Phishing has evolved into a complex landscape that demands careful examination of the tactics adversaries use. In this chapter we look at several facets of phishing, from server-side attempts to detect sandboxes to the misuse of redirection services, fake reCAPTCHA pages and QR codes.
A major challenge we encountered was server-side sandbox detection. Phishing sites appear to match the visitor's IP address against lists of known VPN addresses and, when the address looks like it belongs to an analysis environment, redirect the visitor to a benign site such as Wikipedia, return a 404 error, or abort the connection instead of serving the phishing page. The goal is for the URL to work normally on a victim's personal device but not inside a sandbox, so that automated analysis never sees the malicious content.
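To make the gating concrete, here is an added example (not code from the report or from any phishing kit) that reproduces the three server-side outcomes described above and doubles as a fixture for checking whether a sandbox's egress addresses would be served. The flagged ranges are constructed from RFC 5737 / RFC 3849 documentation prefixes standing in for a VPN feed; the handler class, port and function names are assumptions of this example.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample list. Real kits use commercial VPN/proxy/hosting feeds;
# the documentation ranges below stand in for those.
FLAGGED_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "198.51.100.0/24",   # stands in for a VPN provider's egress block
    "203.0.113.0/24",    # stands in for a hosting/datacenter provider
    "2001:db8:1::/48",   # stands in for a VPN provider's IPv6 block
)]

def looks_like_sandbox(ip_str, ranges=FLAGGED_RANGES):
    """True if the client address falls inside any flagged range.
    Malformed addresses are treated as suspicious rather than trusted."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return True
    return any(ip in net for net in ranges)

def gate(ip_str, mode="redirect"):
    """Return (status, body) for a request from ip_str.

    'Personal' addresses get the phishing page. Flagged addresses get one of
    the three outcomes the report describes: a redirect to a benign site,
    a 404, or no response at all (status None: the socket is simply closed).
    """
    if not looks_like_sandbox(ip_str):
        return 200, "phishing page"
    if mode == "redirect":
        return 302, "https://en.wikipedia.org/"
    if mode == "404":
        return 404, "Not Found"
    return None, ""

def check_egress(addresses, ranges=FLAGGED_RANGES):
    """Defender-side helper: given the public egress addresses a sandbox uses,
    return those that a kit with this list would refuse to serve."""
    return [ip for ip in addresses if looks_like_sandbox(ip, ranges)]

class GateHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front end so the gate can be exercised from a sandbox."""
    mode = "redirect"

    def do_GET(self):
        # Behind a reverse proxy you would read X-Forwarded-For instead.
        status, body = gate(self.client_address[0], self.mode)
        if status is None:
            self.close_connection = True      # abort without any reply
            return
        self.send_response(status)
        if status == 302:
            self.send_header("Location", body)
            self.end_headers()
            return
        payload = body.encode()
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

if __name__ == "__main__":
    # Point a sandbox at http://<this host>:8080/ and compare with a
    # residential client: only the latter should see "phishing page".
    HTTPServer(("0.0.0.0", 8080), GateHandler).serve_forever()
```

When evaluating a sandbox, run `check_egress` over the addresses it actually exits through; if any of them appear in public VPN or datacenter lists, a kit like this will never show the sandbox the real page.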
Another persistent issue was the misuse of redirection services to lend a veneer of trust to malicious links: redirectors on domains such as LinkedIn and Google were used to camouflage phishing URLs.
Official services from platforms such as Facebook and Google were also turned against their users. In one case, Google Forms was used to send payment requests, and the 'From' field showing 'noreply@google.com' lent the scam an air of legitimacy.
Phishing sites are also increasingly showing fake reCAPTCHA pages instead of real ones. The fake widget may be intended to avoid the detection that a real CAPTCHA service could provide, or simply to add a layer of credibility in the eyes of potential victims.
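A simple way to tell the two apart is that a genuine widget is created by Google's script (loaded from google.com or recaptcha.net under /recaptcha/) and renders its checkbox inside an iframe served by Google, whereas a fake one paints the checkbox and the "I'm not a robot" label in the page's own HTML. The following added example (not code from the report) applies that heuristic with the standard-library HTML parser; the three page samples are constructed for the example and the class and function names are assumptions.

```python
import re
from html.parser import HTMLParser

# Script sources that actually produce a reCAPTCHA widget.
GENUINE_SCRIPT = re.compile(
    r"^https?://(www\.)?(google\.com|recaptcha\.net)/recaptcha/", re.IGNORECASE)

class RecaptchaAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.genuine_script = False   # api.js loaded from Google
        self.widget_divs = 0          # <div class="g-recaptcha" ...>
        self.branding_images = 0      # <img src="...recaptcha...">
        self.branding_text = False    # "I'm not a robot" in the page itself

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and GENUINE_SCRIPT.match(a.get("src", "")):
            self.genuine_script = True
        elif tag == "div" and "g-recaptcha" in a.get("class", "").split():
            self.widget_divs += 1
        elif tag == "img" and "recaptcha" in a.get("src", "").lower():
            self.branding_images += 1

    def handle_data(self, data):
        # The real checkbox and its label live inside an iframe served by
        # Google, so this text in the page's own HTML is itself a hint.
        if "not a robot" in data.lower():
            self.branding_text = True

def audit_recaptcha(html):
    """Classify a page as 'no-captcha', 'genuine-widget' or 'fake-captcha'."""
    p = RecaptchaAudit()
    p.feed(html)
    p.close()
    looks_like_captcha = p.widget_divs or p.branding_images or p.branding_text
    if not looks_like_captcha:
        return "no-captcha"
    if p.genuine_script and p.widget_divs:
        return "genuine-widget"
    return "fake-captcha"

# Constructed samples (not pages observed by the report).
GENUINE_PAGE = """<html><head>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
</head><body><form action="/login" method="post">
<div class="g-recaptcha" data-sitekey="EXAMPLE-SITE-KEY"></div>
<button type="submit">Sign in</button></form></body></html>"""

FAKE_PAGE = """<html><body>
<div class="captcha-box"><img src="/img/recaptcha-logo.png" alt="">
<input type="checkbox" onclick="showLogin()"> <span>I'm not a robot</span></div>
<script src="/js/captcha.js"></script></body></html>"""

PLAIN_PAGE = "<html><body><h1>Welcome</h1><a href='/about'>About</a></body></html>"
```

The heuristic is deliberately conservative: a page that loads the genuine script but also draws its own checkbox is still reported as fake, since the attacker may include the real script only for cover.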
In addition to these evolving tactics, "quishing" (phishing with QR codes) has become increasingly prevalent. Initially seen in email bodies, QR codes are now embedded in PDF and Word documents, HTML attachments and websites.
Attackers also employ evasion techniques aimed at automated QR extraction. One is to use slightly blurry QR images that a smartphone camera still reads easily but that automated software struggles with.
Another is to invert the colours or randomly tilt the individual QR code squares to the left or right; smartphones still read such codes reliably, but the QR extraction libraries used in security solutions may fail. These strategies underline the ongoing need for more robust detection methods.
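The following added example (not code from the report and not a real QR library) shows where the inverted and blurry variants break a naive extractor and what the fallback looks like. A decoder first locates the three "finder patterns", 7x7 squares whose centre row and column read dark:light:dark:light:dark in a 1:1:3:1:1 ratio; the code implements that ratio test on a small bitmap, then tries an adaptive threshold and both polarities before giving up. The image, its blurred and inverted renderings, and all function names are constructed for the example; the tilt evasion is outside its scope.

```python
# Images are lists of rows of floats: 0.0 = white paper, 1.0 = solid ink.

FINDER = ["1111111", "1000001", "1011101", "1011101",
          "1011101", "1000001", "1111111"]

def make_image(scale=3, pad=3):
    """Constructed sample: one finder pattern at `scale` px per module with a
    white border of `pad` px (hypothetical input, not a real QR code)."""
    size = 7 * scale + 2 * pad
    img = [[0.0] * size for _ in range(size)]
    for r, row in enumerate(FINDER):
        for c, ch in enumerate(row):
            if ch == "1":
                for dr in range(scale):
                    for dc in range(scale):
                        img[pad + r * scale + dr][pad + c * scale + dc] = 1.0
    return img

def invert(img):
    """Light-on-dark rendering: the 'inverted colours' evasion."""
    return [[1.0 - p for p in row] for row in img]

def box_blur(img, k=5):
    """k x k mean filter, outside the image counting as white: the 'slightly
    blurry' evasion. With 3-px modules and k=5, ink at module edges drops to
    0.6 and the white gaps between modules rise to 0.4."""
    h, w, half = len(img), len(img[0]), k // 2
    out = [[0.0] * w for _ in range(h)]
    for r in range(h):
        for c in range(w):
            total = 0.0
            for dr in range(-half, half + 1):
                for dc in range(-half, half + 1):
                    rr, cc = r + dr, c + dc
                    if 0 <= rr < h and 0 <= cc < w:
                        total += img[rr][cc]
            out[r][c] = total / (k * k)
    return out

def binarize(img, threshold=None):
    """1 = dark, 0 = light. A fixed cutoff expects crisp ink; the default uses
    the midpoint between the darkest and lightest pixel, which survives blur."""
    if threshold is None:
        lo = min(min(row) for row in img)
        hi = max(max(row) for row in img)
        threshold = (lo + hi) / 2.0
    return [[1 if p >= threshold else 0 for p in row] for row in img]

def runs(line):
    """Run-length encode a 0/1 line as [value, start, length] triples."""
    out = []
    for i, v in enumerate(line):
        if out and out[-1][0] == v:
            out[-1][2] += 1
        else:
            out.append([v, i, 1])
    return out

def ratio_ok(lengths):
    """1:1:3:1:1 test with a tolerance of half a module (as ZXing does)."""
    total = sum(lengths)
    if total < 7:
        return False
    module = total / 7.0
    return all(abs(n - e * module) < module / 2.0
               for n, e in zip(lengths, (1, 1, 3, 1, 1)))

def find_finder_patterns(bits):
    """Centres (row, col) of every finder pattern whose row *and* column
    through the centre both satisfy the ratio test."""
    found = set()
    cols = [[row[c] for row in bits] for c in range(len(bits[0]))]
    for r, row in enumerate(bits):
        rr = runs(row)
        for i in range(len(rr) - 4):
            win = rr[i:i + 5]
            if win[0][0] != 1 or not ratio_ok([n for _, _, n in win]):
                continue
            col = win[2][1] + win[2][2] // 2
            cr = runs(cols[col])
            k = next(j for j, (_, s, n) in enumerate(cr) if s <= r < s + n)
            if cr[k][0] == 1 and 2 <= k < len(cr) - 2 \
                    and ratio_ok([n for _, _, n in cr[k - 2:k + 3]]):
                found.add((cr[k][1] + cr[k][2] // 2, col))
    return found

def locate_qr(img):
    """The fallback a robust extractor needs: adaptive threshold, then both
    polarities. Returns (variant, centres) or (None, set())."""
    for name, candidate in (("normal", img), ("inverted", invert(img))):
        centres = find_finder_patterns(binarize(candidate))
        if centres:
            return name, centres
    return None, set()
```

On the crisp sample the pattern is found at the centre of the image; the inverted rendering finds nothing until the polarity is flipped, and the blurred rendering finds nothing under a fixed "solid ink" cutoff of 0.75 but is recovered by the midpoint threshold. Real extractors need the same normalisation steps (plus rotation and de-skew for the tilt variant) before handing the bitmap to the decoder.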
Phishing attacks have also increasingly exploited trusted domains by abusing "open redirect" vulnerabilities: a URL on a reputable domain such as LinkedIn, Google or Microsoft that forwards the visitor to an arbitrary, attacker-chosen destination.
This approach is particularly effective because the link the victim sees starts with a well-known domain and so does not immediately raise suspicion, especially among non-technical users.
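A link filter can unwrap such redirects without following them over the network, because the real destination is carried inside the URL itself. This added example (not code from the report) recursively extracts embedded URLs from query parameters, the fragment and the path, then flags links where a trusted host merely bounces to an untrusted one. The trusted host list, the sample URLs and the redirector paths are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qsl, unquote

# Anything that looks like an absolute http(s) URL inside a parameter value.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed allow-list; in practice this would be your organisation's and
# its well-known partners' hosts.
TRUSTED_HOSTS = {"www.trusted.example", "accounts.trusted.example"}

def first_embedded_url(url):
    """Return the first absolute URL carried inside `url` (in a query
    parameter, the fragment, or the path), or None if there is none."""
    parsed = urlparse(url)
    fields = [v for _, v in parse_qsl(parsed.query, keep_blank_values=True)]
    fields += [unquote(parsed.fragment), unquote(parsed.path)]
    for value in fields:
        m = URL_RE.search(value)
        if m:
            return m.group(0)
    return None

def unwrap_redirect_chain(url, max_depth=5):
    """Follow nested redirect parameters without touching the network.
    Returns the chain starting with `url` and ending at the innermost target;
    parse_qsl decodes one layer of percent-encoding per hop, so doubly
    encoded targets unwrap naturally."""
    chain = [url]
    for _ in range(max_depth):
        inner = first_embedded_url(chain[-1])
        if inner is None or inner == chain[-1]:
            break
        chain.append(inner)
    return chain

def classify_link(url, trusted_hosts=TRUSTED_HOSTS, max_depth=5):
    """('redirector-abuse', final_host) when a trusted host merely bounces the
    visitor to an untrusted one, otherwise ('direct', final_host)."""
    chain = unwrap_redirect_chain(url, max_depth)
    first = urlparse(chain[0]).hostname or ""
    final = urlparse(chain[-1]).hostname or ""
    if len(chain) > 1 and first in trusted_hosts and final not in trusted_hosts:
        return "redirector-abuse", final
    return "direct", final

# Constructed sample: a trusted redirector wrapping a second redirector that
# carries the actual phishing page, double-encoded.
WRAPPED = ("https://www.trusted.example/go?url=https%3A%2F%2Fcdn.hoster.example"
           "%2Fr%3Fto%3Dhttps%253A%252F%252Fevil.test%252Flogin")
```

The depth limit matters: redirect-in-redirect chains are common, but an unbounded loop on a self-referencing parameter would hang the filter. Judge the link by the final host, not the first one.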
Attackers have also moved beyond open redirects and now host malicious content directly on services tied to well-known domains, such as Microsoft's Azure Blob Storage ("blob.core.windows.net", where the attacker even chooses the subdomain, since the storage account name becomes the first label of the host) or Adobe's "indd.adobe.com" for publishing InDesign documents online.
Hosting on these trusted domains makes the lure more convincing and helps it slip past reputation-based security controls.
We also observed that many phishing pages use less common top-level domains (TLDs) such as ".top" or ".xyz". To examine this, we analysed URLs automatically submitted to our systems over the last 30 days (December 2023 to January 2024), focusing on how strongly certain TLDs were associated with malicious activity.
The analysis is inherently biased, since most links in the dataset were malicious, but it still confirmed the observed pattern: certain TLDs are so strongly associated with malicious activity that their mere presence should raise suspicion. Conversely, the TLDs least associated with phishing were those with stricter registration controls, such as ".edu" or ".gov".
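A reproducible version of that per-TLD tally, as an added example rather than the report's own analysis: it extracts the last DNS label of each host, skips bare IP addresses, and reports the malicious share per TLD with a minimum sample size so that a single hit does not dominate. The input rows are constructed for the example; a public-suffix list would be needed to treat "co.uk"-style suffixes properly, which is left out here.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

def tld_of(url):
    """Last DNS label of the URL's host, lower-cased; None for bare IP
    addresses or hosts without a dot."""
    host = urlparse(url).hostname
    if not host or "." not in host:
        return None
    try:
        ipaddress.ip_address(host)     # "203.0.113.5" has dots but no TLD
        return None
    except ValueError:
        pass
    return host.rsplit(".", 1)[-1].lower()

def tld_stats(rows, min_count=2):
    """rows: iterable of (url, is_malicious). Returns {tld: (malicious, total,
    share)} for TLDs seen at least min_count times, most suspicious first.
    The share is relative to the submitted sample, which in the report's case
    is mostly malicious, so it measures association, not a base rate."""
    counts = defaultdict(lambda: [0, 0])
    for url, is_malicious in rows:
        tld = tld_of(url)
        if tld is None:
            continue
        counts[tld][1] += 1
        if is_malicious:
            counts[tld][0] += 1
    stats = {tld: (m, t, m / t) for tld, (m, t) in counts.items() if t >= min_count}
    return dict(sorted(stats.items(), key=lambda kv: (-kv[1][2], -kv[1][1], kv[0])))

SAMPLE_ROWS = [  # constructed; not data from the report
    ("http://login-update.top/index.php", True),
    ("http://secure-pay.top/verify", True),
    ("https://docs-share.xyz/view", True),
    ("https://cool-site.xyz/", False),
    ("https://www.example.edu/", False),
    ("https://portal.example.gov/", False),
    ("http://203.0.113.5/phish", True),
    ("https://example.com/", False),
    ("http://acct-verify.com/", True),
]
```

Used as a feature, the TLD share should be fed into a scoring model alongside other signals rather than acting as a hard block: ".com" also shows up in the malicious column, just diluted by a far larger legitimate population.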
Attackers are also moving beyond traditional entry points such as email. As users have become warier of email-based threats, attackers have turned to other platforms.
This quarter we observed phishing through Microsoft Teams (used to deliver the DarkGate malware), through Google Ads (used to distribute several malware families), and through text messages posing as Amazon, delivery services or even family members.
Attackers have also used Skype (see Figure 4) and GitHub Gists, public pages for sharing code snippets much like Pastebin. Gists can be indexed by search engines and therefore surface in Google results.
At least one attacker exploited this to trick victims into installing a malicious Python package via pip.
This quarter we saw a distinct evolution in phishing techniques, including server-side sandbox detection, abuse of redirection services on reputable domains, and fake reCAPTCHA pages.
The rise of "quishing" with QR codes embedded in various document formats, together with evasion techniques such as blurry images or tilted QR code squares, shows how adaptively attackers respond to automated analysis.
Phishing sites leveraging less known TLDs like “.top” or “.xyz” and hosting malicious content on services linked to well-known domains indicate a calculated approach to gain user trust.
Additionally, the shift from traditional phishing mediums to platforms like Microsoft Teams, Google Ads, text messages, Skype, and GitHub Gists reveals the attackers’ inclination towards exploiting varied and less conventional communication channels.