URL: https://cofense2022stg.wpengine.com/blog/cofense-intelligence-strategic-analysis-2/
MAN-IN-THE-MIDDLE (MITM) ATTACKS REACHING INBOXES INCREASE 35% SINCE 2022

MITM PHISHING GROWS, USING REAL LOGIN PROCESS TO STEAL CREDENTIALS

May 9, 2023

A man-in-the-middle (MitM) attack is an adversary’s attempt to steal information by inserting themselves between victims and their legitimate, expected destination. Threat actors combining credential phishing with man-in-the-middle attacks have been another evolution in the threat landscape. In this context, rather than setting up one fake login page, the attacker lures victims to a web server that brokers the entire authentication process between the user and the actual destination. If successful, threat actors can use the harvested usernames, passwords, and session cookies to gain access to a victim’s account and even bypass multi-factor authentication.

Man-in-the-middle attacks are meant to be transparent to the victim, but this does not mean they are undetectable. Credential phishing man-in-the-middle attacks are no different. Based on a few tell-tale signs, Cofense Intelligence has identified notable trends, including:

* a 35% increase in volume reaching inboxes between Q1 2022 and Q1 2023
* 94% of MitM credential phishing attacks reaching inboxes targeted O365 authentication
* 89% of campaigns used at least one URL redirect, and 55% used two or more

The signs we used to track MitM phishing attacks not only allow us to perform statistical analysis, but are also useful for detection and defense. Network defenders will need to be aware of these markers to better protect their organizations.
MITM PHISHING BY THE NUMBERS

Taking the characteristics of credential phishing MitM URLs (outlined later in this report) and matching them against phishing campaigns found in customer mailboxes, Cofense Intelligence has observed a gradual but persistent increase in the volume of credential harvesting man-in-the-middle attacks since early 2021. Figure 6 shows major spikes in January and September of 2022, followed by significant corrections that still retain an upward long-term trajectory. The spikes and corrections may be due to cycles in which threat actors develop, test, and refine the capabilities of their MitM phishing kits. There are also numerous open-source tools (such as evilginx2, CipherGinx, and Muraena) that could provide threat actors with MitM capabilities.

Figure 1: Count of man-in-the-middle phishing campaigns per month over the past two years.

The significant majority of man-in-the-middle landing pages we have identified attempt to intercept Office 365 credentials (Figure 2), with Outlook and Amazon following as a distant second and third.

Figure 2: Type of login pages being intercepted by man-in-the-middle servers.

The majority of campaigns observed have a malicious URL embedded in the body of the email rather than in an attachment. Very few of the embedded URLs point directly at the man-in-the-middle server itself. Instead, most pass through one or more URL redirects before reaching the final URL that actually conducts the man-in-the-middle attack.

Figure 3: Most man-in-the-middle phishing campaigns use multiple redirects before the final MitM URL.

HOW IT WORKS

Man-in-the-middle attacks have been used for a long time, in different contexts. For example, to eavesdrop on network traffic, an attacker could send an update to the other devices on the network claiming that their machine is the new default gateway, so that all network traffic is routed through the attacker’s computer.
An attacker could also impersonate a trusted device by setting up their own Wi-Fi hotspot near other available wireless networks, allowing them to intercept the traffic from any device that connects to it.

In credential phishing, a man-in-the-middle server acts as a proxy between the user and the actual destination (Figure 4). It presents the destination’s login page to the user and passes any received username and password on to the destination website. If multi-factor authentication (MFA) is enabled for that account, it presents the MFA request to the user for further input and forwards any responses to the destination.

Figure 4: The man-in-the-middle server intercepts all steps of authentication.

Most websites today use web certificates to verify that the site can be trusted and to create a secure connection between themselves and the user. The verification process helps to ensure that the destination is who it claims to be. This secure connection encrypts the back-and-forth traffic, making it difficult for attackers to decrypt any traffic they happen to intercept. The credential harvesting man-in-the-middle server gets around this by setting up two secure connections: one between itself and the destination, and the other between itself and the user. To disguise itself within the authentication process, the man-in-the-middle server uses a valid certificate to authenticate its own identity and allow encrypted traffic between itself and the user. Since the man-in-the-middle server sits between these two secure connections, it can decrypt the data from the user and extract the username and password (Figure 5). It then re-encrypts the traffic and sends it on to the destination website. If the authentication is successful, it continues to broker the connection between the user and the destination, often even passing along MFA requests.

Figure 5: Extracted credentials from a secure connection.
Once all the authentication steps succeed, the final step is for the destination website to craft a session cookie and send it back to the user. Session cookies are very valuable. They are used to manage logins, shopping carts, user preferences, and any other information that needs to be saved throughout someone’s interaction with a website. Just like the username and password, the attacker can decrypt and extract the session cookie before sending it along to the user (Figure 6).

Figure 6: Captured session cookie received from the destination website.

Once the attacker has the session cookie, they can use it to interact with the website as if they were the user. The session cookie allows them to bypass the username, password, and even the multi-factor authentication steps. With that session cookie, they are granted all the access and permissions associated with the account.

DETECTING MAN-IN-THE-MIDDLE PAGES

Figure 4 shows the actual landing page for login.microsoftonline.com and one that is passing through a man-in-the-middle server. At first glance, the two pages look identical. This makes sense, as the man-in-the-middle server has just made a real-time request in order to clone the actual login.microsoftonline.com page. However, there are two significant differences.

Figure 7: Authentication prompts for legitimate (back) and man-in-the-middle server (front).

URL INSPECTION

One way to determine whether the landing page is legitimate is to inspect the URL. Table 1 shows a few well-known login URLs and samples of malicious ones found in recent campaigns. Notice how similar the URLs are to each other except for the domains. Attackers still use the tried-and-true method of creating domain names that resemble the destination they are trying to impersonate (e.g., Microsoft). They may also create a domain that impersonates a customer’s business, or include subdomains such as “secure” or “login” to look more legitimate.
Service/Destination  URL
Legitimate O365      https://login.microsoftonline[.]com/common/oauth2/v2.0/authorize?client_id= . . .
O365 MitM            https://lmo.merlinindvstries[.]com/common/oauth2/v2.0/authorize?client_id= . . .
O365 MitM            https://mcmicroteam.infobd71[.]com/common/oauth2/v2.0/authorize?client_id= . . .
O365 MitM            https://login.microsoftonline.atn0[.]live/common/oauth2/v2.0/authorize?client_id= . . .
O365 MitM            https://login.0-396[.]com/common/oauth2/v2.0/authorize?client_id= . . .
O365 MitM            https://secure.origirnal[.]com/common/oauth2/v2.0/authorize?client_id= . . .
O365 MitM            https://login.micsoftsonline[.]com/common/oauth2/v2.0/authorize?client_id= . . .
Legitimate Outlook   https://login.live[.]com/login.srf?wa=signin . . .
Outlook MitM         https://microsoftonline.fovere[.]co/login.srf?wa=signin . . .
Outlook MitM         https://microsoftonline.eonashnville[.]com/login.srf?wa=signin . . .
Outlook MitM         https://microsoftonline.italiandesignbrand[.]com/login.srf?wa=signin . . .
Legitimate Amazon    https://amazon[.]com/ap/signin? . . .
Amazon MitM          https://aws3dshiharai-amazon.misecure[.]com/ap/signin? . . .

Table 1: Legitimate and malicious URLs found as a part of campaigns which made it to customer inboxes.

WEBSITE CERTIFICATES

The other way to determine whether a website is legitimate is to inspect its certificate. Legitimate certificates are issued by a certificate authority and are used to verify that a website is who it says it is. A padlock icon appears in your web browser to indicate that the certificate is valid and the connection between you and the destination is secure. If there are any issues with the certificate, modern web browsers warn you not to proceed any further. The certificates below (Figure 8) are from the two websites in Figure 7. Both browsers showed the padlock icon, which indicates the certificates are trusted. However, looking at the certificates more closely shows the important difference.
The common name in the certificate of the legitimate website is microsoftonline.com. The common name in the certificate from the man-in-the-middle server has nothing to do with Microsoft at all.

Figure 8: Certificates from the legitimate (left) and man-in-the-middle server (right).

Just like the URLs above, the names in certificates should be carefully inspected, as attackers are likely to create domain names that resemble microsoftonline.com. Domains such as m1crosoft0nline.com and micsoftonline.com may fool the casual viewer.

DEFENDING AND DETECTING

Throughout the day, there can be a number of online locations where users may be asked to input their business credentials. These could be locations within their own company, multiple online cloud portals, and even shared locations belonging to other businesses. Credential phishing man-in-the-middle campaigns are unique in that the authentication process looks and feels very legitimate, so much so that users may not even take a second glance at the URL to question its legitimacy. With that in mind, here are a few tips for defending against such attacks.

* Users should be reminded of which online portals are approved for company use.
* Emails containing URLs or attachments that bring users to a website which looks legitimate but does not match the company-approved ones should be considered suspicious and reported for further analysis.

Detecting these campaigns at the inbox level will be difficult, as most of the attacks make use of multiple redirects before landing the victim on the final man-in-the-middle URL. Despite the redirects, patterns in the final malicious URL will be very similar to legitimate ones. Alerts on outbound network traffic which match known URL patterns but do not match the legitimate domains could be beneficial.
The basic logic of an alert might look something like this:

* O365
  * URL contains “.com/common/oauth2/v2.0/authorize?client_id=” AND
  * URL NOT contains “login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=”
* Outlook
  * URL contains “login.srf?wa=signin” AND
  * URL NOT contains “login.live.com/login.srf?wa=signin”

Finally, threat actors may leave tracks once they start interacting with a compromised account. Alerts like the following may help to detect a compromised account.

* Stolen session cookies
* Impossible travel
* Mailbox rule manipulation
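The alert logic above, written out as a small classifier and run over the Table 1 URLs; this is an added example, not Cofense's code. It parses the URL and compares the host against the legitimate domain (or a subdomain of it) instead of substring-matching the whole URL, so a look-alike on a non-.com TLD such as the atn0[.]live sample is still caught; the Amazon rule is an assumption extending the post's two rules to its third service.

```python
from urllib.parse import urlsplit

# Legitimate host and path/query marker for each login flow named in the post.
LOGIN_FLOWS = {
    "O365": ("login.microsoftonline.com", "/common/oauth2/v2.0/authorize?client_id="),
    "Outlook": ("login.live.com", "/login.srf?wa=signin"),
    "Amazon": ("amazon.com", "/ap/signin"),  # assumption: extends the post's two rules
}

def refang(url: str) -> str:
    """Turn a defanged, truncated URL as printed in Table 1 into a parseable one."""
    return url.replace("[.]", ".").replace(" . . .", "").strip()

def classify_login_url(url: str):
    """Return (service, verdict): verdict is 'legitimate', 'alert', or None if no marker matches."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    path_query = parts.path + ("?" + parts.query if parts.query else "")
    for service, (legit_host, marker) in LOGIN_FLOWS.items():
        if marker not in path_query:
            continue
        # Host must be the legitimate one or a subdomain of it, so look-alikes such as
        # login.microsoftonline.atn0.live are flagged even though their path matches exactly.
        if host == legit_host or host.endswith("." + legit_host):
            return service, "legitimate"
        return service, "alert"
    return None, None

# Constructed sample: a subset of the Table 1 URLs, exactly as printed in the post.
TABLE_1 = [
    "https://login.microsoftonline[.]com/common/oauth2/v2.0/authorize?client_id= . . .",
    "https://login.microsoftonline.atn0[.]live/common/oauth2/v2.0/authorize?client_id= . . .",
    "https://login.live[.]com/login.srf?wa=signin . . .",
    "https://microsoftonline.fovere[.]co/login.srf?wa=signin . . .",
    "https://amazon[.]com/ap/signin? . . .",
    "https://aws3dshiharai-amazon.misecure[.]com/ap/signin? . . .",
]

def alerts_for(urls):
    """Map service -> refanged URLs whose path matched but whose host was not legitimate."""
    hits = {}
    for url in urls:
        service, verdict = classify_login_url(url)
        if verdict == "alert":
            hits.setdefault(service, []).append(refang(url))
    return hits

if __name__ == "__main__":
    print(alerts_for(TABLE_1))
```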