Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Phishing Camapign. Show all posts

Phishing Campaigns Exploit Cloudflare Workers to Harvest User Credentials

 

Cybersecurity researchers are raising alarms about phishing campaigns that exploit Cloudflare Workers to serve phishing sites designed to harvest user credentials associated with Microsoft, Gmail, Yahoo!, and cPanel Webmail. This attack method, known as transparent phishing or adversary-in-the-middle (AitM) phishing, employs Cloudflare Workers to act as a reverse proxy for legitimate login pages, intercepting traffic between the victim and the login page to capture credentials, cookies, and tokens, according to Netskope researcher Jan Michael Alcantara. 

Over the past 30 days, the majority of these phishing campaigns have targeted victims in Asia, North America, and Southern Europe, particularly in the technology, financial services, and banking sectors. The cybersecurity firm noted an increase in traffic to Cloudflare Workers-hosted phishing pages starting in Q2 2023, with a spike in the number of distinct domains from just over 1,000 in Q4 2023 to nearly 1,300 in Q1 2024. The phishing campaigns utilize a technique called HTML smuggling, which uses malicious JavaScript to assemble the malicious payload on the client side, evading security protections. 

Unlike traditional methods, the malicious payload in this case is a phishing page reconstructed and displayed to the user on a web browser. These phishing pages prompt victims to sign in with Microsoft Outlook or Office 365 (now Microsoft 365) to view a purported PDF document. If users follow through, fake sign-in pages hosted on Cloudflare Workers are used to harvest their credentials and multi-factor authentication (MFA) codes. "The entire phishing page is created using a modified version of an open-source Cloudflare AitM toolkit," Alcantara said. 

Once victims enter their credentials, the attackers collect tokens and cookies from the responses, gaining visibility into any additional activity performed by the victim post-login. HTML smuggling is increasingly favored by threat actors for its ability to bypass modern defenses, serving fraudulent HTML pages and other malware without raising red flags. One highlighted instance by Huntress Labs involved a fake HTML file injecting an iframe of the legitimate Microsoft authentication portal retrieved from an actor-controlled domain. This method enables MFA-bypass AitM transparent proxy phishing attacks using HTML smuggling payloads with injected iframes instead of simple links. 

Recent phishing campaigns have also used invoice-themed emails with HTML attachments masquerading as PDF viewer login pages to steal email account credentials before redirecting users to URLs hosting "proof of payment." These tactics leverage phishing-as-a-service (PhaaS) toolkits like Greatness to steal Microsoft 365 login credentials and bypass MFA using the AitM technique. The financial services, manufacturing, energy/utilities, retail, and consulting sectors in the U.S., Canada, Germany, South Korea, and Norway have been top targets. 

Threat actors are also employing generative artificial intelligence (GenAI) to craft effective phishing emails and using file inflation methods to evade analysis by delivering large malware payloads. Cybersecurity experts underscore the need for robust security measures and oversight mechanisms to combat these sophisticated phishing campaigns, which continually evolve to outsmart traditional detection systems.

Novel Phishing Campaign Employs Countdown Timer to Pressurize Victims

 

A new phishing campaign is forcing victims into entering their credentials by claiming their account will be deactivated and it employs a countdown timer to build the pressure. 

The malicious campaign begins with a text which claims to warn the recipient that an attempt to log in to their account from a location they haven't used before has been blocked and is offered a solution in the form of email verification, cybersecurity researchers at Cofense explained in a blog post. 

Ransomware attackers frequently employ fear tactics because sending victims into a state of panic means they're more likely to follow instructions, particularly if they've been told something is wrong with their accounts. 

What sets this phish apart from other campaigns is the countdown clock displayed to the recipient once the malicious link is accessed. The timer ticks down for an hour, claiming the user must enter their username and password to 'validate' their account before the countdown clock hits zero. 

The real scenario is completely different because nothing will be deleted even if the countdown timer reaches zero. The phishing campaign can only be successful if the targeted user falls into a trap and enters login credentials. 

Phishing attacks are one of the most common techniques hackers employ to steal usernames and passwords. Earlier this year in May, researchers at Zscaler's ThreatLabz identified a phishing campaign employing fake voicemails to exfiltrate data of US organizations across various industries, including software security, security solution providers, the military, healthcare, and pharmaceuticals. 

Tips to mitigate phishing attacks 

1. Employ MFA 

Using multi-factor authentication (MFA) can help protect accounts because even if the attacker knows the correct login credentials, the need for extra verification prevents them from being able to access the account, as well as providing a warning that something could be wrong. 

2. Get free anti-phishing add-ons 

Most browsers nowadays will enable you to download add-ons that spot the signs of a malicious website or alert you about known phishing sites. They are usually completely free so there’s no reason not to have them installed on every device in your organization. 

