TodayZoo Phishing Kit Used to Swipe Microsoft Credentials
Attackers behind an extensive phishing campaign utilized a partially recycled phishing kit in order to target victims' Microsoft credentials. The campaign illustrates the diverse ways cybercriminals are leveraging phishing kits - from renting them to building their own customized versions, said researchers with Microsoft.

TodayZoo, named for its “curious” use of the words “Today” and “Zoo” in its credential harvesting component, was first observed in December 2020, and since then has been utilized in several phishing attacks that aim at stealing victims’ Microsoft 365 account credentials, according to the Microsoft 365 Defender Threat Intelligence Team on Thursday.

“Our prior research on phishing kits told us TodayZoo contained large pieces of code copied from widely circulated ones,” according to Microsoft researchers. “The copied code segments even have the comment markers, dead links, and other holdovers from the previous kits.”

Since December, researchers have observed TodayZoo being leveraged as the backbone for several widespread phishing campaigns. In March, for instance, Microsoft researchers observed the attackers behind TodayZoo abusing the AwsApps[.]com domain - an issue that Amazon has since remedied - in order to send victims emails that impersonated Microsoft. These emails used a variety of lures, including ones related to password resets or fax notifications. Targeted email recipients were prompted to click on a link, which led to initial and secondary redirect URLs before landing them on a page mimicking the Microsoft 365 sign-in page that asked for their credentials.

The phishing campaign used an old tactic called zero-point font obfuscation, where attackers hide words that could be flagged by natural language processing filters by inserting text styled with a font size of zero between the words: the filter sees the padded string, while the recipient sees only the lure. Researchers also noted that the landing page’s source code revealed where the stolen credentials would be exfiltrated (a compromised site ending in TodayZoo.php), an unusual move, as credential harvesting pages typically forward the stolen passwords to attacker-owned email accounts.
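The zero-point font trick described above is easy to spot once an HTML email body is parsed rather than scanned as flat text. The following is an added example, not code from the article or from Microsoft's research: a small detector built on Python's standard-library `html.parser` that separates text inside elements styled with `font-size: 0` (including text inherited from a zero-size ancestor) from text the reader actually sees. A mail filter can then run its keyword or NLP checks on the visible string and treat any hidden string as a signal. The sample message embedded at the bottom is constructed for the demo; the `font-size` pattern covers the inline-style forms a practitioner would expect (`0`, `0px`, `0pt`, `0em`, `0.0`), not CSS in external stylesheets.

```python
"""Detect zero-point font obfuscation in an HTML email body (added example)."""
import re
from html.parser import HTMLParser

# Matches an inline font-size of zero: "0", "0px", "0pt", "0em", "0.0", optionally
# followed by "!important" or a ";". "0.5em" and "01px" deliberately do not match.
ZERO_FONT_RE = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$|!important)",
    re.IGNORECASE,
)

# Elements that never carry an end tag; they must not push onto the nesting stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "col", "wbr"}


def _style_is_zero_font(style):
    """True if an inline style attribute sets the font size to zero."""
    return bool(ZERO_FONT_RE.search(style or ""))


class ZeroFontDetector(HTMLParser):
    """Splits text nodes into 'visible' and 'hidden' (zero-size) buckets."""

    def __init__(self):
        super().__init__()
        self._stack = []      # one bool per open element: is this subtree hidden?
        self.visible = []     # text the recipient sees
        self.hidden = []      # text only a machine reads

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style", "")
        parent_hidden = self._stack[-1] if self._stack else False
        # A zero-size ancestor hides every descendant, so inherit the flag.
        self._stack.append(parent_hidden or _style_is_zero_font(style))

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self._stack:
            self._stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        hidden = self._stack[-1] if self._stack else False
        (self.hidden if hidden else self.visible).append(text)


def analyze_email_html(html):
    """Return visible text, hidden text, and a suspicious flag for an HTML body."""
    parser = ZeroFontDetector()
    parser.feed(html)
    parser.close()
    return {
        "visible_text": " ".join(parser.visible),
        "hidden_text": " ".join(parser.hidden),
        "suspicious": bool(parser.hidden),
    }


# Constructed sample: a password-expiry lure padded with zero-size filler words.
SAMPLE_EMAIL = """<html><body>
<p>Your <span style="font-size:0px">lorem</span>password <span style="font-size: 0">ipsum</span>will expire today.</p>
<p style="font-size:0;">dolor sit amet</p>
<p>Click <a href="https://example.invalid/reset">here</a> to keep your password.</p>
</body></html>"""


if __name__ == "__main__":
    result = analyze_email_html(SAMPLE_EMAIL)
    print("suspicious:", result["suspicious"])
    print("visible   :", result["visible_text"])
    print("hidden    :", result["hidden_text"])
```

In a real pipeline the `visible_text` string is what the content filter should score, since that is what the recipient reads; a non-empty `hidden_text` on a message that otherwise looks like a routine notification is a strong indicator on its own.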

A Reconstructed Phishing Kit

The consistency of the campaign’s redirection URL patterns, domains and other TTPs led researchers to believe that the attackers were using an old phishing kit template, and had replaced the credential harvesting part with their own exfiltration logic.

One of the clues for TodayZoo’s origins was the source code on its landing page, which included static references to external source codes. These typically help a phishing kit mimic the branding of the spoofed login page. However, many of the site connections were “dead links,” identified by Microsoft as holdovers from other commoditized kits available for free or purchase.

Upon further inspection, researchers tied TodayZoo to a code block called DanceVida, which many other phishing kits have leveraged. TodayZoo’s implementations matched 30 to 35 percent of the larger superset of kits referencing DanceVida, such as a similar phishing kit called “Office-RD117” that shared several components.

While TodayZoo did rely on certain recycled parts, the kit contained its own customized code blocks for the credential harvesting components.

“While many phishing kits are attributed to a wide variety of email campaign patterns and, conversely, many email campaign patterns are associated with many phishing kits, TodayZoo-based pages exclusively utilized the same email campaign patterns, and any of those subsequent email campaigns only surfaced TodayZoo kits,” said researchers. “These lead us to believe that the actors behind this specific TodayZoo implementation are operating on their own.”

The Rich Phishing Kit Marketplace

TodayZoo demonstrates the diversity of phishing kits that cybercriminals are recycling, renting or reselling. With phishing behind 33 percent of cyberattacks, cybercriminals on underground marketplaces are getting savvier in how they market, sell and deploy these types of attacks.

Phishing kits - archive files comprising images, scripts and HTML pages that allow attackers to set up phishing landing pages - are frequently built using chunks of code from other kits. These can be purchased via publicly accessible scam sellers, or reused or repackaged by kit resellers.

The phishing kit economy overall has transformed to become service based, as seen with a recently uncovered phishing-as-a-service operation called BulletProofLink that sells kits, email templates, hosting and automated services “at a relatively low cost.” Typical pricing for phishing kits is around $100, researchers said, with the pricing model largely based on competition with similar commodity attack kits on forums and marketplaces.

Cybercriminals have the option to either rent resources from phishing-as-a-service providers who then handle the legwork, or to make a one-time purchase of a phishing kit. However, as seen with TodayZoo, other cybercriminals are choosing to build their kits from the ground up, picking and choosing existing features from other kits.

Philip Misner, principal security group manager with the Microsoft Security Response Center, said that attackers have historically used and re-used parts of kits for ease of use, as well as to try to evade detection. Researchers are increasingly observing the same trend with malware, he said, including with LemonDuck and other multi-part malware campaigns.

"Many kits that are sold for money become freely available either through VirusTotal, being left online after a campaign, or being spotted during harvesting and can have their components easily repurposed," he said. "This can allow attackers to combine effective parts of various kits or add their own without paying additional cost, or even to resell them."