I've got another credential-stealing phish today.
I'm rating this at a 2/5 - it's boring, basic, and very predictable.
The links are masquerading as an invoice, in hopes of tricking a recipient who doesn't want to miss a sale into clicking them.
Both the View and Invoice_05_02_2020 links point to the same domain - hxxps://share.getcloudapp.com/ - but to different subpages within it.
When either link is clicked, this page loads.
The next page loads a few options for email providers. This is where the deception really starts.
When the links to providers are clicked, a fake "Sign in" page appears that collects the email address and password but doesn't actually sign in to anything.
This is where clickers get compromised - they enter their email address and password, the login "fails", they try again thinking they typed their password incorrectly, and the loop continues until they give up. Every attempt is captured, so the phisher ends up with the correct password plus any variations the victim tried.
At this point, the phisher has usernames and passwords.
Multifactor authentication can still protect victims - they would start receiving verification texts, calls, or app prompts and would hopefully not take actions that could let the phisher in.
I suggest SMS for verification codes to my less tech savvy coworkers. There is no way for the user to accidentally allow a verification attempt - they would have to hand that code to the attacker. A sophisticated attacker could use a SIM swap attack to circumvent this, or could simply call the user, present themselves as someone of importance, and ask for the code. The same fake sign-in page could also just ask for the code after the password, and a user who is already typing is likely to hand it over.
The phone call method where a user just has to press # to verify isn't secure. An attacker may trigger back-to-back calls, and a frustrated person may just press # to make the calls stop.
For my more tech savvy coworkers, I like to suggest the Microsoft Authenticator app. Once configured, they get a push notification on their cellphone to approve / deny the login attempt. This relies on the user being aware enough to know when to expect a verification prompt, so I wouldn't suggest it for
Methods
- Urgency - nobody wants to be late on an invoice
IOCs
- Invoice coming from an unknown contact
- The invoice isn't attached as a PDF
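To show how those two IOCs can be turned into a mail-filter check, here is an added Python example (not code from the original post) that parses a message, pulls the links out of the HTML body, and flags the combination seen in this phish: a sender outside a known-contact list, invoice-worded links pointing at a file-sharing host, and no PDF actually attached. The sample message, the sender addresses, and the known-contact list are constructed for the example; only the share.getcloudapp.com domain comes from the post.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the phish described above.
# Sender, recipient and link paths are made up; the host is from the post.
SAMPLE_EML = """\
From: Accounts Payable <billing@example-vendor.test>
To: victim@example.test
Subject: Invoice_05_02_2020 - payment due
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please find your invoice below. Payment is due immediately.</p>
<p><a href="https://share.getcloudapp.com/abc123">View</a></p>
<p><a href="https://share.getcloudapp.com/def456">Invoice_05_02_2020</a></p>
</body></html>
"""

KNOWN_CONTACTS = {"ap@trusted-supplier.test"}      # hypothetical allow-list
SHARE_DOMAINS = {"share.getcloudapp.com"}          # lure-hosting domains seen
INVOICE_WORDS = ("invoice", "view")                # link text used by the lure


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(msg):
    """Return [(text, href), ...] from the HTML body, or [] if there is none."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = LinkExtractor()
    parser.feed(body.get_content())
    return parser.links


def has_pdf_attachment(msg):
    """True if any attachment is a PDF by content type or file extension."""
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/pdf":
            return True
        if (part.get_filename() or "").lower().endswith(".pdf"):
            return True
    return False


def score_invoice_phish(raw_eml, known_contacts=KNOWN_CONTACTS):
    """Apply the IOCs from the post and return a list of human-readable findings."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []

    _, sender = parseaddr(msg["From"] or "")
    if sender.lower() not in known_contacts:
        findings.append("sender not a known contact")

    invoice_themed = "invoice" in (msg["Subject"] or "").lower()
    for text, href in extract_links(msg):
        host = (urlparse(href).hostname or "").lower()
        if host in SHARE_DOMAINS and any(w in text.lower() for w in INVOICE_WORDS):
            findings.append(f"'{text}' link points to file-sharing host {host}")
            invoice_themed = True

    # An invoice that arrives only as links, never as a PDF, is the second IOC.
    if invoice_themed and not has_pdf_attachment(msg):
        findings.append("invoice-themed message with no PDF attached")
    return findings


def build_benign_eml():
    """Constructed control case: known sender, real PDF attached, no lure links."""
    m = EmailMessage()
    m["From"] = "AP <ap@trusted-supplier.test>"
    m["To"] = "victim@example.test"
    m["Subject"] = "Invoice 1234"
    m.set_content("Invoice attached as PDF.")
    m.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    return m.as_string()


if __name__ == "__main__":
    for f in score_invoice_phish(SAMPLE_EML):
        print("PHISH:", f)
    print("benign findings:", score_invoice_phish(build_benign_eml()))
```

The check is deliberately narrow: it only fires when a message is invoice-themed, links to a known lure host, and carries no PDF, which keeps genuine "view your invoice online" mail from a known contact out of the alert queue. Widening SHARE_DOMAINS to other free file-sharing hosts is the obvious next step.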
Noteworthy Whois Data
- There is no whois data for the final site that steals credentials