CyberWire Daily - Leveling up their credential phishing tactics. [Research Saturday]

Episode Date: May 17, 2025

This week, Dave speaks with Max Gannon of Cofense Intelligence to dive into his team's research on "The Rise of Precision-Validated Credential Theft: A New Challenge for Defenders." Threat actors continuously develop new tactics, techniques, and procedures (TTPs) to bypass existing defenses. When defenders identify these methods and implement countermeasures, attackers adapt or create more sophisticated approaches. This research explores how cybercriminals are leveling up their credential phishing tactics using Precision-Validated Phishing, a technique that leverages real-time email validation to ensure only high-value targets receive the phishing attempt. The research can be found here: The Rise of Precision-Validated Credential Theft: A New Challenge for Defenders
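The gated flow the episode summary refers to, as an added example that is not part of this page and not Cofense's code: a minimal model of the two attacker-side gates described in the interview (a target-list check, then an emailed code) next to the defender-side check of which candidate recipients the first gate admits. The addresses, the final-stage URL and the code generation are constructed for the example, and the FNV-1a digest is a non-cryptographic stand-in for whatever obfuscation a real kit uses to keep its target list out of the page source.

```javascript
// Added example, not code from Cofense or from the podcast. It models the
// gated flow the episode describes: a first page that only admits addresses
// on the attacker's target list, and an optional second page that demands a
// code e-mailed to that address, followed by the defender-side check an
// analyst would run. Every address, URL and code here is constructed.

// FNV-1a 32-bit: a cheap, NON-cryptographic digest standing in for whatever
// obfuscation a real kit uses to keep the target list out of the page source.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (const ch of str.trim().toLowerCase()) {
    h ^= ch.charCodeAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// --- attacker-side page logic (simulated) ---
const TARGETS = ["cfo@example-energy.test", "treasury@example-energy.test"]; // constructed
const TARGET_DIGESTS = new Set(TARGETS.map(fnv1a));
const FINAL_STAGE = "https://final-stage.example/login"; // hypothetical final credential page
const outbox = new Map(); // stands in for the e-mail the kit sends: address -> code

// Stage 1: the "confirm your identity" prompt. Off-list addresses go nowhere.
function stage1(enteredEmail) {
  const key = enteredEmail.trim().toLowerCase();
  if (!TARGET_DIGESTS.has(fnv1a(key))) {
    return { ok: false, reason: "not on target list" };
  }
  const code = fnv1a(key + ":nonce").slice(0, 6); // deterministic so the example is repeatable
  outbox.set(key, code);
  return { ok: true, reason: "code sent to mailbox" };
}

// Stage 2: the emailed code or link; only then is the final page revealed.
function stage2(enteredEmail, code) {
  const expected = outbox.get(enteredEmail.trim().toLowerCase());
  if (expected === undefined || code !== expected) {
    return { ok: false, next: null };
  }
  return { ok: true, next: FINAL_STAGE };
}

// --- defender-side analysis ---
// Given candidate recipients (headers of the reported message, or a list the
// customer supplies), find which ones the first gate admits without blind
// guessing. Using them is the step that needs the customer's permission.
function findTargeted(candidates) {
  return candidates.filter((c) => TARGET_DIGESTS.has(fnv1a(c)));
}

// Walk as far as the SOC can get. Without a way to read the victim's mailbox
// the run stops at stage 2 and the final-stage URL, the durable IOC, is never
// reached; with one, it is.
function analystRun(candidates, mailboxReader) {
  const targeted = findTargeted(candidates);
  if (targeted.length === 0) {
    return { targeted, finalUrl: null, blockedAt: "stage1" };
  }
  const victim = targeted[0];
  stage1(victim);
  if (!mailboxReader) {
    return { targeted, finalUrl: null, blockedAt: "stage2" };
  }
  const r = stage2(victim, mailboxReader(victim.trim().toLowerCase()));
  return { targeted, finalUrl: r.next, blockedAt: r.ok ? null : "stage2" };
}
```

The point the model makes is the one the interview makes: the first gate is only as strong as the secrecy of the list, so an analyst who has permission to try the real recipients gets through it, while the second gate stops anyone without mailbox access, and the final-stage URL behind both gates is the indicator that outlives the disposable intermediaries.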

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt, Identity Attack Paths are easy targets for threat actors to exploit but hard for defenders to detect. This poses risk in Active Directory, Entra ID and hybrid configurations. Identity leaders are reducing such risks with Attack Path Management. You can learn how Attack Path Management is connecting identity and security teams
Starting point is 00:00:49 while reducing risk with BloodHound Enterprise, powered by SpecterOps. Head to specterops.io today to learn more. SpecterOps. See your attack paths the way adversaries do. They're not using any sort of really advanced techniques. They're using pretty simple stuff, but they're using it in a different way. And by using it this way, they show that they have an understanding of how SOCs work, which is something that a lot of directors don't. That's Max Gannon, intelligence manager with Cofense Intelligence. The research we're discussing today is titled, The Rise of Precision-Validated Credential Theft,
Starting point is 00:01:50 A New Challenge for Defenders. My team has what we call qualitative groups. And when we find some kind of interesting behavior, we tag it with a group. And a lot of times we'll only see it once or twice, so it's not really worth writing about just yet. But when we've seen enough of this qualitative group, especially if it suddenly starts to become more common, then we'll really do an in-depth dive on it and start writing about it. So this was originally something we saw in very small numbers. It was enough to be mildly frustrating, but not a real problem.
Starting point is 00:02:29 And then, especially within the last month, we've seen it drastically increase to the point where if it's annoying for us, it's got to be a big problem for SOCs. Right. Well, can you explain what precision-validated phishing is and how it differs from traditional phishing attacks? So the first step is, you know, someone gets an email, a credential phishing email, and typically it's Microsoft spoofing, but we've seen other brands as well. And then usually this email gets reported and the SOC gets the URL, and the SOC tries to visit the URL, and the transition page sends a prompt that says, hey, I need you to confirm your identity and put in the email address that this link was sent to.
Starting point is 00:03:24 And so that's context that the SOC needs to have. If they somehow get that information and are allowed to use it, then they enter it and they move on to the next step. Sometimes this is the actual Microsoft-branded credential phish, which has all the little bells and whistles that you would expect. And sometimes there is an additional step, where once you've verified the email address,
Starting point is 00:03:43 then they send an email to the email account, and then you have to use a code or a link from that email to progress onto the next step of the credential phish. And this final step is hosted typically on a different site. And that final step usually stays up for significantly longer than the intermediary, the first step. How do you rate the sophistication of these threat actors? That's a bit difficult because, as I said earlier, they're not using any sort of really advanced techniques.
Starting point is 00:04:20 They're using pretty simple stuff, but they're using it in a different way. And by using it this way, they show that they have an understanding of how SOCs work, which is something that a lot of directors don't. But by making this validation only work a certain way, they're taking advantage of a flaw in cybersecurity procedures, really. So for that, I'd rate them pretty highly for having additional information about how it would work, because that's unusual. For sophistication, actual sophistication,
Starting point is 00:04:58 I'd rate it probably middle, because once you get your hands on the code it's really easy to figure out they don't do much in the way of obfuscation. Well can you share an example of how this has been used in an actual fishing campaign? Yeah certainly. So we got in a pretty standard looking Microsoft Office credential phishing campaign. And we went ahead and visited it and immediately came up with the notification that we needed an email address. So this escalated things a little bit,
Starting point is 00:05:39 because while we do have access to email addresses, a lot of customers don't like it when you use an email address. There's a lot of issues with that, especially for outsourced SOCs. So we were able to get the information we needed and then find the list of targeted email addresses and use an email address from that targeted list and progress through the phish and get what we needed. Can we go through some of the mechanics here? I mean, how does the real-time email validation process work
Starting point is 00:06:16 within these phishing attacks? Yeah, so the first step is really basic. It just compares the email address you enter to a list of email addresses that the threat actor has of people who've been targeted by the phishing campaign. So that step, if you can find the list, which is usually obfuscated, but if you can find it, then you can bypass it. The next step is actually sending the email address, sending an email to the email account. Sometimes this involves clicking a link, sometimes this involves just copying and pasting a code. And what kinds of technologies or methods are they using to validate the email addresses in real time?
Starting point is 00:07:01 So most of this takes place using pretty basic JavaScript that's just built into the traditional phishing page. None of the actual techniques used are particularly advanced. They're just combining known capabilities into a new method of doing things that makes life very difficult. We'll be right back. And now a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats.
Starting point is 00:07:45 ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com. Worried about cyber attacks? CyberCare from Storm Guidance is a comprehensive cyber incident response and resilience service that helps you stay prepared and protected. A unique onboarding process integrates your team with industry-leading experts.
Starting point is 00:08:34 So if an incident occurs, your response is optimal. Get priority access to deeply experienced responders, digital investigators, legal and crisis PR experts, ransom negotiators, trauma counselors, and much more. The best part? 100% of unused response time can be repurposed for a range of proactive resilience activities. Find out more at cyber.care/cyberwire. So what makes precision-validated phishing particularly challenging for security teams to detect and analyze?
Starting point is 00:09:19 So it's especially difficult for external SOCs. But even for a company who has an internal SOC, it's difficult because first you need the email address. And as I said, typically SOCs are not provided with this email address. So even if you somehow manage to get the email address, then you have to also get the company's permission to use the email address. And getting permission is sometimes just not possible. So SOCs are pretty much blocked off by company policy
Starting point is 00:09:52 at this point. And even if they somehow get approval to use an email address, then if one of the next steps involves sending a confirmation email, they have to get access to somebody's inbox. And that is, I've personally only heard of two situations in which that has happened. It's extremely rare. People are just not comfortable doing that, with good reason. So, SOCs are able to get maybe half of the IOCs they could gather otherwise.
Starting point is 00:10:28 And because of this gating, oftentimes, once the first couple steps go through, they're redirected to a final credential phishing page. And this final one has the IOCs that the SOCs need, because the intermediary pages can be reported and taken down, but if the final one stays the same, the threat actors just send out a new campaign with new intermediaries. So the SOCs are just stuck going for the first URL, because that's all they have. Oh, that's interesting. So
Starting point is 00:11:00 given all that, what are your recommendations then? I mean, how should organizations best defend themselves? So luckily, there are very few situations in which an email is sent to the email account. So for most SOCs, the first obstacles they need to overcome are finding the email address of the recipient and being allowed to use that email address on the credential page. So for this to happen, what they need is open communication. They need to have a contact at the company who they can talk to, they can explain the
Starting point is 00:11:40 situation, they can say, okay, so we've got this, you know, potentially very advanced fish that is very much targeting specific people. Can you give us approval so we can do this investigation so we can get this additional information and help protect you better? And if there's that open line of communication, then they're going to have a lot more success than somebody who is really just, they don't really have a good contact going. Are there particular industries that you're seeing targeted here? I think the one we have seen it with most is the oil and natural gas sector. They're the ones we've seen the most of this with, unfortunately, but it's becoming all around more common.
Starting point is 00:12:30 And what is the ultimate goal here? I mean, are these financially motivated attacks? Are they going after, is it a corporate espionage situation? What are you all seeing? So I think at a very base level, what threat actors are trying to do is improve their return on investment. So credential phishing happens all the time.
Starting point is 00:12:54 And typically, once they send out, threat actors will send out these mass email campaigns trying to get as many credentials as they can. But the credentials are typically unverified. So when they sell them in bulk on the dark web, they don't actually get very much money for them. They just really don't get much money because they're not validated. They don't have any sort of confirmation that these are active accounts, that these credentials can be used and that sort of thing. But with precision validation, you can, the threat actors can not only sell it for more because it's validated, but they can also sell it in groups.
Starting point is 00:13:30 They can say this specific list of people with this title at this company, here are their credentials, and they can sell it for a lot more than just a big collection of a thousand email addresses and passwords. So even if they're not doing an additional, more targeted approach, simply from return on investment by using this technique, they're making a lot more money. Is there a user awareness component here?
Starting point is 00:13:59 Can we educate our users to do a better job defending against, I guess, are there any specific tells that you all have observed? Yeah, so one of the biggest things is the prompt for email addresses. Even sometimes when you put in the correct email address, it'll prompt you again for an email address, just to make sure. So what this really, to me, it's kind of a surprise,
Starting point is 00:14:30 or it should be a surprise because when you visit these web pages, if you're using a password manager, all your credentials are already saved. So if you're visiting a website and you think it's Microsoft, and you go to the Microsoft website and your password manager isn't giving you credentials, then there's probably something wrong. So looking for, I mean, obviously look at the URL, but looking for obvious signs like, you know,
Starting point is 00:14:54 it's not giving me the autofill information here when it always does on the Microsoft accounts, you know, stuff like that can really help you spot these things. What are some of the key takeaways you hope that readers get if they check out this research? So, the biggest thing I think that I'd like people to get from this is that every company that has a SOC, whether they're internal or external, needs to have clear communications with them. Because this is a very obvious situation in which communication is important.
Starting point is 00:15:32 And communicating can potentially help save people from getting compromised if they say, okay, we know who else is on the list, we can inform them. But if you don't have that communication, then not only are they more susceptible to attacks like this, but there are so many things that can go wrong if a SOC doesn't have someone who they can say, hey, we've noticed this trend. And you do think about it with your users.
Starting point is 00:16:01 So for example, with FisherMe, we have specific SIMs, and we say, the intelligence team says, we've seen this, and the SIMs are built based on that, and people can select their SIMs. So if there's communications between the SOC and other departments, the SOC can say, hey, we're seeing this, and other departments who are responsible for training can say, okay, we're going to use sentence along with that, those themes that you've identified. Our thanks to Max Gannon from Co-Fence Intelligence for joining us. The research is titled, The Rise of Precision Validated Credential Theft, A New Challenge for Defenders.
Starting point is 00:16:49 We'll have a link in the show notes. And that's Research Saturday brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Starting point is 00:17:08 Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening, we'll see you back here next time.
