tech-Support Scams Exploiting Windows Defender Alerts for Deceptive Gains

Additionally, we have seen a slight increase in so-called tech-support scams. These attacks also involve URLs and web pages that masquerade as a Windows Defender security warning, claiming that the PC has been blocked for security reasons.

The victim is instructed to call a fake Windows support hotline, where the scammers ask either for remote access to the PC or for a one-time fee or subscription to a purported support service. Genuine Windows Defender alerts are not shown as web pages and never carry a phone number, which is the simplest way to recognise these lures.

Beyond Emails: Phishing Extends to Microsoft Teams and Facebook Messenger for Widespread Compromise

While phishing via email is likely to stay relevant far into the future, attackers have also been moving into other vectors, such as Microsoft Teams. As this is starting to gain traction, we have also noticed a popular open-source tool on GitHub called TeamsPhisher that distributes phishing messages (including attachments) to users in organizations that allow external communication with other tenants. In one instance, the DarkGate malware was pushed this way through compromised accounts. Since such tools depend on external access being enabled, restricting Teams federation to an allow-list of trusted domains removes their precondition.

On a similar note, attackers have been abusing Facebook Messenger to target thousands of business accounts. Notably, they did not try to steal credentials via a phishing page but to infect the victims' systems via a malicious attachment sent in the chat.

Deceptive Tactics: Impersonating Cybersecurity Researchers in Advanced Phishing Schemes

In a more deceptive approach, attackers have been impersonating cybersecurity researchers on platforms like Twitter and GitHub, publishing fake proof-of-concept exploits for zero-day vulnerabilities that instead infect Windows and Linux systems with malware. These fake exploits are promoted by alleged researchers at a non-existent cybersecurity company named "High Sierra Cyber Security".

The repositories look legitimate, and the accounts maintaining them impersonate real security researchers, even reusing their headshots, which adds a layer of perceived legitimacy to the operation. This method is particularly concerning because it targets the cybersecurity community directly: a researcher who runs an untrusted proof of concept outside an isolated environment hands the attacker their workstation, potentially exposing sensitive vulnerability research and providing initial access to a security company's network.

One of the more sophisticated phishing attacks relied on SMS phishing combined with a deepfake voice of an IT employee to circumvent multi-factor authentication. The level of sophistication speaks for itself: multiple good and well-recommended security features were not enough to stop this attack, because the human factor remains the most vulnerable. A one-time code that a user can read out over the phone is, by design, something an attacker can ask for; only phishing-resistant factors such as FIDO2 security keys, which bind the authentication to the legitimate origin, take that option away.

Conclusion

In the end, the changing methods in phishing, such as the misuse of trusted services and the new use of QR codes, show that the risk landscape is always in motion. For that reason, we in the Threat Analysis team hold weekly phishing analysis meetups to become aware of recent trends as early as possible and react proactively before they become an issue for our customers.

Home: 
VMRay Malware & Phishing Threat Landscape – Q3/2023

Next Chapter: 
Complex delivery chains
