Learn More About Phishing Attacks in the Public Cloud You Use

admin | June 12th, 2019 | Cyber Threat

Phishing Attacks in Recent Times

Recently, a well-known cyber-threat research laboratory found an interesting PDF decoy stored in Google Drive. The PDF impersonated a law firm in Denver, CO, and linked to a Microsoft Office 365 phishing page hosted in Azure blob storage. Because the phishing page was hosted in Azure blob storage, it carried a Microsoft-owned domain and a valid Microsoft-issued SSL certificate. The combination of Microsoft domain, content, and certificate makes this bait especially convincing and difficult to recognize as phishing. In this CloudCodes post, we provide a detailed analysis of the PDF decoy and the phishing websites. We also cover similar phishing websites found in Azure blob storage. Finally, we close with recommendations to help you and your company avoid falling victim to phishing campaigns of this kind.

Please Note – During the research, the PDF decoy was identified as PDF_PHISH.Gen1, and the phishing websites were reported to Microsoft on September 17, 2018.

PDF decoys traditionally arrive as email attachments. They are designed to look like legitimate documents from legitimate sources. Email attachments are often saved to cloud storage platforms such as Google Drive. Sharing these PDFs with other users can create a secondary propagation vector, the CloudPhishing fan-out effect. In this case, the PDF originally arrived as an email attachment and was saved to Google Drive, where the research team detected the document and prevented potential credential loss or fan-out.

It's Time to Dive Into the PDF Analysis

The PDF decoy impersonates a law practice based in Denver and was titled “Scanned Document….. Please Review.pdf”. The file contains a link to download the original Adobe PDF, as shown in the following figure.

[Figure: Phishing-1]

When the “Download PDF” link is clicked, the target sees a dialog box warning that the document is trying to connect to an Azure blob storage URL.

[Figure: Phishing-2]

After the victim clicks the displayed link, a phishing website opens on the victim’s PC.

[Figure: Phishing-3]

This phishing page is hosted in Azure blob storage. As a result, it carries a valid Microsoft-issued SSL certificate and sits on a Microsoft-owned domain.

[Figure: Phishing-4]

At face value, seeing a Microsoft domain and a Microsoft-issued SSL certificate on a website that asks for Office 365 credentials is a strong lure. Victims enter their tenant credentials without a second thought because they assume the site is legitimate, and this is likely enough to convince them. When victims enter their credentials and click the button to continue, their data is uploaded to an unknown website maintained by the attackers.



After the details are entered a second time, the account email address and password are again sent to the attackers’ URL.


After this, victims are taken through a series of redirects to multiple landing pages that ask them to download the secured PDF.


Once all the pages have been displayed, the target is finally redirected to the Microsoft site. No document is ever downloaded to the victim’s PC. This pushes the victim to repeat the whole procedure and try alternative Microsoft account credentials, if they have any.

Existence of Similar Strains

We found that the PDF decoy carried header properties such as Creator, CreatorTool, and Producer, which we used to identify related threats.


Two more PDF decoys carried the same header properties. They linked to other phishing pages in blob storage. These PDFs impersonated an Oregon-based dental equipment vendor.
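To show how those header properties can be used to hunt for related decoys, here is an added example (not from the original research; the PDF fragments are constructed stand-ins, not the real samples) that pulls Creator and Producer from the PDF Info dictionary and CreatorTool from XMP metadata, then flags every sample whose fingerprint matches a reference decoy:

```python
import re

# Fingerprint fields: Creator and Producer from the PDF Info dictionary, and the
# CreatorTool element from embedded XMP metadata.
INFO_KEYS = ("Creator", "Producer")
XMP_CREATORTOOL = re.compile(rb"<xmp:CreatorTool>(.*?)</xmp:CreatorTool>", re.S)

def pdf_tool_fingerprint(data: bytes) -> dict:
    """Return the Creator / Producer / CreatorTool strings found in raw PDF bytes.
    Only literal (...) string values are handled; hex strings, object streams
    and encrypted files are out of scope for this illustration."""
    fp = {}
    for key in INFO_KEYS:
        m = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", data)
        if m:
            fp[key] = m.group(1).decode("latin-1")
    m = XMP_CREATORTOOL.search(data)
    if m:
        fp["CreatorTool"] = m.group(1).decode("utf-8", "replace").strip()
    return fp

def same_toolchain(sample: dict, reference: dict) -> bool:
    """True when the sample carries every field of the reference fingerprint."""
    return bool(reference) and all(sample.get(k) == v for k, v in reference.items())

def hunt(samples: dict, reference_pdf: bytes) -> list:
    """Names of the samples whose header properties match the reference decoy."""
    ref = pdf_tool_fingerprint(reference_pdf)
    return [name for name, pdf in samples.items()
            if same_toolchain(pdf_tool_fingerprint(pdf), ref)]

# Constructed PDF fragments for the demo (not the real decoys); only the parts
# the fingerprint reads are present.
def _fragment(creator: str, producer: str, tool: str) -> bytes:
    return (b"%PDF-1.4\n1 0 obj\n<< /Creator (" + creator.encode()
            + b") /Producer (" + producer.encode() + b") >>\nendobj\n"
            + b"<x:xmpmeta><xmp:CreatorTool>" + tool.encode()
            + b"</xmp:CreatorTool></x:xmpmeta>\n%%EOF\n")

REFERENCE_DECOY = _fragment("Example Builder 1.0", "Example PDF Lib 2.3", "Example Builder 1.0")
SAMPLES = {  # two look-alike decoys and one unrelated document
    "decoy_dental_a.pdf": _fragment("Example Builder 1.0", "Example PDF Lib 2.3", "Example Builder 1.0"),
    "decoy_dental_b.pdf": _fragment("Example Builder 1.0", "Example PDF Lib 2.3", "Example Builder 1.0"),
    "invoice_legit.pdf": _fragment("Office Suite 5", "Office Suite 5", "Office Suite 5"),
}
```

`hunt(SAMPLES, REFERENCE_DECOY)` returns the two dental decoys and leaves the unrelated invoice alone.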


As with the original bait, the captured account details were sent to the same domain, with a different URL path. At the time of analysis, the IP address the domains resolved to served a website running Vesta, an open-source hosting control panel.

After reviewing all of the incidents, we have no evidence that the phishing campaigns specifically targeted the organizations they impersonated. The only common thread is that small firms in the United States were chosen for impersonation. The threat appears to be broadly targeted at Office 365 customers in the US.

It's Time to Conclude With Some Recommendations

CloudCodes advises its clients to implement the following recommendations to combat cloud-based phishing campaigns:

  • Always verify the link domain. Learn which domain is normally used when you enter your account credentials. In addition, learn to recognize common object store domains such as those used by Azure blob storage. This helps an individual tell a well-crafted phishing website apart from an official site.
  • Deploy a real-time data visibility and control approach to monitor activity across sanctioned and unsanctioned cloud platforms. Also, keep your PC updated with the latest software versions.
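As an added example (not part of the original post), the following script applies the first recommendation: it classifies the host that a credential form submits to, treating the Azure blob storage suffix and a few other object-store suffixes as a reason for review, since the vendor's domain and certificate only prove who runs the storage service, not who uploaded the page. The suffix list and the expected sign-in hosts are assumptions for this example.

```python
from urllib.parse import urlsplit

# Public object-store and static-site suffixes on which anyone can host content
# under the provider's own domain and certificate. Constructed list for this
# example; extend it with the providers your organisation actually uses.
OBJECT_STORE_SUFFIXES = (
    ".blob.core.windows.net",    # Azure Blob Storage (the case in this post)
    ".web.core.windows.net",     # Azure Storage static websites
    ".s3.amazonaws.com",         # Amazon S3
    ".storage.googleapis.com",   # Google Cloud Storage
)

# Hosts on which an Office 365 sign-in form is expected (assumed for the example).
EXPECTED_LOGIN_HOSTS = frozenset({"login.microsoftonline.com", "login.live.com"})

def classify_login_url(url: str) -> str:
    """Classify a URL that presents a credential form by its exact host.
    The decision deliberately ignores the scheme and the padlock: the decoy in
    this post had a valid Microsoft certificate and still stole credentials."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "invalid"
    if host in EXPECTED_LOGIN_HOSTS:
        return "expected-login-host"
    if any(host.endswith(suffix) for suffix in OBJECT_STORE_SUFFIXES):
        return "object-storage-host"
    return "unknown-host"

def suspicious_credential_posts(urls) -> list:
    """Return the form-submission targets that are not an expected sign-in host."""
    return [u for u in urls if classify_login_url(u) != "expected-login-host"]

# Constructed sample of destinations a proxy saw credential forms submitted to.
SAMPLE_POSTS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://exampletenant.blob.core.windows.net/$web/office365/login.html",
    "https://secure-docs.example.invalid/o365/verify.php",
]
```

Run over `SAMPLE_POSTS`, only the first URL passes; the blob storage page and the unknown host are both returned for review.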

Whatever the case, at the end of the day phishing attacks can be mitigated by adopting proper cloud security solutions. So, what are you waiting for? Contact the CloudCodes team to enforce CASB security measures in your premises!
