This monster of a phishing campaign is after your passwords

Discussion in 'Headline News' started by RickAgresta, Oct 22, 2021.

  1. RickAgresta

    RickAgresta General Peanut, leader of the Peanutty Forces

    TodayZoo phishing campaign sends links to spoofed Microsoft 365 login pages.

    Microsoft has detailed an unusual phishing campaign aimed at stealing passwords that uses a phishing kit built using pieces of code copied from other hackers' work.

    A "phishing kit" is the various software or services designed to facilitate phishing attacks. In this case, the kit has been called ZooToday by Microsoft after some text used by the kit. Microsoft also described it as a 'Franken-Phish' because it is made up of different elements, some available for sale through publicly accessible scam sellers or reused and repackaged by other kit resellers.

    Microsoft said TodayZoo is using the WorkMail domain AwsApps[.]com to pump out email with links to phishing pages mimicking the Microsoft 365 login page.

    Microsoft says the attackers have been creating malicious AWS WorkMail accounts "at scale" but are just using randomly generated domain names instead of names that would represent a legitimate company. In other words, it's a crude phishing product likely made on a thin budget, but large enough to be noticeable.

    It caught Microsoft's attention because it impersonated Microsoft's brand and used a technique called "zero-point font obfuscation" – HTML text with a zero font size in an email – to dodge human detection. Microsoft detected an uptick in zero-font attacks in July.

    TodayZoo campaigns in April and May of this year typically impersonated Microsoft 365 login pages and a password-reset request. However, Microsoft found that campaigns in August used Xerox-branded fax and scanner notifications to dupe workers into giving up credentials.

    Microsoft's threat researchers have found that most of the phishing landing pages were hosted within cloud provider DigitalOcean. Those pages were identical to the Microsoft 365 signin page.

    Another unusual trait was that after harvesting credentials, the stolen information was not forwarded to other email accounts but stored on the site itself. This behaviour was a trait of the TodayZoo phishing kit, which has previously focussed on phishing credentials from Zoom video-meeting accounts.

    But Microsoft researchers believe this phishing group is a single operation rather than a network of agents.

    "While many phishing kits are attributed to a wide variety of email campaign patterns and, conversely, many email campaign patterns are associated with many phishing kits, TodayZoo-based pages exclusively utilized the same email campaign patterns, and any of those subsequent email campaigns only surfaced TodayZoo kits. These lead us to believe that the actors behind this specific TodayZoo implementation are operating on their own," Microsoft said.

    Microsoft says it informed Amazon about the TodayZoo phishing campaign and that AWS "promptly took action".

    Link:
    https://www.zdnet.com/article/this-...SAGE_ID}&cid={$contact_id}&eh={$CF_emailHash}
     
    Hook, lelisa13p, headcronie and 2 others like this.
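For the "zero-point font obfuscation" mentioned in the article above, here is an added detection sketch that is not part of the thread or of Microsoft's write-up. It separates what a reader sees in an HTML email body from text styled at font size 0; the watchword list and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# A font-size declaration and its value; ZERO accepts 0, 0px, 0.0pt, ...
FONT_SIZE = re.compile(r"font-size\s*:\s*([^;!]+)", re.I)
ZERO = re.compile(r"^0*\.?0+\s*(px|pt|em|rem|%)?$", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "input", "link", "wbr"}


class ZeroFontScanner(HTMLParser):
    """Splits body text into what a reader sees and what is sized to zero."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []  # one bool per open element: rendered at size 0?
        self.visible, self.hidden, self.everything = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        state = self.stack[-1] if self.stack else False  # inherit from parent
        m = FONT_SIZE.search(a.get("style") or "")
        if m:  # an explicit size overrides the inherited one (units not resolved)
            state = bool(ZERO.match(m.group(1).strip()))
        if tag == "font" and (a.get("size") or "").strip() == "0":
            state = True
        self.stack.append(state)

    def handle_endtag(self, tag):
        # Assumes reasonably balanced markup; stray end tags can desync the stack.
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        self.everything.append(data)
        hidden = bool(self.stack) and self.stack[-1]
        (self.hidden if hidden else self.visible).append(data)


def scan(html, watchwords=("microsoft", "password")):  # watchwords: assumed list
    s = ZeroFontScanner()
    s.feed(html)
    s.close()
    visible, raw = "".join(s.visible), "".join(s.everything)
    # Words the reader sees intact but that zero-size filler breaks up in the markup.
    split = [w for w in watchwords if w in visible.lower() and w not in raw.lower()]
    return {"visible": visible, "hidden": "".join(s.hidden), "split_words": split}


# Constructed sample body, not taken from a real TodayZoo message.
SAMPLE = ('<p>Your Mi<span style="font-size:0px">xk</span>crosoft 365 '
          'pass<font size="0">zz</font>word expires today.</p>')
```

Inline `style` attributes and `<font size="0">` are the only cases covered; sizes set through stylesheet classes would need a CSS resolver.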
  2. headcronie

    headcronie Greyscale. Nuff Said. Super Moderator

    Is it just me, or does there seem to be a more pronounced attack on O365 than there is for Google Workplace? Or am I just missing those news articles?
     
    RickAgresta, Hook, lelisa13p and 2 others like this.
  3. lelisa13p

    lelisa13p Your Super Moderator Super Moderator

    Is there anything anywhere, computer-related, that isn't a potential target for mayhem and plunder? :vbmad:

    I wish the perpetrators severe brain damage. No mercy.
     
  4. headcronie

    headcronie Greyscale. Nuff Said. Super Moderator

    No.

    Sent from my Samsung Note 20 Ultra using Tapatalk
     
    scjjtt, RickAgresta, Hook and 2 others like this.