Our investigation into a new phishing campaign revealed that the same threat actor is using dozens of domains utilizing Brand Impersonation, including a wide variety of US national banks such as Wells Fargo, Bank of America, Citibank, and Chase, as well as regional banks.
This campaign is harvesting personal and financial information from targeted users, including financial login credentials, credit/debit card info, mother’s maiden name, address, and government ID.
This campaign is a reminder that smishing scams that impersonate well-known financial institutions continue to be an issue for consumers and financial institutions. Smishing attacks provide many advantages over email-based attacks, including higher open rates, a sense of urgency and personalization, and technical advancements such as spoofed phone numbers. The potential rewards are high.
We also observed the same threat actor utilizing domains spoofing the Wirex crypto wallet with debit card functionality. These implementations were much less mature, possibly signaling future crypto attack directions.
Multiple Brands Targeted in Phishing Attempts
A Senior Staff Software Engineer from Trellix recently shared on LinkedIn about receiving an SMS claiming to be a “security notification” from “Wells Fargo” regarding the suspension of their debit card due to “unusual activity.”
SMS from LinkedIn Post
As seen in the original SMS, a URL shortener (s.id) was used as the first redirect to the phishing page (s.id had terminated the redirect link to the phishing URL at the time of writing). Targeted users are redirected to a page that mimics the Wells Fargo login page.
Wells Fargo fake Login Page
Each user is assigned a unique ‘apitoken’ value in the URI, which is likely tracked by IP address for that user. The URLs involved in the campaign track IP by referencing legitimate sites api[.]org and ipapi[.]co.
IP check in JavaScript
The phishing campaign is not limited to Wells Fargo. By analyzing the JARM value used by the domain cz97sevef[.]online and other header meta information, we were able to identify dozens of other domains linked to the same campaign, involving multiple US national and regional banks.
Our scanners indicate that the campaign started using phishing domains with a banking theme in the second quarter of 2023 and has utilized varied domains associated with different banks. We confirmed that, for all these cases, using the same URI with the same ‘apitoken’ value for the same workstation/IP would successfully load the following pages:
Fake Bank of America Login Page
Fake Truist Bank Login Page
Fake Huntington Bank Login Page
Fake Chase Bank Login Page
Fake Citi Login Page
In addition to traditional banks, brands such as the Wirex crypto wallet, which offers a debit card for crypto assets, were also targeted in the same campaign.
Fake Wirex Login Page
During our testing, we found that the phishing content did not open when URLs were accessed outside of the USA, which is consistent with the nature of the attack. Furthermore, once an ‘apitoken’ is assigned to a workstation/VM IP, bank-spoofing domains will send a ‘403’ error with the same URI if accessed from a different IP/machine.
The threat actors appear motivated to harvest as much information as possible. The login page only serves as a precursor to redirect users to enter credit/debit card information and other personal information, including a picture of a government ID, on the attacker’s controlled website.
For example, a domain spoofing ‘Bank of America’ is boainformation[.]com, which attempts to upload entered personal information to clientarea2[.]site via a POST request through a web form, as seen in the following Fiddler screen grabs:
POST request to clientarea2[.]site generated from submission on boainformation[.]com
Fiddler’s webform view of information sent in POST request and next information requested
In addition to the personal information provided, the ‘apitoken’ value is also passed via a POST request to associate the user with a unique ID.
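The exfiltration pattern described above (a form on the bank-spoofing domain submitted by POST to a separate collection domain, with the ‘apitoken’ carried along) is something a web proxy log can surface. The following is an added example written for this article, not code from the report or from Silent Push: it parses a few constructed proxy log lines (a simplified one-line format assumed for the example, using the report's own defanged domains refanged so they parse) and flags cross-origin form POSTs that originate from an apitoken-bearing page, POSTs to the known collection host, and IP-lookup calls made from such a page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (not real traffic). Format assumed for this example:
#   METHOD URL referer=REFERER status=CODE
SAMPLE_PROXY_LOG = """\
POST https://clientarea2.site/api/submit referer=https://boainformation.com/login?apitoken=abc123 status=200
GET https://boainformation.com/login?apitoken=abc123 referer=- status=200
POST https://www.bankofamerica.com/login referer=https://www.bankofamerica.com/ status=302
POST https://clientarea2.site/api/verify referer=https://c1t-i.me/verify?apitoken=abc123 status=200
GET https://ipapi.co/json/ referer=https://boainformation.com/login?apitoken=abc123 status=200
"""

LINE_RE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<url>\S+) referer=(?P<ref>\S+) status=(?P<status>\d+)$"
)

# Collection host named in the report; IP-lookup services the kit calls.
KNOWN_COLLECTION_HOSTS = {"clientarea2.site"}
IP_LOOKUP_HOSTS = {"ipapi.co", "api.org"}


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def host_of(url):
    """Hostname of a URL, or '' for a missing ('-') referer."""
    if url == "-":
        return ""
    return (urlsplit(url).hostname or "").lower()


def has_apitoken(url):
    """True if the URL's query string carries an 'apitoken' parameter."""
    if url == "-":
        return False
    return "apitoken" in parse_qs(urlsplit(url).query)


def classify(rec):
    """Return the list of reasons a request is suspicious (empty if none)."""
    reasons = []
    dst, ref = host_of(rec["url"]), host_of(rec["ref"])
    if dst in KNOWN_COLLECTION_HOSTS:
        reasons.append("known collection host")
    # A form on one host posting to a different host, from a page that carries
    # the campaign's per-victim token, is the kit's exfiltration step.
    if rec["method"] == "POST" and ref and ref != dst and has_apitoken(rec["ref"]):
        reasons.append("cross-origin POST from apitoken page")
    # The kit binds the token to the visitor's IP via public IP-lookup services.
    if dst in IP_LOOKUP_HOSTS and has_apitoken(rec["ref"]):
        reasons.append("IP lookup from apitoken page")
    return reasons


def scan(log_text):
    """Return [(url, reasons)] for every suspicious request in the log text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["url"], reasons))
    return hits


if __name__ == "__main__":
    for url, reasons in scan(SAMPLE_PROXY_LOG):
        print(url, "->", "; ".join(reasons))
```

The cross-origin rule is the durable one: the collection domain will change, but a login form that submits its fields to a host other than the one that served it is unusual for a real bank, so the rule keeps firing after the indicator list goes stale.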
Phishing site asking for Government ID
While the threat actors are interested in harvesting all information entered, their server performs no validation of the government ID and does not cross-check it against the personal information entered earlier, as a legitimate site typically would.
The value of the ‘apitoken’ associated with the user’s data remains consistent with all bank spoofing domains. If the same URL is accessed with an ‘apitoken’ for which data was previously entered, the user will be redirected to a ‘verified’ page for all the domains connected in the campaign. For instance, once information has been entered by the user on a spoofed Bank of America domain’s URL, opening Citi’s spoofed domain with the same ‘apitoken’ will load the same information entered on the fake ‘BoA’ form.
Reusing user information
Most of the IOCs involved, including initial phishing domains as well as domains harvesting personal data, have little to no detection on VirusTotal.
VirusTotal Results
VirusTotal Results
VirusTotal Results
In some cases, domains are only intended for credential phishing purposes and give an error message on the first page, no matter what credentials are entered. At the backend, the same clientarea2[.]site domain is used to upload credentials via a POST request.
Error message after credential phishing
POST request to send credentials
Malicious Infrastructure
The domains connected to the campaign use a wide variety of IPs, ASN services, nameservers, and registrars. Some IPs show a history of being associated with phishing activity related to impersonating postal services and mobile manufacturers like Apple and Xiaomi.
For example, domains associated with the IP address 111.90.143[.]126, which is currently hosting c1t-i[.]me — a domain spoofing Citi Bank — have been observed with a few old domain names likely associated with those previous campaigns, such as myinformedparcl[.]com and www.icloud-com-id[.]us, among others.
Some IPs are dedicated to bank-spoofing domains for one particular brand, such as 15.223.110[.]65 for Chase. The same IP also hosts the domain alert-usaa[.]info, an open directory containing an archive with details of anti-crawler projects and libraries that threat actors may use, along with a list of IP ranges, blocked words, and user agents used to identify crawlers/bots.
Smishing Remains Popular
In the ever-changing threat landscape, threat actors operate in a fast-paced environment to host new threats using new infrastructures. Researchers must use tools that comprehensively track attacker infrastructure, applying a wide variety of correlation and fingerprinting capabilities, to uncover all the connecting dots of the attacker’s infrastructure.
Silent Push will continue to help our users by tracking attacker infrastructure to identify campaigns as early as possible.
Silent Push is an early detection-focused threat intelligence solution.
Our platform provides the most comprehensive view of global internet-facing infrastructure available — sign up now and use our predictive analysis to uncover attacker infrastructure and campaigns before they launch.
Silent Push has uncovered open redirect phishing campaigns utilizing spoofed Microsoft and DocuSign notifications.
Prominent email marketing services are being exploited.
Over 6,000 subdomains identified as being vulnerable to open redirect exploitation.
URL manipulation used to direct traffic to attacker-controlled infrastructure.
Popular brands used as lures to avoid email blacklisting.
Background
We recently published research that explored open redirect vulnerabilities. In the blog, we discussed how a subdomain of citi[.]com using CHEETA-Mail infrastructure was redirecting users to phishing pages targeting Microsoft 365 login pages.
Our Threat Analysts have continued their research, and we’ve encountered more phishing campaigns targeting enterprise users with fake notifications from prominent tech companies including Microsoft and DocuSign, luring users into clicking malicious links that redirect to attacker-controlled infrastructure:
DocuSign phishing email
We’ve observed a growing trend of cloud-based email marketing service subdomains being targeted by threat actors seeking to exploit consumer trust in big-name brands to propagate global phishing campaigns.
Microsoft credential phishing
During our investigation, we discovered a phishing email using a spoofed notification from “ServiceDesk” that attempted to fool users into clicking on a link entitled “Clear Cache”.
The email uses a hyperlink embedded in an image to direct the user to a URL involved in a threat campaign that spoofs a Microsoft login page hosted on the third-party service glitch[.]me:
M365 phishing email
The original landing page from the email belonged to links.makeit.usfoods[.]com. The URL uses two hops to redirect users to the intended phishing page:
URL analysis 1
URL analysis (2)
We continued to observe different Microsoft 365 and DocuSign spoofing emails using the same tactics, with similar URLs. Emails redirect to domains hosting malicious AiTM proxy kits for Microsoft credential phishing. We explored the phishing process in our previous blog, so let’s focus on the abuse of vulnerable infrastructure via open redirects.
Using Silent Push to execute a live DNS lookup, we were able to identify a CNAME record associated with the domain (recp.rm02[.]net):
Identifying a CNAME record
We observed another phishing email containing a spoofed Microsoft 365 notification with a URL belonging to the above CNAME domain recp.rm02[.]net, i.e. hxxps://recp[.]rm02[.]net/ctt?m=<REDACTED>&r=NDMzMjA5MjAzNTUxS0&b=0&j=<REDACTED>&k=reviewCTA&kx=1&kt=12&kd=hxxps://thelittlebluerocketship[.]com/p/ <REDACTED>/<REDACTED>@<REDACTED>.
The URL pattern matches the one observed for links.makeit.usfoods[.]com. We performed further research into infrastructure sharing the CNAME recp[.]rm02[.]net. Our investigation showed that all domains with that CNAME were vulnerable to open redirect abuse: the redirect destination could be changed to any attacker-controlled domain.
The scope of the problem
By analyzing meta data from rm02[.]net, we were able to identify more than six thousand similar subdomains. The infrastructure is associated with ‘Acoustic Marketing Cloud’ (formerly Silverpop). The URL structure also resembles an example shared by the platform on their support page (https://help.goacoustic[.]com/hc/en-us/articles/360043608853-Send-your-email). We discovered subdomains associated with a wide range of brands, from trading and financial platforms to tobacco companies and retail organisations, among others.
Pivoting through URL data
Consider the URL we received for links.makeit.usfoods[.]com – links.makeit.usfoods[.]com/ctt?m=&r=NDMzMjA5MjAzNTUxS0&b=0&j=&k=PrivacyPolicy&kx=1&kt=1&kd=hxxps://www.digital-7[.]com/p//
If we replace the subdomain portion of links.makeit.usfoods[.]com with any of the 6,000+ subdomains found, whilst keeping the rest of the URL intact and changing the last ‘REDACTED’ portion with any email address of our choice (or supply a different phishing domain than www.digital-7[.]com), the redirect still works.
Example pivot
For example, if we take links.email.myparliament[.]com and replace the original email address with theking@buckinghampalace[.]com, while keeping the rest of the URL the same, the open redirect still leads to digital-7[.]com, which eventually redirects to phishing pages as seen here:
Phishing page re-direction analysis (1)
Phishing page redirection analysis (2)
Destination page
Similarly, a threat actor intending to initiate a phishing attack against an employee from Schwab could use the subdomain emailservices.schwab[.]com and append the remaining URL to redirect targeted users to any web page of their choice.
Additional email marketing abuse
Alongside phishing emails pointing to malicious infrastructure, we’ve also discovered subdomains of legitimate brands, with CNAME records linked to trusted email marketing services, that are being exploited using open redirects which lead to Microsoft 365 login pages and spoofing/credential phishing operations.
Key observations
One of the more prominent cases involved subdomains with a CNAME belonging to Adobe’s marketing service campaign.adobe[.]com.
We also observed multiple submissions by different users to public sandboxes such as tria[.]ge and Joe Sandbox, where some subdomains belonging to Adobe, subdomains of popular hotel brands and the prominent UK electronics retailer, Currys, are being used to redirect to attacker-controlled phishing pages:
Currys subdomain redirection
The URL format constructed for the marketing newsletters is similar, but it is being abused by threat actors to propagate illegal activity. We were able to re-use the links to confirm the presence of open redirect vulnerabilities: changing the final page destination to a benign address like facebook[.]com still redirects via the same domain.
Example exploit using facebook[.]com
Let’s look at an example. The following URL was available publicly on ‘Joe Sandbox’, and was likely sent to an employee of the State Government of Maine (base64-encoded email addresses redacted for privacy).
Currys – Analysis report
If we change the part of the URL after ‘&p1=’ to facebook[.]com, we are successfully redirected to Facebook’s home page, confirming the URL structure is susceptible to open redirects, as seen from following screengrabs:
Facebook redirect
Redirect analysis
Additional example
Whilst hunting for similar abuse on Joe Sandbox, we also discovered a Swiss insurance company’s subdomain with a similar URL structure that was also susceptible to an open redirect. Let’s repeat the scenario of a destination change to facebook[.]com using the insurance company’s URL:
Insurance company URL analysis
Although the URL structure is similar, with valid open redirect abuse, we were not able to verify any link to campaign.adobe[.]com.
Using Silent Push to protect against open redirect abuse
Threat actors are abusing email marketing services by targeting enterprise domains with open redirect vulnerabilities that open the door for phishing emails, with Microsoft credentials being the attack vector of choice.
Companies need to offer awareness training to their employees that educate users about the types of phishing campaigns used in open redirect exploits. Users need to be doubly sure that login information is being used on trusted infrastructure. For years, organizations have trained their employees to be wary of suspicious URLs. Our research shows that the scope of the problem has now extended to legitimate subdomains.
At present, there are an unknown number of domains with CNAME records that are open for abuse. We’ve created a dataset for Silent Push customers that can be used to identify elements of an organization’s public DNS presence that’s susceptible to an open redirect exploit.
Enterprise users can download the data by navigating to ‘Advanced Query Builder > Feeds Queries > Get download link’ and choosing the feed name ‘redirect_vulnerable_domains.txt’.
We’ve observed open redirect phishing campaigns using third party hosting sites to host malicious content, so we’ve created feeds that list the domains involved in intermediate redirects between marketing subdomains and the phishing page. These IoCs can be accessed by Enterprise users through the ‘Phishing Domains’ early detection feed.
Register for the Silent Push Community Edition to get access to a free set of specialized resources and enriched data that helps your organization combat the growing trend of open redirect exploitation.
Explore Silent Push Enterprise to benefit from pre-weaponized threat intelligence, enhanced security stack integration, enriched observables, and dedicated campaign feeds.
Silent Push has taken on five veteran industry executives to accelerate sales and growth, following a $10 million investment led by Ten Eleven Ventures.
Joining Ken Bagnall (CEO) and John Jensen (CTO) on the Silent Push Board are Frank Verdecanna, former CFO of Mandiant (now part of Google Cloud), Tim Dawson, Group Chief Information Security Officer at UBS, and Dave Palmer, General Partner at Ten Eleven Ventures, who has over a decade of experience in government intelligence operations, including at UK intelligence agencies GCHQ and MI5, and was one of the founders of AI cybersecurity company Darktrace.
Other key appointments include Chief Marketing Officer Phil Montgomery, former General Manager for Security Go-To-Market at Microsoft, and Chief Revenue Officer David Troha, former Chief Revenue Officer at Advintel.
Ken has this to say on the recent acquisitions: “It’s exciting times at Silent Push. Our customer base is expanding, our research was recently referenced in a CISA Cybersecurity Advisory report, we’ve secured our second round of seed funding, and our team is growing. Populating our board and executive team with globally renowned cybersecurity executives, adds a wealth of industry knowledge and priceless commercial insight. The collective expertise, insight and industry experience we are adding to the company will be a huge boost. The whole team is perfectly poised to take Silent Push to the next level.”
Silent Push has announced the company’s launch with a total of $10M in seed funding led by global cybersecurity specialist investor Ten Eleven Ventures.
Silent Push takes a unique approach to identifying emerging cyber threats by providing the most comprehensive view of global internet-facing infrastructure available and applying deep analysis to reveal new attacker infrastructure and campaigns. Customers can now understand emerging threats before launch, be prepared, and proactively solve problems.
As cyber threats continue to grow, organizations have traditionally focused on detecting threats by using intelligence feeds with indicators of compromise (IOCs). Silent Push’s approach goes beyond that by providing the capability to understand what attackers are doing prior to an attack, delivering detailed analysis of the tactics, techniques, and procedures (TTPs) employed by threat actors. This information provides insights into their capabilities and targets – Silent Push acts like a threat radar, allowing organizations to see what attackers are doing. Silent Push can be used stand-alone or integrated via an API into commonly used security tools such as a SIEM.
Ken Bagnall (CEO) and John Jensen (CTO) are well-known veteran co-founders who have worked together for over 15 years, most recently at FireEye, Inc., who acquired their previous company, The Email Laundry.
“Our unique ability lies in knowing the attacker’s TTPs – what they are doing to prepare for an attack or campaign,” said Ken Bagnall, CEO of Silent Push. “A good example of this is where we recently observed attackers using legitimate websites to redirect to threat actor-controlled intermediate ‘cushion servers’, which leads to phishing URLs with fake Microsoft logins.”
The company currently has over 500 organizations on the free community edition (https://www.silentpush.com/community-app), including commercial and government organizations, and security researchers. The paid Enterprise edition has already been adopted by security teams of some of the world’s largest organizations. Customers can use the solution via the Silent Push browser interface, or tightly integrate into existing security solutions using the Silent Push API, allowing enrichment of any security event and replacing multiple existing products.
“At Ten Eleven Ventures, we always seek truly innovative solutions that provide more effective cyber defense. By taking a totally new approach to how signals are gathered and analyzed, Silent Push is dramatically elevating the impact that threat intelligence can have in protecting enterprises worldwide,” said Dave Palmer, General Partner at Ten Eleven Ventures and formerly one of the founders of Darktrace, a global leader in cyber security artificial intelligence. Palmer also has 13 years’ experience in government intelligence operations, including at UK intelligence agencies GCHQ and MI5. “Silent Push’s detection-focused intelligence platform, which maps out the entire Internet-facing infrastructure daily to identify attackers setting up campaigns before they launch attacks, is one of a kind. It allows operators to dramatically enrich their defense decision making with proactive knowledge of the most relevant threats, and is already replacing multiple products in customers’ security stacks.”
An open redirect vulnerability takes place when attackers construct a URL within an application that triggers a redirection to an arbitrary external domain, such as a phishing site.
Open redirect techniques often feature in phishing emails but a new run of attacks has refined the approach by abusing legitimate domains like citi[.]com and performing multiple hops in the redirection process.
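The tracking-link abuse described in the earlier sections (the ‘kd=’ parameter on the Acoustic-style links and the ‘&p1=’ parameter on the Currys-style links) and the definition just given both come down to one check: does the redirect parameter point outside the domain that serves the link? The following is an added example written for this article, not code from Silent Push or from any marketing platform. It shows the detection side (flagging links whose redirect target is off-domain, as a mail gateway or log review might) beside the remediation side (a redirect resolver that only honours an allow-list and falls back otherwise). The parameter names come from the page; the two-label “registrable domain” approximation and the sample links other than the usfoods one are assumptions for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Redirect parameter names observed in the links discussed on the page.
REDIRECT_PARAMS = ("kd", "p1")

# Constructed sample links (the usfoods one mirrors the page; the rest are placeholders).
SAMPLE_LINKS = [
    "https://links.makeit.usfoods.com/ctt?m=&r=NDMzMjA5MjAzNTUxS0&b=0&j=&k=PrivacyPolicy&kx=1&kt=1&kd=https://www.digital-7.com/p//",
    "https://links.makeit.usfoods.com/ctt?k=PrivacyPolicy&kd=https://www.usfoods.com/privacy",
    "https://links.example-brand.com/ctt?kd=//www.digital-7.com/p",
    "https://email.example-retailer.com/r?p1=https://facebook.com",
    "https://email.example-retailer.com/r?p1=/unsubscribe",
]


def registrable_domain(host):
    """Last two labels of a hostname. Naive stand-in for a public-suffix lookup (assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def extract_redirect_target(url):
    """Return (param_name, target) for the first redirect parameter present, else None."""
    qs = parse_qs(urlsplit(url).query)
    for name in REDIRECT_PARAMS:
        if name in qs and qs[name][0]:
            return name, qs[name][0]
    return None


def is_open_redirect(url):
    """Detection: True when the link forwards the user to a host outside its own domain.

    A scheme-less but host-bearing value ('//evil.example/...') still leaves the
    domain, so the check looks at the netloc, not the scheme.
    """
    found = extract_redirect_target(url)
    if found is None:
        return False
    target = urlsplit(found[1])
    if not target.netloc:            # relative path: stays on the serving host
        return False
    serving = urlsplit(url).hostname or ""
    return registrable_domain(target.hostname or "") != registrable_domain(serving)


def flag_links(links):
    """Return the subset of links that behave as open redirects."""
    return [u for u in links if is_open_redirect(u)]


def safe_redirect_target(url, allowed_hosts, fallback="/"):
    """Remediation: resolve the redirect parameter but honour only allow-listed hosts.

    Anything else (unknown host, non-http scheme, scheme-less host) gets the fallback,
    which is what a hardened tracking endpoint should send in its Location header.
    """
    found = extract_redirect_target(url)
    if found is None:
        return fallback
    target = urlsplit(found[1])
    if target.scheme not in ("http", "https"):
        return fallback
    if (target.hostname or "").lower() not in {h.lower() for h in allowed_hosts}:
        return fallback
    return found[1]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(is_open_redirect(link), "->", safe_redirect_target(link, {"www.usfoods.com"}), link)
```

Note the asymmetry between the two halves: detection compares registrable domains, because a marketing subdomain legitimately forwards to other hosts of the same brand, while remediation uses an exact host allow-list, because the endpoint owner knows precisely which destinations it should ever emit.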
M365 login page spoofing
Silent Push has been tracking different phishing campaigns spoofing M365 login pages as final phishing pages to target enterprise users. Some of these campaigns have attempted to target our staff members as well.
Threat actors use images that impersonate notifications from Microsoft, to lure users into clicking hyperlinks embedded in image files.
We’ve observed that attackers often use legitimate websites to redirect to threat actor-controlled intermediate ‘cushion servers’, which lead to the final phishing URLs with fake Microsoft logins.
In one of the cases we investigated, the phishing emails used an ‘Undelivered Mails’ lure that prompted users to click on “Release My Messages”, triggering a series of HTTP and JavaScript redirects:
Phishing email received with “Undelivered Mails” lure.
Attacker infrastructure
To evade security solutions, threat actors use legitimate domains as an initial redirect setup. In this case, the first URL uses a subdomain from a legitimate Fortune 500 domain to use a 302 redirect to an intermediate URL hosted on frudyj.codesandbox[.]io:
From enrichment information stored in our app, we get the following details about the IP:
ASN: ASN-CHEETA-MAIL, US
Header Server: BigIP
From the HTTP server header and the cookies, we can see that the BIG-IP service is in use.
In February 2023, the BIG-IP vulnerability CVE-2023-22418 was reported: virtual servers enabled with a BIG-IP APM access policy allowed attackers to build an open redirect URL. It is possible that this vulnerability was abused in this case to redirect to an intermediate domain.
The second redirect occurs when the URL hosted on “frudyj.codesandbox[.]io” uses ‘window.location.replace’ within its JavaScript response to redirect to a phishing page hosted on “gw8aes.office-docs[.]net”:
window.location.replace function used to redirect to phishing domain
By adding an additional redirect server, threat actors ensure that the phishing domain is not visible to preliminary URL analysis by security solutions that rely on blocklists of known phishing domains.
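The chain just described, an HTTP 302 from a legitimate host followed by a JavaScript ‘window.location.replace’ on the intermediate host, is exactly why a URL scanner that only follows HTTP-level redirects stops one hop short of the phishing domain. The following is an added example written for this article, not code from Silent Push: a small chain resolver that follows Location headers and, when a response is a 200 with a script redirect in the body, extracts that target statically and keeps going. The web is replaced by an in-memory table of constructed responses so it runs offline; the first-hop hostname is a placeholder, the other two are the hostnames named in the text.

```python
import re
from urllib.parse import urljoin, urlsplit

# Matches the common JavaScript redirect idioms:
#   window.location.replace('…'), location.assign("…"), location.href = '…', location = '…'
JS_REDIRECT_RE = re.compile(
    r"""(?:window\.)?location(?:\.href)?\s*(?:=|\.replace\s*\(|\.assign\s*\()\s*['"]([^'"]+)['"]"""
)

# Constructed responses keyed by URL: (status, headers, body).
# The first hop stands in for the unnamed Fortune 500 subdomain (placeholder hostname).
FAKE_WEB = {
    "https://mail.legit-sender.example/release?id=1": (
        302, {"Location": "https://frudyj.codesandbox.io/"}, ""),
    "https://frudyj.codesandbox.io/": (
        200, {}, "<html><script>window.location.replace('https://gw8aes.office-docs.net/login');</script></html>"),
    "https://gw8aes.office-docs.net/login": (
        200, {}, "<html><body>captcha challenge</body></html>"),
}


def fake_fetch(url):
    """Stand-in for an HTTP client: returns (status, headers, body) or None if unknown."""
    return FAKE_WEB.get(url)


def next_hop(url, status, headers, body):
    """Work out where a response sends the browser next, or None if it is a final page."""
    if 300 <= status < 400 and "Location" in headers:
        return urljoin(url, headers["Location"])
    m = JS_REDIRECT_RE.search(body)
    return urljoin(url, m.group(1)) if m else None


def resolve_chain(start, fetch=fake_fetch, max_hops=10):
    """Follow HTTP and script redirects from `start`; return the list of URLs visited in order."""
    chain = [start]
    url = start
    for _ in range(max_hops):
        resp = fetch(url)
        if resp is None:
            break
        nxt = next_hop(url, *resp)
        if nxt is None or nxt in chain:     # final page, or a loop
            break
        chain.append(nxt)
        url = nxt
    return chain


def hosts_in_chain(chain):
    """Hostnames touched by the chain, in order, for blocklist or enrichment lookups."""
    return [urlsplit(u).hostname for u in chain]


if __name__ == "__main__":
    for hop, url in enumerate(resolve_chain("https://mail.legit-sender.example/release?id=1")):
        print(hop, url)
```

Swapping `fake_fetch` for a real client (with a browser-like User-Agent and a short timeout) turns this into a working resolver, but keep in mind the report's own caveat: the final hosts in this campaign sit behind a CAPTCHA, so the last URL in the chain is where automated resolution stops and a sandbox with human interaction takes over.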
The final phishing infrastructure is hosted in Cloudflare’s nameserver space and ASNs, with the registrar ‘NICENIC INTERNATIONAL GROUP CO., LIMITED’.
To evade sandbox analysis, the phishing URL attempts to validate human interaction by using CAPTCHA services before loading the actual phishing content.
CAPTCHA verification to evade Sandbox environment
Final phishing page, post CAPTCHA
Using registrar and ASN information, along with keywords typical for M365 domains, we can identify more IOCs linked to this variant of the campaign, some of which are still loading similar CAPTCHA and phishing pages at the time of writing.
Neighbouring campaigns
We’ve been tracking a similar Microsoft notification spoofing campaign using the Cloudflare CDN service.
The campaign was first observed in early 2023 and seen using domains registered at the Russian registrar ‘R01-RU’ with ‘.ru’ TLDs and using the Cloudflare CDN. The campaign was first noted on Twitter on January 10:
Twitter message by @dllhijack
Investigations into the infrastructure revealed a pattern of ‘.ru’ TLD domains involved in similar phishing campaigns.
Each domain has multiple subdomains registered, each with a 23-character random alphanumeric prefix.
Phishing operators continue to choose from a pool of subdomains registered against each domain. Silent Push Enterprise customers remain protected as we map out the length and breadth of the attackers’ infrastructure.
While initially loading without CAPTCHAs, all of the recent iterations include similar checks before loading the phishing page:
subdomain from newfiles[.]ru loading showing CAPTCHA at access
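The fixed-length random subdomain prefix noted above is a structural signature that survives the operators rotating through their pool of subdomains, so it is worth hunting on in DNS or passive DNS data rather than matching individual names. The following is an added example written for this article, not Silent Push code: it runs a label check (exact 23-character base36 label, a mix of letters and digits, high Shannon entropy) over a few constructed passive DNS lines. The log format, the thresholds, and the second parent domain are assumptions; newfiles[.]ru is the domain named in the caption, refanged so it parses.

```python
import math
import re
from collections import Counter

# Constructed passive DNS records (not real data). Format assumed: "timestamp fqdn rtype rdata".
SAMPLE_PDNS = """\
2023-01-12T10:00:01Z q3k8z1m7x9p2v5n4b6c0d8f.newfiles.ru A 104.21.10.10
2023-01-12T10:00:05Z www.newfiles.ru A 104.21.10.10
2023-01-12T10:01:09Z h7t2w9e4r1y6u3i8o5p0a2s.placeholder-domain.ru A 172.67.20.20
2023-01-12T10:02:00Z mailservernotification1.example.com A 203.0.113.5
2023-01-12T10:02:30Z cdn-assets-2023.example.com CNAME cdn.example.net
"""


def shannon_entropy(s):
    """Bits per character of the label; random base36 strings sit well above 3.5."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random_prefix(fqdn, length=23, min_entropy=3.5, min_digits=3):
    """True when the leftmost label matches the campaign's generated-prefix shape.

    min_digits filters natural-language labels that happen to be 23 characters long:
    a random base36 string of that length has about six digits on average.
    """
    label = fqdn.lower().rstrip(".").split(".")[0]
    if not re.fullmatch(rf"[a-z0-9]{{{length}}}", label):
        return False
    digits = sum(ch.isdigit() for ch in label)
    letters = length - digits
    return digits >= min_digits and letters >= min_digits and shannon_entropy(label) >= min_entropy


def parent_domain(fqdn):
    """Registered-domain approximation: everything after the first label (assumption)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[1:])


def scan_pdns(text):
    """Return [(fqdn, parent, entropy)] for records whose first label looks generated."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        fqdn = parts[1]
        if looks_random_prefix(fqdn):
            label = fqdn.split(".")[0]
            hits.append((fqdn, parent_domain(fqdn), round(shannon_entropy(label), 2)))
    return hits


if __name__ == "__main__":
    for fqdn, parent, ent in scan_pdns(SAMPLE_PDNS):
        print(f"{fqdn}  parent={parent}  entropy={ent}")
```

Grouping the hits by parent domain is the useful second step: one generated-looking label under a domain is noise, while a parent that accumulates many such labels over a short period matches the pool behaviour the text describes and is a candidate for blocking at the parent level.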
Active campaigns using other infrastructure
We’ve been tracking another active campaign hosted on different infrastructure. Similar phishing lures are used through fake Microsoft notification emails:
Microsoft-themed spoof email using Quarantine Messages lure
The above email sample contains a URL from ‘r20.rs6[.]net/tn.jsp?f=001Uz_oasaa6a5lC37PPsB9z-ZgFhC1pGp9pnfq5i9xZtMr96zXrdKn8CQ58mxOBMHls4KIJEKQYKrQLyGkOHCRdhGHDbs4LbL1gJtM7fltrQaLHqyvPgU2KFr-8phP57bDerZR8leLarR6I9RLnaPQWwm4st97ysy8PS4QDUFp0RUz8i3kKSJWR5EpJgGZl_FrFM-GZz-8rNqTXqkMoLRu4g==&c=FMZVwwhlSnT_R6bt1c-Rusd1q6UoQpgXeh7JNVlfAOelVYnB7At6tQ==&ch=I9P2kmoojtJjpthS-pAffdBgRQXjoCrnpX91-blhUzm_QvuiI-ireQ==&__=?VGLn==’, eventually leading to www;.fixedrepo365[.]art/main.
In this case, the user is also directed to an initial CAPTCHA:
Figure 9 CAPTCHA check on phishing domain if redirected from email URL
If the URL is accessed directly, the user is redirected to a benign office[.]com page.
The threat actors are likely checking the redirection path before loading the phishing content, based on the input they expect to receive from the preceding redirect URL on the rs6[.]net domain.
That input is the base64-encoded string at the end of the URL shared earlier (redacted for security reasons). When the redirect arrives with the expected email address input, and the user passes the CAPTCHA above (likely placed there to evade sandboxes), the phishing domain opens a URL with the fake Microsoft SSO login page:
Fake MS Login page
This type of evasion and the CAPTCHA check are mentioned by Microsoft in their finding about the distribution of ‘AiTM Phish kits’. It appears as though threat actors continue to successfully deploy the technique with new domains and new infrastructure.
The phishing domain in this case (ww-wfixedrepo365[.]art) uses the dnsowl[.]com nameservers and the NameSilo registrar. By investigating the infrastructure, we were able to identify other IPs, i.e. 37.120.234[.]53 and 209.141.60[.]219, and domains using Microsoft- and Office-themed keywords in their names.
Phishing infrastructure on 37.120.234[.]53
Phishing infrastructure hosted on 209.141.60[.]219
The complete domain IOC list is available to our enterprise customers.
Conclusion
Phishing attacks continue to pose major security risks to organizations of all shapes and sizes. Threat actors are continually adopting new evasion techniques to improve success rates and avoid detection from security vendors, through multiple layers of legitimate redirections, CAPTCHA verifications, and cloaking final URLs.
Silent Push uses enriched threat intelligence and a variety of early detection tools to capture campaign IoCs at source, across a broad range of TTPs, and combat attacker infrastructure before it’s weaponized.
The contents of this report were uncovered using the Silent Push platform.
Sign up for our free Community App to take advantage of our vast array of threat defense tools.
Below is a partial list of IOCs related to the campaign. The full list is accessible to enterprise subscribers of the Silent Push App as part of our threat intel feeds.
We’ve been monitoring the activity of a Kurdish hacktivist collective called 1877 Team.
A Medium article from 2021 picked up on the group’s earlier exploits, but little public information is available on the threat actor’s exploits.
The author of the article claimed the hackers are “(….) unethical, childlike, and pointless (…), nothing more than a mild inconvenience”.
The Silent Push Threat Intel Team has conducted extensive research to establish if that assessment still holds true.
We’ve discovered that the group’s methods and techniques have evolved to become more sophisticated, and instead of being dismissed as frivolous, their actions should be considered as an emerging threat to a range of organizations.
Motives and methods
The 1877 Team are a hacktivist collective that was founded in July 2021 by a small group of Iraqi Kurds.
The hackers initially developed and distributed modified versions of the popular mobile game PUBG, but over time, the group’s activity became significantly more complex, as well as politically driven.
Within the past year, the 1877 Team has claimed responsibility for large doxxing campaigns, website defacements, DDoS attacks, and attacks on the servers and databases of national governments, universities, telecommunication companies, defense organisations, and IT corporations.
The primary targets are situated in the Middle East, but African, Asian, and Western organizations have also been affected. The 1877 Team’s self-proclaimed goals include pressuring governments, spreading public dissent, and gaining notoriety amongst their fellow criminals.
The group has amassed a significant social media following, with 12,000 members on their Telegram channel alone. Hacking tips, exploit scripts, and stolen data are all shared and discussed. The hacktivists also manage a curated presence on TikTok, Twitter, Facebook, Instagram, and YouTube.
The 1877 Team operates a social media service, a defacement exposure website, and a dark web forum for trading exploits, malware, and stolen information, or for seeking advice for launching cyber attacks.
The group has established close links to skilled hacktivist collectives such as Anonymous, AnonGhost (a pro-Palestinian/anti-Israeli hacktivist group), and ALtahrea (a pro-Iran hacktivist group).
Attack vectors and cybercriminal activity
The 1877 Team focuses on two simple techniques to gain access to foreign infrastructure:
scans of web pages for particular vulnerabilities;
brute-forcing administrator credentials.
Targets include political entities and popular software/services. Their attacks often involve website defacements, DDoS attacks, and leaks of sensitive information.
The group carries out extensive recon to explore vulnerabilities, not all of which are immediately exploited.
Security gaps of organizations and institutions that are not primary targets are collected in large batches and sold or offered for trade on the group’s Telegram channel and dark web forum.
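Of the two access techniques listed above, brute-forcing administrator credentials is the one that leaves the clearest trace on the victim's side, and the group's tooling (WordPress brute-force functions, sold cPanel and WordPress administrator credentials, described further below) points at web login endpoints. The following is an added example written for this article, not code from Silent Push or from the group: a detector that runs over constructed Apache-style access log lines, counts failed POSTs to the WordPress login endpoints per source IP inside a sliding window, and flags a subsequent redirect from the same IP as a possible success. The IPs, timestamps, window and threshold are constructed for the example; the status-code convention (WordPress re-renders the form with a 200 on a failed login and answers a successful one with a 302 to the dashboard) is standard WordPress behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints brute-force tooling hammers on WordPress (xmlrpc.php allows multi-call guessing).
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def make_sample_log():
    """Constructed sample: 12 rapid failures then a success from one IP, one normal login from another."""
    base = datetime(2023, 2, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(12):
        t = (base + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.7 - - [{t}] "POST /wp-login.php HTTP/1.1" 200 4512')
    t = (base + timedelta(seconds=26)).strftime(TS_FMT)
    lines.append(f'198.51.100.7 - - [{t}] "POST /wp-login.php HTTP/1.1" 302 0')
    t = (base + timedelta(seconds=40)).strftime(TS_FMT)
    lines.append(f'203.0.113.9 - - [{t}] "POST /wp-login.php HTTP/1.1" 302 0')
    lines.append(f'203.0.113.9 - - [{t}] "GET /wp-admin/ HTTP/1.1" 200 8800')
    return "\n".join(lines)


def parse(line):
    """Parse one access log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def max_in_window(times, window_seconds):
    """Largest number of timestamps that fall inside any window of the given length."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        while times[i] - times[j] > timedelta(seconds=window_seconds):
            j += 1
        best = max(best, i - j + 1)
    return best


def detect(log_text, window_seconds=60, threshold=10):
    """Return one alert dict per source IP whose failed-login burst reaches the threshold."""
    per_ip = defaultdict(lambda: {"failures": [], "success_after": False})
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["method"] != "POST" or rec["path"].split("?")[0] not in LOGIN_PATHS:
            continue
        state = per_ip[rec["ip"]]
        if rec["status"] == 200:            # failed attempt: form re-rendered with an error
            state["failures"].append(rec["ts"])
        elif rec["status"] == 302 and len(state["failures"]) >= threshold:
            state["success_after"] = True   # redirect to the dashboard after a burst of failures
    alerts = []
    for ip, state in per_ip.items():
        burst = max_in_window(state["failures"], window_seconds)
        if burst >= threshold:
            alerts.append({"ip": ip, "failed_attempts": len(state["failures"]),
                           "burst": burst, "possible_success": state["success_after"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(make_sample_log()):
        print(alert)
```

The `possible_success` flag is the one to page on: a burst of failures is routine background noise on any exposed WordPress or cPanel host, but a redirect to the admin area from the same source right after such a burst means a credential has been guessed and the account needs a reset and a session review.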
The 1877 Team operates several marketplaces for selling hijacked infrastructure, modified malware, and hacking tools. The items on offer include hacked accounts for popular streaming services and bug bounty platforms, stolen credit cards, exploits and zero-day vulnerabilities, and hacking tools such as:
DDoS tools.
WordPress brute force functions.
CVE mass scanning scripts.
Security/2FA bypassers.
Modified malware and spyware.
Marketplace examples and timeline
July 2021 – October 2022
Sold/offered PUBGM in-game cheats and modifications (MODs)
November 2022 – December 2022
Hijacked and sold/offered accounts for entertainment platforms such as Netflix and Onlyfans, and the bug bounty hunting platform HackerOne.
Sold stolen/fake credit cards.
Hacked and sold thousands of cPanel and WordPress administrator credentials.
Developed and shared a multi-vulnerability exploit for iOS.
Hijacked the webmail service of an undisclosed government.
Advertised security and 2FA bypasses for Metamask and Paypal.
Scanned for IoT devices behind unpatched Fortinet firewalls, susceptible to a vulnerability disclosed in October 2022.
February 2023
Sold web shells targeting government servers.
Sold a zero-day-vulnerability exploit targeting WordPress plugins.
Political affiliations and activity
The 1877 team appears to consist of around a dozen Iraqi-Kurdish teenagers/young adults.
Founder (alias): Overthinker1877
Social Media: @0x1877 @Ameer1877
Co-founder (alias): CodeBoy1877
Social Media: @x1877x @CodeBoy1877x
The group’s activity is strongly dictated by its prevailing political views and affiliations. These appear volatile and at times contradictory.
Hacktivism examples and timeline
Israel/Palestine
The 1877 Team’s social media posts and hacking activity indicate that they are Palestinian-aligned.
The group is affiliated with AnonGhost, a pro-Palestinian/anti-Israeli hacktivist group whose activity “(…) has primarily involved defacing websites with anti-western, anti-Israel and anti-Semitic messages”, as stated by The Anti-Defamation League.
Note: Although AnonGhost “has always been associated with Anonymous (…), the group has stated multiple times that they are not part of Anonymous, but instead just support some of what Anonymous stands for”, as Binary Defense reinforces on their blog.
June 2022
Hijacked the Palestinian government’s electronic complaints system but abstained from damaging the home page or data.
Attacked the servers of Cellebrite, an Israeli Digital Intelligence company, in partnership with the hacking group ALtahrea.
August 2022 – October 2022
Conducted DDoS attacks on several Israeli websites.
Iran
November 2022
Claimed to have gained access to the reconnaissance drone aircraft control systems used by Iraqi Shiite militiamen, operating under the Popular Mobilization Forces.
February 2023
Claimed to have hacked the entire databases of AsiaCell, an Iraqi telecom company, and Zain IQ, an Iraqi network and internet provider.
March 2022
Exposed the personal information of Iranian citizens.
April 2022
Defaced numerous Iranian websites.
Kurdistan
January 2023
Started targeting Kurdish government entities and organizations after allegedly being arrested by the Kurdistan Anti-Terrorism Department. (Note: We see no evidence that the group targeted Kurdish entities before 2023.)
Leaked databases from the Kurdish Ministry of Justice, Ministry of Interior, and Traffic Police.
February 2023 – March 2023
Asked for data from Korek Telecom, an Iraqi Kurdish mobile phone operator company, in return for data from AsiaCell, an Iraqi telecommunications company.
Claimed to have breached Korek Telecom.
Leaked more information from the previously compromised databases from the Kurdish Ministry of Justice, Ministry of Interior and Traffic Police.
Conducted a DDoS attack against the Kurdish Parliament website.
Leaked login credentials for Rudaw Media Network, a Kurdish media group.
Turkey
January 2023
Defaced the Turkish government’s websites.
February 2023
Continued to deface the Turkish government’s websites.
Claimed to have breached a server owned by the Turkish government.
Russo-Ukrainian War
The group’s recent social media interactions indicate they are Russia-aligned.
March 2022
Hacked a Ukrainian website but abstained from defacing the page, claiming “not to be against Ukraine”.
August 2022
Teamed up with ALtahrea and conducted several defacements against Ukrainian websites following the assassination of Darya Dugina.
December 2022
Retweeted a link to a Medium blog, where Twitter user “Cyber Known” claims The 1877 team was Pro-Russia.
African, Asian, and Western countries
The group claims to have defaced various infrastructure outside of the Middle East, including the websites of Donald J. Trump, CRDB Bank, the Philippines Government, and the Nigerian, Honduran, Indian, and Venezuelan Governments.
These attacks are confirmed and can be viewed on archive[.]org.
The group also claims to have carried out additional unverified attacks, such as defacement of the Berkeley University website earlier this year, and being linked to an alleged breach of Vodafone, possibly in Albania.
Group infrastructure
Public infrastructure
All subdomains/domains are currently hosted on 185.11.145[.]254.
We’ve not yet discovered any noteworthy information on other IP addresses that previously hosted these subdomains/domains.
1877[.]to – English-speaking underground forum
1877[.]team – Kurdish-speaking underground forum
1877[.]krd – Kurdish-speaking blog
zone.1877[.]team – defacement archive website
social.1877[.]team – social media platform
tube.1877[.]to – video sharing platform
shop.1877[.]to – hacking tools marketplace
tools.1877[.]to – free hacking resources
Exposed infrastructure
The threat actor briefly exposed an IP address containing malware samples, exploit panels, log files, and other data.
Pivoting on the IP address’s SSL certificate returned related infrastructure.
Malware samples
The samples on the open directory were Redline Stealer, RemCos RAT, and ClipBanker.
All samples attempt to connect to the same C2 servers:
C2 IPs
203.156.136[.]113
5.206.227[.]115
C2 domains
hawler.duckdns[.]org
overthinker1877.duckdns[.]org
Searching the hashes on VirusTotal showed that several scanners picked up these samples this month, with the last submission date only a few days before the publication of this article, indicating that the threat actor is actively launching malicious campaigns.
Log file
The entries in the log file result from a PHP cookie stealer — (…)/xss/cookielogger[.]php — that the attackers use in XSS injections.
The file displays hundreds of IP addresses from potential victims, but the cookie values are missing and likely stored using a different method.
Takeaways
The 1877 Team does not yet qualify as an Advanced Persistent Threat. Though the group’s malicious activity has broadened in scope, it is uncertain how disruptive and successful these attacks have been.
The group continuously improved its tactics and implemented numerous new attack vectors. If this behaviour continues, their threat level and reputation will likely increase over time.
It’s impossible to predict whether this threat actor will evolve into an adversary capable of launching sophisticated attacks such as ransomware and cyber espionage, and if so, when. However, given the group’s public presence and close relationship with more advanced entities, the resources and knowledge needed to develop these attack vectors are within reach.
Silent Push categorizes the 1877 Team as an emerging threat that is worthy of attention. The hackers appear intent on positioning themselves as a notable menace, and will likely continue operations that further this goal.
The contents of this report were uncovered using the Silent Push platform.
Sign up for the free Community App to take advantage of our vast array of threat defense tools now.
We’ve created a custom feed tracking the 1877 Team’s activity and infrastructure. Silent Push Enterprise Users can search and monitor the IOCs related to this threat actor using the tag sp-blog-2023-05-01.
View our complete list of available threat feeds here.
Cloud-based solutions and third-party SaaS are a go-to for startups and large enterprises alike. With their popularity on the rise, we want to talk about the role they play in helping threat actors bypass companies’ security efforts and threat monitoring.
This article outlines the inherent risk of adding third-party services to your tech stack, and the measures you can take to appropriately safeguard your infrastructure and assets.
How threat actors use your third-party apps against you
Signing up for a SaaS product immediately increases your company’s attack surface. Platforms lacking basic security measures such as 2FA pose a particular risk to their clients, but any third-party addition to your tech stack creates new angles of attack for threat actors to take advantage of.
By targeting your enterprise through your third-party platforms, threat actors exploit vulnerabilities that are often neglected by internal security efforts, but which are nevertheless linked to your infrastructure and assets.
Supply-chain attacks, email takeovers, subdomain takeovers, and brand impersonation are the most common attack vectors used for harming your enterprise via a connected third party:
Supply chain attacks
Supply chain attacks spread viruses and other malicious code via a company’s third-party software, often hidden behind system updates. Attackers commonly place malware within source code that then spreads the malicious content to trusted apps and systems.
This type of attack is difficult to track, and a single piece of compromised software is enough to propagate malware across an entire supply chain. Threat actors can additionally use stolen certificates to make it easier for the code to pass as legitimate.
Malware attacks are used to damage your infrastructure, steal or withhold your information, enable broader security breaches, and more.
Email & subdomain takeovers
Threat actors gaining control over a third party’s subdomain (or subdomains) can use these to host malicious content, gain control of sensitive information, steal cookies, hijack SSO sessions, and more.
Compromised subdomains are hard to spot. The related apex domains are known and trusted, and threat actors often obtain SSL certificates to add to the perceived legitimacy.
Threat actors hijack emails and email servers to spread fraudulent content in the name of known and trusted senders. Since these emails stem from otherwise legitimate contacts, they can easily bypass security filters. They are especially difficult to identify when the threat actors imitate the content and tone of previous email traffic.
Compromised emails are commonly used to request employees’ personal information, spread malicious links, send fraudulent invoices, and more.
Third-party impersonation
Threat actors often impersonate legitimate brands and companies to obscure malicious intent and activity. Third-party platforms along an enterprise’s supply chain are a popular target for these impersonations.
Impersonation attacks follow a similar pattern to email and subdomain takeovers, only that the third party’s infrastructure is imitated, rather than directly breached. Spoofed and typosquatted domains are used for both fraudulent pages and malicious emails. Content, copy, and visuals can be made to further imitate the targeted third party, and make the fakes more convincing.
As above, these fraudulent emails and pages are used to harvest credentials, commit invoice fraud, open the door for further attacks, and more.
Domain impersonations of microsoft[.]com
Email impersonations of microsoft[.]com
Security best practices
Adding your third-party infrastructure to your threat framework allows you to keep the ball in your court. Rudimentary security hygiene and best practices significantly reduce the risk stemming from platforms and SaaS you’ve made part of your tech stack, or want to.
Assess vulnerabilities beforehand
Some SaaS platforms are quickly identifiable as liabilities to their potential clients. Vulnerabilities that are easy to spot for you are also evident to threat actors and should be taken into consideration when assessing a platform or service.
Check for two-factor authentication
Before signing up for a platform, check if they offer 2FA. Two-factor authentication is a minimum safety standard for any platform or service. Threat actors have a nearly endless toolset for stealing login credentials — without 2FA, a stolen password and email address are all that is needed to infiltrate your third party’s infrastructure and spread attacks along the entire length of your supply chain.
Scan for dangling DNS
Companies that allow subdomains to expire without removing the DNS records pointing at them make themselves vulnerable to subdomain takeovers, and to vast infrastructure/data compromises from there on out. These so-called dangling DNS records can be easily spotted by outsiders, and you should scan for them before signing up for a new platform. On the Silent Push App, the Xperimental-PADNS Report on Dangling Records audits a given domain name for dangling records. The query returns all dangling DNS records — type A, NS, MX, or all — that were created, removed, or left unchanged in the past 7 days for the given domain name and its subdomains. This allows your security team to quickly identify infrastructure susceptible to takeover by malicious actors.
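The audit described above, as an added example that is not Silent Push code: it walks an exported zone and reports the record types the text names (CNAME, A, NS, MX) whose targets no longer exist or point outside the organization’s address space. The zone, the owned address set and the resolver answers are constructed, and the resolver is injected so the check runs offline.

```python
"""Dangling DNS audit over an exported zone.

Added example, not Silent Push code. Walks a zone's records and flags the
takeover patterns described above: CNAMEs whose targets no longer exist,
A records pointing at addresses the organization no longer controls, and
NS/MX records whose hosts no longer resolve. The resolver is injected so
the audit runs offline against constructed data; in production the same
signature can wrap a real lookup (e.g. dnspython).
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set


@dataclass(frozen=True)
class Record:
    name: str    # owner name, e.g. "status.example.test"
    rtype: str   # "A", "CNAME", "NS" or "MX"
    value: str   # address or target hostname


@dataclass(frozen=True)
class Finding:
    record: Record
    reason: str


# Resolver contract: answers for (name, rtype); [] for NODATA; None when the
# name does not exist at all (NXDOMAIN), which is the dangerous case here.
Resolver = Callable[[str, str], Optional[List[str]]]


def audit_zone(records: List[Record], resolve: Resolver, owned_ips: Set[str]) -> List[Finding]:
    findings = []
    for rec in records:
        if rec.rtype == "CNAME":
            # Classic takeover candidate: whoever can claim the target name
            # (an abandoned SaaS tenant, for instance) now serves content
            # under the organization's own hostname.
            if resolve(rec.value, "A") is None:
                findings.append(Finding(rec, "CNAME target does not resolve"))
        elif rec.rtype == "A":
            # An address outside known allocations is likely a released cloud
            # IP that can be handed to a stranger on their next deployment.
            if rec.value not in owned_ips:
                findings.append(Finding(rec, "A record points outside owned address space"))
        elif rec.rtype in ("NS", "MX"):
            # A delegation or mail host that no longer exists can be re-registered
            # and used to answer for, or receive mail for, the zone.
            if resolve(rec.value, "A") is None:
                findings.append(Finding(rec, f"{rec.rtype} target does not resolve"))
    return findings


# Constructed zone for the fictitious "example.test" (hypothetical names).
SAMPLE_ZONE = [
    Record("www.example.test", "A", "198.51.100.10"),
    Record("status.example.test", "CNAME", "example-status.saas-vendor.test"),
    Record("help.example.test", "CNAME", "example.helpdesk-vendor.test"),
    Record("old-app.example.test", "A", "203.0.113.77"),
    Record("example.test", "MX", "mail.example.test"),
    Record("partners.example.test", "NS", "ns1.former-partner.test"),
]
OWNED_IPS = {"198.51.100.10", "198.51.100.11"}

# Constructed answer table standing in for live DNS; anything absent NXDOMAINs.
ANSWERS = {
    ("example-status.saas-vendor.test", "A"): ["192.0.2.20"],
    ("mail.example.test", "A"): ["198.51.100.11"],
}


def fake_resolve(name: str, rtype: str) -> Optional[List[str]]:
    return ANSWERS.get((name, rtype))


def dangling_names(records=SAMPLE_ZONE, resolve=fake_resolve, owned=OWNED_IPS) -> List[str]:
    """Sorted owner names with at least one finding (used by the demo and tests)."""
    return sorted({f.record.name for f in audit_zone(records, resolve, owned)})


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE, fake_resolve, OWNED_IPS):
        print(f"{f.record.name:24} {f.record.rtype:5} {f.record.value:34} {f.reason}")
```

Running the audit daily and diffing the findings against the previous run gives the created/removed/unchanged view the report described above provides.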
Investigate open directories
Open directories are publicly accessible web directories that do not require authentication or access control to view the files within them. Lax security measures and information mismanagement go hand in hand, and it is not uncommon for companies to store critical data in freely accessible files. Much like threat actors, you can scan for a third party’s open directories and investigate the information they contain. On the Silent Push App, the Open Directories query allows you to locate all open directories within a given network/IP address, or to search for specific files across all IPs, either by name or regex. Before signing up for a platform, your security team should perform an open directory search to assess whether critical information is freely available for threat actors to steal and abuse.
Open directory example with exposed sensitive information
Manage your infrastructure
Keep an eye on your existing third-party services to track the true borders of your infrastructure. Unused applications should be removed from your tech stack, and platforms with obvious safety concerns replaced with more appropriate alternatives.
Track infrastructure associated with you
Manually kept logs of your third-party services are prone to inaccuracy, more so as your company grows in size and headcount and your departments start autonomously signing up for platforms to support their operations. Over time, your associated infrastructure becomes hidden and vulnerable to attacks. Creating an automated, centralized dashboard of your related third-party infrastructure removes dangerous unknowns. On the Silent Push App, the Discover Shadow IT query uncovers related infrastructure by returning subdomains set up in your name by your third-party services. This allows you to see which parts of your supply chain are easily visible to threat actors, and likely entry points for attack.
Educate and train your teams
Human error is the most common cause of security breaches. Employee education makes a noticeable impact on the safety of your infrastructure. Train your departments on the risks associated with third-party infrastructure, and have potential sign-ups to new platforms assessed and sanctioned by your security team. Ensure that all employees adhere to basic security standards such as using 2FA for all services, maintaining and updating strong passwords, not sharing sensitive emails on suspicious channels, etc.
Create fail-safe scenarios
Outlining how a third-party breach would impact internal systems is part of a cohesive strategy for protecting organization data and assets. Start by identifying which parts of your infrastructure would be immediately affected by a breach and whether they are closely nested within other systems. Implement fail-safe mechanisms and consider how you could minimize an attack’s collateral damage, for instance by isolating core system resources or encrypting sensitive data. Periodically re-evaluate the security controls in place to avoid having your data extracted or erased as a consequence of a third-party compromise.
Monitor your full attack surface
Monitor your third-party apps as part of your expanded attack surface to quickly spot suspicious activity on the periphery of your infrastructure.
Scan for impersonation
Typosquatted domain and subdomain names of your third-party platforms are common indicators of impersonation and spoofing. You can use them as entry points for more extensive investigation and prompt countermeasures. On the Silent Push App, the DomainImpersonation recipe identifies typosquatted domains of your trusted third-party services and enables you to proactively block any traffic stemming from them. Similarly, the Autospoofing query tracks and lists likely impersonations of your third party’s emails, allowing you to block these as well. Set up daily monitors for both lookups to be automatically notified of any new domain and email impersonations. Exclude benign infrastructure from your searches and filter your results to remove false positives and attain more accurate tracking.
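The kind of check described above, as an added example that is not the Silent Push DomainImpersonation recipe: given the brands you rely on and an allowlist of their real infrastructure, it flags newly observed domains that reuse a brand on another TLD, spell it with look-alike characters, embed it in a label, sit within a small edit distance of it, or use it as a subdomain of an unrelated apex (the naming pattern the Facebook campaign below relies on). Brand list, allowlist and observed domains are constructed; the public-suffix handling is a simplification.

```python
"""Spotting impersonations of trusted third-party brands in newly seen domains.

Added example, not Silent Push's DomainImpersonation recipe. Flags domains
that reuse a brand as a subdomain of an unrelated apex, embed it in a label,
spell it with look-alike characters, or sit within a small edit distance of
it, and skips an allowlist of infrastructure known to be benign.
Simplification (assumption): the registrable name is taken to be the label
before the last one, so public suffixes such as "co.uk" are not handled.
"""
from typing import Iterable, List, Optional, Tuple

# Digits and letter pairs commonly substituted for Latin letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b", "9": "g"})
PAIRS = (("rn", "m"), ("vv", "w"))


def normalize(label: str) -> str:
    s = label.lower().translate(HOMOGLYPHS)
    for pair, repl in PAIRS:
        s = s.replace(pair, repl)
    return s.replace("-", "")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: a transposition counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain: str, brands: Iterable[str], allowlist: Iterable[str]) -> Optional[Tuple[str, str, str]]:
    """Return (domain, brand, technique) when the domain looks like an impersonation."""
    domain = domain.lower().rstrip(".")
    if any(domain == a or domain.endswith("." + a) for a in allowlist):
        return None  # known-good infrastructure, e.g. the brand's real apex
    labels = domain.split(".")
    if len(labels) < 2:
        return None
    subs, apex = labels[:-2], labels[-2]
    napex = normalize(apex)
    for brand in brands:
        nb = normalize(brand)
        if apex == brand.lower():
            return (domain, brand, "brand name on an unexpected TLD")
        if napex == nb:
            return (domain, brand, "look-alike characters or hyphenation")
        if len(nb) >= 4 and nb in napex:
            return (domain, brand, "brand embedded in the registrable label")
        if osa_distance(napex, nb) <= (1 if len(nb) < 8 else 2):
            return (domain, brand, "near-miss spelling")
        # The brand (possibly with trailing digits) as a subdomain of a throwaway apex.
        if len(nb) >= 4 and any(nb in normalize(s) for s in subs):
            return (domain, brand, "brand used as a subdomain of an unrelated apex")
    return None


def scan(domains: Iterable[str], brands: Iterable[str], allowlist: Iterable[str]) -> List[Tuple[str, str, str]]:
    brands, allowlist = list(brands), [a.lower() for a in allowlist]
    return [hit for hit in (classify(d, brands, allowlist) for d in domains) if hit]


# Constructed inputs: hypothetical .test names modelled on patterns in the article.
BRANDS = ["microsoft", "paypal", "tiktok", "siliconvalleybank"]
ALLOWLIST = ["microsoft.com", "paypal.com", "tiktok.com", "svb.com"]
OBSERVED = [
    "login.microsoft.com",             # benign: under an allowlisted apex
    "example.test",                    # benign: unrelated
    "microsoft.test",                  # brand on another TLD
    "paypa1.test",                     # digit 1 for letter l
    "mircosoft.test",                  # transposition
    "micros0ft-login.test",            # brand embedded, with homoglyph
    "tiktok.e09rg.test",               # brand as subdomain of an unrelated apex
    "tiktok28.ykw3.test",              # same, with trailing digits
    "siliconvalleybank-refunds.test",  # event-themed embedding
]

if __name__ == "__main__":
    for domain, brand, technique in scan(OBSERVED, BRANDS, ALLOWLIST):
        print(f"{domain:34} {brand:18} {technique}")
```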
Tailor your threat predictions
Since it is impossible to closely monitor all of the internet’s activity, threat prediction tools give additional weight to suspicious movement in close proximity to a given organization. Marking your third-party solutions as part of your infrastructure enables your security teams and tools to better predict and monitor the likely entry points for attacks on your enterprise. On the Silent Push App (Enterprise Subscription), adding your Supply Chain Domains to your trusted Organization Assets improves the tailored threat prediction given for known IOCs. This increases their threat scores visible on the Threat Ranking Page and allows you to counteract suspicious infrastructure before it is activated for malicious campaigns.
Organization Assets
Filtered Threat Ranking page showing IoCs similar to Organization Assets
Takeaways
SaaS and third-party solutions are an integral part of the digital landscape and are often crucial to companies’ operations and growth. Be it to provide cost-efficient scalability, or to allow more agile management, there are many good reasons to keep SaaS platforms as a part of your tech stack.
Third-party solutions are not inherently dangerous. The risk associated with them stems from security tools and frameworks that fail to integrate associated infrastructure into threat management efforts. Correctly using tools like the Silent Push App allows you to make the most out of SaaS and third-party solutions without creating unnecessary risks to your enterprise’s security.
Take advantage of Silent Push’s vast array of threat defense tools by signing up for our free Community App.
Phishing campaigns are a dime a dozen, but that doesn’t make them any less dangerous for the individuals and organizations affected by them.
Our Threat Intelligence Team recently discovered a campaign targeting social media users on Facebook Messenger, so we decided to take a closer look at the threat actor’s tactics, and the infrastructure used.
Enterprise risk
Whilst phishing attacks are often considered a consumer threat, many campaigns specifically target organizations and their supply chains.
Enterprises especially overlook vulnerabilities native to mobile and social media, either because they occur in employees’ personal networks or because they aren’t overtly linked to an organization’s overall security.
Large-scale threats caused by phishing attacks include:
compromised accounts used as an entry point to target employees further along the org chart and supply chain;
hijacked social profiles used to create reputation damage or leak sensitive information;
employee data opening the door for further attacks such as invoice fraud or malware propagation.
Attack Vectors
Fraudulent DMs
In the campaign we discovered, threat actors send phishing links to the contacts of previously compromised Facebook accounts.
These DMs include a short message referring to what appears to be a linked video. Whilst the domains contained within these links use differently themed typosquatting attack vectors (based on the phrase “tiktok”, for example), the content they preview is made to look like a Facebook post:
“Is that you in the film?” Example of a phishing message disguised as a contact’s DM
The link’s content previews as a video on Facebook
Clicking the phishing link sends users to a fake Facebook login page, seemingly to access the video in question.
When users enter their credentials, the data is forwarded to the threat actors, who access the user’s account for malicious purposes and to propagate the campaign via the victim’s Facebook contacts:
This fake login page is designed to steal your Facebook credentials
Those falling for the scam are left in the dark and are either shown an infinite loading screen, or a notification saying that a wrong password was entered.
Exploring the Domain Infrastructure
Investigating the campaign revealed that the initial IoC domain tiktok.e09rg[.]cloud was registered with Porkbun late last year and hosted on 69.57.163[.]217, an IP address in the Namecheap ASN (22612) with multiple domains associated with the campaign pointing at it:
Domains hosted on 69.57.163[.]217
By tracking similar threat activity in different autonomous systems and using content similarity techniques, we were able to track additional phishing domains deployed by the threat actors. The domains in question, as well as all other relevant IOCs, are listed at the end of the article.
We found that the domains associated with the campaign all contain the words “tiktok”, “video”, or “photo”, and searched for infrastructure displaying the same naming conventions. This uncovered other malicious IPs such as:
Domains hosted on 190.92.189[.]249 showing the same naming pattern as on 69.57.163[.]217
These domains all point toward the same fake login page when accessed on mobile:
Same fake login page as above, different domain: video.tv1d30[.]sbs
Platform-specific threat
The campaign’s initial infrastructure suggested that it was designed to harvest mobile users’ Facebook credentials. Desktop users and users in certain locations are instead redirected away from the fake login pages.
Fake bicycle brand
We found most domains pointing to the landing page of a non-existent bicycle brand when accessed on desktop. The page has no functionality and only displays partial and repetitive information about the mock-up brand. It didn’t take much work for us to discover that the page is a free template taken from Dribbble.
Though this decoy page doesn’t create any damage on its own, it helps to hide the scam from automated threat scanners and users within the wrong target audience, increasing the lifespan of the phish before it is noticed at scale, and reported.
Fake bicycle brand landing page shown to desktop users — switches back to the fake login page when viewed on mobile
Original Dribbble template
Ad-ware extensions
The phishing domains are geo-blocked and redirect users away from the fake login pages depending on their location.
Users accessing the phishing links from Singapore, for example, are sent to buzzonclick[.]com.
This domain redirects to different fake ad blocker extensions each time it is accessed. These extensions are known adware platforms that perform a variety of harmful actions when downloaded, including:
populating websites with additional ads;
unexpectedly redirecting users to different websites;
forcing the use of unwanted browser engines.
To appear more legitimate, the fake adblockers are installed via the official Google web store, some with over 90k registered downloads and a 4/5 star rating. Further research revealed related adware such as:
adblocker-sentinel[.]net
globaladblocker[.]com
adfreewatch[.]info
Example of one of the fake ad blockers in question: “Clean-Blocker”
Another fake ad blocker called “Ad Block One”
“Ad Block One” on the official Google web store
An extension with an incomplete domain setup
Redirects to YouTube
We found that some domains also redirect some mobile users based on their location:
Redirect to a popular music video via video3w[.]com/16751921325rpQpSopczqLtIaPdZKWG-bB7SeTbtDoIMd0jpjZAUjO5
Since the threat campaign is directed at mobile users, the above may be a temporary decoy or placeholder for further attacks.
Fake desktop login
As the campaign evolved, we discovered some domains displaying the fake Facebook login on desktop as well as on mobile, such as tiktok28.ykw3[.]com:
Fake login with same functionality as mobile counterparts
The domain is hosted on 170.10.160[.]83, where we uncovered more than 5000 other domains related to this campaign.
Tracking content and activity similarities uncovered related IoCs such as 190.92.189[.]251, which hosts 3retc[.]com and its subdomain tiktokl.3retc[.]com.
Optimizing for location and user agents
Whilst still launching at scale, phishing campaigns are increasingly deploying geo-blocking and mobile optimization tactics to home in on specific target groups.
Threat actors are focusing on these TTPs for numerous reasons:
It saves resources otherwise wasted on suboptimal targets.
It increases effectiveness within the right audience.
It reduces the attention drawn to the campaign and increases its longevity.
Except for the third point, this is the same thinking that digital marketers use when localizing the content and language of their ad campaigns and optimizing them for an increasingly mobile landscape.
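The behaviour described in this section (a decoy for desktop users, a credential form for mobile users, and geo-based redirects elsewhere) is what a scanner has to see through. As an added example that is not Silent Push code, the check below compares what the same lure URL returned to several client profiles and reports credential forms, divergent redirect targets and content that differs between profiles on the same host. The profiles, hosts and HTML responses are constructed.

```python
"""Detecting user-agent and geo cloaking in a phishing lure.

Added example, not Silent Push code. A scanner fetches the same lure URL
under several client profiles (constructed here: desktop and mobile from
one country, mobile from another) and compares what came back: which
profiles received a credential form, whether the redirect chain ends on
different hosts, and whether two profiles that landed on the same host
were shown unrelated pages. Any of these is the signature of the
decoy-for-the-wrong-audience behaviour described above.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urlparse


@dataclass
class Probe:
    profile: str    # e.g. "desktop-us", "mobile-us", "mobile-sg"
    final_url: str  # URL after following all redirects
    body: str       # HTML body returned to that profile


class _Features(HTMLParser):
    """Counts password inputs and collects visible text for comparison."""
    def __init__(self) -> None:
        super().__init__()
        self.password_inputs = 0
        self.text: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.lower())


def word_set(body: str) -> Set[str]:
    p = _Features()
    p.feed(body)
    return set(re.findall(r"[a-z]{3,}", " ".join(p.text)))


def has_credential_form(body: str) -> bool:
    p = _Features()
    p.feed(body)
    return p.password_inputs > 0


def jaccard(a: Set[str], b: Set[str]) -> float:
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def assess(probes: List[Probe], threshold: float = 0.3) -> Dict:
    hosts = {p.profile: urlparse(p.final_url).hostname for p in probes}
    words = {p.profile: word_set(p.body) for p in probes}
    credential_profiles = sorted(p.profile for p in probes if has_credential_form(p.body))
    divergent = []
    profiles = sorted(hosts)
    for i, a in enumerate(profiles):
        for b in profiles[i + 1:]:
            # Same final host but unrelated content is cloaking by client profile;
            # different hosts are already reported via the redirect check.
            if hosts[a] == hosts[b]:
                sim = jaccard(words[a], words[b])
                if sim < threshold:
                    divergent.append((a, b, round(sim, 2)))
    return {
        "credential_profiles": credential_profiles,
        "redirect_hosts": hosts,
        "divergent_pairs": divergent,
        "cloaked": bool(divergent) or len(set(hosts.values())) > 1,
    }


# Constructed responses (hypothetical .test hosts, not the article's indicators).
LURE = "https://video.lure-example.test/v/123"
PROBES = [
    Probe("desktop-us", LURE,
          "<html><head><title>Velo Co.</title></head><body><h1>Velo Co. Bicycles</h1>"
          "<p>Handmade frames for every road.</p><a href='#'>Shop</a></body></html>"),
    Probe("mobile-us", LURE,
          "<html><head><title>Log in</title></head><body><form method='post' action='/login.php'>"
          "<input name='email' type='text'><input name='pass' type='password'>"
          "<button>Log In</button></form><p>See the video</p></body></html>"),
    Probe("mobile-sg", "https://ads-decoy.test/offer",
          "<html><body><h1>Install the best ad blocker</h1><p>Block ads now</p></body></html>"),
]

if __name__ == "__main__":
    for key, value in assess(PROBES).items():
        print(f"{key}: {value}")
```

A verdict of "cloaked" with a credential form served to only the mobile profile is exactly the pattern a single desktop fetch would miss.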
Takeaways
Phishing attacks remain a persistent threat to all enterprises, regardless of revenue, size, or headcount. The campaign investigated in this article is only one of many recent Facebook scams focused on stealing user credentials through fraudulent links and DMs.
Threat actors constantly adjust their campaigns to match changing digital habits, and better exploit enterprise vulnerabilities. Next to employee training, it is key to stay informed about the security tools available to your organization to stay ahead of potential attacks.
This campaign was uncovered using the Silent Push App and dataset. Silent Push enables businesses to detect malicious infrastructure before it is activated, and proactively check for vulnerabilities within their digital presence.
Take advantage of Silent Push’s vast array of threat defense tools by signing up for our free Community App.
Indicators of Compromise
Below is a categorized list of the IoCs discussed in this article. Please note that the actual number of IoCs is far greater.
We track several malicious groups and threats. Comprehensive lists of real-time IoCs relating to the Facebook campaign and others are available with a Silent Push Enterprise Subscription.
Enterprise users can search for IoCs related to this campaign using the tag sp-blog-2023-03-21.
On Friday, March 10th, 2023, Silicon Valley Bank collapsed. The financial institution’s unexpected failure spread chaos amongst thousands of businesses, including tech companies, VCs, and other banks.
With the failure comes a massive opportunity for crime groups to take advantage of vulnerable companies seeking out information and trying to get access to their funds, creating an additional existential threat for all those affected.
Background
The collateral damage caused by SVB’s collapse is most noticeable in the form of countless clients trying to desperately relocate their funds. However, third-party companies with outstanding payments from SVB customers or stakeholders are equally affected, and need to overcome liquidity bottlenecks to pay their bills and stay afloat.
In short, the financial reality of thousands of companies is currently dominated by uncertainty and desperate urgency.
The door for fraud is wide open. Our Threat Analysts are already tracking malicious infrastructure that’s been set up to take advantage of the situation. The risk applies to anyone affiliated with SVB and its clients.
Attack Vectors
Bank and invoice frauds are some of the easiest ways for crime groups to gain quick wins.
Threat actors constantly monitor for major events such as the SVB crash, and exploit the fact that thousands of organizations and individuals need to communicate their banking credentials this week to secure their funds and process payments.
SVB Spoofing
The most obvious targets are those directly affected by SVB’s collapse, i.e. those holding deposits with the bank.
SVB customers need to check in on their funds and most likely transfer them to different accounts outside of SVB.
We’re already tracking a huge spike in domains potentially imitating SVB, many of which we expect to be launching malicious content soon:
List of domains containing “siliconvalleybank” and registered after 03-01-2023
Threat actors can use the typosquatted SVB domains to redirect traffic to their infrastructure and add legitimacy to it. We’re also expecting to see spoofing pages imitating SVB’s branding and digital presence to entice users to interact with fake login portals designed to harvest credentials.
We extensively cover the TTPs of brand impersonation here.
We’re expecting phishing emails and messages imitating SVB that target the bank’s clients. These attacks will use urgent messaging and aggressive CTAs to pressure recipients to share private information, or visit fraudulent domains.
Case Study – svb-usdc[.]com
We’ve marked the typosquatted domain svb-usdc[.]com as an active threat.
The domain is part of a cryptocurrency scam that poses as a USDC reward/compensation program for SVB clients.
Most of the phishing page’s content is copied from svb[.]com/private-bank/lending/mortgage-lending:
Phishing page
Legitimate page
The button added to the fraudulent page redirects users to a cryptocurrency wallet via WalletConnect:
WalletConnect URI
Case Study – pay.fsvb[.]net
We’ve also discovered malicious SVB-typosquatted domains related to pay.fsvb[.]net. They are likely part of a phishing campaign aimed at misappropriating users’ payment details.
The domains are registered on GoDaddy and make use of the platform’s online payment option:
pay.wefinancesvbclients[.]com
Fake refunds
Many individuals and organizations not directly affiliated with SVB are still affected by the crash, and are now waiting for potential pay-backs, refunds, and insurance claims.
We’re also seeing companies struggling with liquidity bottlenecks, meaning entire staff, as well as third-party clients, are dealing with frozen salary and services payments.
Threat actors have the opportunity to imitate a variety of organizations and institutions offering supposed financial support, aid, and compensation. As above, this can be either achieved through simple typosquatting or combined with brand spoofing and phishing campaigns.
It is also likely for unaffected individuals to be targeted under the pretext that they are, in fact, eligible for monetary compensation.
Case Study – redemptions-circle[.]com
We uncovered additional infrastructure associated with the cryptocurrency fraud mentioned above. The related domains impersonate Circle, and were registered after the company announced they had $3.3bn of their USDC cash reserves with SVB.
The phishing pages urge users to connect their crypto wallets to reclaim USDC:
redemptions-circle[.]com
We’ve also discovered pages displaying SVB’s logo in combination with Circle’s branding.
Invoice fraud & requests to change payment information
Invoice fraud consists of threat actors posing as a company’s supplier and requesting payment on their behalf.
This is often combined with an explanation as to why the funds need to be transferred to a different bank account than was previously used.
Following SVB’s failure, thousands of companies will have to forcefully change banks, and thus thousands of their clients can expect updated invoices and payment requests.
Some may still be unsure as to whether or not their suppliers are affected by the SVB collapse, and will be awaiting updates.
Threat actors will use this opportunity to contact companies and request payments to new recipient accounts, using the excuse that payments via SVB are now impossible.
Additional factors
Lack of two-factor authentication
SVB does not enforce 2FA, making both itself and its deposit holders far more vulnerable to fraud and security breaches.
Once threat actors are in receipt of SVB’s customers’ details, a lack of 2FA means that they do not have to overcome additional security hurdles to gain access to the accounts in question.
Not enforcing 2FA also makes it easier for threat actors to pass off fake login pages as legitimate.
Unusual legitimate behavior mixed with genuine threats
While it is possible for banks (and their clients) to notice suspicious transfers and malicious activity, the environment surrounding SVB almost exclusively encourages irregular account activity.
The current panic will make it easy for threat actors to go unnoticed long before the dust has settled.
Managing the risk
The threat landscape created by SVB’s collapse is extremely aggressive and has the potential to adversely affect countless institutions and organizations.
We’re dedicating our resources to offer real-time insights into the threats and to help companies stay ahead of potential attacks.
Stay informed about SVB imitators
We’ve created an SVB spoofing feed that scans global DNS infrastructure for signs of threat actors imitating the bank.
The feed is automatically updated, and contains all recently registered domains relating to SVB.
Not all domains listed in the feed are malicious, and some may not yet have hosted any malicious activity.
Since we expect a spike in fraudulent campaigns in the coming weeks, we’re closely monitoring all associated assets and we’ll flag serious threats as and when they appear.
Silent Push Spoofing Feed for SVB
Protect yourself from impersonation
We’re offering our free typosquatting tool for companies to detect domains and email communication falsely created on their behalf.
SVB’s crash creates an opportunity for impersonation campaigns and attacks targeting a vast number of brands and organizations. We’re encouraging particular awareness of invoice fraud committed in your name.
Impersonation attempts are a liability to you and your assets and can cause lasting reputation damage. Detecting malicious infrastructure before it can facilitate an attack is the best way to keep your organization safe.
Get access to our free community app and typosquatting tool here.
Indicators of Compromise
Below is a categorized list of the IoCs discussed in this article. Please note that the actual number of IoCs is far greater.
We track several malicious groups and threats. Comprehensive lists of real-time IoCs relating to SVB bank and others are available with a Silent Push Enterprise subscription.
Enterprise users can search for IoCs related to this campaign using the tag sp-blog-2023-03-15.
Brand impersonation remains a persistent existential threat to the financial and reputational livelihood of businesses across the globe, regardless of size, revenue or sector.
Whilst threat actors are more likely to impersonate brands that command a high degree of trust among consumers and businesses – especially those within the financial and cloud services sector – no organisation is truly safe.
Threat actors view impersonation as a means to exploit the good name and commercial standing of well-established companies, gaining the trust of users who are less vigilant than they usually would be, given the brand names involved.
Inadequate solutions
Cloud-based security platforms are available that target individual elements of an impersonation campaign – DNS records, website content, and security architecture (certificates) – but the industry has thus far failed to offer a unified, end-to-end solution that encompasses all the constituent parts of a firm’s ability to defend itself against online impersonation.
Let’s take a look at the individual TTPs threat actors use to impersonate brands, what questions you should be asking your current security provider, and how Silent Push can help through our centralized Brand Impersonation Protection service.
Domain name impersonation
The most common scenario covered by most anti-impersonation solutions is domain name impersonation – a tactic that involves threat actors registering a domain name that is alphanumerically similar to your own domain.
Typosquatting and regex searches
Standalone typosquatting services monitor new domains for registrations that meet certain criteria, usually with a similar string of numbers and characters to the legitimate domain, e.g. examp1e[.]com being used to impersonate example[.]com.
If your domain is four characters or fewer, a plain similarity search will generally produce too many false positives to be fit for purpose unless you can also run a regex search: a form of advanced searching that looks for specific naming patterns instead of matching whole domain or nameserver names.
Example regex pattern: ^g[^\.o]ogle[a-z]{1,}\.[a-z]{1,}$
The above pattern matches domains that begin with g, followed by any single character other than o or a dot (a substitution of the first o), then ogle, then one or more lowercase letters, then a dot and a single-label TLD. It deliberately does not match google itself, and it does not match multi-label suffixes such as .co.uk.
The returned data is tightly scoped to the target brand, with far fewer irrelevant results than a plain substring or edit-distance search.
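As an added, runnable illustration (my code, not Silent Push's tooling), here is the pattern above applied to a constructed list of candidate domains, plus a generalisation that builds the equivalent one-character-substitution pattern for any brand name. The candidate domains are made up for the example and are not observed registrations.

```python
import re

# Pattern quoted in the article: g, one character that is neither "o" nor ".",
# then "ogle", then one or more letters, a dot and a single-label TLD.
ARTICLE_PATTERN = re.compile(r"^g[^\.o]ogle[a-z]{1,}\.[a-z]{1,}$")


def matches_article_pattern(domain: str) -> bool:
    """True if the domain matches the article's google typosquat pattern."""
    return ARTICLE_PATTERN.match(domain.lower()) is not None


def one_substitution_pattern(brand: str) -> "re.Pattern[str]":
    """Generalisation (my addition, not from the article): match any domain whose
    second-level label is the brand with exactly one character replaced, optionally
    followed by extra letters, under a single-label TLD. The brand itself never
    matches, because every alternative requires a *different* character at its position.
    Assumes the brand is plain lowercase letters/digits."""
    alternatives = []
    for i, ch in enumerate(brand):
        alternatives.append(f"{brand[:i]}[^.{ch}]{brand[i + 1:]}")
    return re.compile(r"^(?:" + "|".join(alternatives) + r")[a-z]*\.[a-z]+$")


# Constructed candidates for the demonstration, not real domains.
CANDIDATES = [
    "g0oglesupport.com",    # first o -> 0 plus extra letters: article pattern matches
    "gaoglelogin.net",      # first o -> a: matches
    "googlesupport.com",    # brand intact: article pattern does NOT match (first o kept)
    "google.com",           # the legitimate domain: never matches
    "g0ogle.com",           # typo but no extra letters: article pattern requires [a-z]{1,}
    "goog1e.com",           # substitution elsewhere: only the general pattern catches it
    "g0oglesupport.co.uk",  # multi-label suffix: neither pattern matches
]


def scan(candidates, pattern):
    """Return the subset of candidates that match the compiled pattern, in input order."""
    return [d for d in candidates if pattern.match(d.lower())]
```

Both patterns share the property that matters for alerting: the genuine domain can never match, so the result set needs no allowlisting. The `.co.uk` miss is a real limitation of the article's pattern; for brands exposed under multi-label public suffixes, strip the public suffix before matching or widen the TLD part of the expression.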
Subdomain enumeration
Any digital threat management platform worth its salt needs to monitor subdomains as well as root domains, across every TLD.
Your security provider needs to be checking for impersonation campaigns that target not only your root domain but also your subdomains, including typosquats of subdomain names (for example a lookalike of login.example[.]com). Cybercriminals view subdomains as low-hanging fruit, due in part to the inattention they receive from most digital threat monitoring platforms.
Email Impersonation
MX (Mail Exchange) records
Threat actors impersonate email domains in a technique called ‘spoofing’: forging the From header (and usually the display name) so that a message appears to come from a trusted sender.
MX (Mail Exchange) records are DNS records that specify which mail server receives email for a particular domain. An attacker cannot change the MX records of randombank[.]com without controlling its DNS zone, and a recipient’s mail client never consults the sender’s MX records when accepting a message. What attackers can do is publish MX records for a lookalike domain they own, which gives their impersonation a working reply path.
Here’s a common attack vector:
The attacker registers a lookalike domain such as randombank-support[.]com, sets up a mail server for it, and creates an address that appears to belong to the bank, such as helpdesk@randombank-support[.]com.
The attacker publishes an MX record for randombank-support[.]com pointing at their own mail server, so that any reply a victim sends is delivered to them rather than bouncing.
The attacker emails a customer or supplier of the bank. The From address, the domain and its MX records are all internally consistent, so the message passes basic deliverability checks and the reply thread works exactly as the victim expects.
The attacker now controls a two-way conversation and is free to exploit it: they may relay the thread to the genuine helpdesk while altering payment details, or reply with malicious links or attachments. Where the genuine domain publishes no enforcing SPF or DMARC policy, the attacker can skip the lookalike and forge helpdesk@randombank[.]com directly, since a receiving server then has no basis on which to reject it.
TXT records
Mail-enabled lookalike domains are commonly used to run business email compromise or supply-chain fraud, and are often combined with TXT records that make the attacker’s mail pass authentication checks.
Threat actors publish SPF and DKIM TXT records for their lookalike domains to add an additional layer of legitimacy to the fake email.
Here’s how it works, using the lookalike domain above as an example:
The attacker publishes an SPF TXT record for randombank-support[.]com that authorises their sending server, and a DKIM public key as a TXT record under a selector such as selector1._domainkey.randombank-support[.]com. A DKIM signature proves that the message was signed by the holder of the key published for the signing domain and has not been altered in transit; it proves nothing about whether that domain is the one the reader thinks it is.
The attacker sends an email from helpdesk@randombank-support[.]com that carries a DKIM signature for that domain. The recipient’s mail server fetches the selector’s TXT record from randombank-support[.]com, which the attacker controls, and the signature verifies; SPF passes for the same reason.
Because both checks pass, the email is delivered to the inbox with no authentication warning. The recipient is therefore more likely to trust it and far more inclined to click on malicious links or open attachments that contain malware.
By publishing SPF and DKIM for their lookalike domains, threat actors increase the perceived legitimacy and deliverability of their phishing emails, making it more likely that the recipient will fall for their scam.
It’s important for organizations to deploy countermeasures that provide MX and TXT record searches across lookalike domains as standard: a newly registered lookalike that acquires MX, SPF and DKIM records is about to be used. Organizations should also publish SPF and a DMARC policy of p=reject for their own domains so that exact-domain spoofing is rejected. If these features are lacking, risk levels are considerably higher.
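The MX and TXT checks described above, as an added example (my code, not a Silent Push query): it triages lookalike domains by how ready they are to run a BEC conversation, and checks whether the genuine domain’s DMARC policy would cause exact-domain spoofing to be rejected. The DNS snapshot is constructed for the example, with hostnames and addresses from documentation ranges and placeholder DKIM keys; a real tool would fetch the same record types with a resolver.

```python
import re

# Constructed DNS snapshot: the brand domain and three registered lookalikes.
# Hosts and addresses come from documentation ranges; the DKIM keys are placeholders.
DNS = {
    "randombank.com": {
        "MX": ["10 mail.randombank.com."],
        "TXT": ["v=spf1 mx -all"],
        "_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@randombank.com"],
        "DKIM": {"s1": "v=DKIM1; k=rsa; p=PLACEHOLDER"},
    },
    "randombank-support.com": {   # fully mail-enabled lookalike: authenticated sending plus a reply path
        "MX": ["10 mx.attacker.example."],
        "TXT": ["v=spf1 ip4:203.0.113.10 -all"],
        "_dmarc": [],
        "DKIM": {"selector1": "v=DKIM1; k=rsa; p=PLACEHOLDER"},
    },
    "rand0mbank.com": {           # can receive replies, but its outbound mail has no SPF/DKIM
        "MX": ["10 mx2.attacker.example."],
        "TXT": [],
        "_dmarc": [],
        "DKIM": {},
    },
    "randombank-login.com": {     # parked: no mail capability yet
        "MX": [],
        "TXT": [],
        "_dmarc": [],
        "DKIM": {},
    },
}


def dmarc_policy(domain, dns=DNS):
    """Return the p= tag of the domain's DMARC record, or None if there is no DMARC record."""
    for txt in dns[domain]["_dmarc"]:
        if txt.lower().startswith("v=dmarc1"):
            # p= must start a tag; this deliberately does not match sp= (subdomain policy)
            m = re.search(r"(?:^|;)\s*p=([a-z]+)", txt.lower())
            return m.group(1) if m else None
    return None


def mail_capability(domain, dns=DNS):
    """Which mail-related records the domain has published."""
    rec = dns[domain]
    has_spf = any(t.lower().startswith("v=spf1") for t in rec["TXT"])
    return {
        "mx": bool(rec["MX"]),
        "spf": has_spf,
        "dkim": bool(rec["DKIM"]),
        "dmarc": dmarc_policy(domain, dns),
    }


def triage_lookalike(domain, dns=DNS):
    """Priority for a lookalike domain based on how ready it is to run a BEC conversation."""
    cap = mail_capability(domain, dns)
    if cap["mx"] and (cap["spf"] or cap["dkim"]):
        return "high"    # authenticated outbound mail plus a reply path: BEC-ready
    if cap["mx"]:
        return "medium"  # replies land with the attacker; strict receivers will still flag its mail
    return "low"         # registered but not mail-enabled; keep watching for MX/TXT changes


def exact_domain_spoof_rejected(domain, dns=DNS):
    """True if receivers honouring DMARC will reject mail that forges this exact domain in From."""
    return dmarc_policy(domain, dns) == "reject"
```

The useful signal is the change over time: a lookalike that moves from "low" to "high" has just been armed, which is the moment to block it at the mail gateway and warn the suppliers and customers most likely to receive it.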
Spoofed content
Content can broadly be described as the information contained within a web page, as seen by the person who is viewing it.
Threat actors cast their nets far and wide in their attempts to redirect traffic and fool users into believing a fake website is in fact legitimate. These efforts are not limited to back-end DNS exploits. Cybercriminals go to great lengths to replicate the look and feel of popular online brands.
Let’s take a look at two prominent TTPs – favicons and content similarity.
Favicons
Favicons are small icons that appear in the browser’s address bar and next to the website name in tabs. They are usually associated with a specific website or brand, and can be used by threat actors to create a sense of legitimacy for fake websites that host malware or are designed to harvest credentials.
Here’s an example of how threat actors use favicons to impersonate brands:
The threat actor creates a fake website that looks similar to a legitimate domain, using a similar domain name (see above), design, and content.
The threat actor creates a favicon that is similar or identical to the favicon of the legitimate website they are trying to impersonate. This is easily achieved by copying the legitimate favicon and making subtle alterations.
The copied favicon is enabled on the fake website, increasing its legitimacy in the eyes of the user.
Favicon phishing is hard to detect with exact matching alone: the visual similarity between a fake favicon and the legitimate one can be subtle, and a single changed pixel is enough to defeat a hash comparison. Counteracting favicon spoofing therefore needs similarity matching rather than exact lookups. Most digital threat management platforms struggle with the complexities involved, and businesses are often left exposed by poorly performing or non-existent favicon search functions.
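To show why exact and similarity matching give different answers, here is an added example (my code, not part of the article or of any Silent Push product) that compares a constructed 16x16 greyscale icon against a copy with a few pixels altered and against an unrelated icon. Exact matching uses a SHA-256 over the pixels (the same idea as the common practice of hashing the favicon bytes); similarity matching uses an average hash, an 8x8 downscale turned into a 64-bit fingerprint compared by Hamming distance. The icons are synthetic grids, not real favicon files, and the threshold of 5 bits is an assumption to tune against your own data.

```python
import hashlib

SIZE = 16       # constructed icons are 16x16 greyscale (0-255) grids, not real favicon files
HASH_SIZE = 8   # average hash works on an 8x8 downscale -> 64-bit fingerprint


def make_icon(pixel):
    return [[pixel(r, c) for c in range(SIZE)] for r in range(SIZE)]


# Constructed samples: a two-tone "logo", a copy with one 2x2 patch altered,
# and an unrelated checkerboard.
LEGIT = make_icon(lambda r, c: 200 if c < 8 else 50)
ALTERED = [row[:] for row in LEGIT]
for r in (0, 1):
    for c in (14, 15):
        ALTERED[r][c] = 200
UNRELATED = make_icon(lambda r, c: 200 if ((r // 2) + (c // 2)) % 2 == 0 else 50)


def exact_hash(icon):
    """SHA-256 over the raw pixels: catches byte-identical copies only."""
    return hashlib.sha256(bytes(v for row in icon for v in row)).hexdigest()


def ahash(icon):
    """Average hash: downscale to 8x8 by block averaging, then 1 bit per cell (above mean)."""
    block = SIZE // HASH_SIZE
    cells = []
    for br in range(HASH_SIZE):
        for bc in range(HASH_SIZE):
            total = sum(icon[br * block + dr][bc * block + dc]
                        for dr in range(block) for dc in range(block))
            cells.append(total / (block * block))
    mean = sum(cells) / len(cells)
    bits = 0
    for v in cells:
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count("1")


def classify(candidate, reference, threshold=5):
    """'identical' on exact match, 'near-duplicate' within the Hamming threshold, else 'different'."""
    if exact_hash(candidate) == exact_hash(reference):
        return "identical"
    if hamming(ahash(candidate), ahash(reference)) <= threshold:
        return "near-duplicate"
    return "different"
```

The altered copy fails the exact comparison but sits one bit away from the original under the average hash, while the unrelated icon is 32 bits away; an exact-match-only favicon search would have missed the copy entirely.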
Content similarity
Threat actors use templates to re-purpose malicious content across hundreds of spoofed domains. Images are included that mimic legitimate graphics, page layouts are similar and text placement resembles the original domain.
Content impersonation services need to extend beyond favicons and certificate queries. Corporate defenses need to include similarity searches that flag malicious on-screen content masquerading as a legitimate website.
Certificate impersonation
A digital certificate binds a domain name to a public key and is signed by a certificate authority (CA). TLS uses it to authenticate the site before the session is encrypted; the certificate itself does not encrypt anything.
Threat actors do not need to forge certificates. Public CAs issue domain-validated certificates automatically, and often free of charge, to anyone who controls a domain, so a lookalike domain receives a valid certificate and the same padlock in the browser as the genuine site, deceiving users into thinking they are interacting with the legitimate website or service.
Because every publicly trusted certificate is recorded in Certificate Transparency logs, newly issued certificates whose names resemble your brand are a useful detection signal, and they frequently appear before the fake website hosting malicious content goes live.
Subdomain takeovers and SSL certificates
A subdomain takeover occurs when a subdomain in an organization’s DNS zone still points (typically via a CNAME) at a third-party resource that has been deprovisioned, and an attacker claims that resource, so that the organization’s own subdomain now serves content the attacker controls. It is usually caused by poor housekeeping and inadequate third-party service management.
Once a subdomain has been captured, threat actors can obtain valid SSL/TLS certificates for it from a legitimate certificate authority, because domain validation only checks that the requester controls what the name resolves to. A genuine subdomain of the brand with a valid certificate dramatically increases legitimacy in the eyes of any potential victim.
Unless you’re able to perform a quick and comprehensive search for certificates similar or identical to your brand’s name that aren’t hosted on trusted infrastructure (i.e. created or hosted by threat actors), your public DNS presence is significantly more at risk of being compromised.
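The certificate search described in this section, as an added example (my code, not a Silent Push query): it walks constructed Certificate Transparency-style entries, flags names carrying the brand on domains the organization does not own, and, for names inside an owned zone, checks whether they resolve to infrastructure the organization controls, which is the subdomain-takeover case. The log entries, resolution data, issuer name and trusted address set are all made up for the example, using documentation address ranges.

```python
BRAND = "randombank"
OWNED_ZONES = ("randombank.com",)                   # zones the organisation actually owns
TRUSTED_HOSTS = {"198.51.100.10", "198.51.100.11"}  # constructed: addresses of infrastructure we control

# Constructed CT-log-style entries: issuer plus the certificate's subject alternative names.
CT_ENTRIES = [
    {"issuer": "Example CA", "sans": ["randombank.com", "www.randombank.com"]},
    {"issuer": "Example CA", "sans": ["randombank-secure.com", "www.randombank-secure.com"]},
    {"issuer": "Example CA", "sans": ["dev.randombank.com"]},
    {"issuer": "Example CA", "sans": ["unrelated.example"]},
]

# Constructed resolution snapshot (documentation address ranges, not real hosts).
RESOLVES = {
    "randombank.com": "198.51.100.10",
    "www.randombank.com": "198.51.100.10",
    "randombank-secure.com": "203.0.113.5",
    "www.randombank-secure.com": "203.0.113.5",
    "dev.randombank.com": "203.0.113.77",   # dangling subdomain now answered by a host we do not control
}


def in_owned_zone(name):
    """True if the name is one of our zones or sits beneath one."""
    return any(name == z or name.endswith("." + z) for z in OWNED_ZONES)


def classify_name(name, resolves=RESOLVES):
    """Verdict for one certificate name."""
    if BRAND not in name:
        return "ignore"
    if not in_owned_zone(name):
        return "lookalike"          # brand string on a domain we do not own
    ip = resolves.get(name)
    if ip is None:
        return "owned-unresolved"   # our name with a fresh certificate but nothing resolving: worth a look
    return "owned" if ip in TRUSTED_HOSTS else "possible-takeover"


def findings(entries, resolves=RESOLVES):
    """Flag every certificate name that is a lookalike or a suspected subdomain takeover."""
    out = []
    for entry in entries:
        for san in entry["sans"]:
            verdict = classify_name(san, resolves)
            if verdict in ("lookalike", "possible-takeover"):
                out.append((san, verdict, entry["issuer"]))
    return out
```

The owned-zone check is what separates the two cases the section describes: a brand name outside your zones is impersonation, while a brand name inside your zone that resolves somewhere you do not recognise is the takeover scenario, and it deserves the higher priority because the certificate and the hostname are both genuinely yours.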
Silent Push brand impersonation defense tools
Our platform contains an exhaustive list of queries that combat all the constituent TTPs of a brand spoofing attack, without the need to utilise numerous distinct platforms, with varying results depending on how each one approaches digital threat management.
Silent Push contains a set of role-based impersonation detection tools that leave no stone unturned, and shine a light on your online presence in ways that are all too often overlooked by brands and other security vendors alike.
All of our queries are designed to be used in unison with one another from a centralized, user-friendly UX, offering enriched data that shines a light on your public DNS presence in ways that no other security platform can match: