APT-Like Phishing Threat Mirrors Landing Pages

A phishing campaign is underway that uses mirror images of target organizations' landing pages to trick victims into entering login credentials.

According to a report from security firm Avanan, the malicious actors are then able to use these harvested credentials to gain access to a treasure trove of personal or company files, and access to other applications and other places in the network.

The attack flow starts with emails telling targets that it's time to update their passwords, with a button to click. That takes them to a phishing page that appears to be the organization's Google domain, with a pre-populated email address and a Google reCAPTCHA form, further adding to the veneer of authenticity.

Here's the interesting part: The landing page is dynamically rendered, so that it changes the logo and background presented to match the legitimate domain from the user's email address.

"Though the URL is completely unrelated to the company website, the page looks exactly like the real deal," according to the report, out today. "In fact, it’s a bit-for-bit mirror of the actual company site. The end user will have their email address pre-populated and see their traditional login page and background, making it incredibly convincing."

From there, the phishing page will either request the email twice as validation or, use the credentials in real time in order to verify the password. If the password is good, the user will be directed to a real document or to the organization's home page.

Meanwhile, the user's browser receives a cookie that renders the phishing page "unreachable," preventing any further analysis.

Jeremy Fuchs, cybersecurity research analyst at Avanan, explains that the attackers are after usernames and passwords because of what they can access later.

"They are after these credentials because they are incredibly valuable," he says. "Passwords are keys to the kingdom. They can open financial documents, personnel files, employee records; they can lead to bank accounts and medical records. By stealing credentials, the attackers have a whole bevy of information at their fingertips."

Ties to SPAM-EGY, APTs

Fuchs says he's seen this page-mirroring approach off and on for about two years, in attacks from the SPAM-EGY phishing-as-a-service group as well as advanced persistent threats (APTs). 

This current spate of attacks follows the SPAM-EGY group's trademarks, but Avanan researchers note that these attacks differ by targeting Google domains instead of Microsoft 365.

"This represents an evolution of this type of attack and thus may be carried out by a different group," according to the report.

Derek Manky, chief security strategist and vice president of global threat intelligence at Fortinet’s FortiGuard Labs, agrees page-mirroring is not a new tactic but certainly an effective one. He points out such mirrored sites are often included in phishing kits that are sold through the crime-as-a-service (CaaS) model

Organizations Should Take Note of Telltale Phishing Signs

A recent report from Kaspersky says that workers tend to not notice pitfalls hidden in emails devoted to corporate issues and delivery problem notifications. But Fuchs says that, as with most phishing attacks, there are some telltale signs on which organizations need to train users.

"It's important to remind employees to take two seconds and do two quick things: look at the sender address and the URL of the page," he advises. "The sender address is often amiss; that's clue one that something is off. The URL will also likely be off; that's clue two. Infusing that into everything employees do is critical."

Manky adds that any credential transactions should be done securely (HTTPS/SSL), and the certificate should be checked, as the certificate is unique and would not be mirrored.

"Of course, a site that looks completely legitimate will cause the victim to trust further — however, they should not be trusting the content rather the flow," he adds.

Manky also notes that cyber-hygiene training is a necessity for everyone in the organization, with home workers, not just organizations, being targets of cyberattacks.

"Multifactor authentication and password protection can help protect remote workers’ personal information, and knowing how to spot phishing emails and malvertising schemes will help employees avoid falling for these social engineering ploys," he says.

Phishers Adopting Sophisticated APT Tactics

Kristina Balaam, senior threat researcher of threat intelligence at Lookout, says as the general public’s awareness of phishing threats increases, threat actors seem to recognize that they need to improve their tactics to successfully compromise their targets.

"Users are becoming more discerning and aware of the risks that phishing campaigns pose to their personal and financial security," she explains. "When page-mirroring is used to help ensure a phishing page closely replicates a legitimate authentication portal, users are more likely to place trust in the Web application and miss more sophisticated indicators of compromise."

She adds that while some phishing campaigns may use incorrect branding or contain extensive grammatical errors, these more sophisticated pages may only reveal themselves through less obvious indicators, like slightly misspelled domains (that is, typosquatting) domains or missing SSL certificates.

"Phishers take what works and amplify it. If something works, they'll keep at it," Fuchs says. "Given that many of these attacks are available as downloadable 'kits,' the barrier to entry is far lower."

From his perspective, that means there will likely be a continued proliferation of these types of attack spread by various groups, both APT and non-APT alike. Balaam agrees and says she believes this convergence reflects a shift in the willingness of financially motivated threat actors to increase their investment in their campaigns to improve their success rates and generate a greater return on their investments.

"For IT security, this shift seems to be leading us toward a marked increase in the number of everyday users targeted by more sophisticated campaigns with TTPs previously employed primarily by APT actors," she says.

Other recent phishing campaigns from the current avalanche of attacks also show ever-greater sophistication, including the Ducktail spear-phishing campaign and a phishing kit that injects malware into legitimate WordPress sites.