Skip to main content

Microsoft unveils a new credential phishing campaign that leverages an open redirect mechanism to evade security systems. Microsoft has published a long list of phishing domains actively used in this new credential phishing campaign. This list shows that how much the adversaries have invested in this phishing campaign. How extensive would the credential phishing campaign be? Let’s see the listed domains which are part of the credential phishing campaign.

 

Phishing is one of the most prevalent and effective social engineering techniques, growing these days. There are two main motives behind phishing attacks: harvest credentials and ship malware to the victim’s machine, leading to further attacks. In this phishing campaign, attackers used an extremely prevalent way ‘open redirect links’ to effectively bypass the security system to deliver the phishing emails to the victim’s inbox.

What Is An Open Redirect Vulnerability?

Open redirect link refers to a case in which a web application accepts a user-controlled input that could cause the web application to redirect the request to a URL. However, suppose an attacker replaces the URL input with a malicious site to redirect the request to a malicious URL to steal user credentials. In that case, it is called open redirect vulnerability.

Fig #1: Open Redirect Vulnerability (By Microsoft Research Team)

This image is an example of an open redirect vulnerability. Here, the attacker used a domain-generation algorithm (DGA) domain (c-hi[.]xyz) in the parameter of the trusted domain. When a user hovers his mouse on this URL, he believes that this is a trusted URL. However, when he clicks on the link, it takes the user to the malicious domain in the parameter.

Why Do Attackers Use Open Redirect Vulnerabilities To Run Credential Phishing Campaign?

It is pretty common to see open redirect links among organizations for various reasons. Companies’ sales and marketing representatives use open redirect links in their emails to lead their clients or customers to the desired landing page as a business strategy to increase sales, user experience, and productivity. However, threat actors abuse this feature to link to a URL from a trusted domain and embed the malicious URL as a parameter.

Such open redirect vulnerabilities help attackers evade the organizations’ security systems and deliver the email to the victim’s inbox. For example, When a malicious URL is set as a parameter for a legitimate URL, traditional security solutions may pass through such requests because the security solutions might have been trained to identify only the primary URL. The security system may fail to check the malicious parameters embedded.

How Does This New Credential Phishing Attacks Work?

Fig #2: Attack chain for the open redirect phishing campaign (By Microsoft Research Team)
  1. Attackers send phishing emails: The campaign starts with sending emails to the victims. The report says that Attackers followed a pattern in the email content across the drive.
    1. The content of the email will be inside a box.
    2. The email will have a large button with an open redirect link that takes the victims to the credential harvesting phishing page.
    3. The subject of the email will most likely be created with the recipient’s domain and a timestamp.
  2. Users are tricked into clicking on the open redirect link: when users hover their mouse cursor over the button, they will see the complete URL that looks legitimate as attackers crafted the open redirect links using a legitimate service. The fact is a malicious phishing URL has been embedded in the parameter of the open redirect link.
  3. Phishing page verifies reCAPTCHA verification: When users clicked on the crafted open redirect links, users will be redirected to the attacker’s phishing site. These phishing sites used Google reCAPTCHA services to evade email security systems.
  4. Users will see a fake login page to enter the credentials: After users complete the reCAPTCHA verification, users will see a fake login page that impersonates the original site. The site is prepopulated with the victim’s email address to make the site look more legitimate. Adversaries can also use this strategy to bypass the Single Signe On (SSO) authentication either.
  5. Credentials get compromised: If users enter their credentials on the phishing URL, the page throws an error saying the page is timed out or the password was incorrect. This is to make the user enter the credentials twice to confirm the credentials. Upon entering the credentials for a second time, the page directs to the legitimate Sophos website, which says the message has been released. Once your credentials are harvested, attackers can use your credentials to carry out more attacks.
See Also  Top Strategies for Effective Vendor Risk Management Programs

How To Prevent Credential Phishing Attacks And Open Redirect Vulnerability?

The best ways to prevent being a victim of phishing campaign are:

  1. Educate yourselves: The first level of protection would be learning about phishing techniques. Please be aware of the phishing techniques, don’t be the scape sheep of the campaign.
  2. Use anti-phishing toolbars and security solutions: We recommend buying a good anti-phishing solution. The simple and easiest way is to use anti-phishing toolbars on the browser.
  3. Don’t click on the links shared from untrusted sources. Examine the grammar of the email you received and the spelling of the URL before you click on it. Report about the phishing emails or links to your anti-phishing solutions if possible.
  4. Don’t open the attachments if you received them from an unknown source. Verify the email header from the tools like MXToolBox.
  5. Use good security tools like antivirus solutions, network intrusion detection, firewalls, URL filtering tools, spam filters, and adblockers to protect from many types of phishing attacks.
  6. Do regular password resets and use complex passwords.
  7. Enable MFA multi-factor authentication.

