CyberWire Daily - Hijacking holiday spirit with phishing scams. [Research Saturday]

Episode Date: December 17, 2022

Or Katz from Akamai sits down with Dave to discuss research on highly sophisticated phishing scams and how they are abusing holiday sentiment. This particular threat has most recently focused on Halloween deals, enticing victims with the chance to win a free prize, including from Dick's Sporting Goods or Tumi Backpacks. It then requests credit card details to cover the cost of shipment. From mid-September to the end of October 2022, Akamai's researchers were able to uncover and track this threat. This kit mimics well-known retail stores in hopes of hijacking credit card information, feeding off of people's holiday spirit. The research can be found here: Highly Sophisticated Phishing Scams Are Abusing Holiday Sentiment

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life Thank you. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Starting point is 00:01:47 Thanks for joining us. So basically, this campaign is saying the following thing, and it's not that unique in that sense, saying, hey, there is some free of charge gift or prize or coupon, something of that nature. It's very compelling. It's very engaging in many ways. And it leads victims to, you know, press on that relevant link, go through a website and from there, you know, be more engaged with the scam and as a result, lose some of
Starting point is 00:02:23 their personal information. That's Or Katz. He's a security executive for thought leadership and research at Akamai. The research we're discussing today is titled, Highly Sophisticated Phishing Scams Are Abusing Holiday Sentiment. And it is good looking. I mean, they've taken the effort here to really make it look like the brands that they're impersonating. Yes, definitely. And they're doing a really good job, right?
Starting point is 00:03:04 We don't want to admit that, but in a sense, they're doing a good job for them to create something that's very trustworthy, looks very appealing, looks legit. And as a result of that, create much more engagement from potential victims, which is something that, you know, we need to address, right? That's something that keeps me awake at night, right? Being able to track those things and making sure that, you know, we know how to mitigate those kind of scams. And I mean, this is using some of the standard social engineering schemes that we track here. I mean, they're sort of a call to action with some urgency. They even have some fake user forums. And that's the story behind the scene, which is, right, it's not just one campaign being activated.
Starting point is 00:03:46 There's a bunch of those campaigns being activated at the same time. And they are using the same phishing toolkit in that sense. Like, toolkits would be the software being used by adversaries to launch those kind of campaigns. to launch those kind of campaigns. And what they are doing is that they are creating those, as you mentioned, fake users that looks as if they're like social networks kind of users that are trying to say, hey, this campaign really,
Starting point is 00:04:15 like this kind of offer really works. It's not a scam. I got some free gift and et cetera. And they're doing that and they're using the same fake users for different kind of campaign, different kind of merchandise being offered to the victims. And that's part of the scale of that kind of campaign. Well, let's go through some of the technical things that they're doing here as well. They're taking advantage of some URL
Starting point is 00:04:44 shorteners? Yes. So overall, they're using a variety of techniques. The first one, as you mentioned, it's URL shorteners. And in a sense, they're creating a nest of links that at the end of the day leads to the landing page, the actual phishing website. And they're using that as part of their techniques and their ways to try to evade detection. Using a nested kind of links
Starting point is 00:05:13 to lead to different or same scam create kind of agility from their point of view to be able to change one of those links and still being resilient to detection in that sense. Yeah, I mean, looking through the research here, I mean, it really reads like a, it's practically a textbook example of some of the techniques that we see here. I mean, they're using legitimate web services like AWS or Google Cloud. Exactly. And I've been asked about that a lot, right? I've been asked, how come phishing
Starting point is 00:05:47 is still working, right? And I'm struggling. Sometimes I'm struggling to answer that, right? How come people are still falling into those scams and being victimized by those scams? And there's two aspects for that. First of all, it's the social engineering part of that, how you can engage people into those scams. And we talked about that. But the second part, as you mentioned, it's a variety of techniques being used to make sure that those scams work. And URL shorteners and being able to create those kind of links that no one knows how to detect, that's part of the magic that they are creating in order to make sure that
Starting point is 00:06:23 their scams still work. There's a technical element here that you all highlight, and this is the usage of URI fragment identifier redirection. Can you unpack that for us? What are they doing here? It's the first time that I was able to see that kind of technique being used, and we haven't seen anyone report on that technique in a while. So we consider that as a novel kind of technique. And the interesting part here, and that's like before we go into the details, the issue is that adversaries are creating links that make sure that only those that press on the original link being sent to your email will be landing on the phishing scam.
Starting point is 00:07:08 And in other words, if you will take the original link without some extra kind of information, what we call URL fragmentation, of that kind of link, and you will try to use that, you will not get into the landing page. If you will take that and use that from like something that is not a browser, like a script or something like that, that scans a variety of URLs, you will not get to the landing page. And in that sense, it's one of those, you know, again, a variety of techniques being used to make sure that those scams will work and will postpone detection of that scam by creating all kinds of barriers for us from a defensive point of view.
Starting point is 00:07:54 And that kind of link creates that. Basically, in a way, it's that kind of technique being used, making sure that only once we use our browser and using the original link that was sent to us, only then we will get to the landing page for the scam. And now a message from our sponsor Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024.
Starting point is 00:08:43 These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see.
