Saturday, January 23, 00:12

New phishing campaign abuses three corporate cloud services!

A new phishing campaign abuses three corporate cloud services, Microsoft Azure, Microsoft Dynamics and IBM Cloud, to steal login credentials. The e-mails claim to come from a help desk at "servicedesk.com", mimicking the wording of the real IT help-desk domains used in corporate environments. The message is styled as a quarantined-mail notice of the kind that e-mail security products and spam filters routinely send to employees, asking the recipient to "release messages stuck in the queue".


The "From:" address shown in the e-mail is "noreply@servicedesk.com". Although that field can easily be forged, the headers of this campaign's messages also contain a hop that appears to come from that domain: the e-mail reaches the recipient through an intermediate relay, cn.trackhawk.pro, but the lowest "Received:" header claims the message originated at "servicedesk.com".


In most e-mail spoofing cases, a mismatch between the "From:" domain and the domain in the lowest "Received:" header (the claimed origin of the message) is a sign of suspicious activity. In this campaign the "From:" domain, "servicedesk.com", matches the domain in that bottom "Received:" header, which makes it easier for the messages to slip past spam filters.


These headers point to one of two scenarios:

  • Either the mail servers of "servicedesk.com" were compromised and the attackers are sending e-mails through them,
  • or the attackers are sending e-mails through "cn.trackhawk.pro" and appending a forged "Received: from servicedesk.com…" header at the bottom, so that it matches the "From:" domain and the message looks more convincing and trustworthy.

Pinging the IP address in the "Received: from servicedesk.com ([104.37.188.73])" header timed out, suggesting that host is not live (a timeout is only weak evidence on its own, since many hosts simply drop ICMP), whereas the IP of "cn.trackhawk.pro" (66.23.232.62) answered pings normally; together this makes the second scenario more likely. Either way, the absence of SPF, DKIM and DMARC records for the domain "servicedesk.com" means receiving mail servers have no published policy against which to reject messages claiming to come from it, which is what lets spammers exploit the domain in attacks like this one.
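To make the header reasoning above concrete, here is an added Python example (not from the original article or its author) that applies the same two checks to a constructed message modelled on this campaign: it compares the "From:" domain with the claimed origin in the bottom "Received:" header and with the host the receiving server actually connected to, and it evaluates a constructed SPF record against the connecting IP to show what the missing records would have changed. The hosts and IP addresses are the ones named in the article; the header layout, the Return-Path, the receiving host mx.example.net, the recipient address and the "hardened" SPF record are assumptions.

```python
import email
import email.utils
import ipaddress
import re

# Constructed sample: headers modelled on the campaign described above.
# The hosts and IPs are those named in the article; the header layout, the
# Return-Path, the receiving MTA "mx.example.net" and the recipient are assumptions.
SAMPLE_MESSAGE = """\
Return-Path: <noreply@servicedesk.com>
Received: from cn.trackhawk.pro (cn.trackhawk.pro [66.23.232.62])
\tby mx.example.net with ESMTP; Fri, 22 Jan 2021 10:00:00 +0000
Received: from servicedesk.com ([104.37.188.73])
\tby cn.trackhawk.pro with SMTP; Fri, 22 Jan 2021 09:59:00 +0000
From: Servicedesk <noreply@servicedesk.com>
To: victim@axxrma.com
Subject: Quarantined messages waiting for release

"""

RECEIVED_RE = re.compile(r"from\s+(?P<host>[^\s(]+)(?:\s*\((?P<info>[^)]*)\))?")
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def parse_received(value):
    """Return (host, ip) from one Received: header, or (None, None) if unparsable."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None, None
    ip_match = IP_RE.search(m.group("info") or "")
    return m.group("host").lower(), (ip_match.group(1) if ip_match else None)


def address_domain(header_value):
    """Domain part of an address header such as 'Name <user@example.com>'."""
    _, addr = email.utils.parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def analyse(raw_message):
    """Compare the From: domain with the claimed origin and the real connecting host.

    Received: headers are prepended as mail travels, so the topmost one was written
    by our own MTA and can be trusted; the bottom one is whatever the sender chose
    to put there, which is exactly what this campaign exploits.
    """
    msg = email.message_from_string(raw_message)
    from_domain = address_domain(msg["From"])
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    connecting_host, connecting_ip = hops[0]
    claimed_host, _claimed_ip = hops[-1]
    return {
        "from_domain": from_domain,
        "claimed_origin": claimed_host,
        "claimed_origin_matches_from": in_domain(claimed_host or "", from_domain),
        "connecting_host": connecting_host,
        "connecting_ip": connecting_ip,
        "connecting_host_matches_from": in_domain(connecting_host or "", from_domain),
    }


def spf_check(connecting_ip, spf_record):
    """Minimal offline SPF evaluation: ip4/ip6 mechanisms and 'all' only.

    Real SPF is evaluated on the envelope sender (Return-Path) domain against the
    connecting IP; include/a/mx need DNS and are deliberately not handled here.
    Returns 'none' when the domain publishes no record at all.
    """
    if spf_record is None:
        return "none"
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(connecting_ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        if term.lower() == "all":
            return qualifiers[qual]
        mech, _, arg = term.partition(":")
        if mech.lower() in ("ip4", "ip6") and arg:
            if ip in ipaddress.ip_network(arg, strict=False):
                return qualifiers[qual]
    return "neutral"  # RFC 7208: no mechanism matched and no 'all' present


if __name__ == "__main__":
    result = analyse(SAMPLE_MESSAGE)
    print(result)
    # servicedesk.com publishes no SPF record, so the receiver gets no verdict at all.
    print("no record  :", spf_check(result["connecting_ip"], None))
    # Hypothetical record: had the domain authorised only its own range, the relay would fail.
    print("hardened   :", spf_check(result["connecting_ip"], "v=spf1 ip4:104.37.188.0/24 -all"))
```

Running the block shows the bottom "Received:" header agreeing with the "From:" domain (the check the article says spam filters rely on) while the receiver's own top header records a connection from cn.trackhawk.pro, and it shows why a published "-all" SPF record would have turned that into a hard fail instead of the "none" the real domain produces.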


Hosting the phishing landing pages on the Microsoft Dynamics, Microsoft Azure and IBM Cloud services makes the campaign more persuasive, especially because sites hosted on Azure (under windows.net) or IBM Cloud automatically receive free TLS certificates issued under these companies' names, which lends the pages further credibility.


The phishing e-mail contains buttons labelled "RELEASE MESSAGES" or "CLEAN-UP CLOUD". Clicking one takes the user to a legitimate Microsoft Dynamics 365 URL, which then redirects to a domain under cf.appdomain.cloud, the domain used for IBM Cloud Foundry deployments, where the phishing landing page is hosted. The attacker built this page with some care: entering a weak, obviously fake password such as "test" is rejected with a "wrong password" error instead of being collected.


Entering a password of plausible length and complexity that passes the page's checks redirects the user to another fake page, hosted on Microsoft Azure's windows.net domain, which confirms a "settings update". That page finally redirects the user to the website of their own e-mail domain; in the case examined here, the final destination was Axxrma.com.


Phishing e-mails are becoming ever more common, targeting both individual users and companies, and can have serious consequences (e.g. data theft or ransomware attacks). Campaigns that abuse legitimate cloud infrastructure are on the rise because that infrastructure lends credibility to the attack and supplies free TLS certificates. The growing sophistication of these attacks lets attackers bypass spam filters and security products, which increases the need for advanced, layered security controls in companies.

Pohackontas, https://www.secnews.gr
