This phishing kit is punishing unaware shoppers this Black Friday

Cybersecurity researchers from Akamai have spotted a new phishing campaign that targets consumers in the United States with fake holiday offers. The goal of the campaign is to steal sensitive identity credentials like credit card information, and ultimately their money.

The threat actors are creating landing pages that impersonate some of the biggest brands in the US, including Dick’s, Tumi, Delta Airlines, Sam’s Club, Costco, and others.

The landing page, often hosted on reputable cloud services like Google, or Azure, directs users to complete a short survey, after which they’d be promised a prize. The survey would also be time-limited to five minutes, using urgency to draw people’s attention away from potential red flags. 

Unique phishing URLs

After completing the survey, the victims would be pronounced “winners”. The only thing they’d now need to do, in order to receive their prize, is to pay for the shipping. This is where they’d give away their sensitive payment information, to be later used by the attackers in different ways. 

However, what makes this campaign unique is its token-based system that allows it to fly under the radar and not get picked up by cybersecurity solutions. 

As the researchers explain, the system helps redirect each victim to a unique phishing page URL. The URLs differ based on the victim’s location, as crooks look to impersonate locally available brands. 

Explaining how the system works, the researchers said each phishing email contains a link to the landing page, that comes with an anchor (#). This is usually how visitors are navigated to specific parts of a landing page. In this scenario, the tag is a token, used by JavaSCript on the landing page, which reconstructs the URL. 

"The values being after the HTML anchor will not be considered as HTTP parameters and will not be sent to the server, yet this value will be accessible by JavaScript code running on the victim's browser," the researchers said. "In the context of a phishing scam, the value placed after the HTML anchor might be ignored or overlooked when scanned by security products that are verifying whether it is malicious or not."

"This value will also be missed if viewed by a traffic inspection tool."

Cybersecurity solutions overlook this token, helping threat actors keep a low profile. On the other hand, researchers, analysts, and other unwanted visitors, are kept away, as, without the proper token, the site won’t load. 

Via: BleepingComputer



Comments