Why This Matters
Phishing attacks are becoming more advanced and harder to detect. Recently, StrongestLayer Threat Intelligence discovered a phishing page hosted on the India Times website, redirecting users to a malicious Microsoft login replica. This incident highlights the need for employees to be vigilant and prepared for the next cyber threat.
The Attack Breakdown
StrongestLayer’s team encountered a phishing domain using the mass mailing website exactag.com, where attackers created malicious subdomains. Our analysis flagged the site as suspicious. Then a new trend surfaced: phishing redirections from a trusted news source, India Times.
What Exactly Happened to India Times?
A malicious actor gained control of a subdomain on exactag.com and planted a redirection script to reroute users from India Times to their phishing page.
The phishing flow redirected to the domain camenergyllc[.]nyc, ultimately leading to a fake Microsoft login page.
Upon analyzing the source code of the phishing page, StrongestLayer’s threat analysts found AI-generated code designed to hide the functional parts, making detection even more difficult.
How Long Was India Times Compromised?
We discovered that India Times had been compromised for over a month, hosting phishing redirects to various campaigns. The malicious link flow is as follows:
- camenergyllc[.]nyc (phishing page)
- exactag.com/ai.aspx
- India Times (redirection)
- https://m[.]exactag[.]com/ai[.]aspx?tc=d9608989bc40b07205bbd26a23a8d2e6b6b4f9&url=https://hr.economictimes.indiatimes.com/etl.php?url=//camenergyllc[.]nyc/nsbd/lcv/vbWSOimLtTe6IJj/a2h1cnJhbS53YXJhaWNoQHRlbGVub3JiYW5rLnBr
- https://hr[.]economictimes[.]indiatimes[.]com/etl[.]php?url=//camenergyllc[.]nyc/nsbd/lcv/vbWSOimLtTe6IJj/a2h1cnJhbS53YXJhaWNoQHRlbGVub3JiYW5rLnBr
- https://camenergyllc[.]nyc/nsbd/lcv/vbWSOimLtTe6IJj/xxxxxxxhbS53YXJhaWNoQHRlbGVub3JiYW5rLnBr?utm_source=promotions&utm_medium=email&utm_campaign=
- https://theduck[.]hostcabofrio[.]com[.]br/[.]well-known/vwq[.]html#4xxxxxxx.xxxxxxx@xxxxxxxxxxx[.]xx
We started investigating the last two links in this incident. When we tried accessing link 3 after some time, there was a banner notice saying that the website was under load and that we should try again later.
However, this should be taken with a grain of salt: attackers often put such limits in place to reduce the risk of discovery once their target has been served the content. These notices are intended to hide the content of that particular path from analysts after the domain has served a phishing campaign for long enough.
At that point the page is meant to go into hibernation, or a cloaked state, to preserve the infrastructure: registering and setting up websites costs money, and attackers want to keep their domains undetected for as long as possible.
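To make the link flow above concrete, here is an added example (not StrongestLayer's tooling) that unwraps nested redirect parameters the way the exactag and India Times hops chain into each other, and flags every hop that hands off to a different site. The sample URL is constructed with placeholder tokens, and the list of redirect parameter names is an assumption.

```python
"""Unwrap a nested open-redirect chain and flag hops that leave one site for another.
Added example (not StrongestLayer's tooling); SAMPLE is constructed with placeholder tokens."""
from urllib.parse import parse_qs, urlsplit

# Redirect parameter names to look for (assumption; this incident used "url").
REDIRECT_PARAMS = ("url", "u", "redirect", "next", "target")

def refang(url: str) -> str:
    """Turn defanged notation (example[.]com, hxxp) back into a parsable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")

def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()

def site_of(host: str) -> str:
    """Crude registrable domain (last two labels). Real tooling should use the
    Public Suffix List: hosts under .com.br etc. collapse wrongly here."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def next_hop(url: str):
    """Absolute URL a redirect parameter hands off to, or None."""
    params = parse_qs(urlsplit(refang(url)).query)  # also percent-decodes values
    for name in REDIRECT_PARAMS:
        for value in params.get(name, []):
            value = refang(value)
            if value.startswith("//"):    # scheme-relative, as in the etl.php hop:
                value = "https:" + value  # off-site, but dodges startswith("http") checks
            if value.startswith(("http://", "https://")):
                return value
    return None                           # no hand-off, or a same-site relative path

def unwrap_chain(start: str, max_hops: int = 10) -> list:
    """Follow nested redirect parameters; max_hops guards against loops."""
    chain = [refang(start)]
    while len(chain) <= max_hops:
        hop = next_hop(chain[-1])
        if hop is None:
            break
        chain.append(hop)
    return chain

def cross_site_hops(chain: list) -> list:
    """(from_host, to_host) pairs where a hop leaves the referring site."""
    return [(host_of(a), host_of(b)) for a, b in zip(chain, chain[1:])
            if site_of(host_of(a)) != site_of(host_of(b))]

# Constructed sample shaped like the incident's chain (placeholder tokens).
SAMPLE = ("https://m[.]exactag[.]com/ai[.]aspx?tc=TRACKINGTOKEN&url=https://hr."
          "economictimes.indiatimes.com/etl.php?url=//camenergyllc[.]nyc/nsbd/lcv/PATHTOKEN")
```

Running `cross_site_hops(unwrap_chain(SAMPLE))` yields two flagged hops, exactag to India Times and India Times to the final domain, which is exactly the pattern a mail gateway can block on without trusting the reputable first-hop domain.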
Tactics Used by the Attacker
The attacker used several clever tactics:
- Cloaking: After some time, the phishing page showed an error banner, masking the actual page.
- Redirection: The phishing page is redirected through multiple URLs, creating a complex chain.
- Hibernation: Attackers often hide content after it has served its purpose, in order to avoid detection.
- Deceptive Domains: The final phishing page looked like a Microsoft login page, but its URLs pointed to different, malicious domains.
When we accessed the subdomain that was hosting the phishing page, we found the menu of a popular pub in Brazil, TheDuckPub.
When we visited hostcabofrio.com.br itself, it immediately served a familiar suspicious page: the contents had been removed from the web server’s root path to hide it from the public. This is a typical tactic heavily used by attackers.
The WHOIS record of the main phishing detonation domain reveals that it belongs to someone in Brazil and has been active since 2016.
Lessons Learned for Employees and Security Professionals
- Simply because the main domain name of a URL belongs to a known and reputable brand does not mean that the website it redirects to is safe.
- Just because you are shown an error notice doesn’t mean the intent behind it is genuine, as we witnessed here. Phishing sites frequently use such cloaking techniques to masquerade as unavailable or benign in order to avoid being blocked by detection engines and threat analysts.
- Do not be fooled by known, familiar brands on a website. Without market-leading detection tools at their disposal, employees are left to investigate whether a page is the real deal before clicking anything.
- Lastly, all of the hyperlink URLs on the spoofed ‘Microsoft’ phishing login page point to a domain other than login.live.com. Without detection tools designed to boost Human Layer security (like StrongestLayer), vigilance and caution are the only two things that can save you from falling victim in these scenarios.
How Does StrongestLayer Help?
StrongestLayer’s email security and human risk tools can detect these advanced phishing techniques before employees fall victim. By analyzing redirection flows and domain activities, StrongestLayer can protect users from phishing attempts and build resilience against future threats.
FAQs (Frequently Asked Questions)
1. How did the attackers use India Times for phishing?
Attackers compromised a subdomain of India Times and used it to redirect users to a phishing page that mimicked a Microsoft login.
2. What can employees do to avoid phishing attacks?
Employees should always check URLs carefully, even when visiting trusted sites. Training, vigilance, and tools like StrongestLayer are crucial to staying safe.
3. Why did the phishing page show an error message?
The error message was part of the attacker’s cloaking tactics to hide the phishing site after it had served its purpose.
4. How can StrongestLayer help protect organizations from phishing?
StrongestLayer offers AI-driven tools that detect suspicious domains, redirection patterns, and phishing emails, providing real-time protection for employees.
5. Why are phishing attacks becoming more sophisticated?
Attackers are using AI to obfuscate their code and create more convincing phishing pages, making it harder for traditional security systems to detect them.
Safwan Khan
Head of StrongestLayer Threat Intelligence