A new phishing campaign unveiled by researchers from DomainTools is a phishing campaign on the go, deceiving users via fake text messages. The messages masquerade as trusted brands like Amazon to get the targets to give away sensitive data. This operation is put at the hands of the threat actor "Chenlun," who was seen tricking people last year for masquerading as a USPS delivery alert during the holiday season. On 18 October 2024, consumer targeting waves, this wave represents new waves in tactics that target trusting consumers on the most-used brands.
Phishing Attack Evolution: From USPS Notification Scam to Authentication and Authorization Hack
In December 2023, DomainTools reported on the earlier approach that Chenlun used through exploiting USPS alerts to instruct users on how to navigate to fraudulent websites. This scheme, also labelled as "smishing, tricked users into message prompting them to visit virtually identical websites to the one genuine USPS websites. These next sent information that victims did not need to provide. With the current attack, however, Chenlun used the more narrow deception of alerts that there is unauthorised access to his or her online store accounts. This prompted victims into confirmation of their account information with links that led him to a scam website. To this end, it goes without saying that one ought to be careful when opening any link on email or text.
Advanced techniques of hiding and concealing evidence
The strategies that Chenlun uses today are more advanced than that of not being detected. The phishing attack this year is different from the past years because it does not use domain names containing USPS but instead uses a DGA. A DGA automatically generates new, arbitrary domain names, which creates an added difficulty in blocking malicious websites and makes it challenging for the security systems to identify phishing attempts. The constant change in the infrastructure of the domain leaves Chenlun free to continue their attacks without instant interference from cybersecurity defences.
Changed Domain Structures and Aliases
The latest phishing campaign also demonstrates the changed structure of the Chenlun domain. Last year, the fraudsters utilised domains like the official USPS websites. This time around, they change them into simple domains and even switch to other registrars and name servers. Now, they use NameSilo and DNSOwl, for example, and not Alibaba Cloud's DNS service, just like last year. The changing tendency makes phishing attempts less predictable and also complicates the procedure for cybersecurity analysts in relation to the identification and monitoring of suspicious domains.
Moreover, the most recent activity of Chenlun used pseudonyms like "Matt Kikabi" and "Mate Kika". These pseudonyms, which were first identified in the 2023 report, have more than 700 active domains. Reusing these identities, Chenlun has been able to maintain a massive presence online undetected by cybersecurity tools.
Collaboration as a Critical Form of Defense Against Phishing
DomainTools emphasises that effective countermeasures against phishing attacks require the collective efforts of organisations. Recommendations from security experts include active monitoring of registration patterns, sharing threat intelligence, and developing robust strategies that can counter changing phishing techniques.
DomainTools further emphasises that Chenlun's strategy changes reflect the ongoing problem that cybersecurity professionals face. By constantly changing obfuscation techniques, Chenlun underlines the importance of domain-related data in identifying patterns and suspect domains.
Takeaway for Business and Consumers
Continuous activity by Chenlun also points to the fact that vigilance needs to be maintained, given the sophistication in phishing scams. Business entities need to strengthen cybersecurity measures in monitoring domain registrations and promote threat intelligence sharing. Individual consumers need to maintain vigilance by avoiding a response to unsolicited messages or links.
In short, Chenlun's latest phishing campaign calls out for proactive defence. While the attackers continue adapting with a view to remain unseen, the necessity for people to stay updated and network inter-sectorally is the urgent requirement in the world of digitization.