List Of Phishing Domains Which Are Part Of New Credential Phishing Campaign:

Patterns of Secondary redirected domains:

The secondary domains used in the parameter URLs most likely follow a specific domain-generation algorithm (DGA) pattern and use .xyz, .club, .shop, and .online TLDs.

  • [letter]-[letter][letter].xyz
  • [letter]-[letter][letter].club

Secondary Domains:

Some of the captured secondary domains in the crafted open redirect links in this credential phishing campaign are:

  • c-tl[.]xyz
  • a-cl[.]xyz
  • j-on[.]xyz
  • p-at[.]club
  • i-at[.]club
  • f-io[.]online

Sender Domains:

Adversaries used a wide range of domains to send emails, and the sender domains could be from any of these.

  • Attacker-owned DGA domains
  • Compromised legitimate domains
  • Domains ending in .co.jp
  • Free email domains

Patterns Of Sender Domains:

  • [word or string of characters]-[word][number], incrementing by one, for example: masihtidur-shoes08[.]com
  • [number][word or string of characters]-[number], incrementing by one, for example: 23moesian-17[.]com
  • [word][word][number], incrementing by one, for example: notoficationdeliveryamazon10[.]com
  • [word or letters][number]-[number], incrementing by one, for example: dak12shub-3[.]com

Secondary Domains:

Some of the captured primary domains that match the DGA patterns:

