Beware of phishermen with spears! ‘PerSwaysion’ spear-phishing dupes users to get 365 log-in credentials

Microsoft Sway is being used to deceive victims into giving up their private 365 log-in credentials in a newly observed spear-phishing campaign.

Cyber-criminals now appear to be using ‘Microsoft Sway’ to dupe users into revealing Office 365 login credentials, says the latest research.

3-stage process

A blog post by Feixiang He, Senior Threat Intelligence Analyst at Group-IB, explains that the phishing attack, which has been named PerSwaysion, is a 3-stage process which takes a target from an email with a PDF attachment, through Microsoft file sharing services, & then to the final phishing site.

The post warns that the cyber-criminals have shown an ‘adequate level of phishing capabilities’ since Aug. 2019, the earliest moment the campaign left evidence of its activities on the internet. PerSwaysion seems to employ many layers of traffic ‘whitewashing’ to get around as many corporate network defences as possible.

“In the current wave of attacks, scammers primarily abuse Microsoft Sway file sharing service as the jumping board to redirect victims to actual phishing sites,” Feixiang He cautioned.

Variations

Group-IB also noticed there were other variations using Microsoft SharePoint & OneNote.

“The scammers pick legit file sharing services which have the ability of rendering seamless preview of uploaded files with phishing links. This key feature helps scammers construct web pages that strongly resemble authentic Microsoft experience,” explained Feixiang.

Back-end Servers

Also, criminals seem to separate phishing application & victim data harvesting back-end servers, giving rise to additional identity masquerading.

“Such application architecture also improves flexibility and operational continuity when phishing sites are taken down or blocked. Scammers simply deploy new instances under new domain names without disrupting overall data collection operations,” he maintained.

Feixiang said that the PerSwaysion campaign is yet another living example of highly specialised phishing threat actors working together to conduct effective attacks on a large scale.
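A detection sketch for the hop described above, from a Microsoft file-sharing page to an outside site, including a credential POST that goes to a separate back-end host. This is an added example, not code from Group-IB or the article; the host lists, the record fields and the `.example` hosts are assumptions, and it presumes proxy logs that keep the Referer header.

```python
from urllib.parse import urlsplit

# Assumption: hosts of the file-sharing services the article names (Sway, SharePoint, OneNote).
SHARE_HOSTS = ("sway.office.com", "sharepoint.com", "onenote.com")
# Assumption: allowlist of Microsoft-owned destinations; tune it for your own tenant.
TRUSTED_HOSTS = SHARE_HOSTS + ("office.com", "microsoft.com", "microsoftonline.com", "live.com")

def host_in(host, suffixes):
    """True if host equals a listed name or is a subdomain of one (no substring matching)."""
    return bool(host) and any(host == s or host.endswith("." + s) for s in suffixes)

def find_share_to_untrusted_hops(records):
    """Flag clicks from a file-sharing page to an untrusted host, plus any POST made from it."""
    findings = {}  # (user, landing host) -> finding, kept in first-seen order
    for r in records:
        dest = urlsplit(r["url"]).hostname
        ref = urlsplit(r.get("referer") or "").hostname
        if host_in(ref, SHARE_HOSTS) and not host_in(dest, TRUSTED_HOSTS):
            findings.setdefault((r["user"], dest),
                                {"user": r["user"], "landing": dest, "posted_to": None})
        elif r["method"] == "POST" and (r["user"], ref) in findings:
            # The POST target may differ from the landing host (separate harvesting back end).
            findings[(r["user"], ref)]["posted_to"] = dest
    return list(findings.values())

# Constructed sample proxy records; every .example host is a placeholder.
SAMPLE = [
    {"user": "alice", "method": "GET", "url": "https://sway.office.com/AbCdEf", "referer": None},
    {"user": "alice", "method": "GET", "url": "https://login.portal-check.example/signin",
     "referer": "https://sway.office.com/AbCdEf"},
    {"user": "alice", "method": "POST", "url": "https://collect.backend.example/api",
     "referer": "https://login.portal-check.example/signin"},
    {"user": "bob", "method": "GET", "url": "https://login.microsoftonline.com/common/oauth2",
     "referer": "https://contoso.sharepoint.com/doc"},
    {"user": "bob", "method": "POST", "url": "https://login.microsoftonline.com/common/login",
     "referer": "https://login.microsoftonline.com/common/oauth2"},
    {"user": "carol", "method": "GET", "url": "https://files.vendor.example/q3.pdf",
     "referer": "https://www.onenote.com/notebooks"},
]

if __name__ == "__main__":
    for finding in find_share_to_untrusted_hops(SAMPLE):
        print(finding)
```

A finding with no `posted_to` value is only an outbound link from a shared document and will include legitimate traffic; a finding with one is the case worth triaging first.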

High Ranking

It is claimed that perhaps 156 high-ranking officers of organisations have been compromised. Researchers commented that high-profile victims are mainly based in the USA & Canada, but the remainder are in global & regional financial hubs e.g. Germany, the UK, Netherlands, Hong Kong & Singapore etc.

Group-IB has now set up a website where people can check whether their email address was compromised by PerSwaysion. They added they would work with ‘appropriate parties’ in local countries in order to advise companies of breaches.

Vietnamese

“The campaign phishing kit is primarily developed by a group of ‘Vietnamese speaking malware developers’ while campaign proliferation & hacking activities are operated by other independent groups of scammers,” he stated.

Adam Palmer, Chief Cyber-Security Strategist at Tenable, has further added that the ‘optimum means’ for an organisation to defend itself against this type of attack, in addition obviously to user awareness, is to engage in ‘good cyber-hygiene’, for example, by identifying those critical risks & patching systems with ‘common vulnerabilities’ liked by criminals, blocking malicious sites & IP addresses, enforcing multi-factor authentication (MFA), & using encryption for sensitive data.

“These recommendations make it far harder for criminals to be successful,” he counselled.

Reputable Applications

Ciaran Byrne, Head of Platform Operations at Edgescan, observed that the PerSwaysion attack, as it has been dubbed, appears to just utilise ‘reputable applications’ in order to begin a phishing platform.

“There are countless avenues a nefarious actor can take to trick a user into carrying out actions they have no intention of doing, and this seems no different. Vigilance is important, & people should always be wary when submitting any details or clicking on links in any domain. Double check the URL before entering sensitive information and hover over a link to view what the link actually is,” he concluded.

Serious

These matters clearly need to be taken extremely seriously by all professionals!
