Archive for Phishing

There’s A Dangerous Microsoft Phishing Email Making The Rounds

Posted in Commentary on October 8, 2023 by itnerd

A reader sent me this email, and when I examined it, it illustrated how a well done phishing email can be extremely dangerous.

Let’s start with the email:

The look of this email is very well done. It will fool a lot of people. If you click on the “Verify Now” link, which for the record you should not do, you get this:

To add to the legitimacy of the scam, you have to pass through this fake Cloudflare page. Fun fact: Microsoft doesn’t use Cloudflare to verify connections or to protect against denial of service attacks. You next go here:

This is a perfect replication of a Microsoft login screen. Again, this is going to fool a lot of people. And it does some checking to see if an account is likely to be valid. I say that because I originally typed in “fuckyouscammer@hotmail.com” and had that rejected. So I had to go with “screwyouscammer@hotmail.com” to get this password screen:

Again, a very well done replication of a real password screen from Microsoft. And what’s interesting is that it actually checks to see if the password is valid. So that implies that whoever is behind this is really sophisticated and is trying to harvest credentials to use for whatever evil purposes they have in mind.

Now, how did I figure out that this email was not from Microsoft? There were a couple of things that caught my eye:

Seeing as Microsoft uses Microsoft.com for all its communications, this email makes it clear that it is from someone other than Microsoft.

The URL in the fake login page isn’t one that uses Microsoft.com. That’s another sign that this is something that you should be avoiding.

This phishing campaign is clearly aimed at Outlook.com as well as Microsoft 365 users. Thus if you’re in one camp or the other, you need to watch out for this email hitting your inbox as you’re clearly a target. And if you do get this email, delete it and move on with your day.
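The two tells above (sender not on Microsoft.com, login URL not on Microsoft.com) can be checked mechanically. The following is an added example written for this post, not code from the article; the LEGIT_DOMAINS set and the sample message are constructed assumptions. It deliberately looks at the registrable domain rather than just searching for “microsoft.com” in the URL, since a lookalike host can contain that string as a subdomain.

```python
# Added example (not the article's code): check whether an email's sender and
# links really belong to Microsoft. LEGIT_DOMAINS and SAMPLE are assumptions.
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains Microsoft genuinely sends from / hosts sign-in pages on.
LEGIT_DOMAINS = {"microsoft.com", "microsoftonline.com", "live.com", "office.com"}
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (fine for .com; use a public-suffix list for
    co.uk-style TLDs). This catches 'microsoft.com.evil.example': the URL
    *contains* microsoft.com but is registered under evil.example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_legit_url(url: str) -> bool:
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    return registrable_domain(p.hostname) in LEGIT_DOMAINS

def analyse(raw: bytes) -> dict:
    """Return the sender's domain, whether it is legitimate, and off-brand links."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    return {
        "sender_domain": sender,
        "sender_legit": registrable_domain(sender) in LEGIT_DOMAINS,
        "suspicious_links": [u for u in HREF_RE.findall(body) if not is_legit_url(u)],
    }

# Constructed sample modelled on the post: a lookalike sender and a 'Verify Now'
# link whose hostname starts with microsoft.com but is not microsoft.com.
SAMPLE = b"""\
From: Microsoft Account Team <no-reply@mail-microsoft-verify.example>
Subject: Unusual sign-in activity
Content-Type: text/html; charset="utf-8"

<html><body><p>We noticed unusual activity on your account.</p>
<a href="https://microsoft.com.login-verify.example/check">Verify Now</a>
<a href="https://www.microsoft.com/privacy">Privacy Statement</a></body></html>
"""

if __name__ == "__main__":
    print(analyse(SAMPLE))
```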

Researchers Discover A Novel Email Phishing Attack Involving Calendly

Posted in Commentary on March 31, 2022 by itnerd

INKY has published research analyzing a novel email phishing attack, delivered via hijacked accounts, that lures victims to the scheduling platform Calendly, where the threat actors crafted a clever sequence leading to a credential-harvesting payload that impersonates Microsoft 365. INKY’s researchers detected this credential-harvesting operation exploiting the free online appointment scheduling software: the attackers inserted malicious links into Calendly event invitations.

Calendly displays customizable confirmation pages to invitees after scheduling. In this attack, the phishers took advantage of that and used the “Add Custom Link” feature to insert a malicious link on the event confirmation page, dressed up as a SharePoint notification for a fax, complete with page counts and file sizes.

As part of the company’s investigation, an INKY engineer entered a fake username and password to test the phishing site and got a fake invalid-password error. Behind the scenes, the attackers harvested the fake credentials. Another attempt to log in led to a second harvesting event, whereupon the victim was redirected to their own (supposed) domain.

I had a look at this report yesterday ahead of its publication and I have to admit that this is crafty. Many people are so used to doing whatever a site tells them to do that I can see how this would be effective. It underlines that everyone needs to be vigilant 100% of the time.

You can read the full report here.

UPDATE: A Calendly spokesperson reached out to me with this statement:

“Security is a top priority at Calendly. Similar to other major technology providers, we have an extensive network of tools and systems in place, such as a next-generation web application firewall, fraudulent IP tracking, and anomalous traffic pattern alerts. We also recommend customers add an additional layer of protection with a password manager and two-factor authentication. 

In this instance, a malicious link was inserted into a customized booking page. Phishing attacks violate our Terms of Service and accounts are immediately terminated when found or reported. We have a dedicated team that constantly enhances our security techniques, and we will continue to refine and stay vigilant to protect our users and combat such attacks.”

eBike Phishing Campaign Abuses Google Ads and SEO

Posted in Commentary on March 1, 2022 by itnerd

Singaporean security firm CloudSEK has uncovered a large phishing campaign in which hundreds of eBike phishing sites have abused Google Ads to trick users into giving their personal data to fake investment schemes that are impersonating genuine brands. With large-scale postings of fraudulent websites, the attackers are leveraging Google Ads and SEO to target the Indian audience. 

Saryu Nayyar, CEO and Founder, Gurucul had this comment:

“Phishing attacks have proven to be the #1 threat vector for compromising organizations but also luring users into gaining access to credentials or personal data. This is a very sophisticated attack in how the attackers leveraged Google Ads to reroute users to fake websites that looked perfectly legitimate. It also shows why phishing attacks are almost impossible to prevent. Organizations must employ new and advanced analytics that includes a well-crafted set of behavioral analytics and machine learning (ML) models to identify suspicious activity and escalate when appropriate to classify this activity as an actual malicious threat. Detection of redirection to illegitimate sites is one area where this can be beneficial above and beyond traditional XDR and SIEM solutions.”

Hopefully Google gets on top of this to stop this attack as this seems like a pretty nasty one.

New Lazarus Campaign Targets Those In The Defence Industry

Posted in Commentary on February 9, 2022 by itnerd

Qualys Senior Engineer of Threat Research Akshat Pradhan has identified a new campaign from Lazarus hackers targeting the defense industry with fake Lockheed Martin job offers.

The Qualys Research Team recently identified a new Lazarus campaign using employment phishing lures targeting the defence sector. The identified variants target job applicants for Lockheed Martin Corporation, which is an American aerospace, arms, defence, information security, and technology corporation. This is thematically similar to other observed variants where Lazarus has posed as defence companies like Northrop Grumman and BAE Systems with job openings. We refer to this campaign as “LolZarus” due to the use of different lolbins in observed samples, some of which are the lolbin’s first recorded usage by a well-known adversary.

The campaign works by targeting hopeful job applicants in the defense industry with phishing documents that pretend to offer employment opportunities. The documents contain malicious macros which trigger shellcode to hijack control flow, retrieve decoy documents, and create scheduled tasks for persistence.
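The persistence step described here (an Office document whose macro ends up creating a scheduled task, plus the lolbin usage the Qualys team named the campaign after) is detectable from ordinary process-creation telemetry. The following is an added example, not code from the Qualys report or this post: the log format, the process lists and the sample events are constructed assumptions, so map the field names to your own EDR or Sysmon schema.

```python
# Added example (not from the Qualys report or this post): flag process-creation
# events where an Office app spawns scheduled-task creation or a lolbin, the
# persistence pattern described above. Log format, process lists and sample
# events are constructed assumptions; map the fields to your EDR/Sysmon schema.
import re
from dataclasses import dataclass
from typing import List, Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}            # assumed list
PERSISTENCE_CMDS = {"schtasks.exe"}                                        # task creation
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe"}   # assumed list

LINE_RE = re.compile(
    r'(?P<ts>\S+) parent=(?P<parent>.+?) image=(?P<image>.+?) cmd="(?P<cmd>[^"]*)"')

@dataclass
class Alert:
    ts: str
    reason: str
    cmd: str

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def inspect(line: str) -> Optional[Alert]:
    """Return an Alert for one log line, or None if it is benign or unparseable."""
    m = LINE_RE.match(line)
    if not m or basename(m["parent"]) not in OFFICE_PARENTS:
        return None          # only children of Office apps are interesting here
    image, cmd = basename(m["image"]), m["cmd"]
    if image in PERSISTENCE_CMDS and "/create" in cmd.lower():
        return Alert(m["ts"], "office-spawned scheduled task (persistence)", cmd)
    if image in LOLBINS:
        return Alert(m["ts"], f"office-spawned lolbin {image}", cmd)
    return None              # e.g. the print helper Word legitimately launches

def scan(log: str) -> List[Alert]:
    return [a for a in map(inspect, log.splitlines()) if a]

# Constructed sample events (not real telemetry); backslashes are doubled for Python.
SAMPLE_LOG = """\
2022-02-09T10:01:02Z parent=C:\\Program Files\\Microsoft Office\\WINWORD.EXE image=C:\\Windows\\System32\\schtasks.exe cmd="schtasks /Create /SC ONLOGON /TN Updater /TR C:\\Users\\Public\\update.exe"
2022-02-09T10:01:05Z parent=C:\\Program Files\\Microsoft Office\\WINWORD.EXE image=C:\\Windows\\System32\\rundll32.exe cmd="rundll32 C:\\Users\\Public\\x.dll,Start"
2022-02-09T10:02:00Z parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\schtasks.exe cmd="schtasks /Query"
2022-02-09T10:03:00Z parent=C:\\Program Files\\Microsoft Office\\WINWORD.EXE image=C:\\Windows\\splwow64.exe cmd="splwow64 12288"
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a.ts, a.reason, "|", a.cmd)
```

Only the first two constructed events fire: the explorer-parented schtasks query and Word's print helper are left alone, which is the kind of baselining the quote below argues for.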

Saryu Nayyar, CEO and Founder, Gurucul had this to say:

“These types of phishing attacks are a perfect example of how threat actors easily compromise systems in an organization. They are almost impossible to defend against despite email security and employee training. Outside of the initial compromise methodology, it is especially hard for security teams to identify this new attack out of the gate until a threat research team uncovers and analyzes the campaign. In this case it is a new variant of attacks typically used by a known state-sponsored hacking group. The worst part is that it uses capabilities that mimic real activity to further hide malicious intent. Even with current XDR and traditional SIEM tools, it is a big challenge for security teams to identify the campaign once the initial compromise occurs based on the various techniques used, because slight changes in creating the variant often circumvent these tools’ detection capabilities. Customers need to invest more in behavioral-based analytics solutions that not only baseline normal user and asset activity, but can self-learn what is normal and abnormal in order to better prioritize threat activity. Rule-based machine learning (ML) models cannot do this proactively and require a vendor update based on the discovered research. This does not provide immediate detection against these previously unknown variants.”

This campaign highlights the fact that everyone needs to be trained to not get fooled by these phishing attacks. Here are some tips to avoid being that person or company who gets pwned.