A cyberespionage group has been using advanced spear-phishing techniques to steal email log-in credentials from the employees of military agencies, embassies, defense contractors and international media outlets that use Office 365's Outlook Web App.
The group behind the attack campaign has been operating since at least 2007, according to researchers from Trend Micro, who published a research paper on Wednesday about the attacks they dubbed Operation Pawn Storm.
The Pawn Storm attackers have used a variety of techniques over the years to compromise their targets, including spear-phishing emails with malicious Microsoft Office attachments that installed a backdoor-type malware program called SEDNIT or Sofacy, or selective exploits injected into compromised legitimate websites.
The group used one particularly interesting technique in email phishing attacks against organizations that use the Outlook Web App (OWA), which is part of Microsoft's Office 365 service.
For each phishing attack, the group created two fake domains: one very similar to that of a third-party website known to the victims -- like that of an upcoming industry conference, for example -- and one similar to the domain used by the targeted organization's Outlook Web App deployment.
The attackers then crafted phishing emails with a link to the fake third-party site, where they hosted non-malicious JavaScript code whose purpose was twofold: to open the actual legitimate site in a new tab and to redirect the already opened Outlook Web App browser tab to a phishing page.
"The JavaScript made it appear that the victims' OWA sessions ended while at the same time, tricked them into reentering their credentials," the Trend Micro researchers wrote in their paper. "To do this, the attackers redirected victims to fake OWA log-in pages by setting their browsers' open windows property."
This technique does not exploit any vulnerabilities and works in any popular browser, including Internet Explorer, Mozilla Firefox, Google Chrome and Apple's Safari, the researchers said. However, two conditions need to be met: the victims need to use OWA, and they need to click on the embedded links from OWA's preview pane, they said.
This can be a powerful attack, because the victims know they had a legitimate OWA session open in that browser tab and might not check whether the URL has changed before re-entering their credentials.
In addition to using domain names that were very similar to those used by the targeted organizations for their real OWA log-in pages, in some cases the attackers even purchased legitimate SSL certificates so that the victims' browsers would display the HTTPS secure-connection indicators for the phishing sites, the Trend Micro researchers said.
Among those targeted with this technique were employees of the U.S. private military company ACADEMI, formerly known as Blackwater; the Organization for Security and Co-operation in Europe (OSCE); the U.S. Department of State; U.S. government contractor SAIC; a multinational company based in Germany; the Vatican Embassy in Iraq; broadcasting companies in several countries; the defense ministries of France and Hungary; Pakistani military officials; Polish government employees; and military attachés from various countries.
The phishing baits used by the attackers included well-known events and conferences that their victims were interested in.
"Apart from effective phishing tactics, the threat actors used a combination of proven targeted attack staples to compromise systems and get in to target networks -- exploits and data-stealing malware," the Trend Micro researchers said. "SEDNIT variants particularly proved useful, as these allowed the threat actors to steal all manners of sensitive information from the victims' computers while effectively evading detection."
Source: http://www.infoworld.com