Phishing trap for One Drive users. How to avoid falling prey?
Cybercriminals often use very cunning and inventive tricks to manipulate victim’s mind in phishing attacks. They aimed at eliciting data in such a way the victim doesn’t aware of it. For that purpose, the crooks use social engineering tricks. Recently Comodo specialists discovered a phishing attack that consists of a rather complicated chain of tricks to deceive the users and cover the tracks to make detecting the attackers harder. The attack was targeted at Microsoft One Drive users. Many of them keep their important documents, logins and passwords there, so it’s a real tidbit for a cybercriminal.
The perpetrators sent out phishing email that asked users to log in to their One Drive accounts and contained a link to the One Drive sign in page. But, in reality, the link leads to the phishing website.
If a user clicks on the link, he gets to the following page.
As you can see, it imitates real One Drive page. Not only the logo but also even favicon seems to be Microsoft’s original. More of that, even the lock sign of secure connections is present, and it’s not faked — the phishing page has real SSL-certificate! The perpetrators used free SSL certificate from “Let’s encrypt” Certificate Authority valid from March 31 2018 to June 29 2018. Obviously, they expect to finish their attack by the date.
But if you look carefully at the browser address bar, you’ll see that URL has nothing to do with Microsoft. As indeed, the link in the email. Let’s examine them closely.
The link in the email is https://kfz-ross.de/6/doc/docs/share/. But if you click, it will redirect you on a URL modified by the hackers: https://kfz-ross.de/6/doc/docs/share/file.html?websrc=59c275dc2e97dd3b896ed4ff2b82a8fd&dispatched=29&id=1775043298
What is http://kfz-ross.de? Is it the perpetrators’ domain? Let’s check it and see what we can find on this URL.
As you can see, it’ looks like a legitimate website. And it really is. It’s the website of a car service company in Germany. So how can it relate to the phishing attack?
The last update of information about the company on the website was made in 2011. And in general, it looks like an out-of-date website without adequate security protection, recklessly abandoned by its owners. Cybercriminals specially look for such websites to use them as a springboard for covering their malicious activity. It helps them to mislead the victims and cover the tracks. When the cybercrime will be detected, the police suspects the website owner in the first turn.
But let’s see what happens if a user takes the bait and put in her credentials.
Unexpectedly, right? You get the message about the error: “Your account password is incorrect. If you don’t remember your password. Please Try Again”. And this time it is not in textual form — it’s an image.
It looks weird for the first sight, is not it? Why do the perpetrators need this construction?
“There can be a few reasons and all of them related to social engineering tricks”, comments Fatih Orhan, the Head of the Comodo Threat Research Labs.” First, it can be done to strengthen the confidence of the users that they deal with the legitimate website. Because for phishers it’s very important to have users staying unaware that their credentials were stolen. Otherwise, if they will suspect something, they can change credentials immediately, so cybercriminals achieve nothing and the whole attack is in vain.
Second, the users often make typos when typing passwords, so the attackers could use this trick to be sure that they got correct credentials”.
After a user enters the credentials for the second time, she will be redirected to a
Google Drive link with the following .pdf file.
Obviously, it does not look like One Drive but it doesn’t look like something malicious also. So inexperienced user, most likely, will be a bit confused but suspect nothing and just forget about the case. Meantime, the attackers will steal her data and use them for their criminal purposes.
Is it a way to prevent this type of attack? Sure. The most effective antidote is awareness.
The matter is that such phishing attacks exploit the common vulnerability of human brain: habit to judge on something by one sign. When a person sees a well-familiar logo, she usually doesn’t go for a deeper check. That’s exactly what the perpetrators count on. Because with paying attention to the link, she would understand easily it has nothing with the real Microsoft One Drive.
So our advice to avoid such scam and outsmart the crooks is simple: always check links and pay attention to your browser address bar. And what is even better, never click on links in emails. Just type the address in the browser with your own hands. Thus, you can be 100% sure that you get exactly to the website you want to get.
Live secure with Comodo!