In 2019, Valimail’s Email Fraud Landscape report estimated that more than one in every 100 emails was malicious. In 2020, the FBI reported phishing as the most common attack type seen that year. More recently, the Anti-Phishing Working Group (APWG) reported that phishing attacks hit an all-time high in 2021, with 300,000 attacks recorded in December alone.
Now that we are in 2022, it is clear that this trend is not changing.
Today, cybercriminals are upping the ante, developing more sophisticated spear-phishing campaigns to trick users while abusing trusted platforms such as SharePoint, Amazon AWS, Google and Adobe more and more often.
This is exactly what the Menlo Labs research team observed in a recently analyzed phishing campaign targeting MICARD and American Express users in Japan. The threat actor sent potential targets spoofed emails containing links to impersonated web pages, and used geofencing so that only visitors from Japanese IP addresses could reach those pages; requests from elsewhere were turned away, which also hampers analysis from outside Japan.
An analysis of impersonated sites
In analyzing the mechanisms used for both the MICARD and American Express phishing pages, we uncovered many similarities.
Beginning with the former, the URL used was “miicarrid[.]co[.]jp.sdsfsee[.]top”. Visitors were presented with a login page requesting their credentials. If they submitted them, they were redirected to a second page on the same domain asking for their account details and card number.
In the case of American Express, the spoofed URL was “www1[.]amerxcanexpress[.]tp.bhisjcn[.]jp”, again presenting the potential victim with a login page and then a second page requesting credit card information.
In both campaigns, a visitor who fell for the lure and entered card information was then redirected to the homepage of the genuine site, while everything they had typed was carried in the URL path of the phishing pages. Because the stolen data travels in the request URL rather than in a POST body, it also ends up in any web-proxy or HTTP log that records full URLs.
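Because the kit places what the victim typed into the URL path, the exfiltration is visible in ordinary proxy logs. The following detection is an added example written for this article, not code from Menlo Labs: it scans constructed proxy log lines (timestamp, client IP, method, URL, status; the lines, the hosts it names and the test card numbers are all made up for the example) for 13-19 digit runs in the URL path or query and keeps only those that pass the Luhn check, which removes most build hashes and other numeric noise.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample proxy log lines for this example (not data from the Menlo Labs report).
# Format per line: timestamp client_ip method url status
SAMPLE_LOG = """\
2022-03-01T09:12:01Z 10.0.0.5 GET https://www1.amerxcanexpress.tp.bhisjcn.jp/login 200
2022-03-01T09:12:44Z 10.0.0.5 GET https://www1.amerxcanexpress.tp.bhisjcn.jp/verify/user@example.com/4111111111111111/1225/123 302
2022-03-01T09:12:45Z 10.0.0.5 GET https://www.americanexpress.com/ 200
2022-03-01T09:13:10Z 10.0.0.7 GET https://cdn.example.net/build/1234567890123456.js 200
2022-03-01T09:14:02Z 10.0.0.9 GET https://shop.example.org/track?order=5555555555554444 200
"""

# 13-19 digits, optionally separated by single spaces or hyphens, not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 so the alert is useful without storing the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid card-number-like digit run found in the text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def scan_url(url: str) -> list[dict]:
    """Check the decoded path and query of one URL for card numbers."""
    parts = urlsplit(url)
    hits = []
    for where, blob in (("path", unquote(parts.path)), ("query", unquote(parts.query))):
        for pan in find_pans(blob):
            hits.append({"host": parts.hostname, "where": where, "pan": mask(pan)})
    return hits


def scan_proxy_log(log_text: str) -> list[dict]:
    """Run scan_url over every well-formed line and attach timestamp and client for triage."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, _method, url, _status = fields[:5]
        for hit in scan_url(url):
            hit.update({"ts": ts, "client": client})
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Of the five sample lines only two are reported: the card number in the phishing page's path and the one in the shop's query string (a card number in any URL is worth an alert, whoever the site belongs to). The 16-digit build hash fails Luhn and is ignored. A production rule would also want to look at POST bodies, since the next version of the kit may simply switch methods.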
Interestingly, in analyzing the American Express campaign, the Menlo Labs team found a stylesheet (laydate.css) requested from the path “/admin/im/css/modules/laydate/default/laydate.css?v=5.3.1” that had failed to load.
Following the “/admin” path led to what looked like an attacker control panel, where the operator would be able to view any phished data. Although the team was unable to access it, the panel helped establish that the threat actor was likely of Chinese origin (laydate is a date-picker module from the Chinese-language layui front-end library).
Embracing best practices to protect against repeatable threats
The number of similarities between the Amex and MICARD campaigns suggests that the threat actor has developed a repeatable methodology that could be extended to impersonate many other brands using the same set of tactics, techniques and procedures (TTPs) or a specific phishing kit.
Indeed, we identified several commonalities. The phishing pages were hosted on four IP addresses, used the same URL naming pattern (the brand name, misspelled, placed as a subdomain under an unrelated registered domain), and were registered through the registrar NameSilo, LLC. In addition, each site used a free TLS certificate from Let's Encrypt, the automated certificate authority run by the not-for-profit Internet Security Research Group (ISRG).
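The naming pattern is the commonality a defender can act on from hostnames alone, so here is an added example (written for this article, not Menlo Labs code) that scores a hostname against it. It splits the host into registered domain and subdomain labels using a deliberately small public-suffix table, then flags a label that is within one or two edits of a monitored brand name (after collapsing doubled letters, so “miicarrid” reads as one edit from “micard”) and any public suffix such as “co.jp” that appears inside the subdomain. The legitimate domains assumed for the two brands (americanexpress.com, micard.co.jp) are an assumption of this example; registrar and certificate data are not derivable from the hostname and would be joined from WHOIS and certificate-transparency feeds in a real pipeline.

```python
import re

# Assumed legitimate registered domains per brand (assumption made for this example).
BRANDS = {
    "americanexpress": {"americanexpress.com"},
    "micard": {"micard.co.jp"},
}

# Abbreviated public-suffix table; a real deployment loads the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "jp", "co.jp", "ne.jp", "or.jp", "top", "xyz"}


def split_host(host: str) -> tuple[str, list[str]]:
    """Return (registered_domain, subdomain_labels), matching the longer suffix (co.jp) before jp."""
    labels = host.lower().strip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):]), labels[:-(n + 1)]
    return ".".join(labels), []


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def collapse(s: str) -> str:
    """Collapse repeated letters (miicarrid -> micarid) so doubled-letter squats count as one edit."""
    return re.sub(r"(.)\1+", r"\1", s)


def looks_like(label: str, brand: str) -> bool:
    """Allow one edit for short brand names, two for long ones (>= 12 characters)."""
    return levenshtein(collapse(label), collapse(brand)) <= (2 if len(brand) >= 12 else 1)


def assess(host: str) -> dict:
    """Score one hostname; findings are strings so they can go straight into an alert."""
    reg, subs = split_host(host)
    reg_label = reg.split(".")[0]
    findings = []
    for brand, legit in BRANDS.items():
        if reg in legit:
            continue                      # the brand's own site: nothing to flag for this brand
        for label in subs + [reg_label]:
            if looks_like(label, brand):
                findings.append(f"lookalike-label:{label}~{brand}")
    # A public suffix sitting *inside* the subdomain (co.jp under sdsfsee.top) mimics a real FQDN.
    i = 0
    while i < len(subs):
        if i + 2 <= len(subs) and ".".join(subs[i:i + 2]) in PUBLIC_SUFFIXES:
            findings.append("suffix-in-subdomain:" + ".".join(subs[i:i + 2]))
            i += 2
        elif subs[i] in PUBLIC_SUFFIXES:
            findings.append("suffix-in-subdomain:" + subs[i])
            i += 1
        else:
            i += 1
    return {"host": host, "registered_domain": reg, "findings": findings,
            "suspicious": bool(findings)}


if __name__ == "__main__":
    # The two hosts from the campaign, plus the genuine sites as negative cases.
    for h in ("miicarrid.co.jp.sdsfsee.top", "www1.amerxcanexpress.tp.bhisjcn.jp",
              "www.americanexpress.com", "www.micard.co.jp"):
        print(assess(h))
```

Both campaign hosts are flagged, each for a different reason: the MICARD host by the embedded “co.jp” and the doubled-letter label, the Amex host by the single substituted character. The genuine sites are cleared by the allowlist before any distance is computed, which is the check that keeps this from paging on the brand's own infrastructure. Feed it new certificate-transparency entries or proxy hostnames and it will surface the next brand the same kit is pointed at.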
While MICARD has shown awareness of the campaign, having published a notice advising its customers to be wary of emails impersonating the brand, the threat actor is likely to keep producing new spoofed sites targeting other financial brands, moving from brand to brand as its sites are blocked.
This is just one campaign among thousands of similar attempts. As threat actors continue to grow in volume, reach and sophistication, organizations and their employees must respond by adopting practices that stop a phishing attempt from succeeding.
With approximately 19 in every 20 cyberattacks reported to involve human error in some way, security strategies must first begin with increasing awareness of potential threats and advocating caution.
Beyond this, organizations should adopt multi-factor authentication (MFA) wherever possible to limit what an attacker can do with a stolen password. Phishing-resistant factors such as FIDO2/WebAuthn security keys are the better choice here: a one-time code typed into a spoofed page can be relayed to the real site by the attacker, whereas a WebAuthn credential is bound to the genuine origin and will not sign in for a lookalike domain.