Phishing Campaign Uses Homepage Overlay to Trick Victims

Cofense: Attacks Disguise Malicious Domains to Steal Credentials
A recently uncovered credential-harvesting phishing campaign used companies' official webpages as an overlay to disguise the malicious domains that collected corporate credentials, according to security firm Cofense.
This was just one of several social engineering methods this campaign used to trick victims into providing their usernames and passwords, according to the report. For example, the phishing emails were designed to look as though they came from the victim company's technical support team, Cofense notes.
"Another social engineering technique the threat actor uses to lure the employee into interacting with the email is giving the messages urgency, asking the recipient to review them or they will be deleted after three days," says Dylan Main, a researcher with Cofense. "Potential loss of important documents or emails could make the employee more inclined to interact with this email."
The campaign appears to have stopped Sept. 4, when Cofense published its report. The phishing emails the company examined came from targets in the U.S., but the scheme could be more widespread.
The attacks started with a phishing email claiming that security tools had quarantined three messages, which were blocked from the inbox, and that the user needed to open a link embedded in the email to retrieve them, according to Cofense. The phishing message added that two valid messages were being held before deletion.
"This could potentially lead the employee to believe that the messages could be important to the company and entice the employee to review the held emails," Main notes.
The phishing emails contained an embedded link that read "Review Messages Now," which led to a malicious domain. If the link was clicked, the homepage of the victim's company appeared, including a fake login panel, according to the report.
The appearance of the webpage and login panel added to the social engineering element and gave the victim a false sense of assurance that the messages are legitimate, according to the report.
"It is also possible to interact with this page by moving outside of the overlay, showing that it is the actual page they have seen and used before," the Cofense report notes. "The overlay itself is attempting to prompt the user to sign in to access the company account."
If the intended victim attempted to log in using their credentials, those were then harvested and transferred to a malicious domain controlled by the fraudsters, according to the report.
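An overlay that still lets the user interact with the real site underneath is commonly built by loading the legitimate homepage in a frame and floating the fake login panel on top of it. The Cofense report does not say how this campaign built its overlay, so that mechanism is an assumption here; what follows is an added example, not code from the report, that a web team can use to check whether their own site's response headers forbid embedding by third-party pages. It evaluates the CSP `frame-ancestors` directive (which takes precedence when present) and falls back to `X-Frame-Options`; the header sets in the usage section are constructed.

```python
"""Check whether a site's HTTP response headers forbid being framed by
other origins. Added example for illustration; the headers used below
are constructed, not taken from any real site or from the Cofense report."""


def _csp_frame_ancestors(csp: str):
    """Return the source list of the frame-ancestors directive, or None if
    the policy has no such directive. Tokens are lowercased for comparison."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_blocked(headers: dict) -> bool:
    """True if the headers stop arbitrary third-party pages from framing
    this response. Header names are matched case-insensitively."""
    lowered = {name.lower(): value for name, value in headers.items()}

    csp = lowered.get("content-security-policy")
    if csp is not None:
        ancestors = _csp_frame_ancestors(csp)
        if ancestors is not None:
            # A frame-ancestors directive overrides X-Frame-Options. Scheme-wide
            # or wildcard sources let any site embed the page; anything else
            # ('none', 'self', explicit hosts) restricts embedding.
            open_sources = {"*", "http:", "https:"}
            return not any(src in open_sources for src in ancestors)

    # No usable CSP directive: fall back to X-Frame-Options. Only DENY and
    # SAMEORIGIN are honoured by current browsers; ALLOW-FROM is obsolete.
    xfo = lowered.get("x-frame-options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN")


if __name__ == "__main__":
    # Constructed header sets representing a protected and an unprotected homepage.
    protected = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
    unprotected = {"Content-Type": "text/html"}
    print("protected homepage blocks framing:", framing_blocked(protected))
    print("unprotected homepage blocks framing:", framing_blocked(unprotected))
```

Run against a real site by passing the headers from a `requests` or `urllib` response; a `False` result for a corporate homepage means any page, including a phishing page, can embed it beneath an overlay. Blocking framing does not stop an attacker from cloning the page's HTML instead, so the check is one layer, not a complete defence.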
The Cofense report notes that throughout these attacks the malicious domain used to harvest credentials stayed the same, but the link in each email carried different parameters that let the fraudsters control which company webpage the victim would see, adding to the overall uniqueness of the scam.
"Depending on what company the threat actor is targeting, the link will populate the address of the original recipient of the email," according to the report.
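A link that points off the corporate domain yet carries the recipient's own address in its parameters is the pattern described above, and it is something a mail-security or incident-response team can triage automatically. The following is an added example, not code from the Cofense report: it pulls `href` targets out of an email body, checks whether each host belongs to the company's domain, and looks for the recipient's address or company domain in the query string and fragment, both as plain text and, going one step beyond the report, base64-encoded, since identity is often carried that way. The sample email, the recipient `alice@example.com`, the corporate domain `example.com` and the host `held-messages.example.net` are all constructed.

```python
"""Triage helper: flag e-mail links that lead off the corporate domain while
carrying the recipient's identity as a URL parameter. Added example with
constructed sample data; not code from the Cofense report."""
import base64
import binascii
import html
import re
from urllib.parse import parse_qs, unquote, urlparse

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def extract_links(body: str) -> list:
    """Return href targets from an HTML body, with entities such as &amp; decoded."""
    return [html.unescape(href) for href in HREF_RE.findall(body)]


def _carries_identity(value: str, needles: tuple) -> bool:
    """True if the raw, percent-decoded or base64-decoded value contains a needle."""
    decoded = unquote(value).lower()
    if any(n in decoded for n in needles):
        return True
    try:
        # Many campaigns carry the address base64-encoded; try that too.
        raw = base64.b64decode(unquote(value), validate=True)
    except (binascii.Error, ValueError):
        return False
    return any(n in raw.decode("utf-8", "ignore").lower() for n in needles)


def analyze_link(url: str, recipient_email: str, corporate_domain: str) -> dict:
    """Describe one link: is the host outside the company, and which
    parameters (or the fragment) carry the recipient's identity."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    corp = corporate_domain.lower()
    # Suffix match must include the dot so 'example.com.evil.test' is not accepted.
    off_domain = not (host == corp or host.endswith("." + corp))

    needles = (recipient_email.lower(), corp)
    identity_params = []
    for key, values in parse_qs(parsed.query, keep_blank_values=True).items():
        if any(_carries_identity(v, needles) for v in values):
            identity_params.append(key)
    if parsed.fragment and _carries_identity(parsed.fragment, needles):
        identity_params.append("#fragment")

    return {
        "url": url,
        "host": host,
        "off_domain": off_domain,
        "identity_params": identity_params,
        # Identity in a parameter is common on legitimate links too; the
        # signal is the combination with a host outside the company.
        "suspicious": off_domain and bool(identity_params),
    }


def triage_email(body: str, recipient_email: str, corporate_domain: str) -> list:
    """Return the analysis of every link in the body that is suspicious."""
    results = [analyze_link(u, recipient_email, corporate_domain) for u in extract_links(body)]
    return [r for r in results if r["suspicious"]]


# Constructed sample message: one legitimate link and one off-domain link that
# carries the recipient base64-encoded ("YWxpY2VAZXhhbXBsZS5jb20=" is alice@example.com).
SAMPLE_EMAIL = """<p>Three messages were quarantined and will be deleted in three days.</p>
<a href="https://mail.example.com/inbox">Open your inbox</a>
<a href="https://held-messages.example.net/review?u=YWxpY2VAZXhhbXBsZS5jb20=&amp;ref=example.com">Review Messages Now</a>"""

if __name__ == "__main__":
    for hit in triage_email(SAMPLE_EMAIL, "alice@example.com", "example.com"):
        print(hit["host"], "->", hit["identity_params"])
```

Feed it the HTML part of a reported message together with the recipient's address; the `suspicious` flag identifies links worth detonating in a sandbox or blocking at the proxy, while the `identity_params` list tells the analyst which parameter the campaign uses to select the page it shows, which is useful when writing a detection rule for further variants.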
The use of these types of overlays is becoming more common in phishing emails sent to victims’ mobile devices. In June, for example, the FBI issued a warning that fraudsters are increasingly using Trojans to target banking customers and disguising the malware as legitimate apps, games or other tools.
When a mobile banking customer attempts to launch the malicious app, the dormant Trojan is triggered and prompts a fake login page that overlays the legitimate app for credential stealing, according to the FBI (see: FBI Warns Of Increasing Use of Trojans in Banking Apps).