Criminals steal Office 365 credentials by spoofing Kaspersky’s e-mail address in a spear-phishing attack.
The security company said in an announcement on Monday that although the phishing emails came from sender addresses such as [email protected], Kaspersky determined that no one at the company had sent them. Instead, the emails were sent using Kaspersky’s own legitimate Amazon Simple Email Service (SES) token.
Amazon SES is a scalable email service that allows developers to send emails in any application scenario such as marketing or large-scale email communications.
According to Kaspersky’s explanation, this access token was distributed to third-party contractors when testing the site 2050.earth. The 2050.earth website is a project of Kaspersky. It has an interactive map that futurists and others can use to speculate about what will happen to the earth in the next few decades. And the website is hosted on Amazon’s infrastructure.
Kaspersky said that after it discovered a sharp rise in spear-phishing attacks targeting Office 365 credentials, which it believes likely came from multiple threat actors, its security staff immediately revoked the SES token.
According to Kaspersky’s statement, the phishing attack did not cause any losses, and no server damage, unauthorized database access or other malicious activity was found on 2050.earth or its related services.
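The incident above shows why a legitimate sending path (a valid SES token, a real sender domain) is not by itself evidence that a message is benign. The following is an added example, not code from the article or from Kaspersky: a small mail-log triage check that combines the signals the article reports (a message delivered through Amazon SES, a spoofed sender in the impersonated domain, a "fax notification" lure, and links that lead off the sender's domain). The two sample messages, the domain names and the hostnames in them are constructed for the example; amazonses.com is the real SES relay domain.

```python
import email
import re
from email.message import Message
from email.utils import parseaddr

# Impersonated sender domain named in the article.
ORG_DOMAIN = "kaspersky.com"
# Lure theme reported by Kaspersky for this campaign.
LURE_KEYWORDS = ("fax notification", "fax")
# Amazon SES relay domain (real); an SES-sent message's Received/Return-Path mentions it.
SES_DOMAIN = "amazonses.com"

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def is_via_ses(msg: Message) -> bool:
    """True if any Received or Return-Path header shows the message passed through SES."""
    hops = msg.get_all("Received", []) + msg.get_all("Return-Path", [])
    return any(SES_DOMAIN in h.lower() for h in hops)


def external_link_hosts(msg: Message) -> list:
    """Hosts linked in the body that are not under ORG_DOMAIN."""
    body = msg.get_payload(decode=True) or b""
    hosts = URL_HOST_RE.findall(body.decode("utf-8", errors="replace"))
    return [h for h in hosts if not h.lower().endswith(ORG_DOMAIN)]


def classify(raw: str) -> dict:
    """Return the individual signals and a verdict for one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "").lower()
    signals = {
        "from_org_domain": from_domain == ORG_DOMAIN,
        "via_ses": is_via_ses(msg),
        "lure_subject": any(k in subject for k in LURE_KEYWORDS),
        "external_links": external_link_hosts(msg),
    }
    # The sending path alone is not a verdict: the org's real newsletters also go
    # through SES. Flag only when the lure and an off-domain link are both present.
    suspect = signals["lure_subject"] and bool(signals["external_links"])
    signals["verdict"] = "suspect" if suspect else "allow"
    return signals


# Constructed sample 1: a legitimate SES-sent newsletter from the org.
LEGIT = """Return-Path: <0100017c-example@amazonses.com>
Received: from a1-2.smtp-out.amazonses.com (a1-2.smtp-out.amazonses.com) by mx.example.org
From: Newsletter <news@kaspersky.com>
Subject: Monthly security newsletter
Content-Type: text/plain; charset=utf-8

Read this month's articles at https://www.kaspersky.com/blog
"""

# Constructed sample 2: the same sending path, spoofed sender, fax lure, off-domain link.
PHISH = """Return-Path: <0100017c-example@amazonses.com>
Received: from a1-2.smtp-out.amazonses.com (a1-2.smtp-out.amazonses.com) by mx.example.org
From: Fax Service <noreply@kaspersky.com>
Subject: Fax notification: 1 new document
Content-Type: text/plain; charset=utf-8

You have a new fax. Sign in to view it: https://login-fax.example.net/office365
"""


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("phish", PHISH)):
        print(name, classify(raw))
```

Run against a mail store, the interesting rows are the ones where `from_org_domain` and `via_ses` are both true but `verdict` is `suspect`: those are exactly the messages that a sending-path-only check would wave through.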
Attack bait: fake fax
Phishing is a common way for cybercriminals to deceive people with carefully designed emails and get them to hand over credentials for online accounts. Phishing attackers often impersonate trusted companies (such as Kaspersky), applications, or other institutions, directing victims to specially crafted phishing websites and tricking them into entering their credentials on what they believe is a legitimate site.
Office 365 credentials are a very common target for phishing attacks. For example, in March of this year, researchers discovered a phishing scam that specifically targeted senior executives in the insurance and financial services industries. Its purpose was to obtain their Microsoft 365 credentials and launch a business email compromise (BEC) attack.
The cybercriminals behind the Kaspersky-themed phishing attacks did not impersonate Kaspersky employees. Instead, the phishing emails usually claimed to be “fax notifications,” luring the target to a fake website and then harvesting credentials for Microsoft’s online services. This is not the first time the old “fax notification” lure has been used: in December 2020, Office 365 credentials were also targeted in the same way.
The Kaspersky-themed phishing emails were sent from various spoofed Kaspersky addresses, via multiple sources including Amazon’s web services infrastructure.
Kaspersky provides the following phishing email sample.
Analysis by Kaspersky researchers shows that these phishing campaigns used a phishing toolkit called “Iamtheboss” and another called “MIRCBOOT”.
MIRCBOOT service provided by phishing platform BulletProofLink
The name MIRCBOOT may sound familiar, perhaps because it is one of the phishing toolkits recently discovered by Microsoft. At that time, Microsoft uncovered a large-scale, organized, and sophisticated phishing-as-a-service (PhaaS) platform that its operators call BulletProofLink.
BulletProofLink is a credential-stealing platform that provides phishing kits, email templates and other hacking tools, allowing customers to customize their campaigns and develop their own tools. Its customers then use the PhaaS platform to obtain the phishing kits, email templates, and hosting services required for an attack.
Other phishing kits available through MIRCBOOT and BulletProofLink let cybercriminals build websites and purchase the domain names they need to launch phishing attacks, for example by posing as employees of a security company, as in this case.