CyberWire Daily - Inside SendGrid's phishy business. [Research Saturday]
Episode Date: March 16, 2024
Robert Duncan from Netcraft is sharing their research on "Phishception - SendGrid abused to host phishing attacks impersonating itself." Netcraft has recently observed that criminals abused Twilio SendGrid's email delivery, API, and marketing services to launch a phishing campaign impersonating itself. Hackers behind this novel phishing campaign used SendGrid's Tracking Settings feature, which allows users to track clicks, opens, and subscriptions with SendGrid. The malicious link was masked behind a tracking link hosted by SendGrid.
The research can be found here: Phishception – SendGrid is abused to host phishing attacks impersonating itself
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities, solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
This particular attack came to our attention because it combines so many interesting tactics
that have been used to cloak the attack. And it's pretty notable in the sense
that it's using the infrastructure of the provider itself that it's impersonating.
That's Robert Duncan, VP of Product Strategy at Netcraft. The research we're discussing today
is titled Phishception, SendGrid abused to host phishing attacks impersonating
itself. And that's a very effective tactic because it makes it really difficult for a victim to tell
the difference between a message that they've received or an email that doesn't really originate
with that provider, but by all intents and purposes or for all intents and purposes,
that is indistinguishable. It's really hard to tell the difference between the real and the fake.
And we walk through this particular attack. It's got five or six different tactics that it's used that take it
beyond the usual phishing attack. It means the attackers have really gone to town. They've taken
a lot of time, put in a lot of effort to make the attack, A, difficult to detect for victims,
but also difficult to detect for anti-phishing or cybersecurity companies like ourselves to detect.
And that's kind of how this came to our attention.
We find a lot of attacks.
We're looking at very high volume.
We're looking at millions of attacks.
This particular attack came to our attention.
It's one of many.
Well, let's go through it together here.
I mean, I guess we should say at the outset
that kind of at the center of this
is this organization or this product
called SendGrid.
What do we need to know about that?
So to kind of set the scene,
so SendGrid is a legitimate platform, an email sending platform.
It's run by Twilio. They're a large, well-trusted organization. There's nothing about their
infrastructure that's criminal controlled. It really is legitimate infrastructure that normal companies use to send and receive email.
It's a very effective platform.
And that also makes it a really effective platform for criminals.
So that kind of sets the scene for what SendGrid is.
And part of what's pretty notable here
is that SendGrid itself is a useful tool for criminals to have.
So why this is particularly interesting is that they're using the platform,
they've compromised a SendGrid user's account,
and they're using that compromised account to deliver emails
to compromise further SendGrid accounts.
So they're kind of like a worm.
They're building a portfolio of compromised SendGrid accounts
in order to then use that infrastructure for bad behavior.
So we don't have a direct line of sight into what the credentials are actually being used for.
What we can observe is what's being sent
and what we receive through our various sources of these types of threat.
Well, let's walk through it together here. Can you take us through
step by step what exactly is going on?
Where this starts is typical to many phishing campaigns. It's an email with a call to action
for the victim to fix something.
So in this case, the example that we've pulled out
falsely claims that the payment to SendGrid has been declined
and you need to go and immediately click through
to renew your account, fix the payment method.
And that's the hook.
So typically a pretty effective hook. We'd expect many people
to be riled up. They want their sending infrastructure to keep working. It's a kind
of a cornerstone of some or of many businesses. And so that's the hook. What happens next is
also pretty interesting. So what happens next is the link that the email contains
that the fraudster's intending for the victim to click
is actually cloaked for the criminal without any effort.
So SendGrid's platform allows legitimate users
to use their click tracking feature,
which allows them to see how many times users have clicked on links
and be able to track which email recipients have clicked on links.
But what that means is it simultaneously makes it really difficult
for a victim to, or maybe a potential victim at this point, to see the
difference between a legitimate link and a link that goes somewhere untoward. What we can kind
of see here, where we're doubling down on this, is you're expecting this link to go to somewhere
in SendGrid's domain portfolio. That's perfectly legitimate.
That's what you expect.
And that is true.
You do go to a link that is on SendGrid.net.
