Attack technique
Technique name: Phishing Campaign - Mimicking a legitimate website/login page
MITRE ATT&CK
- Tactic: Initial Access
- Technique: Phishing
Technique description
Phishing remains a persistent and evolving threat, and fake login pages that mimic popular websites are a primary way attackers deceive users into entering their credentials on a site the attacker controls. The HTTP Referer header identifies the URL from which a request originated, letting a website see where its visitors came from. Phishing kits, which attackers commonly use to build these pages, tend to behave alike: after harvesting the credentials, they redirect the victim to the genuine site being impersonated.
Insights from threat intelligence
Recent reports have highlighted a surge in credential harvesting campaigns. These campaigns are often powered by phishing kits that evolve constantly and are shared within threat actor communities, enabling even inexperienced adversaries to deploy convincing fake login pages. By mimicking authentic websites, these campaigns deceive users and harvest sensitive credentials, posing a significant risk to organizational assets and resources.
References
- Credential Harvesting at Scale Without Malware | Unit42 - Palo Alto Networks
- Cloud Credentials Phishing | Malicious Google Ads Target AWS Logins | SentinelOne Blog
- What are the most common methods cyber attackers use to infect a system with malware? | ANY.RUN Blog
Threat hunting theses breakdown
Credential Phishing Detection Based on a Suspicious HTTP Referrer
Relevant data sources: Proxy Logs
Thesis explanation
Redirecting the victim to the legitimate site right after the credentials are submitted is common behaviour of attacks built on phishing kits. An HTTP request to the authentic site whose Referer header carries a suspicious domain can therefore serve as an important signal of phishing activity.
The thesis focuses on HTTP requests to legitimate sites that are commonly targeted by phishing campaigns, where the Referer header points to a suspicious domain.
Blind spots
- Referrer domains that are observed on 10 or more hosts are out of scope of this thesis
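As an added example (not part of the original hunting thesis), the following Python script applies the thesis to a handful of constructed proxy log lines: it keeps only requests to commonly impersonated login sites, extracts the registrable domain from the Referer, drops self-referrals and well-known domains (a tiny stand-in for a popularity list such as Cisco Umbrella Top 1 Million), and then applies the blind spot above by excluding referrer domains seen on 10 or more hosts. The tab-separated log format, the list of targeted hosts and the allowlist are all assumptions made for the example.

```python
"""Hunt for credential-phishing redirects: requests to commonly impersonated
login sites whose Referer points at an unknown, low-prevalence domain."""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: the proxy exports tab-separated fields in this order.
# ts, source_host, method, url, status, referer ('-' when no Referer was sent)
FIELDS = ("ts", "src", "method", "url", "status", "referer")

# Login sites commonly impersonated by phishing kits (illustrative set, not exhaustive).
TARGET_HOSTS = {"login.microsoftonline.com", "accounts.google.com", "login.live.com"}

# Constructed stand-in for a popularity list such as Cisco Umbrella Top 1 Million.
KNOWN_GOOD = {"office.com", "microsoft.com", "google.com"}

# Blind spot from the thesis: referrer domains seen on this many hosts or more are excluded.
HOST_PREVALENCE_LIMIT = 10


def registrable_domain(host):
    """Last two DNS labels. Simplification: multi-label suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """Split one proxy record into a dict, or return None if the line is malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def hunt_suspicious_referrers(lines):
    """Return {referrer_domain: [(src_host, target_url), ...]} for requests that reach
    a targeted login site from an unknown referrer domain seen on fewer than 10 hosts."""
    hits = defaultdict(list)        # candidate referrer domain -> observations
    hosts_seen = defaultdict(set)   # candidate referrer domain -> distinct source hosts
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["referer"] == "-":
            continue
        target_host = urlsplit(rec["url"]).hostname or ""
        if target_host not in TARGET_HOSTS:
            continue
        ref_host = urlsplit(rec["referer"]).hostname or ""
        if not ref_host:
            continue
        ref_domain = registrable_domain(ref_host)
        # Self-referrals inside the legitimate site and well-known domains are expected traffic.
        if ref_domain == registrable_domain(target_host) or ref_domain in KNOWN_GOOD:
            continue
        hosts_seen[ref_domain].add(rec["src"])
        hits[ref_domain].append((rec["src"], rec["url"]))
    # The prevalence blind spot can only be applied once every record has been counted.
    return {dom: obs for dom, obs in hits.items()
            if len(hosts_seen[dom]) < HOST_PREVALENCE_LIMIT}


# Constructed sample proxy records (not real traffic).
SAMPLE_LOG = [
    "2024-05-01T09:12:03Z\tws-01\tGET\thttps://login.microsoftonline.com/common/oauth2/authorize\t200\thttps://logon.microsiftonlne.com/office365/index.php",
    "2024-05-01T09:13:10Z\tws-02\tGET\thttps://login.microsoftonline.com/common/oauth2/authorize\t200\thttps://outlook.office.com/mail/",
    "2024-05-01T09:14:00Z\tws-03\tGET\thttps://accounts.google.com/ServiceLogin\t200\thttps://www.google.com/",
    "2024-05-01T09:15:22Z\tws-04\tGET\thttps://login.microsoftonline.com/common/oauth2/authorize\t200\t-",
    "2024-05-01T09:16:45Z\tws-05\tGET\thttps://www.example.org/\t200\thttps://logon.microsiftonlne.com/",
] + [
    # An internal SSO portal refers ten distinct hosts to the real login page: excluded by the blind spot.
    f"2024-05-01T10:00:{i:02d}Z\tws-{10 + i}\tGET\thttps://login.microsoftonline.com/common/oauth2/authorize\t200\thttps://sso.example-corp.net/start"
    for i in range(10)
]

if __name__ == "__main__":
    for domain, observations in hunt_suspicious_referrers(SAMPLE_LOG).items():
        print(domain, observations)
```

Only ws-01 survives the filters: ws-02 and ws-03 come from allowlisted or same-site referrers, ws-04 sent no Referer, ws-05 did not request a targeted site, and the SSO portal is seen on exactly ten hosts. Against real proxy logs the allowlist should be replaced by a proper popularity list and the host count computed over a long enough window for the prevalence threshold to be meaningful.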
Recommended investigation flow
- Investigate the referrer domain:
  - Does the domain appear in the Cisco Umbrella Top 1 Million list?
  - Is it a baby domain (registered recently)?
  - Which registrar registered it?
  - Does it have a valid certificate?
  - Does the WHOIS information reveal the organization that owns the domain?
  - When was it first accessed from the organization?
  - How frequently is it accessed?
  - Is it associated with phishing or any other malicious activity according to VirusTotal or other threat intelligence sources?
  - Does the website itself mimic the look of the website the user was redirected to?
  - Is the domain in the referer field similar to the value of the target host? (e.g. referer field: logon.microsiftonlne[.]com | host field: login.microsoftonline[.]com)
- Investigate the phishing origin and look for suspicious activity:
  - Did the affected user receive an email with a link to the suspicious referrer domain around the time of the HTTP request?
  - Was there suspicious use of the credentials after the request was made (for example, an anomalous IP address accessing organizational applications on behalf of the affected user)?
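The referer-versus-host similarity check in the flow above can be automated for triage. The following Python helper is an added example (not part of the original thesis): it compares the registrable domains of the referrer and the target host with difflib's SequenceMatcher ratio, which catches the typo-squat in the page's example, and goes one step further than the page by also flagging referrers that reuse the target's brand label in an otherwise unrelated domain (for instance microsoftonline-verify.example). The 0.85 ratio threshold and the last-two-labels definition of a registrable domain are assumptions for the example; defanged input with "[.]" is accepted.

```python
"""Investigation helper: does the referrer domain resemble the legitimate target host?
Flags edit-distance lookalikes (microsiftonlne.com vs microsoftonline.com) and
brand-reuse patterns (microsoftonline-verify.example vs microsoftonline.com)."""
from difflib import SequenceMatcher


def labels(host):
    """Lower-case DNS labels; accepts defanged input such as 'login.live[.]com'."""
    return host.strip().lower().replace("[.]", ".").rstrip(".").split(".")


def registrable_domain(host):
    """Last two labels. Simplification: multi-label public suffixes (co.uk) are not handled."""
    return ".".join(labels(host)[-2:])


def brand_label(host):
    """Label directly left of the suffix: 'microsoftonline' for login.microsoftonline.com."""
    return labels(host)[-2]


def lookalike_assessment(referer_host, target_host, ratio_threshold=0.85):
    """Return (is_lookalike, reason, similarity).

    similarity is SequenceMatcher's ratio of the two registrable domains (1.0 = identical).
    ratio_threshold is an assumed tuning value for this example, not a standard."""
    ref_dom = registrable_domain(referer_host)
    tgt_dom = registrable_domain(target_host)
    if ref_dom == tgt_dom:
        return False, "same registrable domain", 1.0
    similarity = SequenceMatcher(None, ref_dom, tgt_dom).ratio()
    if similarity >= ratio_threshold:
        return True, f"registrable domain {ref_dom} is a near-match of {tgt_dom}", similarity
    # Brand reuse: the target's brand label appears as a whole label or as a
    # hyphen-separated token anywhere in the referrer name.
    brand = brand_label(target_host)
    tokens = {tok for lbl in labels(referer_host) for tok in lbl.split("-")}
    if brand in tokens:
        return True, f"target brand '{brand}' reused inside unrelated domain {ref_dom}", similarity
    return False, "no resemblance to the target host", similarity


if __name__ == "__main__":
    # Constructed pairs, including the referer/host example from the investigation flow.
    for ref, tgt in [
        ("logon.microsiftonlne[.]com", "login.microsoftonline[.]com"),
        ("outlook.office.com", "login.microsoftonline.com"),
        ("microsoftonline-verify.example", "login.microsoftonline.com"),
        ("login.microsoftonline.com", "login.microsoftonline.com"),
    ]:
        flagged, reason, sim = lookalike_assessment(ref, tgt)
        print(f"{ref:32} -> {tgt:28} lookalike={flagged} sim={sim:.2f} ({reason})")
```

The ratio for the page's example (microsiftonlne.com against microsoftonline.com) is about 0.92, well above the threshold, while outlook.office.com scores far below it and is left alone; the brand-reuse rule is what catches the hyphenated variant, whose ratio alone would not cross the threshold. Any positive result is still only one signal to weigh alongside the domain age, registrar and reputation checks listed above.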