Sophisticated phishing: a roundup of noteworthy campaigns

Phishing is a problem nearly as old as the Internet. Yet, criminals continue to reach into their bag of phishing tricks in 2019 because, in a nutshell, it just works. Dialing into the human psyche and capitalizing on emotions such as fear, anxiety, or plain laziness, phishing attacks are successful because they take aim at our weaknesses and exploit them—in much the same way an exploit kit takes advantage of a vulnerability in a software program.

To understand why phishing attacks continue to work, we look to cutting-edge tactics devised by threat actors to obfuscate their true intentions and capitalize on basic negligence. To that end, we’ve put together a roundup of noteworthy, out-of-the-box phishing campaigns of this year (and it’s not even Q2 yet!). Here are the attacks that stood out.

You can’t easily dismiss this one

Myki, makers of the top-rated password manager with the same name, recently discovered a deceptive Facebook phishing scam that is so utterly convincing that it piqued the interest of security researchers.

The hullabaloo began when the company started receiving multiple reports from users that their Myki password manager was refusing to automatically fill a Facebook pop-up window on sites they visited, citing this as a bug.

After further investigation, Myki security researchers realized that it wasn’t a bug, and, in fact, their product was protecting their clients from trusting the purported Facebook pop-up. Below is a video demo of the phishing campaign they were able to unearth and successfully reproduce:

Video demo (Courtesy of Myki)

“[The] Hacker designs a very realistic-looking social login pop-up prompt in HTML,” wrote Antoine Vincent Jebara, Co-founder and CEO of Myki, in a blog post. “The status bar, navigation bar, shadows, and content are perfectly reproduced to look exactly like a legitimate login prompt.”

The fake pop-up looks and feels so real that users can drag and dismiss it like one could with a legitimate pop-up. But while it brings a convincing level of legitimacy to the attack, the pop-up gives the game away once users attempt to drag it out of the page, which can’t happen because the parts touching the edge of the browser window disappear, making users realize that the pop-up is part of the web page itself.

So, the next time you notice that your password manager is acting funny—like, not pre-filling on pop-up windows as you know it’s supposed to—try dragging the pop-up away from your browser. If a section (or mostly all) of it disappears after reaching the browser’s edge, it’s a fake pop-up. Close the page tab immediately!

Phishing by a thousand characters

By any sane standard, a 400- to 1,000-character long URL is overkill. Yet this didn’t stop a phisher from using it in his/her campaign. Not just once but in multiple instances in a phishing campaign email—much to the annoyance of clever recipients.

Screenshot of the kilometric long URL used in the campaign (Courtesy of MyOnlineSecurity)“>

The extracted URL above was taken from an email purporting to be a notification from the recipient’s email domain, telling them that their account was blacklisted due to multiple login failures. It then instructed recipients to upgrade and verify their email account before the service provider suspends or terminates the account.

No one knows for sure why someone would be crazy enough to attempt this. By now, fraudsters known there are better, more sustainable ways of obfuscating URLs. But alas, hardworking phishers are still out there. It’s not easy copying and pasting all those characters, after all, much less manually typing them out.

Let’s give them an A for effort, shall we? Nevertheless, phishing is no laughing matter, so let’s keep an eye on this one.

(Not) lost in (Google) translation

Online translation services were designed to serve one purpose: translate content from its original language to another. Who would have expected that phishers could use a legitimate Google Translate page as the landing page for users they’re attempting to own?

Screenshot of the phishing email (Courtesy of Akamai)“>

To: {recipient} From: Security Accounts Subject: Security Alert Message body:

Connecting to a new device

[redacted]

A user has just signed in to your Google Account from a new Windows device. We are sending you this email to verify that it is you.

[Consult the activity]

‘Why do this?’ you might wonder. According to Larry Cashdollar, Senior Security Response Engineer from Akamai, in a blog post, “Using Google Translate does some things; it fills the URL (address) bar with lots of random text, but the most important thing visually is that the victim sees a legitimate Google domain. In some cases, this trick will help the criminal bypass endpoint defenses.”

He also noted that this kind of tactic could be accepted by targets without suspicion when viewed on a mobile device, as the phishing email and landing page appear more legitimate. When viewed on a laptop or desktop, however, the flaws of this tactic are glaring.

Cashdollar mentioned that this phishing campaign is a two-prong attack, wherein phishers aimed at harvesting Google credentials first and then Facebook credentials next. The domain for the fake Facebook login is not hosted on a Google Translate page, mind you.

“…it’s highly uncommon to see such an attack target two brands in the same session,” Cashdollar further wrote.

For users to avoid falling for such a phish, Cashdollar has this to say: “The best defense is a good offense. That means taking your time and examining the message fully before taking any actions. Does the “from” address match what you’re expecting? Does the message create a curious sense of urgency, fear, or authority, almost demanding you do something? If so, those are the messages to be suspicious of, and the ones most likely to result in compromised accounts.”

Where did the quick brown fox go?

Unfortunately, it was replaced by letters placed in locations they weren’t supposed to so phishers could hide the source code of their landing page to make it look less suspicious.

This was what our friends at Proofpoint found when they encountered a campaign that leveraged custom font files for decoding and hiding content.

This particular phishing attack started off as an email purporting to originate from a major US bank, and when users clicked the link in the email, they were directed to a convincing replica of the bank’s official page, ready and waiting to receive credential input.

The custom font files, namely woff and woff2, installed a substitution cipher, which then replaced the letters users see on the page with other letters in the source code via direct character substitution. So, the text “The quick brown fox…” seen in the normal font file, for example, was “Eht wprcx bivqn fvk…” in the custom font file.

Screenshot of the woff font file (Courtesy of Proofpoint)“>

Proofpoint noted that the phishing kit may have been available since May 2018, if not earlier.

To combat this tactic and the others noted in this roundup, users must continue sticking to established safe computing protocols, such as not clicking links of emails that are suspicious and visiting bank websites directly from the browser instead of via email.

Businesses can also stay on top of less obvious phishing attacks by incorporating them into employee training programs. Any good anti-phishing plan will use techniques currently being used in the wild (whereas the Nigerian Prince, while still out there, is probably not one you still need to train on.)

As always, stay safe, and stay informed!