So even a particularly vigilant user
is going to be finding it pretty hard
to tell the difference between a fake and a real link here.
Yeah, I mean, I think about myself
when confronted with these sorts of things.
That's one of the first things I would do
is look at what domain is being referenced here.
And in this case, you've got a message from SendGrid
and it looks like the thing I'm clicking on
is going to go to SendGrid because it is.
Yeah, exactly.
And it was sent, and it really was sent from SendGrid.
So it's kind of the combination of all those factors
means that it's a really convincing attack.
And layering on top of that,
because SendGrid is an email delivery service
and a very effective one,
I'm not trying to advertise for them,
but their service is really well used
by legitimate companies and criminals alike.
It's optimized to get messages into people's inboxes.
So you've kind of got everything you need
to make a really effective phishing campaign.
The one thing to note is that there are a couple of signals
that something's a bit weird.
So the from address that is used in these attacks
does not match SendGrid's own infrastructure.
It matches one of their compromised customers.
So it's pretty easy to see that this is a kind of worm-style behavior.
You're seeing one customer get compromised
and then using that one customer's account,
you can then see how the criminal group
can expand on that network of compromised accounts
by targeting more users.
So suppose someone clicks on this link,
this link that's taking advantage of their click tracking,
what happens next?
So again, another interesting cloaking technique.
This attack is actually, I just want to have a side point here.
This attack really does combine a huge number of cloaking techniques.
Most phishing attacks that we see do not. Most phishing attacks that we see are relatively simple.
If they do use a cloaking technique, they will use one or two.
This particular attack or group of attacks is using five, six, seven different cloaking techniques.
So to kind of pull back to where we are, so we've clicked the link.
You get to the SendGrid click tracking infrastructure,
it redirects you to the actual destination, which in this case is a JavaScript playground called JSPen. So this is a site that is not necessarily involved in the attack. And what's interesting here is that it uses a URL fragment,
so the bit that follows the hash symbol,
to actually contain the malicious code.
And what the JavaScript Playground site does
is it takes the fragment, so that bit of code at the end of the URL,
and turns that back into something that can be executed as JavaScript.
This is particularly interesting because it means that the web server itself,
so JSPen, doesn't necessarily have any visibility over what that malicious code is.
The fragment of the URL does not get sent to the web server.
That's contained purely in the browser.
So another interesting cloaking technique
is that JSPen may have no idea
that this bit of infrastructure is being used
for this particular attack.
Step number two from this is that
the actual bit of code that's in that URL fragment
is actually really simple.
It's actually referencing a JavaScript file
that's hosted on a Microsoft Azure service
that is called Azure Front Door,
which is a CDN,
so similar to something like Amazon CloudFront.
So it's another somewhat interesting thing because they've registered a new subdomain.
So the subdomain is on a legitimate Microsoft domain.
So that's another interesting point.
But what's kind of interesting here is that
often we see criminals using totally free infrastructure,
like things like Cloudflare, GitHub.
What's different here is that the Azure front door service
that's being used is not part of the free tier.
So it does cost money.
The caveat being that most new customers
get a credit balance when they sign up.
So it probably isn't costing the criminals any money
and it's potentially a signal
that that account itself may be compromised.
So it may be a legitimate Azure user
has had their account compromised,
their credit's being used to support this attack.
We can't tell externally whether that's true or not.
But it's another interesting component about this particular attack.
I suppose it's possible that they could be signing up to this Azure account with a stolen credit card as well.
And so that gets them in the door and then they get this $200 credit to use as they see fit.
But ultimately, when it's time for them to be charged, either it's on the stolen credit card
or it doesn't go through, I suppose. Yeah, exactly that. So the difference is that it does make it
a little bit more challenging for a criminal to use
because they will need to have a credit card,
either somebody's that they've stolen
or an account they've stolen.
There's no reason that they needed to use this
for this attack.
They could have used totally free infrastructure
if they'd wanted to.
So potentially something that gives a signal
to any investigation that was happening to this attack that there are a few leads to follow.
Like there will be a stolen credit card somewhere in this chain.
So, notable in that sense.
Yeah. So tell me about this JavaScript file.
