How Phishing is Evolving

Stu Sjouwerman | Dec 23, 2019

Attackers are always using new tactics to stay ahead of defenders, and Microsoft’s Office 365 Threat Research Team describes three noteworthy phishing techniques they’ve observed in 2019. The first was the use of hijacked search results to redirect users to malicious sites. Attackers used a traffic generator to artificially push a baited website to the top of Google search results for specific keywords. When a user clicked on the harmless bait website, they would be redirected to a phishing site or a malware download. This allowed the attackers to send phishing emails with benign links in order to bypass email security filters.

The second technique involved using custom 404 pages as phishing sites. Phishing campaigns are much more efficient when attackers have an easy way to move their phishing page to a different URL, because security technologies are constantly flagging and taking down malicious URLs. By using a URL for a non-existent page on the phishing domain, attackers could use an unlimited number of URLs in their phishing campaigns. When a user clicked on one of these URLs, they would automatically be redirected to the domain’s 404 Not Found page. These pages can be customized just like a normal webpage, so the attackers made them appear to be sign-in pages in order to steal credentials.
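Because of the 404 trick, every non-existent path on the phishing domain renders the same sign-in form, which is also what gives a URL scanner a handle on it. The following is an added example (not from this post or from Microsoft's research) of a defender-side check: the Response class is an assumed stand-in for a fetched page, and the HTML bodies are constructed.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
import secrets
from urllib.parse import urlsplit, urlunsplit

@dataclass
class Response:
    """Stand-in for a fetched HTTP response (assumed; nothing is fetched here)."""
    status: int
    body: str

class _FormScanner(HTMLParser):
    """Count <form> tags and password inputs in an HTML body."""
    def __init__(self):
        super().__init__()
        self.forms = 0
        self.password_inputs = 0
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms += 1
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1

def has_credential_form(body: str) -> bool:
    scanner = _FormScanner()
    scanner.feed(body)
    return scanner.forms > 0 and scanner.password_inputs > 0

def random_sibling_url(url: str) -> str:
    """Same scheme and host, random path that cannot legitimately exist."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, "/" + secrets.token_hex(8), "", ""))

def classify(original: Response, sibling: Response) -> str:
    """Verdict for a URL's response and the response for random_sibling_url().
    A real 404 page never asks for a password, so a credential form behind a
    404 status on either response is the signature; a 200 login needs other checks."""
    if any(r.status == 404 and has_credential_form(r.body) for r in (original, sibling)):
        return "not_found_login"
    if has_credential_form(original.body):
        return "login_page"
    return "benign"

# Constructed sample bodies standing in for fetched pages (not real phishing content).
LOGIN_HTML = ('<html><body><form action="/collect" method="post"><input name="user">'
              '<input type="password" name="pass"></form></body></html>')
NOT_FOUND_HTML = "<html><body><h1>404 Not Found</h1><p>No such page.</p></body></html>"
```

Probing the random sibling path matters because the attacker may return a 200 status on the advertised URL while the 404 handler still serves the form on any other path.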

A third phishing technique abused Microsoft’s secure rendering site to automatically generate a duplicate of the targeted company’s Microsoft login page. The researchers explain that this allowed the attackers to create targeted phishing sites for each recipient with minimal effort. “Phishers sent out emails with URLs pointing to an attacker-controlled server, which served as the man-in-the-middle component and simulated Microsoft sign-in pages,” the researchers write. “The server identified certain specific information based on the recipient’s email address, including the target company, and then gathered the information specific to that company. The result was the exact same experience as the legitimate sign-in page, which could significantly reduce suspicion. Using the same URL, the phishing site was rendered differently for different targeted users.”

Attackers will continue finding ways to increase the efficiency of their scams. Security technologies for the most part react to new attack techniques, and attackers know this. New-school security awareness training can enable your employees to anticipate and recognize unfamiliar attacks.

Microsoft has the story: https://www.microsoft.com/security/blog/2019/12/11/the-quiet-evolution-of-phishing
