NEW PHISHING CAMPAIGN: TAKING THE BAIT 

by | May 28, 2024

Phishing. For the past decade, phishing has remained a stalwart among attack vectors due to its alarming adaptability and effectiveness. The 2024 Data Breach Investigations Report (DBIR) from Verizon highlights a significant surge in phishing attacks that exploit both human psychology and technical vulnerabilities. This evolution underscores a disturbing trend: attackers are no longer just casting wide nets but are instead using precisely targeted tactics that mimic legitimate business communications almost indistinguishably. 

Initiated through a compromised legitimate website, this campaign leveraged severe vulnerabilities within widely used WordPress plugins to establish a command and control infrastructure. This campaign’s hallmark was its precision—targeting specific individuals within organizations through emails meticulously crafted to mirror legitimate corporate communications, thus maximizing the likelihood of credential theft. 

As phishing tactics become increasingly sophisticated, blending seamlessly into daily workflows and exploiting trusted relationships, our research emphasizes the critical need for organizations to advance their defensive strategies. This involves not only bolstering technical defenses but also significantly enhancing employee awareness and training to recognize and resist these ever-evolving threats. 

Initiation and Setup 

The campaign began by selecting nocoastsushi.com, an innocuous sushi restaurant website, compromised by exploiting several vulnerabilities identified in the widely used WordPress plugins: 

  • FORMIDABLE 6.1.1: Unauthenticated PHP Object Injection (CVE-2023-6842) 
  • JS_COMPOSER 6.6.0: WPBakery Page Builder XSS (CVE-2023-31213) 
  • LAYERSLIDER 6.11.2: Admin+ Stored XSS (CVE-2024-2879) 
  • REVSLIDER 6.2.22: Author+ Remote Code Execution (CVE-2024-2306) 

This foundation allowed for the discreet setup of phishing operations under the guise of a legitimate website’s infrastructure. 

Execution of the Phishing Campaign 

The phishing emails originating from this infrastructure were notably advanced. Crafted to resemble legitimate SharePoint notifications, they effectively exploited the trust and routine behaviors of corporate employees. Demonstrating a high degree of customization, these emails used the actual nicknames of employees and closely mimicked the internal formatting and language typical of the targeted organizations. This level of detail suggests a thorough reconnaissance phase and a deliberate strategy to reduce suspicion while enhancing the likelihood of employee engagement. 

Email Example: 

  • Subject: “<Domain Admin> shared ‘Contract- AgreementIhfmS’ with you.” 
  • Content: The emails contained a deceptive link, ostensibly leading to a SharePoint document but actually redirecting recipients to a phishing page designed to harvest credentials. 

Sophistication in Deception 

The emails and phishing pages showcased an alarming level of precision in mimicking the internal communications and branding of targeted organizations. Each phishing page was tailored to reflect the unique aspects of the spoofed entity, from logos to specific organizational CAPTCHAs, enhancing the deception’s effectiveness. The phishing sites incorporated real CAPTCHAs and links to actual social media accounts, adding layers of authenticity to their phishing attempts. 

Impact and Insights 

Other than the campaign’s dual focus on exploiting technical vulnerabilities and human psychology, this attack also showcased several noteworthy tactics that underline its sophistication and targeted nature: 

Credibility Through Compromise: By dispatching phishing emails from a compromised email account belonging to a reputable healthcare organization, the attackers significantly reduced the likelihood of detection by reputation-based email filtering systems. This tactic leveraged the inherent trust in the compromised organization to bypass security measures. 

Strategic Victim Selection: These phishing attacks’ primary targets were back office employees and sales executives, who likely have access to critical organizational data and systems. This choice of targets underscores the attackers’ strategic aim to maximize potential access to sensitive information and systems. 

Lowering the guards: The emails prominently displayed support for the LGBTQ community through a genuine commercial. This inclusion was likely aimed at resonating positively with recipients, leveraging societal values and the organization’s legitimate advocacy efforts to increase the likelihood of engaging with the phishing content. 

Here are the IoCs related to this campaign: (Write ‘IoCs related to the attack’) 

  • msonlineencrypt./com 
  • 0e368b25357b8c6ad3c8a63d43f9de1f 
  • 172.67.176./88 
  • 104.21.80./85 
  • MD5 3cde68f25007cac0f16b787cd7d59053  
  • SHA-1 757d6aa28f9bba8da67da3bbde9f8700eb96161f 
  • SHA-256 17341bd207b912e2e504d1a9194f2cca462860a1ba72bec02d09bd45566d7f4e 

Despite public reputation services dismissing these threats as benign and native email solutions failing to detect their malicious nature, only the most advanced third-party threat protection systems were effective in recognizing and mitigating the phishing attacks. 

Conclusion 

This investigation into a particularly sophisticated phishing campaign highlights a critical lesson: despite public reputation services dismissing these threats as benign and native email solutions failing to detect their malicious nature, only the most advanced third-party threat protection systems were effective in recognizing and mitigating the phishing attacks. This revelation serves as a stark reminder of the ongoing cyber security arms race, where success hinges on our ability to continuously outpace the cunning strategies employed by cyber adversaries. 

To navigate this challenging environment, organizations must adopt a proactive and holistic approach to cyber security. This includes deploying multi-layered security solutions, conducting regular security control assessments, and committing to comprehensive training to enhance threat awareness and preparedness across all levels of the organization. By embodying the principles of continuous improvement and vigilance, we empower ourselves to anticipate, adapt, and effectively counter the sophisticated maneuvers of cyber adversaries. 

Veriti was able to detect the malicious activity by analyzing the detections from the different security controls and enforced automatically a protection from this campaign cross the security stack – enabling the relevant protections from it. 

Get your security controls assessment now


Recommended Articles

Subscribe to our BLOG

Get the latest security insights, news and articles delivered to your inbox.

Product

Product Overview

Maximize security posture while ensuring business uptime

Odin

AI-Powered Contextual Cybersearch

Automated Security Controls Assessment

Validate your security control

Integrations

Connect Veriti with your security solutions

Use Cases

Agentless OS-Level Remediation

Proactively safeguard your systems directly at the OS-Level on the endpoint

Vulnerability Remediation

Safely remediate vulnerabilities in one click

Business Continuity

Reduce alert fatigue. Increase Security Effectiveness

MISCONFIGURATION MANAGEMENT

Proactively neutralize misconfigurations to minimize exposure risks

Mobilizing Threat Remediation

Identify and mobilize threat remediation across the security stack automatically.

GENERATIVE AI SECURITY

Chat with your environment to cut MTTR times drastically

Solutions

Safe Remediation

Ensure remediation actions do not give rise to additional exposures

MITRE ATT&CK®

Quickly respond to live threats with safe and precise remediation

VERITI FOR Enterprises

Increase business outcomes

VERITI FOR MSSPs

Efficiently manage multiple clients in a consolidated platform

VERITI FOR HEALTHCARE

Neutralize security gaps without impacting healthcare operations

VERITI FOR MANUFACTURING

Protect the heart of your production processes

SEC AND THE BUSINESS

A security pro’s guide to exposure assessments and remediation

 

Read Whitepaper >>

Resources

See all resources

Blog

Veriti's security blog

Downloads

The latest guides, white papers and infographics

Events

Live event and on-demand webinars

Glossary

Our Comprehensive Definitions Guide

MASTERING MODERN OS-LEVEL SECURITY: THE AGENTLESS APPROACH

WATCH NOW>>

Our Story

Learn about Veriti

Careers

Work with us

Newsroom

Our latest updates

Contact US

Get in touch

CHANNEL PARTNERS

Become a partner

MSSPs

Reduce operational costs