Next step in the chain.
So the actual JavaScript file, again,
is using cloaking techniques to disguise the purpose of the file.
The reason that sites like this use this type of obfuscation
is to make analysis by cybersecurity companies more challenging.
It means that you need to actually execute the JavaScript
in order to be able to tell what it does.
It makes static analysis much harder.
Not impossible, of course,
but it's adding steps in the chain
to get rid of any people
trying to have a quick look at what's going on.
People are going to see a load of code
and assume that it's meant to be there
and it's doing something legitimate.
Whereas in fact, what it's doing is another cloaking technique.
So layering on more cloaking techniques,
the actual HTML of the attack itself is encrypted with AES
and the obfuscated JavaScript file is the kind of decryption code.
So I guess the kind of obvious point to note here
is that the encryption is effectively pointless.
The key is included alongside the encrypted payload.
But again, another thing to make cybersecurity companies' lives
a little bit more miserable
or make the analysis more expensive,
you need to make sure that you've run
all of this code through a JavaScript engine
to make sure that you can actually
see what it does at the end.
That's kind of step, I think,
I've forgotten where we are.
Step number four or five.
It's obfuscation all the way down.
Exactly.
It is all the way down
and we can keep going.
So,
once we've got to this point,
we can actually,
there actually is the HTML.
You can see that it is impersonating
the Twilio SendGrid login page.
That's the kind of,
once you've got to this point, like a victim wouldn't have
obviously seen all that, that those
kind of obfuscation steps, their browser would have hidden that
from them. They would have just clicked
the link and hit the
SendGrid login page.
Here again, this does something pretty interesting.
So the kind of bulk
standard phishing
sites will ask for your username, ask for your password,
send it off to some PHP script that will either log it in a text file or send an email
or send it to a Telegram channel behind the scenes.
This one's actually pretty interesting, again.
So another layer is that instead of just capturing the details
and then saying thank you, goodbye, it actually uses the real SendGrid API
to validate the username and password on the fly.
So it's kind of acting like the kind of adversary in the middle style approach
of attacks where they are actually sending traffic from your browser to the
real website on your behalf. And this is a little bit of a twist on that because it's not proxying
it directly through a server. It's actually using client-side code to do that. So it connects to
the real SendGrid API, sends the username and password, and then checks to make sure that it
gets back a success response. This is, again, pretty good tactics by the criminal because
a common technique for users to see if they've kind of hit a phishing site or if they're on the
real site is to try some incorrect credentials first and see if they get accepted.
If they get accepted, they know the site's fake and it's a phishing site,
but they haven't given away their real details.
That technique doesn't work here because the username and password
are validated in real time against the API.
So the site can immediately tell you, hey, your username and password were wrong.
Try again.
So then if a victim's using that technique,
then they'll, second time around,
give the real username and password.
And again, I think, where are we?
Step five, step six, it gets deeper.
So to steal, say, the multi-factor authentication tokens,
what happens next is it sends the details
so far to a drop site.
So this particular drop site had been registered
back in November.
So we saw that for the first time in November last year.
It looks like a default page site
if you visit it by itself. But of course,
there's a hidden PHP file that's not visible from the front page that receives the kind of
stolen credentials so far. What happens next on the phishing site is that it asks you for your
two-factor code. And what happens next is that instead of sending the two-factor code off to this drop site, it will contact the SendGrid API again, provide the two-factor code,
and instead of sending the code itself, it sends back the session token, which allows the criminal
to then use that token in their own browser to access the victim's account.
So at that point, the attack has kind of won.
Their attack has succeeded.
They've got the stolen credentials that they wanted.
They redirect the victim back off to the real SendGrid page,
and the victim's probably none the wiser.
Wow.
What is your sense for what they're ultimately after here?
Once they've gotten control of someone's SendGrid account,
are they selling that access?
Any indication what they're up to?
It's a great question.
We don't know.
So we can conjecture as to what we think is happening.
So there's definitely an element of then using it to find more SendGrid credentials,
so sending it to other SendGrid users, using that account to do that.
What's also likely, based on the types of reports that we get
from the kind of anti-phishing community
is that it's very likely that those SendGrid accounts are being used
to send other malicious links.
