The Dangers of Phishing

Phishing emails and texts often take the form of a couple of tried-and-tested fraudulent ‘fronts’. These included hackers purporting to be from Microsoft, a delivery company, an email provider. Even a government body such as the IRS, and companies such as Facebook, Amazon, and Spotify.

In short, when crafting a phishing attempt, the hacker will aim to pretend to be a company.  The hacker can also pretent to be a service that is well known and one that many people will have some interaction with.

Some other phishing attacks may present in a more general sense. For example, an organization previously unheard of telling you that you have won a million dollars and to deposit the money, they need your banking details.

Phishing targets are usually a mass of individuals that are unconnected. A hacker may get their hands on an email list from breaching a website or could just as easily scrape social media for a huge spreadsheet of email addresses. Due to this, it may be best to think of regular phishing as casting out a net on the sea when trying to catch schools of fish.

Spear Phishing is the more refined, targeted version. It operates with the prime directive of breaching businesses.

Hackers behind spear phishing know exactly who they’re emailing, what company they work for, and what position they hold within the company. Email addresses are gathered in these attacks through many legitimate means – Google, LinkedIn, and the company website. The ‘front’ used in Spear Phishing emails will often be much more direct – hackers often imitate other employees within the company or known suppliers for the organization. One successful Spear Phishing attack can devastate an entire business.

If a hacker gains access to, say, a low-level email account by phishing for credentials, they can easily move laterally across the organization. They can search for more sensitive details to enable them to move vertically up the chain of command. Unlike regular phishing, spear phishing is about seeking out individuals or smaller groups of victims.

The final of phishing falls under Spear Phishing, and so is often used interchangeably. Whale Phishing uses the same methodology as Spear Phishing; however, the targets are often much higher in a company. Whale Phishing targets C-level executives and high-level managers.

This is not to say that business owners shouldn’t be concerned about regular phishing attacks; if anything, they need to pay equal attention.

In the age of Bring-Your-Own-Device (BYOD), employees often access company email or services through their own mobile devices, laptops, and computers. This proves a perfect entry point for hackers, many of which are looking through their victims’ devices to discover if they have corporate connections. Mass spam phishing emails, though possibly not directed at your business, can penetrate it regardless.

Falling victim to a breach through phishing is like handing the hackers the house keys and letting them walk through the front door. In this article, we’ll look at some of the biggest phishing attacks of the year so far.

Large Scale Phishing Campaigns

A phishing campaign lead to a large scale breach which affected over 130 companies. The initial campaign was targeted at Twilio, MailChimp and Klaviyo.

The phishing attack was spearheaded by a kit named ‘0ktapus’, and stolen nearly ten thousand login credentials. These credentials were then used to breach corporate networks for a large number of companies.

According to a report by researchers at Group-IB, this campaign has been on going March 2022. The initial aim of the campaign was to steal credentials in order to perform a large scale supply chain attack.

There was an additional attack against Cloudflare, which was supressed. This is fortunate, given the amount of clients Cloudlfare has.

The clients that were hit in the attack were across a range of industries, from finance, to tech, to games developers, to cryptocurrency. Some of the companies hit include T-Mobile, MetroPCS, Verizon Wireless, AT&T, Slack, Twitter. Also Binance, KuCoin, CoinBase, Microsoft, Epic Games, Riot Games, Evernote, AT&T, HubSpot, TTEC, and Best Buy.

The phishing campaign was SMS based. The initial step involved a text with a link to a phishing page, which impersonated an Okta login pages. Here users were asked to enter their credentials as well as their 2FA codes.

Okta is a identity-as-a-service solution, allowing employees to use a single login to access a number of programs within their company.

There were nearly 170 unique domains used in the phishing campaign. They were carefully crafted to appear like the genuine product, which employees would have been used to see in their day-to-day login.

When credentials were entered on the fake domains, they were siphoned out to the hackers Telegram channel.

These credentials were then used to access corporate VPNs and networks. They were also used to access customer support to steal customer data. A lot of the customer data was used for further attacks.

Group-IB are believed to have information relating to the identity of the attackers, however they will only be disclosing this to law enforcement agencies for now. However, it is believed that the hackers are based within the US.

Instagram Scheme

A popular instagram phishing campaign has seen quite a bit of traction in recent months. The campaign attempts to scam users on the image-sharing platform by offering them a blue badge.