Starting point is 00:09:26 Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. So help me understand here. Does that mean that, for example, if this link was loaded in some kind of security package that pre-detonates links like this, that it may not take them to the landing page where it would for me if I clicked on it in my browser? Exactly that. In a sense, if you would try to reach out that link without using a browser or browser engine, you can do that automatically in a sort of simulation of a browser. If you will not do that, if you access that link, it will not work
Starting point is 00:10:20 because that link is actually using some functionality of JavaScript on our browser to create a follow-up link, a link that's being generated by the browser, by the JavaScript running on our browser, to redirect us to the next stage of that scam. And if you are not running a browser or browser engine, you will not be able to create that link. And as a result of that, you will not get to the phishing scam. And in a sense, that's what motivated adversaries in a way that trying to make sure
Starting point is 00:10:56 that those that are not legitimate victims, you know, the legitimate victims, it's a bit... That's an interesting turn of phrase, isn't it? Exactly. We'll not get to the scam, right? And when I'm trying to create an analogy for that from our, like from Akamai point of view on things that we're doing to protect our customers,
Starting point is 00:11:21 when we are making sure that, you know, non, like users that are not humans, meaning bots, will not reach our websites because we want to block that kind of traffic, those kind of adversaries are using similar techniques in a sense, but on the other way around. They are making sure that only victims will reach out their scam and not something that just tried to scan some URLs and try to figure out if that is a scam or not. You point out the use of randomly generated URLs, that they're really working hard to limit the access to the kit. Yeah. So, again, variety of techniques.
Starting point is 00:12:05 One of the techniques that we're able to see is a technique that makes sure that only the person that was following the link, the original link, will have access to the scan website. access to the scam website, it's a dynamic kind of generation of that link that can change between different original links being sent to end users, to the victims. And they make sure that once you take a given link given to you, for example, and I will try to use that link from my browser, and I will try to use that link from my browser, I will not get to that landing page. I need to follow the original link that was delivered for me on my email to be able to get to that scan.
Starting point is 00:12:55 If you will give me the final link, the final URL that is exposed to you once you access the website, and I will try to use it, it will not work. And again, think about it from an adversary point of view. They are trying to delay time for detection. They are trying to make sure that if you see something suspicious and you send it over for me to examine that, I will try to use that link and it will not work. And I will say, hey, nothing works here. I'm not getting into the scam. And as a result of
Starting point is 00:13:28 that, detection times takes longer because we need to do more investigation and better understanding what really happened here. Who do you suppose they're targeting here? Is there any specificity there in terms of who it seems like they're going after? So the campaign that we tracked was mainly focused on North America victims. We noticed that there are some other campaigns that are targeting different geolocated kind of victims. But in our case, it was mostly North America and the brands being abused in that sense were aligned with that. But basically, it's a consumer kind of campaign, a very basic one,
Starting point is 00:14:12 trying to, you know, get to as many people as possible, lead them to the scam. And at the end of the day, try to get their credit card information. Do you have any sense for the availability of this kit? Where people are purchasing it and the degree to which the bad guys are using it out there? That's a really great question. The short answer is no. I don't have much visibility into the kit itself, how it's being sold, and what's the market behind that. But I will say that we know that that kit and version, previous version of very similar,
Starting point is 00:14:55 if not the same kit, are being used over and over again for quite some time. again for quite some time. And I think that, in a sense, helps us to understand some of the scale and some of the motivation behind the scene, meaning this is someone that is, that's his work. His work is to create those phishing toolkits, to take them each time to the next level, make them much more sophisticated for many reasons, right? To not be detected.
Starting point is 00:15:28 That is a motivation for sophistication of the toolkit or creating more engagement in that sense. And they're doing that for quite some time. They're doing that in high scale. We see a lot of those. And we know it's some sort of a business for that. And that's unfortunately, you know, what we're seeing out there. Well, based on the information you've gathered here, then what are your recommendations for folks to best protect themselves against this?
Starting point is 00:15:57 I think that at the end of the day, there is recommendation for our colleagues, our friends, our neighbors, people that we care about, and tell them, hey, if it's too good to be true, it probably is. Make sure that you're not falling into those scams. If someone offers you a gift, a very nice gift, and it doesn't cost anything but for you to provide your credit card number for a very limited amount of money for delivery, for example, for shipment, think about it. It might be wrong, right? Don't do that. And that's for looking at the victim from that point of view.
Starting point is 00:16:39 For organization, I would say it's all about layers. I would say it's all about layers. It's all about our ability to create multi-layered approach that will make sure that we reduce the potential of having victims from our organization to the minimum. It's not 100% bulletproof, right? But it's all about the risk and what we are doing to reduce that risk. Our thanks to Orr Katz from Akamai for joining us. The research is titled
Starting point is 00:17:22 Highly Sophisticated Phishing Scams Are Abusing Holiday Sentiment. We'll have a link in the show notes. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Starting point is 00:18:13 Learn more at blackcloak.io. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio, Maria Varmatsis, Ben Yellen, Nick Volecki, Millie Lardy. Thanks for listening.
Starting point is 00:18:59 We'll see you back here next week.
