
Global Phishing Campaign Exposes Corporate Data Breaches

Cybercrime remains a persistent threat in the digital landscape, with phishing, credential theft, and business email compromise being the primary tactics employed by criminals to breach organizations’ defenses. These methods have been the root cause of a significant majority of successful data breaches globally. Check Point Research, in collaboration with Otorio, recently delved into a large-scale phishing campaign that targeted numerous global organizations. The campaign, initiated through deceptive emails posing as Xerox scan notifications, managed to evade Microsoft Office 365 Advanced Threat Protection and successfully pilfered credentials from over a thousand corporate employees.

Despite the seemingly straightforward nature of the attack, a critical flaw in the attackers’ strategy inadvertently led to the exposure of the stolen credentials on public internet platforms. This blunder allowed anyone with basic search capabilities to access compromised email addresses and passwords, providing a golden opportunity for malicious actors.

The phishing campaign’s infection chain began with tailored emails impersonating Xerox scan notifications, with the recipient’s name or company title featured in the subject line. Upon opening the attached HTML file, embedded JavaScript performed password checks, forwarded the data to the attackers’ servers, and redirected the user to a legitimate Office 365 login page. The attackers continuously refined their techniques to make their phishing pages look more legitimate and to evade detection by antivirus software.

The infrastructure supporting this campaign involved a blend of unique servers and compromised WordPress websites utilized as drop-zone servers. These servers ran for approximately two months, hosting multiple .xyz domains crucial to the phishing attacks. By leveraging compromised servers with established reputations, the attackers aimed to bypass security filtering and improve the chances of successful email delivery.

An analysis of the email headers revealed that the campaign leveraged Linux servers on Microsoft’s Azure platform, utilized PHP Mailer 6.1.5 for email delivery, and employed 1&1 email servers for distribution. Compromised email accounts were instrumental in disseminating spam through high-reputation phishing campaigns, enhancing the likelihood of successful delivery.
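The lure and header traits described in the two paragraphs above (a scanner-themed subject line, an HTML attachment carrying JavaScript, and a PHPMailer X-Mailer header) can be turned into a simple mail-triage check. The script below is an added example written for this article; it is not code from Check Point Research or Otorio, the sample messages are constructed, and the indicator weights and the `PHPMailer` X-Mailer check are assumptions for illustration rather than rules from the report.

```python
"""Triage raw e-mail messages for the Xerox-scan lure pattern.

Added example. Indicators and weights are assumptions for illustration,
not an official rule set; PHPMailer is legitimate software, so that header
is treated only as a weak corroborating signal.
"""
import email
import re
from email import policy

LURE_SUBJECT = re.compile(r"\b(xerox|scan(?:ned|ner)?)\b", re.I)
SCRIPT_TAG = re.compile(r"<script\b", re.I)

# Constructed sample: scanner-themed subject, PHPMailer header, HTML attachment with script.
SUSPICIOUS_SAMPLE = """\
From: scanner@copier.example.invalid
To: jane.doe@example.invalid
Subject: Xerox Scan - Example Corp
X-Mailer: PHPMailer 6.1.5 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the attached scan.
--b1
Content-Type: text/html; name="scan_0001.html"
Content-Disposition: attachment; filename="scan_0001.html"

<html><body><script>console.log("placeholder")</script></body></html>
--b1--
"""

# Constructed sample: ordinary plain-text message, no attachment.
BENIGN_SAMPLE = """\
From: colleague@example.invalid
To: jane.doe@example.invalid
Subject: Lunch on Thursday?
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Are you free on Thursday?
"""


def triage(raw: str) -> dict:
    """Return the indicators found in one raw RFC 5322 message, a score and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits, score = [], 0

    if LURE_SUBJECT.search(msg.get("Subject", "")):
        hits.append("scanner-themed subject")
        score += 1

    mailer = msg.get("X-Mailer", "")
    if mailer.lower().startswith("phpmailer"):
        hits.append("x-mailer: " + mailer)
        score += 1

    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = (part.get_filename() or "").lower()
        if part.get_content_type() != "text/html" and not name.endswith((".htm", ".html")):
            continue
        hits.append("html attachment: " + name)
        score += 2
        data = part.get_content()
        text = data.decode("utf-8", "replace") if isinstance(data, bytes) else data
        if SCRIPT_TAG.search(text):
            hits.append("script in html attachment")
            score += 3

    verdict = "suspicious" if score >= 4 else ("review" if score else "clean")
    return {"score": score, "indicators": hits, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(sample))
```

The HTML-attachment-with-script combination carries most of the weight because that is the delivery vehicle the article describes; the subject keyword and the X-Mailer header only corroborate it, so a plain PHPMailer-sent newsletter with no attachment stays below the alerting threshold.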

Once victims’ data reached the drop-zone servers, the stolen credentials were stored in publicly accessible files, which allowed the researchers to break down the targeted industries from a subset of the stolen credentials. Energy and Construction companies were notable among the targets, indicating a specific focus within the campaign.

Comparisons to previous phishing activities revealed striking similarities, suggesting a potential connection between multiple campaigns. After the compromised .xyz domains were identified and reported to the XYZ Registry’s Anti-Abuse Team, the registry took swift action to suspend them and mitigate further abuse.

As organizations and individuals navigate the evolving cyber threat landscape, vigilance is key to safeguarding against malicious attacks. Tips to enhance data security include exercising caution with unfamiliar domains and email senders, avoiding interactions with suspicious email attachments, verifying the authenticity of online sources, and refraining from password reuse across platforms.

In conclusion, the phishing campaign serves as a stark reminder of the deceptive tactics employed by cybercriminals and underscores the importance of proactive cybersecurity measures. By adopting a comprehensive cyber architecture and leveraging advanced prevention tools like Check Point Infinity, organizations can bolster their defenses against sophisticated phishing attacks and account takeovers.
