January 14, 2022

Watch: Sophisticated new credential harvesting attack uses fake popups and fake Microsoft Windows OS

Hoxhunt social engineer Pontus Keski-Pukkila created a video that takes us through a sophisticated and subtle credential harvesting attack. It uses a devious script that logs users out of their Outlook account and peppers them with subsequent log-in popups while they are trying to read an altered Atlantic Monthly article on a clever look-alike attack site.

Pontus Keski-Pukkila
Social Engineer

Everybody should be familiar with the idea of credential harvesting pages that mimic common login pages. Five typical credential harvesting scams are presented here. But I've seen a new class of credential harvesting schemes that could catch even knowledgeable users off guard. They use fake log-in prompts, with additional background scripts in the attack site that log users out of Microsoft accounts they might be logged into.

While standard credential harvesting scams are quite effective, attackers are always coming up with new, creative schemes to fool more advanced users who might be familiar with the more common methods. One such example I've seen uses popups/prompts that simulate native OS counterparts like ones commonly seen in Microsoft Windows. These credential harvesting popups are possible on hosted sites and the campaign can be carried out with some basic web development skills.  

These fake prompts could be added to any attacker-controlled website. With a good look-alike domain and appropriate directory paths, the URL will look quite realistic. One convincing example of a credential harvesting popup I've seen is used on a counterfeit Atlantic Monthly site. This video shows how a malicious link in an email, which looks very much like a real Atlantic Monthly link, directs a victim to what's actually a mimicry of the prestigious magazine's content and website.

The hook in the email attack is the article, which is most effective if tailored to suit the target’s interests. Real articles can be copied and even modified to make them more appealing. Here, with some information collected from the target’s social media, the attacker has changed the city in the original article to the one where the target is currently living. And of course, the date is updated.

The prompt to log back in to Outlook looks and behaves like a real one. It can be dragged around inside the website (but not outside, which is a crucial red flag) and all the buttons have the expected functions. For example, by clicking X or Cancel, the prompt window is closed. But then it pops up again. And the email field is pre-filled to make it easier for the target to input their password.

Here's where the attack gets next-level. To make it even more realistic, the attacker has added a script which, in the background, silently signs the target out of their microsoft.com account while the news article is loading. So when the user checks their Outlook tab, they'll see that they actually are logged out and the popup thus appears legit.

When the target types in their credentials, they are sent to the attacker and the prompt will not appear again. This added layer to the attack makes it more deceptive and particularly dangerous, even for security-conscious users.
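For defenders, the background sign-out described above leaves a trace: a request to a Microsoft sign-in host's sign-out path that was triggered by an unrelated site. The following is an added example, not code from Hoxhunt or from the attack, showing one way to flag that pattern in web proxy logs. The log columns, the host lists, the 10-second window and the sample log lines are assumptions constructed for illustration, and the approach presumes a proxy that records full URLs and the Referer header.

```python
import csv, io
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumptions (not from the article): log columns, host lists and the 10 s window.
IDP_HOSTS = {"login.microsoftonline.com", "login.live.com"}
TRUSTED = ("microsoft.com", "microsoftonline.com", "live.com", "office.com")
WINDOW = timedelta(seconds=10)

# Constructed proxy log sample: time, user, url, referer
SAMPLE_LOG = """\
2022-01-14T09:00:01,alice,https://outlook.office.com/mail/,
2022-01-14T09:02:10,alice,https://news-lookalike.example/politics/article,
2022-01-14T09:02:11,alice,https://login.microsoftonline.com/common/oauth2/logout,https://news-lookalike.example/politics/article
2022-01-14T09:05:30,bob,https://login.microsoftonline.com/common/oauth2/logout,https://outlook.office.com/mail/
2022-01-14T09:07:00,carol,https://blog-lookalike.example/post,
2022-01-14T09:07:02,carol,https://login.live.com/logout.srf,
2022-01-14T09:30:00,dave,https://login.live.com/logout.srf,
"""

def host(url):
    return (urlsplit(url).hostname or "").lower()

def trusted(h):
    # Exact match or true subdomain only, so "notmicrosoft.com" does not pass.
    return h in IDP_HOSTS or any(h == s or h.endswith("." + s) for s in TRUSTED)

def is_signout(url):
    path = urlsplit(url).path.lower()
    return host(url) in IDP_HOSTS and ("logout" in path or "signout" in path)

def find_cross_site_signouts(log_text):
    """Flag sign-out requests that an untrusted page appears to have triggered."""
    last_untrusted = {}  # user -> (time, host) of the latest untrusted page load
    alerts = []
    for ts, user, url, referer in csv.reader(io.StringIO(log_text)):
        when = datetime.fromisoformat(ts)
        if is_signout(url):
            ref = host(referer)
            seen = last_untrusted.get(user)
            if ref and not trusted(ref):
                alerts.append((user, ref, "referer"))
            elif not ref and seen and when - seen[0] <= WINDOW:
                # Referer missing: fall back to timing against the last untrusted page.
                alerts.append((user, seen[1], "timing"))
        elif not trusted(host(url)):
            last_untrusted[user] = (when, host(url))
    return alerts
```

An alert of either kind is a lead for triage rather than proof, since a user can also sign out by hand shortly after visiting an unrelated site.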

Ensure the popup is safe by dragging it around

Be extra careful of popups nowadays. Anything on the website, that is, the part inside your web browser window, should not be trusted. Check the domain, and in the case of these look-alike native OS prompts, you can try to drag the prompt outside of the web browser, or open a new tab. If you can't, and it's "constrained" inside the current site, the popup is not native and was created by the attacker who made the malicious website.

If the popup behaves like this, don't trust it!

Hoxhunt response

Our Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. Working together with our powerful machine learning model, they cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.
