CyberWire Daily - Phishing for holiday winnings. [Research Saturday]
Episode Date: February 24, 2018
Or Katz is principal lead security researcher for Akamai's Enterprise Security Business Unit, and the research he's sharing today is a widespread phishing campaign targeting users using an advertising tactic. The research is titled "Gone Phishing for the Holidays."
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement,
connecting users only to specific apps,
not the entire network,
continuously verifying every request
based on identity and context,
simplifying security management
with AI-powered automation,
and detecting threats using AI
to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
We saw a lot of our customers being redirected to a domain, a web server, that contains a very odd and unique domain name.
That's Or Katz joining us once again. He's Principal Lead Security Researcher for Akamai's Enterprise Security Business Unit. And the research he's sharing today is a widespread phishing campaign targeting users using an advertising tactic. The research is titled Gone Phishing for the Holidays.
That led us to investigate that a bit more and try to understand what kind of web application stands behind that domain name.
What was unique about that domain name that grabbed your attention?
So first of all, we saw many very similar domain names that have the same prefix saying holidayseason.com, which is actually a prefix that is the subdomain of a different domain saying something different, which is a good indication for something, well, that might be suspicious, or something that is being used as a technique for phishing attacks, where you put something in a subdomain that hints at something that is not really the real purpose of the website. So this was the first thing that we were able to see.
And so where did it lead from there?
So after we saw those domains, first of all we tried to figure out what kind of traffic we can see going to that domain. We tried to figure out a few things about the domain: when those domains were registered for the first time, and what is actually the application that is being deployed on that domain. Well, on those domains, actually, because we saw more than 30 different domain names with the same prefix and the same content, but the actual domain was different.
So once we looked into that given domain, we actually saw a domain that was a fake domain. It's a domain that gives the users the chance to answer some questions regarding some company, that well-known software company.
And we saw that there is a lot of fake indication on that given domain. And we were able to see
a lot of those indications being related to different phishing attacks that we saw in the past.
For example, that given domain contains some questions about that software company, and regardless of the answer that you give to those questions, you will win a prize.
And that was a funny thing that we were able to see.
And a lot of the thing that we were able to see
on that given domain and on that given web application, the phishing web application, is that it contains a lot of elements.
Well, we call them the art of deception.
They are trying to gain the user's trust in order to make them believe that this is a genuine web application that once you will answer questions, you will win a prize.
For example, a few of those techniques being used to get the trust, first of all, we were able to
see that there is indication of fake social media
on that web application, obviously not truly
related or even communicating with
that given social media. In this case, it was Facebook.
We were able to see all kind of indication
that telling the user, well, we are now in progress
and application is trying to figure out
if you are a winner or not,
but actually behind the scene, there is no really progress.
It's just a JavaScript that's running on the background
and create that sense of in progress.
And at the end of the day,
when the users were winning a prize, the application told them to choose the prize, to choose a random choice of one of the options.
And once you choose that random option, you can win a prize.
And in all cases, regardless of what you would choose, you will win the same prize, which was an iPhone.
And that will, at that point, I think that users of that web application,
well, the users that were tempted to go to that web application,
will get some sort of a sense that they won a prize,
they will be very happy about it,
and at that point they will have the full trust with the web application,
giving the web application the information that they want to retrieve.
I see.
And in our case, that information was an email address, the user's email address.
That was the sole purpose of that campaign.
Well, let's back up a little bit and walk through it step by step, because there's some
interesting details here.
One of the things you pointed out in your research is there was, I think, as you said,
there was a common prefix on many of these upstream sites.
They said sale-gadget-promotion was on many of these sites with different subdomains.
So you saw that commonality between many of these destinations.
But then let's walk through this part that you call the art of deception.
First of all, what would lead someone to end up on this site?
Was it random happenstance, or were they phished to go visit this site?
So what we were able to see as part of the evidences that we were able to collect
is that this kind of campaign was well planned.
And part of the techniques being used
in order to have as much as distribution of this campaign
was to use advertisements.
Meaning the bad guys are going to legit websites. They put their own ads. Those ads, once clicked, will redirect to those phishing websites.
And in a way we can see that each domain on that campaign was active
for only a few days, getting a lot of attention from users. And after a few days, it was, you know,
vanishing there. It was not relevant any longer. So the bad guys are paying for a legitimate ad
to insert this ad. But then when someone clicks on the ad, it takes them to the phishing site.
