A sophisticated phishing kit has been used by multiple cybercrime groups to target high-ranking employees in North America and other parts of the world, and researchers believe there are at least 150 victims.
The campaign has been analyzed by cybersecurity company Group-IB, which tracks the operation as PerSwaysion due to its abuse of the Microsoft Sway presentation application. Some of the PerSwaysion attacks were previously detailed by Avanan, a company that provides security solutions for email and collaboration tools.
According to Group-IB, the PerSwaysion campaign has been active since at least mid-2019, and the first peak was observed in September. Attacks ramped up again in late December 2019.
Data collected by Group-IB shows that the attackers compromised the accounts of at least 156 executives and other high-ranking employees, mainly in the United States, where 81 victims have been identified. Victims have also been found in other countries around the world, including the UK, Canada and the Netherlands.
The most targeted sector was financial services, with over half of the victims working in this industry. The cybercriminals also targeted individuals in the real estate, legal, consulting, manufacturing, energy, retail, IT and other sectors.
Attacks start with a phishing email being sent to the targeted user. The email contains a harmless PDF document informing victims that a file has been shared with them on a Microsoft Office 365 service such as Sway, SharePoint or OneNote. When users click on the “Read Now” link in the PDF document, they are taken to a page hosted on Sway, SharePoint or OneNote, where they are once again shown a “Read Now” link. This link points to a phishing website designed to harvest the victim’s Office 365 credentials.
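The lure chain above gives a defender a concrete signal to look for: a PDF attachment from an outside sender whose only link is a "Read Now" style pointer to a Microsoft sharing service. The following triage helper, added here as an illustration and not code from Group-IB or the article, extracts the /URI link actions from an uncompressed PDF and flags those pointing at Sway, SharePoint or OneNote when the sender domain is external to the organization; the sample PDF bytes, the sender and organization domains, and the share ID are all constructed placeholders.

```python
import re
from typing import List
from urllib.parse import urlparse

# Microsoft-hosted sharing services that the lure PDFs point to.
SHARING_HOSTS = ("sway.office.com", "sharepoint.com", "onenote.com")

# Constructed minimal PDF fragment (not a real campaign sample): one link
# annotation whose /URI action points at a Sway page, as the lure does.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 72 200 96]\n"
    b"/A << /S /URI /URI (https://sway.office.com/s/ShareIdPlaceholder) >> >>\n"
    b"endobj\n"
    b"%%EOF\n"
)

# Matches uncompressed /URI actions with a literal-string target. Link
# annotations stored inside compressed object streams are invisible to
# this regex; decompress with a PDF library first to cover those.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\((.*?)(?<!\\)\)", re.S)


def extract_link_targets(pdf_bytes: bytes) -> List[str]:
    """Return every URL found in an uncompressed /URI link action."""
    return [m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf_bytes)]


def is_sharing_host(url: str) -> bool:
    """True if the URL's host is one of the Microsoft sharing services (or a subdomain)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in SHARING_HOSTS)


def triage_attachment(pdf_bytes: bytes, sender_domain: str, org_domain: str) -> List[str]:
    """Flag links to Sway/SharePoint/OneNote inside a PDF sent by an external party.

    The lure relies on a PDF from outside the organization that does nothing but
    relay a link to a Microsoft sharing page; links of that kind from internal
    senders are left alone to keep false positives down.
    """
    external = sender_domain.lower() != org_domain.lower()
    return [url for url in extract_link_targets(pdf_bytes) if external and is_sharing_host(url)]
```

Run the flagged URLs through a second stage (fetch the Sway/SharePoint page in a sandbox and inspect where its own "Read Now" link leads) before alerting, since the sharing page itself is on legitimate Microsoft infrastructure.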
The emails and PDF documents used in the PerSwaysion campaign have been created with a phishing kit and an associated PDF generator that Group-IB believes was developed by someone in Vietnam. The phishing kit is offered on a malware-as-a-service model, and its creators do not appear to be using it themselves. Instead, they have sold it to other cybercriminals, who have been using it to obtain credentials that they can sell to others or use themselves to steal valuable information from the targeted organizations.
“At the current stage, PerSwaysion scammers do not have clear preferences of financial profit generating models,” Group-IB said in a blog post. “The scammers hold covert access to many corporate email accounts and large piles of sensitive business email data. The situation opens up a wide range of possibilities. The account access could be sold in bulk to other financial scammers to conduct traditional monetary scams. Sensitive business data extracted from emails, such as non-public financial records, secret trading strategies, and client lists, could be sold to the highest bidder in the underground markets.”
The phishing kit includes a feature that sends an email to the cybercriminals as soon as someone enters their credentials on a phishing site. This allows the hackers to quickly access compromised accounts and send out phishing emails to the victim’s contacts, mainly high-ranking people at other organizations. These activities are typically conducted within 24 hours.
One of the groups using the phishing kit has members in Nigeria and South Africa. This gang has been conducting phishing attacks since at least 2017.
Group-IB has set up a page where users can check if their email address is among the ones targeted in the PerSwaysion campaign.