Senior executives working at US-based organizations are being targeted by a new phishing campaign that leverages a popular adversary-in-the-middle (AiTM) phishing toolkit called EvilProxy to conduct credential harvesting and account takeover attacks.
Menlo Security said the activity began in July 2023, primarily singling out the banking and financial services, insurance, property management and real estate, and manufacturing sectors.
“Threat actors exploited an open redirect vulnerability in the job search platform ‘indeed.com’, redirecting victims to malicious phishing pages impersonating Microsoft,” said security researcher Ravisankar Ramprasad in a report published last week.
EvilProxy, first documented by Resecurity in September 2022, works as a reverse proxy that sits between the target and a legitimate login page to intercept credentials, two-factor authentication (2FA) codes, and session cookies, which are then used to hijack accounts of interest.
Microsoft tracks the threat actors behind the AiTM phishing kit under the name Storm-0835, who are estimated to have hundreds of customers.
“These cybercriminals pay monthly license fees ranging from US$200 to US$1,000 and conduct daily phishing campaigns,” the tech giant said. “Because so many threat actors use these services, it is not practical to attribute campaigns to specific actors.”
In the latest set of attacks documented by Menlo Security, victims receive phishing emails with a deceptive link pointing to Indeed, which, in turn, redirects the individual to an EvilProxy page to collect entered credentials.
This is achieved by exploiting an open redirect flaw, which occurs when a failure to validate user input causes a vulnerable website to redirect users to arbitrary web pages, bypassing security barriers.
“The ‘t.indeed.com’ subdomain has parameters to redirect the customer to another destination (example.com),” Ramprasad said.
“The parameters in the URL that follow the ‘?’ are a combination of parameters unique to Indeed.com and the destination parameter whose argument consists of the destination URL. Therefore, the user clicking on the URL ends up being redirected to example.com. In a real attack, the user would be redirected to a phishing page.”
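The redirect flaw described above comes down to a tracking endpoint that forwards the user to whatever URL it finds in a query parameter. The following Python is an added illustration, not code from Indeed, Menlo Security or the article, of the vulnerable pattern next to a hardened allow-list version. The parameter name `destination`, the tracking host `t.example.com` and the allow-listed hosts are all assumptions constructed for the example.

```python
from urllib.parse import urlparse, parse_qs, urljoin

# Hosts this service is willing to send users to. Constructed for the example;
# a real deployment would load this from configuration.
ALLOWED_HOSTS = {"www.example.com", "jobs.example.com"}
SITE_ORIGIN = "https://www.example.com"
DEFAULT_LANDING = SITE_ORIGIN + "/"


def destination_param(tracking_url: str) -> str:
    """Pull the (assumed) 'destination' parameter out of a tracking link."""
    query = parse_qs(urlparse(tracking_url).query)
    return query.get("destination", [""])[0]


def unsafe_redirect_target(tracking_url: str) -> str:
    """The open-redirect pattern: trust the parameter and send the user there."""
    return destination_param(tracking_url) or DEFAULT_LANDING


def is_allowed_destination(candidate: str) -> bool:
    """Allow-list check used by the hardened handler."""
    if not candidate:
        return False
    # Browsers treat backslashes as forward slashes; normalise before parsing
    # so that a backslash-prefixed value cannot pass as a relative path.
    candidate = candidate.replace("\\", "/")
    parsed = urlparse(candidate)
    # Same-site relative path: no scheme, no host, a single leading slash.
    if not parsed.scheme and not parsed.netloc:
        return candidate.startswith("/") and not candidate.startswith("//")
    # Anything else must be https to an allow-listed host. .hostname (not
    # .netloc) discards userinfo and port, so "trusted@other" resolves to
    # "other" and is compared against the allow-list as such.
    if parsed.scheme != "https":
        return False
    try:
        port_ok = parsed.port in (None, 443)
    except ValueError:  # malformed port component
        return False
    return port_ok and parsed.hostname in ALLOWED_HOSTS


def safe_redirect_target(tracking_url: str) -> str:
    """Hardened handler: validated destinations only, otherwise the default page."""
    candidate = destination_param(tracking_url)
    if not is_allowed_destination(candidate):
        return DEFAULT_LANDING
    # Relative paths resolve against our own origin; absolute ones are kept as-is.
    return urljoin(SITE_ORIGIN + "/", candidate.replace("\\", "/"))


if __name__ == "__main__":
    # Constructed tracking link carrying an off-site destination.
    link = "https://t.example.com/r?campaign=123&destination=https%3A%2F%2Fevil.example%2Flogin"
    print("unsafe:", unsafe_redirect_target(link))
    print("safe:  ", safe_redirect_target(link))
```

The hardened handler treats the parameter as data to be checked against a fixed list of hosts rather than as a URL to be honoured; exact host matching (not substring or prefix matching) is what keeps lookalike and credential-prefixed hostnames out, and resolving relative paths against the site's own origin means the handler never emits a URL it did not construct itself.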
The development comes as threat actors are leveraging Dropbox to create fake login pages with embedded URLs that, when clicked, redirect users to fake sites designed to steal Microsoft account credentials as part of a business email compromise (BEC) scheme.
“It’s yet another example of hackers using legitimate services in what we call BEC 3.0 attacks,” Check Point said. “These attacks are incredibly difficult to stop and identify, both for security services and end users.”
Microsoft, in its Digital Defense Report, noted how “threat actors are adapting their social engineering techniques and use of technology to carry out more sophisticated and costly BEC attacks” by abusing cloud-based infrastructure and exploiting trusted business relationships.
It also comes as the Police Service of Northern Ireland warned of a rise in qishing emails, which involve sending an email with a PDF document or PNG image file containing a QR code in an attempt to bypass detection and trick victims into visiting malicious sites and credential harvesting pages.