
Phishing attacks Verify Victim Emails Before Credential Theft in Real Time


A new credential phishing technique checks, in real time, that a victim's email address belongs to a legitimate online account before attempting to steal the password, according to cybersecurity researchers.

Cofense calls the technique precision-validating phishing, because it uses real-time email validation so that only pre-selected, high-value targets are ever shown the bogus login screen.

“This tactic not only gives the threat actors a higher success rate on obtaining usable credentials as they only engage with a specific pre-harvested list of valid email accounts,” the firm stated.

Unlike “spray-and-pray” credential harvesting campaigns, which bulk-distribute spam to steal login information from anyone who responds, this spear-phishing attack engages only active, legitimate, high-value email addresses.


After the victim enters their email address on the phishing landing page, the kit checks that address against the attacker's database and, only if it is found, displays a fake login page. If the address is not in the database, the page returns an error or redirects the user to Wikipedia, so that an analyst or crawler never sees the credential form.

The phishing kit performs this check, through an API- or JavaScript-based validation service, before it ever asks for the password.

“It increases the efficiency of the attack and the likelihood that stolen credentials belong to real, actively used accounts, improving the quality of harvested data for resale or further exploitation,” stated Cofense.

These attacks are difficult for automated security crawlers and sandbox environments to assess, because without a valid, pre-harvested address they cannot get past the validation check and therefore never reach the credential-stealing page. This targeted technique reduces the attacker's risk of detection and extends the lifetime of the phishing campaign.
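One defensive angle the description above suggests: the kit's fallback behaviour (a form submission answered with a redirect to Wikipedia) is itself a signal in web proxy logs. The following is an added example, not Cofense's code or anything from the original report; it assumes a hypothetical proxy log format and uses constructed sample lines and invented domains.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hypothetical proxy log format (constructed for this example):
# <ISO timestamp> <client ip> <method> <url> <status> <Location header or ->
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\S+)$")

# Constructed sample traffic: 10.0.0.5 submits an address that the kit rejects
# and is bounced to Wikipedia; 10.0.0.7 is an ordinary internal form POST.
SAMPLE_LOG = """\
2025-04-10T09:12:01Z 10.0.0.5 GET https://docs-verify.example/login 200 -
2025-04-10T09:12:09Z 10.0.0.5 POST https://docs-verify.example/check 302 https://en.wikipedia.org/
2025-04-10T09:12:10Z 10.0.0.5 GET https://en.wikipedia.org/ 200 -
2025-04-10T09:15:00Z 10.0.0.7 POST https://intranet.example/search 302 https://intranet.example/results
"""

def _host(url):
    return urlparse(url).hostname or ""

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, location = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method, "url": url, "status": int(status),
            "location": None if location == "-" else location}

def find_validation_bounces(log_text, window=timedelta(seconds=30)):
    """Return (client, host) pairs where a form POST to `host` was answered with a
    3xx to wikipedia.org and the same client landed on Wikipedia within `window`.
    Such a bounce after a form submission is the kit's 'unknown address' path."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    hits = []
    for i, e in enumerate(events):
        if e["method"] != "POST" or not 300 <= e["status"] < 400 or not e["location"]:
            continue
        if not _host(e["location"]).endswith("wikipedia.org"):
            continue
        # Confirm the client actually followed the redirect shortly afterwards.
        followed = any(f["client"] == e["client"] and f["method"] == "GET"
                       and _host(f["url"]).endswith("wikipedia.org")
                       and timedelta(0) <= f["ts"] - e["ts"] <= window
                       for f in events[i + 1:])
        if followed:
            hits.append((e["client"], _host(e["url"])))
    return hits
```

Flagged hosts are candidates for review, not verdicts: a legitimate site could redirect to Wikipedia after a form post, so correlate with the preceding email's sender and URL reputation.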

The cybersecurity firm also identified an email phishing campaign that uses file deletion reminders as a lure to steal passwords and distribute malware.

The two-pronged attack uses an embedded URL that appears to lead to a PDF file scheduled for deletion on files.fm. If the recipient clicks the link, they can retrieve the PDF from files.fm.

When opened, the PDF offers two options: preview or download. Choosing preview sends the user to a fraudulent Microsoft login screen, where the attackers capture their credentials. Choosing download drops an application that claims to be Microsoft OneDrive but is in fact ConnectWise's ScreenConnect remote desktop software.

“It is almost as if the threat actor intentionally designed the attack to trap the user, forcing them to choose which ‘poison’ they would fall for,” he said. “Both options lead to the same outcome, with similar goals but different approaches to achieving them.”

The discoveries follow the disclosure of a complex multi-stage attack that combines vishing, remote access tooling, and living-off-the-land techniques to achieve initial access and persistence. The tradecraft seen in this activity matches the patterns associated with the Storm-1811 and STAC5777 clusters.

“The threat actor exploited exposed communication channels by delivering a malicious PowerShell payload via a Microsoft Teams message, followed by the use of Quick Assist to remotely access the environment,” stated Ontinue. “This led to the deployment of signed binaries (e.g., TeamViewer.exe), a sideloaded malicious DLL (TV.dll), and ultimately a JavaScript-based C2 backdoor executed via Node.js.”
