A couple of posts this week have crossed my virtual desk that show the state of internet hacking continues to reach new depths. The first one is from Microsoft Research, the second is from a little-known security outfit called VulnCheck.
The Microsoft report describes what it calls a multi-stage adversary-in-the-middle attack. Back in the day, we had man-in-the-middle and browser-in-the-middle exploits that involved ways to phish a target and then trick them into giving up their account credentials. As our credentials got stronger, for example with multi-factor authentication (MFA), the crooks got more sophisticated at prying the additional factors out of us by putting up fake websites.
The new attacks take things to a more complicated level, and indeed, you need a diagram to follow the various logic flows: a compromised email account is used to launch a new email campaign, which in turn launches several new campaigns that target new organizations. All of them use what are called indirect proxies, so the attackers can control the phishing pages you see, steal web session cookies, change MFA methods, and pull other tricks. One thing that makes this attack harder to spot is that, unlike typical phishing attacks, no web traffic actually flows between the target and the real website being faked. The complete details are at the above link.
The other post, from VulnCheck, describes research they uncovered recently. This attack impersonated security researchers by copying pictures of actual analysts and attaching them to fake names, social media accounts and GitHub projects, with each project claiming to hold a zero-day exploit as a lure. Try as they might, the VulnCheck folks would find and neutralize one fake GitHub account only to have it pop up again a few hours later. All of the claims are phony; the projects instead contained malware that the attackers try to get their targets to download, so they can further compromise things. All of the phonies had one thing in common — they all worked for the High Sierra Cyber Security company, which as you might guess, doesn’t exist. But give them props for all the effort involved in setting this up. If this sounds familiar, the same scenario was used during the Russian attempts on our 2016 election.