Abusing Microsoft’s Azure domains to host phishing attacks

Recently, the Zscaler ThreatLabZ team came across various phishing attacks leveraging Microsoft Azure custom domains. These sites are served with a Microsoft SSL certificate, so they are unlikely to raise suspicion about their authenticity. We notified Microsoft, who quickly engaged to shut these sites down, while we took action to detect and block 2,000 phishing attempts from these domains over a six-week period. In this blog, we will describe two of the prominent vectors used and show several examples of the phishing pages.

The following figure depicts the phishing hits that were hosted using the Azure domain (Windows.net) and blocked by the Zscaler cloud.

Fig 1: Phishing hits using the Azure domains web.core.windows.net (green) and blob.core.windows.net (orange)

The following is the Whois lookup information for the Windows.net domain.

Fig 2: Whois lookup info for the Windows.net domain

For these phishing campaigns, the delivery vector was spam email.

CASE 1: In this case, the attacker sends a spam email to a user, appearing to come from a particular organization and notifying the user that seven emails have been quarantined. It states that in order to review the emails, the user has to log in using their work or school account.

Fig 3: Spam email with direct phishing link

If the user clicks the "view emails" button, it redirects to the Outlook login phishing page (hxxps://onemailofice365(.)z13(.)web(.)core(.)windows(.)net/index(.)html).

Fig 4: Outlook login phishing page

Some users may be confused by the unfamiliar URL hosting the Outlook login page. To reassure those users, the attackers rely on the SSL certificate issued by Microsoft for the hosting domain, as shown below.

Fig 5: SSL certificate page of the hosted phishing URL

The following figure depicts the source code of the phishing page, which the attackers use to collect users' data.

Fig 6: Source code of the phishing URL page

Once the user enters their login information, the form posts the credential details to a compromised domain operated by the cybercriminals.

Fig 7: Captured data traffic sent to the attacker's site

CASE 2: In this method, the attackers send a spam email with an attached HTML file that looks like a voice message. Once the user opens the HTML file, it redirects to the phishing page hosted on the Azure domain.

Fig 8: Spam mail with double extension method

Fig 9: Outlook login phishing page redirected from the voice message

In this phishing campaign, the attackers injected obfuscated JavaScript that checks the submitted credentials against those already present in their database, to avoid storing duplicates.

Fig 10: Obfuscated JavaScript to validate user credentials to avoid duplication

The following figure depicts the deobfuscated JavaScript. This code validates the user's credential details and sends them to the attacker's server (hxxps://validr2vtap2l3eh544kb(.)azurewebsites(.)net/v20(.)php).

Fig 11: Deobfuscated JavaScript

Fig 12: User data is sent to the attacker's site using the function getValidatorURL().

In addition to the Outlook phishing campaigns, we have seen other phishing campaigns associated with these Azure domains: Microsoft phishing, OneDrive phishing, Adobe Document phishing, Blockchain phishing, and more. The following figures show the different phishing campaigns hosted using the Azure domain (Windows.net).

Fig 13: Microsoft login phishing page

Fig 14: Adobe login phishing page

Fig 15: Blockchain login phishing page

Fig 16: OneDrive login phishing page

Conclusion

The Zscaler cloud blocked more than 2,000 phishing attacks over six weeks that were hosted using the Azure domain (Windows.net). The following diagram represents the various kinds of phishing campaigns that were blocked by the Zscaler cloud.
Fig 17: Detected phishing hits

Fig 18: The Zscaler Zulu URL Risk Analyzer score for one of the phishing URLs

IOCs
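As an added example (not code from the Zscaler post), a small Python triage helper for the pattern described above: it picks out URLs on the Azure static-website and blob endpoints and flags those whose storage-account label carries brand or credential lure terms, including lookalikes that swap digits for letters. The lure-term list and all sample URLs except the one quoted in the post are constructed for this example.

```python
from urllib.parse import urlsplit
# Azure Storage endpoints the post describes as abused for hosting phishing pages.
AZURE_STATIC_SUFFIXES = (".web.core.windows.net", ".blob.core.windows.net")

# Brands impersonated in the post (Outlook/Office 365, OneDrive, Adobe, blockchain
# wallets) plus generic credential-lure words; the list is constructed here.
LURE_TERMS = ("microsoft", "office", "outlook", "onedrive", "sharepoint", "exchange",
              "adobe", "blockchain", "wallet", "voice", "mail", "login", "signin",
              "secure", "validat", "account")
# Digit-for-letter substitutions often used in lookalike labels (e.g. micr0soft).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed sample of URLs as seen in proxy logs: the first host is the one quoted
# in the post, the others are made up for this example.
SAMPLE_URLS = [
    "https://onemailofice365.z13.web.core.windows.net/index.html",
    "https://micr0softmailsignin.z9.web.core.windows.net/",
    "https://teamdocs.z19.web.core.windows.net/",
    "https://login.microsoftonline.com/",
]

def azure_storage_label(url):
    """Storage-account label if the URL is on an Azure static-website or blob
    endpoint, else None. Static sites carry a zone label (z13) that is dropped."""
    host = (urlsplit(url).hostname or "").lower()
    for suffix in AZURE_STATIC_SUFFIXES:
        if host.endswith(suffix):
            return host[: -len(suffix)].split(".")[0]
    return None

def lure_terms_in(label):
    """Lure terms present in the label after undoing digit substitutions."""
    return [t for t in LURE_TERMS if t in label.translate(LEET)]

def triage(url):
    """(verdict, reasons): 'suspect' when an Azure-hosted page's account label carries
    lure terms, 'review' for any other Azure static host, 'ignore' otherwise."""
    label = azure_storage_label(url)
    if label is None:
        return ("ignore", [])
    hits = lure_terms_in(label)
    reasons = ["lure terms: " + ", ".join(hits)] if hits else []
    if set(hits) - {t for t in LURE_TERMS if t in label}:
        reasons.append("lure term hidden by digit-for-letter substitution")
    return ("suspect" if hits else "review", reasons)

def suspects(urls):
    """Reduce a batch of URLs to those worth blocking or investigating."""
    return [u for u in urls if triage(u)[0] == "suspect"]
```

The 'review' verdict exists because a legitimate tenant may host a static site on these endpoints; only the label, not the Microsoft certificate, distinguishes the phishing hosts.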

Link: https://www.zscaler.com/blogs/research/abusing-microsofts-azure-domains-host-phishing-attacks

Fake Instagram Verification

Across various social media platforms there are verification checkmark symbols that appear near the name of the account page we view. For example, this verified account indicator seen on our Twitter page:

These verification checkmarks exist as a credibility indicator to help show authenticity and integrity to social media page visitors.
In order to obtain these checkmark symbols, page owners must meet a list of various requirements and undergo a verification process with their social media provider.
Continue reading Fake Instagram Verification at Sucuri Blog.

Link: https://blog.sucuri.net/2019/06/fake-instagram-verification.html

MFA is No Cure for Phishing

Last year my Twitter feed became full of stories and retweets about how Google “solved the phishing problem” using hardware multi-factor authentication (MFA) tokens. One such article covering this topic was “Google: Security Keys Neutralized Employee Phishing” by the venerable Brian Krebs. While I have a lot of respect for his work, I have to strongly disagree with the title of his blog post. If you haven’t already read the story, take a moment to familiarize yourself with it. I don’t want to be the one to crush your hopes and dreams, but, frankly, this is untrue.
Before we get too far into this, I want to throw this out there and say that for the sake of this article, I use the term MFA loosely and as a synonym for 2-factor authentication (2FA). I will also mention that I am a fan of MFA and cover some information about MFA in a previous article I wrote for this column, "Credential Phishing – Easy Steps to Stymie Hackers"; however, it is not the cure for everything as some people seem to think. In my years doing sysadmin and information security work for the US Army and in the private sector, I have learned to appreciate the great things that MFA can do to secure systems and communications, something I have even covered in previous articles in this very column. I have also learned that it has its limitations as well. I want to go on record saying this: MFA does not solve the phishing epidemic.
The post MFA is No Cure for Phishing appeared first on The Ethical Hacker Network.

Link: https://www.ethicalhacker.net/columns/kron/mfa-is-no-cure-for-phishing/

URLextractor – Information Gathering and Website Reconnaissance

Information gathering & website reconnaissance

Usage: ./extractor http://www.hackthissite.org/

Tips:
Colorex: adds colors to the output. pip install colorex and use it like ./extractor http://www.hackthissite.org/ | colorex -g "INFO" -r "ALERT"
Tldextract: used by the dnsenumeration function. pip install tldextract

Features:
IP and hosting info like city and country (using FreegeoIP)
DNS servers (using dig)
ASN, network range, ISP name (using RISwhois)
Load balancer test
Whois for abuse mail (using Spamcop)
PAC (Proxy Auto Configuration) file
Compares hashes to diff code
robots.txt (recursively looking for hidden stuff)
Source code (looking for passwords and users)
External links (frames from other websites)
Directory fuzz (like Dirbuster and Wfuzz, using the Dirbuster directory list)
URLvoid API: checks Google page rank, Alexa rank and possible blacklists
Provides useful links at other websites to correlate with IP/ASN
Option to open ALL results in browser at the end

Changelog to version 0.2.0:
[Fix] Changed GeoIP from freegeoip to ip-api
[Fix/Improvement] Remove duplicates from robots.txt
[Improvement] Better whois abuse contacts (abuse.net)
[Improvement] Top passwords collection added to source code checking
[New feature] First run verification to install dependencies if needed
[New feature] Log file
[New feature] Check for hostname on log file
[New feature] Check if hostname is listed on Spamhaus Domain Blacklist
[New feature] Run a quick dnsenumeration with common server names

Changelog to version 0.1.9:
Abuse mail using lynx instead of curl
Target server name parsing fixed
More verbose about HTTP codes and directory discovery
MD5 collection for IP fixed
Links found now show unique URLs from array
[New feature] Google results
[New feature] Bing IP check for other hosts/vhosts
[New feature] Opened ports from Shodan
[New feature] VirusTotal information about IP
[New feature] Alexa Rank information about $TARGET_HOST

Requirements:
Tested on Kali light mini AND OSX 10.11.3 with brew
sudo apt-get install bc curl dnsutils libxml2-utils whois md5sha1sum lynx openssl -y

Configuration file:
CURL_TIMEOUT=15 #timeout in --connect-timeout
CURL_UA=Mozilla #user-agent (keep it simple)
INTERNAL=NO #YES OR NO (show internal network info)
URLVOID_KEY=your_API_key #using API from http://www.urlvoid.com/
FUZZ_LIMIT=10 #how many lines it will read from fuzz file
OPEN_TARGET_URLS=NO #open found URLs at the end of script
OPEN_EXTERNAL_LINKS=NO #open external links (frames) at the end of script
FIRST_TIME=YES #if first time check for dependencies

Download URLextractor

Link: http://feedproxy.google.com/~r/PentestTools/~3/yeRbR31P73k/urlextractor-information-gathering-and.html

Shellphish – Phishing Tool For 18 Social Media (Instagram, Facebook, Snapchat, Github, Twitter…)

Phishing tool for 18 social media sites: Instagram, Facebook, Snapchat, Github, Twitter, Yahoo, Protonmail, Spotify, Netflix, Linkedin, WordPress, Origin, Steam, Microsoft, InstaFollowers, Gitlab, Pinterest.

This script uses some webpages generated by the SocialFish tool (https://github.com/UndeadSec/SocialFish). The Instagram webpage was generated by An0nUD4Y (@its_udy) (https://github.com/An0nUD4Y).

Phishing tool for Instagram, Facebook, Twitter, Snapchat, Github, Yahoo, Protonmail, Google, Spotify, Netflix, Linkedin, WordPress, Origin, Steam, Microsoft, InstaFollowers, Pinterest +1 customizable

Features:
Port forwarding using Ngrok or Serveo

Legal disclaimer:
Usage of Shellphish for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

Usage:
git clone https://github.com/thelinuxchoice/shellphish
cd shellphish
bash shellphish.sh

Author: github.com/thelinuxchoice
IG: instagram.com/linux_choice

Download Shellphish

Link: http://feedproxy.google.com/~r/PentestTools/~3/5hBi829B8IU/shellphish-phishing-tool-for-18-social.html