URL: https://www.darkreading.com/vulnerabilities-threats/-perswaysion-phishing-campaign-continues-to-be-an-active-threat-for-orga...
'PerSwaysion' Phishing Campaign Still Ongoing, and Pervasive

Research shows that multiple attack groups have been using the phishing kit,
which leverages Microsoft file-sharing services, for much longer than
previously thought.
Jai Vijayan
Contributing Writer
November 18, 2021
Source: Artur Szczybylo via Shutterstock
A phishing kit that has been used in thousands of attacks worldwide has been
active for significantly longer than previously thought — and it continues to
pose a potent threat to organizations across multiple sectors, new analysis
shows.



The kit, named PerSwaysion, is designed to give cybercriminals a way to launch a
phishing campaign relatively easily and with little up-front effort. The most
notable aspect about the threat is its use of Microsoft file-sharing services,
such as Sway, SharePoint, and OneNote, to lure users to credential-stealing
sites. 

David Pearson, co-founder and CEO of newly launched SeclarityIO, says his
company's analysis of data on PerSwaysion shows the campaign in fact launched
at least as far back as October 2017 and remains active despite public
disclosure of the group's phishing kit and TTPs.



An analysis of data from URLscan showed that over the last 18 months alone, some
7,403 people from across 14 industry sectors landed on 444 unique PerSwaysion
phishing portals at some point. Victims came from organizations within the US
government, financial services, pharmaceutical, healthcare, aerospace,
engineering, technology, and other sectors. Pearson estimates the number of
organizations impacted by the campaign since May 2020 to be at least in the
high hundreds.




"Realistically, this has gone on for so long it is likely that just about [every
sector] is impacted," Pearson says. "This is a phishing kit that has customers
all over the world, and [attackers] are targeting whoever they want."

Security vendor Group-IB gave the campaign its name last year after observing
how extensively it abused the Sway service as part of the attack chain. In an
April 2020 report, Group-IB described PerSwaysion as a collection of small but
targeted phishing attacks executed by multiple criminal groups, mainly against
small and midsize financial services companies, real estate groups, and law
firms.

The security vendor had assessed that the PerSwaysion campaign had been ongoing
since 2019 and had successfully compromised email accounts belonging to at least
156 high-ranking officials at multiple organizations, located mainly in the US
and Canada, with a smaller number in global financial hubs in Germany, the UK,
the Netherlands, and Hong Kong.

Previous reporting on PerSwaysion by Group-IB and others had described attackers
as deploying a three-phase operation to lure users to credential-grabbing
phishing sites. According to Group-IB, the first phase involves potential
victims receiving a well-crafted spear-phishing email with a non-malicious PDF
attachment purporting to be a Microsoft file-sharing notification. 



Users who click on the "Read Now" hyperlink in the notification are directed to
a file hosted on Microsoft Sway or — less often — another Microsoft file-sharing
service. The page is designed to look exactly like an authentic Microsoft
file-sharing site, except that when users click its Read Now link, they are
directed to a credential-harvesting site designed to look like an account
sign-on page.

Drag-and-Drop Op

Pearson says his analysis of PerSwaysion shows the kit essentially makes
deploying a phishing portal a drag-and-drop operation for attackers. The kit
contains templates for spoofing account login pages belonging to eight trusted
brands, including Microsoft, Google, Facebook, Twitter, and — as an indication
of just how long the kit has been around — some older brands like Hotmail and
AOL.

The kit's attack infrastructure itself consists of a front-end phishing portal
that victims land on when they click through the URL links, a template hosting
site, a redirector site that ensures the appropriate template is served up to
the victim, and the credential collection site itself.

Fresh Insight

Pearson says SeclarityIO was also able to uncover fresh insight into the attack
vectors that different threat actors used to initially deliver the PerSwaysion
kit to potential victims, thanks to its network interpreter technology.

The platform allows organizations to upload any kind of traffic flow format to
understand, for example, who might have communicated with whom on the network,
how many packets were sent and received, and other metrics.

"We don't look at any payload information," Pearson says. "We just look at the
flow of information, and we have 30 or so categories that we group traffic
into."

SeclarityIO categorizes communication to any port on any site, he adds, to help
organizations identify malicious activity, like command-and-control (C2)
traffic. The technology works with an organization's network flows and helps
security analysts visualize what vectors an attacker might have used to evade
defenses, how a user might have interacted with the site, and whether that
interaction requires remediation, Pearson notes.

SeclarityIO's platform helped show that in some PerSwaysion attacks, threat
actors used URL shorteners, such as bit.ly and tiny.cc, to try to bypass email
filters and to make malicious URLs appear more legitimate. In other instances,
attackers used email platforms such as sendgrid.net to deliver their phishing
lures straight to user email inboxes. Other tactics included luring users to
legitimate but compromised websites, redirects through online ads, and open
redirects that reroute users to a site other than the one they intended to
visit.
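The lure chain described earlier (a file-sharing notification page that hands the victim off to an external sign-in page) and the delivery vectors just listed (URL shorteners and open redirects) can both be triaged from URL-level proxy logs, without inspecting payloads, in the spirit of the flow-based approach the article attributes to SeclarityIO. The script below is an added example written for this page; it is not SeclarityIO's, Group-IB's, or Dark Reading's code. The shortener hosts come from the article; the Microsoft host lists, the redirect parameter names, the sign-in keywords, and the proxy log lines are constructed assumptions.

```python
"""Triage proxy-log URLs for PerSwaysion-style lure chains (added example)."""
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# URL shorteners named in the article as abused by the campaign.
SHORTENER_HOSTS = {"bit.ly", "tiny.cc"}
# Microsoft file-sharing hosts used as lure pages (assumed host list).
MS_SHARE_HOSTS = ("sway.office.com", "sharepoint.com", "onenote.com")
# Microsoft-owned hosts a genuine sign-in would stay on (assumed list).
MS_TRUSTED_HOSTS = MS_SHARE_HOSTS + ("microsoft.com", "office.com",
                                     "microsoftonline.com", "live.com")
# Query parameters commonly used to carry a redirect target (assumed list).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return",
                   "returnurl", "dest", "target"}
LOGIN_WORDS = ("login", "signin", "sign-in", "auth", "account")

# Constructed proxy log: "<timestamp> <user> <url>" per line. Hosts under
# .invalid and .example are placeholders, not real indicators.
SAMPLE_LOG = """
2021-11-18T09:01:02Z alice https://bit.ly/3abcXYZ
2021-11-18T09:01:05Z alice https://sway.office.com/AbCdEf123
2021-11-18T09:01:40Z alice https://portal-example.invalid/office365/login.php?email=alice%40corp.example
2021-11-18T09:15:00Z bob https://sway.office.com/XyZ987
2021-11-18T09:40:00Z bob https://www.microsoft.com/en-us/microsoft-365
2021-11-18T10:02:00Z carol https://legit-site.example/redirect?url=https://login-verify.invalid/signin
"""


def _under(host, suffixes):
    """True if host equals or is a subdomain of any listed suffix."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_url(url):
    """Return the lure-stage tags that apply to a single URL."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    tags = []
    if host in SHORTENER_HOSTS:
        tags.append("url-shortener")
    if _under(host, MS_SHARE_HOSTS):
        tags.append("ms-file-share")
    # Open redirect: a redirect-style parameter whose value is an absolute
    # URL pointing at a different host than the page itself.
    for name, values in parse_qs(p.query).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for v in values:
            t = urlparse(v)
            if t.scheme in ("http", "https") and t.hostname \
                    and t.hostname.lower() != host:
                if "open-redirect-to-external" not in tags:
                    tags.append("open-redirect-to-external")
    return tags


def looks_like_login(url):
    """Heuristic: path or query mentions sign-in vocabulary."""
    p = urlparse(url)
    hay = (p.path + "?" + p.query).lower()
    return any(w in hay for w in LOGIN_WORDS)


def parse_log(text):
    """Parse constructed 'timestamp user url' lines into sorted event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, url = line.split(maxsplit=2)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "url": url})
    return sorted(events, key=lambda e: (e["user"], e["ts"]))


def find_share_to_login_chains(events, window_seconds=300):
    """Flag a Microsoft file-share page view followed, by the same user and
    within the window, by a request to a non-Microsoft host that looks like
    a sign-in page: the lure-then-harvester pattern the article describes."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    hits = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if "ms-file-share" not in classify_url(e["url"]):
                continue
            for later in evs[i + 1:]:
                gap = (later["ts"] - e["ts"]).total_seconds()
                if gap > window_seconds:
                    break
                host = (urlparse(later["url"]).hostname or "").lower()
                if not _under(host, MS_TRUSTED_HOSTS) and looks_like_login(later["url"]):
                    hits.append({"user": user, "lure": e["url"],
                                 "harvester": later["url"], "seconds": gap})
                    break
    return hits


def triage(log_text):
    """Per-URL tags plus lure-to-harvester chains for a whole log."""
    events = parse_log(log_text)
    tagged = {e["url"]: classify_url(e["url"]) for e in events if classify_url(e["url"])}
    return {"url_tags": tagged, "chains": find_share_to_login_chains(events)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for url, tags in result["url_tags"].items():
        print(f"{', '.join(tags):30} {url}")
    for c in result["chains"]:
        print(f"CHAIN user={c['user']} {c['lure']} -> {c['harvester']} ({c['seconds']:.0f}s)")
```

On the constructed log this flags alice's sway.office.com visit followed 35 seconds later by an external "login.php" page as a lure-to-harvester chain, tags the bit.ly hit and carol's open redirect individually, and leaves bob alone because his follow-up request went to a Microsoft host well outside the window. The per-user time window and the trusted-host allowlist are the two knobs that decide the false-positive rate; a genuine Sway share followed by a real Microsoft sign-in never trips the chain rule because the sign-in host is on the trusted list.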

Pearson says SeclarityIO has been unable to determine how the PerSwaysion kit is
marketed. The company has also been unable to dig up any more information on who
might have developed the kit beyond what Group-IB already revealed last year:
that the operators are likely Vietnamese-speaking.
