Microsoft has named the three most sophisticated types of phishing used by hackers during 2019. To obtain usernames and passwords, attackers began to use methods that are technically difficult to implement and that even involve Google.
A popular type of attack
Microsoft unveiled three of the most sophisticated phishing attacks identified in 2019. It released a report on current trends in cybercrime and malware in 2019, in which it noted that phishing was one of the few types of attack that kept rising throughout the year.
Microsoft estimates that the number of detected phishing emails increased from 0.2% in January 2018 to 0.6% of the total volume of inspected emails in October 2019. Data for November and the first half of December 2019 are not included in the report.
Microsoft stressed that the total number of ransomware and cryptominer attacks worldwide (cryptominers are software that uses the victim's PC resources to mine cryptocurrency) has decreased and continues to decline. Phishing as a way of making money dishonestly, on the contrary, is attracting more and more attention from cybercriminals.
Attack involving Google
One of the three types of attacks discussed by Microsoft in its publication was a multi-layered malware campaign in which hackers "poisoned" Google search results. The attackers redirected traffic hijacked from legitimate resources to sites under their control, which caused those domains to appear at the top of the search results for certain queries.
The hackers then sent emails to potential victims containing links to Google search results for those keywords; anyone who clicked the link was taken straight to the search results page. Having confirmed that they were really on Google and not on one of its clones, users clicked on the first links in the results without fear and landed on a phishing page that harvested personal data.
The Microsoft report says that the hackers avoided popular search queries and preferred meaningless strings of letters and symbols, for example "BpBbEgInBu". This helped them to remain unnoticed. In addition, although the geography of the attacks covered almost the entire world, the attacks themselves were tailored to particular regions.
Phishing attacks using fake 404 (site unavailable) pages were discovered by Microsoft experts in August 2019.
The attackers sent emails to potential victims with links that did not lead directly to phishing sites, but to fake 404 pages. To create the pages themselves, the hackers used various algorithms for generating subdomains, and constantly changed the domains themselves, which ultimately gave them the ability to create a virtually unlimited number of phishing URLs.
The fake 404 pages themselves almost completely copied the standard Microsoft account sign-in form and were created to collect username/password pairs specifically for Microsoft services. Microsoft's researchers noted how closely they resembled the real thing: the attackers had worked them out to the smallest detail, down to the position of each element. All that was missing on these sites was the "Sign-in options" link and the cookie notice at the top.
The third phishing campaign relied on so-called "MitM attacks", also known as "Man in the Middle" attacks. In effect, this is an evolution of the second type of attack from the Microsoft report.
Instead of manually creating phishing copies of the real site's pages, the hackers used a MitM component that itself collects the necessary components of the cloned web page. These include text, various logos, images, and even banner ads when available.
As a result, the hackers had an exact copy of the legitimate site in their hands, and all that was left was to send out emails to potential victims with a link to it. Following it, the user could easily be deceived into believing that they were on a legitimate page for entering the username and password for their account.
How not to fall for the trick
It is worth noting that users can avoid the leakage of their personal data even if they are targeted by all three types of attack at once and click on every link in every email from the hackers.
To verify the authenticity of a web page with fields for entering a username and password, it is enough to look at the address bar in the browser. Attackers have not yet learned how to replace the site address itself, so instead of, say, office.com, the user will see something like outlookoffice365user09ngxmd.web.app in that line (a real-world example).
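As an added illustration of the address-bar check (this is not code from the Microsoft report or from this article), the following Python script extracts the hostname the browser would display and accepts it only when it is an expected domain or a proper subdomain of one. The expected-domain list and all sample URLs except the web.app host quoted above are constructed for this example.

```python
"""Check whether a sign-in URL's host really belongs to a domain the user
expects, mirroring the "look at the address bar" advice.
Added example; EXPECTED_DOMAINS and most sample URLs are constructed."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist of domains a user would expect for this service
# (an assumption for the example, not a list published by Microsoft).
EXPECTED_DOMAINS = ("office.com", "microsoftonline.com", "live.com")


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of an http(s) URL, or None.
    urlsplit() discards userinfo, port, path and query, so text placed
    before an '@' or after the host cannot disguise the real hostname."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname
    return host.lower().rstrip(".") if host else None


def host_matches(host: str, domain: str) -> bool:
    """True only for the domain itself or a proper subdomain of it.
    A bare suffix check would wrongly accept 'notoffice.com', and a prefix
    check would accept lookalikes such as 'office.com.example.net'."""
    return host == domain or host.endswith("." + domain)


def is_expected_site(url: str, expected=EXPECTED_DOMAINS) -> bool:
    host = hostname_of(url)
    return host is not None and any(host_matches(host, d) for d in expected)


def classify(urls):
    """Map each URL to 'expected' or 'suspicious' for a quick review."""
    return {u: ("expected" if is_expected_site(u) else "suspicious") for u in urls}


if __name__ == "__main__":
    # The web.app host is the article's real-world example; the rest are
    # constructed to show the lookalike patterns the check must reject.
    samples = [
        "https://www.office.com/login",
        "https://login.microsoftonline.com/common/oauth2",
        "https://outlookoffice365user09ngxmd.web.app/",
        "https://office.com.example.net/signin",
        "https://notoffice.com/",
        "https://office.com@example.net/",
    ]
    for url, verdict in classify(samples).items():
        print(f"{verdict:10s} {url}")
```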