Cybercriminals are using new techniques to increase their chances of success in targeted phishing attacks against various organizations. Undoubtedly, online phishing scams are rising, causing significant losses to businesses and individuals. Here are the latest developments related to email security.
TA453 Utilizes Multi-Persona Impersonation (MPI) Tactic in Latest Phishing Attacks
The Iranian threat actor TA453 recently adopted a phishing technique that Proofpoint calls Multi-Persona Impersonation (MPI): several attacker-controlled personas and email accounts take part in the same thread, producing a realistic multi-party conversation that is hard for the target to recognize as a lure.
The MPI phishing technique
Researchers from Proofpoint state that MPI exploits social proof, the psychological tendency to trust what others appear to endorse, and so adds an element of authenticity to the lure. It also demands more effort from the attacker: every persona's mailbox has to be monitored (where applicable) and the conversation with the target kept consistent and realistic.
How did threat actors fake scenarios?
The researchers described three instances of the MPI technique:
- In the first case, the sender posed as the Director of Research at FRPI and CCed a purported Director of Global Attitudes Research at the PEW Research Center on an email forwarded to the target.
- The second case involved personas posing as genome-research scientists. The CCed persona sent a OneDrive link that downloaded a document containing malicious macros.
- In the third attack, the group targeted two academics specializing in nuclear arms control and CCed three personas to make the exchange look more credible.
Researchers warn that organizations should remain alert when receiving emails from unknown or suspicious senders, and that techniques like MPI will keep evolving to cause greater harm.
EvilProxy Phishing Toolkit Found on Dark Web Forums
A new Phishing-as-a-Service (PhaaS) kit called EvilProxy (also known as Moloch) has been offered for sale on dark web forums, Resecurity has reported.
In its advisory, Resecurity explains that EvilProxy uses reverse-proxy and cookie-injection methods to bypass two-factor authentication (2FA): the kit sits between the victim and the genuine login page, relays the credentials and the one-time code to the real service, and captures the authenticated session cookie, which the attacker can then inject into their own browser. The advisory notes that cyber-espionage groups and advanced persistent threat (APT) actors have used such techniques before.
“However, EvilProxy is the successful productization of these methods, highlighting the significance of growing attacks against MFA authorization mechanisms and online services,” Resecurity wrote.
Resecurity adds that, while investigating ongoing attacks against employees of several Fortune 500 companies, it obtained substantial knowledge of EvilProxy, including its modules, functions, structure, and network infrastructure.
The researchers identified early occurrences of EvilProxy in attacks against Microsoft and Google customers who had MFA enabled on their accounts (SMS codes or authenticator app tokens). Establishing a timeline, they said the kit first surfaced in early May 2022, when its operators released a video demonstrating how it can be used to deliver advanced phishing links.
These threat actors can use it to compromise consumer accounts on Apple, Instagram, Microsoft, Facebook, Google, and Twitter, among others.
Users Alerted as Phishing Campaigns Exploit Queen Elizabeth II’s Passing
Experts warned that threat actors are using the Queen’s death as a lure to phish for Microsoft credentials. Proofpoint posted a screenshot of a spoofed email that appeared to come from Microsoft. Under the subject line “In Memory of Her Majesty, Queen Elizabeth II,” the email claimed that Microsoft was launching an “AI memory board” in her honour and asked recipients to help make it work.
Victims were told to click a link in the email, which led to a page asking them to enter their email credentials. Proofpoint warned that the attempt was sophisticated enough to bypass multi-factor authentication (MFA).
Proofpoint researchers added that the campaign used an adversary-in-the-middle (also called man-in-the-middle, MITM) phishing framework: a reverse proxy served a custom landing page to each victim while relaying the login to the real Microsoft service, so the MFA challenge the victim completed was genuine and the resulting authenticated session, along with the credentials, ended up with the attackers.
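The reverse-proxy mechanism behind both EvilProxy and the Queen-themed campaign is easiest to see in a small simulation. The following is an added example, not code from Resecurity, Proofpoint, Microsoft or the EvilProxy kit: a constructed identity provider, a constructed victim account, an EvilProxy-style relay that keeps a copy of every session cookie the real service sets, and a phishing-resistant alternative. The origins, user, password, TOTP seed and credential key are all constructed, and the "authenticator" signs with HMAC as a stand-in for a real WebAuthn key pair; the real kit does the same relaying at the HTTP layer rather than through function calls.

```python
"""Simulated adversary-in-the-middle (AitM) reverse-proxy phishing (added example).
Shows why relaying the login defeats SMS/TOTP codes but not origin-bound WebAuthn."""
import hashlib
import hmac
import secrets

LEGIT_ORIGIN = "https://login.example-idp.test"                 # constructed
PHISH_ORIGIN = "https://login.example-idp.test.evilproxy.test"  # constructed look-alike


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP. TOTP (RFC 6238) is HOTP with counter = floor(unix_time / 30)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class IdentityProvider:
    """The genuine login service: checks both factors, then issues a session cookie."""

    def __init__(self):
        # Constructed account: password, TOTP seed and a registered WebAuthn credential key.
        self.users = {"alice": {"password": "correct-horse-battery",
                                "totp_secret": b"constructed-totp-seed",
                                "cred_key": b"constructed-credential-key"}}
        self.sessions = {}       # cookie -> user
        self.challenges = set()  # outstanding WebAuthn challenges

    def login_password_totp(self, user, password, code, counter):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return None
        if not hmac.compare_digest(hotp(rec["totp_secret"], counter), code):
            return None
        return self._issue_session(user)

    def issue_challenge(self):
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def login_webauthn(self, user, client_data, signature):
        """Verify the assertion and, crucially, that the signed origin is ours."""
        rec = self.users.get(user)
        if rec is None:
            return None
        expected = hmac.new(rec["cred_key"], client_data.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        challenge, origin = client_data.split("|", 1)
        if challenge not in self.challenges or origin != LEGIT_ORIGIN:
            return None  # origin mismatch: the user authenticated to some other site
        self.challenges.discard(challenge)
        return self._issue_session(user)

    def _issue_session(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie


def authenticator_assert(cred_key, challenge, browser_origin):
    """Browser + authenticator side. The browser writes the origin of the page the user is
    actually on into the client data; the phishing page cannot alter it. HMAC stands in
    for the authenticator's private-key signature (simplification for this example)."""
    client_data = f"{challenge}|{browser_origin}"
    return client_data, hmac.new(cred_key, client_data.encode(), hashlib.sha256).digest()


class AitMProxy:
    """EvilProxy-style reverse proxy: relays each request to the real IdP and keeps a copy
    of the session cookie it sets. The victim is really logged in and notices nothing."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.harvested = []  # cookies to replay ("inject") in the attacker's own browser

    def _relay(self, cookie):
        if cookie is not None:
            self.harvested.append(cookie)
        return cookie

    def relay_challenge(self):
        return self.upstream.issue_challenge()  # passed through unchanged

    def relay_password_totp(self, user, password, code, counter):
        return self._relay(self.upstream.login_password_totp(user, password, code, counter))

    def relay_webauthn(self, user, client_data, signature):
        return self._relay(self.upstream.login_webauthn(user, client_data, signature))


def run_scenarios():
    idp = IdentityProvider()
    proxy = AitMProxy(idp)
    alice = idp.users["alice"]
    counter = 1_660_000_000 // 30  # fixed "time" so the run is deterministic

    # 1. Password + TOTP through the proxy: the code is genuine, the IdP accepts it, and
    #    the proxy walks away with a valid session cookie for alice.
    code = hotp(alice["totp_secret"], counter)  # what the victim's authenticator app shows
    cookie = proxy.relay_password_totp("alice", alice["password"], code, counter)
    totp_stolen = cookie is not None and proxy.harvested[-1] == cookie and idp.sessions[cookie] == "alice"

    # 2. WebAuthn through the proxy: the challenge is relayed unchanged, but the browser
    #    signs PHISH_ORIGIN, so the IdP rejects it and there is no cookie to steal.
    cd, sig = authenticator_assert(alice["cred_key"], proxy.relay_challenge(), PHISH_ORIGIN)
    via_proxy = proxy.relay_webauthn("alice", cd, sig)

    # 3. The same credential used directly on the real site is accepted.
    cd, sig = authenticator_assert(alice["cred_key"], idp.issue_challenge(), LEGIT_ORIGIN)
    direct = idp.login_webauthn("alice", cd, sig)

    return {"totp_session_stolen": totp_stolen,
            "webauthn_session_stolen": via_proxy is not None,
            "webauthn_direct_ok": direct is not None}


if __name__ == "__main__":
    print(run_scenarios())
```

The point of the third scenario is the practical takeaway: SMS and app-generated codes are "something the user types", so a proxy that relays them in real time obtains a valid session regardless of how many factors were checked. FIDO2/WebAuthn binds the assertion to the origin the browser is actually on, which the phishing site cannot forge, so the same relay yields nothing. Token-binding or conditional-access policies that tie the session cookie to device state are the complementary control on the server side.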
Sherrod DeGrippo, VP of threat research and detection at Proofpoint, said that phishing actors routinely exploit major news stories such as the Queen’s death and COVID-19.
“Social engineering requires manipulating the target’s emotional state. In the recent case, the attackers attempted to elicit a sense of sadness, grief, or concern by offering a place to share comments and memories in honor of the Queen,” she continued.
Lampion Banking Trojan Returns in a New Phishing Attack
Threat actors behind the Lampion banking trojan have launched a new wave of phishing attacks. The campaign slips past email security checks by hosting the lure on WeTransfer, a well-known legitimate file-sharing service.
About the latest phishing attack
Security researchers at Cofense observed a campaign in which Lampion operators sent phishing emails from compromised accounts asking recipients to download a few documents, including a ‘Proof of Payment’, from WeTransfer.
The download is a ZIP archive containing a VBS script that starts the infection. When the user runs it, the script launches a WScript process that connects to two hardcoded URLs and fetches DLL files; those DLLs install the Lampion banking trojan on the system. The operators use the malware to steal banking details from infected computers, showing victims fake login forms and tricking them into entering their credentials.
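The execution chain just described (script host launched from a downloaded archive, outbound connections to fetch DLLs, DLLs written to disk) is what endpoint telemetry should be correlated on. The following is an added example, not Cofense's tooling and not anything from Lampion itself: a small correlator over Sysmon-style process-create, network-connect and file-create records. The event records, hostnames, GUIDs and file paths are constructed placeholders, not Lampion indicators; the field names follow the Sysmon schema (Event ID 1, 3 and 11).

```python
"""Correlate Sysmon-style events to flag a Lampion-like loader chain (added example).
Flags wscript.exe/cscript.exe running a script from a user-writable folder that then
connects out and writes DLL files. All records below are constructed."""
import re
from collections import defaultdict

WSCRIPT = r"C:\Windows\System32\wscript.exe"

# Constructed Sysmon-style records: Event ID 1 = ProcessCreate, 3 = NetworkConnect, 11 = FileCreate.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": WSCRIPT, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\Downloads\Proof_of_Payment.vbs"'},
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": WSCRIPT,
     "DestinationHostname": "share.example-cloud.test", "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": WSCRIPT,
     "DestinationHostname": "cdn.example-bucket.test", "DestinationPort": 443},
    {"EventID": 11, "ProcessGuid": "{A1}", "Image": WSCRIPT,
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\stage1.dll"},
    {"EventID": 11, "ProcessGuid": "{A1}", "Image": WSCRIPT,
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\stage2.dll"},
    # Benign: a domain logon script from SYSVOL talks to the intranet and drops nothing.
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": WSCRIPT, "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"wscript.exe \\corp.test\SYSVOL\corp.test\scripts\logon.vbs"},
    {"EventID": 3, "ProcessGuid": "{B2}", "Image": WSCRIPT,
     "DestinationHostname": "intranet.corp.test", "DestinationPort": 443},
    # Suspicious but incomplete: a Desktop script connects out, but no DLL has been written (yet).
    {"EventID": 1, "ProcessGuid": "{C3}", "Image": WSCRIPT, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\bob\Desktop\invoice.js"'},
    {"EventID": 3, "ProcessGuid": "{C3}", "Image": WSCRIPT,
     "DestinationHostname": "files.example-host.test", "DestinationPort": 80},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# First drive-letter path on the command line that ends in a script-host extension.
SCRIPT_ARG = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:vbs|vbe|js|jse|wsf))"?', re.IGNORECASE)
# Locations a phishing download or archive extraction typically lands in.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:Downloads|Desktop|AppData\\Local\\Temp)\\", re.IGNORECASE)


def correlate(events):
    """Group events per process GUID and score each script-host process."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[ev["ProcessGuid"]].append(ev)

    alerts = []
    for guid, evs in by_proc.items():
        create = next((e for e in evs if e["EventID"] == 1), None)
        if create is None or create["Image"].rsplit("\\", 1)[-1].lower() not in SCRIPT_HOSTS:
            continue
        m = SCRIPT_ARG.search(create["CommandLine"])
        if m is None or USER_WRITABLE.search(m.group(1)) is None:
            continue  # script not launched from a user-writable location (e.g. SYSVOL logon script)
        hosts = sorted({e["DestinationHostname"] for e in evs if e["EventID"] == 3})
        dlls = [e["TargetFilename"] for e in evs
                if e["EventID"] == 11 and e["TargetFilename"].lower().endswith(".dll")]
        if not hosts:
            continue  # a script that never talks to the network is not this chain
        alerts.append({
            "ProcessGuid": guid,
            "script": m.group(1),
            "hosts": hosts,
            "dropped_dlls": dlls,
            # Download followed by DLL drop matches the loader chain; network alone is weaker evidence.
            "severity": "high" if dlls else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a["severity"].upper(), a["ProcessGuid"], a["script"], a["hosts"], a["dropped_dlls"])
```

Keying the correlation on the process GUID rather than the image name is what keeps the SYSVOL logon script out of the results while still catching the Desktop script that has only reached the download stage. In a real deployment the next step would be to join the dropped-DLL paths against Event ID 7 (ImageLoad) records to confirm the DLLs were actually loaded.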
What makes this campaign harder to block is that the operators rely on more than one legitimate service: besides WeTransfer for the lure, the researchers report that they also use AWS (Amazon Web Services), so the malicious URLs carry the reputation of a trusted cloud provider.
The Lampion trojan, originally aimed at Spanish-speaking users, has gone international in recent years. Researchers believe its distribution picked up rapidly in 2022, with some identifying a hostname link to the LockBit 2.0 and Bazar ransomware operations.