Phishing for Information: Целевой фишинг со ссылкой
Other sub-techniques of Phishing for Information (4)
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023) Adversaries may also embed “tracking pixels”, "web bugs", or "web beacons" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug) (Citation: Ryte Wiki) These mechanisms often appear as small images (typically one pixel in size) or otherwise obfuscated objects and are typically delivered as HTML code containing a link to a remote server. (Citation: Ryte Wiki)(Citation: IAPP) Adversaries may also be able to spoof a complete website using what is known as a "browser-in-the-browser" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022) Adversaries can use phishing kits such as `EvilProxy` and `Evilginx2` to perform adversary-in-the-middle phishing by proxying the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., Steal Web Session Cookie) in addition to their username and password. This may enable the adversary to then bypass MFA via Web Session Cookie.(Citation: Proofpoint Human Factor) Adversaries may also send a malicious link in the form of Quick Response (QR) Codes (also known as “quishing”). These links may direct a victim to a credential phishing page.(Citation: QR-campaign-energy-firm) By using a QR code, the URL may not be exposed in the email and may thus go undetected by most automated email security scans.(Citation: qr-phish-agriculture) These QR codes may be scanned by or delivered directly to a user’s mobile device (i.e., Phishing), which may be less secure in several relevant ways.(Citation: qr-phish-agriculture) For example, mobile users may not be able to notice minor differences between genuine and credential harvesting websites due to mobile’s smaller form factor. From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: Search Open Websites/Domains or Search Victim-Owned Websites) to craft persuasive and believable lures.
Примеры процедур |
|
Название | Описание |
---|---|
Sidewinder |
Sidewinder has sent e-mails with malicious links to credential harvesting websites.(Citation: ATT Sidewinder January 2021) |
Mustang Panda |
Mustang Panda has delivered web bugs to profile their intended targets.(Citation: Proofpoint TA416 Europe March 2022) |
Sandworm Team |
Sandworm Team has crafted spearphishing emails with hyperlinks designed to trick unwitting recipients into revealing their account credentials.(Citation: US District Court Indictment GRU Unit 74455 October 2020) |
Silent Librarian |
Silent Librarian has used links in e-mails to direct victims to credential harvesting websites designed to appear like the targeted organization's login page.(Citation: DOJ Iran Indictments March 2018)(Citation: Phish Labs Silent Librarian)(Citation: Secureworks COBALT DICKENS August 2018)(Citation: Proofpoint TA407 September 2019)(Citation: Secureworks COBALT DICKENS September 2019)(Citation: Malwarebytes Silent Librarian October 2020) |
AADInternals |
AADInternals can send phishing emails containing malicious links designed to collect users’ credentials.(Citation: AADInternals Documentation) |
ZIRCONIUM |
ZIRCONIUM has used web beacons in e-mails to track hits to attacker-controlled URL's.(Citation: Microsoft Targeting Elections September 2020) |
APT32 |
APT32 has used malicious links to direct users to web pages designed to harvest credentials.(Citation: Volexity Ocean Lotus November 2020) |
Kimsuky |
Kimsuky has used links in e-mail to steal account information including web beacons for target profiling.(Citation: VirusBulletin Kimsuky October 2019)(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)(Citation: Proofpoint TA427 April 2024) |
Magic Hound |
Magic Hound has used SMS and email messages with links designed to steal credentials or track victims.(Citation: Certfa Charming Kitten January 2021)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Proofpoint TA453 March 2021)(Citation: Proofpoint TA453 July2021)(Citation: Google Iran Threats October 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
SMOKEDHAM |
SMOKEDHAM has been delivered via malicious links in phishing emails.(Citation: FireEye Shining A Light on DARKSIDE May 2021) |
APT28 |
APT28 has conducted credential phishing campaigns with links that redirect to credential harvesting sites.(Citation: Google TAG Ukraine Threat Landscape March 2022)(Citation: DOJ GRU Indictment Jul 2018)(Citation: ESET Zebrocy May 2019)(Citation: US District Court Indictment GRU Oct 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017) |
Star Blizzard |
Star Blizzard has sent emails to establish rapport with targets eventually sending messages with links to credential-stealing sites.(Citation: Microsoft Star Blizzard August 2022)(Citation: CISA Star Blizzard Advisory December 2023)(Citation: StarBlizzard)(Citation: Google TAG COLDRIVER January 2024) |
Moonstone Sleet |
