
Researchers Discover Elusive New ONNX Store Phishing Kit


Researchers have recently uncovered a new phishing campaign that utilizes a phishing-as-a-service platform known as ONNX Store. This platform, which is available for purchase on Telegram, seems to be a rebranded version of an existing phishing kit called Caffeine. The ONNX Store and Caffeine kits share infrastructure and are promoted on the same Telegram channels.

The primary targets of this phishing campaign are financial institutions, with the attackers employing QR codes embedded in PDF attachments to lure victims. When individuals scan these QR codes using their smartphones, they are redirected to fake login pages that are designed to capture their login credentials and two-factor authentication (2FA) codes.

One of the notable features of the ONNX Store platform is its ability to facilitate real-time theft of credentials. The platform offers a range of powerful phishing tools, including custom phishing pages, webmail servers, 2FA cookie stealers, and “fully undetectable” referral services that use trusted domains to direct victims to phishing landing pages.
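The "2FA cookie stealers" mentioned above work by lifting an authenticated session cookie and replaying it from the attacker's own infrastructure. The following added example (not code from the article or from EclecticIQ) shows one defender-side check over a constructed, simplified authentication log: flag any session that is used from an address other than the one that completed login shortly after that login. The log format, the `window_minutes` parameter and all addresses are assumptions made for the illustration.

```python
"""Detect session-cookie replay in a constructed, simplified auth log.

Assumed log format (one event per line):
  <iso-timestamp> <LOGIN|REQUEST> user=<u> ip=<a.b.c.d> session=<id> [mfa=<ok|fail>]
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample: alice logs in with MFA, then her session id is reused
# from an unrelated address two minutes later (the cookie-replay pattern).
# bob's session changes address only 80 minutes after login, outside the window.
SAMPLE_LOG = """\
2024-06-20T09:01:10Z LOGIN user=alice ip=203.0.113.10 session=s1 mfa=ok
2024-06-20T09:01:15Z REQUEST user=alice ip=203.0.113.10 session=s1
2024-06-20T09:03:40Z REQUEST user=alice ip=198.51.100.7 session=s1
2024-06-20T09:10:00Z LOGIN user=bob ip=192.0.2.5 session=s2 mfa=ok
2024-06-20T09:10:05Z REQUEST user=bob ip=192.0.2.5 session=s2
2024-06-20T10:30:00Z REQUEST user=bob ip=192.0.2.99 session=s2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|REQUEST) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) session=(?P<session>\S+)(?: mfa=(?P<mfa>\S+))?$"
)


@dataclass
class Event:
    ts: datetime
    event: str
    user: str
    ip: str
    session: str
    mfa: Optional[str]


def parse_log(text):
    """Parse the assumed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        ts = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
        events.append(Event(ts, d["event"], d["user"], d["ip"], d["session"], d["mfa"]))
    return events


def find_session_replays(events, window_minutes=30):
    """Return one alert per request that reuses a session id from an address
    different from the login address within window_minutes of that login,
    plus an alert for any request whose session was never seen logging in."""
    origin = {}  # session id -> (login time, login ip)
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.event == "LOGIN":
            origin[e.session] = (e.ts, e.ip)
            continue
        if e.session not in origin:
            alerts.append({"session": e.session, "user": e.user,
                           "reason": "request on a session with no recorded login"})
            continue
        login_ts, login_ip = origin[e.session]
        recent = (e.ts - login_ts).total_seconds() <= window_minutes * 60
        if e.ip != login_ip and recent:
            alerts.append({"session": e.session, "user": e.user,
                           "login_ip": login_ip, "seen_ip": e.ip,
                           "reason": "session reused from a different address shortly after login"})
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(parse_log(SAMPLE_LOG)):
        print(alert)
```

The exact-address comparison is deliberately strict for the example; mobile users change addresses legitimately, so a production rule would usually compare network blocks or ASNs and combine the signal with device fingerprint or user-agent changes before raising a high-severity alert.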

Researchers from EclecticIQ have observed that threat actors utilizing the ONNX Store phishing kit typically distribute phishing emails with PDF attachments containing QR codes that lead to malicious landing pages. This tactic, known as “quishing,” takes advantage of the lack of security measures on employees’ personal mobile devices, making it challenging to detect and monitor these threats.

The phishing landing pages deployed by the ONNX Store kit use the Adversary-in-the-Middle (AiTM) method to capture and transmit stolen data in real time, without the need for frequent HTTP requests. Additionally, the kit uses encrypted JavaScript code that decrypts itself upon page load, collecting victims’ network metadata to steal 2FA tokens and gain unauthorized access to their accounts.
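An AiTM page succeeds against one-time codes because the code a victim types into the look-alike page is valid for the real site too, while it fails against an authenticator whose signed response includes the origin the browser actually loaded. The following added example (not code from the article or from the ONNX Store kit) models both cases in plain Python: HMAC stands in for the authenticator's signature, and `LEGIT_ORIGIN`, `PROXY_ORIGIN`, the secrets and the challenge are constructed values for the illustration.

```python
"""Model of why an AiTM relay passes an OTP but not an origin-bound assertion.

Simplification: a shared HMAC key stands in for the authenticator's private
key and the relying party's stored public key. All values are constructed.
"""
import hashlib
import hmac

LEGIT_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example-com.test"  # look-alike page behind the QR code


class RelyingParty:
    """The real login service."""

    def __init__(self, origin):
        self.origin = origin
        self.otp_secret = b"constructed-otp-secret"
        self.authenticator_key = b"constructed-device-key"  # stands in for a public key
        self.challenge = b"constructed-challenge-1"

    def current_otp(self):
        # Stand-in for a time-based OTP: the same code the user's app shows.
        return hmac.new(self.otp_secret, b"2024-06-20T09:00", hashlib.sha256).hexdigest()[:6]

    def verify_otp(self, otp):
        # An OTP carries no information about where it was typed.
        return hmac.compare_digest(otp, self.current_otp())

    def verify_assertion(self, assertion):
        # WebAuthn-style check: the signed client data must name THIS origin.
        if assertion["origin"] != self.origin:
            return False
        msg = assertion["origin"].encode() + assertion["challenge"]
        expected = hmac.new(self.authenticator_key, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(assertion["signature"], expected)


def user_reads_otp(rp):
    """The victim copies the code from their authenticator app."""
    return rp.current_otp()


def authenticator_sign(device_key, origin_seen_by_browser, challenge):
    """The browser stamps the origin it actually loaded into the signed data."""
    msg = origin_seen_by_browser.encode() + challenge
    return {
        "origin": origin_seen_by_browser,
        "challenge": challenge,
        "signature": hmac.new(device_key, msg, hashlib.sha256).hexdigest(),
    }


def aitm_relay(rp, use_origin_bound_auth):
    """Victim interacts with PROXY_ORIGIN; the proxy forwards everything to rp.
    Returns whether the real service accepts the relayed login."""
    if not use_origin_bound_auth:
        otp = user_reads_otp(rp)       # typed into the proxy's page
        return rp.verify_otp(otp)      # forwarded unchanged: accepted
    assertion = authenticator_sign(rp.authenticator_key, PROXY_ORIGIN, rp.challenge)
    return rp.verify_assertion(assertion)  # origin mismatch: rejected


def direct_login(rp):
    """Control case: the user signs in on the genuine origin."""
    assertion = authenticator_sign(rp.authenticator_key, LEGIT_ORIGIN, rp.challenge)
    return rp.verify_assertion(assertion)


if __name__ == "__main__":
    rp = RelyingParty(LEGIT_ORIGIN)
    print("OTP relayed through proxy accepted:", aitm_relay(rp, False))
    print("Origin-bound assertion relayed accepted:", aitm_relay(rp, True))
    print("Origin-bound assertion on real site accepted:", direct_login(rp))
```

The point for defenders is that the origin check happens on the server using data the browser, not the user, supplied; no amount of user vigilance is required for it to hold, which is why phishing-resistant MFA is the usual recommendation against kits of this kind.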

Furthermore, researchers have identified similarities in domain registrants and SSL issuers across various infrastructures associated with the ONNX Store phishing kit, hinting at the use of bulletproof hosting services to host the campaign.

It is believed that the ONNX Store platform is a rebranded version of the Caffeine phishing kit, with significant overlaps in infrastructure and advertising on the same Telegram channels. This overlap suggests the involvement of the Arabic-speaking threat actor MRxC0DER as the likely developer and maintainer of the Caffeine kit.

The rebranding of the ONNX Store platform appears to be focused on enhancing operational security for malicious actors. The service enables threat actors to control operations through Telegram bots, making it more challenging to take down phishing domains. To increase resilience, ONNX Store uses Cloudflare services to delay the removal of phishing domains and to evade detection by anti-phishing web crawlers and URL sandboxes.

Overall, the ONNX Store platform poses a significant threat: it gives cybercriminals the tools and infrastructure to conduct a range of illegal activities and creates a safe haven for criminal operations. Users are advised to exercise caution and rely on reputable sources for cybersecurity information, as the consequences of using such platforms can be severe.
