Fraud Management & Cybercrime , Fraud Risk Management , Next-Generation Technologies & Secure Development

Phishing Campaign Uses Homepage Overlay to Trick Victims

Cofense: Attacks Disguise Malicious Domains to Steal Credentials
Phishing Campaign Uses Homepage Overlay to Trick Victims
Phishing email that appears to come from a company's technical support staff (Source: Cofense)

A recently uncovered phishing campaign designed to harvest credentials used companies' official webpages as an overlay to hide malicious domains designed to harvest corporate credentials, according to security firm Cofense.

See Also: Live Webinar | Securing Mobile Endpoints to Protect IP in the Pharma Industry

This was just one of several social engineering methods this campaign used to trick victims into providing their usernames and passwords, according to the report. For example, the phishing emails were designed to look as though they came from the victim company's technical support team, Cofense notes.

"Another social engineering technique the threat actor uses to lure the employee into interacting with the email is giving the messages urgency, asking the recipient to review them or they will be deleted after three days," says Dylan Main, a researcher with Cofense. "Potential loss of important documents or emails could make the employee more inclined to interact with this email."

The campaign appears to have stopped Sept. 4, when Cofense published its report. The phishing emails the company examined came from targets in the U.S., but the scheme could be more widespread.

Quarantine Messages

The attacks started with a phishing email that claimed security tools had quarantined three messages and that the user needed to open a link embedded in the email to retrieve them because they are blocked from the inbox, according to Cofense. The phishing message added that two valid messages were being held before deletion.

"This could potentially lead the employee to believe that the messages could be important to the company and entice the employee to review the held emails," Main notes.

The phishing emails contained an embedded link that read "Review Messages Now," which led to a malicious domain. If clicked, the homepage of the victim's company appeared - including a fake login panel, according to the report.

Fake webpage overlay displayed in recent phishing attack (Source: Cofense)

The appearance of the webpage and login panel added to the social engineering element and gave the victim a false sense of assurance that the messages are legitimate, according to the report.

"It is also possible to interact with this page by moving outside of the overlay, showing that it is the actual page they have seen and used before," the Cofense report notes. "The overlay itself is attempting to prompt the user to sign in to access the company account."

If the intended victim attempted to log in using their credentials, those were then harvested and transferred to a malicious domain controlled by the fraudsters, according to the report.

Overlay Page

The Cofense report notes that during these phishing attacks, the malicious domain used to harvest the credentials remained the same, but the link in the emails contained various parameters that let fraudsters determine which webpage the victim would see - adding to the overall uniqueness of the scam.

"Depending on what company the threat actor is targeting, the link will populate the address of the original recipient of the email," according to the report.

The use of these types of overlays is becoming more common in phishing emails sent to victims' mobile devices. In June, for example, the FBI issued a warning that fraudsters are increasingly using Trojans to target banking customers and disguising the malware as legitimate apps, games or other tools.

When a mobile banking customer attempts to launch the malicious app, the dormant Trojan is triggered and prompts a fake login page that overlays the legitimate app for credential stealing, according to the FBI (see: FBI Warns Of Increasing Use of Trojans in Banking Apps).


About the Author

Chinmay Rautmare

Chinmay Rautmare

Senior Correspondent

Rautmare is senior correspondent on Information Security Media Group's Global News Desk. He previously worked with Reuters News, as a correspondent for the North America Headline News operations and reported on companies in the technology, media and telecom sectors. Before Reuters he put in a stint in broadcast journalism with a business channel, where he helped produced multimedia content and daily market shows. Rautmare is a keen follower of geo-political news and defense technology in his free time.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.