
Cybersecurity researchers are drawing attention to a new type of credential phishing scheme that ensures the stolen information is tied to a valid online account.
Cofense calls the technique precision verification phishing. It says the kits use real-time email validation so that only a pre-selected list of high-value targets is shown the fake login page.
“This tactic doesn’t just give threat actors a higher success rate in obtaining usable credentials, as they only engage with a specific pre-harvested list of valid email accounts,” the company said.
Unlike “spray and pray” credential harvesting campaigns, which usually involve bulk distribution of spam emails that capture victims’ login information indiscriminately, the latest attack tactic takes spear phishing to the next level by engaging only with email addresses that attackers have verified as active, legitimate, and high-value.

In this scenario, the email address entered by the victim on the phishing landing page is checked against the attacker’s database before the fake login page is displayed. If the address is not in the database, the page either returns an error or redirects to a harmless site such as Wikipedia, in order to evade security analysis.
The check is performed by integrating an API- or JavaScript-based validation service into the phishing kit, which verifies the email address before proceeding to the password capture step.
“It increases the efficiency of the attack and the likelihood that stolen credentials belong to real, actively used accounts, improving the quality of harvested data for resale or further exploitation,” Cofense said.
“Automated security crawlers and sandbox environments struggle to analyze these attacks because they cannot bypass the validation filter. This targeted approach reduces risk for attackers and increases the lifespan of phishing campaigns.”
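As an added defender-side example that is not from the Cofense report, the Python below models how a sandbox could test for the validation gating described above: it submits two probe addresses to the email-only step (the address the lure was actually sent to and a throwaway address) and flags the kit when an address is bounced off-site or the two addresses are treated differently. The kit URL and the captured responses are constructed placeholders.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Response:
    """Stand-in for an HTTP response a sandbox captured after submitting
    the email-only step of a suspected phishing form (constructed)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def classify_email_step(page_url: str, resp: Response) -> str:
    """Label what the form did with the submitted address."""
    if 300 <= resp.status < 400:
        target = resp.headers.get("Location", "")
        if target and _host(target) != _host(page_url):
            return "offsite_redirect"       # bounced to an unrelated site, e.g. Wikipedia
        return "same_origin_redirect"
    if resp.status >= 400:
        return "same_origin_error"
    if 'type="password"' in resp.body.lower():
        return "password_prompt"            # the kit accepted the address
    return "unknown"


def is_validation_gated(page_url: str, probes: dict) -> tuple:
    """probes maps a label to the Response each probe address received.
    Strong signal: any probe was bounced off-site. Weaker signal: one address
    got a password prompt while another got an error (real identity providers
    can also say "account not found", so treat this as corroborating only)."""
    labels = {name: classify_email_step(page_url, r) for name, r in probes.items()}
    seen = set(labels.values())
    if "offsite_redirect" in seen:
        return True, labels
    return ("password_prompt" in seen and "same_origin_error" in seen), labels


# Constructed sample: the kit lives on a placeholder domain; one probe is a
# throwaway address, the other is the address the lure was actually sent to.
KIT_URL = "https://kit.example.invalid/auth/verify"
SAMPLE = {
    "random_address": Response(302, {"Location": "https://en.wikipedia.org/wiki/Main_Page"}),
    "lure_recipient": Response(200, {}, '<form><input type="password" name="pw"></form>'),
}

if __name__ == "__main__":
    print(is_validation_gated(KIT_URL, SAMPLE))
```

A kit that only ever shows a password field cannot be distinguished from a legitimate login this way, so the differential result is a triage signal, not proof on its own.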
The development comes as cybersecurity companies have revealed details of an email phishing campaign that uses file deletion reminders as a lure to steal credentials and deliver malware.
The second attack uses an embedded URL that appears to point to a PDF file scheduled for deletion from a legitimate file storage service called files.fm. If the recipient clicks the link, they are taken to a legitimate files.fm link.
However, once the PDF is opened, the user is presented with two options: preview or download the file. Users who choose the former are taken to a fake Microsoft login screen designed to steal credentials. Selecting the download option drops an executable that claims to be Microsoft OneDrive but is actually ConnectWise’s ScreenConnect remote desktop software.

It’s “as if threat actors are intentionally designing an attack to lock users in, forcing them to choose which ‘poison’ they fall into,” Cofense said. “Both options lead to the same outcomes and have similar goals, but there are different approaches to achieving them.”
The findings follow the discovery of a sophisticated multi-stage attack that combined vishing, remote access tools, and living-off-the-land techniques to gain initial access and establish persistence. The tradecraft observed in the activity is consistent with the cluster tracked as Storm-1811 (also known as STAC5777).
“The threat actor exploited exposed communication channels by providing a malicious PowerShell payload via Microsoft Teams messages, and then used Quick Assist to remotely access the environment,” Ontinue said. “This unfolded into signed binaries (such as TeamViewer.exe), a sideloaded malicious DLL (TV.DLL), and a JavaScript-based C2 backdoor that was run through Node.js.”