This phishing kit is punishing unaware shoppers this Black Friday
Akamai cybersecurity researchers have uncovered a new phishing campaign targeting consumers in the United States with bogus holiday offers. The goal of the campaign is to steal sensitive personal and payment information, such as credit card details, and ultimately the victims' money.
The threat actors create landing pages impersonating some of the biggest brands in the US, including Dick’s, Tumi, Delta Airlines, Sam’s Club, Costco, and others.
The landing page, often hosted on reputable cloud services such as Google or Azure, directs users to complete a short survey, after which they are promised a prize. The survey is also time-limited to five minutes, using urgency to divert people's attention from potential red flags.
Unique phishing URLs
After completing the survey, the victims would be declared “winners”. All they have to do now to receive their prize is pay the shipping costs. Here they would give away their sensitive payment information, to be later used by the attackers in various ways.
However, what makes this campaign unique is the token-based system that allows it to fly under the radar and not be picked up by cybersecurity solutions.
As the researchers explain, the system helps redirect each victim to a unique phishing page URL. The URLs differ based on the victim’s location, as scammers try to impersonate locally available brands.
To explain how the system works, the researchers said that each phishing email contains a link to the landing page that ends in a fragment identifier, the part after the hash sign (#). Normally a fragment just scrolls the browser to a specific part of a page, and it is never sent to the web server. In this campaign the fragment is a token: JavaScript on the landing page reads it from the browser and uses it to reconstruct the URL of the actual phishing page.
“The values behind the HTML anchor are not considered HTTP parameters and are not sent to the server, but this value is accessible through JavaScript code running in the victim’s browser,” the researchers said. “In the context of a phishing scam, the value placed after the HTML anchor can be ignored or overlooked when scanned by security products that verify whether it is malicious or not.”
“This value is also missed when viewed by a traffic inspection tool.”
Because a security product that fetches the link only ever requests the path and query, not the fragment, it sees nothing but a benign-looking landing page, and the threat actors keep a low profile. On the other hand, researchers, analysts and other unwanted visitors are kept at bay, because without the correct token the site will not load.
Via: BleepingComputer