3. Don’t enter your credentials on an unsecured site 

If the URL of the website doesn’t start with “https”, or you cannot see a closed padlock icon next to the URL, do not enter any sensitive information or download files from that site. Sites without security certificates may not be intended for phishing scams, but it’s better to be safe than sorry.

Users of Intuit QuickBooks Targeted in Phishing Scams

 

Intuit, a financial software business based in the US, has issued a warning to its clients about a new QuickBooks phishing effort. The current phishing campaign, which is the company's fifth big security threat this year, involves deceiving consumers into believing one‘s account has been suspended. 

"We're writing to advise you that we were unable to confirm certain information on your account after performing an assessment of your company. As a result, we've placed a temporary hold on your account." The phishing message goes as follows: "If you believe we've made a mistake, please let us know as soon as possible so we can correct it. Please fill out the verification form below to assist us with effectively revisiting your account. We will re-evaluate your account within 24-48 hours after verification is finished." 

Malicious material within the bogus Intuit support team message would send the target to a phishing website where criminals may steal personal data or install malware on infected devices if they clicked the "Complete Verification" button. The sender "is not linked with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit's logos permitted by Intuit," according to the accounting software Intuit. Customers are advised not to open these phishing messages.

Small and medium-sized businesses (SMBs) all over the world utilize Intuit's QuickBooks software. According to the company's website, there are 4.5 million users globally. This year, cyber attackers have targeted the company's vast user base, particularly around tax season in the United States, when the corporation was compelled to release two separate security advisories in as many days in February. 

The email in both phishing scams pretended to be an account inactivity warning, suggesting that the user's account had been disabled due to inactivity. Victims were sent links to a bogus Intuit website, which could have been used to steal account information. 

It also advises consumers to delete the communications from email inboxes to avoid personal data being stolen and a possible malware infection. Customers who opened the email clicked a link, or downloaded a possibly harmful attachment should take the following precautions: 
  • Delete the downloaded attachment right away. 
  • Passwords should be changed regularly. 
  • Run a complete scan on the machine that may have been hacked. 
  • Intuit also offers a comprehensive list of security advice that can assist customers in avoiding common cyberattacks such as phishing emails, customer service scams, and identity theft.

Vidar Spyware Exploits Microsoft Help Files to Bypass Detection

 

Vidar spyware has been discovered in a new phishing campaign that exploits Microsoft HTML help files. The spyware is hidden in Microsoft Compiled HTML Help (CHM) files to bypass detection in email spam campaigns, Trustwave cybersecurity expert Diana Lopera stated. 

Vidar is Windows spyware and an information stealer capable of harvesting both user data and data on the operating system, cryptocurrency account credentials as well as payment details such as credit card details. 

While threat actors often distribute malware via spam and phishing campaigns, Trustwave researchers have also uncovered the C++ malware being deployed via the pay-per-install PrivateLoader dropper, and the Fallout exploit kit. 

According to researchers, threat actors employ an age-old strategy of tricking people to download seemingly innocent files that are actually malicious. The malicious files contain a generic subject line and an attachment, "request.doc," which is actually a .iso disk image. The .iso contains two separate files: a Microsoft-compiled HTML help file (CHM), often titled pss10r.chm, and an executable file titled app.exe. 

The CHM format is a Microsoft online extension file used for accessing documentation and help files. The compressed HTML format allows the distribution of images, tables and links. However, when malicious actors abuse CHM, they can use the format to force Microsoft Help Viewer (hh.exe) to deploy CHM objects. 

When a malicious CHM file is unpacked, a JavaScript snippet will silently execute app.exe, and while both files have to be in the same directory, this can trigger the execution of the Vidar payload. 

The Vidar samples gathered by the attacker’s link to their command-and-control (C2) server via Mastodon, a multi-platform open-source social networking system. Specific profiles are searched, and C2 addresses are collected from user profile bio sections. This allows the spyware to design its configuration and start exfiltrating user data. 

To protect yourself against this campaign, you should strictly follow the standard protections against email spam, such as ensuring the source of email before downloading any attachments. It's also a good idea to use the best antivirus software to protect your PC. 

"Since this Vidar campaign utilizes social engineering and phishing, ongoing security awareness training for your staff is essential. Organizations should also consider implementing a secure email gateway for 'defense in depth' layered security in order to filter these types phishing attacks before they even get to any inboxes,” stated Karl Sigler, Trustwave threat intelligence manager. 

"Vidar itself is an information stealer type of malware. It grabs as much data as it can from the victim's system, sends it back to the attackers, and then deletes itself. This includes any local password stores, web browser cookies, crypto wallets, contact databases, and other types of potentially valuable data."