Phishing campaigns, in combination with man-in-the-middle attacks, are extremely potent, and as such their popularity among criminals is surging.
This is according to a new report (opens in new tab) from Cofense, which found instead of just one fake login page where they’d steal the credentials, the threat actors are luring victims to web servers capable of brokering the entire authentication process.
That means, should the victim fall for the deception, they’d give the attackers more than just their login information (username and passwords) – they’d also give them session cookies and thus allow them to bypass multi-factor authentication (MFA).
Phishing threat
With that in mind, the number of phishing emails reaching people’s inboxes grew by more than a third (35%) between Q1 2022 and Q1 2023. Of all the man-in-the-middle credential phishing attacks that reached people’s inboxes, almost all (94%) targeted Office 365 authentication.
Finally, nine in ten (89%) of campaigns used at least one URL redirect, while 55% used two, or more.
While these malicious (opens in new tab) landing pages might look almost identical to the authentic ones, there are some things the attackers simply can’t copy. Employees should be aware of these things, and always keep them in mind before logging in anywhere – especially if the login link came from an email or a social media message.
The easiest way to determine if the landing page is malicious is to take a closer look at the URL. The threat actors will try and get the URL to be as close to the original as possible, so look for any suspicious words, typos, or similar. Another way to determine if a landing page is after your sensitive data is to inspect the website certificate, as these are authorized by a certificate authority. Users should look for the padlock icon in the web browser, as that indicates the validity of the certificate and the security of the connection between the browser and the destination.
“The common name in the certificate of the legitimate website is microsoftonline.com. The common name in the certificate from the man-in-the-middle server has nothing to do with Microsoft at all,” the researchers concluded.
