How Fraudsters Use Phishing Campaigns for Account Takeovers

Written by
Nguyen Nguyen

Hackers continually refine their tactics to launch successful campaigns. Unsuspecting users are frequently susceptible to such attacks, highlighting the need for comprehensive cybersecurity training. As a result, enterprises often implement additional security measures like Multi-Factor Authentication (MFA) to thwart account takeovers.

Nevertheless, as security evolves, hackers adapt by incorporating new techniques into their phishing attempts to bypass these safeguards. To protect our customers, we need to understand the data and technologies that are accessible to the hacker. This blog delves into the methods hackers employ in their phishing attacks to compromise and take control of user accounts. With knowledge of the phishing threat landscape, we can build better defenses for our customers.

Phish Campaign Overview

To initiate a phishing campaign, a cybercriminal must engage in careful planning before executing their phishing operation. There are five fundamental steps involved in the criminal’s attack strategy. As illustrated in Figure 1, the initial phase requires the identification of the specific enterprise they intend to target and the potential victims within that organization. Once the criminal has selected their target, the next step involves acquiring a phishing kit for use in the campaign. This blog centers on the exploration of phishing kits, their advantages, and the infrastructure they employ to host their phishing content.

Brand/Phishkit

Phishkits, a shortened form of ‘phishing toolkits,’ comprise a collection of malevolent tools and resources designed to replicate genuine websites and services. These kits simplify the creation of deceptive web pages that closely resemble authentic sites, deceiving unsuspecting victims into divulging sensitive information. They typically include pre-designed HTML templates, CSS styles, and scripts to imitate websites with remarkable accuracy. In the underground, phishkits are frequently referred to as ‘scampages.’

Phishkits are readily accessible in the underground marketplace, often available free of charge. For more specialized phishing needs, numerous developers advertise their services in various forums and Telegram channels. Figure 2 displays the phishkit featured in the 2022 edition of the Fraud Bible, while Figure 3 showcases a phishkit shared within the Telegram platform.

Many of these phishkits are outdated, employing older methods that store credentials in files or transmit them through email addresses. Such kits are ineffective at bypassing multi-factor authentication (MFA) when enforced by the target site.

Advantages of Phishkits

Disadvantages of Phishkits

Evilginx

Evilginx is an advanced phishing toolkit that uses a man-in-the-middle technique (a reverse proxy placed between the victim and the genuine site) to capture login credentials, MFA tokens, and session cookies, thereby bypassing two-factor authentication. Evilginx addresses numerous shortcomings found in traditional phishing kits. Figure 4 shows the step-by-step process of Evilginx once the user accesses the phishing URL.

Below is the Evilginx process flow:

Advantages of Evilginx

Disadvantages of Evilginx

Telegram Bot

Recently, cybercriminals have begun integrating Telegram with phishkits, a technique also known as Adversary-in-the-Middle (AitM). When a user submits their credentials, they are relayed in real time to the criminal through a Telegram bot. With this capability, the criminal can log in immediately and trigger the OTP (One-Time Password), which is then sent to the user. The phishing page is subsequently updated to prompt for the OTP. Once the user submits the OTP, the criminal gains access to the account and takes it over.

The attacker follows this sequence in the attack:

The Telegram Bot API is as straightforward as a single POST method, demonstrated below.
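Because the relay in this scheme is an outbound HTTPS request from the phishing host to the Telegram Bot API, a web server that suddenly starts calling api.telegram.org is a useful signal for defenders, for example when a kit has been planted on a compromised site. The following is an added detection example, not code from the original post: it scans egress proxy logs for Bot API calls (paths of the form /bot<id>:<secret>/<method>) from hosts that should never talk to Telegram. The log format, the web-server inventory and the sample lines are all constructed for illustration, and the bot secret is deliberately not copied into the finding.

```python
"""Detect phishkit exfiltration through the Telegram Bot API in egress proxy logs.

Added defensive example (not code from the original post). The key=value log
format, the host inventory and the sample lines below are constructed.
"""
import re
from dataclasses import dataclass

# Assumption: these hosts serve web content and have no business calling Telegram.
WEB_SERVERS = {"10.0.3.21", "10.0.3.22"}

# Telegram Bot API paths look like /bot<bot_id>:<secret>/<method>.
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

# Constructed sample proxy log lines, one request per line.
SAMPLE_LOG = """\
ts=2024-05-02T10:14:03Z src=10.0.3.21 method=POST host=api.telegram.org path=/bot123456789:AAF-constructedSecret/sendMessage status=200
ts=2024-05-02T10:14:05Z src=10.0.3.21 method=GET host=fonts.googleapis.com path=/css status=200
ts=2024-05-02T10:15:40Z src=10.0.7.5 method=POST host=api.telegram.org path=/bot555:AbcSecret/sendMessage status=200
ts=2024-05-02T10:16:01Z src=10.0.3.22 method=POST host=api.telegram.org path=/bot987654321:ZZZ-anotherSecret/sendDocument status=200
"""


@dataclass
class Finding:
    ts: str
    src: str
    bot_id: str   # numeric bot id only; the secret part of the token is never stored
    method: str   # Bot API method called, e.g. sendMessage or sendDocument


def parse_line(line):
    """Turn one key=value log line (constructed format) into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def scan(log_text, web_servers=WEB_SERVERS):
    """Return a Finding for every Bot API call made by a web server."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Only outbound calls to the Bot API from hosts in the web tier matter here.
        if rec.get("host") != "api.telegram.org" or rec.get("src") not in web_servers:
            continue
        m = BOT_PATH.match(rec.get("path", ""))
        if not m:
            continue
        findings.append(Finding(rec["ts"], rec["src"], m.group(1), m.group(3)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} web server {f.src} called Telegram bot {f.bot_id} ({f.method})")
```

The third sample line, from 10.0.7.5, is not reported because that host is outside the web tier; the same rule can be scoped to any host class that should not reach Telegram. The bot id is kept because it can be correlated across hosts and incidents, while the secret is dropped so the detection output does not become a second copy of the attacker's credential.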

Advantages of Telegram Bot Phishing

Disadvantages of Telegram Bot Phishing

Infrastructure

After selecting the phishkit or platform, the criminal identifies the infrastructure on which to deploy the phishing operation. It is not uncommon to find phishing sites hosted on compromised WordPress instances or on servers under the criminal's control. As more cloud services become available for developers to host their code, cybercriminals have adapted quickly, seeking opportunities to deploy their phishing campaigns with minimal risk of discovery. Below are some popular cloud providers that cybercriminals often leverage to host their phishing operations, with risk levels indicating the likelihood of being detected.

Targets

In hacker jargon, ‘leads’ is a term borrowed from the business world, referring to the targets of an engagement. Cybercriminals use two types of lead data, depending on whether they plan an SMS or an email campaign. These datasets are readily accessible to cybercriminals: in various specialized markets, criminals can purchase either a generic list or a list tailored to a particular target brand, which improves their success rate. Figures 8 and 9 show advertisements for leads and for leads related to Chase bank.

Frequently, cybercriminals share leaked databases that can be readily utilized with minimal effort. For instance, Figure 10 illustrates a criminal sharing a data dump from cms.gov, which includes information on dentists, doctors, nurses, pharmacists, and medical practices. This dataset comprises names, phone numbers, and addresses, and can be used for phishing attacks targeting the healthcare sector.

As highlighted in the BidenCash Dump of 2023, the cybercriminal exposed over 2 million debit/credit card details to the public. This breach encompassed more than 600,000 records, each containing the name, email, and phone number of a specific financial institution’s customers. The cybercriminal can leverage this data for targeted phishing attacks, knowing that the victims hold accounts with the particular financial institution.

Account Takeover

With the combination of Telegram bot phishing and Evilginx, phishers significantly increase their chances of successfully taking over an account, thanks to real-time attacks and session cookie capture. Even if they cannot immediately take control of the account, obtaining the victim’s credentials and phone number provides another avenue for exploitation.
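Session cookie capture, both in the Evilginx flow described earlier and in the account takeover above, leaves a trace on the genuine site: the cookie issued at login is later presented by a different client than the one that authenticated. The following is an added defensive example, not code from the original post, that runs this check over authentication events. The event format, the sample events and the 30-minute window are constructed assumptions; a real deployment would read the same fields from the application's session and access logs.

```python
"""Flag session cookies used from a different client than the one that logged in.

Added defensive example; this is not code from the original post. The event
format, the sample events and the 30-minute window are constructed assumptions.
"""
from datetime import datetime, timedelta

# Assumption: a cookie captured by a proxy is usually replayed soon after the login.
REPLAY_WINDOW = timedelta(minutes=30)

# Constructed authentication events. A successful login issues a session id;
# every later request carries that id with the client's IP and User-Agent.
SAMPLE_EVENTS = [
    {"ts": "2024-05-02T10:14:00Z", "kind": "login", "sid": "s1", "user": "alice",
     "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"},
    {"ts": "2024-05-02T10:14:30Z", "kind": "request", "sid": "s1", "user": "alice",
     "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"},
    # Same cookie, seven minutes later, from a new address and a different browser.
    {"ts": "2024-05-02T10:21:10Z", "kind": "request", "sid": "s1", "user": "alice",
     "ip": "203.0.113.44", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125"},
    {"ts": "2024-05-02T11:00:00Z", "kind": "login", "sid": "s2", "user": "bob",
     "ip": "192.0.2.10", "ua": "Mozilla/5.0 (iPhone) Safari/17"},
    {"ts": "2024-05-02T11:05:00Z", "kind": "request", "sid": "s2", "user": "bob",
     "ip": "192.0.2.10", "ua": "Mozilla/5.0 (iPhone) Safari/17"},
    # Same browser, new address shortly after login: weaker signal.
    {"ts": "2024-05-02T11:12:00Z", "kind": "request", "sid": "s2", "user": "bob",
     "ip": "192.0.2.77", "ua": "Mozilla/5.0 (iPhone) Safari/17"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def classify(reasons, minutes_since_login, window=REPLAY_WINDOW):
    """Severity from the kind of mismatch and how soon after login it occurs."""
    if "user_agent" in reasons:
        return "high"    # a browser does not change its User-Agent mid-session
    if minutes_since_login <= window.total_seconds() / 60:
        return "medium"  # new IP shortly after login is consistent with cookie replay
    return "low"         # later IP drift can be legitimate (mobile networks, VPNs)


def detect_session_replay(events, window=REPLAY_WINDOW):
    """Return one alert per request whose client differs from the login client."""
    origin = {}   # sid -> (login time, ip, ua) recorded when the cookie was issued
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(ev["ts"])
        if ev["kind"] == "login":
            origin[ev["sid"]] = (ts, ev["ip"], ev["ua"])
            continue
        if ev["sid"] not in origin:
            continue  # no login seen for this cookie; outside this check's scope
        login_ts, ip, ua = origin[ev["sid"]]
        reasons = []
        if ev["ip"] != ip:
            reasons.append("ip")
        if ev["ua"] != ua:
            reasons.append("user_agent")
        if not reasons:
            continue
        minutes = (ts - login_ts).total_seconds() / 60
        alerts.append({
            "sid": ev["sid"], "user": ev["user"], "ts": ev["ts"],
            "reasons": reasons,
            "minutes_since_login": round(minutes, 1),
            "severity": classify(reasons, minutes, window),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_EVENTS):
        print(alert)
```

With a reverse-proxy kit the login request itself reaches the genuine site from the phishing server's address, so the recorded origin of the session is already the attacker's infrastructure; the cookie is then typically imported into a separate browser, and that second client is the mismatch this check surfaces. The IP-only case is scored lower on purpose, since address changes on mobile networks are common, while a User-Agent change within one session is not something a legitimate browser does.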

Criminals can employ 2FA (Two-Factor Authentication) bots to engage in social engineering, aiming to capture tokens from the victims. These 2FA bots are automated services available on the Telegram platform. Users can select the bank or brand they wish to impersonate and specify the target phone number. Once initiated, the bot automatically calls the user using the provided phone number, pretending to represent the chosen brand in order to extract the OTP (One-Time Password) token.

The following code serves as a proof of concept for the OTP bot, illustrating the straightforward nature of these bots.

This code snippet employs Twilio to initiate a call to a person using the provided phone number. When the target answers the call, a recorded voice message states, ‘Hello, this is [bank name], we are calling to verify your OTP. Please provide the six-digit number.’ Once the user responds or enters the six-digit number, it is automatically transmitted to the endpoint server controlled by the actor.

Summary

Phishing remains an age-old, yet persistently effective, social engineering technique in the world of cyber threats. Cybercriminals continue to exchange knowledge on phishing methods and even offer phishkits freely to anyone interested. While Multi-Factor Authentication (MFA) has enhanced account security, cybercriminals adapt rapidly, devising strategies to circumvent these protective measures.

While it is hard to prevent cybercriminals from copying a website, you can take some measures to make it more challenging for imitators:

Use Obfuscation Techniques: You can employ code obfuscation techniques to increase the complexity of your website's source code, making it more challenging for imitators to decipher. This additional layer of security can also act as a deterrent against potential Man-in-the-Middle (MITM) attacks like Evilginx.

Educate Your Audience: Empower users with the knowledge to exercise caution when encountering links in emails or SMS messages. Encourage them to manually visit the website and perform the desired actions, avoiding the risk of falling victim to deceptive emails.

Phishing Email Examples

Kohl

CashApp

UPS

Navy Federal Credit Union

Phishing Website Examples

NatWest

Wellsfargo

Wellsfargo

Bank of America
