According to a recent report by Group-IB's Threat Intelligence team, published today and shared with The Hacker News, PerSwaysion operations have attacked executives of more than 150 companies around the world, primarily businesses in the finance, law, and real estate sectors.
“By late September 2019, the PerSwaysion campaign has adopted much more mature technology stacks, using Google appspot for phishing web application servers and Cloudflare for data backend servers.” Like most phishing attacks aiming to steal Microsoft Office 365 credentials, the fraudulent emails sent as part of the PerSwaysion operation also lured victims with a non-malicious PDF attachment containing a ‘read now’ link to a file hosted with Microsoft Sway.
“The attackers pick legitimate cloud-based content sharing services, such as Microsoft Sway, Microsoft SharePoint, and OneNote to avoid traffic detection,” the researchers said.
Next, the specially crafted presentation page on the Microsoft Sway service contains another ‘read now’ link that redirects users to the actual phishing site, which waits for victims to enter their email account credentials or other confidential information.
Once the credentials are stolen, the attackers immediately move on to the next step: they download the victim’s email data from the server using IMAP APIs and then impersonate the victim to target people who have had recent email communications with them and hold important roles in the same or other companies.
Using the data pulled through the server’s IMAP APIs, they generate a new PDF lure containing the current victim’s details, such as full name, email address, and legitimate company name. They then send these files to selected new targets outside the victim’s organization who hold important positions.
Once the operators of PerSwaysion have conducted new spear-phishing operations from a compromised account, they delete the corresponding emails from the sent folder to avoid detection, Group-IB said.
At first, Group-IB was unable to identify the motive of the hackers, as they were only gaining access to email accounts.
PerSwaysion’s whole scheme unfolds in three stages, built to avoid traffic detection and automated threat intelligence gathering:
- Initially, each victim receives an email carrying an ordinary PDF file as an attachment. When the victim opens the file, it asks them to click a link to view the original content.
- That link redirects the victim to a Microsoft Sway page, where a related document prompts them to click yet another link.
- This final link redirects the victim, typically a targeted executive, to a page imitating the Microsoft Outlook login page, where the attackers quickly harvest the victim’s credentials.
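The three-stage lure chain above can be recognised from the defender's side in web-proxy or email-gateway click records: a link clicked from a PDF attachment, an intermediate hop on a legitimate Microsoft sharing service, and a final landing page that looks like a sign-in form but is not hosted on a Microsoft login host. The following Python is an added example, not code from Group-IB or The Hacker News; the record format, field names, host lists and sample sessions are assumptions, and it deliberately flags only this specific chain, not every PDF-linked login page.

```python
"""Flag PerSwaysion-style click chains (PDF link -> Microsoft Sway -> non-Microsoft login page).

Constructed example: the (source, url) record format, the host lists and the
sample sessions below are assumptions, not a real product's log schema."""
from urllib.parse import urlparse

# Hosts where a genuine Microsoft sign-in form may be served (assumed allow-list).
MS_LOGIN_HOSTS = ("login.microsoftonline.com", "login.live.com", "login.microsoft.com")
# Legitimate sharing services the campaign abuses as an intermediate hop (named in the report).
SHARING_HOSTS = ("sway.office.com", "sharepoint.com", "onenote.com")
LOGIN_MARKERS = ("login", "signin", "owa", "outlook")

# Constructed sessions: for each user, an ordered list of (click_source, visited_url).
SAMPLE_SESSIONS = {
    "cfo@example.test": [  # matches the full lure chain
        ("pdf_attachment", "https://sway.office.com/constructed-doc-id"),
        ("sway.office.com", "https://constructed-lure.appspot.com/outlook/login?u=cfo%40example.test"),
    ],
    "legal@example.test": [  # Sway document that really does require a Microsoft sign-in
        ("pdf_attachment", "https://sway.office.com/another-constructed-id"),
        ("sway.office.com", "https://login.microsoftonline.com/common/oauth2/authorize?x=1"),
    ],
    "ops@example.test": [  # PDF straight to a vendor portal: not this chain, not flagged here
        ("pdf_attachment", "https://portal.vendor.test/signin"),
    ],
}


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _matches(host: str, suffixes) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def is_perswaysion_chain(hops) -> bool:
    """True when the chain starts from a PDF attachment link, passes through a
    legitimate sharing service, and ends on a login-looking page off Microsoft hosts."""
    if len(hops) < 2 or hops[0][0] != "pdf_attachment":
        return False
    if not any(_matches(_host(url), SHARING_HOSTS) for _, url in hops[:-1]):
        return False
    final = urlparse(hops[-1][1])
    final_host = (final.hostname or "").lower()
    looks_like_login = any(m in (final.path + "?" + final.query).lower() for m in LOGIN_MARKERS)
    return looks_like_login and not _matches(final_host, MS_LOGIN_HOSTS)


def flag_sessions(sessions) -> list:
    """Return the users whose click chain matches the lure pattern, for analyst review."""
    return [user for user, hops in sessions.items() if is_perswaysion_chain(hops)]
```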
“Evidence indicates that scammers are likely to use LinkedIn profiles to assess potential victim positions. Such a tactic reduces the possibility of early warning from the current victim’s co-workers and increases the success rate of the new phishing cycle.”
Though there’s no clear evidence of how the attackers are using the compromised corporate data, researchers believe it can be ‘sold in bulk to other financial scammers to conduct traditional monetary scams.’