A blue badge is given to Instagram profiles which represent a celebrity, brand, or public figure. They are highly sought after.

The phishing campaign took place in the form of spear phishing, where the hackers sent emails to Instagram users. The hacker tells the Instagram users that their accounts had been reviewed and that they were eligible for a blue badge.

Targets were then asked to fill out a form and claim their badge within 48 hours.

Though it may seem like an obvious ploy, the hackers gamble on the carelessness and enthusiasm of some instagram users.

The campaign was detected by Vade – which an AI-based analysis service that inspects emails. The first messages were sent out in late July.

The emails spiked twice, at the end of July and started of August, both of which had 1000 phishing emails per day.

The 48 hour limit created an illusion of urgency, which is often seen in phishing emails. The phishing domains were named “teamcorrectionbadges”, which helped the con. The hackers used logos for Instagram, Facebook, WhatsApp, Messenger, and Meta additionally.

Once a victim fills out the form, they are informed that they will be upgraded within 2 days. This never happens of course, and the Instagram account is hijacked.

SaaS Phishing Surge

There has been an increase in using software-as-a-service (SaaS) like website builders to create phishing websites that steal login credentials. The increase was spotted by researchers at Palo Alto Networks Unit 42, which showed an increase of 1,100% increase from June 2021 and June 2022.

These SaaS services are ideal for phishing, as they bypass email security and are widely available.

These platforms also make creating new websites an easy experience, and allows hackers to diversify their operations as well as respond to takedowns quickly.

Researchers at Unit 42 divided the SaaS platforms into six categories in their report: file sharing and hosting sites, form and survey builders, website builders, note-taking and documentation writing platforms, and personal portfolio spaces.

Of all categories, website builders were the most abused.

The researchers explained that the hackers host their credential stealing pages directly on the services, and send an email containing a link to the URL. In other cases, they are used for URL redirection.

In some cases, hackers used service providers that don’t respond to takedown requests, allowing them to stay online indefinetely.

“In the event that the final credential-stealing page is taken down, the attacker can simply change the link and point to a new credential-stealing page, preserving the effectiveness of the original campaign,” reads the report.

Due to its nature, its unlikely abusing SaaS platforms will stop anytime soon. Tightening the use of these services would cut off a large portion of legitimate clients.

Hospitality Hit

A hacker, or possibly group of hackers known as TA558 has increased its phishing activity this year. They had a number of campaigns that target the hospitality and travel industries.

TA558 uses several malware families to gain access to systems, perform surveillance, steal data, and siphon money. Much of the malware used were remote access trojans (RATs).

TA558 has been active since 2018. Researchers at Proofpoint noted its surge in the last year or so, which likely come as the tourism industry picks up post-COVID.

TA558 initially used documents full of malicious macros in its phishing emails, but has since switched to embedding files within URLs in the messages.

This has been a common shift for hackers, after Microsoft blocked a number of macros in Office.

The phishing emails are written in English, Spanish, and Portuguese, targeting North American, Europe, and Latin America.

The dupe itself involves making a booking for a target organization as a fradulent group. Victims click on the URL which is supposed to be a reservation link, and recieve a malicious file.

This file launchers a powershell script that dumps a RAT payload on the victims computer.

In most of the cases Proofpoint observed this year, the payload was AsyncRAT or Loda, while Revenge RAT, XtremeRAT, CaptureTela, and BluStealer were also deployed on a smaller scale.

When TA558 has comproimsed hotel systems, it digs deeper to steal customer data as well as credit card information. It also modifies the main website to divert reservation payment to their own serves.

In one case in July 2022, the Marino Boutique Hotel in Lisbon, Portugal was hacked. The hackers stole €500,000 in four days from unsuspecting customers who paid to book a room.

Cryptocurrency Phishing Scheme

A new phishing campaign has emerged that targets Coinbase, Metamask, Kraken, and Gemini users. The campaign abuses Google Sites and Microsoft Azure to create fraudulent sites.

The phishing pages are pushed through comments on legitimate sites by a number of bots. Posting these links on credible websites increases the sites SEO.

These sites are not flagged by automated moderaters as they are hosted on Google and Microsoft.

The campaign was highlighted by cybersecurity researchers at Netskope.

Google even accidentally included the phishing pages as featured snippets, giving them an even greater rating.

The sites mimic Metamask, Coinbase, Gemini, and Kraken, and aim for user wallets and assets.

