Researchers have recently warned of two massive phishing operations, collectively targeting hundreds of thousands of users – one seeking credentials for business services such as Office 365 and the other abusing Facebook Messenger to go after roughly 450,000 of the social media giant’s account holders.
Active since last week, with a major surge on Oct. 15, the Office 365 operation has reached tens of thousands of inboxes through multiple connected campaigns spoofing well-known applications such as Microsoft Office, Microsoft Teams and Zoom in hopes that users will be fooled into giving away their usernames and passwords. Senior executives and finance personnel have been identified as among the targets of the operation.
According to F-Secure, Cryxos trojans are typically used to conduct call support scams. They display “an alarming notification message saying that the user’s computer or web browser has been ‘blocked’ due to a virus infection, and that their personal details are ‘being stolen’. The user is then directed to call a phone number for assistance in the ‘removal process.’”
Victims who click on the emails’ malicious links are either sent directly to the phishing kit, which looks like a log-in page, or they are routed there via open redirector domains and subsidiary remains that the attackers compromised from such global brands as Sony, TripAdvisor, RAC, DigitalOcean and Google.
“The user in a corporate environment will probably not be blocked from Sony.com when they click, and then it’s going redirect them to the real attack, and it’s going to look like a Zoom log-in or an Office login,” said GreatHorn CEO Kevin O’Brien in an interview with SC Media.
The links can bypass native security controls offered by victims’ email providers, and the open redirects appear to be made possible via Apache servers, possibly due to a flaw in Apache versions prior to 2.4.41, GreatHorn reports in a company blog post.
GreatHorn advises security teams to search their companies’ emails for messages with URLs that match the phishing kit’s naming structure, which was identified as http://t.****/r/, where *** represents the domain.
In his company’s blog posts, O’Brien called this attack “a pervasive and significant event.”
“It looks like something timely and we saw it go out to senior executive in worldwide attack mode. And we saw these things redirecting and landing in mailboxes everywhere we looked,” O’Brien explained further to SC Media.
Meanwhile, the Facebook phishing operation, discovered by Cyberint, began last Friday with a campaign targeting nearly 500,000 victims across the globe.
Source SC Magazine