Catches of the Month: Phishing Scams for October 2023

October is both Cybersecurity Awareness Month in the US and European Cyber Security Month in the EU – twin campaigns on either side of the Atlantic that aim to improve awareness of the importance of cyber security both at work and at home, and provide tips on how to stay secure.

Given the huge proportion of cyber attacks that rely on phishing to gain a foothold in victims’ systems, it’s hardly surprising that one of the four ways of staying safe online advocated by the US campaign is recognising and reporting phishing.

Keeping informed about current attacks is one of the best ways of reducing the risk of falling victim. So, as ever, this blog series examines recent phishing campaigns and the tactics criminals use to trick people into compromising their data.

This month, we look at campaigns targeting Microsoft credentials by abusing open redirects from the job site indeed.com and exploiting LinkedIn Smart Links, and a series of attacks on users of postal services around the world.

You can find everything you might want to know about phishing on our website.


EvilProxy phishing campaign targets Microsoft 365 accounts via indeed.com

A phishing campaign identified by Menlo Security has been targeting senior executives in various industries – most notably banking and financial services, property management and real estate, and manufacturing – since July.

The attack exploits an open redirection vulnerability on the job listing site indeed.com to redirect victims to a malicious web page impersonating the Microsoft Online login page.

Because the link appears to come from indeed.com, it can bypass email security controls and is more likely to be clicked by the recipient.

When users attempt to log in, the phishing page uses the EvilProxy AITM (adversary-in-the-middle) kit to intercept requests between the legitimate website and the user. This enables it to steal credentials and session cookies, which it can then use to bypass multifactor authentication when impersonating the victim on the legitimate website.

Menlo Labs has informed indeed.com of the vulnerability and its active exploitation.


LinkedIn Smart Links phishing resurgence

In 2022, Cofense Phishing Defense Center identified a series of phishing attacks abusing LinkedIn Smart Links (or ‘slinks’) to bypass secure email gateways and redirect email recipients to credential phishing websites.

Now, according to Cofense, there has been a surge of similar attacks as part of a phishing campaign comprising over 800 emails and 80 unique Smart Links, targeting Microsoft Office credentials.

These phishing emails have reached the inboxes of users in multiple industries, including finance, manufacturing, financial services, energy, construction and healthcare.

The Smart Links tool is provided as part of LinkedIn’s Sales Navigator service, which allows business accounts to provide content and track engagement metrics.

As Cofense explains, Smart Links use “the LinkedIn domain followed by a ‘code’ parameter”. However, malicious Smart Links can include other information after this code, such as victims’ obfuscated email addresses.

A phishing kit can then read the obfuscated email address attached to the Smart Link and use it to autofill a credential form on a malicious website, lending it greater legitimacy.

The victim, landing on what appears to be a Microsoft login page that already includes their email address, is more likely to trust it and supply their password.
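Both campaigns above rely on a link whose host is a trusted domain but which carries something extra: an off-site destination in the open redirect case, and additional data after the ‘code’ parameter in the Smart Link case. The following mail-triage check is an added example, not code from Menlo Security, Cofense or this blog. The trusted-domain list, the reason labels and the sample links (hosts, paths and parameter names other than ‘code’) are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: domains a mail filter would otherwise pass on reputation alone.
TRUSTED_DOMAINS = ("indeed.com", "linkedin.com")


def _on_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def triage_link(url):
    """Return reasons a link on a trusted domain needs a closer look."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    trusted = next((d for d in TRUSTED_DOMAINS if _on_domain(host, d)), None)
    if trusted is None:
        return []  # not a trusted-domain link; normal filtering applies
    reasons = []
    params = parse_qsl(parts.query, keep_blank_values=True)

    # Open-redirect pattern: a query value that is itself a URL to another site.
    for name, value in params:
        value = unquote(value).strip()  # parse_qsl decoded once; undo double encoding
        if value.lower().startswith(("http://", "https://", "//")):
            target = (urlsplit(value).hostname or "").lower()
            if target and not _on_domain(target, trusted):
                reasons.append(f"redirect:{name}->{target}")

    # Smart Link pattern: a 'code' parameter with extra data riding along.
    names = [n for n, _ in params]
    if trusted == "linkedin.com" and "code" in names:
        extras = [n for n in names if n != "code"]
        if parts.fragment:
            extras.append("#fragment")
        if extras:
            reasons.append("smartlink-extra:" + ",".join(extras))
    return reasons

# Constructed samples: hosts, paths and parameter names other than 'code' are made up.
SAMPLES = [
    "https://www.indeed.com/jobs?q=analyst",
    "https://www.indeed.com/example-redirect?next=https%3A%2F%2Flogin.example.test%2Fo365",
    "https://www.linkedin.com/slink?code=abc123",
    "https://www.linkedin.com/slink?code=abc123#dXNlckBleGFtcGxlLnRlc3Q=",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", triage_link(link) or "no finding")
```

A finding here is a reason to detonate or rewrite the link before delivery, not proof of phishing: legitimate links on these domains can also carry extra parameters.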


USPS and other postal services spoofed in smishing attacks

The security researcher Brian Krebs reports that there has been a “sizeable uptick” in smishing (SMS phishing) attacks targeting customers of postal services around the world.

Krebs was alerted to the phishing campaign by a reader who received a text message ostensibly sent by the USPS (US Postal Service), alerting them to a problem with a delivery.

Following the link in the message took them to a phishing page mimicking a USPS page, where they were asked to enter their personal data and financial information.

This data would then be sent via an automated bot to a Telegram user called @chenlun “who offers to sell customized source code for phishing pages”.

Krebs found that the USPS phishing domain was registered in 2022 via Alibaba in Singapore to a registrant in Georgia, AL – not a real location.

Searching for other domains registered via Alibaba to anyone in Georgia, AL returns nearly 300 top domains used to phish customers of the USPS and postal services in other countries, including Australia Post, An Post in Ireland, Correos in Spain, the Costa Rican post, the Chilean Post, the Mexican Postal Service, Poste Italiane in Italy, PostNL in the Netherlands, PostNord (in Denmark, Norway and Sweden) and Posti in Finland.

This is not the first such scam targeting postal services and delivery companies: in June, Krebs reported that UPS (the United Parcel Service) had warned that attackers were harvesting personal data from a Canadian shipment tracking tool to send smishing messages.


Can you spot a phishing scam?

All organisations are vulnerable to phishing, no matter their size or sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.

You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.

This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.