New Attack Uses APT Group Techniques, Mirrors Legit Landing Pages For Convincing Credential Harvesting

Avanan has published new research describing threat actors who use constantly changing obfuscation methods, previously seen in attacks by the APT group SPAM-EGY, to mirror an organization’s landing page and trick users into handing over their credentials.

This attack presents users with a typical-looking password expiration reminder email. Clicking the provided URL sends victims to a fake page that mirrors the actual company website, displaying the same images of the organization’s login page that users are accustomed to seeing.

Jeremy Fuchs, Cybersecurity Research Analyst at Avanan, had this to say:

The information the attackers are after is primarily credentials–usernames and passwords. They are after them because they are incredibly valuable. Passwords are keys to the kingdom. They can open up financial documents, personnel files, employee records; they can lead to bank accounts and medical records. By stealing credentials, the attackers have a whole bevy of information at their fingertips.

We’ve seen this off and on for about two years and it’s quite simple. One of the groups that does this, SPAM-EGY, claims “10,000% access to the inbox.” In that regard, they’re doing quite well.

Like with most phishing attacks, there are some telltale signs. It’s important to remind employees to take two seconds and do two quick things–look at the sender address and the URL of the page. The sender address is often amiss; that’s clue one that something is off. The URL will also likely be off; that’s clue two. Infusing that into everything employees do is critical.

Phishers take what works and amplify it. If something works, they’ll keep at it. Given that many of these attacks are available as downloadable “kits”, the barrier to entry is far lower. That means we’ll see a continued proliferation of these types of attacks, only spread by various groups, both APT and non-APT alike.
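The two clues in the quote above, the sender address and the link URL, turned into a triage check. This is an added Python example, not code from the Avanan report; the organization domain `example-corp.com`, the two sample emails and the `triage`/`registered_domain` helpers are constructed for illustration, and the registered-domain heuristic is a deliberate simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed legitimate domain of the organization (placeholder, not from the report).
ORG_DOMAIN = "example-corp.com"
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def registered_domain(host: str) -> str:
    """Last two DNS labels of a host. Deliberately crude: real code should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(raw_email: str, org_domain: str = ORG_DOMAIN) -> dict:
    """Clue one: the sender's domain. Clue two: the domain of every link (single-part text email)."""
    msg = message_from_string(raw_email)
    flags = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if registered_domain(sender_domain) != org_domain:
        flags.append(f"sender domain {sender_domain!r} is not {org_domain}")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registered_domain(host) != org_domain:
            flags.append(f"link host {host!r} is not under {org_domain}")
    return {"sender": sender, "flags": flags, "suspicious": bool(flags)}


# Constructed sample: the lure's link host merely *contains* the real domain as a
# leading label, so a naive substring check would pass it; the registered domain does not.
PHISH = """\
From: IT Helpdesk <it-support@example-corp-mail.com>
Subject: Your password expires today
Content-Type: text/plain; charset=utf-8

Your password expires in 24 hours. Keep your current password here:
https://example-corp.com.account-verify-portal.net/login
"""

# Constructed sample of a genuine reminder sent from, and linking to, the real domain.
LEGIT = """\
From: IT Helpdesk <helpdesk@example-corp.com>
Subject: Password rotation reminder
Content-Type: text/plain; charset=utf-8

Rotate your password at https://sso.example-corp.com/password
"""
```

`triage(PHISH)` raises both flags while `triage(LEGIT)` raises none; a mirrored login page can copy every pixel, but it cannot be served from the registered domain it imitates.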

You can read the full report here.

