New Phishing Attack That Uses Multiple Replica Sign-In Pages

Hackers today depend on phishing attacks and social engineering like never before; in fact, 9 out of 10 data breaches today start with a phishing scam.

Organizations today have stepped up their defenses against cybercrimes and hence direct network and machine exploits are showing a decreasing trend. Cybercriminals now seek to target people within the organizations and hence depend on a broad range of phishing attack vectors. They come up with all kinds of sophisticated, dangerous phishing scams and trick users into giving away personal data, including login credentials. They use different means to trick users; they would use the social media, chat, pop-up ads, IM applications, rogue browser extensions, apps, web freeware etc and execute phishing attacks with ease. Using the phishing attacks they would first hack individual computers and thereby gain entry into enterprise networks.

Cybercriminals are coming up with newer and newer kinds of phishing scams these days. A recent type of phishing scam that security researchers have detected includes using multiple replica sign-in pages to cheat users into giving away their credentials.

In a detailed report published in ISBuzz News, Atif Mushtaq, the founder and CEO of SlashNext, writes, “Recently, we uncovered an alarming type of phishing attack that is based on so-called replica sign-in pages for federated account log-ins. This type of attack works by playing into the human brain’s tendency to give priority to well-known visual icons, in which case the mind tends to “see” what it thinks it has seen, or rather what it expects to see.”

Mushtaq further explains, “Replica phishing pages carefully duplicate the logos, colors and fonts from popular global brands such as Google, Microsoft, Dropbox and Yahoo. These imitations are often so realistic that they lure users into giving away their credentials. Some of these log-in pages come complete with a functional “Password Reset” option. Others include requests for secondary email accounts, mobile phone numbers, or one’s answers to security questions to ostensibly provide “enhanced security.” Talk about social engineering – the bad guys are banking on the user’s trust and familiarity with normal security procedures to finagle yet more user secrets!”

In his report, Atif Mushtaq talks about numerous multi-brand phishing pages coming up. Hackers come up with fake web pages displaying multiple brands simultaneously. Mushtaq also mentions the instance of a hacker displaying a custom Dropbox phishing page which requires anyone who wants to access the page to enter his personal credentials from a separate trusted, federated email log-in source of his choice.

Mushtaq explains, “Regardless of which pop-up credential the user selects, the form will submit the stolen information through a php script of the same name as the pop-up, all hosted on the same server. For each php, the attacker writes the code to forward the collected information to a specific repository email address.”

It’s also explained how attackers go past the Dropbox log-in to lure users into giving away their email address and Gmail recovery phone number as well. There will be a “Continue” button, which the user would have to press after entering the email address and the phone number; once this button is pressed, the credentials are sent to the repository email address and the user would get redirected to a Google Docs URL

Though employees in organizations are being trained to stay wary of such attacks, things are getting complicated with hackers creating more sophisticated, legitimate-looking phishing attacks every day. People, despite all training sessions and awareness creation, continue to make mistakes and hacks continue to happen.

Atif Mushtaq recommends certain measures that need to be adopted to combat such phishing scams. He writes, “To detect these kinds of malicious phishing sites and protect employees from falling prey, phishing protection systems must be informed by real-time analysis and detection of zero-hour phishing threats on the Web. The system must make out the underlying context of the message and work backwards and forwards from the final attack screen to definitively identify phishing sites before a user can take the bait and share compromising info.”

He adds, “For sufficient protection from these fast-moving and convincing phishing attacks, our phishing security systems need to imitate a humanlike mentality but with the speed and scale required to protect large organizations with lots of Internet traffic. This approach requires putting a contextual frame and real-time phishing site analysis in place to identify these latest replica sign-in pages.”