A phishing campaign uses custom login pages for email domains

November 14, 2024

A new phishing campaign has been identified that targets email users by dynamically altering the appearance of the phishing page based on the recipient’s email address. The attacker sends the victim an email containing a malicious link with the victim’s email address encoded in the URL. When the victim clicks the link, the phishing site decodes the address, adjusts its user interface (UI) to resemble the victim’s email provider or organization, and prompts for the password. Because the page is branded for each recipient and the address is already filled in, it is difficult for users to recognize the site as malicious.

URL

https[:]//app.accountists.com/payment-approval/22692.0.jsp?accountID=aW5mb0BtaWNyb3NvZnQuY29t&_task=mail&_mbox=INBOX&?utm_medium=ppc&utm_source=house-ads&utm_campaign=teams-overflowai-launc#aW5mb0BtaWNyb3NvZnQuY29t

Query Parameters

“?accountID=aW5mb0BtaWNyb3NvZnQuY29t” (decoy query parameter)

This query parameter carries the target’s email address encoded in Base64: aW5mb0BtaWNyb3NvZnQuY29t decodes to info@microsoft.com. The remaining parameters (_task, _mbox and the utm_* values) mimic a legitimate webmail and ad-tracking URL. The same encoded value is repeated in the URL fragment (after the #), which is available to the page’s client-side script but is not sent to the server.

Affected Parties

  1. Individuals and organizations receiving phishing emails
  2. Email service providers (targeted for brand impersonation)
  3. Corporate users (especially those using corporate email domains)

Indicator of Compromise (IOC)

Domain/URL:

app.accountists[.]com (Phishing Domain)

hxxps://x9e[.]net/next/sim/1v[.]php (Command & Control)

IP Address:

85[.]202[.]163[.]133

Details of the Phishing Campaign Attack

  1. Delivery Method
    • The phishing attempt begins with an email that contains a link. This link has an encoded email address in the URL, which is disguised using base64 encoding or other obfuscation techniques.
      The email subject and content are crafted to make the message appear as though it originates from a legitimate source, such as an official email provider (e.g., Gmail, Outlook) or a corporate IT department.
  2. Malicious URL Structure
    • The query parameter “accountID” in the malicious URL is the base64-encoded email address (the same value is repeated in the URL fragment).
      Upon visiting the link, the phishing site decodes the email and pre-populates it into the email field of the login form. This makes the phishing site seem more legitimate to the victim.
  3. Dynamic UI Changes Based on Email Address
    • Once the victim’s email is parsed from the URL, the phishing page dynamically changes its appearance based on the email domain (e.g., @gmail.com, @outlook.com, @company.com).
      The page fetches brand-specific logos and UI elements from public logo services such as the Clearbit Logo API or Google’s favicon service, keyed on the domain part of the decoded address, to display the logo of the email provider or organization, making it look more authentic.
      For instance, a victim with a @gmail.com email will see the Gmail logo, while someone with a corporate domain like @company.com will see the company’s branding.
  4. Credential Harvesting
    • The phishing site displays a login form asking for the victim’s password, which is sent to the attacker’s server upon submission.
      An AJAX request silently exfiltrates the victim’s credentials to the attacker’s server. The request body is base64-encoded, which defeats simple keyword inspection of the traffic by security software.
  5. User Redirection
    • If the victim attempts to log in multiple times (e.g., after entering the wrong password), the site eventually redirects them to a legitimate service such as DocuSign or Gmail, further obscuring the attack.
      The redirection to a trusted service after several failed attempts makes the victim believe that any earlier error messages were legitimate.
  6. Error Feedback and Further Deception
    • If the victim enters an incorrect password, they are presented with error messages like “Password is incorrect. Please try again,” encouraging them to try again and increasing the chances of capturing accurate credentials.
      After multiple attempts, the site resets the process, making the victim feel like it was a temporary issue and not a security threat.
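The URL pattern described in the Query Parameters section and in steps 2 and 3 above can be checked mechanically. The following Python script is an added example, not code from the campaign or from the advisory: it refangs a URL, looks for any query value or fragment that base64-decodes to an email address (standard or URL-safe alphabet, with or without padding), extracts the domain the kit would use to select branding, and matches the host against the IOCs listed above. The advisory URL is taken from this page; the two other sample URLs are constructed.

```python
"""Detect URLs carrying a base64-encoded e-mail address, as used by this
campaign, and match hosts against the published IOCs.  Added example."""
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# IOCs from the advisory above; the hostnames in the samples further down are constructed.
IOC_HOSTS = {"app.accountists.com", "x9e.net"}
IOC_IPS = {"85.202.163.133"}

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Standard or URL-safe base64 alphabet, at least 8 chars (a 6-char address or longer).
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{8,}={0,2}$")


def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.] and [:]) so IOC-style URLs parse."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def decode_email(value: str):
    """Return the e-mail address if `value` is base64 that decodes to one, else None."""
    if not B64_RE.match(value):
        return None
    raw = value.rstrip("=").replace("-", "+").replace("_", "/")
    padded = raw + "=" * (-len(raw) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if EMAIL_RE.match(text) else None


def query_pairs(query: str):
    """Split a query string without '+'-to-space decoding, which would corrupt base64."""
    for chunk in query.split("&"):
        if chunk:
            key, _, val = chunk.partition("=")
            yield unquote(key), unquote(val)


def encoded_emails_in(url: str) -> dict:
    """Map 'query:<name>' or 'fragment' to every decoded address found in the URL."""
    parts = urlsplit(refang(url))
    found = {}
    for key, val in query_pairs(parts.query):
        email = decode_email(val)
        if email:
            found[f"query:{key}"] = email
    email = decode_email(parts.fragment) if parts.fragment else None
    if email:
        found["fragment"] = email
    return found


def assess(url: str) -> dict:
    """Score one URL: IOC hit, encoded addresses, and the domains the kit would brand for."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    ioc_hit = host in IOC_IPS or host in IOC_HOSTS or any(host.endswith("." + h) for h in IOC_HOSTS)
    emails = encoded_emails_in(url)
    brand_domains = sorted({e.split("@", 1)[1].lower() for e in emails.values()})
    return {"host": host, "ioc_hit": ioc_hit, "encoded_emails": emails,
            "brand_domains": brand_domains, "suspicious": ioc_hit or bool(emails)}


# The first URL is the one quoted in this advisory; the other two are constructed samples.
ADVISORY_URL = ("https[:]//app.accountists.com/payment-approval/22692.0.jsp?accountID=aW5mb0BtaWNyb3NvZnQuY29t"
                "&_task=mail&_mbox=INBOX&?utm_medium=ppc&utm_source=house-ads&utm_campaign=teams-overflowai-launc"
                "#aW5mb0BtaWNyb3NvZnQuY29t")
BENIGN_URL = "https://accounts.google.com/signin/v2/identifier?flowName=GlifWebSignIn&hl=en"
CONSTRUCTED_URL = "https://example.invalid/login#dXNlci5uYW1lQGV4YW1wbGUub3Jn"

if __name__ == "__main__":
    for u in (ADVISORY_URL, BENIGN_URL, CONSTRUCTED_URL):
        print(assess(u))
```

Run over an email-gateway or proxy export, `suspicious` flags both known-IOC hosts and the more general pattern of an encoded address in a URL, which survives the attacker moving to a fresh domain; `brand_domains` tells you which tenant the lure was built for.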

Advisory Recommendations

For Potential Victims

  • Be Cautious of Unexpected Emails: Always verify the sender’s email address and the legitimacy of any links before clicking. Do not trust emails that ask you to take urgent action, especially if they contain generic greetings (e.g., “Dear User”).
  • Hover Over Links Before Clicking: Hover over any embedded links to view the URL. Be suspicious if the domain name does not match the expected organization (e.g., Gmail login links should always lead to accounts.google.com).
  • Check the URL for Encoding: If you notice base64-encoded strings in a URL (such as a long string of letters and numbers after a # or ?), this can be a sign of phishing. Legitimate companies rarely send encoded email addresses in URLs.
  • Verify with Your Provider: If you receive an email prompting you to log in, go directly to the official website (e.g., type gmail.com into your browser) instead of clicking on links within the email.
  • Look for HTTPS Encryption: Ensure the URL starts with “https://” (though note that some phishing sites may still use HTTPS to appear legitimate).
  • Use Two-Factor Authentication (2FA): Even if your password is captured, 2FA adds a further barrier. Prefer phishing-resistant methods (a FIDO2 security key or passkey, which only work on the genuine site) over an authenticator app, and an authenticator app over SMS codes, which can be intercepted or relayed.

For IT Departments and Organisations

  • Implement CSP and X-Frame-Options headers: Send Content-Security-Policy: frame-ancestors (the current control) together with X-Frame-Options for older browsers, so your login pages cannot be embedded in iframes and reused inside a phishing page.
  • Monitor Referer Headers for Suspicious Embedding: Log the Referer header (and, in current browsers, Sec-Fetch-Dest and Sec-Fetch-Site) on requests to your login pages. Requests for those pages that arrive with a Referer from a domain you do not own, or with Sec-Fetch-Dest: iframe, indicate that your site is being framed or linked from an unauthorized source.
  • Educate Users on Phishing Tactics: Conduct regular security awareness training for employees and users to help them recognize phishing attempts, especially those using brand impersonation tactics.
  • Implement Domain Monitoring: Set up monitoring tools to track the use of your company’s domain in phishing attacks.
  • Use DMARC, SPF, and DKIM: Ensure your organization has implemented DMARC, SPF, and DKIM email authentication mechanisms to reduce the risk of email spoofing.
  • Monitor User Activity for Suspicious Logins: Watch failed login attempts and unusual login activity, such as multiple attempts from different locations or from IP addresses associated with this campaign. Rate-limit or step-up authentication after a set number of failures; hard account lockouts can themselves be abused to lock users out, so apply them carefully.
  • Use Security Incident Response Tools: Invest in automated phishing detection and incident response tools. These can identify and mitigate phishing attempts by flagging suspicious links and intercepting credential harvesting forms.
  • Encourage Use of Password Managers: A password manager auto-fills credentials only on the domain they were saved for, so it will offer nothing on a look-alike phishing domain. Encourage users to rely on it and to treat a missing auto-fill on a familiar-looking login page as a warning sign.
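The first two recommendations for IT departments above (anti-framing headers and Referer monitoring) can be put together as follows. This is an added example and not part of the advisory: it produces the response headers a login page should send, and scans web-server access log lines for requests to that page that were framed or linked from a host outside your own. The log format (combined log plus the Referer, User-Agent and Sec-Fetch-Dest values), the hostnames, and the log lines themselves are constructed for the example.

```python
"""Anti-framing headers for a login page, plus a check of access logs for
requests framed or referred from hosts you do not own.  Added example."""
import re
from urllib.parse import urlsplit

# Hosts allowed to frame or link to the login page.  Constructed example values.
OWN_HOSTS = {"login.example.com", "www.example.com"}


def anti_framing_headers() -> dict:
    """Response headers for the login page.  CSP frame-ancestors is the current
    control; X-Frame-Options is kept for browsers that predate it."""
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }


# Combined log format with three quoted fields appended: Referer, User-Agent,
# Sec-Fetch-Dest.  This layout is an assumption of the example, not a standard.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<dest>[^"]*)"$'
)


def referer_host(referer: str) -> str:
    """Hostname of a Referer value, or '' when the header was absent ('-')."""
    if referer in ("", "-"):
        return ""
    return (urlsplit(referer).hostname or "").lower()


def find_foreign_framing(lines, own_hosts=OWN_HOSTS):
    """Return (client ip, referer host, path, reason) for each request that was
    referred from a host outside own_hosts or loaded as an iframe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        host = referer_host(m["referer"])
        framed = m["dest"].lower() in {"iframe", "frame"}
        if host and host not in own_hosts:
            reason = "foreign Sec-Fetch-Dest=iframe" if framed else "foreign Referer"
            hits.append((m["ip"], host, m["path"], reason))
        elif not host and framed:
            # Referer can be stripped by policy, but a browser still labels the
            # navigation as an iframe load.
            hits.append((m["ip"], "", m["path"], "framed with no Referer"))
    return hits


# Constructed sample log lines (RFC 5737 addresses, .invalid hostnames).
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Nov/2024:10:01:02 +0000] "GET /login HTTP/1.1" 200 5120 '
    '"https://www.example.com/" "Mozilla/5.0" "document"',
    '198.51.100.7 - - [14/Nov/2024:10:02:15 +0000] "GET /login HTTP/1.1" 200 5120 '
    '"https://phish-kit.invalid/payment-approval/index.php" "Mozilla/5.0" "iframe"',
    '198.51.100.9 - - [14/Nov/2024:10:03:40 +0000] "GET /login?next=%2Fmail HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0" "iframe"',
    '203.0.113.8 - - [14/Nov/2024:10:04:01 +0000] "GET /static/app.js HTTP/1.1" 200 900 '
    '"https://login.example.com/login" "Mozilla/5.0" "script"',
]

if __name__ == "__main__":
    print(anti_framing_headers())
    for hit in find_foreign_framing(SAMPLE_LOG):
        print(hit)
```

With the headers in place the framed requests still reach your server (the browser fetches the page and then refuses to render it), so the log check is what tells you someone tried. Feed it the relevant access log and alert on any hit whose Referer host is not yours.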

How To Protect Yourself

  • Stay informed about the latest phishing techniques, as attackers continuously refine their methods.
  • Always validate the URL in your browser and ensure it matches the expected website before entering sensitive information.
  • Enable account recovery options like recovery phone numbers and backup email addresses to secure your accounts further.
  • If you think you’ve fallen victim, immediately change your password and notify your email provider or IT department. Use tools like Have I Been Pwned to check if your email has been compromised in any breach.

Conclusion

This phishing campaign is an advanced attack that uses social engineering and brand impersonation to steal credentials. By dynamically adjusting the user interface based on the victim’s email provider or organization, it creates a convincing experience that can trick even vigilant users. Protect yourself by following the recommended security practices and being aware of the signs of phishing. Always verify the source of unexpected emails, and avoid clicking on unfamiliar links.

