Decrypt LOL
Investigation Reveals Tactics in Phishing Campaigns

Quick take - The investigation into the Rockstar kit has revealed sophisticated phishing tactics, including the use of fully undetectable links, link redirectors, and the exploitation of legitimate platforms like Microsoft OneDrive and Google Docs Viewer to enhance the credibility and effectiveness of phishing campaigns.

Fast Facts

  • The investigation into the Rockstar kit reveals the use of fully undetectable (FUD) links in phishing campaigns, designed to evade traditional detection systems.
  • Cybercriminals employ tactics such as link redirectors, shortened URLs, and the exploitation of legitimate email marketing services to enhance the credibility of phishing attempts.
  • Platforms like Microsoft OneDrive, OneNote, and Dynamics 365 are being misused to host phishing content and distribute malicious links disguised as legitimate notifications.
  • An emerging trend in phishing is “Quishing,” which uses QR codes to encode URLs, allowing phishers to bypass traditional detection methods.
  • Phishing emails often include HTML obfuscation techniques and unrelated content to confuse recipients, while common attachments are crafted to align with the email’s theme.

Investigation into Rockstar Kit Unveils Phishing Tactics

The ongoing investigation into the Rockstar kit has unveiled concerning tactics employed in phishing campaigns, with a particular focus on the creation and use of fully undetectable (FUD) links. These links are crafted to evade traditional URL-based detection, which typically inspects only the first URL in the chain rather than the destination it ultimately redirects to.

Cybercriminals create FUD links in several ways. One is link redirection: phishers use shortened URLs and open redirects to mask the destination of malicious links. Another is the abuse of email marketing services, whose legitimate sending infrastructure lends credibility to the phishing message. Additionally, cybercriminals host phishing content on trusted sites to further evade detection.

Several well-known platforms have been identified as tools or hosts for phishing activities:

  • Microsoft OneDrive: A new phishing method has emerged where OneDrive hosts URL shortcut files. Phishing emails may masquerade as ShareFile notifications, prompting users to click on a shortcut file labeled ‘ACCESS PROPOSAL HERE.url,’ which redirects them to a phishing page.

  • Microsoft OneNote: This platform distributes phishing links through email messages disguised as document notifications. An example includes an email with the subject “Complete review of contract,” containing an image linked to a OneNote document, effectively bypassing text-based detection.

  • Microsoft Dynamics 365 Customer Voice: This service has been co-opted in phishing schemes as a link stager.

  • Atlassian Confluence: Phishing links are often disguised as notifications for shared Microsoft Excel documents. Links labeled “STIAHNUT’ DOKUMENT” (Slovak for “download document”) can lead users to a Confluence wiki page, which subsequently redirects to a phishing landing page.

  • Google Docs Viewer: Phishing emails may contain links to Google Docs Viewer, which can present malicious PDF files hosted externally, embedding links to phishing sites.

  • LiveAgent (ladesk.com): Compromised accounts, such as those belonging to teachers, have been used to send payment-related phishing messages that include links to credible external sites.

An emerging trend in phishing is the use of QR codes, dubbed “Quishing.” The URL is encoded in a QR code image placed in the email or attachment, so detection systems that inspect only visible links never see it. For instance, a phishing email impersonating DocuSign included a QR code that redirected users to a phishing site.

Phishers also insert stolen email threads into their messages. This inflates the email size and confuses recipients with unrelated content. Additionally, HTML obfuscation is used to disguise the malicious content: the markup is split into tokens, with comments or hidden elements inserted between them, so that the source is harder to read and to match against known patterns.
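The token-splitting and hidden-element tricks described above defeat filters that scan the raw HTML; a defender's normalizer that reconstructs what the recipient actually sees restores the match. The following is an added example (not code from the article or from the Rockstar investigation) using only Python's standard library; the sample HTML and its example.invalid URLs are constructed for illustration.

```python
import re
from html.parser import HTMLParser

class _Normalizer(HTMLParser):
    HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0", re.I)
    VOID = {"br", "img", "input", "hr", "meta", "link"}          # never get an end tag
    INVISIBLE_TAGS = {"script", "style", "head", "title"}       # content is never rendered

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts, self.hrefs = [], []
        self._hidden_depth = 0   # >0 while inside a subtree the reader cannot see
        self._stack = []         # one entry per open tag: did it start a hidden subtree?

    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            return
        a = dict(attrs)
        hidden = (tag in self.INVISIBLE_TAGS or "hidden" in a
                  or bool(self.HIDDEN_STYLE.search(a.get("style") or "")))
        self._stack.append(hidden)
        if hidden:
            self._hidden_depth += 1
        if tag == "a" and a.get("href") and not self._hidden_depth:
            self.hrefs.append(a["href"])

    def handle_endtag(self, tag):
        if tag not in self.VOID and self._stack and self._stack.pop():
            self._hidden_depth -= 1

    def handle_data(self, data):           # comments never reach here: the default
        if not self._hidden_depth:         # handle_comment is a no-op
            self.parts.append(data)

def normalize_html(html):
    """Return (recipient-visible text with whitespace collapsed, visible link targets)."""
    p = _Normalizer()
    p.feed(html); p.close()
    return re.sub(r"\s+", " ", "".join(p.parts)).strip(), p.hrefs

# Constructed sample modelled on the OneNote lure above: the subject phrase is split into tokens
# and padded with comments and a hidden decoy, so a raw-HTML substring scan finds nothing.
SAMPLE = (
    '<div><span>Comp</span><!-- 8f3a -->lete <span>rev</span><!----><span>iew</span>'
    ' of <b>con</b><!-- noise --><b>tract</b>'
    '<p style="display:none">Quarterly newsletter: unsubscribe any time.</p>'
    '<a href="https://example.invalid/onenote-lure"><img src="doc.png" alt=""></a>'
    '<a style="visibility:hidden" href="https://example.invalid/decoy">x</a></div>'
)
```

Run the lure phrase check against the normalized text, not the raw markup, and feed only the visible hrefs to your URL-reputation lookup.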

The Rockstar kit exemplifies the multi-stage phishing chains that leverage various legitimate services. These services host malicious links or serve as redirectors. Commonly used attachments in these phishing emails include randomized PDF, HTML, and MS Office documents, often crafted to align with the email’s theme, facilitating further phishing attempts.

Original Source: Read the Full Article Here