Exactly.
So when they go there, they're first met with an audio greeting.
That's a bit unusual.
Yeah.
In a way, as part of the phishing campaign's goal to get the user's attention, they use an audio message. Once you hear that audio message, it catches your attention, and then you are engaged with that given campaign. I mean, it's not just a website. This is a website that is talking to you, so, well, I have my attention on that website. That is part of the techniques that they are using in order to get the trust and attention.
Yeah, and it says, please click to claim your prize before we give it away to anyone else. It gives you no option to click away.
Your only choice is to say OK, and then it takes you to the quiz.
And as you said, it takes you to a quiz about a popular software company.
But there's no way to get a wrong answer on this quiz.
Exactly.
Regardless of your answer, you will win a prize.
That's their goal.
You will win a prize. They will get your attention
and trust. And from that point forward, they will be able to retrieve from you the relevant
information that they want to retrieve. That's part of the phishing techniques being used.
And then once you've won, whether you give the right answers or not, you get to choose what
your prize is going to be. And in this case, they have several little treasure boxes that they show you.
And they offer up a PlayStation 4, an iPhone 8, a Samsung S8, all good prizes.
But it's really a forced choice here.
The iPhone 8 is the only one you can actually get, right?
Exactly.
You will get an iPhone 8 because this information will be used in the follow-up redirecting link in which
you will have to leave your credential, well, not your credential, but your email address.
And in that link, when you redirect to that other website that want to retrieve your information,
you will see an ad saying, well, you want an iPhone. So they want to be able to make sure
that you will always win an iPhone. That's
the reason for that. I see. And I suppose if someone is falling for this going down the path,
they might say, well, I had my heart set on that PlayStation 4, but for whatever reason,
I guess an iPhone 8 is a good prize. I'll still go along with that. No doubt about it.
So the next part, they take you to a next screen which shows other people, like you
said, sort of this social media component of other people showing photos of the iPhone 8s that they've
had delivered to them. Exactly. It included pictures. It included fake identities of users.
It was obviously a fake social network indication on that page. And the reason for that is that they want to give you a sense that there are others that want that prize. You should do the same, right? Getting the trust that they
want to gain from it. So step by step, they're building up the trust and making people feel as
though this is a legitimate thing and you might be steps away from actually getting this iPhone.
Exactly. And so there's another part of your research here.
You call it additional tactics, double trouble.
And there was some issues with vulnerability to cross-site scripting.
Can you take us through that?
So this is a funny anecdote, actually.
What we were able to see is that this website, those websites that were used as part of that campaign, were actually vulnerable to cross-site scripting vulnerability. And in a way, it's funny that the bad guys are also having those vulnerabilities on their websites. And it's an anecdote that obviously should not be used, but in a way it shows us that they also build web applications that are vulnerable.
I see. So perhaps pointing to the amateurishness of these particular attackers,
even their own site was vulnerable to attack from someone else.
Exactly.
They were ultimately trying to harvest email addresses. That strikes me as interesting
because I wouldn't imagine that
an email address had a whole lot of value these days. Well, that's a question that I'm getting a
lot. And actually, we have a sense of thinking that an email address is something that is not
that important and what can happen. But there is a very important part of the bad guys getting our email addresses.
Because, first of all, those email addresses are actually the gate for our environment, for our computers, for our laptops, for our iPads.
And the second part of those attacks is once the bad guys have those email addresses,
they can start a different set of attack campaigns in which they can send you an email saying, well, you should press this link.
And once you press the link for something that is related to you or even associated with you, you will be redirected to a malware download page where you will be infected by malware.
So in a way, it started with an email,
but it can be evolved and can be escalated to much more severe issues
as malware being installed on your computer
or different kind of credentials being stolen from you.
And I suppose at a certain level,
there's sort of pre-filtering
for people who might be vulnerable
to this sort of attack,
a certain amount of, I suppose, gullibility.
If you go through all the steps of this and fall for them,
well, then you're probably more likely to fall for an email phishing attack
when we hit you with the next round.
Exactly.
Well, for example, I can say that, you know, me and you, we probably are, we're tech savvy.
We are familiar with those attacks. We will most likely not fall for
those attacks. But a lot of people, young people,
people that are not fully aware of phishing attack
can fall for those traps. And, you know,
I can tell you from my experience at my home that we have one computer
at home that is being used both by me and my kids.
