Phishing attacks are by no means the sexiest or most technically advanced operations, but they continue to work and the groups behind them constantly improve and update their tactics to stay ahead of technical defenses and educational efforts. Data gathered by Microsoft over the course of the past year shows that attackers are using a variety of sneaky techniques in their campaigns now, including poisoning search engine results and generating custom 404 error pages to entice victims.
Phishing groups often rely on email-based lures to begin their attacks, and those have proven to be quite effective. But security education initiatives that have taught people how to identify malicious messages, coupled with better defensive technologies, have made it more difficult for those emails to have the intended effect. Many phishing emails include some kind of link to a website, and often those sites are faithful replicas of a legitimate one designed to trick victims into entering banking or email credentials or other valuable information. Browser vendors have developed client-side and web-based systems that are highly effective at detecting those sites and preventing people from reaching them or entering sensitive information on them.
So phishing gangs have had to adapt, and one of the techniques they’ve landed on is using poisoned search results to direct victims to malicious sites. The technique involves sending phishing emails that contain links to Google search result pages for specific keywords. The attackers use traffic-generation techniques to push the pages they control to the top of the results list for those keywords and keep them there. Because the result page is a legitimate Google page hosted on a trusted domain, both the browser and the victim are more likely to trust it and the links on it. But when a victim clicks on one of the links, they are taken to an attacker-controlled phishing page or redirected to a malware download.
“The campaign was made even stealthier by its use of location-specific search results. When accessed by users in Europe, the phishing URL led to the redirector website c77684gq[.]beget[.]tech, and eventually to the phishing page. Outside Europe, the same URL returned no search results,” a report from Patrick Estavillo of Microsoft’s Office 365 Threat Research Team says.
“For this to work, attackers had to make sure that their website, c77684gq[.]beget[.]tech, was the top search result for the keyword ‘hOJoXatrCPy’ when queried from certain regions. The website’s HTML code is composed of a redirector script and a series of anchor elements. These anchor elements were designed to be crawled by search engines so that the page is indexed and returned as a result for the search keywords that attackers wanted to use for their campaign.”
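The distinguishing feature of this lure is that the link in the email points at a search engine rather than at the phishing site itself, and the search keyword is a random token rather than anything a person would type. The following Python is an added example written for this article, not code from Microsoft's report; it shows how a mail-triage step can pull links out of a message, recognise search-result URLs, and score the query keyword for randomness (mixed case, high character entropy, few vowels). The email body, the host list and the thresholds are constructed for the example; the keyword `hOJoXatrCPy` is the one quoted above.

```python
import math
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample email body (not from the Microsoft report): one link to a
# search-result page with a random-looking keyword and one ordinary support link.
SAMPLE_EMAIL = """\
Your invoice is ready. View it at https://www.google.com/search?q=hOJoXatrCPy
or read the help article at https://support.example.com/billing/invoices
"""

# Hosts whose result pages a lure could point at (assumption: extend as needed).
SEARCH_HOSTS = {"www.google.com", "google.com", "www.bing.com", "duckduckgo.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(text)


def shannon_entropy(s):
    """Bits per character; a string of all-distinct characters scores log2(len)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(keyword):
    """Heuristic: a single token with mixed case, high entropy and a low vowel
    ratio is unlikely to be a query a person typed. Thresholds are assumptions."""
    if " " in keyword or len(keyword) < 8:
        return False
    mixed_case = keyword != keyword.lower() and keyword != keyword.upper()
    vowel_ratio = sum(ch in "aeiouAEIOU" for ch in keyword) / len(keyword)
    return mixed_case and shannon_entropy(keyword) > 3.0 and vowel_ratio < 0.35


def search_result_keyword(url):
    """Return the 'q' keyword if url is a search-engine result page, else None."""
    parsed = urlparse(url)
    if parsed.hostname not in SEARCH_HOSTS:
        return None
    return (parse_qs(parsed.query).get("q") or [None])[0]


def triage_links(text):
    """Classify each search-result link in a message: 'suspicious' when the
    keyword looks machine-generated, 'search-link' otherwise. Other URLs are
    left to the usual URL-reputation checks and are not returned here."""
    findings = []
    for url in extract_urls(text):
        keyword = search_result_keyword(url)
        if keyword is None:
            continue
        verdict = "suspicious" if looks_random(keyword) else "search-link"
        findings.append((url, keyword, verdict))
    return findings


if __name__ == "__main__":
    for url, keyword, verdict in triage_links(SAMPLE_EMAIL):
        print(f"{verdict:12} keyword={keyword!r} url={url}")
```

A flagged link does not need to be blocked outright; the useful follow-up is to resolve the result page from the recipient's region (the report notes the results were location-specific) and inspect the top hit, since the search page itself is benign and the malicious content lives one click further on.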
The technique is a clever one, but it’s not the only innovation phishing groups have developed. Microsoft’s threat research group also discovered a campaign that specifically mimicked the company’s account login page. That piece of the campaign isn’t unusual; phishing groups have been using highly accurate replicas of account login pages for Google, Microsoft, and other services for many years. But those pages often are hosted on specious URLs that are fairly easy to identify as fake.
The campaign that Microsoft discovered uses fake 404 error pages that are hosted on randomized URLs on a domain controlled by the attacker.
“Because the malformed 404 page is served to any non-existent URL in an attacker-controlled domain, the phishers could use random URLs for their campaigns. For example, we saw these two URLs used in phishing campaigns; the attackers added a single character to the second one to generate a new URL but serve the same phishing page,” Microsoft’s report says.
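The practical consequence of a catch-all 404 page is that URL-level indicators are nearly worthless: every random path on the domain serves the same credential form, so a blocklist of individual URLs never catches up. The Python below is an added example for this article, not code from Microsoft's report. It models the analyst check that confirms the behaviour (fetch a few random non-existent paths on one host and see whether they all return one identical page containing a password field) and the indicator consolidation that follows (collapse URLs to hosts). The fetch function, the page body and the host name are constructed stand-ins; a real probe would fetch over HTTP from an isolated analysis network.

```python
import hashlib
import re
import secrets
from urllib.parse import urlparse

# Matches a password input, the tell-tale of a credential-harvesting form.
PASSWORD_INPUT_RE = re.compile(r"<input[^>]+type=[\"']?password", re.IGNORECASE)

# Constructed page body standing in for the attacker's catch-all "404" page.
CATCHALL_PAGE = """<html><body><form action="/post.php" method="post">
<input name="login"><input type="password" name="passwd"></form></body></html>"""


def simulated_fetch(host, path):
    """Stand-in for an HTTP GET (assumption: returns (status, body)).
    Models a host that answers every path with the same credential page."""
    return 200, CATCHALL_PAGE


def random_probe_paths(n=4):
    """Random, non-existent paths; only a catch-all handler serves all of them."""
    return ["/" + secrets.token_hex(8) for _ in range(n)]


def body_fingerprint(body):
    """Hash of the whitespace-normalised body so trivial rendering differences
    do not hide an otherwise identical page."""
    normalized = re.sub(r"\s+", " ", body).strip()
    return hashlib.sha256(normalized.encode()).hexdigest()


def assess_host(responses):
    """responses: list of (status, body) for distinct random paths on one host.
    Returns a verdict on whether the host serves one phishing page for every
    non-existent URL, which is what justifies a domain-level block."""
    if len(responses) < 2:
        return "insufficient-probes"
    fingerprints = {body_fingerprint(body) for _, body in responses}
    if len(fingerprints) != 1:
        return "paths-differ"
    if PASSWORD_INPUT_RE.search(responses[0][1]):
        return "catch-all-credential-page"
    return "catch-all-static"


def probe_host(host, fetch=simulated_fetch, n=4):
    """Fetch n random paths on host and assess the responses."""
    responses = [fetch(host, path) for path in random_probe_paths(n)]
    return assess_host(responses)


def consolidate_indicators(urls):
    """Collapse per-URL indicators to hosts: with a catch-all page, blocking
    individual URLs is pointless because any path serves the same content."""
    return sorted({urlparse(u).hostname for u in urls})


if __name__ == "__main__":
    # Two reported URLs differing by one trailing character, as the report describes
    # (host name constructed for the example).
    reported = ["https://phish-host.example/Xk29a", "https://phish-host.example/Xk29ab"]
    for host in consolidate_indicators(reported):
        print(host, "->", probe_host(host))
```

Responding at the host level also matters for detection engineering: a rule keyed on the full URL produces one alert per random path, while one keyed on the host plus the page fingerprint covers every variant the attackers generate.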