Newsletter 09/10/2023


Phishing Back in the News
The Push and Pull of Domain Phishing

Google is pushing ahead with its Safe Browsing feature.  Essentially, Google Chrome will check URLs against Google's list of sites known not to be safe.  Nonetheless, domain phishing sites remain an unmitigated threat.  "... Phishing domains have gotten more sophisticated — and today, 60% of them exist for less than 10 minutes, making them difficult to block," according to Google's announcement of September 7, 2023.  Over time, or "in the coming weeks," this feature will be rolled out to all Chrome users.

Google Chrome has had a Safe Browsing feature since 2020, but right now if you choose to enable Enhanced Safe Browsing mode, Google will offer you increased protection against Domain Phishing sites.  The goal of Enhanced Safe Browsing is to "block new attacks with AI, provide deep scan for files, and offer extra protection from malicious Chrome extensions."  All this is done "without sharing your browsing history with Google." [Ibid]  A more complete Introduction with instructions on how to enable Google Enhanced Safe Browsing was posted herein, July 11, 2023.

Of course, Enhanced Safe Browsing is not without its critics.  Yet, these criticisms seem very weak from a Consumer viewpoint.  CNET posted a Pro and Con review of Enhanced Safe Browsing, July 18, 2023.  CNET was heavy on the Pros and very light on the Cons.  CNET's main criticism is that Users are sharing much of their browsing history and other personal information with Google.  That's like saying "Avoid earning any money because you will have to share those monies with the US Government."  Some things are inevitable: Death, Taxes, and Data Collection While Online.

CNET's other criticism is wholly irrelevant to Consumers.  "Enhanced Safe Browsing could also hurt developers," so says CNET. [Ibid]  In fact, this, too, is actually a benefit to Consumers.  Developers must wait before Google will approve a new product.  As CNET explained it, "Google requires new developers to follow the developer program policies for a few months before they can be labeled as trusted."  And this could negatively impact the income of those who develop Web Widgets.  Well, Boo, Freakin', Hoo!  Welcome to the 21st Century, Potential Crooks.  The problem that all Consumers face while online is: "Who Do You Trust While Online?"  Personally, I choose to trust Google far more than some software entrepreneur wannabe hungry for ad revenue.

For Users of Microsoft 365 (formerly Office), Enhanced Safe Browsing is of particular value right now.  A hacker group known as W3LL is offering to its kindred lost souls a "phishing kit that can bypass multi-factor authentication along with other tools that compromised more than 8,000 Microsoft 365 corporate accounts," as The Hacker News reported, September 6, 2023.  Security vendor Group-IB has published an in-depth look into the criminal activities of W3LL.  The report's title states well the topic: "W3LL DONE: HIDDEN PHISHING ECOSYSTEM DRIVING BEC ATTACKS." [pdf will open]  Group-IB describes the work of W3LL as an "Adversary-in-The-Middle" type of attack. (p. 6)  As MITRE explains an AiTM attack:

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation.

Moreover, Group-IB reports that "attacker-controlled infrastructure is placed between a victim and a genuine server, which enables threat actors to manipulate and modify requests to their advantage."  These actions, according to Group-IB, are what allow W3LL, and like-minded threat actors, to "steal session cookies and bypass multi-factor authentication (MFA), thereby gaining direct access to victims’ accounts undetected and ensuring better persistence." (Ibid.)  What W3LL offers its criminal clientele is a "marketplace" where W3LL can sell "a full spectrum of tools and supplementary items required for phishing operations." (p. 8)

W3LL has been successful in its criminal campaign.  Of note, Group-IB researchers identified that W3LL targeted "56,000 corporate Microsoft 365 accounts and more than 8,000 (about 14.3%) of them were ultimately compromised." (p. 9)

Microsoft has detailed recent AiTM attacks, as well.  Microsoft has outlined AiTM attacks that began with what is the greatest security threat and dilemma small business people face: "Stage 1: Initial access via trusted vendor compromise."  Indeed, "phishing emails from a trusted vendor" is a very common attack vector.  The phishing emails Microsoft observed contained a link that spoofed a legitimate site with a bogus OneDrive announcement.  Once the link was clicked, the user was sent to "a phishing page hosted on the Tencent cloud platform that spoofed a Microsoft sign-in page." (Ibid.)  From there, the attacker was able to intercept a 2FA request and gain access to the victim's email accounts.

A week after Microsoft published its report on AiTM attacks, on June 13, 2023, security vendor Sygnia documented its findings about a similar AiTM attack on one of its corporate customers.  The outline of the AiTM attack within the Sygnia report is the most succinct summary of how an AiTM attack unfolds: it begins as a seemingly innocuous email from a trusted source with a link to a file sharing page; from there, the threat actors gained access to a "legitimate Microsoft authentication service;" and ultimately the corporate victim's own clients were further ensnared in the Business Email Compromise (BEC) and AiTM attack.

Compounding the real problem of rogue websites meant to spoof those of legitimate entities is the sheer number of WordPress sites run by operators with little to no technical acumen.  As reported by securelist.com, and posted on August 24, 2023, over 43% of all web pages and websites on the Internet were generated with the notably not secure WordPress application.  Furthermore, many of these sites are also powered by third-party plug-ins, also noted for a lack of security.  And a vast number of these sites are abandoned.  As such, these websites are easy pickings for hackers upon which to host their wicked warez.

Indeed, as the authors well summarized their findings:

Websites powered by WordPress often suffer from vulnerabilities that allow scammers to easily gain access to the control panel using a special script and publish malicious content.

Unfortunately, it is true, and as the securelist authors put it, "Phishers want their fake pages to cost minimum effort but generate as much income as possible, so they eagerly use various tools and techniques to evade detection, and save time and money."  The suggestions the securelist authors gave their readers may sound familiar to regular readers of this blog.  The authors begin their recommendations with the following acknowledgement: "Although hackers work hard to create credible imitations of popular websites whose users they are targeting, you can recognize the signs of phishing on a hacked website."  Look for elements in the URL that logically should not appear in a URL, like a spoofed brand or a directory name.  Basically, users should be aware of, and beware of, "Page content unrelated to the rest of the website."  Amen.
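The "look at the URL before you click" advice above can be written down as a checklist and run by a program.  The following is an added example, not code from this newsletter, from securelist, or from Google; it applies a few simple heuristics to a URL: is the scheme https, is there a user@ part hiding the real host, is the host a bare IP address, does a brand name (Microsoft, OneDrive, Google) appear in the hostname or the path of a site that does not belong to that brand, and is a login-style page being served out of a WordPress content directory.  The brand-to-domain table, the login keywords, and the sample URLs are all constructed for illustration, and the "registrable domain" helper is a two-label approximation rather than a Public Suffix List lookup.

```python
"""Heuristic URL inspection: the securelist "signs of phishing" advice as code.

Added example for this newsletter; the brand table, keyword list and sample
URLs are constructed for illustration and are not from any vendor's product.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: brand token -> registrable domains that may legitimately
# serve that brand's sign-in or file-sharing pages (assumption, not authoritative).
KNOWN_BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
    "onedrive": {"onedrive.com", "live.com", "microsoft.com"},
    "google": {"google.com"},
}

# Words that usually mean "this page wants your credentials".
LOGIN_TOKENS = ("login", "signin", "sign-in", "verify", "auth", "account")


def registrable_domain(host):
    """Two-label approximation of the registrable domain (assumption: no
    Public Suffix List; 'login.microsoftonline.com' -> 'microsoftonline.com')."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    """True if the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_url(url):
    """Return a list of human-readable warnings; an empty list means nothing
    in the URL itself looked suspicious (it does NOT mean the site is safe)."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname in URL"]

    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}, not https")
    # 'https://login.microsoftonline.com@198.51.100.7/' really goes to the IP:
    # everything before '@' is userinfo, not the host.
    if parts.username is not None:
        findings.append(f"text before '@' is not the host; the real host is {host!r}")
    if is_ip_literal(host):
        findings.append("host is a bare IP address")

    reg = registrable_domain(host)
    path_and_query = (parts.path + "?" + parts.query).lower()
    for brand, domains in KNOWN_BRANDS.items():
        on_brand_host = reg in domains
        if brand in host and not on_brand_host:
            findings.append(f"brand {brand!r} appears in hostname but domain is {reg!r}")
        if brand in path_and_query and not on_brand_host:
            findings.append(f"brand {brand!r} appears in path/query on unrelated host {reg!r}")

    # A sign-in page under /wp-content or /wp-includes is the hacked-WordPress pattern.
    if "/wp-" in path_and_query and any(t in path_and_query for t in LOGIN_TOKENS):
        findings.append("login-style page served from a WordPress content directory")
    return findings


# Constructed sample URLs (the .test TLD is reserved for examples).
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://example-garden-supplies.test/wp-content/uploads/microsoft/login.php",
    "http://microsoft.login-verify.test/onedrive",
    "https://login.microsoftonline.com@198.51.100.7/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u)
        for f in inspect_url(u) or ["(no URL-level warnings)"]:
            print("   -", f)
```

The legitimate Microsoft sign-in URL produces no warnings, while the hacked-site, look-alike-host, and user@IP URLs each trip two or three checks.  The heuristics are deliberately crude; their value is in making explicit what a careful reader of the address bar is already doing.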

It is this environment that makes Google Enhanced Safe Browsing so valuable to Consumers.  Although far from perfect, Google has better means than any other entity to index, sort, and categorize locations on the Internet.  Enhanced Safe Browsing is no panacea for web security — as there are none.  Between believing what your own eyes are telling you about the location on the Internet you are about to click on — if you will only carefully look at and examine the URL before you click it — and the resources of Google's vast and ongoing indexing of almost every page on the Internet, any Consumer can surf the web with better security.  The Bottom Line here is:

[Ed Note: No WordPress here. Just good old HTML 5, CSS, and a fair amount of coding by hand.]

¯\_(ツ)_/¯
Gerald Reiff