A Telegram bot is selling subscriptions to phishing tools for hijacking Microsoft 365 accounts, including the ability to bypass two-factor authentication.
Researchers have discovered a phishing marketplace on Telegram called ONNX that gives cybercriminals access to tools for hijacking Microsoft 365 accounts, including methods for bypassing two-factor authentication. With these tools, attackers can run phishing campaigns against Microsoft 365 and Office 365 email accounts. Information security staff should be aware of this threat and pay special attention to anti-phishing protection. Here is what is known about it.
Malicious QR Code Attachment and Two-Factor Authentication Bypass
Researchers described an example of an attack using the ONNX phishing marketplace tools that was carried out against employees of several financial institutions. Victims first received emails that appeared to come from the HR department, with the recipient's salary used as bait. The emails carried PDF attachments containing a QR code that had to be scanned to access a "protected document" with the promised salary information. The point of the QR code is to make the victim open the link not on a work computer, which most likely has anti-phishing protection, but on a personal smartphone, which may well have none.
The link opens a phishing site that imitates the Microsoft 365 sign-in page. The victim is asked to enter a username and password first, and then a one-time two-factor authentication code.

The fake Microsoft account login page asks the victim to enter their username, password, and one-time two-factor authentication code.
All of this information, of course, goes straight to the attackers. One-time two-factor authentication codes are short-lived: a typical TOTP code rotates every 30 seconds, and the server tolerates only a little clock drift beyond that. To deliver the captured data before the code expires, the phishing kit uses the WebSocket protocol, which gives the operator a persistent real-time channel to the phishing page.
Having received the username, password and one-time code, the attackers immediately, while the code is still valid, use them to sign in and thus gain full access to the victim's mailbox. To the service, this looks like a legitimate completion of MFA; the only difference is that the session originates from the attackers' infrastructure rather than the victim's device. The access can then be used, for example, for BEC (business e-mail compromise) attacks.
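To make the timing constraint concrete, here is an added example (not code from the original article or from the ONNX kit) that implements RFC 6238 TOTP generation and a server-side check with the usual one-step drift tolerance, then models the relay: the victim types the code at one moment and the attacker submits it some seconds later. The shared secret, the timestamps and the tolerance of one step are constructed for the demonstration; the second secret in the test is the RFC 6238 reference seed.

```python
"""
Added example: why a real-time relay is needed to reuse a TOTP code.
A TOTP value depends on a shared secret and the current 30-second time step,
so a relayed code is only accepted while that step (plus the server's small
drift tolerance) is still current. Secret and times below are constructed.
"""
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30      # RFC 6238 default period in seconds
DIGITS = 6
SKEW_STEPS = 1      # constructed: servers commonly accept +/- one step of drift

# Constructed shared secret in the base32 form used by authenticator apps.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def totp(secret_b32: str, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Return the TOTP value for unix_time (RFC 6238 over RFC 4226 HOTP, HMAC-SHA1)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def server_accepts(secret_b32: str, submitted: str, server_time: int,
                   skew_steps: int = SKEW_STEPS) -> bool:
    """Server-side check: the code must match the current step or one within the skew window."""
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret_b32, server_time + delta * TIME_STEP)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def relay_attack(victim_time: int, relay_delay_s: int) -> bool:
    """
    Model of the kit's flow: the victim enters the code on the phishing page at
    victim_time; the kit forwards it and the attacker submits it to the real
    service relay_delay_s seconds later. Returns True if that login succeeds.
    """
    code_from_victim = totp(DEMO_SECRET_B32, victim_time)
    return server_accepts(DEMO_SECRET_B32, code_from_victim, victim_time + relay_delay_s)


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed: 20 seconds into a 30-second step
    for delay in (2, 25, 45, 90):
        outcome = "OK" if relay_attack(t0, delay) else "REJECTED"
        print(f"code relayed after {delay:>3}s -> attacker login {outcome}")
```

With the constructed start time the code survives a 2-second relay and, thanks to the drift tolerance, even a 25-second one, but not a 90-second one. That window is why the kit pushes credentials over a WebSocket as soon as they are typed instead of collecting them for later.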
Phishing-as-a-Service: Everything for Fishing and Hunting
The hub of this phishing service, as mentioned above, is Telegram. The creators of ONNX make full use of automation: all interaction with buyers goes through Telegram bots. The service is sold on a subscription basis, and the prices are low: a monthly subscription for collecting Microsoft 365 passwords without bypassing two-factor authentication costs $200, and one with interception of 2FA codes costs $400.
Even small-time cybercriminals can afford that. For a small investment they get a highly effective phishing service; all that is left for them is to pick a suitable target and work out how to monetize the access.
How to Protect Your Organization from Advanced Phishing Attacks
This is what makes Phishing-as-a-Service dangerous: the model puts serious tooling in the hands of a much wider range of attackers. You should therefore assume that your organization may be targeted with advanced phishing services and protect against them accordingly. Our advice:
- Consider FIDO hardware security keys (for example, YubiKeys) or passkeys for two-factor authentication. These credentials are bound to the legitimate site's origin, so unlike a one-time code they cannot be relayed from a phishing page, however quickly the attackers forward it.
- Use a robust solution with anti-phishing tools on all corporate devices, including smartphones and tablets.
- Conduct regular security awareness training so that employees know how to respond to suspicious emails.
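To show why the first recommendation holds against exactly the relay described above, here is an added example (not from the original article) that models the origin binding of a WebAuthn/FIDO credential in simplified form. The authenticator scopes each credential to a relying party ID, the browser refuses to request an assertion for a relying party ID that is not the page's own domain, and the server checks both the signed origin and the relying party ID hash. The signature is modelled with HMAC over a per-relying-party secret instead of a real public-key signature, and the domains login.example.com and login-example.com are constructed.

```python
"""
Added example: a simplified model of WebAuthn origin binding. Real
authenticators use asymmetric keys; HMAC over a per-RP secret stands in for
the signature here. Domains and the challenge flow are constructed.
"""
import hashlib
import hmac
import json
import os


class Authenticator:
    """Toy authenticator holding one credential per relying party ID (rpId)."""

    def __init__(self):
        self._keys = {}  # rpId -> secret; stands in for the credential private key

    def register(self, rp_id):
        key = os.urandom(32)
        self._keys[rp_id] = key
        return key  # a real authenticator would hand the server a public key

    def get_assertion(self, rp_id, origin, challenge):
        key = self._keys.get(rp_id)
        if key is None:
            return None  # no credential scoped to this rpId: nothing to sign
        # clientDataJSON carries the origin the browser actually observed
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": origin}, sort_keys=True).encode()
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        to_sign = rp_id_hash + hashlib.sha256(client_data).digest()
        return {"client_data": client_data, "rp_id_hash": rp_id_hash,
                "signature": hmac.new(key, to_sign, hashlib.sha256).digest()}


def browser_get(authenticator, page_origin, requested_rp_id, challenge):
    """Browser role: the rpId must be the page's domain or a registrable suffix of it."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        return None  # a real browser raises SecurityError here
    return authenticator.get_assertion(requested_rp_id, page_origin, challenge)


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin, self._keys = rp_id, origin, {}

    def enroll(self, user, key):
        self._keys[user] = key

    def new_challenge(self):
        return os.urandom(32)

    def verify(self, user, challenge, assertion):
        if assertion is None:
            return False
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
            return False
        if cd.get("origin") != self.origin:
            return False  # signed on another site: relayed or phished
        if assertion["rp_id_hash"] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        to_sign = assertion["rp_id_hash"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(self._keys[user], to_sign, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


REAL_RP_ID = "login.example.com"            # constructed
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com"  # constructed look-alike domain


def setup():
    auth, rp = Authenticator(), RelyingParty(REAL_RP_ID, REAL_ORIGIN)
    rp.enroll("victim", auth.register(REAL_RP_ID))
    return auth, rp


def legitimate_login():
    auth, rp = setup()
    ch = rp.new_challenge()
    return rp.verify("victim", ch, browser_get(auth, REAL_ORIGIN, REAL_RP_ID, ch))


def relayed_login():
    """Attacker starts a login with the real RP and relays its challenge to the victim's browser on the phishing page."""
    auth, rp = setup()
    ch = rp.new_challenge()
    a1 = browser_get(auth, PHISH_ORIGIN, REAL_RP_ID, ch)      # browser refuses foreign rpId
    a2 = browser_get(auth, PHISH_ORIGIN, "login-example.com", ch)  # no credential for that rpId
    a3 = auth.get_assertion(REAL_RP_ID, PHISH_ORIGIN, ch)     # even bypassing the browser, the origin is signed
    return any(rp.verify("victim", ch, a) for a in (a1, a2, a3))


if __name__ == "__main__":
    print("legitimate login:", legitimate_login())
    print("relayed via phishing page:", relayed_login())
```

Compare this with the TOTP case: a one-time code carries no information about where it was typed, so the server cannot tell a relayed code from a genuine one, whereas here every path through the phishing page either yields nothing to relay or an assertion the server rejects.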
Source