Moonstone Sleet used spearphishing messages containing items such as tracking pixels to determine if users interacted with malicious messages.(Citation: Microsoft Moonstone Sleet 2024) |
CURIUM |
CURIUM used malicious links to adversary-controlled resources for credential harvesting.(Citation: PWC Yellow Liderc 2023) |
Dragonfly |
Dragonfly has used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites.(Citation: US-CERT TA18-074A) |
Patchwork |
Patchwork has used embedded image tags (known as web bugs) with unique, per-recipient tracking links in their emails for the purpose of identifying which recipients opened messages.(Citation: Volexity Patchwork June 2018) |
Контрмеры |
|
Контрмера | Описание |
---|---|
User Training |
User Training involves educating employees and contractors on recognizing, reporting, and preventing cyber threats that rely on human interaction, such as phishing, social engineering, and other manipulative techniques. Comprehensive training programs create a human firewall by empowering users to be an active component of the organization's cybersecurity defenses. This mitigation can be implemented through the following measures: Create Comprehensive Training Programs: - Design training modules tailored to the organization's risk profile, covering topics such as phishing, password management, and incident reporting. - Provide role-specific training for high-risk employees, such as helpdesk staff or executives. Use Simulated Exercises: - Conduct phishing simulations to measure user susceptibility and provide targeted follow-up training. - Run social engineering drills to evaluate employee responses and reinforce protocols. Leverage Gamification and Engagement: - Introduce interactive learning methods such as quizzes, gamified challenges, and rewards for successful detection and reporting of threats. Incorporate Security Policies into Onboarding: - Include cybersecurity training as part of the onboarding process for new employees. - Provide easy-to-understand materials outlining acceptable use policies and reporting procedures. Regular Refresher Courses: - Update training materials to include emerging threats and techniques used by adversaries. - Ensure all employees complete periodic refresher courses to stay informed. Emphasize Real-World Scenarios: - Use case studies of recent attacks to demonstrate the consequences of successful phishing or social engineering. - Discuss how specific employee actions can prevent or mitigate such attacks. |
Software Configuration |
Software configuration refers to making security-focused adjustments to the settings of applications, middleware, databases, or other software to mitigate potential threats. These changes help reduce the attack surface, enforce best practices, and protect sensitive data. This mitigation can be implemented through the following measures: Conduct a Security Review of Application Settings: - Review the software documentation to identify recommended security configurations. - Compare default settings against organizational policies and compliance requirements. Implement Access Controls and Permissions: - Restrict access to sensitive features or data within the software. - Enforce least privilege principles for all roles and accounts interacting with the software. Enable Logging and Monitoring: - Configure detailed logging for key application events such as authentication failures, configuration changes, or unusual activity. - Integrate logs with a centralized monitoring solution, such as a SIEM. Update and Patch Software Regularly: - Ensure the software is kept up-to-date with the latest security patches to address known vulnerabilities. - Use automated patch management tools to streamline the update process. Disable Unnecessary Features or Services: - Turn off unused functionality or components that could introduce vulnerabilities, such as debugging interfaces or deprecated APIs. Test Configuration Changes: - Perform configuration changes in a staging environment before applying them in production. - Conduct regular audits to ensure that settings remain aligned with security policies. *Tools for Implementation* Configuration Management Tools: - Ansible: Automates configuration changes across multiple applications and environments. - Chef: Ensures consistent application settings through code-based configuration management. - Puppet: Automates software configurations and audits changes for compliance. Security Benchmarking Tools: - CIS-CAT: Provides benchmarks and audits for secure software configurations. - Aqua Security Trivy: Scans containerized applications for configuration issues. Vulnerability Management Solutions: - Nessus: Identifies misconfigurations and suggests corrective actions. Logging and Monitoring Tools: - Splunk: Aggregates and analyzes application logs to detect suspicious activity. |
Обнаружение
Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) Monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.
