An ongoing phishing and spearphishing campaign is aiming to steal Office 365 credentials. The phishing emails appear to come from major brands, including Kaspersky.
According to a Kaspersky post from Monday, two phishing kits identified as “Iamtheboss” and “MIRCBOOT” are being used together by multiple threat actors to send fake fax notifications.
“The phishing e-mails are usually arriving in the form of ‘fax notifications’ and lure users to fake websites collecting credentials for Microsoft online services,” according to the post.
One phishing campaign tracked by cybersecurity researchers abuses an Amazon service called Amazon Simple Email Service (SES). SES is designed to let developers deliver email from apps. The campaign relies on a stolen SES token used by a third-party contractor during the testing of the website 2050.earth.
The 2050.earth site is a Kaspersky project that features an interactive map illustrating what futurologists predict to be the future impact of technology on the planet. The stolen SES token is tied to Kaspersky and SES because the 2050.earth site is hosted on the Amazon infrastructure.
“These emails have various sender addresses, including but not limited to firstname.lastname@example.org. They are sent from multiple websites including Amazon Web Services infrastructure,” the security bulletin warned. The company said the stolen SES token was only abused in a limited capacity relative to an otherwise large-scale campaign abusing multiple brands.
It’s unclear what other brands, and how many, are impacted by the ongoing campaigns. It is believed that other non-Kaspersky SES tokens are involved.
The company said the SES token was immediately revoked when it was identified as being stolen and abused.
The theft caused no damage, according to the advisory. “No server compromise, unauthorized database access or any other malicious activity was found at 2050.earth and associated services,” it said.
Office 365 credentials are a very common target for phishing attacks. In March, a phishing scam targeted executives in the insurance and financial sectors in an attempt to harvest Office 365 credentials to launch business email compromise (BEC) attacks.
Hackers abusing SES tokens are trying to give their emails a sense of legitimacy by presenting them as coming from trusted companies.
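As an added illustration (not from Kaspersky's post or any tool it describes), the traits reported above can be combined into a mail-triage heuristic: relayed through Amazon SES, a fax-notification subject, and Microsoft-themed text linking to a host that is not a Microsoft sign-in page. The sample messages, the `.example` domains, the regexes and the sign-in host allow-list are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: hosts accepted as genuine Microsoft sign-in pages.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
FAX_LURE = re.compile(r"\be?-?fax\b", re.I)
MS_BAIT = re.compile(r"office ?365|microsoft|outlook", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def via_ses(msg):
    """True when relay headers name Amazon SES (amazonses.com)."""
    hdrs = msg.get_all("Received", []) + [msg.get("Return-Path", ""), msg.get("Message-ID", "")]
    return any("amazonses.com" in h.lower() for h in hdrs)

def body_text(msg):
    """Concatenate all text/* parts, decoding transfer encodings."""
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_maintype() == "text")

def triage(raw):
    """Return each signal plus 'suspicious', which is set only when all signals fire."""
    msg = message_from_string(raw)
    body = body_text(msg)
    hosts = {urlparse(u).hostname or "" for u in URL.findall(body)}
    result = {
        "via_ses": via_ses(msg),
        "fax_lure": bool(FAX_LURE.search(msg.get("Subject", ""))),
        # Microsoft-themed text that links to a host outside the sign-in allow-list
        "off_brand_login": bool(MS_BAIT.search(body)) and bool(hosts - MS_LOGIN_HOSTS),
    }
    result["suspicious"] = all(result.values())
    return result

# Constructed sample: brand-looking sender, fax lure, credential page on another host.
PHISH = """\
Received: from a1-23.smtp-out.amazonses.com (a1-23.smtp-out.amazonses.com [192.0.2.10])
From: Brand Notifications <noreply@brand.example>
Subject: New fax received: 2 pages

Sign in with your Office 365 account to view the fax:
https://fax-viewer.example/login
"""
# Constructed sample: ordinary application mail that also goes out through SES.
BENIGN = """\
Received: from a1-24.smtp-out.amazonses.com (a1-24.smtp-out.amazonses.com [192.0.2.11])
From: Shop <orders@shop.example>
Subject: Your order has shipped

Track your parcel: https://shop.example/track/123
"""
```

Relay through SES alone is not a signal, since the service carries large volumes of legitimate application mail; the benign sample shows the heuristic firing only when all three traits coincide.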
Analysis showed that the phishing campaigns are relying on a phishing kit that Kaspersky researchers have named “Iamtheboss,” used in conjunction with another phishing kit known as “MIRCBOOT.”
The MIRCBOOT phishing kit was previously used in a large-scale phishing-as-a-service (PhaaS) campaign called BulletProofLink, which was discovered by Microsoft.
BulletProofLink provides phishing kits, email templates, hosting, and other tools that let its users customize campaigns and develop their own phishing ploys. Those users then rely on the PhaaS platform for the kits, templates, and hosting services needed to launch attacks.
Protection Against Phishing
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.