Outlook Web App Users Phished
A cyberespionage group has been using spear-phishing techniques to steal email login credentials from employees of military agencies, embassies, defense contractors and international media outlets that use Office 365's Outlook Web App.
Trend Micro, which published a research paper on the attack on Wednesday, calls the phishing campaign "Operation Pawn Storm". They also reported that the attack may have started as early as 2007 and is still being carried out.
How the Phishing Attack Was Performed:
Trend Micro said that the attackers used several kinds of attacks: spear-phishing emails with malicious Microsoft Office attachments that installed a backdoor malware program called SEDNIT (also known as Sofacy), and selective exploits injected into compromised legitimate websites.
The method of this attack differs from the others. The group used one interesting technique in spear-phishing attacks against organizations that use Outlook Web App (OWA), part of Microsoft's Office 365 service.
Special Moves:
For the phishing, the attackers created two different domains: one resembling a third-party website known to the victims, and another resembling the domain used by the targeted organization's Outlook Web App deployment.
In some cases the attackers even purchased legitimate SSL certificates so that the victims’ browsers display the HTTPS secure connection indicators for the phishing sites, the Trend Micro researchers said.
Technical Details of the Attacking Method:
The attackers then crafted a phishing mail with a link to the third-party website, where they hosted a non-malicious JavaScript file. The job of that JS file was to open the legitimate site in a new tab and, at the same time, redirect the already open OWA tab to a phishing page.
“The JavaScript made it appear that the victims’ OWA sessions ended while at the same time, tricked them into reentering their credentials,” the Trend Micro researchers wrote in their paper. “To do this, the attackers redirected victims to fake OWA log-in pages by setting their browsers’ open windows property.”
Area of the Attack:
Because the attack method did not rely on any browser vulnerability, it worked in almost all major web browsers, including Firefox, Internet Explorer, Google Chrome and Apple Safari.
Requirements for the Attack to Be Successful:
Two things are needed for the attack to be successful:
1) the victim needs to use OWA
2) the victim needs to click on the link in OWA's preview pane.
This can be a powerful attack, because the victims know they had a legitimate OWA session opened in that browser tab and might not check if the URL has changed before re-entering their credentials.
Who Are the Victims:
1) Employees of the US private military company ACADEMI
2) The Organization for Security and Co-operation in Europe (OSCE)
3) US Department of State
4) U.S. government contractor SAIC
5) A Germany-based multinational company
6) Vatican Embassy in Iraq
7) Broadcasting companies in several countries
8) The defense ministries of France and Hungary, Pakistani military officials
9) Polish government employees, and military attachés from various countries.
The attackers exploited the interests of the victims, using well-known events and conferences as the phishing lure.
“Apart from effective phishing tactics, the threat actors used a combination of proven targeted attack staples to compromise systems and get in to target networks—exploits and data-stealing malware,” the Trend Micro researchers said. “SEDNIT variants particularly proved useful, as these allowed the threat actors to steal all manners of sensitive information from the victims’ computers while effectively evading detection.”