So that could be more phishing, targeting somebody else, could be malware.
SendGrid's a very useful service.
It's a useful service to legitimate companies.
It's a useful service to criminals.
So it's a great way to get into victims'
inboxes. SendGrid spends a lot of time
optimizing their platform
so that they can do that. And so
it's a really attractive service for a criminal
to have on hand.
So I expect that
it's A, going to be used to expand
this particular criminal groups,
access to more SendGrid credentials.
And then plausibly, it could be being resold on underground forums
or used directly to then send out more malicious content.
We see quite a lot of different SendGrid accounts and URL shorteners in the reports that we get.
So it's very likely that that's kind of the next step.
Again, asking for your conjecture here,
any sense for why they might be going
to the amount of trouble that they are?
Because as you said,
most phishing organizations,
most phishing campaigns,
they may use some of this, but this is throwing everything at it.
Yeah, again, a really good question.
So one may point to the value of the SendGrid credentials,
that they're worth spending this much effort to do.
A second element is that, as we've seen with other phishing campaigns,
once a particular group or a particularly savvy author has written, say, a phishing kit
in order to be able to automate deploying more sites that do the same thing,
once that's happened once, the actual incremental cost is pretty small to deploy new ones.
The actual technical skill you might need
is actually pretty low
for the foot soldiers, as it were,
in the group.
So it's likely that that type of dynamic
is playing out.
We can't say for certain whether that's true or not for this
particular case, but it's definitely a pattern that we see across different genres of attack,
where there's like a particularly savvy group or particularly savvy subset of the criminal group,
and they then have either affiliate networks or selling access to kits in order to do so.
So I think on one hand,
I think your question's well put
in that why would they go to this much trouble?
The kind of counterpoint to that is
once one person's gone to that much trouble,
it's really easy to replicate.
I see.
If I'm a SendGrid customer,
what are your recommendations?
What sort of things can I put in place
to protect myself here?
Well, I think all the standard precautions still apply.
So as I said earlier,
this was actually a really tricky thing
to tell the difference on the actual email that was received.
There were a couple of signals.
So the from address was wrong.
So it wasn't being portrayed as being sent by SendGrid itself.
So this is the from address that's actually displayed to users.
So there was a signal in there that something was a little bit weird. But I think
this is a really tricky one. Where this is something that's known to the anti-phishing
community, using antivirus tools, anti-phishing extensions can help and a really good thing to do.
Of course, those rely on the attack already being known.
So there's a variety of different things to do.
So you want to use your normal security precautions and be very cautious.
As always on the internet,
you have to be on your toes at all times.
It's a tricky thing to say and ask people to do,
to be constantly on guard.
And it's an unfortunate reality of where we are,
that there's a lot of fraud, there's a lot of trickery,
and people are out there to try and steal your credentials,
steal your money, and do bad stuff.
Yeah, I mean, I guess this campaign starts off
with something that has to do with payment, right?
And so I guess that in itself
should be a signal for greater vigilance.
Yeah, that's right.
So usual advice is you've received an email
or a message that's saying,
do something immediately.
Good thing to do is actually take a few seconds,
think about it and think,
okay, well, if my SendGrid, okay,
if the payment has failed, that's okay.
I'm going to go to the real SendGrid website. I'm going to log into my profile there
and validate that that's actually true.
So going through your bookmarks, going through websites you've been to before,
the same thing applies for thinking about unsolicited phone calls.
The exact same approach works there too.
So you want to be thinking about hanging up and phoning back the number on the back of the card.
The equivalent for email is the same thing. So ignore the email,
go to the provider's website and try and find the alert from that direction.
Our thanks to Robert Duncan from Netcraft for joining us.
The research is titled Phishception,
SendGrid Abused to Host Phishing Attacks Impersonating Itself.
We'll have a link in the show notes.
This episode was produced by
Liz Stokes. Our mixer is Elliot Peltzman. Our executive producers are Jennifer Iben and Brandon
Karpf. Our executive editor is Peter Kilby, and I'm Dave Bittner. Thanks for listening.
We'll see you back here next time.