One Article Review

Home - The article:
Source RiskIQ
Identifier 8615686
Publication date 2024-11-21 21:51:24 (viewed: 2024-11-21 22:08:33)
Title Financially Motivated Threat Actor Leveraged Google Docs and Weebly Services to Target Telecom and Financial Sectors
Text

#### Targeted Industries

- Communications Infrastructure
- Financial Services

## Snapshot

EclecticIQ released a report detailing an October 2024 phishing campaign impacting the telecommunications and financial sectors. The campaign leveraged Google Docs and Weebly, two trusted platforms, to evade detection and social engineer targets. Attackers embedded phishing links in Google Docs presentations, redirecting victims to fake login pages hosted on Weebly. This approach allowed the campaign to bypass traditional email filters and endpoint protections, exploiting the legitimacy of these platforms.

## Description

The campaign employed customized phishing pages mimicking telecom and financial institutions, such as AT&T and Canadian banks. These pages incorporated fake multi-factor authentication (MFA) prompts to increase credibility and deceive victims into divulging sensitive information. Dynamic DNS infrastructure enabled frequent URL rotation, complicating detection and takedown efforts. Legitimate tracking tools like Google Analytics were integrated into phishing kits to monitor user interactions, collect IP data, and refine attack strategies.

According to EclecticIQ researchers, the attackers also used SIM swapping to bypass SMS-based MFA protections, emphasizing the need for app-based or hardware-based MFA solutions. Additionally, the campaign featured phishing lures targeting cybersecurity professionals by imitating trusted security training content. This strategy aimed to compromise privileged accounts through tailored and convincing phishing attempts. The use of shared IP addresses and infrastructure centralization within Weebly's hosting network highlighted the operational efficiency of the threat actors.

## Microsoft Analysis and Additional OSINT Context

Threat actors use Google Analytics in phishing campaigns to exploit its legitimate functionality for malicious purposes. By integrating tracking scripts, attackers can gather detailed information about victim interactions, such as browser type, operating system, geographical location, and behavior on phishing pages. This data allows attackers to fine-tune their campaigns, optimizing malicious domains and phishing content to align with the preferences and vulnerabilities of their target demographics. The ability to monitor campaign effectiveness in real time, including click rates and navigation patterns, mirrors the marketing insights sought by legitimate users. However, in the hands of cybercriminals, these analytics enhance the precision and longevity of phishing campaigns, making them more adaptive and harder to detect.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat.

- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensur
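The lure chain described in the Snapshot above (a link in a Google Docs presentation that redirects to a credential page on a Weebly subdomain) can be hunted for in web proxy logs. The script below is an added detection example, not code from the EclecticIQ or Microsoft report; the log line format, the sample records and the brand keyword list are all assumptions, and every hostname in the sample is a constructed placeholder rather than an indicator from the report.

```python
"""Flag proxy log entries matching a Google Docs presentation -> Weebly hop.

Added illustration; log format, sample data and keyword list are assumptions.
"""
import re
from urllib.parse import urlparse

# Constructed sample proxy records: "<timestamp> <user> <referrer> <requested_url>".
# Hostnames are invented placeholders, not indicators from the report.
SAMPLE_LOG = """\
2024-10-14T09:12:01Z alice https://docs.google.com/presentation/d/EXAMPLE1/pub https://att-account-verify.weebly.com/login
2024-10-14T09:12:05Z alice https://att-account-verify.weebly.com/login https://att-account-verify.weebly.com/mfa
2024-10-14T10:03:44Z bob https://mail.example.org/ https://docs.google.com/presentation/d/EXAMPLE2/pub
2024-10-14T11:45:10Z carol https://docs.google.com/presentation/d/EXAMPLE3/pub https://www.weebly.com/pricing
2024-10-14T12:00:00Z dave https://docs.google.com/document/d/EXAMPLE4/edit https://intranet.example.org/wiki
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Assumed brand/credential keywords; tune to the brands your users actually use.
LURE_KEYWORDS = ("att", "bank", "login", "signin", "verify", "mfa", "secure")

def is_gdocs_presentation(url):
    """True for a Google Docs *presentation* URL (the lure carrier in this campaign)."""
    p = urlparse(url)
    return p.hostname == "docs.google.com" and p.path.startswith("/presentation/")

def is_weebly_subdomain(url):
    """True for a customer site under weebly.com; www.weebly.com is Weebly's own site."""
    host = urlparse(url).hostname or ""
    return host.endswith(".weebly.com") and host != "www.weebly.com"

def lure_score(url):
    """Count brand/credential keywords in the destination hostname (higher = more suspicious)."""
    host = (urlparse(url).hostname or "").lower()
    return sum(1 for k in LURE_KEYWORDS if k in host)

def flag_entries(log_text):
    """Return (user, referrer, url, score) for each presentation -> Weebly hop."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed record; skip rather than crash the sweep
        _ts, user, referrer, url = m.groups()
        if is_gdocs_presentation(referrer) and is_weebly_subdomain(url):
            hits.append((user, referrer, url, lure_score(url)))
    return hits

if __name__ == "__main__":
    for hit in flag_entries(SAMPLE_LOG):
        print(hit)
```

Only the first record is flagged: the hop from Weebly to Weebly, the hop into Google Docs, the hop to Weebly's own www site and the hop from a Docs document (not a presentation) are all left alone, which keeps the rule from firing on ordinary use of either platform.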
Rating ★★★
Sent Yes
Tags Tool Vulnerability Threat


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.