Records associated with the domain itself had been updated on June 2, suggesting an ongoing campaign. Getting through the Cloudflare wall led to a fraudulent Microsoft authentication site generated by a phishing kit, which was being hosted on a domain with varying IP addresses over time, with the most recent dating to January 2023. Trying to view the document brought up a page showing that the contents were protected by Cloudflare, a tactic likely designed to prevent proactive analysis of the site showing where it would lead, the researchers said. In the campaign detailed on Thursday, targets were sent an email with a link to a “shared document,” leading to a file sharing website with a previously compromised legitimate company name in the URL. “While some of these attacks were focal and concentrated, some were widely spread and affected massive number of cross-sectors victims.”
“In the past few years, Sygnia’s IR teams have engaged in numerous incidents in which world-wide organizations were targeted by BEC attacks,” Sygnia’s researchers wrote in their report. The FBI reported that between December 2021 and December 2022 there was a 17% increase in identified actual and attempted losses worldwide, with a particular focus on the real estate sector. The report comes on the heels of a recent FBI public service announcement estimating that BEC compromises were linked to more than $50 billion in actual and attempted losses across more than 275,000 attacks between 20. Sygnia’s investigation revealed that the attack was part of a broad campaign that potentially impacted dozens of organizations - the company would not say exactly how many - around the world in a sprawling campaign of business email compromise, or BEC. “All analyzed emails contain the same structure, only differing in their title, senders’ account and company, and attached link.” “The phishing mails spread in a worm-like fashion from one targeted company to others and within each targeted company’s employees,” researchers with the Israeli cybersecurity firm said in a report published Tuesday. Then, they would use that account to to go after other targets.
The hackers would compromise an email account of an employee for a given company, bypass Microsoft Office 365 authentication, and gain persistent access to the account. When researchers at the cybersecurity firm Sygnia responded earlier this year to a compromised email account at an unnamed company, they stumbled upon a sprawling campaign of business email compromise involving dozens of organizations whose infrastructure the attackers utilized in going after additional victims.
0 kommentar(er)
