Researchers at Akamai describe a credential phishing campaign that’s been running since at least March 2022. Due to the volume of traffic to the phishing sites, the researchers estimate that the attackers are raking in up to $150,000 per year by selling the stolen credentials.
“This ongoing research led to the discovery of multiple templated sites used as front-ends for the scam infrastructure that have been tied to more than 40,000 malicious routing domains,” the researchers write. “At one point, there were 13,000 sites active concurrently, hosted on more than 20 different hosting providers.”
The attackers use phony profiles, including phony LinkedIn pages, to lend credibility to the scams.
“On the social engineering side of things, we saw fake users on scam websites with ‘testimonies’ of their winning a prize,” the researchers write. “One of those fake users who caught our attention was ‘Natalie Hamilton’: the woman with many faces. Natalie triggered the second part of our research…leading us to a better understanding of the outstanding scam infrastructure and the potential revenue that drives a scam that involves tens of thousands of websites and an estimated millions of victims.”
The campaign uses numerous measures to avoid being flagged by security tools.
“The attackers also used the URL fragment identifier redirection, which is a technique that uses an HTML anchor to point a browser to a specific spot in a page or website to evade detection by security products,” Akamai says. “The attackers generate randomly generated URLs to filter out unwanted visitors, and they use the power of content delivery networks (CDNs) to quickly and easily rotate phishing website domain names and IP addresses without taking down the phishing website infrastructure.”
New-school security awareness training can enable your employees to thwart social engineering attacks.
