Page 92 - Cyber Defense eMagazine June 2024
Ransom
Fortra has observed instances in which an adversary will gain access to an organization’s social media
account, lock the organization out of it, and promise to restore access in return for a ransom. For
companies that rely heavily on social media for marketing and advertising, this lockout can have
devastating impacts on revenue. Smaller organizations without high-level contacts at social media
companies may struggle to regain access to their accounts via official support channels without paying
the ransom, and are most at risk from this cashout method. For larger organizations that may be able to
use connections to regain access, this approach is less effective but may still be attempted in concert
with a threat to post damaging information using the stolen account if a ransom is not received quickly.
The Tactics Behind the Campaign
Like many phishing threats, this attack is initially delivered via email. The adversary stays with a tried-
and-true approach: impersonate a legitimate service (in this case Meta) and threaten the restriction or
closure of the organization’s business account due to policy violations. The adversary also takes basic
steps to reinforce their fake identity, including modifying the Display Name portion of the “From” header,
banking on the fact that the majority of email clients show this value most prominently and hide or
minimize the actual sending address.
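The display-name trick described above is straightforward to check for on the receiving side: parse the “From” header, see whether the display name invokes a brand, and compare the real sending domain against the domains that brand legitimately sends from. The following is an added example written for this article, not Fortra’s tooling; the brand keyword list, the allowlisted domains, and the sample lure (including its domain names) are constructed placeholders for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# ASSUMPTION: illustrative allowlist of domains the impersonated brand sends
# from. A real deployment would maintain and verify this list itself.
BRAND_DOMAINS = {
    "meta": {"meta.com", "facebookmail.com"},
}

# Display-name words that signal a brand is being claimed (illustrative).
BRAND_KEYWORDS = {
    "meta": ("meta", "facebook", "instagram"),
}


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _domain_allowed(domain, allowed):
    """True if `domain` is one of `allowed` or a subdomain of one of them."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def analyze_from_header(raw_message):
    """Compare the From display name against the actual sender domain.

    Returns a dict with the display name, the sender domain, the brand the
    display name claims (if any), the Reply-To domain, and a 'suspicious'
    flag set when a brand is claimed but the sender domain is not on that
    brand's allowlist.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = _domain(addr)

    claimed = None
    for brand, words in BRAND_KEYWORDS.items():
        if any(w in display_name.lower() for w in words):
            claimed = brand
            break

    suspicious = False
    if claimed:
        suspicious = not _domain_allowed(sender_domain, BRAND_DOMAINS[claimed])

    reply_to_domain = _domain(parseaddr(str(msg["Reply-To"] or ""))[1])
    return {
        "display_name": display_name,
        "sender_domain": sender_domain,
        "claimed_brand": claimed,
        "reply_to_domain": reply_to_domain,
        "suspicious": suspicious,
    }


# Constructed sample: the display name claims Meta, but the message is sent
# through a hypothetical third-party marketing platform domain.
SAMPLE_LURE = """\
From: Meta Business Support <campaigns@mailer.example-esp.net>
Reply-To: support@business-policy-review.example
To: owner@victim.example
Subject: Your business account will be restricted

Your page violated our advertising policies. Review within 24 hours.
"""

# Constructed sample of a message whose sender domain matches the allowlist.
SAMPLE_LEGIT = """\
From: Meta <notification@facebookmail.com>
To: owner@victim.example
Subject: Weekly page summary

Here is your weekly summary.
"""

if __name__ == "__main__":
    print(analyze_from_header(SAMPLE_LURE))
    print(analyze_from_header(SAMPLE_LEGIT))
```

The check deliberately stops at the header layer: it does not decide that a message is malicious, only that the identity it presents visually does not match the identity it presents technically, which is exactly the mismatch the display-name trick relies on readers not noticing. A mismatched Reply-To domain is returned alongside so a downstream rule can weigh it as well.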
The adversary also makes use of generative AI technology. Fortra observed several variations of the
email lure, subject, and Display Name. Fortra’s analysis strongly indicates that these emails were AI
generated. This is a textbook example of the benefits generative AI can provide to cybercriminals: by
generating multiple high-quality phishing emails with minimal effort, it both lowers barriers for adversaries
without strong language skills and enables adversaries to scale their operations more effectively.
The adversary also took pains to ensure that these malicious emails were delivered successfully. First,
emails attributed to this campaign were sent using infrastructure belonging to legitimate sales and email
marketing organizations. By leveraging the services of these reputable companies, adversaries avoid
deliverability problems caused by the low reputation of their own email infrastructure. This abuse of
legitimate SaaS capabilities is a variation of a living-off-the-land attack known as Living off Trusted Sites
(LOTS).
Additionally, steps were taken to disguise the malicious URL leading to the phishing website. The
adversary leveraged a URL intermediary (in this case, Google notifications clicktracking) to mask the
true destination of the URL. In many instances the adversary further disguised the URL by embedding it
within a QR code. While neither tactic is new, both are increasingly popular means of hiding the intent of
the URL. A growing number of phish are using QR phishing, or “quishing,” as the primary lure in email
attacks. At the time of writing, the volume of phish detected in this campaign using QR codes was more
than three times greater than those using traditionally clickable links. In addition to making it harder for
automated software to scan the URL, the biggest benefit of a QR-code-based lure is that the victim
finishes the interaction on their mobile device, which is likely not protected by the organization’s cyber
defenses.
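Because a click-tracking intermediary carries the real destination inside its own URL, a mail gateway can often recover that destination statically, without fetching anything, and evaluate the final host instead of the visible one. The following is an added example, not code from Fortra or from the article: it treats a configurable set of hostnames as intermediaries, looks in their query parameters for an embedded absolute URL, and repeats until it reaches a host that is not an intermediary. The redirector hostnames, the parameter names, and the sample wrapped URL are all constructed placeholders; real intermediaries use their own parameter names, which is why the code scans every parameter rather than assuming one.

```python
from urllib.parse import parse_qs, quote, urlparse

# ASSUMPTION: illustrative intermediary hosts. A real deployment would build
# this set from its own telemetry and the services it legitimately uses.
KNOWN_REDIRECTORS = {
    "notifications.example-redirector.com",
    "clicks.example-esp.net",
}


def _embedded_urls(url):
    """Yield absolute http(s) URLs carried in any query parameter of `url`.

    parse_qs percent-decodes each value once, so a destination that was
    URL-encoded by the redirector comes back as a plain URL.
    """
    parsed = urlparse(url)
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                yield value


def unwrap_redirect_chain(url, max_depth=5):
    """Statically peel redirector wrappers off `url` without any network I/O.

    Returns (final_url, chain), where chain lists every hop starting with the
    original URL. Unwrapping stops at the first host that is not a known
    intermediary, when no embedded URL is found, when a hop repeats, or
    after max_depth hops.
    """
    chain = [url]
    current = url
    for _ in range(max_depth):
        host = (urlparse(current).hostname or "").lower()
        if host not in KNOWN_REDIRECTORS:
            break
        nxt = next(_embedded_urls(current), None)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
        current = nxt
    return current, chain


def final_host_differs(url):
    """True when the unwrapped destination lands on a different host than
    the one a reader sees in the visible link."""
    final, _ = unwrap_redirect_chain(url)
    visible = (urlparse(url).hostname or "").lower()
    return (urlparse(final).hostname or "").lower() != visible


# Constructed sample: a phishing page wrapped in two layers of tracking
# redirects, built with quote() so the nesting is encoded correctly.
INNER = "https://business-policy-review.example/login"
MIDDLE = "https://clicks.example-esp.net/t?dest=" + quote(INNER, safe="")
SAMPLE_WRAPPED = (
    "https://notifications.example-redirector.com/click?u=" + quote(MIDDLE, safe="")
)

# Constructed sample: an ordinary link whose host is not an intermediary, so
# a URL-looking parameter on it is left alone.
SAMPLE_PLAIN = "https://www.example.com/page?next=https://other.example/"

if __name__ == "__main__":
    final, chain = unwrap_redirect_chain(SAMPLE_WRAPPED)
    print("final destination:", final)
    for i, hop in enumerate(chain):
        print(f"  hop {i}: {hop}")
    print("host differs:", final_host_differs(SAMPLE_WRAPPED))
```

The unwrapping is bounded by `max_depth` and by the loop-detection check so that a crafted URL that points back at itself cannot spin the gateway. The result is a candidate for reputation lookup, not a verdict: an intermediary that performs server-side lookups rather than carrying the destination in the URL will not unwrap this way, and that case is one reason the article notes QR codes move the interaction to a device the organization does not inspect.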
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.