Phishing continues to be a highly dangerous online threat, as threat actors are persistent in improving their methods. One of the latest successful phishing campaigns was recently detected by Akamai Security Research. The team “has observed a new and highly sophisticated phishing kit” that imitates a number of popular retail brands ahead of the holiday season.
The kit's high success rate comes from a mixture of evasion techniques and social engineering tricks. One of the notable aspects of the kit is a token-based system that ensures each victim is redirected to a unique phishing URL. In addition, the threat actor uses URL shorteners, fake user profiles and testimonials, and even a CDN to make the infrastructure more resilient.
Fake Customers and User Testimonials
The researchers performed a detailed analysis of the fake customer profiles. One particular fake user, Natalie Hamilton, was recycled with slight modifications across the various scam templates. The prize review comments were also customized and appear legitimate at first glance. What gave the scam away was the strong similarity of the comments across the different prize offerings, though this would still go unnoticed by an average online user.
URI Fragmentation
URI fragmentation is another interesting feature of the kit, and a novel evasion technique. What is it all about?
“The URL fragment identifier is a hash mark (#), also known as HTML anchor, in the URI link that points a browser to a specific spot in a page or website. This is a technique commonly used in tables of contents or other categorization lists for a better user experience. The values after the HTML anchor will not be considered as HTTP parameters and will not be sent to the server, yet this value will be accessible by JavaScript code running on the victim’s browser. In the context of a phishing scam, the value placed after the HTML anchor might be ignored or overlooked when scanned by security products that are verifying whether it is malicious or not. This value will also be missed if viewed by a traffic inspection tool,” the researchers explained.
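To make the fragment behaviour concrete, here is an added JavaScript example (not code from Akamai's research or from the phishing kit): it separates the part of a URL a server or request-level inspection tool actually receives from the part only client-side script can read, and applies a simple heuristic a URL scanner could use so that fragments are not silently ignored. The sample URLs, the example.test hosts and the token heuristic are constructed assumptions.

```javascript
// Added example, not code from the Akamai research or the phishing kit.
// Demonstrates the URL-fragment behaviour described above from a defender's
// view. Runs under Node.js; hosts, URLs and the token heuristic are constructed.

// The part of a URL that is actually transmitted to the server and therefore
// the only part visible in server logs or to a request-level inspection tool.
function serverVisiblePart(urlString) {
  const u = new URL(urlString);
  return u.origin + u.pathname + u.search; // the fragment is never sent
}

// The part only client-side script can read (in a browser: location.hash).
function fragmentValue(urlString) {
  return new URL(urlString).hash.replace(/^#/, "");
}

// Heuristic (an assumption, not from the research): an opaque, token-like
// fragment is at least 16 chars of base64url/hex-style characters mixing
// letters and digits, unlike a human-readable anchor such as "#installation".
function fragmentLooksLikeToken(fragment) {
  return (
    fragment.length >= 16 &&
    /^[A-Za-z0-9_=-]+$/.test(fragment) &&
    /[A-Za-z]/.test(fragment) &&
    /[0-9]/.test(fragment)
  );
}

// Scanner that inspects the full URL (including the fragment) rather than
// only the server-visible part, returning URLs worth a closer look.
function scanUrls(urls) {
  return urls.filter((url) => fragmentLooksLikeToken(fragmentValue(url)));
}

// Constructed sample inputs: a normal anchor, a token-like fragment, no fragment.
const SAMPLE_URLS = [
  "https://docs.example.test/guide.html#installation",
  "https://cdn.example.test/promo/index.html#dXNlcj00Mjt0b2tlbj1hYmMxMjM",
  "https://shop.example.test/win?ref=mail",
];

for (const url of SAMPLE_URLS) {
  console.log(serverVisiblePart(url), "| fragment:", fragmentValue(url) || "(none)");
}
console.log("flagged:", scanUrls(SAMPLE_URLS));
```

Only the second URL is flagged: its server-visible part looks like an ordinary CDN-hosted page, and the token lives entirely in the fragment.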
What’s the researchers’ conclusion? This phishing kit proves why phishing scams continue to be so successful. Threat actors are well acquainted with mitigation, social engineering, and various tactics that make detection almost impossible. “This blog post is not a dig at any security product or vendor’s efficacy — instead it showcases how even multiple layers of defense can be eroded to achieve a malicious purpose,” the team concluded.
Another example of a successful phishing-as-a-service kit was detected in September. Called EvilProxy, the platform is specialized in reverse proxy phishing campaigns aiming to circumvent MFA [multi-factor authentication] mechanisms.