Cybersecurity researchers are drawing attention to a new type of credential phishing scheme that ensures the stolen information is tied to valid online accounts.
Cofense, which calls the technique precision-validating phishing, says it relies on real-time email validation so that only a select set of high-value targets are ever served the fake login screens.
According to the company, the threat actors work from a pre-harvested list of valid email accounts, which raises their success rate in obtaining usable credentials.
The latest tactic takes spear-phishing a step further by engaging only with email addresses that the attackers have verified as active, legitimate, and high-value, in contrast to "spray-and-pray" credential harvesting campaigns, which bulk-distribute spam in an indiscriminate attempt to collect victims' login information.
In this scheme, the victim's email address is checked against the attacker's list before the bogus login page is displayed. If the address is not in the database, the page either returns an error or redirects the visitor to Wikipedia so as to sidestep security analysis.
The phishing kit's validation logic is an API- or JavaScript-based check that verifies the email address before the flow proceeds to the password capture step.
This improves the attack's efficiency and the likelihood that stolen credentials belong to real, active accounts, which in turn raises the quality of the data for resale or further exploitation, Cofense said.
Automated security crawlers and sandbox environments also struggle to analyze these attacks because they cannot get past the validation filter. The approach lowers the attackers' exposure and extends the lifespan of the phishing operation.
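For analysts triaging a reported URL, the practical consequence of the gate described above is that a sandbox detonated with a throwaway address sees only the error or the Wikipedia bounce, and a "clean" verdict would be wrong. The following added example (not code from Cofense or from the report) classifies a captured request/response session for that pattern; the `Exchange` class, the `login-portal.example` host and the sample capture are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote, urlparse

EMAIL_RE = re.compile(r"[^@\s\"']+@[^@\s\"']+\.[a-z]{2,}", re.I)
SECRET_RE = re.compile(r"pass|pwd", re.I)
DECOY_DOMAINS = {"wikipedia.org"}  # benign site the kit bounces non-targets to

@dataclass
class Exchange:  # one request/response pair from a sandbox or proxy capture
    method: str
    url: str
    status: int
    body: str = ""                               # request body, form or JSON
    headers: dict = field(default_factory=dict)  # response headers

def is_decoy(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in DECOY_DOMAINS)

def submits_email_only(ex):
    """True when a POST carries an address but no password-like field."""
    text = unquote(ex.body + "&" + urlparse(ex.url).query)
    return ex.method == "POST" and bool(EMAIL_RE.search(text)) and not SECRET_RE.search(text)

def classify(session):
    """Return (verdict, reasons); 'email-gated' means the sandbox saw only the gate."""
    reasons, gated, creds = [], False, False
    for i, ex in enumerate(session):
        if ex.method == "POST" and SECRET_RE.search(unquote(ex.body)):
            creds = True  # a password field was actually submitted
        elif submits_email_only(ex):
            loc = ex.headers.get("Location", "")
            if 300 <= ex.status < 400 and is_decoy(loc):
                gated = True
                reasons.append(f"exchange {i}: email-only POST redirected to decoy {loc}")
            elif ex.status >= 400:
                gated = True
                reasons.append(f"exchange {i}: email-only POST answered HTTP {ex.status}")
    verdict = "credentials-submitted" if creds else "email-gated" if gated else "no-gate-observed"
    return verdict, reasons

# Constructed capture: the sandbox detonated the link with a throwaway address.
SAMPLE_SESSION = [
    Exchange("GET", "https://login-portal.example/index.php", 200),
    Exchange("POST", "https://login-portal.example/check.php", 302,
             body="email=sandbox-user%40example.com",
             headers={"Location": "https://en.wikipedia.org/wiki/Main_Page"}),
    Exchange("GET", "https://en.wikipedia.org/wiki/Main_Page", 200),
]
```

An "email-gated" verdict should route the sample to manual review rather than being closed as benign, since the capture never reached the credential form.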
The disclosure comes as the security firm also details an email phishing campaign that uses file deletion reminders as a lure to harvest credentials and deliver malware.
The two-pronged attack uses an embedded URL that appears to point to a PDF file scheduled for deletion from a legitimate file storage service, files.fm. Recipients who click the link are taken to a genuine files.fm page from which they can download the purported PDF.
Once the file is opened, though, users are presented with two options: preview it or download it. Those who choose the former are taken to a fake Microsoft login screen built to steal their credentials. Choosing download serves an executable that purports to be Microsoft OneDrive but is actually the ScreenConnect remote desktop software from ConnectWise.
It's "almost as if the threat actor intentionally designed the attack to trap the user, forcing them to choose which 'poison' they would fall for," Cofense said. "Both options lead to the same outcome, with similar goals but different ways of achieving them."
The findings come alongside an investigation into a sophisticated multi-stage attack that combines living-off-the-land techniques with remote access tooling to gain initial access and establish persistence. The tradecraft observed in the activity is consistent with clusters tracked as STAC5777.
The threat actor "used Quick Assist to remotely access the environment by delivering a malicious PowerShell payload via a Microsoft Teams message," Ontinue said. "This resulted in the use of signed binaries (e.g., TeamViewer.exe), a sideloaded malicious DLL (TV.dll), and a JavaScript-based C2 backdoor that was ultimately executed via Node.js."