In recent months, several groups of attackers successfully compromised the corporate email accounts of at least 156 high-ranking officers at numerous companies based mainly in Germany, the UK, the Netherlands, Hong Kong, and Singapore. Dubbed ‘PerSwaysion,’ the newly observed campaign leveraged Microsoft file-sharing services, including Sway, SharePoint, and OneNote, to launch highly targeted phishing attacks.
According to a report published today by Group-IB’s Threat Intelligence team, PerSwaysion operations targeted executives of more than 150 companies around the world, primarily in the finance, law, and real estate sectors. “Among these high-ranking officer victims, more than 20 Office365 accounts of executives, presidents, and managing directors appeared.”
“By late September 2019, the PerSwaysion campaign had adopted much more mature technology stacks, using Google appspot for phishing web application servers and Cloudflare for data backend servers.”
Like most phishing attacks that aim to steal Microsoft Office 365 credentials, the fraudulent emails sent as part of the PerSwaysion operation lured victims with a non-malicious PDF attachment containing a ‘read now’ link to a file hosted on Microsoft Sway.
“The attackers pick legitimate cloud-based content sharing services, such as Microsoft Sway, Microsoft SharePoint, and OneNote to avoid traffic detection,” the researchers stated.
Next, the specially crafted presentation page on Microsoft Sway contains another ‘read now’ link that redirects users to the actual phishing site, which waits for victims to enter their email account credentials or other confidential information.
Once the credentials are stolen, the attackers immediately move to the next step: they download the victim’s email data from the server using IMAP, then impersonate the victim to target further individuals who have recently exchanged email with the victim and hold important roles in the same or other companies.
“Finally, they generate new phishing PDF files with the current victim’s full name, email address, legal company name. These PDF files are sent to a selection of new people who tend to be outside of the victim’s organization and hold significant positions. The PerSwaysion operators typically delete impersonating emails from the outbox to avoid suspicion.”
“Evidence indicates that scammers are likely to use LinkedIn profiles to assess potential victim positions. Such a tactic reduces the possibility of early warning from the current victim’s co-workers and increases the success rate of new phishing cycle.”
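The chain described above (IMAP retrieval of a freshly phished mailbox, impersonating mail sent to outside contacts, then deletion of the sent copies) leaves a recognisable pattern in mailbox audit logs. The following detection logic is an added example, not code from Group-IB or The Hacker News; the event tuples, the simplified audit schema, the account names, the IP addresses and the per-account IP baseline are all constructed for illustration and do not reflect any real product’s log format.

```python
from datetime import datetime, timedelta

# Constructed, simplified mailbox-audit events (illustrative schema, not a real product's log):
# (timestamp, account, operation, client, detail)
SAMPLE_EVENTS = [
    ("2019-09-20T08:02:00", "cfo@example.test", "Login", "IMAP4", "203.0.113.9"),
    ("2019-09-20T08:03:10", "cfo@example.test", "MailItemsAccessed", "IMAP4", "Inbox"),
    ("2019-09-20T08:41:00", "cfo@example.test", "Send", "Web", "partner@other.example"),
    ("2019-09-20T08:41:30", "cfo@example.test", "HardDelete", "Web", "SentItems"),
    ("2019-09-20T09:15:00", "cfo@example.test", "Login", "Outlook", "198.51.100.4"),
    ("2019-09-20T10:00:00", "hr@example.test", "Login", "IMAP4", "198.51.100.4"),
    ("2019-09-20T10:05:00", "hr@example.test", "Send", "Web", "colleague@example.test"),
]

# Constructed per-account baseline of IPs seen before; an IMAP login from elsewhere counts as unfamiliar.
KNOWN_IPS = {"cfo@example.test": {"198.51.100.4"}, "hr@example.test": {"198.51.100.4"}}

WINDOW = timedelta(hours=2)  # how long after the IMAP login we look for follow-on activity


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def find_perswaysion_like(events, known_ips, window=WINDOW):
    """Return (account, imap_ip, delete_timestamp) for every IMAP login from an
    unfamiliar IP that is followed, within `window`, by at least one Send and a
    hard delete from the SentItems folder of the same account."""
    by_account = {}
    for ev in sorted(events, key=lambda e: e[0]):
        by_account.setdefault(ev[1], []).append(ev)
    alerts = []
    for account, evs in by_account.items():
        for i, (ts, _, op, client, detail) in enumerate(evs):
            if op != "Login" or client != "IMAP4" or detail in known_ips.get(account, set()):
                continue  # only unfamiliar IMAP logins seed a candidate
            t0 = parse_ts(ts)
            later = [e for e in evs[i + 1:] if parse_ts(e[0]) - t0 <= window]
            sent = any(e[2] == "Send" for e in later)
            wiped = [e for e in later if e[2] == "HardDelete" and e[4] == "SentItems"]
            if sent and wiped:
                alerts.append((account, detail, wiped[0][0]))
    return alerts


if __name__ == "__main__":
    for account, ip, when in find_perswaysion_like(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"ALERT {account}: IMAP login from {ip}, sent mail then purged SentItems at {when}")
```

The second account in the sample data logs in over IMAP from a known IP and never purges its sent items, so it is not flagged; tuning the baseline and the window to your own tenant is the real work.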
Though there is no clear evidence of how the attackers are using the compromised corporate data, researchers believe it may be ‘offered in bulk to other financial scammers to conduct conventional financial scams.’
Group-IB has also set up a web page where anyone can check whether their email address was compromised as part of the PerSwaysion attacks. However, you should only enter your email address there if you have strong reason to expect that you were targeted.
Credits: The Hacker News