CYBER NEWS

Phishing Attack Exploits Azure Blob Storage to Get Microsoft SSL Protection

Security researchers recently detected a curious case of a booby-trapped PDF file hosted on Azure Blob storage. More specifically, the case involves storing the attackers’ phishing form on Azure Blob Storage so that it is secured by a Microsoft SSL certificate.

The entrapped PDF is linked to an Office 365 phishing page hosted in Azure Blob storage, and because of that, it has a Microsoft-issued domain and SSL certificate, Netskope researchers discovered.

It should be noted that the combination of the Microsoft domain, certificate, and content makes this phishing scheme particularly convincing and difficult to recognize. During their analysis, the researchers identified similar phishing sites hosted in Azure blob storage.

The Azure Blob Phishing Attack Explained

As in any phishing scenario, the malicious PDF is delivered to victims as an email attachment. These documents are crafted in a smart way, containing legitimate content from legitimate sources.

“In this case, the document originally arrived in an email and was saved to Google Drive, where Netskope Advanced Threat Protection detected the file and prevented potential credential loss or fan-out”, the researchers noted.

Analysis of the PDF

The PDF distributed in this particular phishing campaign impersonates a law practice based out of Denver. It was named “Scanned Document… Please Review.pdf”. The PDF has a link that downloads the actual PDF:

Once the “Download PDF” hyperlink is clicked, the victim sees a message explaining that the document is trying to connect to the following Azure blob storage URL: https://onedriveunbound80343[.]blob.core.windows.net:

The phishing page is hosted in Azure blob storage, which guarantees a valid Microsoft-issued SSL certificate and hosting on a Microsoft-owned domain. These two factors make the phishing attempt quite sophisticated and difficult to recognize. As pointed out by the researchers, “seeing a Microsoft domain and a Microsoft-issued SSL certificate, on a site asking for Office 365 credentials is pretty strong evidence that the site is legitimate, and are likely enough to convince a user to enter their credentials”.

Related Story: How to Detect and Remove Phishing (Spoofing) Web Pages

Once the user clicks, their credentials are uploaded to this location: https://searchurl[.]bid/livelogins2017/finish40.php. Then, the user is redirected to another phishing page hosted in blob storage.

Later, the user goes through a series of redirects to several landing pages that pose as downloads of the secured document. Finally, the user is redirected to a Microsoft page, but no document is downloaded to the victim’s machine. Because the document is not downloaded, the victim might try again to re-validate the credentials or enter credentials belonging to another account.

To counter such phishing attacks, the researchers’ recommendation is to always check the domain of the link, and:

Know the domains typically used when you log in to sensitive services. In addition, be able to identify common object store domains, such as those used by Azure blob storage. This knowledge will help you differentiate between well-crafted phishing sites and official sites.
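The check above can be automated. The following Python script is an added example (not code from the Netskope researchers): it classifies a link as a known sign-in host, a generic object-store host such as Azure Blob Storage, or something else, and flags a credential form that is served from an object store or that posts to a different host. The sign-in host list is an assumption to be adjusted per tenant; the sample URLs are the defanged ones quoted in the article.

```python
# Added example: flag credential forms served from cloud object stores and
# forms that post credentials to a host other than the one serving the page.
from urllib.parse import urlsplit

# Hosts where an Office 365 sign-in is expected (assumption: extend for your tenant).
KNOWN_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Object-store suffixes: any customer can create a container under these, so a
# valid TLS certificate vouches for the platform, not for the page's author.
OBJECT_STORE_SUFFIXES = {
    "blob.core.windows.net": "Azure Blob Storage",
    "storage.googleapis.com": "Google Cloud Storage",
}

def refang(url: str) -> str:
    """Restore a defanged indicator such as example[.]com to a parseable URL."""
    return url.replace("[.]", ".")

def hostname_of(url: str) -> str:
    return (urlsplit(refang(url)).hostname or "").lower()

def classify_link(url: str):
    """Return (kind, host, store_name); kind is expected-login, object-store or other."""
    host = hostname_of(url)
    if host in KNOWN_LOGIN_HOSTS:
        return "expected-login", host, None
    for suffix, name in OBJECT_STORE_SUFFIXES.items():
        # Require a label boundary so evilblob.core.windows.net does not match.
        if host == suffix or host.endswith("." + suffix):
            return "object-store", host, name
    return "other", host, None

def audit_credential_form(page_url: str, action_url: str) -> list:
    """Findings for a page asking for credentials; an empty list means nothing looked wrong."""
    findings = []
    kind, page_host, store = classify_link(page_url)
    if kind == "object-store":
        findings.append(f"login form served from {store} ({page_host})")
    elif kind == "other":
        findings.append(f"login form served from unrecognised host {page_host}")
    action_host = hostname_of(action_url)
    if action_host and action_host != page_host:
        findings.append(f"credentials posted to a different host: {action_host}")
    return findings

# Sample values quoted in the article, kept defanged.
PHISH_PAGE = "https://onedriveunbound80343[.]blob.core.windows.net/"
PHISH_POST = "https://searchurl[.]bid/livelogins2017/finish40.php"

if __name__ == "__main__":
    for finding in audit_credential_form(PHISH_PAGE, PHISH_POST):
        print("FLAG:", finding)
```

Run against the article's two URLs, the audit returns two findings: the form is served from Azure Blob Storage and it posts credentials to searchurl[.]bid.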

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
