Spam News

SolarWinds Orion Hackers Targeting U.S. Organizations with New Spear Phishing Campaign

Microsoft has discovered a large-scale spear phishing campaign being conducted by the Russian Advanced Persistent Threat (APT) group behind the SolarWinds Orion supply chain attack.

The spear phishing campaign has been active since at least January 2021 and is attributed to the APT group tracked by Microsoft as Nobelium. The group has been experimenting with and trialing various delivery techniques, including leveraging the Google Firebase platform to deliver a malicious ISO file via HTML email attachments that drop a variety of malware payloads.

Nobelium escalated the campaign on May 25, 2021, when it started using the Constant Contact mass-mailing service to distribute messages to targets in a wide range of industry verticals. The latest campaign targeted around 3,000 individual accounts across 150 organizations, most of which were in the United States. Each target had its own unique infrastructure and tooling, which has helped the group stay under the radar.

The attackers gained access to the Constant Contact account of the U.S. Agency for International Development (USAID) and delivered spear phishing messages under the guise of a USAID Special Alert. The messages have a reply-to address on the domain and were sent from the domain.

Example Phishing email. Source: Microsoft

The messages claimed “Donald Trump has published new documents on election fraud”, with the messages including a button to click to view the documents. If the recipient clicks the link in the email, they are directed to the legitimate Constant Contact service, and then redirected to a URL under the control of Nobelium that delivers a malicious ISO file. Within the ISO file are a decoy document, a .lnk shortcut that executes a Cobalt Strike Beacon loader, and a malicious DLL file that is a Cobalt Strike Beacon loader and backdoor dubbed NativeZone by Microsoft.

Once the payloads are deployed, Nobelium gains persistent access to compromised systems and can subsequently complete further objectives such as lateral movement, data exfiltration, and the delivery of additional malware.

A previous campaign in May also used the combination of HTML and ISO files, which dropped a .NET first-stage implant – TrojanDownloader:MSIL/BoomBox – that was used for reconnaissance and to download additional malicious payloads from Dropbox.

The phishing campaign is being investigated by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). Constant Contact issued a statement confirming that the account credentials of one of its customers were compromised. “This is an isolated incident, and we have temporarily disabled the impacted accounts while we work in cooperation with our customer, who is working with law enforcement,” said Constant Contact.

Microsoft has warned that the tactics, techniques, and procedures used by Nobelium have had a high rate of evolution. “It is anticipated that additional activity may be carried out by the group using an evolving set of tactics,” warned Microsoft.

Microsoft has published Indicators of Compromise (IoCs) and has suggested several mitigations that can reduce the impact of this threat, including the use of antivirus software, enabling network protection to prevent applications or users from accessing malicious domains, and implementing multi-factor authentication to prevent the use of compromised credentials.

The post SolarWinds Orion Hackers Targeting U.S. Organizations with New Spear Phishing Campaign appeared first on HIPAA Journal.

New Report Provides Deep Dive into COVID-19 Themed Phishing Tactics

In early 2020, phishers started to take advantage of the pandemic and switched from their standard lures to a wide variety of pandemic-related themes for their campaigns. To coincide with the one-year anniversary of the pandemic, researchers at the Palo Alto Networks Unit 42 Team analyzed the phishing trends over the course of the past year to review the changes in the tactics, techniques, and procedures (TTPs) of phishers and the extent to which COVID-19 was used in their phishing campaigns.

The researchers analyzed all phishing URLs detected between January 2020 and February 2021 to determine how many had a COVID-19 theme, using specific keywords and phrases related to COVID-19 and other aspects of the pandemic. The researchers identified 69,950 unique phishing URLs related to COVID-19 topics, with almost half of those URLs directly related to COVID-19.

Phishing campaigns were promptly adapted to the latest news and thoughts on the coronavirus and closely mirrored the latest pandemic trends. Following the World Health Organization’s declaration of the pandemic in March 2020 there was a global shortage of personal protective equipment (PPE) and testing kits, and phishing campaigns were launched offering access to stocks. Government stimulus programs were then launched, and phishing campaigns were quickly adapted to include lures related to those programs. For instance, the volume of phishing emails related to COVID-19 online test kits closely followed the popularity of test kit-related searches on Google.

Source: Palo Alto Networks COVID19 Phishing Report

Throughout the pandemic, the websites of genuine vendors of COVID-19 test kits were targeted. Access to the sites was gained and phishing kits were uploaded to steal credentials. In December 2020, when the vaccine rollout started, campaigns switched to vaccine related lures using domains that spoofed vaccine developers such as Pfizer, BioNTech and others. The websites of pharmaceutical companies were targeted and had phishing content added related to vaccines. Between December 2020 and February 2021, vaccine-related phishing scams increased by 530%.

One of the techniques employed by phishers to evade security solutions is to use a two-step process on their phishing websites that requires the visitor to first click to log in before being presented with the phishing form – a tactic called client-side cloaking. Many anti-phishing solutions will visit the URL linked in an email to assess the content but will only check the landing page for phishing content. By using client-side cloaking, the malicious content is less likely to be detected.

The report highlights the opportunistic nature of phishers. They will rapidly change their TTPs in response to new trends and use lures that are likely to get the best response, including changing targets. Between December 2020 and February 2021, phishing attacks targeting pharmacies and hospitals increased by 189% as phishers switched to targeting healthcare employees to steal their credentials.

Throughout the pandemic, Microsoft was the brand most targeted by attackers. More than 23% of COVID-19 phishing URLs targeted Microsoft credentials. Fake Microsoft login pages were set up to steal the Microsoft 365 credentials of employees at pharmaceutical firms and pharmacies. When Microsoft credentials are obtained, they can be used to access email accounts to send phishing emails from genuine pharmacy and pharma company domains, increasing the chance of those emails being delivered and acted upon by the recipients. Targeted companies include Walgreens in the US, Pharmascience in Canada, Glenmark Pharmaceuticals in India, and Junshi Biosciences in China.

Currently, large numbers of phishing emails are being sent related to vaccines and as more individuals try to get themselves and their family members registered for immunization, vaccine-related phishing scams are likely to continue.

“Individuals should continue to exercise caution when viewing any emails or websites claiming to sell any goods or services or provide any benefits related to COVID-19. If it seems too good to be true, it most likely is,” warned the Unit42 researchers. “Employees in the healthcare industry in particular should view links contained in any incoming emails with suspicion, especially from emails trying to convey a sense of urgency.”


Free Google Services Abused in Phishing Campaigns

Several phishing campaigns have been identified that are using free Google services to bypass email security gateways and ensure malicious messages are delivered to inboxes.

Phishing emails often include hyperlinks that direct users to websites hosting phishing forms that harvest credentials. Email security gateways use a variety of methods to detect these malicious hyperlinks, including blacklists of known malicious websites, scoring of domains, and visiting the links to analyze the content on the destination website. If the links are determined to be suspicious or malicious, the emails are quarantined or rejected. However, by using links to legitimate Google services, phishers are managing to bypass these security measures and ensure their messages are delivered.

The use of Google services by phishers is nothing new; however, security researchers at Armorblox have identified an uptick in this activity that has coincided with increased adoption of remote working. The researchers identified 5 campaigns abusing free Google services such as Google Forms, Google Drive, Google Sites, and Google Docs. It is not just Google services that are being abused, as campaigns have been detected that abuse other free cloud services such as Microsoft OneDrive, Dropbox, Webflow, SendGrid, and Amazon Simple Email Service.

One of the campaigns impersonated American Express, with the initial message requesting account validation as the user was found to have missed information when validating their card. The emails direct the user to a phishing page created using Google Forms. The form includes the official American Express logo and a short questionnaire requesting information that can be used by the attackers to gain access to their credit card account – login information, phone number, card number and security code, and security questions and answers.

Since the link in the email directs the user to Google Forms – a legitimate Google domain and service – it is unlikely that an email security gateway would identify the URL as malicious. “Google’s domain is inherently trustworthy and Google forms are used for several legitimate reasons, no email security filter would realistically block this link on day zero,” explained the Armorblox researchers.

Another campaign used Google Forms in a classic phishing lure. The emails appear to have been sent by a childless widow who has been diagnosed with terminal cancer. She is looking to donate her fortune to good causes, with the recipient of the message told that the widow would like them to make donations to good causes on her behalf. The hyperlink directs the user to an untitled Google Form. Should anyone proceed and submit an answer to the untitled question, they will be shortlisted for further extortion attempts.

A campaign was detected that used a fake email login page hosted on Google’s Firebase mobile platform, which is used to create apps and to host files and images. The emails in this campaign impersonate the security team and claim important emails have not been delivered because the email storage quota has been exceeded. The campaign targets email login credentials. The link to Firebase would be unlikely to be identified as malicious since it is a legitimate cloud storage repository.

Google Docs has also been abused in a campaign in which the payroll team is impersonated, with the Google Docs document containing a link to a phishing page where sensitive information is harvested. Since the initial link is to a legitimate and commonly used Google service, it is unlikely to be blocked by email security solutions. While some email solutions would be able to identify the malicious link in the Google-hosted document, various redirects are used to obfuscate the malicious link.

A campaign was also identified that impersonated the user’s IT department security team and Microsoft Teams, using a fake Microsoft login page hosted on Google Sites. Google Sites is a legitimate service that allows individuals to easily create webpages, but in this case has been used to create a webpage hosting a phishing form, complete with the genuine Microsoft logo.

Campaigns abusing trust in Google Docs have also been identified by researchers at Area 1 Security. The messages in that campaign impersonated the HR department and claimed the recipient had been terminated, with the Google Docs document providing details of the termination and severance pay. The document contains a malicious macro that, if allowed to run, will download the Bazar Backdoor and Buer loader malware. IRONSCALES also recently reported that around half of all sophisticated phishing campaigns were successfully bypassing the leading email security gateways.

The campaigns range from highly targeted attacks on specific groups of individuals, such as HR and payroll departments, to untargeted large-scale ‘spray and pray’ campaigns to obtain as many credentials as possible, using more general lures.

These campaigns highlight the need for advanced security solutions that are capable of identifying and blocking phishing emails that abuse legitimate cloud services and the need for ongoing security awareness training for employees to help them identify phishing emails that evade detection by their organization’s cybersecurity defenses.


Phishing Incidents Reported by Connecticut Department of Social Services, Mercy Iowa City and LSU Care Services

Connecticut Department of Social Services (DSS) has reported a potential breach of the protected health information of 37,000 individuals as a result of a series of phishing attacks that occurred between July and December 2019.

Several email accounts were compromised and were used to send spam emails to several DSS employees, the investigation of which confirmed the phishing attacks. A comprehensive investigation was conducted using state information technology resources and a third-party forensic IT firm, but no evidence was found to indicate the attackers had accessed patient information in the email accounts. According to the DSS breach notice, “Due to the large volume of emails involved and the nature of the phishing attack, the forensic efforts could not determine with certainty that the hackers did not access personal information.”

Identity theft protection services have been offered to affected individuals as a precaution and steps have been taken to improve email security and better protect against phishing attacks in the future.

More Than 92,000 Individuals Affected by Mercy Iowa City Phishing Attack

Mercy Iowa City has started notifying 92,795 individuals that some of their protected health information was potentially compromised in a phishing attack. The attack involved a single email account which was accessed by an unauthorized individual between May 15, 2020 and June 24, 2020. The email account was used to send spam and phishing emails.

A review of the compromised account revealed it contained names, dates of birth, Social Security numbers, driver’s license numbers, treatment information, and health insurance information. Individuals whose driver’s license number or Social Security number were potentially compromised have been offered complimentary credit monitoring services for 12 months.

Mercy Iowa City has implemented additional safeguards to prevent further attacks, including multi-factor authentication on email accounts.

LSU Health Care Services Suffers Phishing Attack

The Louisiana State University (LSU) Health New Orleans Health Care Services Division has announced that an unauthorized individual has accessed the email account of an employee and potentially viewed or obtained the information of patients of several hospitals in Louisiana.

The email account was breached on September 15, 2020. The attack was discovered on September 18 and the email account was immediately disabled. An investigation was launched but no evidence was found to indicate patient information in the emails and attachments was accessed or obtained by the individual responsible.

A review of the breached email account revealed it contained the protected health information of patients of the following hospitals:

  • University Medical Center in Lafayette
  • Lallie Kemp Regional Medical Center in Independence
  • Leonard J. Chabert Medical Center in Houma
  • O. Moss Regional Medical Center in Lake Charles
  • Bogalusa Medical Center in Bogalusa
  • Interim LSU Hospital in New Orleans
  • Earl K. Long Medical Center in Baton Rouge

The types of information potentially compromised varied from patient to patient and medical center to medical center, but may have included names, phone numbers, addresses, medical record numbers, account numbers, dates of birth, Social Security numbers, dates of service, types of services received, insurance ID numbers, and limited financial account information and health information. The investigation into the breach is continuing, but so far “thousands” of patients are known to have had their information exposed.

LSU Health is currently evaluating additional security measures to better protect against further attacks and additional information security training has been provided to employees.


Microsoft Warns of Ongoing Sophisticated Phishing Campaign Targeting Office 365 Users

Office 365 users have been warned about an ongoing phishing campaign which harvests user credentials. The campaign uses sophisticated techniques to bypass email security gateways and social engineering tactics to fool company employees into visiting websites where credentials are harvested.

A variety of lures are used in the phishing emails which target remote workers, such as fake password update requests, information on teleconferencing, SharePoint notifications, and helpdesk tickets. The lures are plausible and the websites to which Office 365 users are directed are realistic and convincing, complete with replicated logos and color schemes.

The threat actors have used a range of techniques to bypass secure email gateways to ensure the messages are delivered to inboxes. These include redirector URLs that can detect sandbox environments and will direct real users to the phishing websites and security solutions to benign websites, to prevent analysis. The emails also incorporate heavy obfuscation in the HTML code.

Microsoft notes that the redirector sites have a unique subdomain that includes a username and the targeted organization’s domain name to add realism to the campaign. The phishing URLs have an extra dot after the top-level domain, after which is the Base64 encoded email address of the recipient. The phishing URLs are often added to compromised websites, rather than used on attacker owned domains. Since many different subdomains are used, it is possible to send large volumes of phishing emails and evade security solutions.
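The three traits described above (an organization's domain embedded in a foreign host name, an extra dot after the top-level domain, and a Base64-encoded recipient address in the path) are all visible in the URL string itself, so a mail gateway or link-rewriting proxy can score them without fetching the page. The following is an added example written for this article, not code from Microsoft or from any product; the sample URLs, the organization domain `contoso.com` and the recipient `jsmith@contoso.com` are constructed, and the URL shape follows the article's description rather than any real campaign URL.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import urlsplit

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_b64_email(segment: str) -> Optional[str]:
    """Return the e-mail address if `segment` is Base64 (standard or URL-safe) for one, else None."""
    padded = segment + "=" * (-len(segment) % 4)  # tolerate stripped '=' padding
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if EMAIL_RE.match(text):
            return text
    return None


def org_domain_embedded(host: str, protected_domain: str) -> bool:
    """True when the organisation's domain labels occur inside `host` but `host` is not actually under it."""
    labels = host.rstrip(".").split(".")
    target = protected_domain.lower().strip(".").split(".")
    n = len(target)
    if labels[-n:] == target:
        return False  # genuinely one of the organisation's own hosts
    return any(labels[i:i + n] == target for i in range(len(labels) - n + 1))


def analyse_url(url: str, protected_domain: str) -> dict:
    """Check one URL for the traits the article describes and return the findings."""
    parts = urlsplit(url)
    host = parts.netloc.rsplit("@", 1)[-1].split(":")[0].lower()
    findings = []
    if host.endswith("."):
        findings.append("extra dot after the top-level domain")
    if org_domain_embedded(host, protected_domain):
        findings.append("organisation domain embedded in a foreign host name")
    recipient = None
    for segment in (s for s in parts.path.split("/") if s):
        recipient = decode_b64_email(segment)
        if recipient:
            findings.append("Base64-encoded e-mail address in the path")
            # The subdomain carrying the victim's username is the 'realism' trait Microsoft describes.
            if recipient.split("@")[0] in host.rstrip(".").split("."):
                findings.append("subdomain label matches the encoded recipient's username")
            break
    return {"host": host, "recipient": recipient, "findings": findings,
            "suspicious": len(findings) >= 2}


# Constructed samples (not URLs from the campaign): one in the shape the article describes,
# one ordinary sign-in URL on the organisation's own domain.
SAMPLE_PHISH = ("https://jsmith.contoso.com.compromised-site.example./"
                + base64.b64encode(b"jsmith@contoso.com").decode("ascii"))
SAMPLE_BENIGN = "https://login.contoso.com/owa/"

if __name__ == "__main__":
    for url in (SAMPLE_PHISH, SAMPLE_BENIGN):
        print(url, "->", analyse_url(url, "contoso.com"))
```

A single trait is weak evidence on its own (a trailing dot is a valid fully qualified name, and Base64 path segments occur in legitimate links), so the example only marks a URL suspicious when two or more traits coincide; the decoded recipient address is returned so that the flagged message can be tied to the mailbox it was aimed at.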

Office 365 credentials are highly sought after. Email accounts can be accessed and used for further phishing attacks, business email compromise scams, and the accounts often contain a wealth of sensitive data, including protected health information. Once an attacker has access to the Office 365 environment, they can access sensitive stored documents, and conduct further attacks on the organization.

Microsoft explained that Microsoft 365 Defender for Office 365 can detect phishing emails in this campaign and resolve attacks, but a recent study by IRONSCALES has shown that many email security gateways fail to block these sophisticated phishing threats.

The Israel-based security firm recently published data from a test of the leading secure email gateways and found they failed to block around half of advanced phishing attempts, including spear phishing and social engineering attacks. The company used its Emulator to test the effectiveness of five of the top secure email gateways, including Microsoft’s Advanced Threat Protection (ATP), and simulated real-world phishing scenarios to see how each performed.

For the tests, IRONSCALES conducted 162 emulations (16,200 emails) against the top 5 secure email gateways and found 47% of the emails were delivered to inboxes – 7,614 emails. The penetration rate – the percentage of emails that bypassed the secure email gateways – ranged from 35% to 55% across the 5 tested security solutions.

The leading secure email gateways were effective at blocking emails containing malicious attachments, with only 4% being delivered to inboxes, and just 3% of emails containing links to malicious files were delivered. However, they were far less effective at blocking social engineering and email impersonation attacks, which accounted for 30% of all successfully delivered emails. Domain name impersonations accounted for 25% of the delivered emails. These emails linked to a domain name that had the right records set in the DNS. Emails containing links to URLs containing fake login pages were delivered 16% of the time.

The tests highlighted the need for AI-driven security solutions that have natural language understanding and the importance of providing security awareness training to the workforce, as many of these advanced phishing threats will reach end user inboxes.


Phishing Campaign Uses Employment Termination Lure to Deliver Bazar and Buer Malware

A new phishing campaign is being conducted using the TrickBot botnet which delivers the Bazar backdoor and Buer loader malware. The campaign was detected by researchers at Area 1 Security and has been running since early October.

The Bazar backdoor is used to gain persistent access to victims’ networks, while the Buer loader is used to download additional malicious payloads. Previously, Buer has been used to deliver ransomware payloads such as Ryuk and tools such as CobaltStrike.

Area 1 Security researchers detected two email lures in this campaign. One is a fake notification about termination of employment and the other a fake customer complaint. The employment termination email appears to have been sent by an authority figure in the head office of the company being targeted and states that the individual has been terminated. Further information on the termination and payout is provided in a document that appears to be hosted on Google Docs.

If the link is clicked, the user will be directed to a Google Doc decoy preview page and is advised to click another link if they are not redirected. That link directs them to a URL where a file download is initiated. The user will be presented with a security warning asking if they want to run the file. Doing so launches a PE32+ executable on Windows systems and triggers a sequence of events that results in the download of either the Buer loader or the Bazar backdoor. Constant Contact links are also being used in this campaign.

The use of cloud services for hosting malicious documents is now commonplace. It is a tactic used to bypass security solutions that scan attached files for malicious code such as macros. By linking to legitimate cloud services, some security solutions will fail to detect the link as malicious and will deliver the emails to users’ inboxes. Should the links in the emails be classified as malicious by URL scanning security solutions, the attackers can simply switch to different URLs.

Last month Microsoft announced a takedown operation that saw it take control of the infrastructure used by the operators of TrickBot. This major operation was only temporarily effective at disrupting the botnet infrastructure. Microsoft said the takedown operation was only likely to be temporary, as the TrickBot operators would likely rebuild their operation on different infrastructure.

Area 1 Security researchers note that this campaign resumed just two days after the takedown of the botnet and, this time around, the TrickBot gang is using sinkhole-resistant EmerDNS TLDs, which make any further takedown attempts difficult.


Office 365 Users Targeted in Microsoft Teams Phishing Scam

A new Office 365 phishing campaign has been detected by researchers at Abnormal Security that spoofs Microsoft Teams to trick users into visiting a malicious website hosting a phishing form that harvests Office 365 credentials.

Microsoft Teams has been adopted by many organizations to allow remote workers to maintain contact with the office. In healthcare the platform is being used to provide telehealth services to help reduce the numbers of patients visiting healthcare facilities to control the spread of COVID-19.

Microsoft reported in a June call announcing financial earnings for the quarter ended June 30, 2020 that Microsoft Teams is now used by more than 150 million students and teachers. More than 1,800 organizations have more than 10,000 Teams users, and 69 organizations have more than 100,000 users. The use of Microsoft Teams in healthcare has also been growing, with 46 million Teams meetings now being conducted for telehealth purposes. The increase in usage due to the pandemic has presented an opportunity for cybercriminals.

According to figures from Abnormal Security, the latest campaign has seen the fake Microsoft Teams emails sent to up to 50,000 Office 365 users so far. The messages appear to be sent from a user with the display name “There’s new activity in Teams,” making the messages appear to be automated notifications from Teams.

The messages advise users to login as the Team community is trying to get in touch. The emails include a button to click to login to Teams that has the display text – “Reply in Teams.” The messages include a realistic looking footer with the Microsoft logo and options to install Microsoft Teams on iOS and Android.

The links in the email direct the user to a Microsoft login page that is a carbon copy of the official login prompt, aside from the domain on which the page is hosted. That domain starts with microsftteams to make it appear genuine.

The campaign is one of many targeting Office 365 credentials, and there have been several campaigns targeting videoconferencing platforms in response to the increase in popularity of these solutions during the pandemic.

Emotet Trojan Campaign Uses Fake Microsoft Word Upgrade Notifications

The Emotet Trojan is being spread in a new campaign that uses fake Microsoft Word upgrade notifications as a lure to get users to install the malware. Emotet is the most widely distributed malware currently in use. Infection with the malware sees the user’s device added to a botnet that is used to infect other devices. Emotet is also a malware downloader and is used to install information stealers such as TrickBot and QBot malware, which are used to deliver ransomware variants such as Ryuk, ProLock, and Conti.

The messages appear to be Microsoft Office notifications that advise the user that they need to perform an upgrade of Microsoft Word to add new features. The messages have a Microsoft Word attachment and the user is instructed to Enable Editing and then Enable Content. Doing so will launch a malicious macro which will download Emotet onto the user’s device.

Users should exercise caution and should avoid clicking links or opening attachments in unsolicited emails. Since Emotet hijacks the user’s email account to send further phishing emails, the messages may even be sent from an individual in the user’s contact list.


Agent Tesla Trojan Distributed in COVID-19 Phishing Campaign Offering PPE

A sophisticated COVID-19 themed phishing campaign has been detected that spoofs chemical manufacturers and importers and exporters offering the recipient personal protective equipment (PPE) such as disposable face masks, forehead temperature thermometers, and other medical supplies to help in the fight against COVID-19.

The campaign was detected by researchers at Area 1 Security, who say the campaign has been active since at least May 2020 and has so far targeted thousands of inboxes. The threat actors behind the campaign regularly change their tactics, techniques, and procedures (TTPs) to evade detection by security tools, typically every 10 days.

The threat actors regularly rotate IP addresses for each new wave of phishing emails, frequently change the companies they impersonate, and revise their phishing lures. In several of the intercepted emails, in addition to spoofing a legitimate company, the names of real employees along with their email addresses and contact information are used to add legitimacy. The emails use the logos of the spoofed companies and the correct URL of the company in the signature. By including correct contact information, should any checks be performed by the recipient they may be led to believe the message is genuine.

Source: Area 1 Security

The aim of the threat actors is to deliver the Agent Tesla Trojan. Agent Tesla is an advanced remote access Trojan (RAT) that gives the attackers access to an infected device, allowing them to perform a range of malicious actions. The RAT is capable of logging keystrokes on an infected device and stealing sensitive information from the user’s AppData folder, which is sent to the command and control server via SMTP. The malware can also steal data from web browsers, email, FTP and VPN clients.

The RAT is offered on hacking forums as malware-as-a-service and has proven popular due to the ease of conducting campaigns and the low cost of using the malware, although the researchers note that Agent Tesla can be downloaded for free via a torrent available on Russian websites. The malware includes a user interface (UI) that allows users to track infections and access data stolen by the malware.

The RAT is delivered in a compressed file attachment. If the attachment is extracted, the recipient will be presented with an executable file with a double extension that will appear to be a .pdf file. Since Windows is configured by default to hide known file extensions, the extracted file will appear to be a .pdf file when it is actually an executable file. The display name is “Supplier-Face Mask Forehead Thermometer.pdf”, but the actual file is “Supplier-Face Mask Forehead Thermometer.pdf.exe” or “Supplier-Face Mask Forehead Thermometer.pdf.gz”.
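The double-extension trick works because the name the user sees and the name the file actually has differ by exactly one extension. A gateway or endpoint tool can apply the opposite logic: split the attachment name into all of its extensions, and treat any name whose final extension is executable (or an archive) while an earlier one is a document type as a disguise. The code below is an added example written for this article, not Area 1 Security's tooling; the extension sets are the author's own assumption, and the archive it inspects is constructed in memory with placeholder bytes rather than a real sample (a zip is used because the Python standard library reads member names from it directly, but the naming rule is the same for a .gz or any other container).

```python
import io
import zipfile

# Assumed extension sets; extend them to match local policy.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi", "lnk"}
ARCHIVE_EXTS = {"gz", "zip", "rar", "7z", "iso"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def explorer_display_name(filename: str) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file types' on: the final known extension is dropped."""
    stem, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | ARCHIVE_EXTS | DOCUMENT_EXTS:
        return stem
    return filename


def classify_attachment(filename: str) -> str:
    """Classify a file name by its real (final) extension and any decoy document extension before it."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return "no-extension"
    real_ext = parts[-1]
    decoy_exts = [p for p in parts[1:-1] if p in DOCUMENT_EXTS]
    if real_ext in EXECUTABLE_EXTS:
        return "disguised-executable" if decoy_exts else "executable"
    if real_ext in ARCHIVE_EXTS:
        # An archive named *.pdf.gz is itself a disguise; its contents still need the same check.
        return "archive-posing-as-document" if decoy_exts else "archive"
    return "ok"


def triage_archive(blob: bytes) -> list:
    """Classify every member name of a zip archive without extracting anything to disk."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [(name, classify_attachment(name)) for name in zf.namelist()]


def build_sample_archive() -> bytes:
    """Constructed sample: a zip holding a member named like the lure, with harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Supplier-Face Mask Forehead Thermometer.pdf.exe",
                    b"placeholder bytes, not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ("Supplier-Face Mask Forehead Thermometer.pdf.exe",
                 "Supplier-Face Mask Forehead Thermometer.pdf.gz",
                 "quote.pdf"):
        print(f"{name!r}: shown as {explorer_display_name(name)!r}, class {classify_attachment(name)}")
    print(triage_archive(build_sample_archive()))
```

The `explorer_display_name` helper reproduces what the recipient sees, which is useful in user-awareness material and in incident notes: both lure names render as "Supplier-Face Mask Forehead Thermometer.pdf" on a default Windows installation. The classifier looks only at the name; a signature scanner is still needed for the content, which the article notes is re-hashed frequently.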

The hash is frequently changed to avoid being detected as malware by security solutions. When the hash is changed, the malware will not be detected by signature-based security solutions until definitions are updated to include the new hash.

The attackers also take advantage of flaws in the configuration of email authentication protocols such as DMARC, DKIM, and SPF when spoofing the domains of legitimate companies.
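Whether a spoofed message carrying a legitimate company's domain is accepted depends largely on what that company publishes in DNS: an SPF record that ends in `+all` or `?all` (or has no `all` term), a DMARC policy of `p=none`, or a DKIM selector with an empty `p=` tag each leave receivers with no reason to reject the forgery. The following added example (written for this article, not code from Area 1 Security) audits those records. It takes the TXT record strings as input rather than performing DNS lookups, so it runs offline; the two domains, their records and the documentation address range 203.0.113.0/24 are constructed.

```python
from typing import Dict, List, Optional


def parse_tags(record: str) -> Dict[str, str]:
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM TXT records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record: str) -> Optional[str]:
    """Return the qualifier on the SPF 'all' mechanism ('+', '-', '~' or '?'), or None if there is none."""
    qualifier = None
    for term in record.split()[1:]:
        t = term.lower()
        if t in ("all", "+all", "-all", "~all", "?all"):
            qualifier = t[0] if t[0] in "+-~?" else "+"  # a bare 'all' means '+all'
    return qualifier


def assess_domain(spf: Optional[str], dmarc: Optional[str], dkim_keys: Dict[str, str]) -> List[str]:
    """Return the configuration weaknesses a spoofer could exploit; an empty list means nothing found."""
    findings = []

    # DMARC first, because it decides whether SPF/DKIM failures have any consequence.
    enforcing = False
    if not dmarc or not dmarc.lower().startswith("v=dmarc1"):
        findings.append("DMARC: no record, so SPF/DKIM results are never enforced")
    else:
        tags = parse_tags(dmarc)
        policy = tags.get("p", "none").lower()
        enforcing = policy in ("quarantine", "reject")
        if not enforcing:
            findings.append(f"DMARC: p={policy} only monitors; spoofed mail is still delivered")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
        if "rua" not in tags:
            findings.append("DMARC: no rua address, so spoofing attempts go unreported")

    if not spf or not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no record, so any host can use the domain as envelope sender")
    else:
        q = spf_all_qualifier(spf)
        if q in (None, "+", "?"):
            findings.append(f"SPF: 'all' qualifier {q!r} does not fail unlisted senders")
        elif q == "~" and not enforcing:
            findings.append("SPF: softfail (~all) without an enforcing DMARC policy is advisory only")

    if not dkim_keys:
        findings.append("DKIM: no selector published, so outbound mail is unsigned")
    for selector, txt in dkim_keys.items():
        if not parse_tags(txt).get("p"):
            findings.append(f"DKIM: selector '{selector}' has an empty p= tag (key revoked)")
    return findings


# Constructed records for two hypothetical domains: a weak configuration and its corrected form.
WEAK = dict(
    spf="v=spf1 include:_spf.mail.example ?all",
    dmarc="v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    dkim={"s1": "v=DKIM1; k=rsa; p="},
)
HARDENED = dict(
    spf="v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
    dmarc="v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened.example",
    dkim={"s1": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"},
)

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess_domain(cfg["spf"], cfg["dmarc"], cfg["dkim"]) or ["no findings"])
```

To audit a real domain, feed the function the TXT records for the domain itself, `_dmarc.<domain>`, and each `<selector>._domainkey.<domain>` in use; the checks are the ones a receiver's filter effectively performs, so a clean result means a message forging the domain will at least fail authentication at any receiver that honours DMARC.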

According to the researchers, the attackers are mostly using a shotgun approach, rather than spear phishing emails on a select number of targets; that said, the researchers have identified some targeted attacks on executives of Fortune 500 companies.

Since the campaign is regularly updated to evade detection by security solutions, it is important to raise awareness of the campaign with employees to prevent them inadvertently installing the malware.


Study Reveals Increase in Credential Theft via Spoofed Login Pages

A new study conducted by IRONSCALES shows there has been a major increase in credential theft via spoofed websites. IRONSCALES researchers spent the first half of 2020 identifying and analyzing fake login pages that imitated major brands. More than 50,000 fake login pages were identified with over 200 brands spoofed.

The login pages are added to compromised websites and other attacker-controlled domains and closely resemble the genuine login pages used by those brands. In some cases, the fake login is embedded within the body of the email.

The emails used to direct unsuspecting recipients to the fake login pages use social engineering techniques to convince recipients to disclose their usernames and passwords, which are captured and used to login to the real accounts for a range of nefarious purposes such as fraudulent wire transfers, credit card fraud, identity theft, data extraction, and more.

IRONSCALES researchers found the brands with the most fake login pages closely mirrored the brands with the most active phishing websites. The brand with the most fake login pages – 11,000 – was PayPal, closely followed by Microsoft with 9,500, Facebook with 7,500, eBay with 3,000, and Amazon with 1,500 pages.

While PayPal was the most spoofed brand, fake Microsoft login pages pose the biggest threat to businesses. Stolen Office 365 credentials can be used to access corporate Office 365 email accounts which can contain a range of highly sensitive data and, in the case of healthcare organizations, a considerable amount of protected health information.

Other brands that were commonly impersonated include Adobe, Aetna, Alibaba, Apple, AT&T, Bank of America, Delta Air Lines, DocuSign, JP Morgan Chase, LinkedIn, Netflix, Squarespace, Visa, and Wells Fargo.

The most common recipients of emails in these campaigns were individuals working in the financial services, healthcare and technology industries, as well as government agencies.

Around 5% of the fake login pages were polymorphic, which for one brand included more than 300 permutations. Microsoft login pages had the highest degree of polymorphism with 314 permutations. The reason for the high number of permutations of login pages is not fully understood. IRONSCALES suggests this is because Microsoft and other brands are actively searching for fake login pages imitating their brand. Using many different permutations makes it harder for human and technical controls to identify and take down the pages.

The emails used in these campaigns often bypass security controls and are delivered to inboxes. “Messages containing fake logins can now regularly bypass technical controls, such as secure email gateways and SPAM filters, without much time, money or resources invested by the adversary,” explained IRONSCALES. “This occurs because both the message and the sender are able to pass various authentication protocols and gateway controls that look for malicious payloads or known signatures that are frequently absent from these types of messages.”

Even though the fake login pages differ slightly from the login pages they spoof, they are still effective and often successful if a user arrives at the page. IRONSCALES attributes this to “inattentional blindness”, where individuals fail to perceive an unexpected change in plain sight.
