
This phishing kit punishes unsuspecting Black Friday shoppers
Akamai cybersecurity researchers have uncovered a new phishing campaign targeting consumers in the United States with fake holiday deals. The campaign aims to steal sensitive data such as credit card details and, ultimately, the victims' money.
Threat actors create landing pages that impersonate some of the biggest brands in the US, including Dick’s, Tumi, Delta Airlines, Sam’s Club, Costco, and others.
The landing page, often hosted on reputable cloud services such as Google or Azure (which lends the link a trusted domain), directs users to complete a short survey, after which they are promised a reward. The survey is also timed to five minutes, using urgency to distract people from potential red flags.
Unique phishing addresses
After completing the survey, victims are declared "winners". All they have to do to claim their reward is pay for shipping, and this is where they enter their payment card details, which the attackers later use in various ways.
However, what makes this campaign unique is a token-based system that lets it fly under the radar of security products.
As the researchers explain, the system helps redirect each victim to a unique phishing page URL. The URLs vary depending on the victim’s location as scammers try to impersonate locally available brands.
Explaining how the system works, the researchers found that each phishing email contains a link to the landing page that ends in a URL fragment (the part after the # sign). Normally a fragment points the browser at a specific part of a page. Here, the fragment is a token that JavaScript on the landing page uses to reconstruct the victim's phishing URL.
“The values behind the HTML anchor will not be treated as HTTP parameters and will not be sent to the server, however, this value will be available to the JavaScript code running in the victim’s browser,” the researchers said. “In the context of a phishing scam, the value placed after the HTML anchor may be ignored or missed when scanned by security products that check whether it is malicious or not.”
“This value will also be skipped if displayed by the traffic control tool.”
Because security products ignore the fragment, the link they scan looks like a benign page on a reputable cloud host, and the campaign stays discreet. At the same time, researchers, analysts and other unwanted visitors are kept out: without the right token, the phishing page will not load.
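The following is an added example, not code from Akamai's report or from the phishing kit itself, written to show the mechanism described above in JavaScript that runs under Node.js: why the fragment never reaches a server, how page-side JavaScript can turn it into a per-victim URL, and how a link checker that canonicalises away the fragment misses the token while a fragment-aware check does not. The token encoding (base64url of a path and query string), the hostnames and the sample link are assumptions; the article does not describe the kit's actual encoding.

```javascript
// Added example (not the kit's code): URL fragments stay client-side, page
// JavaScript can turn them into redirect targets, and a link scanner should
// flag them rather than silently drop them.
// Assumption: the fragment is a base64url-encoded path+query. The real kit's
// encoding is not described in the article.

// Constructed sample link, as it might appear in the phishing email.
const SAMPLE_LINK =
  "https://storage.example.cloud/promo/index.html#L2NsYWltP2JyYW5kPWNvc3Rjbw";

// What actually goes on the wire for this link: path and query only. The
// browser never sends the fragment, so web-server logs and request-inspecting
// proxies never see the token.
function requestLine(link) {
  const u = new URL(link);
  return `GET ${u.pathname}${u.search} HTTP/1.1`;
}

// What the landing page's JavaScript would do with window.location.hash:
// decode the token and build the per-victim phishing URL (assumed scheme).
// Returns null when there is no token, which is why an analyst who visits the
// bare landing page gets nothing.
function reconstructTarget(link, phishingOrigin) {
  const token = new URL(link).hash.slice(1); // drop the leading '#'
  if (!token) return null;
  const decoded = Buffer.from(token, "base64url").toString("utf8");
  return new URL(decoded, phishingOrigin).href;
}

// Naive scanner behaviour: canonicalise the URL and discard the fragment, as
// many URL-normalisation routines do. What is left looks like a benign page on
// a reputable cloud host.
function naiveCanonical(link) {
  const u = new URL(link);
  u.hash = "";
  return u.href;
}

// Fragment-aware check. A genuine in-page anchor is short and reads like an
// element id ("#faq", "#installation-guide"); an opaque token is long and mixes
// letters with digits (base64url adds upper case, hex is longer). This is a
// first-pass heuristic, not a verdict.
function looksLikeTokenFragment(link) {
  const frag = new URL(link).hash.slice(1);
  if (frag.length < 12) return false;
  const hasLetter = /[A-Za-z]/.test(frag);
  const hasDigit = /[0-9]/.test(frag);
  const hasUpper = /[A-Z]/.test(frag);
  return hasLetter && hasDigit && (hasUpper || frag.length >= 32);
}

// Side-by-side view of the same link from each vantage point.
function report(link) {
  return {
    onTheWire: requestLine(link),
    naiveScannerSees: naiveCanonical(link),
    fragmentFlagged: looksLikeTokenFragment(link),
    // Assumed phishing origin, for illustration only.
    browserRedirectsTo: reconstructTarget(link, "https://phish.example.net"),
  };
}

console.log(report(SAMPLE_LINK));
```

The heuristic only decides which links deserve a closer look; the reliable check is to open the full link, fragment included, in an isolated detonation browser, because the token exists only in the email body and will not be found in proxy or web-server logs.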
Via: BleepingComputer