#HoxhuntPhishmas Day 24: A real-world Credential Harvesting case explored and exposed!
As a result of the arms race between information security professionals and cybercriminals, cyberattacks are becoming increasingly complex. In this blog post, we examine a phishing campaign that uses an advanced credential harvester to gain user login information. While elements of this campaign make it more difficult to identify as a phish, there are some key things you can do to avoid such credential harvesting attacks.
Phishing emails often include malicious links. Clicking one takes the victim to a fake login page: a site that imitates the authentic login page of a commonly used service. As soon as the victim logs in, they unwittingly hand their credentials to the cybercriminals. These pages are called credential harvesters.
An advanced credential harvester not only lacks many of the tell-tale signs of phishing, but also fetches information from the actual service it's mirroring in real time.
This email includes many elements that make it seem legitimate:
We are greeted with a familiar-looking Microsoft login page after clicking the link in the email. The page itself appears to be legitimate. The URL field, however, immediately reveals that we are not on a Microsoft domain. In credential harvesting cases, the URL is a dead giveaway and should always be checked!
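"Check the URL" is easy advice to give and easy to get wrong, because attackers build links that contain the genuine host name without actually pointing at it. The function below is an added example written for this post, not Hoxhunt tooling: it classifies a sign-in link by looking only at the host the browser will really connect to, and it treats userinfo tricks, punycode hosts, plain http and embedded look-alikes as suspicious. The allow-list of legitimate Microsoft sign-in hosts is an assumption for the example; adapt it to the identity providers your organisation uses.

```python
import re
from urllib.parse import urlsplit

# Hosts that legitimately serve Microsoft sign-in pages. This allow-list is an
# assumption for the example: adapt it to the identity providers you actually use.
LEGIT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "login.microsoft.com",
}


def _normalise_host(host):
    """Lower-case, strip a trailing dot, and convert IDN labels to punycode."""
    host = host.lower().rstrip(".")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def is_legit_login_host(host, allowed=LEGIT_LOGIN_HOSTS):
    """True only if host IS an allowed host or a subdomain of one.

    A plain substring match would accept login.microsoftonline.com.evil.example,
    so the check is anchored at the end of the host name.
    """
    host = _normalise_host(host)
    return any(host == a or host.endswith("." + a) for a in allowed)


def classify_login_url(url, allowed=LEGIT_LOGIN_HOSTS):
    """Return (verdict, reason) for a link that claims to be a sign-in page."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return "suspicious", f"unexpected scheme {parts.scheme!r}"
    host = parts.hostname  # userinfo and port are already stripped here
    if not host:
        return "suspicious", "no host in URL"
    host = _normalise_host(host)
    if parts.username is not None:
        # https://login.microsoftonline.com@evil.example/ really loads evil.example
        return "suspicious", f"userinfo before host; browser will load {host!r}"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", f"punycode (IDN) host {host!r}"
    if parts.scheme != "https":
        return "suspicious", "sign-in page served over plain http"
    if is_legit_login_host(host, allowed):
        return "ok", f"host {host!r} is an allowed sign-in host"
    # Look-alikes: an allowed name buried in a longer or punctuation-tweaked host.
    squash = lambda s: re.sub(r"[^a-z0-9]", "", s)
    for a in allowed:
        if squash(a) in squash(host):
            return "suspicious", f"host {host!r} imitates {a!r} but is not under it"
    return "suspicious", f"host {host!r} is not an allowed sign-in host"


if __name__ == "__main__":
    for link in (
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=x",
        "https://login.microsoftonline.com.evil.example/",
        "https://login.microsoftonline.com@evil.example/",
        "https://login-microsoftonline.com/",
    ):
        print(link, "->", classify_login_url(link))
```

The important design choice is to use `urlsplit(...).hostname` rather than eyeballing the string: that is the name the browser resolves, and it is what a user should compare against the service they expect. The same rule applies when reading the address bar by hand: the registrable domain at the right-hand end of the host is the only part that matters.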
The video above displays how the actual credential harvesting page functions.
When we attempt to log in with a test account (test@outlook.com), the login fails. This is unusual for a credential harvesting page: a typical harvester accepts any credentials, because it only records what is typed and never verifies it against the real service.
A further test with a throwaway account (jonathan.doe44@outlook.com), created for the purposes of this demo, reveals more unusual features.
The account (jonathan.doe44@outlook.com) was configured with a second email address (k*********@outlook.com) as a backup login method.
When we attempt to log in, the credential harvesting page offers to send a code to the backup email address as an alternative authentication method.
This reveals that the credential harvesting page is, in fact, relaying our input to Microsoft and fetching Microsoft's responses in real time: it sits between the victim and the genuine service rather than serving a static copy of the login form.
In this case, when we type in our account’s real password, login is successful, and we are redirected to a copy of the real Microsoft website.
Traditionally, multi-factor authentication has been the downfall of credential harvesting: the time-sensitive one-time passwords it requires severely reduce the scalability of these attacks, because a captured code expires before an attacker can use it by hand.
To demonstrate this, we configured multi-factor authentication for the throwaway account (jonathan.doe44@outlook.com) using the Authenticator application.
As soon as we log in with our password, we are prompted for our Authenticator application code. Because the page relays our input to Microsoft as we type it, the code is still valid when it reaches the real service. When we enter the code, we are redirected to Microsoft's real login page, which we can confirm by observing the URL. Attackers do this in the hope that the victim does not realise they were just successfully phished.
The sign-in activity on our throwaway account now reveals that cybercriminals have gained a foothold on our account. This connection is being made from an IP address assigned to a Lithuanian cloud platform.
With this foothold, cybercriminals could now gather information from emails and various applications linked to the account. They could then attempt to perform lateral movement within the organisation’s network to access and extract sensitive files or to perform a ransomware attack.
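The sign-in activity described above is the defender's best signal: when a relay of this kind completes the login, the identity provider records a successful, MFA-satisfied sign-in from the attacker's infrastructure, not from the victim's machine. The script below is an added example written for this post (not Hoxhunt tooling) that runs three simple rules over a constructed batch of sign-in records shaped like an identity provider's sign-in log: a successful sign-in from hosting-provider address space, from a network the user has never signed in from before, or from a different country than the user's previous successful sign-in within a short window. The sample records, the hosting range and the one-hour window are all assumptions for the example; in production the hosting ranges would come from an ASN or hosting feed and the records from your sign-in log export.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample sign-in records (user, UTC timestamp, client IP, country,
# result, MFA state). Addresses come from RFC 5737 documentation ranges; none
# are real. The last jonathan.doe44 entry models the relayed sign-in from the
# post: correct password and MFA, but from the attacker's cloud host.
SAMPLE_SIGNINS = [
    {"user": "jonathan.doe44@outlook.com", "time": "2023-12-01T08:00:00",
     "ip": "198.51.100.10", "country": "FI", "success": True, "mfa": True},
    {"user": "jonathan.doe44@outlook.com", "time": "2023-12-02T09:15:00",
     "ip": "198.51.100.12", "country": "FI", "success": True, "mfa": True},
    {"user": "jonathan.doe44@outlook.com", "time": "2023-12-02T09:38:00",
     "ip": "203.0.113.45", "country": "LT", "success": False, "mfa": False},
    {"user": "jonathan.doe44@outlook.com", "time": "2023-12-02T09:40:00",
     "ip": "203.0.113.45", "country": "LT", "success": True, "mfa": True},
    {"user": "alice@example.com", "time": "2023-12-02T09:50:00",
     "ip": "192.0.2.7", "country": "DE", "success": True, "mfa": True},
]

# Assumption: in production this list comes from an ASN/hosting feed. Here one
# documentation range stands in for "cloud/VPS provider address space".
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Assumption: two successful sign-ins from different countries closer together
# than this are treated as a country change worth flagging.
TRAVEL_WINDOW = timedelta(hours=1)


def _ts(rec):
    return datetime.fromisoformat(rec["time"])


def _net24(ip):
    # Coarse "same network" key so a DHCP change inside one office is not a hit.
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def in_hosting_range(ip, ranges=HOSTING_RANGES):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def flag_suspicious_signins(signins, hosting_ranges=HOSTING_RANGES, window=TRAVEL_WINDOW):
    """Return successful sign-ins that look like a relayed (proxied) session.

    Each hit is {"user", "time", "ip", "reasons"}. Records are processed in
    time order, so a user's baseline only ever contains earlier successes;
    failed attempts are skipped because a relay only matters once it works.
    """
    hits = []
    prior = {}  # user -> earlier successful records, in time order
    for rec in sorted(signins, key=_ts):
        if not rec["success"]:
            continue
        user, ip = rec["user"], rec["ip"]
        history = prior.setdefault(user, [])
        reasons = []
        if in_hosting_range(ip, hosting_ranges):
            reasons.append("hosting-provider IP")
        if history and _net24(ip) not in {_net24(r["ip"]) for r in history}:
            reasons.append("new network for user")
        if history:
            last = history[-1]
            if last["country"] != rec["country"] and _ts(rec) - _ts(last) <= window:
                reasons.append(f"country changed {last['country']}->{rec['country']} within {window}")
        if reasons:
            hits.append({"user": user, "time": rec["time"], "ip": ip, "reasons": reasons})
        history.append(rec)
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious_signins(SAMPLE_SIGNINS):
        print(hit["time"], hit["user"], hit["ip"], "; ".join(hit["reasons"]))
```

Note what the rules do not rely on: the password was correct and MFA was satisfied, so "failed MFA" style alerts never fire for a relayed login. Only the network origin of the successful session gives the attack away, which is also why a first-ever sign-in for a user (alice in the sample) produces no hit: there is no baseline yet to compare against.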