A surge in spearphishing emails designed to steal Office 365 credentials includes some that were made to look like they came from a Kaspersky email address.
A legitimate access token, stolen from a third-party contractor, let the attackers send phishing emails from kaspersky.com email addresses.
Nobody at Kaspersky sent the phishing emails, the security company stated in an advisory issued on Monday. Rather, the emails from the Kaspersky email address were sent with the company’s legitimate, but stolen, Amazon Simple Email Service (SES) token.
Send E-Mail
Amazon SES is a scalable email service that lets developers send mail from any application, including for marketing or mass email communications.
The phishing campaign is huge, the company observed, and the Kaspersky-themed phishing emails make up only a tiny part of it. The campaign relies on more than just the Kaspersky token or the one email address involved, which was noreply@sm.kaspersky.com.
“This access token was issued to a third-party contractor during the testing of the website 2050.earth,” according to Kaspersky’s advisory. The 2050.earth site is a Kaspersky project that features an interactive map illustrating what futurologists and others think will happen to the planet in the coming decades.
Amazon Infrastructure
Kaspersky commented that the site is hosted on Amazon infrastructure.
After seeing what it called “a huge uptick” in recent Office 365 credential spearphishing attacks (attacks that may be coming from multiple threat actors), Kaspersky said the SES token was immediately revoked.
The theft caused no damage, the advisory explains: “No server compromise, unauthorised database access or any other malicious activity was found at 2050.earth and associated services.”
Phony Faxes
Phishing is a common way for cyber-criminals to fool people, through socially engineered emails, into giving up their credentials to online accounts that can store sensitive data.
Phishers use these emails, which sometimes fool people by impersonating a trusted company (like Kaspersky), application or institution, to direct targets to specially crafted phishing sites where they enter their credentials, believing they are doing so for a legitimate reason.
Office 365 credentials are a common target for phishing attacks. In March, for example, a phishing scam targeted executives in the insurance and financial services industries with the aim of harvesting their Microsoft 365 credentials and launching business email compromise (BEC) attacks.
Fax Notifications
The cyber-crooks who thought up the Kaspersky-themed scheme did not try to impersonate Kaspersky employees.
Instead, the phishing emails typically pretend to be “fax notifications” that lure targets to fake websites that harvest credentials for Microsoft’s online services. It is not the first time the old “fax alert” method has been used: in December 2020, Office 365 credentials were similarly under attack by a campaign that used the same email con.
The Kaspersky-themed phishing emails were sent from various supposed Kaspersky addresses, and they are coming from multiple sources, including Amazon Web Services infrastructure.
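The lure described above is hard to catch on sender authentication alone: mail sent through a company's own, legitimately configured SES account will normally pass SPF and DKIM for that domain, so a defender has to look at the lure itself. The following triage rule is an added example written for this page, not code from Kaspersky or from the article; it scores a raw message on the pattern the article describes (a "fax notification" subject whose links lead somewhere other than a Microsoft sign-in host) and also reports whether the bounce (Return-Path) domain differs from the From domain, which is the case for SES mail unless a custom MAIL FROM domain is configured. The two sample messages, the bounce addresses and the landing-page host are constructed for the demo; the allowlist of Microsoft login hosts and the lure vocabulary are assumptions a deployment would tune.

```python
"""Triage rule for 'fax notification' credential lures sent via a trusted domain.

Added example, not part of the original article. The sample messages below are
constructed; the phishing landing host uses the reserved .example TLD.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Hosts where a genuine Microsoft sign-in would land (assumed allowlist).
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Words that typically appear in "you have a new document" style lures (assumed).
LURE_WORDS = ("fax", "voicemail", "document")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed lure: From is a kaspersky.com sub-domain (as in the article), the
# bounce address is an SES-style amazonses.com address, and the link goes to a
# placeholder credential-harvesting page rather than a Microsoft host.
SAMPLE_LURE = """\
Return-Path: <bounce-demo@amazonses.com>
From: "Fax Service" <noreply@sm.kaspersky.com>
To: victim@example.org
Subject: New fax received (2 pages)
Content-Type: text/html; charset=utf-8

<p>You have a new fax. <a href="https://phish-landing.example/office365/view.php">Review document</a></p>
"""

# Constructed benign mail from the same domain with a custom MAIL FROM domain.
SAMPLE_CLEAN = """\
Return-Path: <bounce@sm.kaspersky.com>
From: "Newsletter" <newsletter@sm.kaspersky.com>
To: reader@example.org
Subject: Weekly security newsletter
Content-Type: text/plain; charset=utf-8

Read this week's posts at https://www.kaspersky.com/blog
"""


def body_text(msg: Message) -> str:
    """Concatenate every text/* part, decoded, so links in HTML and plain parts are seen."""
    chunks = []
    for part in msg.walk():  # walk() yields the message itself for single-part mail
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address header, or '' if none."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def triage(raw: str) -> dict:
    """Score one raw RFC 5322 message and return the signals plus a verdict."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    subject = (msg.get("Subject") or "").lower()
    links = URL_RE.findall(body_text(msg))
    non_microsoft_links = [
        u for u in links
        if (urlparse(u).hostname or "").lower() not in MICROSOFT_LOGIN_HOSTS
    ]
    bounce_mismatch = (
        bool(return_path_domain)
        and return_path_domain != from_domain
        and not return_path_domain.endswith("." + from_domain)
    )
    lure_subject = any(w in subject for w in LURE_WORDS)
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "bounce_domain_mismatch": bounce_mismatch,
        "lure_subject": lure_subject,
        "links": links,
        "non_microsoft_links": non_microsoft_links,
        # A document/fax lure whose links avoid Microsoft's sign-in hosts is the
        # pattern worth a human look; relay mismatch alone is only informational.
        "verdict": "suspect" if lure_subject and non_microsoft_links else "clean",
    }


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("clean", SAMPLE_CLEAN)):
        print(name, triage(raw)["verdict"])
```

The verdict deliberately depends on the lure content and link destination rather than on the bounce-domain signal, because a legitimate SES customer without a custom MAIL FROM domain produces exactly the same mismatch; reporting it separately lets an analyst see that the message was relayed through a third-party service without treating that alone as malicious.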
Analysis showed that the phishing campaigns rely on a phishing kit that Kaspersky researchers have named “Iamtheboss,” used in conjunction with another phishing kit known as “MIRCBOOT.”
Turnkey Phishing Platform
If the name MIRCBOOT sounds familiar, it might be because it was one of the phishing kits that Microsoft recently found when it uncovered a large-scale, well-organised, sophisticated phishing-as-a-service (PhaaS) operation that the criminals called Bullet Proof Link.
Bullet Proof Link is a turnkey platform that provides phishing kits, email templates, hosting and other tools that let subscribers customise campaigns and develop their own phishing ploys, supplying everything needed to launch attacks.
Domain Names
MIRCBOOT and the other phishing kits available on Bullet Proof Link allow would-be cyber-criminals to set up the websites and purchase the domain names they need to launch phishing campaigns, pretending to be, say, employees of a security firm, as in this case.