‘Heatstroke’ Phishing Campaign Takes Multi-Stage Approach

A recently observed phishing campaign targeting victims’ private email addresses has adopted a multi-stage approach in an attempt to avoid raising suspicion, Trend Micro reveals.

The operators behind this campaign, which Trend Micro’s security researchers refer to as Heatstroke, do not employ a single landing page, and instead attempt to mimic legitimate websites to trick victims into thinking nothing is amiss.

Furthermore, while the phishing kit’s content is actually forwarded from another location, obfuscation is used to make it appear as if it were hosted on the landing page itself. On top of that, the page is constantly changing, which allows it to bypass content filtering.

The researchers also discovered that the phishing kit can block certain IP ranges, crawling services, and even security tools. Thus, if a connection is attempted from a blacklisted IP, service, or location, an HTTP 404 error will be served instead, or content is forwarded from somewhere else.

In an attempt to bypass firewalls, the first page of the phishing kit is generated by a PHP script encoded in Base64, Trend Micro also notes.

The security researchers also observed another group using the kit for their own phishing attacks, and the kit’s developers have assigned this group its own API key, suggesting that the cybercriminals employ a phishing-as-a-service business model.

The phishing page’s content, Trend Micro discovered, is generated dynamically, based on user/visitor properties.

The campaign attempts to appear legitimate by leveraging domains based on the victim’s country of origin. In some cases, this domain used to belong to a legitimate business and was later put up for sale.

Credentials stolen in these attacks are sent to an email address, with steganography (hiding or embedding data in an image) used to conceal them. Trend Micro says it has captured two similar phishing kits, targeting Amazon and PayPal users.

In both cases, the tactics and techniques were similar, including the website hosting the phishing kit, the type of stolen information, and the employed masking techniques.

“Both kits also seemingly end in the same user verification phase. These similarities could mean that they have the same origin. The similarity could also be buoyed by the timing and scope of the attacks that used these kits, as they were delivered to the same victim,” Trend Micro notes.

The attack starts with a fake account verification email that is sent from a legitimate domain to avoid being blocked by spam filters. Currently, PayPal and Amazon users are targeted, but code in the phishing kit’s .htaccess file reveals that customers of eBay, Google, Apple, and other services are future targets.

The first-stage website is designed to redirect the victim to the phishing kit’s site, which performs user validation, checking whether the visitor is a bot, web crawler, or security tool like Nessus. It also checks visitors’ IP addresses using an online anti-fraud service.

Next, the user is diverted to a third-stage website, which performs the actual phishing. The user is asked to fill in information fields for email credentials, credit card details and other personally identifiable information (PII).

“Once the user fills all the information fields and clicks the last button, nothing will happen. If the user tries to visit the website with the phishing kit with the same IP and settings, the website will not load the phishing kit,” Trend Micro explains.
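The visitor-gating described above (a 404 or different content for scanners, crawlers and blacklisted sources, and a page that changes per visitor) leaves a signature a defender can test for: the same URL answering differently to different visitor profiles. The following added example, which is not Trend Micro’s or SecurityWeek’s code, probes one URL under several header profiles and flags divergence; the `fetch` callable, profile names and the two constructed responders are assumptions so that it runs offline.

```python
"""Flag visitor-dependent cloaking on a suspected phishing landing page.

Added example, not from the original article. `fetch` is injected so the
logic runs offline; in practice pass a wrapper around requests/urllib that
returns (status_code, body_bytes).
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Probe profiles a defender can legitimately send. Names are assumptions.
PROFILES: Dict[str, Dict[str, str]] = {
    "browser": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"},
    "crawler": {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"},
    "scanner": {"User-Agent": "Mozilla/5.0 (compatible; Nessus)"},
}

Fetch = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


@dataclass
class Verdict:
    cloaked: bool                 # True when responses diverge across profiles
    statuses: Dict[str, int]      # HTTP status seen per profile
    body_hashes: Dict[str, str]   # truncated SHA-256 of each body


def probe(url: str, fetch: Fetch, profiles: Dict[str, Dict[str, str]] = PROFILES) -> Verdict:
    """Request `url` once per profile and compare status codes and body hashes."""
    statuses: Dict[str, int] = {}
    hashes: Dict[str, str] = {}
    for name, headers in profiles.items():
        status, body = fetch(url, headers)
        statuses[name] = status
        hashes[name] = hashlib.sha256(body).hexdigest()[:16]
    # Any disagreement in status or content is the cloaking signal the kit exhibits.
    cloaked = len(set(statuses.values())) > 1 or len(set(hashes.values())) > 1
    return Verdict(cloaked, statuses, hashes)


def constructed_gated_site(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Constructed stand-in (demo only): serves 404 to crawler/scanner agents."""
    ua = headers.get("User-Agent", "")
    if "Nessus" in ua or "bot" in ua.lower():
        return 404, b"Not Found"
    return 200, b"<html>Verify your account</html>"


def constructed_honest_site(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Constructed stand-in (demo only): same page for every visitor."""
    return 200, b"<html>Welcome</html>"
```

Run `probe(url, constructed_gated_site)` to see the divergent statuses; a real run would use a wrapper that also varies source IP where policy allows, since the kit gates on IP as well as user agent.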


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
