Despite all the money major brands spend on logo design, people are bad at remembering logos precisely, and that makes it easier for scammers to trick them into clicking malicious links.
On average, a company sees 90 domains impersonating its business each month. Cybercriminals, and sometimes state-sponsored threat actors, set up these fake pages to commit fraud.
The most common goal of an impersonating domain is to harvest credentials from employees or customers. The fake pages carry the brand's name and logo plus a data-entry form for the victim to fill in. Typically, these domains are the landing pages for links in phishing emails or SMS messages that ask the victim to reset an expired password.
Recently, the email security company INKY detected and analyzed an attack of this kind: a campaign impersonating the US telecommunications provider Verizon, spread across dozens of phishing emails sent from various Gmail addresses. The phishers used mathematical symbols to reproduce part of the Verizon logo, and the malicious link in each email led to a credential-harvesting site.
Bukar Alibe, a cybersecurity analyst at INKY, told CyberNews the attack was sophisticated in some ways.
“The phishers were clever by sending phishing emails from Gmail accounts because it allowed them to pass sender reputation checks. Hosting the fake Verizon site on a newly created domain creates a zero-day threat. It won't appear on threat intelligence feeds until it's discovered and reported. Lots of security vendors use computer vision to detect impersonation sites, but the phishers stole elements from Verizon's real site and created a customized site with Microsoft elements, so that makes it harder for computer vision to detect accurately,” he said.
Visually, however, the math symbols made the emails look fake and suspicious, so using them was probably counterproductive for the phishers, Alibe thinks.
Verizon's current logo uses a bright red, asymmetrical "V" after the word "Verizon"; the "V" element does look like a checkmark.
INKY found three fake logo variants in the wild. Each made use of a mathematical symbol for the red element. The three impersonations reproduced that element via:
All three variants masqueraded as voicemail notifications, a plausible pretext because Verizon does provide voicemail services, including notifications.
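The logo-as-text trick described above can be turned into a mail-filter heuristic. The following is an added example, not INKY's or CyberNews' code: it flags watched brand names that have a non-ASCII Unicode symbol (a math or check-mark glyph, for instance) adjacent to them and, going one step beyond what the article describes, also catches a brand name spelled with mathematical alphanumeric letters by comparing the text with its NFKC normalization. The brand list and the sample subject lines are constructed; the glyphs are illustrative and are not the exact symbols INKY observed.

```python
import unicodedata

# Assumption (not from the article): a defender-maintained list of brands
# whose logos are commonly forged in phishing mail.
WATCHED_BRANDS = ("verizon", "microsoft", "office365")

# Constructed sample subject lines / sender display names. The glyphs sit where
# a logo element would appear next to the brand name; they are illustrative,
# not the exact symbols INKY observed.
SAMPLES = [
    "Verizon √ New voicemail message",
    "Verizon ✓ You have 1 new voice message",
    "𝐕erizon Wireless: account notice",
    "Your Verizon bill is ready",
    "Play > your voicemail",
]


def non_ascii_symbols(text):
    """Return (index, char, unicode name, category) for each non-ASCII character
    in a Unicode Symbol category (Sm = math symbol, So = other symbol, ...).
    ASCII '>' is also category Sm but is deliberately ignored: it is ordinary
    punctuation and would make every "Play >" button label a hit."""
    hits = []
    for i, ch in enumerate(text):
        cat = unicodedata.category(ch)
        if ord(ch) > 0x7F and cat.startswith("S"):
            hits.append((i, ch, unicodedata.name(ch, "UNKNOWN"), cat))
    return hits


def brand_spans(text):
    """Yield (brand, start, end, spoofed) for watched brands found in the NFKC
    normalization of text. NFKC folds compatibility characters such as
    MATHEMATICAL BOLD CAPITAL V onto plain 'V', so a name spelled with them
    still matches; spoofed is True when the raw slice differs from the brand.
    Positions are only trusted when normalization and lowercasing kept the
    string length, otherwise indices would not line up with the raw text."""
    norm = unicodedata.normalize("NFKC", text)
    low = norm.lower()
    same_len = len(norm) == len(text) == len(low)
    for brand in WATCHED_BRANDS:
        start = low.find(brand)
        while start != -1:
            end = start + len(brand)
            spoofed = same_len and text[start:end].lower() != brand
            yield brand, start, end, spoofed
            start = low.find(brand, end)


def analyze(text, window=3):
    """Findings for one subject line or display name: a brand written with
    compatibility characters, or a non-ASCII symbol within `window` characters
    before or after a brand name. Returns [] for clean text."""
    findings = []
    symbols = non_ascii_symbols(text)
    for brand, start, end, spoofed in brand_spans(text):
        if spoofed:
            findings.append((brand, "compatibility-spelled", text[start:end]))
        for idx, _ch, name, _cat in symbols:
            if start - window <= idx < start or end <= idx < end + window:
                findings.append((brand, "adjacent-symbol", name))
    return findings


def scan(samples=SAMPLES):
    """Map each sample to its findings; clean samples map to []."""
    return {s: analyze(s) for s in samples}


if __name__ == "__main__":
    for subject, findings in scan().items():
        print("FLAG" if findings else "ok  ", repr(subject), findings)
```

The window is deliberately small: a symbol three or more characters away from the brand is more likely an unrelated emoji or bullet than a forged logo element, and widening it trades false positives for recall.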
Clicking the "Play >" button (black or red, depending on the variant; the label is the word plus an ASCII close-angle-bracket character) led to a site that looked like Verizon's but was a malicious impersonation. The phishers could simply lift individual HTML and CSS elements from Verizon's real site and assemble a custom page that included a correct version of the logo.
The phishers registered the fake site, sd9-08[.]click, through Namecheap barely a month earlier, according to a WHOIS lookup. Namecheap has since taken it down; DNS queries for the name now return NXDOMAIN, meaning it no longer resolves. Attackers favour newly registered domains because reputation services and threat-intelligence feeds have not yet seen them, so phishing emails pointing to such domains slip past most corporate defenses and into recipients' inboxes.
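The domain-age check that the WHOIS lookup above implies, written here as an added example (not INKY's or CyberNews' code): it pulls the registration date out of a raw WHOIS response in the label styles registrars commonly use, computes the domain's age as of the phishing email's Date header, and flags anything younger than 30 days. The WHOIS text, domain names, dates, registrar name and the 30-day threshold are all constructed or assumed; they are not a real lookup of the domain named above.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption (not from the article): mail filters commonly treat a domain
# registered within the last 30 days as "newly registered".
NEW_DOMAIN_DAYS = 30

# Constructed WHOIS responses. Registrars label the creation date differently,
# so two styles are shown. Domain names, dates and registrar are illustrative
# and are not a real lookup of the domain named in the article.
WHOIS_NEW = """\
Domain Name: VOICEMAIL-NOTICE-EXAMPLE.CLICK
Registry Domain ID: D0000000000000000-CLICK
Registrar WHOIS Server: whois.example-registrar.test
Updated Date: 2021-09-03T09:15:42Z
Creation Date: 2021-08-21T17:02:11Z
Registry Expiry Date: 2022-08-21T17:02:11Z
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited
Name Server: NS1.EXAMPLE-REGISTRAR.TEST
"""

WHOIS_OLD = """\
Domain Name: example-telecom.com
Registrar: Example Registrar, Inc.
Created: 22-Jun-2010
Expires: 22-Jun-2025
Status: ok
"""

# Date header of the constructed phishing email that carried the link.
EMAIL_DATE = "Sat, 18 Sep 2021 10:12:00 +0000"

# Labels used by common WHOIS servers for the registration date.
CREATION_RE = re.compile(
    r"^\s*(?:Creation Date|Created(?: On| Date)?|Registered(?: On)?|"
    r"Domain Registration Date|Registration Time)\s*:\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
REGISTRAR_RE = re.compile(r"^\s*Registrar\s*:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_whois_date(value):
    """Parse the date formats WHOIS servers commonly emit into an aware UTC
    datetime. Naive values are assumed to be UTC."""
    value = value.strip()
    iso = value[:-1] + "+00:00" if value.endswith("Z") else value
    dt = None
    try:
        dt = datetime.fromisoformat(iso)
    except ValueError:
        for fmt in ("%d-%b-%Y", "%d-%b-%Y %H:%M:%S", "%Y.%m.%d %H:%M:%S", "%d/%m/%Y"):
            try:
                dt = datetime.strptime(value, fmt)
                break
            except ValueError:
                continue
    if dt is None:
        raise ValueError(f"unrecognised WHOIS date: {value!r}")
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def creation_date(whois_text):
    """First registration-date label found in the WHOIS text, or None."""
    m = CREATION_RE.search(whois_text)
    return parse_whois_date(m.group(1)) if m else None


def registrar(whois_text):
    """The 'Registrar:' field, or None when absent."""
    m = REGISTRAR_RE.search(whois_text)
    return m.group(1) if m else None


def assess(whois_text, message_date, threshold_days=NEW_DOMAIN_DAYS):
    """Age of the domain, in whole days, at the time the email was sent, plus a
    verdict: 'newly-registered' below the threshold, 'established' otherwise,
    'unknown' when the WHOIS text carries no creation date."""
    as_of = parsedate_to_datetime(message_date)
    if as_of.tzinfo is None:
        as_of = as_of.replace(tzinfo=timezone.utc)
    created = creation_date(whois_text)
    if created is None:
        return {"registrar": registrar(whois_text), "age_days": None, "verdict": "unknown"}
    age = (as_of - created).days
    verdict = "newly-registered" if age < threshold_days else "established"
    return {"registrar": registrar(whois_text), "age_days": age, "verdict": verdict}


if __name__ == "__main__":
    for label, text in (("new", WHOIS_NEW), ("old", WHOIS_OLD)):
        print(label, assess(text, EMAIL_DATE))
```

Measuring age against the message's Date header rather than "now" matters for retrospective triage: a domain that is a year old today may still have been a few days old when the email was delivered, which is the moment the reputation check failed.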
At the bottom of the fake page, targets were invited to "play, listen, or download" their voicemail using their Office 365 credentials. The red "Authenticate with Office365" button led to a fake Microsoft login dialog.
An INKY analyst entered fake credentials into the fake login form to assess the site.
The first login attempt was answered with an "incorrect password" message; the second produced a bogus error message.
The credentials were harvested on the backend both times. This pattern, the double ask, is fairly common. It is not entirely clear what the phishers gain from it, but they may want the victim to confirm that the data is correct, or they may hope the victim will try a different account, yielding two sets of credentials for the price of one.
INKY reported this flurry of phish to Verizon's [email protected] address.
“Although this particular campaign is over, anyone receiving a similar email in the future can report it to that address with their name and account and phone numbers,” INKY claimed.
“The worst-case scenario is that the victim's Microsoft credentials are harvested, and this has unmeasurable consequences,” Alibe said.
Microsoft credentials, and work email accounts generally, are valuable to phishers because they expose an organization's supply chain. Once attackers gain access to a compromised account, they exfiltrate email data to analyze and monitor buyer/supplier relationships.
“Some data exfiltration methods are downloading an account’s entire mailbox or setting up mail forwarding rules to receive messages. The goal is to remain undetected and wait for the perfect opportunity to launch another attack. Using stolen emails and data as context, they can use look-alike domains or spoofed senders that trick employees into sending data or money to the wrong recipient,” he added.
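To make the forwarding-rule exfiltration concrete, here is an added detection example, not INKY's or CyberNews' code, that scans Microsoft 365 Unified Audit Log records for inbox rules and mailbox settings that forward mail to addresses outside the organization, rating higher those that also delete or move the forwarded messages so the mailbox owner never sees them. The records, addresses, IPs and the internal-domain list are constructed, and the record shape is a trimmed-down assumption based on the Exchange admin audit schema (Operation, UserId, ClientIP and a Parameters list of Name/Value pairs).

```python
import json
import re

# Assumption (not from the article): the organization's own accepted domains.
INTERNAL_DOMAINS = {"example.com"}

# Exchange cmdlet parameters that send a copy of mail somewhere else.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
# Parameters that hide the forwarded mail from the mailbox owner.
HIDING_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
WATCHED_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample records. The shape follows Microsoft 365 Unified Audit
# Log entries for Exchange admin operations, trimmed to the fields used here.
SAMPLE_AUDIT_JSON = json.dumps([
    {"CreationTime": "2021-09-20T07:41:12", "Operation": "New-InboxRule",
     "UserId": "victim@example.com", "ClientIP": "198.51.100.23",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "ForwardTo", "Value": "\"Backup\" [SMTP:attacker@example.net]"},
         {"Name": "DeleteMessage", "Value": "True"},
         {"Name": "StopProcessingRules", "Value": "True"}]},
    {"CreationTime": "2021-09-20T07:43:55", "Operation": "Set-Mailbox",
     "UserId": "victim@example.com", "ClientIP": "198.51.100.23",
     "Parameters": [
         {"Name": "Identity", "Value": "victim@example.com"},
         {"Name": "ForwardingSmtpAddress", "Value": "smtp:attacker@example.net"},
         {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2021-09-20T09:02:10", "Operation": "New-InboxRule",
     "UserId": "colleague@example.com", "ClientIP": "203.0.113.8",
     "Parameters": [
         {"Name": "Name", "Value": "Vendor invoices"},
         {"Name": "From", "Value": "billing@example.com"},
         {"Name": "MoveToFolder", "Value": "Invoices"}]},
    {"CreationTime": "2021-09-20T09:10:00", "Operation": "Set-InboxRule",
     "UserId": "colleague@example.com", "ClientIP": "203.0.113.8",
     "Parameters": [
         {"Name": "Identity", "Value": "Helpdesk copy"},
         {"Name": "RedirectTo", "Value": "helpdesk@example.com"}]},
    {"CreationTime": "2021-09-20T09:12:31", "Operation": "UserLoggedIn",
     "UserId": "colleague@example.com", "ClientIP": "203.0.113.8"},
])


def parameters(record):
    """Flatten the Parameters list into a {Name: Value} dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def external_addresses(value):
    """Pull SMTP addresses out of a parameter value such as
    '"Backup" [SMTP:user@example.net]' and keep those outside INTERNAL_DOMAINS."""
    found = {a.lower() for a in EMAIL_RE.findall(value)}
    return sorted(a for a in found if a.rsplit("@", 1)[1] not in INTERNAL_DOMAINS)


def evaluate(record):
    """Return a finding for a forwarding configuration that targets an external
    address, or None. Forwarding to internal addresses is not flagged."""
    if record.get("Operation") not in WATCHED_OPERATIONS:
        return None
    params = parameters(record)
    targets = []
    for name in FORWARDING_PARAMS.intersection(params):
        targets.extend(external_addresses(params[name]))
    if not targets:
        return None
    # A hiding parameter set to anything other than empty/False counts.
    hides = any(params.get(n, "").lower() not in ("", "false") for n in HIDING_PARAMS)
    return {
        "time": record.get("CreationTime"),
        "user": record.get("UserId"),
        "client_ip": record.get("ClientIP"),
        "operation": record["Operation"],
        "external_targets": sorted(set(targets)),
        "hides_evidence": hides,
        "severity": "high" if hides else "medium",
    }


def detect(audit_json=SAMPLE_AUDIT_JSON):
    """Run evaluate() over a JSON array of audit records and return findings."""
    return [f for f in (evaluate(r) for r in json.loads(audit_json)) if f]


if __name__ == "__main__":
    for finding in detect():
        print(finding)
```

In production the same logic would be fed from the audit log export (for instance the output of Search-UnifiedAuditLog), and the ClientIP of a hit is worth correlating with the sign-in logs: a rule created from an address the user has never signed in from is the strongest signal that the mailbox, not the user, made the change.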
No industry is spared
Phishing has been around for a quarter of a century, yet it remains an effective cyberattack technique. Adversaries are quick to identify new opportunities, develop new tactics, and exploit human emotions.
A single click on the wrong link can be all it takes to compromise an entire organization's network, often with disastrous consequences, including data breaches and malware or ransomware planted on company devices.
A survey by the cybersecurity company Sophos shows that phishing has increased significantly since the start of the pandemic. All sectors were affected, with central government reporting the highest increase (77%), closely followed by business and professional services (76%) and healthcare (73%).
According to Sophos researchers, the small variation between sectors confirms that adversaries are largely indiscriminate and try to reach as many people as possible to raise their odds of success. For organizations, phishing is often the first step in a complex, multi-stage attack.
The problem is that sophisticated adversaries often pass the usual red-flag tests, so their emails do not look suspicious. They also keep evolving their tactics: criminals increasingly abuse Google Forms, for example. Here are some tips from the world-renowned hacker Kevin Mitnick on how to secure your organization.