Threat Intelligence

3/2/2018
02:55 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
0%
100%

Millions of Office 365 Accounts Hit with Password Stealers

Phishing emails disguised as tax-related alerts aim to trick users into handing attackers their usernames and passwords.

A new wave of phishing attacks aims to dupe users and steal their passwords by disguising malicious emails as tax-related notifications from the IRS.

Barracuda Networks last month flagged a "critical alert" when it detected attack attempts to steal user passwords. This threat lures victims with Microsoft 365 Office files claiming to be tax forms or other official documents; attackers use urgent language to convince people to open the attachment.

Examples of this tactic include files named "taxletter.doc" and phrases like "We are apprising you upon the arisen tax arrears in the number of 2300CAD." The use of popular file types like Word and Excel, which are globally known and used, further ensures victims will fall for it.

"Today's documents are far more active … you're putting in a lot of content, media, links," says Fleming Shi, senior vice president of technology at Barracuda, comparing this threat with phishing attacks of the past. "Bad guys are leveraging the dynamic, active manner of the documents today to weaponized their files."

In this case, users are hit with the password stealer when they download and open the malicious document. When the document opens, a macro inside launches PowerShell, which acts in the background while the victim views the document.

Tens of millions of people have been affected by these phishing emails, Shi says, and attackers evade detection by crafting different emails. While Exchange server makes up a large portion of people affected, Shi notes other types of email accounts are also targeted with the malicious files.

"What they do is they rotate the content of the email; they rotate sender information," he continues. Signature-based systems won't catch these messages because changing the characteristics of malicious emails changes their fingerprint.

Password theft is increasing overall, a sign of attackers shifting their goals and strategies, Shi explains. Ransomware was big last year; this year, password stealers are appearing in phishing emails, browser extensions, and other programs as criminals hunt login data.

It's all part of a broader trend of sneaky spearphishing and targeted attacks, he says. Usernames and passwords grant access to multiple systems and applications a particular user is attached to, as well as social media sites and contact lists to fuel future attacks.

"Some attackers try to be like a sleeper cell on your system," Shi notes. Instead of seeing a red flag, victims will notice subtle clues they have been compromised: their system will slow down; they'll see more pop-ups. All are signs they've lost control of applications on their system.

IRS officials are also recommending caution amid an increase of tax-related phishing emails. Last month, the IRS Online Fraud Detection & Prevention Center (OFDP) announced a rise of compromised emails starting in January 2017. Cybercriminals are aiming for mass data theft and many are impersonating executives to request W-2 information from human resources.

It's a timely opportunity for attackers to capitalize on users' wariness of tax season and make their campaigns more effective. "You feel vulnerable because you get an email saying the IRS is eyeing you," Shi says. "What happens is, you're likely going to open the document."

Related Content:

 

 

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
3/7/2018 | 8:53:05 AM
Re: Office 365 Accounts Hit
Rather a good reason to cancel the Office365 subscript and go back to the last GOOD one - Office 2010 on my home system
SchemaCzar
50%
50%
SchemaCzar,
User Rank: Strategist
3/3/2018 | 3:06:45 PM
Bad headline - this is a phishing scam like others
Yes, it's interesting that Office365 users were targeted, but this does not mean that "accounts" were "hit."  Another booby-trapped attachment.  It's a large-scale phishing attack, but nothing more than phishing.
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
3/2/2018 | 7:50:13 PM
Office 365 Accounts Hit
Not at all unexpected.  Even before reading the article, there's the fact that there are so many small companies that use Office 365, for good reasons.  Unfortunately, most are too small to have anything close to dedicated enterprise-level cybersecurity assets.  Often, they're lucky to have one person in the office with security, or even general IT support, as part of their job description.  But don't think multinationals needn't be concerned - if these small companies are cyber-business-partners, their being compromised can be a steppingstone toward a more lucrative vulnerability. 

It's sad, but what is an obvious scam to those experienced in cybersecurity, can seem all too real to the intelligent, but untrained knowledge workers just trying to get through their workload.  Fold the same old letter, phone, email ploys into Office 365 documents (an environment people assume secure, and where you can be called on the carpet for ignoring something that might be important), and you've increased the potency dramatically. 

Yes the "tax time" feature does make these enticements more effective, but there's more to it.  Get the necessary data to file a false IRS return (with false direct deposit information), and you might be able to walk off with a refund before the real entity has filed. 

Another aspect mentioned in the article is the misuse of PowerShell.  Power is right, but is it too much power, too easily accessible and unnecessary for most users?  Again, something the big companies know to control, but users in small firms might not even know it's there. 
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Number of Retailers Impacted by Breaches Doubles
Ericka Chickowski, Contributing Writer, Dark Reading,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14512
PUBLISHED: 2018-07-23
An XSS vulnerability was discovered in WUZHI CMS 4.1.0. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the form[nickname] parameter to the index.php?m=core&f=set&v=sendmail URI. When the administrator accesses the "system settings - mail ...
CVE-2018-14513
PUBLISHED: 2018-07-23
An XSS vulnerability was discovered in WUZHI CMS 4.1.0. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the form[content] parameter to the index.php?m=feedback&f=index&v=contact URI.
CVE-2018-14514
PUBLISHED: 2018-07-23
An SSRF vulnerability was discovered in idreamsoft iCMS V7.0.9 that allows attackers to read sensitive files, access an intranet, or possibly have unspecified other impact.
CVE-2018-14515
PUBLISHED: 2018-07-23
A SQL injection was discovered in WUZHI CMS 4.1.0 that allows remote attackers to inject a malicious SQL statement via the index.php?m=promote&f=index&v=search keywords parameter.
CVE-2018-14517
PUBLISHED: 2018-07-23
SeaCMS 6.61 has two XSS issues in the admin_config.php file via certain form fields.