Threat actors are moving away from spray-n-pray phishing attacks in favor of campaigns that can automatically adapt to a target’s device and operating system.

Today, anti-phishing security vendor Cofense published research covering the cutting-edge ways threat actors are upping their phishing game. As research post author Max Gannon of Cofense Intelligence explained, classic phishing attacks often relied on clumsy, simple emails and an attachment with a simple infection chain that could slip past secure email gateways. Many modern campaigns instead use emails targeted and tailored to the victim, with narratives relevant to the target (such as an invoice delivered to a business manager) and more complex infection chains.

More recently, Cofense has seen phishing campaigns that become even more targeted once the victim clicks a link or opens an attachment. At that stage, the attachment or landing page collects information from the user agent supplied by the browser; the user-agent string is text that web browsers and applications send when a web page is loaded. Through this data, the attacker can fingerprint the victim and collect the victim's email address, browser information, device information, language, local time, screen and window size, and geolocation.


“One method of detection that is appearing more often is the use of Cloudflare user-agent blocking, which redirects traffic based on the perceived operating system of the browser before the victim even visits the malicious page,” the research read. “This enables threat actors to deliver customized payloads without having to add their own detection scripts.”

The Right Phishing Payload for the Right Victim

This data is often used to deliver the right malware to the right user; one example Cofense cited was a phishing landing page that delivered FleetDeck for macOS or Tiflux RAT for Windows, depending on what attackers detected during fingerprinting. Much of the malware Cofense has observed in multiplatform campaigns has been “technically legitimate remote access tools (RATs) that have been repurposed to act as remote access trojans (Also RATs),” as they’re much harder for automated defenses to detect. 

Moreover, “threat actors are progressively using tools like Telegram to exfiltrate and save the information more often,” Gannon wrote.

Multiple campaigns have been observed using platform-aware tactics, and similar tactics are used for the deception component as well. Phishing landing pages will make decisions to mimic Google, Docusign, Microsoft Teams, Adobe, and Zoom download screens based on telemetry picked up from the victim’s browser.


It is no surprise that phishing actors have stepped up their game in recent years. Large language models (LLMs) let attackers around the world generate phishing emails in perfect English in no time at all; phishing kits give low-skill attackers the ability to conduct sophisticated attacks they couldn’t pull off otherwise; and social engineering attacks keep getting trickier, thanks to emerging tactics like ClickFix.

As for these new platform-aware techniques, the reason behind them is simple: better economics for the attacker.

“By building campaigns that can identify a victim’s device and deliver the most effective payload for that environment, threat actors can reach more targets, increase the likelihood of compromise, and extract more useful information from each interaction,” Gannon wrote. “Instead of losing traffic when a victim is on macOS, Android, or another unsupported platform, threat actors can still monetize the click-through credential theft or customized remote access tools. In practice, this means greater profit, broader target coverage, and higher return on investment from the same lure, infrastructure, and campaign effort.”


Just Another Phishing Campaign

The campaigns Cofense describes are standard phishing campaigns with some trickier moves once an email recipient clicks a malicious link. 

As with so many other phishing campaigns, standard best practices work well here. Phishing-resistant authentication methods such as FIDO2 keys are a sound investment, as is employee training on the modern ways threat actors run phishing and social engineering campaigns. There is also a wide range of security products that aim to keep such attacks from ever reaching employee inboxes.

Gannon tells Dark Reading that the core message for security leaders is that the most important thing to do is close the cross-platform visibility gap by unifying monitoring across Windows, Mac, and mobile, so activity is appropriately viewed as a single campaign. 

He also recommends building visibility “into what happens after the click, meaning the redirect chains and device-specific delivery logic, rather than relying solely on blocking the first email.” Moreover, one of the most valuable resources for stopping phishing are one’s own employees.
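The "after the click" visibility Gannon describes can be approximated from ordinary web-proxy telemetry: a platform-aware lure is one URL that hands each operating system a different redirect target or payload, and the Windows, Mac and mobile hosts that hit it belong to one campaign. The script below is an added example written for this article, not Cofense's tooling; the log format, the hostnames and the lure and CDN domains are constructed for illustration, and the OS classification is a deliberately simple user-agent keyword match.

```python
"""Flag one lure URL that redirects different operating systems to different
destinations, and roll the affected hosts into a single campaign record.
Added example for this article; the log format below is constructed."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines (not real telemetry). A real proxy would log the
# User-Agent and the Location header of a redirect response in its own format.
SAMPLE_LOG = """\
2024-06-03T09:12:01Z host=win-fin-07 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36" url=https://lure.example/invoice/8812 status=302 location=https://cdn-a.example/win/Invoice_8812.exe
2024-06-03T09:12:09Z host=mac-hr-02 ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) AppleWebKit/605.1.15 Safari/605.1.15" url=https://lure.example/invoice/8812 status=302 location=https://cdn-b.example/mac/Invoice_8812.dmg
2024-06-03T09:12:40Z host=android-sales-11 ua="Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 Chrome/124.0 Mobile Safari/537.36" url=https://lure.example/invoice/8812 status=302 location=https://login-portal.example/m365
2024-06-03T10:01:15Z host=win-eng-03 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36" url=https://docs.example/handbook.pdf status=200 location=-
2024-06-03T10:05:22Z host=mac-eng-05 ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) AppleWebKit/605.1.15 Safari/605.1.15" url=https://docs.example/handbook.pdf status=200 location=-
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) ua="(?P<ua>[^"]*)" url=(?P<url>\S+) '
    r'status=(?P<status>\d+) location=(?P<location>\S+)$'
)

# File extensions that only make sense as a platform-specific dropper.
PAYLOAD_KINDS = {
    ".exe": "windows-binary", ".msi": "windows-installer",
    ".dmg": "macos-image", ".pkg": "macos-installer",
    ".apk": "android-package",
}


def os_from_user_agent(ua):
    """Coarse OS family from a User-Agent string (keyword match, order matters:
    Android UAs also say 'Linux', iPad UAs may say 'Macintosh')."""
    if "Android" in ua:
        return "android"
    if "iPhone" in ua or "iPad" in ua:
        return "ios"
    if "Windows" in ua:
        return "windows"
    if "Macintosh" in ua or "Mac OS X" in ua:
        return "macos"
    if "Linux" in ua:
        return "linux"
    return "unknown"


def payload_kind(url):
    """Classify a final destination by the file type its path ends with."""
    path = urlparse(url).path.lower()
    for ext, kind in PAYLOAD_KINDS.items():
        if path.endswith(ext):
            return kind
    return "web-page"


def parse_log(text):
    """Turn log lines into event dicts with the OS family and final destination."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        e = m.groupdict()
        e["os"] = os_from_user_agent(e["ua"])
        # The destination the victim ends up at is the redirect target when
        # there is one, otherwise the requested URL itself.
        e["final"] = e["url"] if e["location"] == "-" else e["location"]
        events.append(e)
    return events


def find_platform_aware_lures(events):
    """Group hits by requested URL; report URLs whose destination depends on OS."""
    by_url = defaultdict(list)
    for e in events:
        by_url[e["url"]].append(e)
    findings = []
    for url, group in by_url.items():
        per_os = defaultdict(set)
        for e in group:
            per_os[e["os"]].add(e["final"])
        # Benign content is served the same way to everyone. A platform-aware
        # lure needs at least two OS families and more than one destination.
        if len(per_os) < 2:
            continue
        all_finals = set().union(*per_os.values())
        if len(all_finals) < 2:
            continue
        kinds = sorted({payload_kind(f) for f in all_finals})
        # A mobile-site redirect is a common benign reason for per-OS
        # destinations; a platform-specific binary behind the split is not.
        severity = "high" if any(k != "web-page" for k in kinds) else "review"
        findings.append({
            "lure": url,
            "destinations": {o: sorted(d) for o, d in per_os.items()},
            "payload_kinds": kinds,
            "hosts": sorted({e["host"] for e in group}),  # one campaign, all platforms
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in find_platform_aware_lures(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed log, the script reports a single finding for the invoice lure, listing the Windows binary, the macOS disk image and the Android credential-harvesting page side by side, with all three hosts under one record; the uniform `handbook.pdf` fetches are ignored. The severity rule is a starting point only: a legitimate site that redirects mobile browsers to a separate subdomain will surface as "review", which is exactly the kind of case an analyst should confirm rather than auto-block.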

“Organizations,” he says, “should also treat their people as a primary sensor rather than a last line of defense, since threat actors increasingly repurpose trusted remote access tools like ConnectWise RAT that signature-based defenses will rarely flag, and it is usually a trained employee, not an automated scanner, who recognizes that an unexpected tool is out of place.”
