Phishing, Other Threats Target Email and Video App Users – Security News


Insights and analysis by Paul Christian Pajares

We have seen several threats abusing tools used in work-from-home (WFH) setups. Cybercriminals are using credential phishing sites to trick users into entering their credentials into fake login pages of email and collaboration platforms and videoconferencing apps. Although these threats are not new, the need for better solutions is heightened because of the current technology and landscape.

Over the years, cybercriminals have remained active in propagating credential phishing campaigns. The Trend Micro 2019 Cloud App Security Report showed a 35% increase in the number of credential phishing attempts involving unknown phishing links from 2018 to 2019. This may mean that threat actors continuously produce new phishing links to evade detection by security software. Credential phishing attacks detected and blocked by Trend Micro Cloud App Security also increased by 59%, from 1.5 million in the second half of 2018 to 2.4 million in the first half of 2019.

[Related: The Rising Tide of Credential Phishing]

Here, we analyzed some of the tools that many companies use for WFH arrangements: Outlook on the web (formerly known as Outlook Web Access) and other Office 365 applications such as SharePoint, and videoconferencing apps WebEx and Zoom.


Phishing campaigns using Outlook on the web and Office 365 as lures

Credential phishing using Outlook on the web and Office 365 as bait has hit users in several countries. Data from our Smart Protection Network indicates over 50,000 phishing detections from January 2020 to April 27 of the same year, with the threats affecting users in the United States, Germany, Canada, Taiwan, Japan, Australia, Hong Kong, and other countries.

Figure 1. Phishing detections related to Office365 and Outlook from January to April 2020

Figure 2. Top countries with users encountering phishing attempts related to Office365 and Outlook

Employees commonly use the Outlook mailbox in the office, but some use the Outlook for the web version when accessing email outside the office. If not careful, they may mistakenly attempt to log in to a phishing page designed to look like Outlook's login page.

 
Figure 3. Fake login page of Outlook for the web

Many employees are accessing files and collaborating online through Office 365. Sites associated with this are also spoofed and used as phishing campaign lures. The 2019 Cloud App Security Report also found that the number of unique Office 365-related phishing links blocked in 2019 jumped to more than double 2018's total, according to data from the Trend Micro Smart Protection Network infrastructure. We also found that these threats not only targeted users, but also those who have administrator accounts.

Figure 4. Fake Microsoft login page

Phishing campaigns and other threats using WebEx and Zoom as lure

Threat actors deploy phishing campaigns that use videoconferencing apps such as WebEx and Zoom as bait. Besides phishing, other threats such as adware, cryptocurrency miners and other malware, and fraud also use these apps as lure. Data from the Trend Micro Smart Protection Network revealed an estimated 4,000 detections for threats targeting Zoom and WebEx users from January 2020 to April 27 of the same year. These affected users from Germany, the United States, China, Japan, Taiwan, Hong Kong, Singapore, and other countries.

Figure 5. Threat detections for Zoom and WebEx from January to April 2020

Figure 6. Top countries with users encountering phishing attempts and other threats related to Zoom and WebEx

 

WFH setups rely on videoconferencing apps for better communication. Cybercriminals take advantage of this by attempting to harvest credentials through phishing pages. Other threats using these apps as bait include malicious domains and fake apps.

Figure 7. Fake pages for logging in and joining a meeting in WebEx


Figure 8. Spoofed login page of Zoom

Threat actors either compromise legitimate sites or create malicious domains to host phishing pages. We traced the IP hosting locations of the sources of these domains and found that the United States has the highest unique IP count, at 833. Trailing far behind are the Netherlands at 78 and Germany at 44.

Recommendations

One of the ways threat actors spread credential phishing pages is through email. Below are some of the best practices for defending against this threat:

  • Never click links in emails coming from untrustworthy sources.
  • Examine URLs embedded in emails by hovering the mouse pointer over them. This may reveal that the link leads to another URL.
  • Check for grammatical errors and spelling mistakes, which are common indicators that the email did not come from reputable companies.
  • Even if a page looks like a legitimate login page, check the URL to verify its legitimacy.
  • Avoid sharing sensitive personal information online.


Indicators of Compromise

Phishing pages targeting Office365 and Outlook on the web users


Phishing pages targeting WebEx and Zoom users


Download sites of fake WebEx and Zoom apps


Other malicious sites related to WebEx and Zoom




SHA-256 and Trend Micro Pattern Detection:
2e3fc390e6b74d86e3535cd2cc0fd864c8cae0b9434cce12063a289d03e7ba10

PUA.Win32.InstallCore.THCCABO