masihtidur-shoes08[.]com masihtidur-shoes07[.]com masihtidur-shoes04[.]com bas9oiw88remnisn-14[.]com
masihtidur-shoes02[.]com masihtidur-shoes01[.]com wixclwardwual-updates9[.]com romanseyilefreaserty0824r-4[.]com
wixclwardwual-updates8[.]com wixclwardwual-updates7[.]com wixclwardwual-updates6[.]com securemanageprodio-04[.]com
wixclwardwual-updates5[.]com wixclwardwual-updates10[.]com wixclwardwual-updates1[.]com suppamz2-piryshj01-9[.]com
zxcsaxb-good8[.]com zxcsaxb-good6[.]com zxcsaxb-good5[.]com solution23-servviue-7[.]com
zxcsaxb-good4[.]com zxcsaxb-good3[.]com zxcsaxb-good10[.]com solution23-servviue-27[.]com
trashxn-euyr9[.]com trashxn-euyr7[.]com trashxn-euyr6[.]com solution23-servviue-9[.]com
trashxn-euyr5[.]com trashxn-euyr3[.]com trashxn-euyr20[.]com solution23-servviue-17[.]com
trashxn-euyr2[.]com trashxn-euyr19[.]com trashxn-euyr18[.]com solution23-servviue-30[.]com
trashxn-euyr17[.]com trashxn-euyr16[.]com trashxn-euyr15[.]com solution23-servviue-10[.]com
trashxn-euyr14[.]com trashxn-euyr12[.]com trashxn-euyr11[.]com solution23-servviue-24[.]com
trashxn-euyr10[.]com trashxn-euyr1[.]com berangberang-9[.]com service-account-7243[.]com
berangberang-7[.]com berangberang-12[.]com berangberang-6[.]com service-account-374567[.]com
notoficationdeliveryamazon8[.]com berangberang-8[.]com berangberang-3[.]com gxnhfghnjzh809[.]com
berangberang-4[.]com berangberang-10[.]com berangberang-11[.]com accountservicealert003[.]com
berangberang-13[.]com berangberang-5[.]com 77support-update23-4[.]com care887-yyrtconsumer23-23[.]com
posher876ffffff-30[.]com posher876ffffff-5[.]com posher876ffffff-25[.]com care887-yyrtconsumer23-26[.]com
fenranutc0x24ai-11[.]com organix-xtc21[.]com fenranutc0x24ai-13[.]com laser9078-ter10[.]com
fenranutc0x24ai-4[.]com fenranutc0x24ai-17[.]com fenranutc0x24ai-18[.]com hayalanphezor-3sit[.]com
adminsecurity102[.]com adminsecurity101[.]com 23moesian-17[.]com ressstauww-6279-3[.]com
23moesian-10[.]com 23moesian-11[.]com 23moesian-26[.]com ressstauww-6279-7[.]com
23moesian-19[.]com 23moesian-2[.]com cokils2ptys-3[.]com ketiak-muser14[.]com
cokils2ptys-1[.]com 23moesian-20[.]com 23moesian-15[.]com spammer-comingson01[.]com
23moesian-18[.]com 23moesian-16[.]com sux71a37-net19[.]com spammer-comingson05[.]com
sux71a37-net1[.]com sux71a37-net25[.]com sux71a37-net14[.]com posidma-posidjar03[.]com
sux71a37-net18[.]com sux71a37-net15[.]com sux71a37-net12[.]com tembuslah-bandar01[.]com
sux71a37-net13[.]com sux71a37-net20[.]com sux71a37-net11[.]com tembuslah-bandar04[.]com
sux71a37-net27[.]com sux71a37-net2[.]com sux71a37-net21[.]com tembuslah-bandar07[.]com
bimspelitskalix-xuer9[.]com account-info005[.]com irformainsition0971a8-net16[.]com tembuslah-bandar10[.]com
bas9oiw88remnisn-12[.]com bas9oiw88remnisn-27[.]com bas9oiw88remnisn-26[.]com solution23-servviue-23[.]com
bas9oiw88remnisn-11[.]com bas9oiw88remnisn-10[.]com bas9oiw88remnisn-5[.]com hayalanphezor-7sit[.]com
bas9oiw88remnisn-13[.]com bas9oiw88remnisn-1[.]com bas9oiw88remnisn-7[.]com solution23-servviue-15[.]com
bas9oiw88remnisn-3[.]com bas9oiw88remnisn-20[.]com bas9oiw88remnisn-8[.]com suppamz2-piryshj01-6[.]com
bas9oiw88remnisn-23[.]com bas9oiw88remnisn-24[.]com bas9oiw88remnisn-4[.]com solution23-servviue-16[.]com
bas9oiw88remnisn-25[.]com romanseyilefreaserty0824r-2[.]com romanseyilefreaserty0824r-1[.]com romanseyilefreaserty0824r-5[.]com
sux71a37-net26[.]com sux71a37-net10[.]com sux71a37-net17[.]com solution23-servviue-19[.]com
maills-activitymove02[.]com maills-activitymove04[.]com solution23-servviue-26[.]com solution23-servviue-18[.]com
maills-activitymove01[.]com copris7-yearts-6[.]com copris7-yearts-9[.]com solution23-servviue-13[.]com
copris7-yearts-5[.]com copris7-yearts-8[.]com copris7-yearts-37[.]com solution23-servviue-4[.]com
securityaccount102[.]com copris7-yearts-4[.]com copris7-yearts-40[.]com solution23-servviue-5[.]com
copris7-yearts-7[.]com copris7-yearts-38[.]com copris7-yearts-39[.]com service-account-735424[.]com
romanseyilefreaserty0824r-6[.]com rick845ko-3[.]com rick845ko-2[.]com service-account-764246[.]com
rick845ko-10[.]com fasttuamz587-4[.]com winb2as-wwersd76-19[.]com xcfhjxfyxnhnjzh10[.]com
winb2as-wwersd76-4[.]com winb2as-wwersd76-6[.]com org77supp-minty662-8[.]com care887-yyrtconsumer23-24[.]com
