Researchers at Group-IB have discovered a sophisticated spear phishing campaign that’s targeted executives at more than 150 companies around the world since mid-2019. The researchers have named the campaign “PerSwaysion” because the attackers abused the Microsoft Sway presentation program. The attackers seem particularly adept at using social engineering against multiple employees as part of the same attack.
“One of the defining signatures of PerSwaysion is that it spreads like wildfire, jumping from one victim to another while no malware is present on a user device during the attack,” the researchers write. “A new round of phishing attempts leveraging the current victim’s account usually takes less than 24 hours. The campaign resulted in the compromise of 156 high-ranking officers in global and regional financial hubs such as the US, Canada, Germany, the UK, the Netherlands, Hong Kong, Singapore, and other locations.”
The campaign primarily targets executives, since these employees offer the most value from a social engineering perspective. Importantly, the phishing emails are sent from the real email account of someone the recipient knows—often an executive in another organization.
“The threat actors leverage a perfectly orchestrated social engineering technique by ‘persuading’ people holding significant corporate positions to open a non-malicious PDF email attachment coming from an authentic address in their contacts,” Group-IB says.
The PDF contains a convincingly spoofed Office 365 notification instructing the victim to click a link to read a document. Clicking this link takes the victim to a Microsoft Sway presentation that similarly poses as a notification from Office 365 and leads to a phishing site designed to steal their Microsoft account credentials.
Once the attackers have compromised an executive’s account, they quickly identify the victim’s business contacts and stealthily send them phishing emails from the victim’s account. The researchers emphasize the sophistication of this operation and highlight the measures the attackers took to fool their victims.
“The PerSwaysion campaign is a living example of highly specialized phishing threat actors working together to conduct effective attacks on high-ranking officers at large scale,” said Feixiang He, a Senior Threat Intelligence analyst at Group-IB. “They adopt multiple tactics and techniques to avoid traffic detection and automated threat intelligence gathering, such as the use of file-sharing services and web application hosting from reputable vendors. The campaign pursues non-trivial counterintelligence methods, for example, randomizing malicious JS file names, fingerprinting victim browsers, and rejecting repeated visits. Such measures taken by cybercriminals seeking to garner sensitive corporate information require a non-standard approach to their detection and response.”
Executives at any organization are more likely to be targeted by sophisticated social engineering attacks. New-school security awareness training can provide all of your employees with an appropriate level of training for the threats they’re likely to face.
Group-IB has the story: https://www.group-ib.com/media/perswaysion/