Cybersecurity researchers are drawing attention to a new type of credential phishing scheme that ensures the stolen information is tied to valid online accounts.
The technique has been named precision-validating phishing by Cofense, which says it relies on real-time email validation so that only a selected set of high-value targets is shown the fake login screen.
“This tactic not only gives the threat actor a higher success rate in obtaining usable credentials, as they engage only with a specific pre-harvested list of valid email accounts,” the company noted.
Unlike “spray-and-pray” credential harvesting campaigns, which typically involve the bulk distribution of spam emails to obtain victims' login information indiscriminately, the latest attack takes spear-phishing to the next level by interacting only with email addresses that the attackers have verified as active, legitimate and high-value.
In this scenario, the email address entered by the victim on the phishing landing page is checked against the attacker's database, and only then is the bogus login page displayed. If the email address does not exist in the database, the page either returns an error or redirects the user to an innocuous page such as Wikipedia in order to evade security analysis.
The check is carried out by integrating an API- or JavaScript-based email validation service into the phishing kit, which confirms the email address before moving on to the password capture step.
“This increases the efficiency of the attack and the likelihood that the stolen credentials belong to real, actively used accounts, improving the quality of the harvested data for resale or further exploitation,” Cofense said.
“Automated security crawlers and sandbox environments also struggle to analyze these attacks, as they cannot bypass the validation filter. This targeted approach reduces the attacker's risk and extends the lifespan of phishing campaigns.”
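The validation gate described above leaves a recognisable trace even when a sandbox's decoy address is rejected: an email-only form submission, a cross-origin call to a validation endpoint, and then either an error or a bounce to an unrelated site instead of a password prompt. The following Python is an added illustration of how a URL sandbox could score that sequence; it is not Cofense's code or any product's. The transaction record layout (method, url, status, post_fields, location), the validation path hints and the decoy-domain list beyond Wikipedia are assumptions, and the sample session is constructed.

```python
"""Heuristics for spotting a precision-validating phishing page from a
URL sandbox's HTTP transaction log.

Added example for illustration; not Cofense's code or any real product's.
The transaction record layout (method, url, status, post_fields, location)
is an assumed sandbox export format, and the sample session is constructed.
"""
from urllib.parse import urlparse

# Innocuous sites a kit may bounce unlisted addresses to. Wikipedia is the one
# the report names; the others are assumed additions of the same kind.
DECOY_DOMAINS = {"wikipedia.org", "microsoft.com", "google.com"}

# Path fragments typical of an email-validation API call (assumed heuristics).
VALIDATION_HINTS = ("verify", "validate", "check", "lookup")

# Form fields that identify an account without carrying a secret.
IDENTITY_FIELDS = {"email", "username", "login", "user"}


def _site(url):
    """Registered-domain approximation: the last two labels of the hostname."""
    host = urlparse(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze(transactions, landing_url):
    """Return (verdict, indicators) for one sandbox session.

    transactions: ordered list of dicts with keys method, url, status and,
    optionally, post_fields (dict) and location (redirect target).
    """
    landing_site = _site(landing_url)
    indicators = []
    after_identity_post = False

    for tx in transactions:
        url = tx["url"]
        site = _site(url)
        fields = set(tx.get("post_fields") or {})

        # 1. A form post carrying an identity field but no password: the page
        #    is deciding whether to show the password step at all.
        if tx["method"] == "POST" and fields and fields <= IDENTITY_FIELDS:
            after_identity_post = True
            indicators.append(f"email-only submission to {site}")
            continue
        if not after_identity_post:
            continue

        # 2. A cross-origin request resembling an email validation API call.
        if site != landing_site and any(h in url.lower() for h in VALIDATION_HINTS):
            indicators.append(f"validation call to {site}")

        # 3. Unlisted address bounced to an innocuous site instead of a password page.
        target = tx.get("location")
        if 300 <= tx["status"] < 400 and target and _site(target) in DECOY_DOMAINS:
            indicators.append(f"redirect to decoy {_site(target)}")

        # 4. Or the page simply answers with an error after the email step.
        if site == landing_site and tx["status"] >= 400:
            indicators.append(f"error {tx['status']} after email submission")

    gated = any(i.startswith(("validation call", "redirect to decoy", "error"))
                for i in indicators)
    verdict = "precision-validating" if after_identity_post and gated else "inconclusive"
    return verdict, indicators


# Constructed sample: the sandbox submitted a decoy address that is not on the
# attacker's list, so the kit validated it externally and bounced it to Wikipedia.
SAMPLE_LANDING = "https://login-verify.example/index.php"
SAMPLE_SESSION = [
    {"method": "GET", "url": SAMPLE_LANDING, "status": 200},
    {"method": "POST", "url": "https://login-verify.example/next.php",
     "status": 200, "post_fields": {"email": "decoy@sandbox.example"}},
    {"method": "GET", "status": 200,
     "url": "https://api.validator.example/v1/verify?email=decoy%40sandbox.example"},
    {"method": "GET", "url": "https://login-verify.example/next.php?step=2",
     "status": 302, "location": "https://en.wikipedia.org/"},
]

if __name__ == "__main__":
    verdict, found = analyze(SAMPLE_SESSION, SAMPLE_LANDING)
    print(verdict)
    for item in found:
        print(" -", item)
```

The point of scoring the sequence rather than the final page is that the sandbox does not need to get past the filter: being rejected is itself the signal, provided the crawler records the email-only submission and what happened next. An ordinary login form that posts email and password together never sets the first indicator and is left as inconclusive.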
The development comes as the cybersecurity company also disclosed details of an email phishing campaign that uses file deletion reminders as a lure to capture credentials and deliver malware.
The two-pronged attack uses an embedded URL that appears to point to a PDF file scheduled for deletion from a legitimate file storage service called files.fm. If the recipient clicks the link, they are taken to a genuine files.fm page from which they can download the purported PDF file.
However, once the PDF is opened, users are presented with two options: preview or download the file. Those who choose the former are taken to a fake Microsoft login screen designed to steal their credentials. Selecting the download option drops an executable that claims to be Microsoft OneDrive but is in fact the ScreenConnect remote desktop software from ConnectWise.
It is “almost as if the threat actor intentionally designed the attack” this way, Cofense noted. “Both options lead to the same outcome, with similar goals but different approaches to achieving them.”
The findings also follow the discovery of a sophisticated multi-stage attack that combines vishing, remote access tooling and living-off-the-land techniques to gain initial access and establish persistence. The tradecraft observed in the activity matches a cluster tracked as Storm-1811 (aka STAC5777).
“The threat actor exploited exposed communication channels by delivering a malicious PowerShell payload via a Microsoft Teams message, followed by the use of Quick Assist to remotely access the environment,” Ontinue said. “This led to the deployment of signed binaries (e.g., TeamViewer.exe), a sideloaded malicious DLL (TV.dll) and ultimately a JavaScript-based C2 backdoor executed through Node.js.”
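Each stage of the chain Ontinue describes produces endpoint telemetry that a detection rule can pick up without any signature for the payload itself: PowerShell spawned by the Teams client, a Quick Assist session, a signed binary loading a same-directory DLL from a user-writable location, and Node.js running a script from that location. The following Python is an added example of such a rule set applied to process-creation and image-load events; it is not Ontinue's detection content. The event layout (type, image, parent, cmdline, process, signed), the install-root baseline and the sample events are assumptions constructed for the example.

```python
"""Detection logic for the signed-binary / sideloaded-DLL chain described
above (Teams-delivered PowerShell, Quick Assist, TeamViewer.exe loading
TV.dll beside it, then a Node.js-executed script).

Added example, not Ontinue's detection content. The event layout is an
assumed EDR export format and the sample events are constructed.
"""
import ntpath

# Directories where a legitimately installed signed binary is expected to live
# (assumed baseline; tune to the estate).
INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def _norm(path):
    return path.replace("/", "\\").lower()


def _name(path):
    return ntpath.basename(_norm(path))


def _dirname(path):
    return ntpath.dirname(_norm(path))


def _outside_install_roots(path):
    return not _norm(path).startswith(INSTALL_ROOTS)


def detect(events):
    """Map ordered EDR events to a list of (rule, detail) alerts."""
    alerts = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            child, parent = _name(ev["image"]), _name(ev.get("parent", ""))
            cmd = ev.get("cmdline", "").lower()
            # Stage 1: PowerShell spawned directly by the Teams client.
            if child == "powershell.exe" and parent in ("ms-teams.exe", "teams.exe"):
                alerts.append(("teams_spawned_powershell", cmd))
            # Stage 2: a Quick Assist session (benign on its own; correlate).
            elif child == "quickassist.exe":
                alerts.append(("quick_assist_started", ev["image"]))
            # Stage 4: Node.js running a script from outside any install root.
            elif child == "node.exe" and ".js" in cmd and _outside_install_roots(ev["image"]):
                alerts.append(("node_js_from_user_path", cmd))
        elif kind == "image_load":
            # Stage 3: a signed executable (per the EDR's Authenticode check)
            # loading a DLL that sits in its own directory, with that directory
            # outside every install root: the classic sideload layout.
            exe, dll = ev["process"], ev["image"]
            if (ev.get("signed", False)
                    and _dirname(exe) == _dirname(dll)
                    and _outside_install_roots(dll)):
                alerts.append(("dll_sideload",
                               f"{_name(exe)} loaded {_name(dll)} from {_dirname(dll)}"))
    return alerts


# Constructed sample events in the order the chain unfolds.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\WindowsApps\MSTeams_x64\ms-teams.exe",
     "cmdline": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\victim\AppData\Local\Temp\stage.ps1"},
    {"type": "process_create", "image": r"C:\Windows\System32\quickassist.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "quickassist.exe"},
    {"type": "image_load", "signed": True,
     "process": r"C:\Users\victim\AppData\Local\Temp\tv\TeamViewer.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\tv\TV.dll"},
    {"type": "process_create", "image": r"C:\Users\victim\AppData\Local\Temp\tv\node.exe",
     "parent": r"C:\Users\victim\AppData\Local\Temp\tv\TeamViewer.exe",
     "cmdline": r"node.exe C:\Users\victim\AppData\Local\Temp\tv\agent.js"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The sideload rule deliberately keys on layout rather than on the names TeamViewer.exe and TV.dll, so a genuine TeamViewer installation under Program Files loading its own TV.dll produces nothing, while the same signed binary copied into a temp directory next to a substitute DLL fires regardless of which vendor's binary is abused. Quick Assist on its own is common in support scenarios; its value here is as the correlating event between the Teams-delivered PowerShell and the sideload.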