Sneaky Credential Phishing Campaign Discovered By Researchers

Dark web security specialist Flashpoint has detected a credential phishing campaign that had a low detection rate.

The campaign seems to have originated in Western Africa, judging by the originating IP addresses of the phishing emails as well as an analysis of the scammers' tactics, techniques, and lack of operational security.

Flashpoint warned that the campaign relied on malicious PDF files that contained embedded links. These links redirected potential victims to credential-harvesting phishing sites.


Unsophisticated Practices

“In general, business email compromise (BEC) scams are widely viewed as a type of cybercrime that necessitates relatively minimal technical ability,” said Ronnie Tokazowski, senior malware analyst at Flashpoint.

“Despite this, analysts industry-wide have observed BEC operators progressing from simple schemes such as 419 and fake lottery scams … towards experimenting with malware and creating sophisticated networks in order to quickly and reliably move money from one account to another.

“Through source intelligence, Flashpoint identified a recent credential phishing campaign that had a low detection rate due to its simplicity. The campaign relied on malicious PDF files containing embedded links that redirected potential victims to credential-harvesting phishing sites.”

According to Tokazowski, the scammers sent seventy-three malicious PDFs in credential phishing campaigns between 28 March and 8 August this year.

“These malicious PDFs targeted a range of verticals, including universities, software and technology companies, retailers, engineering organisations, real estate firms, and churches, with the goal of harvesting user credentials,” he warned.

The scam worked as follows: the potential victim would receive a malicious PDF containing a malicious link. If they opened the PDF, they would be presented with a prompt to view a secure online document. If they then clicked this link, they would be redirected to a phishing website that asked them to input their login credentials.

Login Harvesting

Essentially, at this stage the phishing page would present the potential victim with several options to “download” the file, each of which asked for the login credentials for their organisation. Once a victim entered their login credentials, the script redirected them to a document or web page owned by the targeted organisation.

“If valid credentials were submitted, the actors behind the phishing campaign would harvest them,” wrote Tokazowski. “Once harvested, the threat actors would then use the compromised accounts to send phishing emails to victims’ contacts; the emails may have been viewed as “trusted” by email services given that they were coming from legitimate email accounts.”
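The delivery mechanism described above is a PDF whose only active content is a link annotation. An added example, not Flashpoint's tooling or anything from the report: a small Python triage script that pulls `/URI` actions out of a raw PDF, flags links whose host is not on an allowlist of the organisation's own domains, and notes other action types worth a second look. The sample PDF and the hostnames (`example.invalid`, `intranet.example.com`) are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a minimal, uncompressed PDF with two link annotations.
# Object 4 carries a /URI to an outside host (example.invalid is a reserved,
# placeholder name); object 5 carries a hex-encoded /URI to an internal host.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 700 300 720]
   /A << /S /URI /URI (http://example.invalid/secure-document) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 300 620]
   /A << /S /URI /URI <68747470733a2f2f696e7472616e65742e6578616d706c652e636f6d2f706f6c696379> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI values are PDF strings: either literal "(...)" with backslash escapes,
# or hexadecimal "<...>".
LITERAL_URI = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
HEX_URI = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")

# Action names that warrant closer inspection when they appear in a document
# that is supposed to be a plain "view this file" notice.
RISKY_ACTIONS = (b"/JavaScript", b"/Launch", b"/SubmitForm")


def _unescape(s: bytes) -> bytes:
    """Resolve the common PDF literal-string escapes: \\( \\) \\\\ and octal \\ddd."""
    out = bytearray()
    i = 0
    while i < len(s):
        c = s[i:i + 1]
        if c == b"\\" and i + 1 < len(s):
            nxt = s[i + 1:i + 2]
            if nxt in b"01234567":           # up to three octal digits
                j = i + 1
                while j < len(s) and j < i + 4 and s[j:j + 1] in b"01234567":
                    j += 1
                out.append(int(s[i + 1:j], 8) & 0xFF)
                i = j
                continue
            mapping = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}
            out += mapping.get(nxt, nxt)     # \( \) \\ and unknown escapes map to themselves
            i += 2
            continue
        out += c
        i += 1
    return bytes(out)


def extract_uris(pdf: bytes) -> list:
    """Return every /URI target found in the raw bytes, literal strings first."""
    uris = []
    for m in LITERAL_URI.finditer(pdf):
        uris.append(_unescape(m.group(1)).decode("latin-1"))
    for m in HEX_URI.finditer(pdf):
        hexdigits = re.sub(rb"\s", b"", m.group(1))
        if len(hexdigits) % 2:
            hexdigits += b"0"                # spec: a trailing odd digit is padded with 0
        uris.append(bytes.fromhex(hexdigits.decode("ascii")).decode("latin-1"))
    return uris


def find_risky_actions(pdf: bytes) -> list:
    return [a.decode("ascii") for a in RISKY_ACTIONS if a in pdf]


def triage(pdf: bytes, trusted_domains: set) -> dict:
    """Classify a PDF by where its links point and which action types it carries."""
    uris = extract_uris(pdf)
    external = []
    for u in uris:
        host = (urlparse(u).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in trusted_domains):
            external.append(u)
    risky = find_risky_actions(pdf)
    return {
        "uris": uris,
        "external_uris": external,
        "risky_actions": risky,
        # Objects packed into compressed object streams are invisible to a raw
        # byte scan; if this is True, a full parser is needed before trusting "clean".
        "compressed_objects": b"/ObjStm" in pdf,
        "suspicious": bool(external) or bool(risky),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_PDF, {"example.com"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

The raw scan is deliberately simple so it can sit in a mail-gateway or sandbox pipeline without a PDF library, but the `compressed_objects` flag is the important caveat: a document that stores its annotations inside an object stream will show no links at all to a byte-level search, so a "no URIs found" result on such a file means "not inspected", not "clean".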

And Tokazowski warned that despite West African actors being considered among the lowest-skilled cyber threat actors, they have been responsible for more than $5 billion in fraud in the last three years.


Phishing Campaigns

In July Barracuda warned that spear phishing campaigns should be receiving attention, despite all the hype about ransomware of late. A study released in April for example found that 70 percent of UK universities have fallen victim to a phishing attack in the past.

Google and Facebook have also admitted to being tricked out of more than $100 million (£77m) in such campaigns.

Indeed, such attacks were one of the most prominent threat vectors in 2016, a trend which has continued into 2017, with the likes of Netflix, McDonald’s and even the Saudi Arabian government being targeted.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
