Phishing attacks continue to evolve. Cybercriminals now use hidden identities and public cloud platforms to launch highly convincing phishing campaigns. To avoid being a victim of attacks that are embedded in the workflow, employees must be aware of these evolving threats.
The StrongestLayer Investigation
Recently, the StrongestLayer Threat Intelligence team discovered a sophisticated phishing campaign that targeted employees in the US. This investigation highlights how complex these threats are becoming. It is important that employees are aware of phishing threats and are able to deal with them in their everyday work.
The attackers posed as legitimate DHL websites, tricking people into paying fraudulently with credit cards for alleged delivery fees. The design, language and urgency of the site made it nearly impossible to distinguish from real DHL communications. Employees who relied on DHL to run their business were put at risk.
Phishing Tactics Revealed
The attacker weaponized a dormant domain to avoid detection. The phishing website, registered as “exprxxxxx[.]delivery”, was inactive for an extended period of time before the attack. This stealthy approach bypassed typical security measures and left organizations vulnerable.
After activation, “exprxxxxx[.]delivery” falsely claimed that it had been in operation since 2005. However, the registration date was 2023. The domain was dressed up to look like a legitimate Japanese website to further disguise its malicious intent.
The phishing infrastructure ran on a server that was known to host malware sites. We found malicious domains that were connected to the exact same IP address. All of these domains were flagged as phishing threats and contributed to the increasing number of phishing attacks aimed at unknowing employees.
It Is Important to be Resilient Against Phishing Attacks
This investigation highlights the rapid evolution of phishing threats and the critical need for organizations to bolster end user resilience against the immediate but ever-changing threat. By prioritizing an organization wide, deep understanding and targeted awareness of ‘the next’ phishing threat and empowering users to recognize and respond to suspicious activity, organizations can enhance their human defenses and mitigate the risk of successful phishing attacks.
List of IOCs:
- exprxxxxx[.]delivery
- 3kou[.]co[.]jp
- 0-3[.]us
- 0-x[.]com
- 00033pyabil[.]online
- 0004hd[.]com
- 000666tv[.]com
- 000ipl[.]com
- 000j000[.]link
- 000t20win[.]com
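The IOC list above is published defanged (`[.]` in place of `.`), so it cannot be matched against logs as-is, and the dormant-domain section describes two signals worth checking on a suspicious site: a claimed operating history that predates the WHOIS registration date, and a registration that is recent relative to when the domain was first seen. The following Python script is an added example written for this article; it is not StrongestLayer's tooling. It refangs the report's indicators into a blocklist, scans a few constructed proxy log lines for hosts that match an IOC or a subdomain of one, and applies the two registration heuristics to constructed dates. The log lines, the client IPs and the dates are all made up for illustration; the two domains matched in the log are the ones the report lists.

```python
import re
from datetime import date

# Indicators taken from the report's IOC list, in their defanged form.
DEFANGED_IOCS = [
    "exprxxxxx[.]delivery",
    "3kou[.]co[.]jp",
    "0-x[.]com",
    "00033pyabil[.]online",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("example[.]com", "hxxp://") into a matchable form."""
    return (ioc.strip().lower()
            .replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


def defang(domain: str) -> str:
    """Defang a domain so it can be shared in a report without being clickable."""
    return domain.replace(".", "[.]")


def build_blocklist(iocs):
    """Set of refanged, lower-cased domains for exact and parent-domain matching."""
    return {refang(i) for i in iocs}


def domain_matches(host: str, blocklist) -> bool:
    """True if host is an IOC or a subdomain of one (track.bad.tld matches bad.tld)."""
    parts = host.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


# Constructed proxy log lines (timestamp, client IP, method, URL); not real traffic.
SAMPLE_LOG = """\
2024-05-02T09:14:03Z 10.1.2.33 GET https://www.dhl.com/en/express/tracking.html
2024-05-02T09:14:08Z 10.1.2.33 GET https://track.exprxxxxx.delivery/pay?id=7731
2024-05-02T09:15:41Z 10.1.2.51 GET https://3kou.co.jp/
2024-05-02T09:16:02Z 10.1.2.51 GET https://example.org/
"""

URL_HOST = re.compile(r"https?://([^/\s:]+)")


def scan_log(log_text: str, blocklist):
    """Return (client_ip, host) for every log line whose host matches the blocklist."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash the scan
        m = URL_HOST.search(fields[3])
        if m and domain_matches(m.group(1), blocklist):
            hits.append((fields[1], m.group(1)))
    return hits


def registration_red_flags(claimed_since_year, registered_on: date,
                           seen_on: date, young_days: int = 180):
    """Two heuristics from the report. The first catches a site that claims
    a history older than its WHOIS creation date (the 'since 2005' claim on a
    2023 registration). The second flags a newly registered domain; note that
    the dormant-domain tactic exists precisely to age a domain past such a
    threshold, so it is a weak signal on its own and the first check and the
    IOC match above matter more. The 180-day threshold is an assumption."""
    flags = []
    if claimed_since_year is not None and claimed_since_year < registered_on.year:
        flags.append("claimed_history_predates_registration")
    if (seen_on - registered_on).days < young_days:
        flags.append("newly_registered")
    return flags


if __name__ == "__main__":
    blocklist = build_blocklist(DEFANGED_IOCS)
    for client, host in scan_log(SAMPLE_LOG, blocklist):
        print(f"IOC hit: {client} -> {defang(host)}")
    # Constructed dates mirroring the report's claim/registration mismatch.
    print(registration_red_flags(2005, date(2023, 3, 1), date(2024, 5, 2)))
```

Run it as a script to see the two IOC hits and the registration flags; in a SOC pipeline the blocklist would be fed from the published IOC list and `scan_log` would run over the proxy or DNS log export, with any hit raised for the user's awareness and a password reset where credentials were entered.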
FAQs (Frequently Asked Questions)
1. What makes phishing so dangerous in today’s world?
Phishing has become more sophisticated. Hackers use emails and websites that look like legitimate business sites, making it harder to detect.
2. How do attackers conceal their identity?
To remain anonymous, attackers use techniques like redacted WHOIS data and public cloud platforms. They register dormant sites and activate them right before they launch attacks. This makes it hard for security tools like AV to detect the threats.
3. What can employees do to recognize phishing attacks?
Be wary of emails requesting sensitive information and of unfamiliar domain names. Regular training and awareness help users stay alert to phishing attacks.
4. What is the role of dormant domains in phishing?
Domains that are dormant have been inactive for a long time before they become weaponized. This tactic allows attackers to launch surprise attacks and avoid detection by traditional security tools.
5. How can organizations improve their phishing resilience?
By regularly training staff, encouraging vigilance and integrating advanced tools that flag suspicious activities early, organizations can improve their resilience.
6. What is an IOC (Indicator of Compromise)?
An IOC is a sign that a system or account may have been compromised. Examples include suspicious domain names, malware signatures, or unusual login patterns. These indicators help cybersecurity teams identify potential threats.
7. What impact do phishing attacks have on businesses?
Phishing attacks may lead to financial losses, data breaches and reputational damage. As employees are usually the first line in defense, their awareness is crucial to prevent successful attacks.
8. What should I do if I suspect I have been phished?
Report it to your IT or security team immediately if you suspect you have fallen victim to a phishing scam. Change your passwords, and keep an eye on your accounts for any unusual activity.
Safwan Khan & Haris Kamal
StrongestLayer Threat Intelligence