Find the right approach to browser security
Traditional security approaches are flawed, costly, and overwhelming for security teams. Menlo Security is different. It’s the simplest, most definitive way to secure work—making online threats irrelevant to your users and your business.
Our platform invisibly protects users wherever they go online. So threats are history and the alert storm is over.
Traditional network security wasn’t built to address today’s complex enterprise environments. SASE fixes that problem.
Menlo Labs provides insights, expertise, context and tools to aid customers on their journey to connect, communicate and collaborate securely without compromise. The collective is made up of elite security researchers that put a spotlight on the threats you know and don’t know about.
Menlo Labs provides insights, expertise, context and tools to aid customers on their journey to connect, communicate and collaborate securely without compromise.
Ravisankar Ramprasad | Oct 03, 2023
Share this article
Menlo Labs recently identified a phishing campaign targeting executives in senior level roles across various industries, but primarily Banking and Financial services, Insurance providers, Property Management and Real Estate, and Manufacturing.
The key findings based on our research of the phishing campaign are as follows:
This is a classic example of AiTM (Adversary In The Middle) phishing attack by harvesting session cookies enabling threat actors to bypass MFA protections.
In July 2023, Menlo Security HEAT Shield detected and blocked a novel phishing attack that involved an open redirection in the ‘indeed.com’ website redirecting victims to a phishing page impersonating Microsoft. Consequently, this makes an unsuspecting victim believe the redirection resulted from a trusted source such as ‘indeed.com’.
The threat actors were found to deploy the phishing pages using the phishing-as-a-service platform named ‘EvilProxy’. The service is advertised and sold on the dark web as a subscription-based offering with the plan validity ranging between 10 days, 20 days, and 31 days. One of the actors, known by the handle ‘John_Malkovich’, plays the role of an administrator and intermediary assisting customers who have purchased the service.
The campaign targeted C-suite employees and other key executives across organizations based in the United States across various sectors.
The chart below depicts the various sectors targeted by the campaign.
This data was collated with the help of intelligence gathered through URLScan, Phishtank, and VirusTotal feeds.
The infection vector was a phishing email delivered with a link that is deceptively crafted in such a way that it comes from a trusted source, in this case ‘indeed.com’. Upon clicking the link the victim is redirected to a fake Microsoft Online login page.
The depiction of the attack kill chain with the step-by-step breakdown is shown below.
Open redirection happens when an application (by design or unintentionally) causes redirection to an untrusted external domain. This flaw can be utilized to exploit the trustability of the redirecting source to ultimately redirect the victim to a phishing site or a compromised site serving malware.
In this specific attack, the user clicks on a URL believing that they are being directed to indeed.com or another of its subdomains. The subdomain ‘t.indeed.com’ is supplied with parameters to redirect the client to another target (example.com) as shown in the example below. The parameters in the URL that follow the “?” are a combination of parameters unique to indeed.com and the target parameter whose argument consists of the destination URL. Hence the user upon clicking the URL ends up getting redirected to example.com. In an actual attack, the user would be redirected to a phishing page.
The HTTP header request and responses show the redirection chain caused by the vulnerability.
The threat actors employed the EvilProxy phishing kit which acts as a reverse proxy, performing an adversary in the middle attack by stealing user session cookies thereby helping to circumvent 2 factor authentication successfully bypassing MFA.
The phishing redirection chain consists of 3 parts:
The diagram below shows the redirection chain in this specific attack.
The phishing pages have been noticed to have the subdomain ‘lmo.’ and have specifically impersonated the Microsoft Online login page. The phishing pages were found to be hosted on nginx servers capable of acting as a reverse proxy. The reverse proxy fetches all the content that can be dynamically generated like the login pages and then acts as the adversary in the middle by intercepting the requests and responses between the victim and the legitimate site. This helps in harvesting the session cookies and this tactic can be attributed to the usage of EvilProxy Phishing kit.
Artifacts observed which can be attributed to EvilProxy usage:
Menlo observed this campaign across one of our customers and we were able to successfully eliminate this threat by virtue of our HEAT Shield. HEAT Shield was able to detect and prevent this phishing attempt on the fly by virtue of its real time analysis feature. HEAT Shield was able to successfully detect the phishing site by leveraging AI-based detection models to analyze the rendered web page way before the URL reputation services and other security vendors flagged this page for malicious behavior. HEAT Shield also generates the Zero Hour Phishing Detection alerts in the process which help provide greater visibility to the SOC analysts by providing them with context of the threat and enriched data that will adequately support their research.
HEAT Shield protects users from credential harvesting and account compromise by cutting off the attack vector from the initial access stage (MITRE ATT&CK framework) and redefines the way security is implemented by enforcing a proactive approach to deal with such highly evasive threats. This rapidly evolving threat landscape makes it imperative for us to stay one step ahead and invest in Zero trust by design.
In light of the intelligence gathered and analysis performed from various sources, we can state with confidence that the threat actors have been using the ‘EvilProxy’ phishing kit and specifically exploiting the open redirection vulnerability in the ‘indeed.com’ application to impersonate the Microsoft Online page for credential phishing and account compromise.
Account compromise only forms the preliminary stages of an attack chain that could possibly end up in a Business Email Compromise where the potential impact could range from identity theft, intellectual property theft and massive financial losses.
There is a high probability that we can see a surge in the usage of ‘EvilProxy’. Firstly, it is easy to use with a simple interface with tutorials and documentation easily available on the dark web. The ability to circumvent MFA makes this a powerful tool in the arsenal for cybercriminals.
Menlo Labs have reached out to Indeed.com informing them of the existence of the open redirect vulnerability and its active exploitation out in the wild. They have been informed about the criticality and severity that this threat poses.
Posted by Ravisankar Ramprasad on Oct 03, 2023
Tagged with Awareness, HEAT, Menlo Labs, RBI, Threat Trends, Web Security
Threat Trends & Research
To talk to a Menlo Security expert, please complete the form.