And in a way, if my kids will fall into a trap such as that phishing attack, the same computers used by both of us will be infected by malware.
So in a way, it sounds like it will target very specific people, or people with no sense of understanding of the phishing landscape,
but actually it can affect a lot of people that are actually not related to that.
Yeah, and I suppose like many of these attacks, there's very little cost to run the campaign at a large scale,
and so it pays off ultimately.
Exactly. I can tell you, for example, that I'm located in Israel
and a few weeks ago we saw a very huge phishing attack
that was targeting a well-known company that sells furniture.
And on that given week, it was the week of the special sale of that company.
And in a way, we saw a lot of people, very, you know, tech savvy,
a lot of people that have a sense of understanding what's good and what's bad,
being, you know, falling for that trap and following that phishing campaign.
Just because, you know, the context of the phishing campaign on a given week
when they have a big grand sale for that furniture,
led us to, you know, fall into those traps.
Yeah, and this particular campaign, as you pointed out, really targeted people during the holidays when perhaps money might be tight, they're looking for maybe something, a free bonus,
so they might be more susceptible to something like this that time of year.
Exactly. People are much more trustworthy at the holiday season where they have a sense of understanding that, you know, they can win a prize.
And this is a great period, a time of the year when, you know, there is a lot of willingness to give prizes and a willingness to communicate and give from the companies to the people that are consumers of those companies.
So that also was the context of that given campaign.
It seems to me like I've seen a lot more of these types of attacks.
And I think we've seen reports of that, that these annoying pop-up ads of, you know, you're a winner, congratulations, particularly on the mobile side.
It seems like we've really been flooded with these.
Have you all been seeing that as well?
Yes, definitely.
We see hundreds, if not thousands, of such campaigns on a given week.
We can see that there is a trend of a lot of traffic or a lot of targeting more of the mobile users for very tactical reasons.
So the bad guys understand that they can abuse those kind of platform because they are less secured.
For example, if my computer is part of my work, is being protected by the security control that we have in our office,
my mobile phone in most cases will not be protected. Therefore, the bad guys are targeting
those actual platform, those devices. And in terms of advice for people to protect themselves
against these sorts of things, or even, you know, protecting your family members, your kids,
maybe your elderly parents, things like that. What do you suggest?
So I think the most important thing here is awareness.
We have to educate our young ones.
We have to educate our peers and our colleagues to be, well, suspicious in such cases.
Even though they feel that they won a prize, that there is something good happened to them,
they need to stop for a minute and ask themselves, is it legit? Is it not? Should I give my credentials so freely?
And these are the things that we should do as a community, obviously. And this is part of the
motivation for us to create such blog and create the insight that we're able to see in such a very
specific campaign. Can you describe some of the evasive techniques that this campaign is using?
So, yes, we were able to see a few techniques being used.
For example, we were able to see that the domains being associated with that given campaign
are domains that were registered over six months prior to the time that the campaign was executed.
And in a way, the reason for that is that the bad guy understand that once you use
a newly registered domain, that will create a lot of alerts,
a lot of security control.
We will be able to detect those domains
just because they were recently registered and tracked them.
Now, if you register domain
over six months ago, that will lower the level of suspicions around those domain and that
gives the bad guys the advantage of not being detected so quickly. This is the first technique.
The second part of the technique that the bad guys are using in order to stay evasive is the fact that they actually use 30 different domains. Each domain is being activated for a limited timeframe. And we can see that once one domain is inactive, a new domain comes in and becomes active.
And in a way they are being lonely
while they abuse our trust,
but getting a lot of attention and a lot of traffic of users,
abusing one domain after the other,
and by that creating the amount of attention that they want to gain.
Now, is this campaign, has it wound down, or is it still running,
or were they only really running during the holiday season?
This given campaign was running during the holiday season, but we actually see a lot of campaigns similar to that being activated on a weekly basis.
So it's not just that given campaign,
but there are others in the pipeline
and we are being abused by a lot of those campaigns.
Our thanks to Or Katz from Akamai for joining us. You can read the complete report, Gone Phishing for the Holidays, in the blog section of the Akamai website.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
The Cyber Wire Research Saturday is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash,
Stefan Vaziri,
Kelsey Bond,
Tim Nodar,
Joe Kerrigan,
Carol Terrio,
Ben Yellen,
Nick Valecki,
Gina Johnson,
Bennett Moe,
Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.