With users becoming increasingly skeptical of unknown links and emails, attackers are having to turn to something other than phishing campaigns to wrangle in possible victims.
A new attack, drive-by-logins, might be the phishing campaign's ultimate successor, according to a High-Tech Bridge blog post detailing the attack.
A drive-by-login attack differs from drive-by download by targeting a specific visitor to an infected website. This allows attackers to leverage a vulnerability in the website and install a backdoor that delivers malware directly to their target.
In High-Tech Bridge's sample incident, for example, the attackers identified a person they wanted to infect. With some intelligence gathering on their side, they determined the person frequently visited a favorite online shop.
This type of information can be gleaned from social media alone, said Ilia Kolochenko, CEO of High-Tech Bridge, in an interview with SCMagazine.com. No infection or email access is necessarily needed.
Once the attackers identified the person's preferred online shop, they exploited a recent Flash zero-day vulnerability to compromise its storefront with their backdoor code. Then, they waited. The target's email address and IP are written into the code to serve as a trigger to drop the malware, the blog post said.
“To make sure the malware stays untouched [on the site] until the victim comes, they [the attackers] modify it in such a manner that the malware is injected into the browser only for the particular victim," Kolochenko said.
Their logic, he said, could be that regularly visited sites might not be as scrutinized as unfamiliar sites. Extra permissions could be provided because it's trusted.
Furthermore, whereas a phishing campaign requires not only the creation of a convincing email but also a legitimate appearing website, this attack harnesses already existing, and trusted, online destinations.
Drive-by-logins could feasibly replace phishing as attackers' preferred method of infection, Kolochenko said, but it seems more likely to be used in Advanced Persistent Threat (APT) campaigns. Even if high-profile targets employ their own security teams, for example, they remain at the mercy of a website's security.
That's why he recommended website operators deploy automated vulnerability scans as well as manual web application penetration testing. Victims, he said, should remain aware and skeptical of trusted sites.