A phishing campaign is underway that poses as Office 365 password expiration reports and has so far compromised dozens of C-suite (company executive) email accounts, according to a warning issued by Trend Micro. Targeting organizations in a range of sectors, including finance, government, manufacturing, real estate and technology, the campaign has victims in Japan, the USA, the UK, Canada, Australia and many European countries.
To date, more than 300 unique compromised URLs have been identified, along with 70 email addresses from eight compromised sites. The phishers have also managed to take over 40 legitimate email addresses belonging to company executives, among them CEOs, directors, founders and owners, as well as other employees.
The attackers send fake Office 365 password expiration reports that ask the potential victim to click an embedded link which will supposedly let them keep using their current password. When the victim clicks the "Keep password" option, they are redirected to a phishing page that harvests their credentials.
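The lure described above is recognisable from the email alone: a "keep password" style link whose target is not a Microsoft domain, or a displayed URL that does not match the real href. The following triage script is an added example, not Trend Micro's code or anything from the campaign; the sample email body and the allowlist of Microsoft login domains are constructed for illustration. Because it inspects the message statically, it does not depend on fetching the phishing page, which the kit may refuse to serve to scanners.

```python
"""Flag Office 365 'password expiration' lures in an HTML email body.

Added example (not from the original article). The sample message below is
constructed; the allowlist is an assumption about where a genuine Microsoft
password notice would link.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains a legitimate Office 365 password notice would link to.
LEGIT_SUFFIXES = (
    "microsoft.com",
    "microsoftonline.com",
    "office.com",
    "office365.com",
    "live.com",
)

# Anchor text typical of the "keep your password" lure.
LURE_WORDS = re.compile(
    r"keep (my |your |the )?(same )?password|password (will )?expir|continue using",
    re.IGNORECASE,
)

# Constructed sample: one lure link, one mismatched-URL link, one benign link.
SAMPLE_EMAIL = """
<p>Your Office 365 password is set to expire today.</p>
<p><a href="https://compromised-site.example/o365/index.php?e=ceo@victim.example">Keep Password</a></p>
<p>Or review your account at
<a href="https://login.evil.example/">https://login.microsoftonline.com</a></p>
<p><a href="https://www.microsoft.com/privacy">Privacy statement</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def hostname(url):
    return (urlparse(url).hostname or "").lower()


def host_is_legit(url):
    """True only for the allowlisted domains and their subdomains."""
    host = hostname(url)
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def find_lures(html):
    """Return a list of suspicious links with the reasons they were flagged."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        if LURE_WORDS.search(text) and not host_is_legit(href):
            reasons.append("password lure pointing outside Microsoft domains")
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and shown.group(1).lower() != hostname(href):
            reasons.append("displayed URL host differs from real href host")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_lures(SAMPLE_EMAIL):
        print(hit["text"], "->", hit["href"], "|", "; ".join(hit["reasons"]))
```

The allowlist is deliberately suffix-based with a dot boundary, so a host such as microsoftonline.com.evil.example is not accepted; in production you would also run the extracted hosts against threat intelligence rather than relying on the allowlist alone.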
The attackers then use the compromised infrastructure and the stolen credentials to host further phishing pages and to target additional victims. They also rely on a phishing kit that was first analyzed last year, when it was used in similar attacks with fake Microsoft login pages. The kit is sold in underground markets, and the credentials it harvests are in turn offered for sale to other cybercriminals.
Trend Micro also found the attackers advertising stolen credentials for the Office 365 accounts of CEOs and CFOs, among others. The company noted that these posts appeared on numerous English- and Russian-language forums, including an underground forum where one post appears to match an advertisement by a different user. Notably, all of the posts on the Russian-language forums were written in English and came from newly registered accounts.
Most of the phishing emails in this campaign were sent to corporate executives from virtual private servers provided by FireVPS, a company that sells Windows Remote Desktop Protocol (RDP) hosting plans. According to Security Affairs, Trend Micro has notified the company that its service is being abused in the phishing campaign but has not yet received a response.
The phishing kit, which appears to be an evolution of similar tools, also includes an extensive list of IP addresses and domain names used to block access from security companies and large cloud providers, most likely to avoid detection and analysis. The kit's developers actively advertise it on social media sites and also trade in stolen credentials. Trend Micro was ultimately able to link the developer's Facebook business page to a personal page and has provided the authorities with the details.
Trend Micro also linked the group's sites to other phishing attacks, including one that targets CEOs, presidents and company founders exclusively in the United States. Another campaign targets directors and other executives in Canada, Israel, Hungary, the Netherlands, the United Kingdom and the USA.
The email addresses of US CEOs appear to be the main target of this campaign. Control of such mailboxes lets intruders conduct further phishing, obtain sensitive information, and carry out business email compromise (BEC) and other social engineering attacks.