CyberSecurity news

FlagThis - #credentialtheft

@cyble.com //
Cyble threat intelligence researchers have uncovered a global phishing campaign leveraging the LogoKit phishing kit. This sophisticated kit is being used to target government, banking, and logistics sectors. The initial discovery stemmed from a phishing link mimicking the Hungary CERT login page, highlighting the campaign's ability to impersonate legitimate websites to steal credentials.

The LogoKit is designed to enhance credibility and increase the likelihood of successful credential theft. The phishing attacks often embed the victim's email address in the URL, pre-filling the username field on the spoofed login page. This personalized approach, combined with the kit's ability to dynamically generate convincing phishing pages, makes it a potent threat. CRIL analyzes show that the kit uses brand assets from Clearbit and Google Favicon to create realistic-looking login pages.

These phishing campaigns are part of a larger trend of surging identity attacks. Reports indicate a significant increase in cyberattacks targeting user logins. Cybercriminals are increasingly turning to sophisticated phishing-as-a-service platforms to conduct BEC schemes and ransomware disasters. Organizations should implement strong DNS security measures to protect against such threats.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • thecyberexpress.com: Cyble threat intelligence researchers identified a phishing campaign aimed at Hungarian government targets that further investigation revealed was connected to wider global attack campaigns targeting the banking and logistics sectors.
  • cyble.com: The initial phishing link we identified mimicked the Hungary CERT login page, with the victim's email address prefilled in the username field to enhance credibility and increase the likelihood of credential submission.
  • The Register - Security: Phishing platforms, infostealers blamed as identity attacks soar
Classification:
  • HashTags: #Phishing #LogoKit #CredentialTheft
  • Company: Cyble
  • Target: Government, Banking, Logistics
  • Product: LogoKit
  • Feature: Credential harvesting
  • Malware: LogoKit
  • Type: Phishing
  • Severity: Major
Shira Landau@Email Security - Blog //
A sophisticated phishing campaign is currently targeting Microsoft Office 365 users, leveraging OAuth application functionality to bypass traditional security measures and enterprise-grade spam filters. Attackers are creating applications with embedded phishing messages as the app name, allowing them to generate properly signed security notifications that appear legitimate. These deceptive emails bypass email authentication checks and appear to come from official "no-reply" addresses, successfully navigating through standard email security checks and creating a significant deception that threatens enterprise security frameworks. Security leaders are urged to reassess their defense strategies to address these emerging threats that specifically target authentication mechanisms.

Attackers register a domain and create an associated account to establish their malicious operation. They then create an OAuth app with the phishing message embedded in the app name. Granting their newly created account access to this OAuth app generates a properly signed security notification. This authenticated message is then forwarded to potential victims, directing them to fake sign-in pages that function as credential harvesting mechanisms under the guise of legitimate support pages. These pages, hosted on legitimate subdomains of the email service provider, prompt users to "upload additional documents" or "view case," both leading to credential harvesting.

The "SessionShark" phishing kit is also being used to target Microsoft Office 365 accounts, designed to bypass multi-factor authentication (MFA) by stealing session tokens. This kit operates as an adversary-in-the-middle, intercepting login credentials and user session tokens. It creates a webpage that closely mimics the legitimate Microsoft Office 365 login interface, dynamically adapting to various conditions to increase believability. Once a victim submits their credentials, including completing MFA, the sensitive details and session cookie are instantly logged and exfiltrated to the attacker via Telegram bot integration.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • Email Security - Blog: Authentication Breach Alert: OAuth Flaw Enables “Perfect Phishing†Campaign
  • The DefendOps Diaries: Understanding and Mitigating OAuth 2.0 Exploitation in Microsoft 365
  • BleepingComputer: Hackers abuse OAuth 2.0 workflows to hijack Microsoft 365 accounts
  • hackread.com: New SessionShark Phishing Kit Bypasses MFA to Steal Office 365 Logins
Classification: