Page 56 - Cyber Defense eMagazine December 2023
From in-depth research of individuals and their interpersonal relations to the use of incredibly convincing
spoofed social media profiles, threat actors are pulling out all the stops as they attempt to trick
unsuspecting victims into clicking malicious links. We have heard recent accounts of cybercriminals
dropping malicious links into Zoom calls, while others are actively exploring the use of deepfake
technologies, for example.
As a result, it is becoming harder and harder to discern attacks from genuine digital interactions, as has
been demonstrated in another recent phishing campaign uncovered by the Menlo Labs team.
Analysing the Indeed.com attack chain
In July 2023, Menlo Security’s HEAT Shield detected and blocked a novel phishing attack that attempted
to redirect unsuspecting users of the popular job listing site ‘Indeed.com’ to a phishing page
impersonating Microsoft.
The attack chain began with victims receiving a phishing email containing a link that had been deceptively
crafted to appear to come from Indeed.com. Clicking the link redirected the victim to a fake Microsoft
Online login page where they were asked to enter their credentials.
The tactic that this campaign tapped into is known as open redirection, where an application either
intentionally or unintentionally redirects users to an untrusted external domain. In this sense, threat actors
were exploiting the highly trusted nature of ‘Indeed.com’ while redirecting targeted victims to a phishing
site.
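To make the open redirection weakness concrete, the following added example (written for this edit, not code from Menlo Security, Indeed.com or the campaign) contrasts a redirect handler that echoes a caller-supplied `next` parameter with a hardened version that only honours destinations on its own host. The host name `jobs.example.com` and the test destinations are constructed placeholders.

```python
from urllib.parse import urlparse, urljoin, urlunparse

# Constructed placeholder for the application's own host; the real site in the
# article (Indeed.com) is not involved in this example.
TRUSTED_HOST = "jobs.example.com"


def open_redirect(next_url: str) -> str:
    """Vulnerable pattern: the caller-supplied 'next' value is copied straight
    into the Location header, so any external destination is accepted."""
    return next_url


def safe_redirect(next_url: str, fallback: str = "/") -> str:
    """Hardened pattern: honour the destination only if, after resolution
    against our own origin, it still lives on TRUSTED_HOST; otherwise send
    the user to a fixed, known-safe path."""
    # Resolve relative to our origin so scheme-relative forms ("//host/...")
    # become absolute and can be inspected like any other URL.
    resolved = urlparse(urljoin(f"https://{TRUSTED_HOST}/", next_url))
    if resolved.scheme not in ("http", "https"):
        return fallback  # javascript:, data: and other non-web schemes
    if resolved.netloc.lower() != TRUSTED_HOST:
        return fallback  # foreign host, "user@host" trick, look-alike suffix
    if "\\" in resolved.path:
        return fallback  # browsers treat "\" like "/" and may reinterpret the path
    # Rebuild the URL from the parts that were checked; never echo raw input.
    return urlunparse(("https", TRUSTED_HOST, resolved.path, "", resolved.query, ""))


if __name__ == "__main__":
    # Constructed test vectors a defender would keep in a regression suite.
    for candidate in (
        "/dashboard?tab=1",
        "https://jobs.example.com/apply",
        "//evil.example/login",
        "https://evil.example/login",
        "https://jobs.example.com@evil.example/",
        "https://jobs.example.com.evil.example/",
        "javascript:alert(1)",
        "/\\evil.example",
    ):
        print(f"{candidate!r:45} open -> {open_redirect(candidate)!r:45} safe -> {safe_redirect(candidate)!r}")
```

The hardened handler deliberately reconstructs the target from validated components rather than returning the input, so quirks in how the caller encoded the URL cannot survive into the Location header. A fixed allow-list of internal paths is simpler still where the application has only a handful of post-login destinations.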
Critically, the spoofed page was deployed using a sophisticated phishing kit known as EvilProxy that can
fetch content dynamically, doing so from the legitimate login site. The phishing site then acts as a reverse
proxy, proxying the request to the actual website and enabling the attacker to intercept the legitimate
server’s requests and responses.
With EvilProxy, the attacker is also able to steal session cookies, which can then be used to log in to the
legitimate Microsoft Online site, impersonating the victims and bypassing non-phishing resistant multi-
factor authentication (MFA) policies.
Combatting modern phishing threats
This attack chain is a prime example of an Adversary In The Middle (AiTM) phishing attack, harvesting
session cookies to enable threat actors to bypass MFA protections.
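Because an AiTM proxy replays a genuine session cookie from the attacker's own infrastructure, one defensive signal is a session that was bound to one client at MFA completion and is later presented from a different client. The following added example (not code from Menlo Security, EvilProxy or Microsoft) runs that check over constructed JSON log lines; the field names (`event`, `session`, `ip`, `ua`), the user names and the documentation-range IP addresses are all assumptions made for the example.

```python
import json

# Constructed sample events, one JSON object per line. IPs come from the
# RFC 5737 documentation ranges and session IDs are opaque placeholders;
# this is not real telemetry.
SAMPLE_LOG = """
{"ts": "2023-07-10T08:01:00Z", "event": "mfa_success", "user": "cfo@corp.example", "session": "sess-A", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/115"}
{"ts": "2023-07-10T08:02:10Z", "event": "request", "user": "cfo@corp.example", "session": "sess-A", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/115"}
{"ts": "2023-07-10T08:09:45Z", "event": "request", "user": "cfo@corp.example", "session": "sess-A", "ip": "198.51.100.77", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115"}
{"ts": "2023-07-10T09:00:00Z", "event": "mfa_success", "user": "hr@corp.example", "session": "sess-B", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/16.5"}
{"ts": "2023-07-10T09:30:00Z", "event": "request", "user": "hr@corp.example", "session": "sess-B", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/16.5"}
{"ts": "2023-07-10T10:00:00Z", "event": "mfa_success", "user": "ops@corp.example", "session": "sess-C", "ip": "192.0.2.40", "ua": "Mozilla/5.0 (iPhone) Safari/16.5"}
{"ts": "2023-07-10T10:20:00Z", "event": "request", "user": "ops@corp.example", "session": "sess-C", "ip": "192.0.2.41", "ua": "Mozilla/5.0 (iPhone) Safari/16.5"}
"""


def detect_session_replay(log_text: str) -> list:
    """Bind each session to the client (IP, User-Agent) seen when MFA completed,
    then flag later requests on that session from a different client.
    Both attributes changing at once is the strongest indicator of a cookie
    replayed from another machine; an IP change alone is weak on its own
    (mobile roaming, VPN) and is reported at low severity."""
    binding = {}  # session id -> (user, ip, ua) recorded at MFA completion
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["event"] == "mfa_success":
            binding[ev["session"]] = (ev["user"], ev["ip"], ev["ua"])
            continue
        bound = binding.get(ev["session"])
        if bound is None:
            continue  # no MFA completion seen for this session in the window
        _, bound_ip, bound_ua = bound
        ip_changed = ev["ip"] != bound_ip
        ua_changed = ev["ua"] != bound_ua
        if ip_changed and ua_changed:
            severity, reason = "high", "ip_and_user_agent_changed"
        elif ua_changed:
            severity, reason = "medium", "user_agent_changed"
        elif ip_changed:
            severity, reason = "low", "ip_changed"
        else:
            continue  # same client as at MFA time; nothing to report
        alerts.append({
            "ts": ev["ts"],
            "user": ev["user"],
            "session": ev["session"],
            "severity": severity,
            "reason": reason,
            "bound_client": (bound_ip, bound_ua),
            "observed_client": (ev["ip"], ev["ua"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_LOG):
        print(json.dumps(alert))
```

In an AiTM flow the MFA completion itself arrives from the proxy, so the "bound" client is the proxy; the later use of the same cookie from the attacker's browser is what the high-severity rule catches. Logging a hash of the cookie rather than the cookie value keeps the log safe to retain, and pairing this rule with short session lifetimes and token binding or phishing-resistant authenticators shrinks the window in which a stolen cookie is useful at all.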
In this instance, the Menlo Labs team saw that the threat actors largely focused on targeting executives
in senior level roles across industries, such as banking and financial services, insurance providers,
property management and real estate, and manufacturing. However, given that similar AiTM threats could
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.