winb2as-wwersd76-18[.]com winb2as-wwersd76-1[.]com winb2as-wwersd76-10[.]com care887-yyrtconsumer23-27[.]com
org77supp-minty662-9[.]com winb2as-wwersd76-12[.]com winb2as-wwersd76-20[.]com laser9078-ter11[.]com
account-info003[.]com account-info012[.]com account-info002[.]com hayalanphezor-6sit[.]com
laser9078-ter17[.]com account-info011[.]com account-info007[.]com romanseyilefreaserty0824r-3[.]com
notoficationdeliveryamazon1[.]com notoficationdeliveryamazon20[.]com notoficationdeliveryamazon7[.]com ressstauww-6279-10[.]com
notoficationdeliveryamazon17[.]com notoficationdeliveryamazon12[.]com contackamazon1[.]com ressstauww-6279-1[.]com
notoficationdeliveryamazon6[.]com notoficationdeliveryamazon5[.]com notoficationdeliveryamazon4[.]com ketiak-muser13[.]com
notoficationdeliveryamazon18[.]com notoficationdeliveryamazon13[.]com notoficationdeliveryamazon3[.]com spammer-comingson02[.]com
notoficationdeliveryamazon14[.]com gaplerr-xt5[.]com posher876ffffff-29[.]com spammer-comingson07[.]com
kenatipurecehkali-xt3[.]com kenatipurecehkali-xt13[.]com kenatipurecehkali-xt4[.]com posidma-posidjar05[.]com
kenatipurecehkali-xt12[.]com kenatipurecehkali-xt5[.]com wtbwts-junet1[.]com tembuslah-bandar02[.]com
kenatipurecehkali-xt6[.]com hayalanphezor-2sit[.]com hayalanphezor-1sit[.]com tembuslah-bandar05[.]com
noticesumartyas-sc24[.]com noticesumartyas-sc13[.]com noticesumartyas-sc2[.]com tembuslah-bandar08[.]com
noticesumartyas-sc17[.]com noticesumartyas-sc22[.]com noticesumartyas-sc5[.]com organix-xtc18[.]com
noticesumartyas-sc4[.]com noticesumartyas-sc21[.]com noticesumartyas-sc25[.]com bimspelitskalix-xuer7[.]com
appgetbox3[.]com notoficationdeliveryamazon19[.]com notoficationdeliveryamazon10[.]com solution23-servviue-1[.]com
appgetbox9[.]com appgetbox8[.]com appgetbox6[.]com solution23-servviue-25[.]com
notoficationdeliveryamazon2[.]com appgetbox7[.]com appgetbox5[.]com solution23-servviue-11[.]com
notoficationdeliveryamazon23[.]com appgetbox10[.]com notoficationdeliveryamazon16[.]com cokils2ptys-6[.]com
hvgjgj-shoes08[.]com hvgjgj-shoes13[.]com jgkxjhx-shoes09[.]com solution23-servviue-8[.]com
hvgjgj-shoes15[.]com hvgjgj-shoes16[.]com hvgjgj-shoes18[.]com suppamz2-piryshj01-1[.]com
hvgjgj-shoes20[.]com hvgjgj-shoes12[.]com jgkxjhx-shoes02[.]com solution23-servviue-12[.]com
hvgjgj-shoes10[.]com jgkxjhx-shoes03[.]com hvgjgj-shoes11[.]com solution23-servviue-20[.]com
hvgjgj-shoes14[.]com jgkxjhx-shoes05[.]com jgkxjhx-shoes04[.]com solution23-servviue-14[.]com
hvgjgj-shoes19[.]com jgkxjhx-shoes08[.]com hpk02h21yyts-6[.]com service-account-8457845[.]com
romanseyilefreaserty0824r-7[.]com gets25-amz[.]net gets30-amz[.]net service-account-762441[.]com
gets27-amz[.]net gets28-amz[.]net gets29-amz[.]net accountservicealert002[.]com
gets32-amz[.]net gets3-amz[.]net gets31-amz[.]net bas9oiw88remnisn-15[.]com
noticesumartyas-sc19[.]com noticesumartyas-sc23[.]com noticesumartyas-sc18[.]com care887-yyrtconsumer23-25[.]com
noticesumartyas-sc15[.]com noticesumartyas-sc20[.]com noticesumartyas-sc16[.]com bimspelitskalix-xuer6[.]com
noticesumartyas-sc29[.]com rick845ko-1[.]com bas9oiw88remnisn-9[.]com hayalanphezor-4sit[.]com
rick845ko-5[.]com bas9oiw88remnisn-21[.]com bas9oiw88remnisn-2[.]com solution23-servviue-6[.]com
bas9oiw88remnisn-19[.]com rick845ko-6[.]com bas9oiw88remnisn-22[.]com sytesss-tas7[.]com
bas9oiw88remnisn-17[.]com bas9oiw88remnisn-16[.]com adminmabuk103[.]com hvgjgj-shoes01[.]com
account-info008[.]com suppamz2-piryshj01-3[.]com dak12shub-1[.]com ketiak-muser15[.]com
securemanageprodio-02[.]com securemanageprodio-05[.]com securemanageprodio-01[.]com spammer-comingson04[.]com
dak12shub-3[.]com dak12shub-9[.]com dak12shub-8[.]com posidma-posidjar01[.]com
dak12shub-6[.]com dak12shub-10[.]com dak12shub-4[.]com posidma-posidjar06[.]com
securemanageprodio-03[.]com org77supp-minty662-7[.]com winb2as-wwersd76-7[.]com tembuslah-bandar03[.]com
org77supp-minty662-10[.]com bimspelitskalix-xuer2[.]com gets34-amz[.]net tembuslah-bandar06[.]com
gets35-amz[.]net service-account-7254[.]com service-account-76357[.]com tembuslah-bandar09[.]com
service-account-7247[.]com account-info004[.]com service-account-5315[.]com  

Thanks for reading this post, which has the list of phishing domains actively used in this new credential phishing campaign and helps create awareness against credential phishing campaigns.

Leave a Reply