uTalk

thrive

Member

Registered: 2023-01-04

Posts: 2,018

Microsoft discovers banking AitM phishing and BEC attacks on financial

Microsoft has disclosed that a new multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) attack is aimed at banking and financial services organizations.

The tech giant revealed in a report on Thursday that "the attack originated from a compromised trusted vendor and transitioned into a series of AiTM attacks and follow-up BEC activity spanning multiple organizations.".

Microsoft criticized the group for using an indirect proxy to carry out the attack and is tracking the cluster under the newly coined name Storm-1167.

Because of this, the attackers were able to easily customize the phishing pages to their intended victims and execute session cookie theft, demonstrating the ongoing sophistication of AitM attacks.

In contrast to other AitM campaigns, this one uses decoy pages to harvest victims' login information and time-based one-time passwords (TOTPs) instead of a reverse proxy.

According to Microsoft, "the attacker presented targets with a website that mimicked the sign-in page of the targeted application, as in traditional phishing attacks, hosted on a cloud service.".

"The said sign-in page included resources loaded from an attacker-controlled server, which started an authentication session with the target application's authentication provider using the victim's credentials. ".

The attack chains start with a phishing email that directs the victim to click a link that takes them to a spoofed Microsoft sign-in page where they must enter their credentials and TOTPs.

By employing a replay attack, the stolen passwords and session cookies are then used to assume the user's identity and gain unauthorised access to the email inbox. The access is then misused to obtain private emails and plan a BEC attack.

BEC attacks and AitM phishing.
To further prevent detection, a new SMS-based two-factor authentication method is added to the target account. This allows users to sign in with stolen credentials without drawing attention to themselves.

According to Microsoft's analysis of the incident, the attacker launched a widespread spam campaign, sending more than 16,000 emails to the compromised user's contacts both inside and outside of the company, as well as distribution lists.

The adversary has also been seen responding to incoming emails and then taking action to delete them from the mailbox in an effort to minimize detection and establish persistence.

In the end, a second AitM attack is launched against the recipients of the phishing emails in an effort to steal their credentials and launch yet another phishing campaign from the email account of one of the users whose account was compromised as a result of the AitM attack.

The change occurs less than a month after Microsoft issued a warning about an increase in BEC attacks and the evolving strategies used by cybercriminals, such as the use of tools like BulletProftLink for mass-production of malicious mail campaigns.

Using residential internet protocol (IP) addresses to make attack campaigns seem locally generated is another trick, according to the tech giant.

According to Redmond, "BEC threat actors then purchase IP addresses from residential IP services matching the victim's location, creating residential IP proxies which empower cybercriminals to mask their origin.".

"Now that BEC attackers are armed with localized address space to support their malicious activities in addition to usernames and passwords, they can conceal movements, get around "impossible travel" flags, and open a gateway to carry out additional attacks. ".