High-ranking company executives, generally known as C-suites, in the real estate, government, finance, technology, and manufacturing industries are being widely targeted by a developing phishing operation that has been under observation since around May 2020. The scam relies on a social engineering trick: the cybercriminals send fake emails to the targeted executives claiming that their Office 365 password is expiring soon and that they can either change it or keep using the same one. The email contains a link to keep the same password which, when clicked, directs the user to a fake phishing webpage that harvests their credentials for use in further attacks or for stealing confidential information.
Researchers at Trend Micro stated in a post that “we observed the attackers targeting potential victims with emails containing fake Office 365 password expiration reports as lures. They prompt the targets to click the embedded link in the email if they want to continue using the same password; choosing the “Keep Password” option leads the user to the phishing page.” According to the researchers, the email addresses of the targeted C-suites were gathered mainly from LinkedIn, although the attackers could also have bought target lists from hidden marketing platforms that sell social media profile data, including the email addresses of CEOs and CFOs.
Researchers also observed that the Office 365 phishing kit used in this campaign, first launched in July 2019, is currently in its fourth version, with capabilities such as detecting bot scanning or crawling attempts and serving alternative content when a bot is detected. Other features of this version, as described by the researchers, are:
- New style and new logo for the Office page.
- Responsive design for all devices and screens.
- Use of a licensing system; every buyer gets the page file and its license key.
- Ability to choose between Office 365 and Voice mail from config.
- Ability to choose between Auto grab and manual email from config.
- Ability to use it as multiple-password or one-time-password.
- Ability to choose the number of password requests (1 to 5 times).
- Ability to edit or hide all titles, messages and texts that exist in the page from config.
- Accepts a base64 email in the link, and works without it.
- Comes with an external redirect (optional).
- Undetectable by bots (private tricks).
- The page uses private tricks to bypass antibot, lands in the inbox and lasts a long time.
- Special, stronger antibot system.
- All page elements are dynamic (a fresh page is auto-generated on every link call).
- Link is one-time and self-destructing (after use it will give a 404 error).
- Link can only be used one time by one user (gives a 404 error to users who are not allowed).
- Can restrict access to the link to a limited area or a list of IPs.
- Each link can be locked to only one target email.
Researchers also quoted: “And many other new private features and tricks. This Office 365 page is best ever.”
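The lure described above gives a mail gateway or SOC analyst concrete signals to match on: a password-expiry pretext, a “Keep Password” call to action, a link that does not point at a Microsoft login host, and, because the kit accepts a base64-encoded email in the link, a link token that decodes to the recipient's own address. The following Python script is an added example, not Trend Micro's tooling or the kit's code: it parses a raw message, scores those signals and returns a verdict. The sample messages, the `example.invalid` domain, the `TRUSTED_HOSTS` allow-list (a placeholder a defender would maintain from their own tenant configuration) and the scoring threshold are all constructed for this demonstration.

```python
"""Flag Office 365 'password expiration' lure emails (constructed example).

Heuristics mirror what the article describes: the password-expiry pretext,
the "Keep Password" link, and the kit's option to carry the target's
base64-encoded email address in the link. Not Trend Micro's detection logic.
"""
import base64
import binascii
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: hosts a legitimate Microsoft sign-in prompt could point to.
# A real deployment would maintain this list from its own tenant settings.
TRUSTED_HOSTS = {"login.microsoftonline.com", "account.microsoft.com", "login.live.com"}

# Lure wording taken from the campaign description.
LURE_PATTERNS = {
    "password_expiry": re.compile(r"password\s+(?:is|will)?\s*expir", re.I),
    "keep_password": re.compile(r"keep\s+(?:the\s+)?(?:same\s+|current\s+)?password", re.I),
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def _body_text(msg: Message) -> str:
    """Concatenate every text/plain and text/html part, decoded to str."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _b64_encodes_email(url: str, recipient: str) -> bool:
    """True if any path/query/fragment token of the URL base64-decodes to the recipient."""
    if not recipient:
        return False
    parsed = urlparse(url)
    tokens = re.split(r"[/?&=#]", parsed.path + "?" + parsed.query + "#" + parsed.fragment)
    for token in tokens:
        token = token.strip()
        if len(token) < 8:
            continue
        padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
        for decoder in (base64.b64decode, base64.urlsafe_b64decode):
            try:
                decoded = decoder(padded).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                continue
            if decoded.strip().lower() == recipient.lower():
                return True
    return False


def analyze(raw_email: str) -> dict:
    """Score one raw RFC 822 message and return the signals plus a verdict."""
    msg = message_from_string(raw_email)
    recipient = parseaddr(msg.get("To", ""))[1]
    text = _body_text(msg)
    lure_hits = [name for name, pat in LURE_PATTERNS.items() if pat.search(text)]
    links = URL_RE.findall(text)
    untrusted = [u for u in links if urlparse(u).hostname not in TRUSTED_HOSTS]
    encoded = any(_b64_encodes_email(u, recipient) for u in untrusted)
    # Constructed weighting: lure wording 1 point each, an off-list link 2,
    # the recipient's address hidden in that link 2. Threshold 3 = likely phish.
    score = len(lure_hits) + (2 if untrusted else 0) + (2 if encoded else 0)
    return {
        "recipient": recipient,
        "lure_hits": lure_hits,
        "untrusted_links": untrusted,
        "recipient_encoded_in_link": encoded,
        "score": score,
        "verdict": "likely-phish" if score >= 3 else "ok",
    }


# --- constructed sample messages -------------------------------------------
RECIPIENT = "cfo@example.com"
B64 = base64.b64encode(RECIPIENT.encode()).decode()  # the kit's "base64 email in link"

SAMPLE_PHISH = f"""From: "IT Service Desk" <noreply@example.invalid>
To: CFO <{RECIPIENT}>
Subject: Office 365 password expiration report
Content-Type: text/html

<p>Your Office 365 password is expiring in 24 hours.</p>
<p>You can change your password or keep the current one.</p>
<p><a href="https://portal.example.invalid/office/#{B64}">Keep Password</a></p>
"""

SAMPLE_OK = f"""From: "Finance Team" <finance@example.com>
To: CFO <{RECIPIENT}>
Subject: Quarterly report
Content-Type: text/plain

Hi, the quarterly report is attached. Sign in at https://login.microsoftonline.com/ if prompted.
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_PHISH))
    print(analyze(SAMPLE_OK))
```

The base64 check is the part most specific to this kit: a link carrying the recipient's own address is a strong sign the message was generated per target rather than broadcast, and it survives the kit's one-time, IP-locked links because it is evaluated on the email itself, without ever fetching the page.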
The attacker behind this campaign announced the launch of the phishing kit’s fourth version on their Facebook business page in mid-2020. Additionally, the attacker was found selling the account login credentials of CFOs (Chief Financial Officers), CEOs (Chief Executive Officers), finance department officers, and other C-suite executives on social media.
As part of the investigation, researchers also examined underground forums and discovered several user handles distributing or selling credential harvester tools as well as C-suite account passwords, for $250 to $500. The researchers also found eight different compromised phishing websites hosting the phishing kit’s fourth version, which led them to believe that the kit may have been used by several other threat actors as well to target individuals with phishing campaigns.
The researchers detailed that “analysis of the data from the misconfigured sites’ collected log files revealed that the stolen credentials came from eight compromised phishing sites hosting the malicious Office 365 V4 kit as of this writing. We found each site to be possibly made by different phishers for different phishing campaigns of varying scale and scope. One campaign targeted only company CEOs, presidents, and founders in the US, while another campaign targeted directors and managers from various countries such as the US, UK, Canada, Hungary, the Netherlands, and Israel.”
The researchers concluded with a warning: “Phishing attacks and attackers often target employees — usually the weakest link in an organization’s security chain. As seen in this particular campaign, the attackers target high-profile employees who may not be as technically or cybersecurity savvy and may be more likely to be deceived into clicking on malicious links. By selectively targeting C-level employees, the attacker significantly increases the value of obtained credentials as they could lead to further access to sensitive personal and organizational information, and used in other attacks. The scale and accuracy of the emails and credentials show that the attacker possesses an accurate dataset of victims and potential targets. While the attacker could have simply compiled the emails from the targeted organizations’ websites, they went a step further to validate these to make sure it complements data collected from the public domain. While organizations are aware and wary of the information they include in public-facing websites and platforms, their respective employees should be constantly reminded to be mindful of the details they disclose on personal pages. These can be easily used against them for attacks using social engineering techniques. All employees, regardless of company rank, should exercise caution when reviewing and acting on email prompts for specific actions, especially from unknown sources. Considering this, legitimate service providers and vendors will never ask individual consumers and enterprise users for details such as account access credentials, and especially not to retain dated passwords. These details are susceptible to abuse among unauthorized and malicious individuals and are left for customization by vendors to respective security and IT teams following organizational policies.”