Application security, Threat Management, Malware, Phishing

Phishing scams use redirects to steal Office 365, Facebook credentials


Researchers have recently warned of two massive phishing operations, collectively targeting hundreds of thousands of users – one seeking credentials for business services such as Office 365 and the other abusing Facebook Messenger to go after roughly 450,000 of the social media giant's account holders.

Active since last week, with a major surge on Oct. 15, the Office 365 operation has reached tens of thousands of inboxes through multiple connected campaigns spoofing well-known applications such as Microsoft Office, Microsoft Teams and Zoom in hopes that users will be fooled into giving away their usernames and passwords. Senior executives and finance personnel have been identified as among the targets of the operation.

Discovered by researchers at GreatHorn, the scam also aims to infect victims with JavaScript designed to deploy various malware, including the Cryxos trojan.

According to F-Secure, Cryxos trojans are typically used to conduct call support scams. They display “an alarming notification message saying that the user's computer or web browser has been 'blocked' due to a virus infection, and that their personal details are 'being stolen'. The user is then directed to call a phone number for assistance in the 'removal process.’”

Victims who click on the emails’ malicious links are either sent directly to the phishing kit, which looks like a log-in page, or they are routed there via open redirector domains and subsidiary remains that the attackers compromised from such global brands as Sony, TripAdvisor, RAC, DigitalOcean and Google.

"The user in a corporate environment will probably not be blocked from when they click, and then it's going redirect them to the real attack, and it's going to look like a Zoom log-in or an Office login," said GreatHorn CEO Kevin O'Brien in an interview with SC Media.

The links can bypass native security controls offered by victims’ email providers, and the open redirects appear to be made possible via Apache servers, possibly due to a flaw in Apache versions prior to 2.4.41, GreatHorn reports in a company blog post.

GreatHorn advises security teams to search their companies' emails for messages with URLs that match the phishing kit’s naming structure, which was identified as http://t.****/r/, where *** represents the domain.

In his company's blog posts, O'Brien called this attack “a pervasive and significant event."

"It looks like something timely and we saw it go out to senior executive in worldwide attack mode. And we saw these things redirecting and landing in mailboxes everywhere we looked," O'Brien explained further to SC Media.

Meanwhile, the Facebook phishing operation, discovered by Cyberint, began last Friday with a campaign targeting nearly 500,000 victims across the globe.

According to a Cyberint blog post, the lure would arrive via Facebook Messenger from a known contact whose account has already been abused. The communication suggests that the recipient looks like the same person in a YouTube video, potentially enticing the potential victim to click on the link and view the video.

Hebrew, Greek and English examples of Facebook Messenger lures (Image from Cyberint blog.)

But the link actually leads victims to a fake Facebook login page in the hopes the users will enter their credentials so they can be stolen. Before reaching the phishing page, however, users are first redirected through multiple websites, including one that checks screen width as a means of determining "if the victim is using a mobile device, presumably as the attack will be less noticeable" to mobile users, the blog post explains. If the screen width is too big, the attack is essentially called off.

One the phishing scam is complete, victim is later redirected again to the legitimate Google Play Store site.

“It’s one of the more unusual attacks we’ve seen lately,” said Cyberint lead researcher Jason Hill in a statement. “The victim was never returned to the targeted site, so at this point we can only speculate it was some kind of referral fraud” in which the intermediate sites possibly earned revenue for fake user activity.

Cyberint says Facebook "shut the attack down" after the company was notified of the problem. and StackPath, whose servers were being abused within the redirection chain, reportedly also took prompt action after they were notified.

Earlier this month, Menlo Security reported that cyberattackers targeting the hospitality industry were recently observed using a phishing page that featured CAPTCHA technology as a way to elude detection, as well as to give potential victims a false sense of security that the malicious site was legit.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.