The hacker has two tasks: Get into the inbox. And get the user to hand over the desired information. Hackers spend tons of time thinking of creative ways to do both. The attack has to be crafted to fool not only security services but also end users. Fool the machine, fool the person, and you’re golden.
We see tons of interesting ways of doing this. In this attack brief, we’ll discuss one of the most creative ways of getting users to hand over their information. How do they do it? By dynamically mirroring an organization’s login page.
In this attack brief, Avanan researchers will discuss how threat actors are creating mirror images of an organization’s landing page to fool users into handing over their credentials.
Attack
In this attack, threat actors dynamically mirror an organization’s traditional login page to get users to type in their credentials.
Email Example #1
The user is presented with a typical-looking password expiration reminder email. The link, as you see, does not go to a Google or company URL.
From there, the user is asked to fill out a reCAPTCHA form. Its purpose is to block automated scanners: because a bot cannot solve the CAPTCHA, it only ever sees the CAPTCHA page, which contains nothing malicious and therefore always looks clean.
Here’s where it gets interesting. Though the URL is completely unrelated to the company website, the page looks exactly like the real deal. In fact, it’s a bit-for-bit mirror of the actual company site. The end-user will have their email address pre-populated and see their traditional login page and background, making it incredibly convincing.
Techniques
We have written extensively about a group called SPAM-EGY. We also published an informative webinar. They are a “Phishing as a Service” subscription group that guarantees:
This attack follows all those hallmarks. What is different is that it targets Google domains. This represents an evolution of this type of attack and thus may be carried out by a different group.
It is incredibly clever since it matches the login page that the end-user is accustomed to seeing. It adds a Google reCAPTCHA form to boost legitimacy and get past automated scanners.
A clever end-user will see that the URLs don’t match. However, everything else does. In the arms race to fool users, this is one of the more effective campaigns we’ve seen.
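The URL mismatch described above is the one signal that survives the mirroring, so it is the natural thing to check at the gateway. The following is an added example, not Avanan's own tooling: it parses a constructed password-expiration lure, flags links that leave the company and provider domains, and notes links that carry the recipient's address in the query string (one way a phishing page can pre-populate the email field; that mechanism is an assumption, not something the brief states). The domain list and sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse, parse_qs

# Constructed sample: a password-expiration lure whose link leaves the company
# and provider domains and carries the recipient's address for pre-population.
SAMPLE_EMAIL = """\
From: IT Support <it-support@example.com>
To: alice@example.com
Subject: Your password expires today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires in 24 hours. Click below to keep it.</p>
<a href="https://example-verify.xyz/captcha?email=alice@example.com">Keep my password</a>
<a href="https://accounts.google.com/signin">Sign in normally</a>
</body></html>
"""

LURE_PHRASES = ("password expir", "keep my password", "keep your password")
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def host_is_trusted(host, trusted_suffixes):
    """True if host is one of the trusted domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)

def analyze_message(raw_email, trusted_suffixes):
    """Return findings: off-domain links, lure wording, pre-populated address."""
    msg = message_from_string(raw_email, policy=default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    recipient = (msg["To"] or "").strip().lower()
    text = ((msg["Subject"] or "") + " " + body).lower()
    lure = any(p in text for p in LURE_PHRASES)
    off_domain, prefilled = [], []
    for url in HREF_RE.findall(body):
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https"):
            continue
        if not host_is_trusted(parsed.hostname or "", trusted_suffixes):
            off_domain.append(url)
        # Query values matching the recipient suggest an address-prefill link.
        values = [v.lower() for vals in parse_qs(parsed.query).values() for v in vals]
        if recipient and recipient in values:
            prefilled.append(url)
    return {"lure_text": lure, "off_domain_links": off_domain,
            "prefilled_links": prefilled, "suspicious": lure and bool(off_domain)}
```

Run against the sample with `("example.com", "google.com")` as the trusted suffixes, the Google sign-in link passes and the `example-verify.xyz` link is reported as both off-domain and pre-populated.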
To guard against these attacks, security professionals can do the following: