‘Heatstroke’ Phishing Campaign Takes Multi-Stage Approach

A recently observed phishing campaign targeting victims’ private email addresses has adopted a multi-stage approach in an attempt to avoid raising suspicion, Trend Micro reveals.
The operators behind this campaign, which Trend Micro’s security researchers refer to as Heatstroke, do not employ a single landing page, and instead attempt to mimic legitimate websites to trick victims into thinking nothing is amiss.

Furthermore, while the phishing kit’s content is actually served from another location, obfuscation makes it appear to be hosted on the landing page itself. The page also changes constantly, which lets it slip past content filtering.

The researchers also discovered that the phishing kit can block certain IP ranges, crawling services, and even security tools. If a connection is attempted from a blacklisted IP address, service, or location, the kit serves an HTTP 404 error instead, or forwards content from somewhere else.

In an attempt to bypass firewalls, the first page of the phishing kit is generated by a PHP script encoded in Base64, Trend Micro also notes.

The security researchers also observed another group using the kit for their own phishing attacks, and the kit’s developers have assigned this group its own API key, suggesting that the cybercriminals employ a phishing-as-a-service business model.

The phishing page’s content, Trend Micro discovered, is generated dynamically, based on user/visitor properties.

The campaign attempts to appear legitimate by leveraging domains based on the victim’s country of origin. In some cases, this domain used to belong to a legitimate business and was later put up for sale.

Credentials stolen in these attacks are sent to an email address, with steganography (hiding or embedding data inside an image) used to conceal the exfiltrated data. Trend Micro says it has captured two similar phishing kits, targeting Amazon and PayPal users.

In both cases, the tactics and techniques were similar, including the website hosting the phishing kit, the type of stolen information, and the employed masking techniques.

“Both kits also seemingly end in the same user verification phase. These similarities could mean that they have the same origin. The similarity could also be buoyed by the timing and scope of the attacks that used these kits, as they were delivered to the same victim,” Trend Micro notes.

The attack starts with a fake account verification email that is sent from a legitimate domain to avoid being blocked by spam filters. Currently, PayPal and Amazon users are targeted, but code in the phishing kit’s .htaccess file reveals that customers of eBay, Google, Apple, Internet.bs, and other services are future targets.

The first-stage website is designed to redirect the victim to the phishing kit’s site, which performs user validation, checking whether the visitor is a bot, web crawler, or security tool such as Nessus. It also checks visitors’ IP addresses using an online anti-fraud service.

Next, the user is diverted to a third-stage website, which performs the actual phishing. The user is asked to fill in fields for email credentials, credit card details, and other personally identifiable information (PII).

“Once the user fills all the information fields and clicks the last button, nothing will happen. If the user tries to visit the website with the phishing kit with the same IP and settings, the website will not load the phishing kit,” Trend Micro explains.
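The user-validation stage described above (a 404 or different content for crawlers and security tools, the real page for a browser) leaves a fingerprint an analyst can test for: fetch the same URL under several client profiles and compare what comes back. The following is an added example, not Trend Micro's code or the kit's; the profile header values, the `fake_fetch` stand-in and the sample URL are constructed assumptions.

```python
"""Cloaking check: compare responses to one URL across client profiles."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

Response = Tuple[int, bytes]                       # (HTTP status, body)
Fetcher = Callable[[str, Dict[str, str]], Response]

# Client profiles to compare. The header values are constructed samples, not
# the exact strings any product or crawler sends.
PROFILES = {
    "browser": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/68.0",
                "Accept-Language": "en-US,en;q=0.5"},
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; SampleCrawler/1.0)"},
    "scanner": {"User-Agent": "SampleVulnScanner/1.0"},
}

@dataclass
class Observation:
    status: int
    body_hash: str   # short SHA-256 digest of the body, enough to detect divergence

def observe(url: str, fetch: Fetcher) -> Dict[str, Observation]:
    """Fetch `url` once per profile and record status plus a body digest."""
    out = {}
    for name, headers in PROFILES.items():
        status, body = fetch(url, headers)
        out[name] = Observation(status, hashlib.sha256(body).hexdigest()[:16])
    return out

def cloaking_verdict(obs: Dict[str, Observation]) -> Dict[str, str]:
    """Flag every non-browser profile whose response diverges from the browser
    baseline: a different status (the 404 the article describes) or a different
    body (content forwarded from elsewhere) is the sign of visitor validation."""
    base = obs["browser"]
    verdict = {}
    for name, o in obs.items():
        if name == "browser":
            continue
        if o.status != base.status:
            verdict[name] = f"status differs ({o.status} vs {base.status}): likely cloaking"
        elif o.body_hash != base.body_hash:
            verdict[name] = "same status, different body: possible cloaking"
        else:
            verdict[name] = "consistent"
    return verdict

def fake_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Constructed offline stand-in for an HTTP client (replace with a real one)
    that behaves like the kit: real page for browsers, 404 for crawlers/scanners."""
    ua = headers.get("User-Agent", "")
    if "Crawler" in ua or "Scanner" in ua:
        return 404, b"<h1>Not Found</h1>"
    return 200, b"<form>Verify your account</form>"

if __name__ == "__main__":
    print(cloaking_verdict(observe("https://example.invalid/verify", fake_fetch)))
```

Run it against a live URL by swapping `fake_fetch` for a function that issues the request with the given headers from several source addresses, since the kit also filters on IP range.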
Written By

Ionut Arghire is an international correspondent for SecurityWeek.