Using Google Search, 404 error phishing login pages, MitM to co-opt legit logos
Microsoft saw phishing attacks reach new heights of creativity and sophistication in 2019. The company has revealed the most cunning phishing attacks it spotted this year targeting Office 365 users around the globe.
The three new techniques that made Microsoft’s most creative list for 2019 involved hijacking Google search results; creating custom ‘404’ Not Found error pages that were crafted as Microsoft login phishing pages; and using a man-in-the-middle component that captured legitimate Microsoft logos to simulate Microsoft sign-in pages.
The three techniques are part of the reason Microsoft has observed a significant rise in phishing attacks in recent years. Earlier this month it reported that the share of inbound email to Office 365 users that was phishing had climbed from 0.3% to 0.6% over the past year, continuing a two-year trend of roughly two-fold year-over-year increases in inbound phishing email.
The first technique used Google Search results to herd targets in certain regions, such as Europe, towards a page that was the top result for specific, albeit obscure, keywords and that eventually led the victim to a phishing page.
According to Microsoft, the search-poisoning technique relied on phishing emails whose links pointed not to the attacker's site but to Google search results for a keyword the attackers had already ensured returned their own site as the top hit. From the search results page, victims landed on an attacker-controlled SEO website, which sent them on to a site that delivered malware or hosted a phishing page.
In one example, the attackers ensured the top result for the keyword search “hOJoXatrCPy” was the domain c77684gq[.]beget[.]tech, which the attackers controlled.
This allowed phishers to send emails containing legitimate URLs on a trusted Google domain. The attacker-controlled result then sent users in some regions to a malicious redirector website, while users outside Europe saw a search that returned no results at all.
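A defender can key on exactly this pattern: a link in mail that points at a search engine rather than a destination, with a query string that is a single high-entropy token no human would type. The following Python is an added example, not code from Microsoft or from the page; the entropy and case-switch thresholds are assumptions chosen to separate a token like hOJoXatrCPy from ordinary queries, and the sample email body is constructed.

```python
import math
import re
from urllib.parse import parse_qs, urlparse

# Matches google.com and its country-code variants (google.de, google.co.uk, ...).
GOOGLE_HOST = re.compile(r"^(www\.)?google\.[a-z.]+$")
URL_PATTERN = re.compile(r"https?://[^\s\"'<>]+")

# Heuristic thresholds (assumptions, not values from Microsoft's report).
MIN_LEN = 8
MIN_ENTROPY = 3.0      # bits per character over the lower-cased token
MIN_CASE_SWITCHES = 3  # upper/lower flips between adjacent letters


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical character distribution."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(keyword: str) -> bool:
    """True if the search term looks machine-generated rather than typed by a person."""
    token = keyword.strip()
    # Real queries usually contain spaces or are short dictionary-like words.
    if " " in token or len(token) < MIN_LEN or not token.isalnum():
        return False
    switches = sum(
        1 for a, b in zip(token, token[1:])
        if a.isalpha() and b.isalpha() and a.isupper() != b.isupper()
    )
    return shannon_entropy(token.lower()) >= MIN_ENTROPY and switches >= MIN_CASE_SWITCHES


def classify_search_url(url: str):
    """Return (keyword, suspicious) for a Google search link, or None for anything else."""
    parsed = urlparse(url)
    if not GOOGLE_HOST.match(parsed.netloc.lower()) or parsed.path != "/search":
        return None
    query = parse_qs(parsed.query).get("q", [""])[0]
    return query, looks_random(query)


def suspicious_search_links(body: str):
    """All search-engine links in an email body whose keyword looks generated."""
    hits = []
    for url in URL_PATTERN.findall(body):
        result = classify_search_url(url)
        if result and result[1]:
            hits.append((url, result[0]))
    return hits


# Constructed sample message (not a real campaign email).
SAMPLE_EMAIL = """Your mailbox quota was exceeded. Review the notice here:
https://www.google.com/search?q=hOJoXatrCPy
Help center: https://www.google.com/search?q=office+365+login
Sign in: https://login.microsoftonline.com/"""

if __name__ == "__main__":
    for url, keyword in suspicious_search_links(SAMPLE_EMAIL):
        print(f"suspicious search-redirect link: {url} (keyword {keyword!r})")
```

The check deliberately ignores where the search result leads: the point of the technique is that the mail carries only a Google URL, so the redirector is invisible until the search is executed, and the only signal left in the message is the keyword itself.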
Microsoft said the 404-page veneer was a “shrewd” way to serve phishing pages.
“We uncovered a phishing campaign targeting Microsoft that used 404 pages crafted as phishing pages, which gave phishers virtually unlimited phishing URLs,” said Microsoft.
The 404 page looked almost identical to a Microsoft account sign-in page. Because the phishing content was served as the web server's Not Found response, any non-existent path on the domain returned it, and the attackers combined this with subdomain generation algorithms that produced random subdomains, giving them near-infinite phishing URLs, each returning a ‘404 error’ that looked just like Microsoft’s login page, to bypass security systems.
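One quick check a practitioner can run against a suspicious domain follows directly from the technique: request a path that cannot exist and see whether the Not Found response is a login page. The Python below is an added example, not code from Microsoft or from the page. Fetching sits behind an injectable `fetch` callable so the check runs offline against the constructed HTML responses embedded here; the `http_fetch` helper and the markers used to recognise a sign-in form are assumptions.

```python
import secrets
import urllib.error
import urllib.request
from html.parser import HTMLParser


class FormScanner(HTMLParser):
    """Collects input types and form targets so we can spot a credential form."""

    def __init__(self):
        super().__init__()
        self.input_types = []
        self.form_actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input":
            self.input_types.append((attrs.get("type") or "text").lower())
        elif tag == "form":
            self.form_actions.append(attrs.get("action") or "")


def has_credential_form(body: str) -> bool:
    """A page that asks for a password inside a form is treated as a login page."""
    scanner = FormScanner()
    scanner.feed(body)
    return "password" in scanner.input_types and bool(scanner.form_actions)


def assess(status: int, body: str) -> str:
    """Classify one HTTP response by status code and whether it carries a login form."""
    login = has_credential_form(body)
    if status == 404 and login:
        return "login page served as 404"
    if status == 200 and login:
        return "login page"
    if status == 404:
        return "plain 404"
    return "other"


def random_path() -> str:
    """A path no legitimate site should have, so the server's Not Found handler answers."""
    return "/" + secrets.token_hex(8)


def http_fetch(url: str):
    """Return (status, body) even for error responses. Assumption: plain urllib suffices."""
    req = urllib.request.Request(url, headers={"User-Agent": "404-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(host: str, fetch=http_fetch) -> str:
    """Request a nonexistent path on host and classify what comes back."""
    status, body = fetch(f"https://{host}{random_path()}")
    return assess(status, body)


# Constructed responses standing in for two hosts (not captured from a real campaign).
PHISH_404 = """<html><body><h1>Sign in</h1>
<form method="post" action="/collect.php">
<input type="email" name="loginfmt"><input type="password" name="passwd">
<button>Next</button></form></body></html>"""
PLAIN_404 = "<html><body><h1>Not Found</h1><p>The requested URL was not found.</p></body></html>"

FAKE_HOSTS = {"phish.example": (404, PHISH_404), "benign.example": (404, PLAIN_404)}


def fake_fetch(url: str):
    """Offline stand-in for http_fetch keyed on the host part of the URL."""
    host = url.split("/")[2]
    return FAKE_HOSTS[host]


if __name__ == "__main__":
    for host in FAKE_HOSTS:
        print(host, "->", probe(host, fetch=fake_fetch))
```

Against a live host, call `probe("some-host")` with the default fetcher. The signal is the combination, not either half alone: a 404 status is normal, and a login form is normal, but a login form returned for a path that was just made up is the fingerprint of this campaign.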
The final technique in Microsoft’s 2019 roundup used a man-in-the-middle (MitM) component to make the phishing page appear to come from Microsoft itself.
Rather than copy parts of Microsoft’s log-in pages, the attackers used an MitM component to capture “logos, banners, text, and background images from Microsoft’s rendering site”, meaning the phishing site could directly tap Microsoft’s own site to display a very convincing login page, as well as using a target’s email address to spoof the target’s specific sign-in page for Microsoft online services.
“Phishers sent out emails with URLs pointing to an attacker-controlled server, which served as the man-in-the-middle component and simulated Microsoft sign-in pages. The server identified certain specific information based on the recipient’s email address, including the target company, and then gathered the information specific to that company. The result was the exact same experience as the legitimate sign-in page, which could significantly reduce suspicion,” Microsoft explained.