Malicious emails contain various types of malicious payloads these days. Some campaigns attempt to deliver malware, some spread misinformation, some request help in paying transport fees for an enormous delivery of gold bars.
Credentials are still one of the most common targets of malicious actors in the cyber world. Malicious actors have therefore developed a wide array of methods to steal credentials in the most efficient ways possible.
The anatomy of a phishing email
Phishing emails often follow a certain pattern, with the call to action being a key component. One of the most common types of phishing campaigns looks similar to the one pictured below.
The message begins with a greeting, often automatically personalized by inserting the recipient emails local part (e.g. jane.doe if the email was jane.doe@hoxhunt.com). It contains a call to action, i.e. something that is required by the recipient. In this case, the password is supposedly expiring and must be renewed. To increase the likelihood of interaction, malicious actors often try to weaponise our emotions. In this case a sense of urgency is added by setting a fictitious deadline.
The payload
Malicious payloads come in many shapes and sizes. Most commonly however, the malicious payload is a credential harvesting site linked in the message or a HTML filetype attachment containing a similar credential harvesting form.
The picture below shows what was hidden behind the link of the phishing message pictured above: a typical Microsoft Office impersonation designed to look as similar as possible to its legitimate counterpart. If the site looks familiar, the user is much more likely to interact with it and input their credentials.
As companies have begun setting customised backgrounds and logos to their login sites, these old Microsoft impersonation sites are starting to become less and less efficient. If the user is not greeted by the company specific graphics they were expecting, they are much more likely to be alerted.
The malicious solution
To keep up with the times, many malicious actors have begun to use tools that automatically fetch the correct graphics based on the user's domain. The video below shows one of these in action, spotted in a phishing message sent to the CEO of Hoxhunt, Mika Aalto.
Similar to when designing legitimate sites, the malicious actors try to make the required actions as easy as possible for the user to complete. Thus the email is automatically filled in, which also makes the page seem like the user had visited it before. The page has automatically fetched the correct graphics and logo, making it look almost identical to its legitimate counterpart.
As the video progresses, I input some other domains to show how it dynamically switches the graphics accordingly. When “asd.com” is set as the domain, an error is given, indicating that the domain is invalid; a nice touch by the malicious actors.
When a password is eventually input, it is rejected in hopes that the user inputs multiple different passwords. After a few attempts, the user is redirected to a voice message containing an irrelevant recording. In most cases, the redirect sends the user to the legitimate site, in hopes that the user would not be alerted too quickly, giving the malicious actors more time to utilize the stolen credentials. We’ve also seen cases where the user is redirected to a file sharing site containing malware, adding a cherry on top of a phishing attack sunday.
Staying off the hook
Malicious actors are constantly improving their techniques to stay ahead of the game. Many common hints such as the wrong graphics, odd font or spelling mistakes are no longer present in these new campaigns. One clear sign persists though. In most cases, the URL will show something completely unrelated to the service impersonated, as the sites are hosted on whatever domains the attacker has got their hands on. So remember to always check the URL before entering your credentials!