NEW PHISHING TECHNIQUES CAUSING INCREASED CONCERN
InPhySec Security
NZ's leading Cyber Security Experts. Managed services | Consulting | Incident Response.
Despite years of warnings, evolving password requirements, and recommendations for multi-factor authentication, credential theft remains one of the top attack methods used by malicious threat actors. These threat actors undoubtedly continue to adapt, but if there is an option to take the path of least resistance, they will take it. Below we detail some examples of the evolving phishing methods used by these malicious actors.
Exploiting Amazon Web Services (AWS)
By using a legitimate cloud service like AWS to host phishing pages, attackers can bypass traditional security scanners. AWS is attractive to threat actors because it allows anyone to design and host a website, and threat actors can do so as freely as legitimate users. By sending a link to an AWS-hosted webpage in a phishing email, the scammers bypass security tools and convince the recipient to input their credentials for whatever account they are attempting to compromise.
In the case below, a malicious actor used a phishing page created and hosted through AWS to warn people about an alleged password expiration. Clicking on the “Keep My Same Password” button in the email takes the user to a phishing page set up with a phony prompt where the user is asked only to enter their password, which is then harvested by the malicious actor.
Traditional email security tools use static Allow and Block lists to determine whether content is legitimate by analysing the linked website. As a prominent website and service, Amazon Web Services will always be on the Allow list, which often allows the phishing email to reach the user's inbox.
Homoglyph
Homoglyphs are text characters whose shapes are near identical to one another. Some phishers take advantage of the likeness between character scripts to register counterfeit domains or send phishing emails using Cyrillic characters. These domains appear trustworthy at first glance, and URLs embedded in phishing emails may not be blocked by message or content filters. In the example scenario below, an organisation wants to block an email containing the URL 'www.pɑypal.com'. To do so, an inbound content filter is written that looks for a URL containing 'www.paypal.com', with its action configured to drop and notify.
The first URL uses a Unicode homoglyph of the letter "a". If you look closely, you can see that the first "a" in PayPal is actually different from the second "a", so a filter matching the ASCII spelling never fires.
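The check a content filter actually needs is shown below as an added example (this is not InPhySec's code or tooling). It takes a hostname such as the article's 'www.pɑypal.com', reports whether it is pure ASCII, what its punycode (xn--) form looks like to a resolver, whether it mixes scripts (e.g. Latin and Cyrillic), and what the name collapses to once look-alike characters are mapped back to ASCII. The `CONFUSABLES` table is a small constructed subset (real deployments would use the Unicode confusables data from UTS #39), and `PROTECTED_DOMAINS` is a hypothetical brand list.

```python
import unicodedata

# Constructed, partial table of Unicode characters that look like ASCII letters.
# A real deployment would load the full Unicode confusables data (UTS #39);
# this subset is for illustration only.
CONFUSABLES = {
    "\u0251": "a",  # ɑ LATIN SMALL LETTER ALPHA (the article's pɑypal example)
    "\u0430": "a",  # а CYRILLIC SMALL LETTER A
    "\u0435": "e",  # е CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # о CYRILLIC SMALL LETTER O
    "\u0440": "p",  # р CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # с CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # х CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # у CYRILLIC SMALL LETTER U
    "\u03bf": "o",  # ο GREEK SMALL LETTER OMICRON
}

# Hypothetical list of brand domains the organisation wants to protect.
PROTECTED_DOMAINS = {"paypal.com"}


def script_of(ch):
    """Rough script classification from the Unicode character name, e.g. 'LATIN', 'CYRILLIC'."""
    if ch in "-.0123456789":
        return "COMMON"
    name = unicodedata.name(ch, "UNKNOWN")
    return name.split(" ")[0]


def skeleton(host):
    """Map each known confusable character to its ASCII look-alike."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def ace_form(host):
    """Punycode (xn--) rendering per label; this is the form a resolver actually sees."""
    labels = []
    for label in host.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def analyze_hostname(host):
    """Return the indicators a URL filter would log for one hostname."""
    host = host.strip().lower()
    scripts = {script_of(ch) for ch in host} - {"COMMON"}
    skel = skeleton(host)
    # Registrable part approximated as the last two labels (fine for .com-style names).
    registrable = ".".join(skel.split(".")[-2:])
    non_ascii = not host.isascii()
    return {
        "host": host,
        "ascii_only": not non_ascii,
        "ace_form": ace_form(host),
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "skeleton": skel,
        # Flag only when a non-ASCII name collapses onto a protected brand.
        "impersonates": registrable if (non_ascii and registrable in PROTECTED_DOMAINS) else None,
        "suspicious": non_ascii and (len(scripts) > 1 or skel != host),
    }


if __name__ == "__main__":
    for h in ("www.paypal.com", "www.p\u0251ypal.com", "www.p\u0430ypal.com"):
        print(analyze_hostname(h))
```

The point for filter authors is the `ace_form` field: the resolver and most gateways see `www.xn--...` rather than the rendered string, so a rule written against the ASCII brand name never matches, while matching on the skeleton does.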
Exploiting Decentralised InterPlanetary File System (IPFS)
Phishing techniques have taken a leap by utilising decentralised cloud services built on IPFS, giving attackers another lucrative playground to experiment with.
IPFS is a peer-to-peer (P2P) network for storing and sharing files and data that uses cryptographic hashes instead of the URLs or filenames of a traditional client-server approach. Each hash forms the basis for a unique content identifier (CID). The idea is simple: create a resilient distributed file system that stores data across multiple computers. Information can then be accessed without relying on third parties such as cloud storage providers, effectively making it resistant to censorship, meaning that even if a phishing site is taken down in one place, it may still be available on other nodes and quickly be distributed to other locations. This makes it very difficult to stop a phishing campaign once it has started.
These attacks involve some form of social engineering to coax targets into clicking fraudulent IPFS links and activating the infection chain. Malicious actors can easily camouflage their activities by hosting their content on legitimate web hosting services such as AWS, or by using multiple URL redirections to thwart scanners.
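Both the AWS section above and this IPFS section come down to the same detection question for a mail gateway: does a link in the message point at content an attacker can publish as freely as anyone else? The following added example (not InPhySec's code) extracts URLs from a message body and classifies the three IPFS link shapes (native `ipfs://` scheme, `/ipfs/<CID>` path gateways, `<CID>.ipfs.<gateway>` subdomain gateways) as well as links hosted directly on public AWS endpoints. The sample email, the CIDs and the `.example` gateway hostnames are all constructed for this example; `CLOUD_HOST_SUFFIXES` and `BRAND_KEYWORDS` are hypothetical watch-lists you would tune for your environment.

```python
import re
from urllib.parse import urlsplit

# IPFS content identifiers: CIDv0 is "Qm" + 44 base58 characters; the usual
# CIDv1 base32 form starts with "b" and is lowercase a-z / 2-7 (59 chars for sha2-256).
CID_RE = re.compile(r"(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{50,})")
URL_RE = re.compile(r"(?:https?|ipfs)://[^\s<>\"']+")

# Hypothetical watch-list of public cloud hosting suffixes that anyone can publish under.
CLOUD_HOST_SUFFIXES = (".amazonaws.com", ".amplifyapp.com", ".cloudfront.net")
# Hypothetical lure words that make a raw cloud-hosted link more suspicious.
BRAND_KEYWORDS = ("login", "password", "signin", "verify", "microsoft", "office")


def find_urls(text):
    """Pull http(s) and ipfs URLs out of free text, dropping trailing punctuation."""
    return [u.rstrip(".,;:)]>") for u in URL_RE.findall(text)]


def classify(url):
    """Return a finding for URLs pointing at IPFS or raw cloud hosting, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "ipfs":
        # ipfs://<CID>[/path]; urlsplit puts the CID in netloc (case preserved).
        return {"url": url, "kind": "ipfs-native", "cid": parts.netloc}
    m = re.match(r"^/ipfs/(" + CID_RE.pattern + r")", parts.path)
    if m:
        return {"url": url, "kind": "ipfs-path-gateway", "cid": m.group(1)}
    labels = host.split(".")
    # Subdomain gateways use base32 CIDv1 because DNS labels are case-insensitive.
    if len(labels) >= 3 and labels[1] == "ipfs" and CID_RE.fullmatch(labels[0]):
        return {"url": url, "kind": "ipfs-subdomain-gateway", "cid": labels[0]}
    if host.endswith(CLOUD_HOST_SUFFIXES):
        hit = any(k in url.lower() for k in BRAND_KEYWORDS)
        return {"url": url, "kind": "cloud-hosted", "cid": None, "lure_keyword": hit}
    return None


def scan_email(body):
    """Classify every URL in a message body; returns only the flagged ones, in order."""
    return [f for f in (classify(u) for u in find_urls(body)) if f]


# Constructed sample message: the CIDs and gateway hostnames are made up for this example.
SAMPLE_EMAIL = """\
Your password expires today. Keep your same password here:
https://ipfs.gateway.example/ipfs/QmTz3Yxk8K6Zw2vPmQ7Rn4Hb9cJd5Lf1Ge6Wa8Ub2Vy3Xk/index.html
Alternate link: https://bafybeihqx7k2ma4nz6rt3vw5ey2ub7cd4fg6hj3kl5mn7pq2rs4tu6vw3x.ipfs.dweb.example/
Mobile: ipfs://QmTz3Yxk8K6Zw2vPmQ7Rn4Hb9cJd5Lf1Ge6Wa8Ub2Vy3Xk
Or use our portal: https://mail-login-verify.s3-website-us-east-1.amazonaws.com/signin.html
Unsubscribe: https://example.com/unsubscribe.
"""

if __name__ == "__main__":
    for finding in scan_email(SAMPLE_EMAIL):
        print(finding)
```

Extracting the CID is the useful part: the same content reached through three different gateways shares one CID, so a block or sinkhole keyed on the CID holds up when the campaign moves gateways, whereas a rule keyed on a single gateway hostname does not.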
Browser in the Browser Attack (BiTB)
The newest phishing kits simulate a browser window within the browser to spoof a legitimate domain, giving a phishing attack near invisibility. Often when we authenticate to a website via Google, Microsoft, etc., we are shown a pop-up window that asks us to authenticate.
The Browser in the Browser attack takes advantage of third-party single sign-on (SSO) options. Threat actors first have the user visit a malicious or compromised page and then use JavaScript code to present a pop-up window that is itself a phishing phony, luring the user into typing their account information.
The main difference from a usual phishing case is that, in addition to popping up the fraudulent window, the attack can display any URL in it, including a legitimate one. This trick works well because people have become so used to this authentication model that they no longer really pay attention to it and simply type their credentials to log in. Replicating the entire window design using basic HTML/CSS, or using published templates that replicate the Google, Facebook, etc. login pages, is quite straightforward. By combining the window design with an HTML inline frame element pointing to the malicious server hosting the phishing page, the result is pretty much indistinguishable from the legitimate site. The image below shows the fake window beside the real window and how it is almost impossible to discern any difference.
On top of this, JavaScript can be used to make the pop-up appear from a link, a button click or even a page-loading screen.
Pharming
Pharming is a difficult-to-detect approach in which bad actors hijack a DNS (Domain Name Server), which translates URLs into IP addresses. Then, when the target enters the website address, the DNS server redirects them to a fake, malicious website that harvests credential information rather than to the intended website.
Recommendations
It is recommended to use DNS sinkholing to block access to IPFS-based phishing sites, so that all DNS requests for a phishing site are redirected to a dummy server. Incorporate a secure email gateway to filter out harmful and malicious emails and automatically quarantine them away from user inboxes. Likewise, configure and enable URL filtering to properly detect and prevent homoglyph phishing attacks. Additionally, look for expired or missing SSL certificates (denoted by a slashed padlock sign) as well as at URLs, since URLs are often well masked in BiTB attacks. It is also highly recommended to make use of password managers and FIDO keys to prevent BiTB attacks. As the phishing pop-up is not in fact a real browser window, password managers with autocomplete options may not react to it, thus alerting the user.
BY AWAIS NASIR
Digital Forensic Investigator