PhishWire - Nov 25 2024

In November, we observed an increase in spear phishing attempts targeting staff members using discreet redirect tactics. However, this report will focus on a rise in social media phishing, specifically aimed at Instagram accounts. Here are some examples and highlights.

• instagram-clone-mu-two.vercel[.]app/Login

• scots84[.]com

• sellbuyeverything[.]site

• aaituljabhvani[.]org/ESEHA/index[.]php

• login[.]office-link[.]click

• webpage-pop-appropriations-guilty[.]trycloudflare[.]com/login.html

• centrilv[.]work/[.]i2tc4mea2v/nmvujul/7222[.]cgi

• naplswlwa3uhust5fr2s[.]z13[.]web[.]core[.]windows[.]net/MachelpArN047/index.html

Social Media Phishing

On November 15th, a phishing link impersonating Instagram was clicked 16 times in a Texas district. Although social media access is highly restricted through content filters and firewall products, these tools do not prevent zero-day phishing links from reaching their intended users. 

Here is a Facebook phishing page clicked on November 16th, mimicking Meta’s security verification process.

Not only can examples like these bypass content filters, but they can also be delivered in apps like Facebook and Instagram’s native messenger apps, which are totally outside the scope of email security tools.

Stealth Redirect: Never Gonna Give You Up

A Microsoft spearphish was clicked by a staff member on November 18th that exhibited stealth redirect tactics. The link initially leads to a Cloudflare Captcha to ‘verify’ the user. When an analyst opened the link in their Chrome browser, they saw the same phishing page captured by the PhishID browser extension. However, when opening the same link in a server sandbox, they were redirected to a Youtube page.

Examples like this illustrate the tools hackers routinely use to evade detection from security sandboxes embedded in email protection. First, the link requires a human action to resolve. Second, the link will only resolve the phishing attack when clicked on a user device. Simultaneously, a security sandbox is redirected to a Rick Astley music video.

We observed ongoing multi-channel phishing attacks delivered via non-email document-sharing platforms like OneDrive, specifically targeting staff members.

This attack had similar patterns to those observed in October targeting districts in Texas, Colorado, and Idaho.

Actions 

• Remember to add these domains to your block lists, spam filters, and web content filters

• Focus awareness efforts on high-risk credentials (staff and students)

• Deploy PhishID to protect credentials from targeted spear phishing campaigns

• Prioritize phishing awareness efforts for high-priority staff

• Educate users that multi-factor authentication is not a phishing panacea

• Encourage users to double-check the domain even if the page is requesting a multi-factor one-time-password