This monster of a phishing campaign is after your passwords
#1
https://www.zdnet.com/article/this-frank...passwords/
TodayZoo phishing campaign sends links to spoofed Microsoft 365 login pages.

By Liam Tung | October 22, 2021 | Topic: Security


Microsoft has detailed an unusual phishing campaign aimed at stealing passwords that uses a phishing kit built using pieces of code copied from other hackers' work.

A "phishing kit" is the various software or services designed to facilitate phishing attacks. In this case, the kit has been called ZooToday by Microsoft after some text used by the kit. Microsoft also described it as a 'Franken-Phish' because it is made up of different elements, some available for sale through publicly accessible scam sellers or reused and repackaged by other kit resellers.


Microsoft said TodayZoo is using the WorkMail domain AwsApps[.]com to pump out email with links to phishing pages mimicking the Microsoft 365 login page.


Microsoft says the attackers have been creating malicious AWS WorkMail accounts "at scale" but are just using randomly generated domain names instead of names that would represent a legitimate company. In other words, it's a crude phishing product likely made on a thin budget, but large enough to be noticeable.

It caught Microsoft's attention because it impersonated Microsoft's brand and used a technique called "zero-point font obfuscation" – HTML text with a zero font size in an email – to dodge human detection. Microsoft detected an uptick in zero-font attacks in July. 

TodayZoo campaigns in April and May of this year typically impersonated Microsoft 365 login pages and a password-reset request. However, Microsoft found that campaigns in August used Xerox-branded fax and scanner notifications to dupe workers into giving up credentials.

Microsoft's threat researchers have found that most of the phishing landing pages were hosted within cloud provider DigitalOcean. Those pages were identical to the Microsoft 365 signin page.

Another unusual trait was that after harvesting credentials, the stolen information was not forwarded to other email accounts but stored on the site itself. This behaviour was a trait of the TodayZoo phishing kit, which has previously focussed on phishing credentials from Zoom video-meeting accounts.



But Microsoft researchers believe this phishing group is a single operation rather than a network of agents.

"While many phishing kits are attributed to a wide variety of email campaign patterns and, conversely, many email campaign patterns are associated with many phishing kits, TodayZoo-based pages exclusively utilized the same email campaign patterns, and any of those subsequent email campaigns only surfaced TodayZoo kits. These lead us to believe that the actors behind this specific TodayZoo implementation are operating on their own," Microsoft said.

Microsoft says it informed Amazon about the TodayZoo phishing campaign and that AWS "promptly took action".
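
The zero-point font technique mentioned in the article, seen from the detection side, as an added example that is not part of the original post or of Microsoft's write-up: it splits an HTML email body into the text a tag-stripping filter reads, the text the reader sees, and the text hidden at font size zero. The names `zero_font`, `ZeroFontScanner` and `scan` are hypothetical and the sample body is constructed.

```python
import re
from html.parser import HTMLParser

FONT_SIZE = re.compile(r"(?:^|;)\s*font-size\s*:\s*([^;]+)", re.I)
ZERO = re.compile(r"(?:0+(?:\.0*)?|\.0+)\s*(?:px|pt|em|rem|%)?")
VOID = set("area base br col embed hr img input link meta source track wbr".split())

def zero_font(style):
    """True/False when the inline style sets font-size, None when it does not."""
    sizes = FONT_SIZE.findall(style)
    if not sizes:
        return None
    value = sizes[-1].lower().replace("!important", "").strip()  # last declaration wins
    return bool(ZERO.fullmatch(value))

class ZeroFontScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []                      # (tag, hidden) for each open element
        self.raw, self.visible, self.hidden = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:                      # void elements never hold text
            return
        own = zero_font(dict(attrs).get("style") or "")
        inherited = self.stack[-1][1] if self.stack else False
        # Simplification: any explicit font-size on a child overrides its parent.
        self.stack.append((tag, inherited if own is None else own))

    def handle_endtag(self, tag):
        open_tags = [t for t, _ in self.stack]
        if tag in open_tags:                 # tolerate unclosed inner tags
            del self.stack[len(open_tags) - 1 - open_tags[::-1].index(tag):]

    def handle_data(self, data):
        self.raw.append(data)
        (self.hidden if self.stack and self.stack[-1][1] else self.visible).append(data)

def scan(html):
    """Return (text a tag-stripping filter sees, text the reader sees, hidden text)."""
    s = ZeroFontScanner()
    s.feed(html)
    s.close()
    return tuple(" ".join("".join(p).split()) for p in (s.raw, s.visible, s.hidden))

# Constructed sample body, not taken from the campaign.
SAMPLE = ('<p>Your Micro<span style="font-size:0px">xk</span>soft 365 pass'
          '<span style="FONT-SIZE: 0">qv<b>j</b></span>word expires today.</p> '
          '<p style="font-size:0.5em">Help desk</p>')
```

A non-empty third element from `scan(SAMPLE)` is the signal worth alerting on; comparing the first two shows which words a keyword filter would miss. Only inline `style` attributes are inspected, so rules in `<style>` blocks need a separate check.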