The sites are simply landing pages, with visitors being redirected to the phishing sites when the click on “login”.

The MetaMask phishing site attempts to steal the user’s password and wallet’s secret recovery phrase (seed phrase). This information allows the threat actor to import the wallet on their own devices and drain the contents.

For the crypto exchange phishing pages, the threat actors attempt to steal their login credentials. They also steal 2FA details, allowing full access to a users account.

AMEX/Snapchat Phishing Hack

Hackers have used redirections on the Snapchat and American Express websites in a phishing campaign which aims to steal 365 credentials. Redirects such as these are used to send targets to malicious sites which are used for phishing.

“Since the first domain name in the manipulated link is in fact the original site’s, the link may appear safe to the casual observer,” email security firm Inky, which observed the attacks, explained.

“The trusted domain (e.g., American Express, Snapchat) acts as a temporary landing page before the surfer is redirected to a malicious site.”

According to Inky, the Snapchat redirect was used in nearly 7000 phishing emails over two and a half months.

The AmEx redirect was quickly patched in late July, with new attempts producing an error page. Before it was patched, it was used in over 2000 phishing attempts.

“In both the Snapchat and the American Express exploits, the black hats inserted personally identifiable information (PII) into the URL so that the malicious landing pages could be customized on the fly for the individual victims,” Inky explained.

“And in both, this insertion was disguised by converting it to Base 64 to make it look like a bunch of random characters.”

To defend against such attacks, Inky advised email recipients to check for “url=,” “redirect=,” “external-link,” or “proxy” strings or multiple occurrences of “HTTP” in URLs embedded in emails likely showing an indication of redirection.

FCC issue warning

The Federal Communications Commission (FCC) have issues a warning around an increase in SMS phishing attempts in which hackers attempt to steal personal information and/or money.

These types of phishing attacks are known as smishing, though the FCC refers to them as robotexts. The hackers used a number of lures to trick victims into handing over their details.

“The FCC tracks consumer complaints – rather than call or text volume – and complaints about unwanted text messages have risen steadily in recent years from approximately 5,700 in 2019, 14,000 in 2020, 15,300 in 2021, to 8,500 through June 30, 2022,” the US communications watchdog’s Robocall Response Team said.

“In addition, some independent reports estimate billions of robotexts each month – for example, RoboKiller estimates consumers received over 12 billion robotexts in June.”

These phishing attacks are often in regards to believable claims, such as unpaid bills, delivery issues, bank issues, or law enforcement actions.

Very often these texts lead to malicious landing pages, where victims are asked to verify purchases with their card details.

The sending information can be spoofed to make it appear as if the SMS comes from a trustworthy source, such as a government agency or popular company like Amazon.

“If you think you’re the victim of a texting scam, report it immediately to your local law enforcement agency and notify your wireless service provider and financial institutions where you have accounts,” the FCC added.

FCC added that users who think they may have been targeted should visited the FCC Consumer Help Center and the FCC Scam Glossary.

Protection Against Phishing

Phishing attacks are without a doubt the most common attack vector for hackers. Though awareness and education are good defenses against any form of attack, with Phishing it is the key to protection. Simply not opening links or attachements in emails is the highest level of protection.

This may seem well and good, but in a network in an organzation, there can be hundreds of email address, and hundreds of people who may still click on dodgy link. Businesses and organizations should spend resources to educate their members, or pay dearly for it down the line.

There are a number of ways to stop a phishing scam:

The links or URLs are not pointing to the correct location
There’s a sense of urgency in the email, such as asking the user to complete request within 24 hours, a week etc.
There’s a request for personal information such as social security numbers or bank or financial information
The sender address may seem trustworthy but has misspellings or other additions
The message is unexpected or unsolicited
The attached or message requests that you enable macros, adjust security settings, or install applications
The message has errors
The sender address doesn’t match the signature on the message
There are many recipients in the ‘To’ field which appear random
The gretting isn’t personal
Phishing landing pages look familiar but there is a sense of uncanny valley, where things look just a little bit ‘off’

Despite an education into phishing, people can still fall victim to it, even the most security-minded users. To that, we created SaferNet. SaferNet is an always-on VPN with an arsenal of tools that protect users against many forms of malware, and is especially proficient in dealing with phishing attemps.

Any clicks made from a phishing email to a malicious landing page will be blocked, and the administrator of the SaferNet account will be notified. SaferNet is the perfect solution for phishing for business owners, families, and individuals.