
New Phishing-as-a-Service Platform Enables Cybercriminals to Generate Convincing Fake Pages
Since at least mid-2022, fraudsters have been using a new phishing-as-a-service (PhaaS or PaaS) platform called Greatness to target business users of the Microsoft 365 cloud service, lowering the barrier to entry for phishing attacks.
Cisco Talos researcher Tiago Pereira said: "It contains features such as having the victim's email address pre-filled and displaying their appropriate company logo and background image, extracted from the target organization's real Microsoft 365 login page."
The majority of the companies targeted in Greatness campaigns are in the U.S., the U.K., Australia, South Africa, and Canada, with spikes in activity observed in December 2022 and March 2023.
Phishing kits like Greatness give threat actors, experienced or not, a convenient one-stop shop where they can create convincing login pages for a variety of online services and bypass two-factor authentication (2FA) protections.
Specifically, the counterfeit pages act as a reverse proxy, collecting the login credentials and time-based one-time passwords (TOTPs) that victims enter and relaying them to the real service.
Attack chains start with malicious emails carrying an HTML attachment. When opened, the attachment runs obfuscated JavaScript that redirects the user to a landing page with the recipient's email address already pre-filled, which then asks for their password and MFA code.
The captured credentials and tokens are then forwarded to the affiliate's Telegram channel, giving the affiliate what is needed to access the compromised accounts.
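The delivery stage described above (an HTML attachment whose obfuscated JavaScript redirects to a pre-filled credential page) is the point where mail-gateway or sandbox triage can catch the lure before anyone reaches the proxy. The following is an added example written for this page, not code from Talos or from the Greatness kit, of a small triage heuristic for HTML attachments: it unwraps base64 payloads handed to `atob()`, then flags client-side redirects, embedded recipient addresses and external URLs in the decoded content. The sample attachment and the `login.example.invalid` URL are constructed for the demonstration; the string patterns are assumptions about common droppers, not signatures of Greatness itself.

```python
"""Triage heuristic for HTML e-mail attachments that redirect the reader to a
credential-phishing page. Constructed example; not vendor or kit code."""
import base64
import re

# Base64 blob passed to atob(): the usual way an HTML dropper hides its real page.
B64_RE = re.compile(r'atob\(\s*["\']([A-Za-z0-9+/=\s]{40,})["\']\s*\)')
# Client-side navigation / DOM injection primitives used to land on the phishing page.
REDIRECT_RE = re.compile(
    r'(window\.location|location\.href|location\.replace|document\.write)', re.I)
URL_RE = re.compile(r'https?://[^\s"\'<>]+')
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+\.[\w.-]+')


def unwrap_layers(html: str, max_depth: int = 5) -> list:
    """Return the attachment plus every successively decoded atob() layer."""
    layers = [html]
    current = html
    for _ in range(max_depth):
        match = B64_RE.search(current)
        if not match:
            break
        try:
            current = base64.b64decode(re.sub(r'\s', '', match.group(1))).decode(
                'utf-8', 'replace')
        except ValueError:  # binascii.Error is a ValueError subclass
            break
        layers.append(current)
    return layers


def triage(html: str) -> dict:
    """Score an HTML attachment; 'suspicious' is True when three or more
    indicators coincide (encoded payload, redirect, pre-filled address, URL)."""
    layers = unwrap_layers(html)
    decoded = '\n'.join(layers)
    urls = sorted(set(URL_RE.findall(decoded)))
    emails = sorted(set(EMAIL_RE.findall(decoded)))
    indicators = []
    if len(layers) > 1:
        indicators.append('base64-encoded payload (%d layer(s))' % (len(layers) - 1))
    if REDIRECT_RE.search(decoded):
        indicators.append('client-side redirect or document.write')
    if emails:
        indicators.append('recipient address embedded (pre-fill)')
    if urls:
        indicators.append('external URL in decoded content')
    return {
        'layers': len(layers),
        'urls': urls,
        'emails': emails,
        'indicators': indicators,
        'suspicious': len(indicators) >= 3,
    }


# Constructed lure: an outer page that decodes and writes an inner redirect.
INNER_PAGE = ('<script>window.location.replace('
              '"https://login.example.invalid/?user=alice@example.com");</script>')
SAMPLE_ATTACHMENT = (
    '<html><body><p>Loading secure document...</p><script>'
    'var p = atob("' + base64.b64encode(INNER_PAGE.encode()).decode() + '");'
    'document.write(p);</script></body></html>')

# Constructed benign attachment for comparison.
BENIGN_ATTACHMENT = '<html><body><h1>Invoice 42</h1><p>Total: 10.00</p></body></html>'

if __name__ == '__main__':
    for name, doc in (('lure', SAMPLE_ATTACHMENT), ('benign', BENIGN_ATTACHMENT)):
        result = triage(doc)
        print(name, 'suspicious=%s' % result['suspicious'], result['indicators'])
```

The heuristic deliberately requires several indicators to coincide: a lone `document.write` or a single mailto address is common in legitimate HTML mail, whereas an encoded payload that decodes to a redirect carrying the recipient's own address is the combination this campaign relies on. The decoded layers and extracted URLs are returned so an analyst can detonate or block the landing page rather than just the attachment hash.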
The adversary-in-the-middle (AiTM) phishing kit also includes an administration dashboard, which the affiliate can use to set up the Telegram bot, review captured credentials, and even build booby-trapped attachments and links.
Furthermore, each affiliate must hold a valid API key in order for the phishing page to be served at all. The API, in turn, handles the behind-the-scenes interaction with the genuine Microsoft 365 login page on the victim's behalf, and also blocks unwanted IP addresses from reaching the phishing page. A practical consequence of that filtering is that automated URL scanners and analysts fetching the page from an unexpected address may never be shown the phishing content.
Pereira says: "Working together, the phishing kit and the API perform a 'man-in-the-middle' attack, requesting information from the victim that the API will then submit to the legitimate login page in real time. This allows the PaaS affiliate to steal usernames and passwords, along with the authenticated session cookies if the victim uses MFA."
The findings were published just as Microsoft began enforcing number matching in Microsoft Authenticator push notifications, as of May 8, 2023, to strengthen 2FA and blunt prompt-bombing (MFA fatigue) attacks. Number matching does not, however, stop a real-time relay of the kind Greatness performs: the victim is completing a login they believe they initiated, so the number shown on the relayed page is the correct one. Defeating AiTM proxies requires phishing-resistant, origin-bound authentication such as FIDO2/WebAuthn security keys or passkeys, along with conditional-access policies that reject sign-ins from unmanaged devices.