Dive into a detailed analysis of the most recent phishing updates from the week and enhance your understanding of the changing strategies and patterns in online threat prevention, including phishing protection. Gaining this knowledge is crucial in staying ahead of potential threats and maintaining a secure digital environment.
EvilProxy Phishing Campaign Aims at 120,000 Microsoft 365 Users
Researchers have flagged a concerning surge in successful cloud account takeovers, particularly among high-ranking executives, over the last five months. EvilProxy, a phishing platform, has become a prominent tool helping malicious actors target MFA-protected Microsoft 365 accounts.
Proofpoint, a cybersecurity enterprise, uncovered a massive campaign using EvilProxy, a malicious tool that uses reverse proxies to intercept authentication requests and user credentials during login attempts. Because the proxy sits between the victim and the real login service, it also captures the authentication cookies issued once the login succeeds.
Since victims will have already navigated MFA (Multi-Factor Authentication), the cookies stolen by threat actors enable them to bypass the additional layer of protection.
This EvilProxy method is being used to impersonate renowned brands like Adobe and DocuSign in a current phishing campaign observed since March 2023.
Once users click the embedded link, they undergo multiple redirections to reach an authentic-looking EvilProxy phishing page mimicking Microsoft 365’s login interface. To obscure user emails from scanners, attackers encode email addresses and use compromised legitimate websites to decode the targets’ identities.
The attackers focus on high-value targets, like C-level executives and CFOs, emphasizing the urgency for improved security awareness, stringent email filters, and FIDO (Fast Identity Online)-based physical keys as defense measures.
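As an added illustration (not from the original post or from Proofpoint's research), the constructed example below flags the pattern described above from a defender's side: a session cookie issued right after an MFA-satisfied logon reappearing from a different IP address without a fresh MFA challenge. The event fields, addresses and user names are assumptions made for this example, not real sign-in log data.

```python
"""Flag AitM-style session cookie reuse in constructed sign-in events.

With a reverse-proxy phishing kit, the identity provider sees the proxy
complete the MFA-protected logon; the stolen cookie is then typically
presented from other infrastructure. Events below are constructed samples
and the field layout is an assumption, not a real Microsoft 365 log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, session_id, source_ip, mfa_satisfied)
EVENTS = [
    ("2023-08-01T09:00:00", "cfo@example.com", "sess-A1", "203.0.113.10", True),
    ("2023-08-01T09:00:20", "cfo@example.com", "sess-A1", "198.51.100.7", False),
    ("2023-08-01T10:15:00", "analyst@example.com", "sess-B2", "203.0.113.44", True),
    ("2023-08-01T14:30:00", "analyst@example.com", "sess-B2", "203.0.113.44", False),
]

# How soon after the MFA logon a cookie from a new IP counts as suspicious.
WINDOW = timedelta(minutes=30)


def find_session_hijacks(events, window=WINDOW):
    """Return (user, session_id, logon_ip, new_ip) for every session whose
    cookie is presented from a new IP within `window` of an MFA-satisfied
    logon without a new MFA challenge being recorded."""
    by_session = defaultdict(list)
    for ts, user, sid, ip, mfa in events:
        by_session[sid].append((datetime.fromisoformat(ts), user, ip, mfa))

    findings = []
    for sid, rows in by_session.items():
        rows.sort()
        mfa_rows = [r for r in rows if r[3]]
        if not mfa_rows:
            continue  # no MFA-satisfied logon to anchor on
        t0, user, logon_ip, _ = mfa_rows[0]
        for t, _, ip, mfa in rows:
            if ip != logon_ip and not mfa and t - t0 <= window:
                findings.append((user, sid, logon_ip, ip))
                break  # one finding per session is enough for triage
    return findings


if __name__ == "__main__":
    for user, sid, ip0, ip1 in find_session_hijacks(EVENTS):
        print(f"possible cookie replay: {user} session {sid} {ip0} -> {ip1}")
```

In the sample data only the executive's session is flagged; the analyst's cookie stays on the IP that completed MFA and is left alone.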
Interpol Dismantles 16shop, a Phishing-as-a-Service Platform
In a collaborative action, Interpol and cybersecurity experts have successfully dismantled the notorious 16shop PhaaS (Phishing-as-a-service) platform, resulting in an operator’s arrest and platform shutdown.
Phishing-as-a-service platforms provide comprehensive toolkits like pre-made phishing kits for famous brands, hosting, data masking, victim tracking panels, and other utilities for malicious actors, which enhance their attack efficacy.
Working alongside Interpol, Group-IB reveals that the 16shop platform distributed phishing kits targeting major entities like Apple, PayPal, American Express, Amazon, and Cash App, focusing on victims mainly in Germany, Japan, France, the USA, and the UK.
Although the platform was hosted by a US organization, its server registration details pointed to an Indonesian base. During the operator’s arrest, Indonesian authorities confiscated electronic devices and luxury vehicles from his possession. The arrest of several accomplices followed soon after.
FBI Alert: Threat Actors Pretending to Be NFT Developers in Crypto Phishing Scams
The FBI is cautioning investors about a rising threat involving counterfeit NFT project developers using deceptive tactics in cryptocurrency-related phishing scams.
Per the Bureau’s findings, scammers infiltrate authentic NFT developer accounts or establish nearly identical ones to deceive users into linking their crypto wallets to fraudulent websites. Subsequently, the victims fall prey to fund theft by threat actors, who then launder the ill-gotten gains through crypto mixers to dodge detection.
The adversaries craft deceptive posts to exploit urgency, leveraging phrases like ‘limited supply’ and portraying the release as an unforeseen or exclusive mint. The provided links in these posts are phishing links leading victims to counterfeited websites mimicking legitimate NFT projects. These fake platforms encourage victims to link their crypto wallets and purchase the NFT.
The FBI advises Americans to exercise caution if renowned NFT initiatives appear to announce fresh prospects or activities unexpectedly. The Bureau further underscores the need to authenticate social media accounts to prevent falling for social media hijack and verify any website’s legitimacy before connecting crypto wallets.
Advanced Phishing Attacks Exploit Newly Discovered Zero-Day Vulnerability in Salesforce
A recently identified, highly intricate email phishing scheme has come to light, with experts uncovering its utilization of a zero-day flaw within Salesforce’s email systems and SMTP (Simple Mail Transfer Protocol) servers.
Guardio Labs, a cybersecurity brand, unearthed this phishing campaign and provided a comprehensive breakdown in a detailed technical blog post this week. Threat actors behind this scheme took an innovative approach by fabricating targeted phishing emails, effectively sidestepping standard detection protocols by leveraging the Salesforce domain.
They meticulously crafted the emails to mimic “Meta Platforms” correspondence and, to amplify the deception, lured recipients to a deceptive page hosted within Facebook’s web gaming hub. By sending through a trusted email gateway, the malicious actors evaded filtering rules, resulting in emails that appeared genuine, carried “@salesforce.com” sender domains, and were further personalized with recipients’ real names.
Upon identifying this loophole, Guardio Labs swiftly informed both Salesforce and Meta. Both corporations acted promptly, and by July 28, 2023, the vulnerability was rectified across the entire spectrum of Salesforce services.