It's been a wonderful 23 days of Phishmas! To close out the season, we are bringing you a true detective story of advanced credential harvesting. Grab a cup of tea and enjoy the read!
As a result of the arms race between information security professionals and cybercriminals, cyberattacks are becoming increasingly complex. In this blog post, we examine a phishing campaign that uses an advanced credential harvester to gain user login information. While elements of this campaign make it more difficult to identify as a phish, there are some key things you can do to avoid such credential harvesting attacks.
What is a credential harvester?
Phishing emails often include malicious links. By clicking on them, victims are directed to a fake login page: a site that looks like an authentic login page for a commonly used service. As soon as the victim logs in, they unwittingly provide their user credentials to cybercriminals. These pages are called credential harvesters.
An advanced credential harvester not only lacks many of the tell-tale signs of phishing, but also fetches information from the actual service it's mirroring in real time.
This email includes many elements that make it seem legitimate:
- The email itself is almost a direct copy of an authentic Microsoft Planner notification email. It informs the recipient about a pending task they've been assigned, just like a real Planner notification message would.
- The email is personalized, greeting the recipient by their first name and mentioning their organization to increase legitimacy.
- A less common method of personalization is also present: the message claims that the requested task is linked to the recipient's job title. In the case we're about to examine, the recipient is employed as a Business Development Manager. The phish has, in fact, correctly identified this information.
- In order to increase the likelihood of the recipient interacting with the email, the message claims that the task expires in seven hours. Invoking a sense of urgency is a common technique used by cybercriminals. When people feel rushed, they are more likely to make rash decisions.
What happens when we click on the malicious link?
We are greeted with a familiar-looking Microsoft login page after clicking the link in the email. The page itself appears to be legitimate. The URL field, however, immediately reveals that we are not on a Microsoft domain. In credential harvesting cases, the URL is a dead giveaway and should always be checked!
The video above displays how the actual credential harvesting page functions.
When we attempt to log in with a test account (email@example.com), the login fails. This is quite unusual for a credential harvesting page, as typically they accept any credentials.
A further test with a throwaway account (firstname.lastname@example.org), created for the purposes of this demo, reveals more unusual features.
The account (email@example.com) was configured with a second email address (firstname.lastname@example.org) as a backup login method.
When we attempt to log in, the credential harvesting page offers to send a code to the backup email address as an alternative authentication method.
This reveals that the credential harvesting page is, in fact, fetching information from Microsoft in real time.
In this case, when we type in our account’s real password, login is successful, and we are redirected to a copy of the real Microsoft website.
Compromising multi-factor authentication
Traditionally, multi-factor authentication has been the downfall of credential harvesting, as the time-sensitive one-time passwords required for authentication severely reduce the scalability of credential harvesting attacks.
To demonstrate this, we configured multi-factor authentication for the throwaway account (email@example.com) using the Authenticator application.
As soon as we log in with our password, we are prompted for our Authenticator application code. When we enter the code, we are redirected to Microsoft's real login page, which we can confirm by observing the URL. Attackers do this in hopes that the victim doesn't realize they were just successfully phished.
The sign-in activity on our throwaway account now reveals that cybercriminals have gained a foothold on our account. This connection is being made from an IP address assigned to a Lithuanian cloud platform.
With this foothold, cybercriminals could now gather information from emails and various applications linked to the account. They could then attempt to perform lateral movement within the organisation’s network to access and extract sensitive files or to perform a ransomware attack.
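The sign-in activity described above is the defender's best signal: because the harvester relays the victim's password and code to Microsoft itself, the resulting session appears in the sign-in log as a successful, MFA-satisfied login from the attacker's hosting-provider IP rather than from the victim's usual network. The following Python is an added example, not part of the original post, that triages constructed sign-in records with that pattern in mind: it builds a per-user baseline of IP owners seen before a cutoff date and flags later MFA-satisfied successes from a hosting provider the user has never signed in from. The record layout, the owner-type labels ("isp"/"hosting") and all IP addresses (documentation ranges) are assumptions for the example.

```python
from datetime import datetime

# Constructed sign-in records (assumed layout for this example):
# timestamp, user, source IP, IP owner, owner type, MFA outcome, result.
# IPs come from the RFC 5737 documentation ranges; owners are invented.
SIGN_INS = [
    ("2023-12-01T08:02:00", "alex@example.org", "203.0.113.10", "Example Broadband", "isp", "satisfied", "success"),
    ("2023-12-05T09:15:00", "alex@example.org", "203.0.113.10", "Example Broadband", "isp", "satisfied", "success"),
    ("2023-12-20T13:41:00", "alex@example.org", "198.51.100.7", "Example Cloud Hosting", "hosting", "satisfied", "success"),
    ("2023-12-20T13:42:30", "alex@example.org", "198.51.100.7", "Example Cloud Hosting", "hosting", "satisfied", "success"),
    ("2023-12-20T14:00:00", "sam@example.org", "192.0.2.44", "Example Cloud Hosting", "hosting", "none", "failure"),
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 timestamp used in the constructed records."""
    return datetime.fromisoformat(value)


def build_baseline(records, cutoff: datetime) -> dict:
    """Map each user to the set of IP owners they successfully signed in from before the cutoff."""
    baseline = {}
    for ts, user, _ip, owner, _kind, _mfa, result in records:
        if result == "success" and parse_ts(ts) < cutoff:
            baseline.setdefault(user, set()).add(owner)
    return baseline


def triage(records, cutoff_iso: str) -> list:
    """Return one alert per (user, IP owner) for MFA-satisfied successes after the
    cutoff that originate from a hosting provider absent from the user's baseline.

    A hosting-provider source is the tell-tale of a relaying harvester: the
    victim's own device never contacts Microsoft, the proxy server does.
    """
    cutoff = parse_ts(cutoff_iso)
    baseline = build_baseline(records, cutoff)
    alerts, seen = [], set()
    for ts, user, ip, owner, kind, mfa, result in sorted(records, key=lambda r: r[0]):
        if parse_ts(ts) < cutoff or result != "success" or mfa != "satisfied":
            continue
        if kind != "hosting" or owner in baseline.get(user, set()):
            continue
        key = (user, owner)
        if key in seen:
            continue  # one alert per user/provider pair keeps the queue readable
        seen.add(key)
        alerts.append({
            "time": ts,
            "user": user,
            "ip": ip,
            "owner": owner,
            "reason": "MFA-satisfied sign-in from hosting provider never seen for this user",
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(SIGN_INS, "2023-12-15T00:00:00"):
        print(alert)
```

The failed attempt for the second user is deliberately left out of the alerts: a failure without MFA carries no session, so it is a noisier signal than the successful relayed login. In a real tenant the owner type would come from your IP-enrichment source rather than from a hard-coded label.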
Staying off the Hook
- One of the most common emotions social engineers attempt to evoke is urgency. In this way, the attacker is able to manipulate you into taking a risky action that you might later regret.
- Before clicking on any links, be sure to check where they lead. Links in this email do not lead to Microsoft domains, even though the email appears to come from a Microsoft service.
- Check the URL before typing in your credentials. This credential harvesting page is practically identical to its legitimate counterpart. Checking the URL, however, reveals that it is not on a Microsoft domain.
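Checking the URL is only reliable when it is the registrable domain that is checked, not whether a familiar name appears somewhere in the address. The following Python is an added example, not code from the original post, showing how a mail filter or a cautious reader can classify the links in a notification: it extracts every href from a constructed Planner-style email, allows only hosts under a short allowlist of Microsoft domains, and treats hosts that merely contain a brand name, or that use punycode, as lookalikes. The allowlist, the brand tokens and the sample email are assumptions for the example; the example also covers the user@host form of URL, which the post does not discuss.

```python
import re
from urllib.parse import urlparse

# Registrable domains that genuine Microsoft sign-in and Planner links resolve under.
# This allowlist is an assumption for the example; maintain your own and keep it current.
TRUSTED_DOMAINS = ("microsoftonline.com", "microsoft.com", "live.com", "office.com")

# Brand tokens whose presence in a non-trusted hostname suggests a lookalike (assumed list).
BRAND_TOKENS = ("microsoft", "office", "outlook", "planner")

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL.

    Scheme-less links are given a scheme so urlparse sees a netloc, and the
    user@host trick is neutralised because .hostname keeps only the part after '@'.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def link_verdict(url: str) -> str:
    """Classify a link as 'trusted', 'lookalike' or 'untrusted' by its hostname alone.

    Only the registrable domain counts: a host that merely contains a trusted
    name (login.microsoftonline.com.example.net) is not trusted.
    """
    host = hostname_of(url)
    if not host:
        return "untrusted"
    for domain in TRUSTED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "trusted"
    # Punycode labels can render as a brand name in the address bar while being
    # a different domain, so they are grouped with the brand-token lookalikes.
    if "xn--" in host or any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "untrusted"


def extract_links(html: str) -> list:
    """Pull every href target out of an HTML email body."""
    return HREF_RE.findall(html)


def audit_email(html: str) -> list:
    """Return (url, verdict) for each link; anything not 'trusted' deserves a closer look."""
    return [(url, link_verdict(url)) for url in extract_links(html)]


# Constructed sample in the spirit of the Planner-style notification discussed above.
SAMPLE_EMAIL = """
<p>Hi Alex, a task assigned to you expires in 7 hours.</p>
<a href="https://login.microsoftonline.com.tasks-update.example/planner/open">Open task</a>
<a href="https://tasks.office.com/">Microsoft Planner</a>
<a href="https://login.microsoftonline.com@tasks-update.example/">Sign in</a>
"""

if __name__ == "__main__":
    for url, verdict in audit_email(SAMPLE_EMAIL):
        print(f"{verdict:9s} {url}")
```

The first sample link is the case the post warns about: the address begins with a genuine Microsoft hostname, but its registrable domain is tasks-update.example, so the verdict is "lookalike". The third link shows why the check must run on the parsed hostname rather than on the raw text.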