PhishWire - Sept 16 2024

September 16, 2024

At the start of September, aggressive spearphishing campaigns targeted staff and administrators across the country. These campaigns included multi-factor phishing, delivery in Adobe files, and custom login experiences. Below are some examples and highlights.

a0ueftsev[.]online

mastereviteconboxtothenework[.]me

entertechinno[.]sa[.]com

sawingki[.]top

x2xintegrations[.]com

onedrivdocument[.]weebly[.]com

server-home-100771[.]weeblysite[.]com

Multi-Factor Authentication Phishing

On September 9th, PhishID caught a spearphish clicked by a district staff member targeting their email credentials. 

x2xintegrations[.]com/

The phishing page included a multi-factor authentication phishing kit similar to those published in our earlier threat report. Had PhishID not blocked the site, the unsuspecting staff member would have been at risk of entering their password onto a fake login page. Upon password submission, the phishing site would forward the stolen password to the real email login page and, at the same time, redirect the staff member to a one-time password (OTP) page for their multi-factor authenticator app. The real Microsoft login page would then send the actual OTP to the user’s authenticator app. From there, the unsuspecting user would enter their real OTP into the fake phishing site. As discussed in the threat report, “multi-factor bypass” tools like this have become commonplace.

Chameleon Phish

The same week, three district administrators clicked the phishing domain entertechinno[.]sa[.]com, which was targeting email credentials. Like a chameleon, this attack customizes the password page images and logos to match the district of the user name. Upon clicking the domain, a user first faces a fake Cloudflare captcha to boost its legitimacy and then is directed to a typical Microsoft login page asking only for an email. 

Upon an email being submitted, the phishing page then uses the email domain and customizes a password phishing page with matching images–all in real-time. The above example uses fictional schools to illustrate the different login experiences. Despite its clear dangers, even days after PhishID blocked the attacks, VirusTotal still marked the domain as safe. While multi-factor authentication is a necessary component of modern phishing protection, remember to educate users that it is not a phishing panacea.

Phish ID also detected numerous spearphish attacks during this period that were clicked outside email in applications like Google Docs and Adobe. Fortunately, because PhishID operates in the browser, it can protect users no matter where the links are clicked.

Actions 

• Add these domains to your block lists

  • a0ueftsev[.]online

  • mastereviteconboxtothenework[.]me

  • entertechinno[.]sa[.]com

  • sawingki[.]top

  • x2xintegrations[.]com

  • onedrivdocument[.]weebly[.]com

  • Server-home-100771[.]weeblysite[.]com

• Focus awareness efforts on high-risk credentials (staff and students)

• Deploy PhishID to protect credentials from targeted spearphishing campaigns

• Educate users to double-check the domain even if the page is requesting a multi-factor OTP