Ссылки
- ZScaler. (2020, February 11). Fake Sites Stealing Steam Credentials. Retrieved March 8, 2023.
- Tim Bedard and Tyler Johnson. (2023, October 4). QR Code Scams & Phishing. Retrieved November 27, 2023.
- Ryte Wiki. (n.d.). Retrieved November 17, 2024.
- Proofpoint. (n.d.). The Human Factor 2023: Analyzing the cyber attack chain. Retrieved July 20, 2023.
- NIST Information Technology Laboratory. (n.d.). web bug. Retrieved March 22, 2023.
- Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.
- mr.d0x. (2022, March 15). Browser In The Browser (BITB) Attack. Retrieved March 8, 2023.
- Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
- Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020.
- Jonathan Greig. (2023, August 16). Phishing campaign used QR codes to target large energy company. Retrieved November 27, 2023.
- IAPP. (n.d.). Retrieved March 5, 2024.
- Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved October 20, 2020.
- Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.
- Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
- Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
- Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
- Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. Retrieved February 3, 2021.
- Counter Threat Unit Research Team. (2019, September 11). COBALT DICKENS Goes Back to School…Again. Retrieved February 3, 2021.
- Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021.
- Counter Threat Unit Research Team. (2018, August 24). Back to School: COBALT DICKENS Targets Universities. Retrieved February 3, 2021.
- Hassold, Crane. (2018, March 26). Silent Librarian: More to the Story of the Iranian Mabna Institute Indictment. Retrieved February 3, 2021.
- DOJ. (2018, March 23). U.S. v. Rafatnejad et al . Retrieved February 3, 2021.
- Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.
- Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021.
- Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.
- Lesnewich, G. et al. (2024, April 16). From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering. Retrieved May 3, 2024.
- KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
- Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.
- Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
- MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
- Miller, J. et al. (2021, March 30). BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns. Retrieved May 4, 2021.
- Miller, J. et al. (2021, July 13). Operation SpoofedScholars: A Conversation with TA453. Retrieved August 18, 2021.
- ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021.
- Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021.
- Bash, A. (2021, October 14). Countering threats from Iran. Retrieved January 4, 2023.
- FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021.
- Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.
- Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.
- Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022.
- ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
- Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.
- Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.
- Microsoft Threat Intelligence. (2023, December 7). Star Blizzard increases sophistication and evasion in ongoing attacks. Retrieved February 13, 2024.
- Microsoft Threat Intelligence. (2022, August 15). Disrupting SEABORGIUM’s ongoing phishing operations. Retrieved June 13, 2024.
- CISA, et al. (2023, December 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved June 13, 2024.
- Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024.
- PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
Связанные риски
Риск | Связи | |
---|---|---|
Боковое перемещение злоумышленника по локальной сети
из-за
реагирования на мошеннические, фишинговые письма и сообщения
у работника
Конфиденциальность
Целостность
|
|
|
Заражение вредоносным программным обеспечением
из-за
реагирования на мошеннические, фишинговые письма и сообщения
у работника
Доступность
Конфиденциальность
Отказ в обслуживании
Повышение привилегий
Раскрытие информации
Целостность
Искажение
|
2
|
|
Раскрытие информации об ИТ инфраструктуре
из-за
реагирования на мошеннические, фишинговые письма и сообщения
у работника
Конфиденциальность
Раскрытие информации
|
|
|
Раскрытие ключей (паролей) доступа
из-за
реагирования на мошеннические, фишинговые письма и сообщения
у работника
Конфиденциальность
Повышение привилегий
Раскрытие информации
Подмена пользователя
|
1
|
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.