Menlo Labs provides insights, expertise, context and tools to aid customers on their journey to connect, communicate and collaborate securely without compromise. The collective is made up of elite security researchers that put a spotlight on the threats you know and don’t know about.
Menlo Security’s iSOC—our isolation-powered SOC service—identified a credential phishing campaign targeting the hospitality industry. Menlo Labs researchers decided to take a deeper dive into the campaign and I’m glad we did, because it sure turned out to be an interesting one.
We’ve always known that attackers have two primary strategies to increase their probability of success, and they go to great lengths to achieve these goals:
To make credential phishing attacks look legitimate, attackers need to ensure that:
All this requires a certain amount of creativity combined with some serious reconnaissance skills to ensure a higher probability of success. Attackers also need to ensure that security researchers or other automated systems don’t identify their pages/infrastructure. Some of the techniques we’ve observed are:
Redirecting visitors to a legitimate page if they are not egressing from the range of IP addresses the attack was intended for.
The phishing attack that we identified was trying to pose as a Microsoft Office 365 page. Microsoft happens to be the brand that is most phished across our customer base. This is a result of the increased adoption of O365 by many enterprises; cybercriminals are looking to take over legitimate accounts and use them to launch additional attacks within the enterprise.
To defeat automated crawling systems and ensure that a human is interacting with the page, the attackers put the credential phishing page behind layers of visual captchas, so the user has to click the right set of images to prove that they are not a bot. The following screenshots show the workflow of the attack. Figure 1 explicitly asks the user to confirm that they are not a robot. This is common, and many websites, such as LinkedIn and Google, prompt users to do the same. Two important things are happening here. The first is that the user is made to think that this is a legitimate site, because their cognitive bias has trained them to believe that checks like these appear only on benign websites. The second is that the check defeats automated crawling systems attempting to identify phishing attacks.
In addition to the first check, the attackers have designed two other captchas, in case the first one gets defeated by automated systems. Figure 2 shows the second captcha that appears. This captcha technique requires the human to select all the picture tiles that match bicycles, followed by another captcha in Figure 3 that asks the human to identify all the pictures that match a crosswalk. If all these checks pass, then the user is taken to the final landing page, which attempts to steal the user’s credentials for O365, as seen in Figure 4.
It should be noted, however, that the attackers do not always present the same captcha images. In our testing we came across at least four different image sets.
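The two evasion techniques described above, IP-range cloaking that bounces unexpected visitors to a legitimate site, and captcha walls that stop a crawler before it reaches the credential form, leave recognisable traces in a crawl result. The following triage heuristic is an added example written for this post and is not Menlo Security's or the iSOC's code; the allow-lists of Microsoft hosts, the captcha and brand markers, and the four sample crawl results (standing in for the stages in Figures 1 to 4) are constructed assumptions. It tags a crawl as "cloaked_redirect" (re-crawl from another egress may be needed), "captcha_gate" (the real landing page has not been seen yet) or "offbrand_login" (a brand-themed password form on a host the brand does not own).

```python
"""Heuristic triage of crawled landing pages for cloaking, captcha gating and
off-brand credential forms. Added example; allow-lists and samples are constructed."""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a real deployment maintains these per impersonated brand.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
LEGIT_BRAND_HOSTS = LEGIT_LOGIN_HOSTS | {"www.microsoft.com", "www.office.com"}

CAPTCHA_MARKERS = ("g-recaptcha", "h-captcha", "not a robot", "select all images")
BRAND_MARKERS = ("office 365", "o365", "microsoft", "outlook")


class _PageScanner(HTMLParser):
    """Collect the few page features the heuristics need."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.markers = []  # lowercased class attributes and visible text

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        if a.get("class"):
            self.markers.append(a["class"].lower())

    def handle_data(self, data):
        self.markers.append(data.lower())


@dataclass
class Verdict:
    requested_host: str
    final_host: str
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def triage(requested_url: str, final_url: str, html: str) -> Verdict:
    """Classify one crawl result (URL requested, URL finally landed on, body)."""
    scanner = _PageScanner()
    scanner.feed(html)
    blob = " ".join(scanner.markers)
    req_host = (urlparse(requested_url).hostname or "").lower()
    fin_host = (urlparse(final_url).hostname or "").lower()
    verdict = Verdict(req_host, fin_host)

    has_captcha = any(m in blob for m in CAPTCHA_MARKERS)
    has_brand = any(m in blob for m in BRAND_MARKERS)

    # 1. Cloaking: an unknown host bounced the crawler to the genuine brand site.
    #    The page is not proven benign; it may need a re-crawl from the egress
    #    range the attacker expects its victims to use.
    if req_host not in LEGIT_BRAND_HOSTS and fin_host in LEGIT_BRAND_HOSTS:
        verdict.findings.append("cloaked_redirect")

    # 2. Captcha wall with no credential form: the crawl stopped at the human gate.
    if has_captcha and scanner.password_inputs == 0:
        verdict.findings.append("captcha_gate")

    # 3. Brand-themed password form on a host the brand does not own.
    if scanner.password_inputs and has_brand and fin_host not in LEGIT_LOGIN_HOSTS:
        verdict.findings.append("offbrand_login")

    return verdict


# Constructed crawl results (not real URLs) standing in for the stages above.
SAMPLES = {
    "cloaked": ("http://hotel-booking-verify.example/login",
                "https://www.microsoft.com/",
                "<html><head><title>Microsoft</title></head><body>Welcome</body></html>"),
    "captcha_wall": ("http://hotel-booking-verify.example/login",
                     "http://hotel-booking-verify.example/login",
                     '<html><body><div class="g-recaptcha"></div>'
                     "<p>Please confirm you are not a robot.</p></body></html>"),
    "credential_page": ("http://hotel-booking-verify.example/login",
                        "http://hotel-booking-verify.example/login/final",
                        "<html><head><title>Sign in to Office 365</title></head><body>"
                        '<form action="post.php" method="post">'
                        '<input type="email" name="user">'
                        '<input type="password" name="pass"></form></body></html>'),
    "genuine": ("https://login.microsoftonline.com/",
                "https://login.microsoftonline.com/",
                "<html><head><title>Microsoft Sign in</title></head><body>"
                '<form><input type="password"></form></body></html>'),
}


def triage_samples():
    """Run every constructed sample and return its finding tags."""
    return {name: triage(*args).findings for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in triage_samples().items():
        print(f"{name:16s} -> {findings or ['no finding']}")
```

A "captcha_gate" result is worth treating as unresolved rather than benign: as the post notes, the credential form only appears after the image challenges, so an automated crawl that stops at the first wall has simply not reached the page that matters.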
Phishing is the most prevalent attack vector affecting enterprises. These attacks take advantage of our inherent cognitive biases and fool us into entering our credentials. That bias, combined with the tactics used by attackers, makes these attacks very successful.
Vinay Pidathala on Sep 30, 2020